Windows 2000 Vulnerability
Windows 2000's powerful features and new architecture are a testament to Microsoft's strength, and it is easy to foresee that Windows 2000 will become the mainstream server operating system of the new generation, and therefore also a target for hacker attacks. However, because the new Windows 2000 architecture relies on Active Directory (AD), many administrators are busy adapting to the new operating system and migrating their existing data, and the security of Windows 2000 has not received enough attention.
This article describes some of the vulnerabilities and the specific steps that hackers commonly use when attacking Windows 2000 systems, so that network administrators know what to watch for when maintaining their systems. There is a saying that makes a lot of sense: "There is no absolutely stupid system in the world, only absolutely stupid administrators." As long as our network administrators maintain their systems carefully, I believe the hackers will find no machine to break into.
Login input method vulnerability
First we introduce a login vulnerability, commonly known as the input method vulnerability. When Windows 2000 starts and displays the logon prompt, any user can open the help window of the various input methods, and some of the functions in that help window can be used to access the file system. This means the Windows 2000 logon verification mechanism can be bypassed and the entire system accessed with the highest administrator privilege. The vulnerability is therefore very harmful, and once an intruder is in the system it can also be exploited remotely through Terminal Server. The input methods shipped by default with Windows 2000 that have this vulnerability are: Intelligent ABC, Microsoft Pinyin, Internal Code, Quanpin (full Pinyin), Shuangpin (double Pinyin) and Zheng code. So I think this is the first vulnerability to repair:
1. Delete the input methods you do not need, such as Zheng code.
2. Since we cannot delete all of the built-in input methods, if we want to keep using a vulnerable input method we can delete that input method's help file instead. These help files are normally in the Help directory under the Windows 2000 installation directory (for example C:\Winnt\Help). The corresponding help files are:
※ Winime.chm: input method operation guide
※ Winsp.chm: Shuangpin (double Pinyin) input method help
※ Winzm.chm: Zheng code input method help
※ WinPy.chm: Quanpin (full Pinyin) input method help
※ WINGB.CHM: Internal code input method help
3. Microsoft has released security bulletin MS00-069 for this issue and provides patches for Simplified Chinese Windows 2000 and English Windows 2000 on its website, so please install the patch as soon as possible.
NetBIOS information leakage
Next, let's talk about intrusion through NetBIOS shares. This problem has existed since NT was first released and has never been solved, and it has always been the most common way into systems built on NT. Particularly worth mentioning is the well-known IPC$ null session of NT. Although from SP3 onward it can be restricted by modifying the registry, for some reason Windows 2000 still leaves this null session open by default. Let's take a look at what information a null session gives an intruder:
NET USE \\Server\IPC$ "" /user:""      // this command creates a null session with the server
NET VIEW \\Server                      // this command lists the remote server's shared resources (share name and comment)
    -------------------------------------------------------
    \\PC1
    \\PC2
    The command completed successfully.
NET TIME \\Server                      // this command gets the current time of the remote server
NBTSTAT -A Server                      // this command gets the NetBIOS name table of the remote server
    NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        NULL           <00>  UNIQUE      Registered
        NULL           <20>  UNIQUE      Registered
        INTERNET       <00>  GROUP       Registered
        XIXI           <03>  UNIQUE      Registered
        INet~Services  <1C>  GROUP       Registered
        IS~NULL.......<00>  UNIQUE      Registered
        INTERNET       <1E>  GROUP       Registered
        ADMINISTRATOR  <03>  UNIQUE      Registered
        INTERNET       <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered

        MAC Address = 00-54-4F-34-D8-80
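To make the leak concrete, here is an added example that is not part of the original article: a small Python parser for an nbtstat -A name table that turns the registered names and their suffix codes into the facts an anonymous caller learns (machine name, domain, logged-on users, whether file sharing and IIS are running, browser role, MAC address). The sample table is constructed from the one quoted above; the suffix meanings (<00>, <03>, <20>, <1C>, <1D>, <1E>, __MSBROWSE__) are the standard NetBIOS name-suffix conventions, and the INet~Services and IS~ names are the ones IIS registers.

```python
import re

# Constructed sample, laid out like the nbtstat -A table quoted in the article.
SAMPLE_TABLE = """\
NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    NULL           <00>  UNIQUE      Registered
    NULL           <20>  UNIQUE      Registered
    INTERNET       <00>  GROUP       Registered
    XIXI           <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~NULL.......<00>  UNIQUE      Registered
    INTERNET       <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    INTERNET       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-54-4F-34-D8-80
"""

# One table row: name, two-hex-digit suffix in angle brackets, type, status.
ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})", re.IGNORECASE)


def parse_name_table(table: str):
    """Return a list of (name, suffix, type, status) tuples from nbtstat output."""
    entries = []
    for line in table.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append((name, suffix.upper(), ntype.upper(), status))
    return entries


def summarize(table: str) -> dict:
    """Map the registered names onto what they disclose to an anonymous caller."""
    entries = parse_name_table(table)
    summary = {
        "computer_name": None, "domain": None, "logged_on_users": [],
        "file_sharing": False, "iis": False, "master_browser": False,
        "domain_controller": False, "mac": None,
    }
    for name, suffix, ntype, _ in entries:
        if suffix == "00" and ntype == "UNIQUE" and not name.startswith("IS~"):
            summary["computer_name"] = name          # workstation service name
        elif suffix == "00" and ntype == "GROUP":
            summary["domain"] = name                 # domain or workgroup name
        elif suffix == "20" and ntype == "UNIQUE":
            summary["file_sharing"] = True           # server service: shares are offered
        elif suffix == "1D" and ntype == "UNIQUE":
            summary["master_browser"] = True         # master browser for the subnet
        elif suffix == "01" and "__MSBROWSE__" in name:
            summary["master_browser"] = True
        elif suffix == "1C" and ntype == "GROUP":
            if name.upper() == "INET~SERVICES":
                summary["iis"] = True                # registered by IIS
            else:
                summary["domain_controller"] = True  # domain controllers group
        if name.startswith("IS~"):
            summary["iis"] = True                    # IIS registers IS~<computer>
    # <03> is the messenger service: the entry equal to the computer name is the
    # machine itself, every other <03> name is a user logged on at the console.
    for name, suffix, ntype, _ in entries:
        if suffix == "03" and ntype == "UNIQUE" and name != summary["computer_name"]:
            summary["logged_on_users"].append(name)
    m = MAC_RE.search(table)
    if m:
        summary["mac"] = m.group(1).upper()
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TABLE).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows why the null session matters: without any credentials the caller learns the machine name, the INTERNET domain, that a user named ADMINISTRATOR is logged on, that shares are offered, that IIS is running and that the box is the subnet's master browser. That is exactly the reconnaissance the RestrictAnonymous setting and port filtering described next are meant to deny.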
Look, using only the commands that come with the system we obtained this much information. So is there a way to stop others from getting it?
A simple registry modification is enough:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Value name: RestrictAnonymous
    Data type: REG_DWORD
    Value: 1
But if you do not need to offer shares at all, why not disable them? The method in Windows 2000 differs slightly from NT4: it does not restrict the NetBIOS binding on TCP/IP, but we can open the Advanced options in the Internet Protocol (TCP/IP) Properties panel, select TCP/IP filtering, enable TCP/IP filtering, and finally choose to permit only selected TCP ports and add the ports you want to open.
A strange system crash feature
In addition, Windows 2000 has a strange feature: a user at the console holds down the right Ctrl key and presses Scroll Lock twice, and the entire Windows 2000 system crashes completely. At the same time a complete dump of the current system memory is written under C:\WinNT, in a file named Memory.dmp. This feature is disabled by default, but it can be activated by modifying the registry:
1. Run regedt32.exe (the Windows 2000 32-bit Registry Editor).
2. Select the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters.
3. Create a new DWORD value.
4. Name the value CrashOnCtrlScroll.
5. Set it to a non-zero value.
6. Exit and restart.
When all this is done, you can try to crash the system; after pressing the keys the following message appears:
*** STOP: 0x000000E2 (0x00000000, 0x00000000, 0x00000000, 0x00000000) The end-user manually generated the crashdump.
It is worth noting that this strange feature also exists in Windows NT 4; I don't know whether it is a small trick of Microsoft's programmers. But in the hands of a hacker or a virus it is very dangerous.
Telnet denial of service attack
Telnet in Windows has always been one of the favourite network utilities of network administrators, but a new vulnerability shows that the Telnet daemon in Windows 2000, while a session is being initialized and has not yet been reset, is easily hit by an ordinary denial of service attack. In February 2000, denial of service attacks became the nightmare of almost all large websites. After a Telnet connection is made and the initialization dialogue has not been reset, if the connecting user does not supply a user name and password within a certain interval, the Telnet session times out; however, the connection is not reset until the user enters a character. If a malicious user connects to the Telnet daemon of Windows 2000 and the connection is not reset, he can effectively prevent any other user from connecting to the Telnet server, mainly because the maximum number of Telnet client connections at that point is 1. During this period any other user who tries to connect to the Telnet server receives the following error message:
Microsoft Windows Workstation allows only 1 Telnet Client License
Server has closed connection
The "List Current Users" option does not display the timed-out session, because the session has not passed authentication.
IIS service leaks file contents
This vulnerability was found by the NSFOCUS security team. When Microsoft IIS 4.0/5.0 (Far East editions) processes an HTTP request containing an incomplete double-byte encoded character, it can leak the contents of files in the web directory to remote attackers.
The Far East editions of Microsoft IIS (Simplified and Traditional Chinese, Japanese and Korean) use double-byte character encodings because of the scripts they support. When IIS receives an HTTP request from a user and the file name contains a non-ASCII character, IIS checks whether that character is a lead byte of a double-byte encoding (for example, the Japanese lead bytes fall in two ranges: 0x81-0x9F and 0xE0-0xFC). If it is a lead byte, IIS goes on to check whether the next character is a trail byte. If there is no next character, IIS simply discards the lead byte, since it does not form a complete double-byte character. However, this processing causes IIS to open a different file from the one specified in the request.
By submitting a URL in a special format, an attacker can make IIS open a file of a type that would normally be processed by an ISAPI dynamic link library, without that DLL interpreting it, and obtain the file's contents. Depending on which ISAPI applications are installed, the attacker may obtain the contents of files in the web root or in virtual directories, whether plain text files (.asp, .ini, .asa, etc.) or binary files (.exe, etc.).
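The lead-byte handling described above, as an added example that is not part of the original article or of IIS itself: a small Python model of the check, with the lenient "drop the dangling lead byte" behaviour beside a hardened version that rejects the request instead. The lead-byte ranges are the ones the article quotes for the Japanese code page; the file name default.asp, the trailing 0x81 byte and the one-entry ISAPI mapping table are constructed assumptions used only to show how the handler choice and the file open can end up looking at two different names.

```python
# Lead-byte ranges quoted in the article for the Japanese double-byte encoding.
LEAD_RANGES = ((0x81, 0x9F), (0xE0, 0xFC))

# Constructed stand-in for the server's script mapping: which extensions an
# ISAPI DLL interprets instead of the file being sent verbatim.
ISAPI_MAP = {b".asp": "asp.dll"}


def is_lead_byte(b: int) -> bool:
    return any(lo <= b <= hi for lo, hi in LEAD_RANGES)


def has_incomplete_dbcs_tail(name: bytes) -> bool:
    """True when the name ends with a lead byte that has no trail byte after it."""
    i, n = 0, len(name)
    while i < n:
        if is_lead_byte(name[i]):
            if i + 1 >= n:
                return True          # lead byte is the last byte: incomplete pair
            i += 2                   # lead + trail consumed together
        else:
            i += 1
    return False


def strip_incomplete_lead(name: bytes) -> bytes:
    """Lenient behaviour the article describes: silently discard a dangling lead byte."""
    return name[:-1] if has_incomplete_dbcs_tail(name) else name


def extension(name: bytes) -> bytes:
    dot = name.rfind(b".")
    return name[dot:] if dot >= 0 else b""


def vulnerable_dispatch(request_name: bytes):
    """Model of the flaw: the handler is chosen on the raw name, but the file is
    opened on the stripped name, so the two decisions disagree."""
    handler = ISAPI_MAP.get(extension(request_name), "static")
    opened = strip_incomplete_lead(request_name)
    return handler, opened


def hardened_dispatch(request_name: bytes):
    """Reject malformed encoding before any routing decision is made."""
    if has_incomplete_dbcs_tail(request_name):
        return "400 Bad Request", None
    handler = ISAPI_MAP.get(extension(request_name), "static")
    return handler, request_name


if __name__ == "__main__":
    # Constructed request: a script name followed by a lone 0x81 lead byte.
    for name in (b"default.asp", b"default.asp\x81"):
        print(name, "vulnerable ->", vulnerable_dispatch(name),
              "hardened ->", hardened_dispatch(name))
```

With the trailing lead byte, the vulnerable path sees the extension ".asp\x81", finds no ISAPI mapping, selects the static handler, and then opens default.asp after the byte has been dropped: the script source is sent as plain text. The hardened path refuses the request as soon as the encoding is found to be incomplete, so there is no longer a gap between what was routed and what was opened.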
How hackers exploit this using Unicode: Unicode (the unified character encoding standard, which encodes characters as double bytes) can be said to be the most popular intrusion method of recent times; just recently several large websites, including Jiangmin Company's, were attacked by this means. So let's talk about this easy-to-use Unicode vulnerability for breaking into IIS.
As mentioned above, because the double-byte editions of Windows 2000 handle certain special characters differently from the English edition, an attacker can use this IIS vulnerability to bypass the directory checks of IIS and execute commands.
http://server/scripts/..