Telnet intrusion

xiaoxiao2021-03-06  17

1. What is Telnet

Different people understand Telnet differently: you can regard Telnet as a communication protocol, but for an intruder Telnet is simply a remote login tool. Once the intruder has established a Telnet connection with the remote host, the intruder can use the software and hardware resources of the target host, while the intruder's own machine is reduced to a terminal with nothing but a keyboard and a display.

2. What do intruders use Telnet for?

(1) Telnet is the preferred means of controlling a host

In the preceding sections, an intruder who wanted to execute commands on a remote host had to establish an IPC$ connection, then view the system time with the NET TIME command, and finally create a scheduled task with the AT command to run the command remotely. That method does execute commands remotely, but Telnet is far more convenient: once the intruder has established a Telnet connection with the remote host, the remote computer can be controlled just like the local one. Telnet is therefore the remote control method intruders favour, and once they have managed to obtain administrator privileges on a remote host, they will generally log in with Telnet.

(2) Used as a springboard

Intruders call this a "jump board" (springboard). They frequently use this method, hopping from one compromised host (a "broiler" in intruder slang) to another so that their own IP address is not exposed during the intrusion. This process is described in detail in Chapter 5.

3. About NTLM authentication

Because Telnet is so powerful, it is also one of the login methods intruders use most often, so Microsoft added authentication to Telnet, called NTLM authentication. It requires that the Telnet client have a username and password that satisfy the NTLM authentication relationship with the host running the Telnet service. NTLM authentication greatly enhances the security of Telnet hosts; like a roadblock, it turns away a great many intruders.

4. Logging in with Telnet

- Login command: telnet host [port]

- Command to disconnect the Telnet connection: exit

To establish a Telnet connection successfully, besides an account and password on the remote computer, the "Telnet service" must also be turned on and NTLM authentication removed. A dedicated Telnet tool such as STERM or CTERM can also be used to connect.

2.3.2 Typical Telnet intrusion

1. Typical intrusion steps

Step 1: Establish an IPC$ connection. Here Sysback is the backdoor account established earlier; the command is shown in the figure.

Step 2: Turn on the Telnet service, which is disabled on the remote host, as shown in the figure.

Step 3: Disconnect the IPC$ connection, as shown in the figure.

Step 4: Remove NTLM authentication. If NTLM authentication on the remote computer is not removed, logging in to the remote computer fails, as shown in the figure.

Intruders, however, use various means to render NTLM authentication ineffective. There are many ways to remove NTLM authentication; some common methods are listed below to show how intruders do it.

(1) Method 1

First, create on the local computer an account with the same username and password as the one on the remote host, as shown in the figure.

Then find "Command Prompt" via "Start" → "Programs" → "Accessories", right-click "Command Prompt" and select "Properties"; the dialog shown in the figure is displayed.

Tick "Run as different user", then click the "OK" button. Next, find "Command Prompt" again in the same path and open it with the left mouse button to get the dialog box shown in the figure. Type the "User name" and "Password" as shown.

After clicking "OK", the MS-DOS window appears; use it to log in, as shown in the figure.

Type the "telnet 192.168.27.128" command and press Enter, then type "y" at the resulting prompt to agree to send the password and log in, as shown in the figure.

The final result is shown in the figure.

Figure 2-47 is the shell the remote host opens for the Telnet user; commands typed into this shell are executed directly on the remote computer.

For example, type the "net user" command to view the list of users on the remote host, as shown in the figure.

(2) Method 2

This method uses the tool NTLM.exe to remove NTLM authentication. First establish an IPC$ connection to the remote host, then copy NTLM.exe to the remote host, and finally run NTLM.exe through a scheduled task created with the AT command; the whole process is shown in the figure.

Once the scheduled task has run, you can type the "telnet 192.168.27.128" command to log in to the remote computer, as shown in the figure.

Finally, the login interface appears, as shown in the figure.

Type a username and password at this login prompt. If they are correct, you are logged in to the remote computer and obtain its shell.

After a successful login, the interface shown in the figure appears.

In addition, the program ResumeTelnet.exe that ships with OpenTelnet.exe can be used to restore NTLM authentication on the remote host. The command format is "ResumeTelnet.exe \\Server UserName Password", as shown in the figure.

The result of execution is shown in the figure.

According to the output in the figure, ResumeTelnet.exe shuts down the Telnet service on the target host and restores NTLM authentication.

Advanced Telnet intrusion guide

As the previous introduction shows, even if a computer uses NTLM authentication, intruders can easily remove it and log in with Telnet. If the intruder logged in on port 23, the administrator could easily discover it, but unfortunately intruders usually do not make their Telnet connections through the default port. So how do they change the Telnet port, and how do they modify the Telnet service to hide their tracks? Some common examples illustrate this process below, together with the tools needed to complete it.

- X-Scan: used to scan for hosts with weak NT passwords.

- OpenTelnet: used to remove NTLM authentication, open the Telnet service, and change the Telnet service port.

- Aproman: used to view and kill processes.

- INSTSRV: used to install a service on the host.

(1) About Aproman

Aproman views and kills processes from the command line and is not itself detected by anti-virus software. For example, if the intruder finds anti-virus software on the target host, any uploaded tool would be caught by it, so the intruder shuts down the anti-virus firewall before uploading tools. Usage is as follows:

C:\>aproman.exe -a               Display all processes

C:\>aproman.exe -p               Display the association between ports and processes (requires Administrator privileges)

C:\>aproman.exe -t [pid]         Kill the process with the specified process ID

C:\>aproman.exe -f [filename]    Save process and module information to a file

(2) About INSTSRV

INSTSRV is a command-line program that can install and uninstall services, with freely chosen service name and service executable. Its usage is as follows; more detailed usage is shown in Figure 2-61.

Install a service: instsrv <service name> <path to executable>

Uninstall a service: instsrv <service name> remove

There is also another excellent remote service management tool, SC. It is a command-line tool that can query, start, stop and delete services on a remote computer. Its usage is simple and is not introduced here. The example below shows how an intruder carries out a Telnet login and leaves a Telnet back door.

Step 1: Find hosts with weak NT passwords. In the "Scan modules" of X-Scan, select "NT-Server weak password", as shown in the figure.

Then set the scan range to "192.168.27.2 to 192.168.27.253" in the scan parameters, as shown in Figure 2.

After some time, the scan results are displayed as shown in the figure.

Step 2: Use OpenTelnet to open the Telnet service on the remote host, change the port on the target host, and remove NTLM authentication.

Whether or not the remote host has the "Telnet service" enabled, intruders can handle it with the tool OpenTelnet. For example, the command opentelnet \\192.168.27.129 administrator "" 1 66 removes NTLM authentication on host 192.168.27.129, opens the Telnet service, and changes the default Telnet login port 23 to port 66.

Step 3: Copy the required files (instsrv.exe, aproman.exe) to the remote host.

First establish IPC$, then copy the required files by mapping a network drive and pasting them into the C:\WinNT folder of the remote computer; the specific process is shown in the figure.

The result after a successful copy is shown in the figure.

Step 4: Log in with Telnet.

Type the command "telnet 192.168.27.129 66" in MS-DOS to log in to the remote host 192.168.27.129.

Step 5: Kill the firewall process.

If the intruder needs to copy a Trojan-like program to the remote host and execute it, they will first shut down the anti-virus firewall on the remote host. Although no Trojan-like program is copied to the remote host here, the process is still introduced. After logging in successfully, the intruder enters the C:\Winnt directory and uses the Aproman program: first list all processes with the command aproman -a, then find the PID of the anti-virus firewall process, and finally kill it with aproman -t [PID].

Step 6: Install a better-hidden Telnet service.

In order to log in to the computer again later, the intruder leaves a back door after the first login. Here we show how the intruder keeps the Telnet service permanently running by installing a system service. Before installing the service, it is necessary to understand how the Windows operating system provides the "Telnet service". Open Computer Management and view the properties of the Telnet service, as shown in the figure.

In the "Telnet Properties" window, the "Path to executable" points to "C:\Winnt\System32\tlntsvr.exe". Evidently the program tlntsvr.exe is what provides the "Telnet service" in Windows; that is, any service that points to this program will provide a Telnet service. An intruder can therefore create a new service pointing to tlntsvr.exe and log in through the Telnet service it provides, so that even if the Telnet service on the remote host is disabled, the intruder can still log in to the remote computer unhindered. This method is called the Telnet back door.

Here is how the above process is carried out. First enter the directory where INSTSRV is located, as shown in the figure. Then use INSTSRV.EXE to create a service called "SysHealth" and point it to C:\Winnt\System32\tlntsvr.exe: following the usage of INSTSRV.EXE, type the command "instsrv.exe SysHealth C:\Winnt\System32\tlntsvr.exe", as shown in the figure.

A service called "SysHealth" has been created successfully. On the surface it has nothing to do with remote connections, but in fact this service is the Telnet back-door service left by the intruder.

In "Computer Management" you can see that the service has been added to the remote computer. Intruders generally set the startup type of this service to "Automatic", and stop and disable the original "Telnet service", as shown in the figure.

Verification shows that although the Telnet service on the remote host has been stopped and disabled, the intruder can still control the remote host through Telnet. After these modifications, even when the administrator uses the "netstat -n" command to look at open ports, all that appears is port 66, which is the one now providing the Telnet service.
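The back door above is a second service whose executable is tlntsvr.exe, so an administrator can catch it by comparing every service's binary path against its name. The following script is an added example written for this page, not code from the original or from any of the tools it names; it parses constructed text in the layout of Windows `sc qc` output and assumes that only the service named TlntSvr should ever run tlntsvr.exe.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout of `sc qc <service>` output (not captured from a real host):
# the genuine Telnet service disabled, the SysHealth clone set to auto-start, and one unrelated service.
SAMPLE_SC_OUTPUT = r"""
SERVICE_NAME: TlntSvr
        START_TYPE         : 4   DISABLED
        BINARY_PATH_NAME   : C:\WINNT\System32\tlntsvr.exe

SERVICE_NAME: SysHealth
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\System32\tlntsvr.exe

SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\WINNT\system32\spoolsv.exe
"""

TELNET_EXE = "tlntsvr.exe"
GENUINE_SERVICE = "TlntSvr"      # the service name Windows itself registers for tlntsvr.exe

def parse_sc_qc(text):
    """Turn concatenated `sc qc` blocks into {service_name: {field: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        head = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if head:
            current = services.setdefault(head.group(1), {})
            continue
        field = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return services

def find_telnet_clones(services):
    """Names of services that run tlntsvr.exe under a name other than the genuine one."""
    return [name for name, cfg in services.items()
            if PureWindowsPath(cfg.get("BINARY_PATH_NAME", "").strip('"')).name.lower() == TELNET_EXE
            and name.lower() != GENUINE_SERVICE.lower()]

def audit(text):
    """Findings for an administrator: each clone, plus the tell-tale disabled genuine service."""
    services = parse_sc_qc(text)
    findings = [f"{n}: runs {TELNET_EXE} under a non-standard service name" for n in find_telnet_clones(services)]
    if findings and "DISABLED" in services.get(GENUINE_SERVICE, {}).get("START_TYPE", ""):
        findings.append(f"{GENUINE_SERVICE} is disabled while a clone exists (Telnet back-door pattern)")
    return findings
```

On a real host the input would be the concatenated output of `sc qc` for each service name listed by `sc query`.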

The netstat -n command is also introduced here. It is used to view the current connections of the local machine, as shown in the figure. The "Proto" column is the protocol type of the current connection, such as TCP or UDP. "Local Address" is the IP address of the local host; it can be seen from the figure that the local host has two IP addresses, "192.168.0.2" and "192.168.27.1". "Foreign Address" is the IP address of the remote host. "State" is the current connection state, including ESTABLISHED, TIME_WAIT (waiting), SYN_SENT (connecting) and other states.
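The columns just described are enough for an administrator to spot a relocated Telnet port such as 66. The script below is an added example for this page, not part of the original; it parses constructed text in the layout of Windows netstat -n output and assumes a hypothetical per-host allowlist of server ports plus the Windows 2000/XP ephemeral port range starting at 1025.

```python
import re

# Constructed sample in the layout of Windows `netstat -n` output (not a real capture).
# Local port 66 is where the relocated Telnet service from the walkthrough would show up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.27.129:66      192.168.27.1:1057      ESTABLISHED
  TCP    192.168.27.129:139     192.168.27.1:1052      TIME_WAIT
  TCP    192.168.27.129:445     192.168.27.1:1060      ESTABLISHED
  TCP    192.168.27.129:1125    192.168.27.1:80        ESTABLISHED
  TCP    192.168.27.129:1130    192.168.27.1:21        SYN_SENT
"""

# Assumed allowlist of ports this host is expected to serve on (hypothetical, per host).
EXPECTED_SERVER_PORTS = {139, 445}
# Windows 2000/XP assign client-side (ephemeral) ports from 1025 upward, so a connection whose
# local port is in that range is normally outbound rather than a service on this host.
FIRST_EPHEMERAL_PORT = 1025

ROW = re.compile(r"\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")

def parse_netstat(text):
    """Parse the Proto / Local Address / Foreign Address / State columns into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header and blank lines
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                     "foreign_ip": fip, "foreign_port": fport, "state": state})
    return rows

def unexpected_server_connections(rows, allowed=EXPECTED_SERVER_PORTS):
    """Established TCP connections served on a local port that is neither ephemeral nor allowlisted."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["local_port"] < FIRST_EPHEMERAL_PORT and r["local_port"] not in allowed]

def suspicious_local_ports(text):
    """Sorted local ports an administrator should account for; [66] for the sample above."""
    return sorted({r["local_port"] for r in unexpected_server_connections(parse_netstat(text))})
```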

Frequently Asked Questions & Answers

1. Q: I have the username and password of the remote host, but connecting with OpenTelnet still fails, as shown in the figure. Why?

A: Judging from the returned error number "53", the target host has not started the Server service, or IPC$ is not available.

2. Q: How can I defend against Telnet intrusion?

A:

- Use strong account passwords to resist brute-force cracking.

- Disable the Telnet service.

- Because OpenTelnet works through IPC$, restricting IPC$ prevents some of these attacks.

- Install a network firewall.

Please credit the original source when reposting: https://www.9cbs.com/read-44091.html
