Title: Streamer Tool Implementation Analysis (LCX)
Author: Nemesis

When Streamer finds an administrator account with an empty password, the natural next step is to run commands on the remote machine with Streamer's NTCMD.EXE. But have you ever wondered how a command typed locally ends up executing on a machine where all we hold is a password? What does NTCMD.exe actually do?

NTCMD.exe is a console program invoked as NTCMD \\ip -u:username -p:password. In fact NTCMD is only a front end. What it really does is run pipecmd.exe \\ip -u:username -p:password command-you-entered, and pipecmd.exe carries out the actual work. Every command typed at the NTCMD> prompt (other than exit and bye) makes NTCMD.exe execute PIPECMD.exe once.

So how does pipecmd.exe run a command on the remote machine? Is there a mechanism in NT by which, once logged in, you can hand a command to a remote NT system, have it executed there, and get the result back? I do not know whether NT offers such a thing, but pipecmd.exe certainly does not rely on one. So what does it use?

After pipecmd.exe starts, it first uses the supplied IP address, user name and password to connect to \\ip\admin$, and then connects to \\ip\ipc$ in the same way (the WNetAddConnection2A import in the list at the end). If either connection fails it reports an error and exits. \\ip\admin$ is the remote machine's \winnt directory, and \\ip\ipc$ is the inter-process communication share used for remote logon; once the session to IPC$ is established you can start doing things on the remote machine.

With IPC$ and ADMIN$ connected, pipecmd.exe calls WaitNamedPipe to try to reach the named pipe \\ip\pipe\pipecmd_communicaton on the remote machine (the misspelling "communicaton" is the tool's own; the string appears in the list at the end). The obvious question is: how could the remote machine already have this named pipe waiting for you? It cannot, so at this point the connection to \\ip\pipe\pipecmd_communicaton fails. That is exactly what pipecmd.exe expects; it does not treat the failure as an error and quit.
pipecmd.exe next calls the Win32 resource-management functions FindResource and LoadResource (with LockResource and SizeofResource) to read a binary resource named "PipeCmdSrv". What is this resource? It is the behind-the-scenes hero of remote command execution. It is itself a console program, but unlike an ordinary console program it is a service executable. You can use VC to export the PIPECMDSRV resource from pipecmd.exe to a file PipeCmdSrv.exe; if you run that file directly it reports "This is a service executable!". Having read the PipeCmdSrv resource, pipecmd.exe calls CreateFile to create a file on the remote machine, \\ip\admin$\system32\pipecmdsrv.exe, and writes the resource into it. It then calls a series of Win32 service-control functions (OpenSCManager, CreateService, StartService) to install and start the PIPECMDSRV service on the remote machine. In effect pipecmd.exe is now running pipecmdsrv.exe on the remote machine, although strictly speaking it is the remote Service Control Manager that starts it, as a service.
The PIPECMDSRV service creates four named pipes on the remote machine: \\ip\pipe\PipeCmd_communicaton, \\ip\pipe\PipeCmd_stdoutXXXYYY, \\ip\pipe\PipeCmd_stdinXXXYYY and \\ip\pipe\PipeCmd_stderrXXXYYY. Here XXX is the name of your own machine and YYY is a number. So your machine's name is handed to the other side along with PipeCmdSrv (note the GetComputerNameA import in the list at the end), which is not exactly safe.

Now pipecmd.exe connects to \\ip\pipe\pipecmd_communicaton again, this time successfully, and sends the command the user typed (for example DIR C:\) to the PIPECMDSRV service on the other machine. On receiving it, the PIPECMDSRV service executes the command on that machine. I think pipecmdsrv probably runs the command through a cmd.exe whose standard input and output have been redirected. After the command runs, pipecmd.exe reads the output through the pipe \\ip\pipe\PipeCmd_stdoutXXXYYY. If the command is interactive, such as telnet xxx.xxx.xxx.xxx, pipecmd.exe also sends the user's input to PIPECMDSRV through \\ip\pipe\PipeCmd_stdinXXXYYY, where, I assume, it is redirected into cmd.exe. This is the secret of how NTCMD.EXE -> PIPECMD.EXE <-> PipeCmdSrv.exe executes commands on a remote machine.

Finally, two remarks. Writing this article is no great achievement; it simply struck me that if you really want to be a hacker, using tools is not enough. You must also know what these tools do and how they do it, and eventually write your own. I suspect many Streamer users have no interest in how its functions, such as NTCMD.exe or RemoteNC.exe, are implemented. Software need not be shared, but knowledge must be. I think Xiao Yan would not object to some of Streamer's implementation being discussed; the techniques involved are fairly low-level, and Xiao Yan may not have the time to write this up himself, so let one of us do it. I hope nobody turns on me and patches Streamer over this, or I am done for.

From: http://www.haiyang.net/safety/book/show.asp?Id=763
Appendix: disassembling pipecmd.exe with Win32DASM shows that it imports the following API functions:

ADVAPI32.CloseServiceHandle
ADVAPI32.CreateServiceA
ADVAPI32.InitializeSecurityDescriptor
ADVAPI32.OpenSCManagerA
ADVAPI32.OpenServiceA
ADVAPI32.SetSecurityDescriptorDacl
ADVAPI32.StartServiceA
KERNEL32.CloseHandle
KERNEL32.CopyFileA
KERNEL32.CreateFileA
KERNEL32.ExitThread
KERNEL32.FillConsoleOutputCharacterA
KERNEL32.FindResourceA
KERNEL32.GetComputerNameA
KERNEL32.GetConsoleScreenBufferInfo
KERNEL32.GetCurrentProcessId
KERNEL32.GetLastError
KERNEL32.GetModuleHandleA
KERNEL32.GetStdHandle
KERNEL32.LoadResource
KERNEL32.LockResource
KERNEL32.ReadConsoleA
KERNEL32.ReadFile
KERNEL32.SetConsoleCtrlHandler
KERNEL32.SetConsoleCursorPosition
KERNEL32.SetConsoleTitleA
KERNEL32.SetLastError
KERNEL32.SizeofResource
KERNEL32.Sleep
KERNEL32.WaitNamedPipeA
KERNEL32.WriteFile
MPR.WNetAddConnection2A
MPR.WNetCancelConnection2A
MSVCRT.__getmainargs
MSVCRT.__p___argc
MSVCRT.__p___argv
MSVCRT.__p___initenv
MSVCRT.__p__commode
MSVCRT.__p__fmode
MSVCRT.__set_app_type
MSVCRT.__setusermatherr
MSVCRT._beginthread
MSVCRT._controlfp
MSVCRT._except_handler3
MSVCRT._exit
MSVCRT._initterm
MSVCRT._iob
MSVCRT._mbsicmp
MSVCRT._mbsnbicmp
MSVCRT._splitpath
MSVCRT._XcptFilter
MSVCRT.exit
MSVCRT.fflush
MSVCRT.fprintf
MSVCRT.sprintf

and references the following strings:

"high"
"idle"
"INVALID Password"
"IPC$"
"nowait"
"p:"
"PipeCmd Service"
"PipeCmd_communicaton"
"PipeCmd_stderr"
"PipeCmd_stdin"
"PipeCmd_stdout"
"PipeCmdSrv"
"PipeCmdSrv.exe"
"Please Use NTCmd.exe Run This"
"realtime"
"u"
"U:"
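The import list matches the walkthrough step for step: WNetAddConnection2A for the ADMIN$ and IPC$ connections, OpenSCManagerA/CreateServiceA/StartServiceA for installing the service, WaitNamedPipeA for the control pipe, and GetComputerNameA for the client machine name that ends up in the std pipe names. Each of those steps leaves a trace on the victim, and the same "drop a service binary into ADMIN$, start it through the SCM, talk to it over named pipes" model is used by other remote-execution tools (Sysinternals PsExec copies PSEXESVC.exe the same way). The following is an added example, not code from the article or from Streamer: a detection sketch in Python that scans constructed telemetry for a freshly installed service that then creates the stdin/stdout/stderr pipe set, and recovers the client's machine name from the pipe name, the leak the article points out. The key="value" log format, the hostname ATTACKBOX, the number 1337 and the C:\WINNT paths are constructed for the example; the field names are modelled on the real System log Event ID 7045 ("A service was installed in the system") and Sysmon Event ID 17 ("Pipe Created"), but real deployments emit EVTX/XML, so the parser here is for the constructed format only.

```python
import re
from collections import defaultdict

# Constructed telemetry from the victim machine, in a simplified key="value"
# format invented for this example.  Field names follow the real events
# (System 7045: ServiceName/ImagePath/AccountName; Sysmon 17: Image/PipeName);
# the values (ATTACKBOX, 1337, C:\WINNT) are made up.  Lines 1-5 are the
# PipeCmd sequence from the article, the last two lines are benign noise.
SAMPLE_LOG = r"""
EventID=7045 ServiceName="PipeCmd Service" ImagePath="%SystemRoot%\system32\PipeCmdSrv.exe" StartType="demand start" AccountName="LocalSystem"
EventID=17 Image="C:\WINNT\system32\PipeCmdSrv.exe" PipeName="\PipeCmd_communicaton"
EventID=17 Image="C:\WINNT\system32\PipeCmdSrv.exe" PipeName="\PipeCmd_stdoutATTACKBOX1337"
EventID=17 Image="C:\WINNT\system32\PipeCmdSrv.exe" PipeName="\PipeCmd_stdinATTACKBOX1337"
EventID=17 Image="C:\WINNT\system32\PipeCmdSrv.exe" PipeName="\PipeCmd_stderrATTACKBOX1337"
EventID=7045 ServiceName="Print Spooler" ImagePath="%SystemRoot%\system32\spoolsv.exe" StartType="auto start" AccountName="LocalSystem"
EventID=17 Image="C:\WINNT\system32\lsass.exe" PipeName="\lsass"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Turn one key=value / key="value" record of the constructed format into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


# Pipes described in the article: a control pipe plus one pipe per standard
# stream, the stream pipes suffixed with <client machine name><number>.
# The regex is keyed to this tool's naming; another tool needs its own pattern.
CONTROL_PIPE = "pipecmd_communicaton"  # the misspelling is the tool's own
STD_PIPE_RE = re.compile(r"^\\?PipeCmd_std(in|out|err)([A-Za-z0-9_-]+?)(\d+)$", re.IGNORECASE)


def client_host_from_pipe(pipe_name):
    """Return (stream, client_host, number) for a PipeCmd_std* pipe, else None.

    Caveat: the tool does not delimit host and number, so a client hostname that
    itself ends in digits splits ambiguously (PC01 + 7 -> "PC", "017").  The leak
    is still there; only the exact split is uncertain.
    """
    m = STD_PIPE_RE.match(pipe_name)
    if not m:
        return None
    return m.group(1).lower(), m.group(2), m.group(3)


def detect(log_text):
    """Return findings as (rule, service name, detail) tuples."""
    findings = []
    installed = {}             # image basename -> service name, from 7045
    pipes = defaultdict(list)  # image basename -> pipe names, from Sysmon 17
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") == "7045":
            image = basename(rec["ImagePath"])
            installed[image] = rec["ServiceName"]
            # Rule 1: the tool discussed in the article, by its own strings.
            if "pipecmd" in image or "pipecmd" in rec["ServiceName"].lower():
                findings.append(("known-tool-service", rec["ServiceName"], image))
        elif rec.get("EventID") == "17":
            pipes[basename(rec["Image"])].append(rec["PipeName"])
    # Rule 2: behaviour.  A service installed in this window that then creates
    # a stdin+stdout pipe pair is plumbing a remote shell; the pipe name hands
    # us the client machine name (the article's "this is not safe").
    for image, names in pipes.items():
        if image not in installed:
            continue
        streams = {}
        for name in names:
            parsed = client_host_from_pipe(name)
            if parsed:
                streams[parsed[0]] = parsed[1]
        if {"in", "out"} <= set(streams):
            findings.append(("service-pipe-shell", installed[image], streams["out"]))
    return findings


if __name__ == "__main__":
    for rule, service, detail in detect(SAMPLE_LOG):
        print(f"{rule}: service={service!r} {detail}")
```

Rule 1 is a pure signature and fails the moment the resource is renamed; rule 2 keys on the sequence the article describes (service install followed by the std pipe set from the same image), which survives a rename as long as the pipe naming does. On a real host, correlate the 7045 event with the ADMIN$ file write (Event 5145 with \\*\ADMIN$ and the service file name) to tie the install back to the network logon that delivered it.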