IPC$ intrusion: attack and defense
Excerpt from "Hacker X Files"; author: iqst
1. What is IPC$? IPC$ (the name stands for Inter-Process Communication) is the share name of the "named pipe" resource, a named pipe opened for communication between processes. By supplying a trusted username and password, the two sides of a connection can establish a secure channel, exchange encrypted data over it, and so gain access to the remote computer. IPC$ is a feature introduced with Windows NT/2000; one of its characteristics is that only one set of credentials may be in use between the same two IP addresses at a time, so a second connection with different credentials is refused. Windows NT/2000 provides IPC$ from the moment the system is installed, and the default shares are enabled at the same time, that is, every logical drive is shared (C$, D$, E$ ...). Microsoft's intention was to make administration convenient, but as a side effect the security of the system is reduced. We often hear people talk about "the IPC$ vulnerability". In fact IPC$ itself is not a real vulnerability; I think what people mean by it is Microsoft's own "back door", the null session (Null Session). So what is a null session?
2. What is a null session? Before introducing null sessions we need to understand how a secure session is established. In Windows NT 4.0 a challenge/response protocol is used to establish a session with a remote machine; a successfully established session becomes a secure tunnel through which the two parties exchange information. The process runs roughly as follows: 1. The session requester (the client) sends a packet to the session recipient (the server) asking for a secure tunnel to be set up. 2. The server generates a random 64-bit number (the challenge) and sends it back to the client. 3. The client takes the 64-bit number generated by the server, encrypts it using the hash of the password of the account it is trying to establish the session with, and returns the result to the server (the response). 4. When the server receives the response it passes it to the Local Security Authority (LSA); the LSA verifies the response using the password hash it has stored for that user and so confirms the requester's identity. If the requester's account is a local account on the server, verification is done locally; if it is a domain account, the response is forwarded to a domain controller for verification. Once the response to the challenge has been verified, an access token is generated and sent to the client, and the client uses this token to access resources on the server until the session is terminated. That is, roughly, how a secure session is established. So what is a null session? A null session is a session established with the server without trust, that is, without supplying a username and password. Under the Windows 2000 access control model, however, even a null session must be given an access token.
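The challenge/response exchange in steps 1 to 4, as an added worked example that is not code from the article: a Python model of both sides in which the server issues a random 64-bit challenge, the client answers with a keyed hash of that challenge derived from its password hash, and the server-side check (the LSA's role in step 4) recomputes the answer from the password hash it stores, so the password itself never crosses the wire. The article describes the NT 4.0 era exchange; this example uses the NTLMv2 construction (HMAC-MD5 keyed by the NT hash) instead of the DES-based NT 4 response because it can be built from the standard library alone, and it reduces the NTLMv2 client blob to a fixed header plus a client nonce. MD4 is implemented inline because hashlib on many current systems no longer provides it. The account name, domain and passwords are made-up values.

```python
import hmac
import os
import struct
from hashlib import md5

# Added example, not code from the article. MD4 is implemented here only to compute
# the NT hash (MD4 over the UTF-16LE password); hashlib on many systems has no md4.
def md4(data: bytes) -> bytes:
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]   # word order 0,4,8,12,1,5,...
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):   # round 1
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2
            a, b, c, d = d, rotl((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3
            a, b, c, d = d, rotl((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    """NT hash as stored by the SAM / LSA: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over the upper-cased user plus domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), md5).digest()

def client_response(password: str, user: str, domain: str,
                    server_challenge: bytes, client_nonce: bytes) -> bytes:
    """Step 3 (client): answer the 8-byte server challenge without revealing the password.
    The blob is a simplified NTLMv2 client blob: header, zero timestamp, client nonce."""
    blob = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + client_nonce + b"\x00" * 4
    key = ntowf_v2(nt_hash(password), user, domain)
    proof = hmac.new(key, server_challenge + blob, md5).digest()
    return proof + blob

def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Step 4 (LSA): recompute the proof from the stored NT hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, md5).digest()
    return hmac.compare_digest(proof, expected)

def exchange(password: str, stored_nt_hash: bytes, user="alice", domain="CORP") -> bool:
    """One full step 1-4 exchange; user and domain are made-up values."""
    challenge = os.urandom(8)               # step 2: the server's random 64-bit challenge
    response = client_response(password, user, domain, challenge, os.urandom(8))
    return server_verify(stored_nt_hash, user, domain, challenge, response)

if __name__ == "__main__":
    stored = nt_hash("password")            # what the server keeps; never the password itself
    print("correct password accepted:", exchange("password", stored))
    print("wrong password accepted:  ", exchange("Password", stored))
```

A response captured on the wire is useless against a later session because the server picks a fresh challenge each time, which is the purpose of step 2; the comparison on the server side uses hmac.compare_digest so that a wrong response is not rejected faster than a nearly right one.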
Because no user credentials are verified while a null session is being established, that token contains no user information, and so the session cannot be used to exchange encrypted information. That does not mean the null session has no security identifier (SID, which identifies the user and where they come from): for a null session the SID in the LSA token is S-1-5-7, the SID of the null session, and the username is ANONYMOUS LOGON (this username can be seen in user lists but cannot be found in the SAM database; it is a built-in account of the system). The access token contains the following groups: Everyone and Network.
Within the limits set by the security policy, a null session is granted access to everything those two groups can access. So what can we do once we have a null session? On Windows NT, with the default security settings, it can be used to enumerate the users and shares on the target host, access shares, and read a small part of the registry; that is not of great value, and it is even less useful against Windows 2000, because from Windows 2000 onwards only Administrators and Backup Operators may access the registry over the network by default, which is not easy to arrange. From this we can see that such an untrusted session is not much use on its own. Seen as part of a complete IPC$ intrusion, however, the null session is an indispensable stepping stone, because from it we can obtain the list of users, and most weak-password scanning tools use exactly this user list to guess passwords; a successfully exported list of users greatly increases the chance that guessing succeeds. That alone shows the safety hazard a null session creates, so it is by no means useless. The following are some specific commands that can be used with a null session: 1. First, we establish a null session (of course, this requires the target to have IPC$ open) with the following command: C:\>net use \\<target IP>\ipc$ "" /user:"" and the reply is: The command completed successfully.
The above command contains four spaces: one between net and use, one after use, and one on either side of the empty password "".
2. View the shared resources of the remote host. After the null session has been established, use net view \\<target IP> to list the shares of the remote host; if a share is open it appears in the result, but this command does not display the default (administrative) shares.
3. View the current time of the remote host; everyone should know this one: net time \\<target IP>.
4. Get the NetBIOS name table of the target, which includes the logged-on user's name (for example with nbtstat -A <target IP>; this requires NetBIOS over TCP/IP, NBT, to be enabled on your own machine). The above is more or less how we commonly use null sessions; it seems there is a lot that can be done, but note one point: establishing an IPC$ connection leaves a record in the target's event log, whether or not the logon succeeds.
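The event log record mentioned in the last point, as an added example that is not from the article: a small Python detector that scans constructed, flattened Security log lines (event 4624 = successful logon, 4625 = failed logon, logon type 3 = network logon, which is what an IPC$ connection produces) for the null-session signature the article gives, the SID S-1-5-7 with account name ANONYMOUS LOGON, and then flags any source that follows a null session with failed logons against several different accounts, the enumerate-users-then-guess-passwords pattern described above. The log line format, hosts, timestamps and account names are constructed for the example; real events would be read from the Security log with the same fields.

```python
import re
from datetime import datetime, timedelta

NULL_SESSION_SID = "S-1-5-7"   # the SID the article gives for a null session (ANONYMOUS LOGON)

# Constructed sample log (not real data): flattened Windows Security events.
# 4624 = successful logon, 4625 = failed logon, logon type 3 = network (SMB/IPC$).
SAMPLE_LOG = """\
2024-05-01 09:12:03 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON SID=S-1-5-7 Source=10.0.0.5 Status=0x0
2024-05-01 09:12:04 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON SID=S-1-5-7 Source=10.0.0.5 Status=0x0
2024-05-01 09:12:05 EventID=4625 LogonType=3 Account=administrator SID=S-1-0-0 Source=10.0.0.5 Status=0xC000006D
2024-05-01 09:12:06 EventID=4625 LogonType=3 Account=backup SID=S-1-0-0 Source=10.0.0.5 Status=0xC000006D
2024-05-01 09:12:07 EventID=4625 LogonType=3 Account=alice SID=S-1-0-0 Source=10.0.0.5 Status=0xC000006D
2024-05-01 09:15:00 EventID=4624 LogonType=3 Account=svc-backup SID=S-1-5-21-1-2-3-1105 Source=10.0.0.9 Status=0x0
2024-05-01 09:16:00 EventID=4624 LogonType=3 Account=ANONYMOUS LOGON SID=S-1-5-7 Source=10.0.0.12 Status=0x0
"""

LINE = re.compile(
    r"(?P<ts>\S+ \S+) EventID=(?P<event>\d+) LogonType=(?P<logon_type>\d+) "
    r"Account=(?P<account>.+?) SID=(?P<sid>\S+) Source=(?P<source>\S+) Status=(?P<status>\S+)$"
)

def parse_events(text: str) -> list[dict]:
    """Parse the flattened lines into dicts; lines of another shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["event"] = int(e["event"])
        e["logon_type"] = int(e["logon_type"])
        events.append(e)
    return events

def null_sessions(events: list[dict]) -> list[dict]:
    """Successful network logons under the anonymous SID: IPC$ null sessions."""
    return [e for e in events
            if e["event"] == 4624 and e["logon_type"] == 3 and e["sid"] == NULL_SESSION_SID]

def null_session_sources(events: list[dict]) -> set[str]:
    return {e["source"] for e in null_sessions(events)}

def enumeration_then_guessing(events: list[dict], window: timedelta = timedelta(minutes=5),
                              min_accounts: int = 3) -> dict[str, list[str]]:
    """Sources where a null session is followed within `window` by failed logons against
    at least `min_accounts` distinct accounts: user enumeration followed by password guessing."""
    flagged = {}
    for ns in null_sessions(events):
        failed = {e["account"] for e in events
                  if e["source"] == ns["source"] and e["event"] == 4625
                  and ns["ts"] <= e["ts"] <= ns["ts"] + window}
        if len(failed) >= min_accounts:
            flagged[ns["source"]] = sorted(failed)
    return flagged

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("null sessions from:", sorted(null_session_sources(evs)))
    print("enumeration followed by guessing:", enumeration_then_guessing(evs))
```

In the sample, 10.0.0.5 opens two null sessions and then fails logons as three different accounts within seconds, so it is flagged; 10.0.0.12 opens a null session but does nothing further, so it is reported only as a null-session source. The window and account threshold are tuning knobs, not fixed values.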