Author: Purple Magic [panel members EST] Source: "Hacker X Files" written in October 2003, when I found the problem NTFS directory jump, wrote this post was published in the hacker X archives. At that time, I was the first to propose this jump promotion permission. I am now dedicated to 8-based friends, I wish you all a happy new year. Some methods and ideas to achieve improved permissions under the NTFS format partition to promote users from the World from the Microsoft Win2K operating system to adopt NTFS format partitions. The benefits of the NTFS format partition are self-evident, such as setting permissions and permission audits at all levels. I have been partitioning in the NTFS format, using NTFS format partitions on the operating system, as long as the allocation permissions settings will greatly enhance the security of the system. As for many benefits of NTFS partition format, I am not introduced in detail here. The NTFS partition seems to be a myth, many intruders cannot break through the permission review of NTFS partitioning and cannot carry out in-depth penetration, I have been blocked by NTFS in the previous HACKING to block multiple times, resulting in failure of the entire penetration Recently, I found a way to successfully improve the permissions under the setting of the other BT setting, and I don't dare to introduce to everyone in detail this article. Want to in-depth discussion, you must first learn how type of host settings currently using the NTFS format partition. One default settings first take a look at the default permissions settings User or Guest group permission to the system root directory. Take a look at the picture (1) Let's take a look at the default permission assignment of the Program Files directory. Please see Figure (2) As shown in Figure (2), it can be seen in the default NTFS format partition. Only: reading and running, listing the folder directory, reading (the guest group is also the same). We can do an experiment, I am now User login into the computer, then at the program files directory attempt to build a folder, please see Figure (3) I saw it? Refusal to access, explain that there is no write permission. Below we continue to see the Winnt directory, the host I tried is the win2k host. Please see the default permission assignment of the Winnt directory, or take the user group (the guest group is also the same), please look at the picture (4) Winnt directory and the proGram files directory is similar, I will not say more, everyone can see it. understood. There is also a key directory is the "Documents and Settings" directory. This directory typically stores the user's startup information, such as the favorites, start menus, document ... This directory folder is generally "administrators" "all users" ... ... Default NTFS Format Partition Lower Guest Group and User Group Without any permissions (such as Administrator folder), only read permissions on the All Users and Guest folders, without any write permissions. To finish the system partition, it is said that the system is permission other than the system partition. Generally, the authority of the Guest group is fully controlled by the authority of the system. Any operation can be made. I'm optimistic that I refer to the default. As for the default permissions, I will give you so much nonsense. I will tell you how to implement improvement permissions in the case of authority default assignment. There is basically the following ideas and methods. 1 Replacement Service Law: This approach is now widely used by black fans, and the method is to assume that the service loaded is not under the system partition, you can find the file corresponding to the service, and then use the back door, Trojan ... replace it This file. After the system restarts, you will automatically load this file that you replace it, so you will implement improvement permissions.
Analysis: The default NTFS format partition, all of the partition guests and user groups other than the system have full control, so it will lead to replacement services. 2 System Vulnerability is nothing to say to the upgrading permissions caused by system vulnerabilities, such as IDQ.DLL ISPC.EXE, such as DEBUG upgrading permissions and early input method vulnerabilities. 3 Using Serv-U Servudaemon.ini file upgrade permissions about this article I published in December magazine, detailed reading magazine. Analysis: Want to use this method to improve the permissions must be met, you must rewrite the servudaemon.ini file, and the user group and the guest group cannot modify servudaemon.ini in the NTFS format system partition, so this method has certain limits. For the system, the partition can be rewritten by default, this method can be utilized to implement improvement permissions. 4 Using the default 43958 port of Serv-U, upgrade permissions After the default installation Serv-U, the Serv-U defaults 127.0.0.1:43958 port, so only in this unit can connect to this management port. Serv-U default management account is Localadministrator, the default password is #L@'ak#.lk; 0 @p. After you get normal permissions, you can take this 127.0.0.1:43958. Map to your own IP address. (Note Problem: 127.0.0.1 This IP address is your local IP address) and then use the default management account to be localadministrator, password #L@lk@lk; 0 @p land, then use SEV-U remote management Implement improvement permissions. (For details, please see my "Successful infiltration Windows Server 2003") Analysis: In the default NTFS format partition, the guest group and the USER group member have executable permissions, so we can execute Port mapping tools to map 127.0.0.1:43958 ports, resulting in increase permissions. The above four is the most commonly used improvement permission. Of course, there are other ways, such as: sniffing, using other third-party software design defects, find the ASP file where the MSSQL account is located ... I will tell you more. By default, there are not many assignments for the default NTFS permission. Many of the security-safe administrators will not use the default permission allocation. I will tell you about it is not the default. Second non-default settings If the administrator specializes to change this default permission assignment, you can show that this administrator pays attention to safety, which should be set to a minimal permission than by default. I have encountered a metamorphosis host recently. Set the permissions very metamorphosis, I will see how it is allocated after it is broken, please see the picture (5) I saw it? The C drive has only the administrators group, which means that only the system administrator has full control over the system. Other users have no permissions. Let's take a look at the setting of the D disk, please look at the picture (6) Administrator also set the D disk to this. All remaining E, F, G are set to this. First, this host is a virtual host, the web is on the G disk, one of the virtual directories of the virtual directory, please see Figure (7) Only the web directory is fully controlled to the IIS account. These are all I later learned. Below I will tell you how I successfully implemented permissions under this setting. The IP address of this host is: 61.151.xxx.xxx.
Open port is: * 61.151.xxx.xxx | ___ 21 file transfer protocol [control] | ___ 220 serv-u ftp server v4.0 for Winsock Ready ..... | ___ 25 simple mail transfer | ___ 220 ESMTP ON WebEasymail [3.5.2.3] ready. | ___ 80 World Wide Web HTTP | ___ http / 1.1 404 Object Not Found..server: Microsoft-IIS / 5.0..date: Mon, 29 DEC 2003 22:53:46 gmt .. Content-type: text / html..content | ___ 1433 Microsoft-SQL-Server | ___ 3306 mysql server | ___ .... 3.23.56-nt ..... LRW} 2 ~ f #, ... ............ | ___ 5631 PcanywhereData I got a WebShell on the host through SQL INJECTION. Since it is WebShell that I have now got this host's guest group permission. But I found that when I execute the command, I found that there is no command to execute, and even the most basic DIR and Net User are not. Please see Figure (8) You cannot perform any commands with cmd.asp. Next, I changed a WebShell similar to the ocean top network ASP Trojan. Some operations can be performed. But finding only some operations can be made in the current directory. The virtual path under this website is: g: /Home/sh.Leocn.com, in addition to this folder, you can see the directory, please see Figure (7). I believe that many readers have also encountered such a situation, and the method of setting up the improvement permissions according to the default NTFS above. Because you don't go to this directory. Browse the C drive with Aspshell, there is no (set enough BT?), Please look at the picture (9) I estimate that the general invaders will basically give up. But what is the scan of the scan for the previous article noticed? This host opens 5631 ports, indicating that there is pcanywhere installed. Generally, everyone knows that the PCANywhere installation will be in: c: / program files / symantec pcanywhere / directory with * .cif file, get this file to break the PCANywhere password, and then connect to the entire host. But we are now browsing C: / Program Files / Symantec pcanywhere / directory. After finding the study, it is not yapping in c: / program files / symantec pcanywhere / directory with * .cif this file, in the c: / documents and settings / all users / application data / symantec / pcanywhere / this file will also have this file. . You can control the entire host like this file here. When I have arrived here, I will ask, you now have a C-disk to see how you take this CIF file? Oh, it can be obtained. The most important place this article is here, please continue to look down. Although it is not possible now, but you pay attention to observe the URL on ASP Trojan: http://www.xxx.com/music/a.asp?path=c:/ = C: & Ib = True.
I mentioned above this C: / Documents and settings / all users / application data / symantec / pcanywhere / this CIF file. Now let's change the URL of the ASP Trojan: http://www.xxx.com/music/a.asp? Path = c: / documents% 20and% 20Settings / All% 20Users / Application% 20Data / symantec / pcanywhere & oldpath = C : / Documents% 20and% 20Settings / All% 20Users / Application% 20DATA / SYMANTEC & IB = TRUE Enter the result of the return in the chart (10) Haha, how? It doesn't matter if you can't browse to the C drive. We can jump directly to this directory. You don't think that you can't browse the C drive, you can explain what your directory under the C is browsing. C: / documents and settings / all users / application data / symantec / pcanywhere / directory is a good example. Browse to the file directly to download this file. Then you can get a password with a stream. Please see the picture (11) After the crack, you can explain the Administrator privilege of this host. Next, enter the cracked username password to connect with the PCANYWHERE control. Please see the picture (12) There are two situations here. 1 wait for administrators, then you control. (Comparative Danger) 2 You test whether the password cracked by PCANYWHERE is consistent with the host administrator. What are you waiting for? I am the same password. I logged directly to the host. Look at the picture (13) I am more fortunate, but many administrators' passwords are consistent. Even if you don't match, you can already restart the host at willing on the landing interface. It is nothing to penetrate here if it continues. Recently, Xue Lianpi also encounters a host that sets this as it is the same as the Administrator permission to use this way. Analysis of the above upgrades: This host is mainly promoted by my success. It is mainly because the administrator is too believed to be set to the C disk on the NTFS format. He thought that the USER or GUEST privilege group can not be browsed to C. All directorys are not browsing under all directories. Actually, not this, don't believe we look at the setting of the C: / Documents and Settings / All Users / Application Data / Symantec / PCANywhere / this directory. Please see Figure (14) User users can list files and directories to this folder, read, run, list files and directories. The methods and ideas mentioned above are just that I have unintentionally found it. I believe that many "cattle" people will say after reading: Just this? I will "I mostly despise this person." Pcanywhere Password file is in this folder. Many people know. But you will not be able to jump to C: / documents and settings without any directory. / ALL USERS / Application Data / Symantec / PCANYWHERE / this directory :) Others I will not say more. Three summatings: Improvement permissions under NTFS default rights are not difficult, Methods I believe in more than N But as the second paragraph of the article, I will only write this way, it is the jump directory. Of course, there are still a lot of directory that can jump, such as / inetpub /, but it's like jump There is nothing to go to it. Fortunately, it is now very special to install PCANywhere. Generally, I can use this to mention this method to successfully improve the permissions.
