Questions about IPC$, null connections, and default shares

Source: Internet
Author: User
Tags: net command

The first thing to note is that null connections and IPC$ are different concepts. A null connection (null session) is a session established with the server without credentials; in other words, it is anonymous access to the server. IPC$ is the named-pipe share used for inter-process communication; authenticating to it with a user name and password gives you the corresponding permissions, and many remote-administration tools depend on it. By default Windows also creates administrative shares to make remote management easier: the root of every logical disk (C$, D$, E$ ......) and the system directory, winnt or Windows (ADMIN$).

FAQs and answers:
1. How do I establish a null connection?
Run net use \\IP\IPC$ "" /User:"" to establish a null connection with the target (the target must have IPC$ available).
On NT with the default security settings, a null session can be used to list the target's users and shares, to see what the Everyone group is allowed to do, and to read a small part of the registry. On 2000 it yields less, is less convenient to use, and needs helper tools.

2. Why can't I connect to IPC$? (Note: by default, XP does not accept network logons with a blank password.)
(1) Only NT/2000/XP and later systems can establish an IPC$ connection. If you are using 98/Me, this function is not available.
(2) Confirm that your command is correct. The correct form is: net use \\targetIP\IPC$ "password" /User:"username"
Be careful not to add or drop spaces. The double quotes can be omitted if the user name and password contain no spaces; an empty password is written as "".
(3) Diagnose the cause from the returned error number:
Error 5, access denied: the account you are using probably does not have administrator rights on the target. Obtain higher privileges first.
Error 51, Windows cannot find the network path: a network fault.
Error 53, the network path was not found: the IP address is wrong; the target is switched off; the target's LanmanServer (Server) service is not running; or a firewall on the target filters the port.
Error 67, the network name cannot be found: your LanmanWorkstation (Workstation) service is not running, or the target has deleted IPC$.
Error 1219, the credentials conflict with an existing set of credentials: you already have a session with this host under another account. Delete it and connect again.
Error 1326, unknown user name or bad password: the cause is obvious.
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Net Logon service is not running.
Error 2242, the password of this user has expired: the target enforces an account policy that requires the password to be changed periodically.

3. How do I open IPC$ on the target?
First obtain a shell that does not depend on IPC$, such as SQL Server's xp_cmdshell, telnet, or a trojan, and make sure that shell has administrator rights. Then run net share IPC$ from that shell to create IPC$ on the target. As question 2 shows, there are still several conditions for using IPC$: make sure the required services are running, and start them if they are not (see the usage of the net command for details). If it still does not work, for example because a firewall is in the way and cannot be disabled, it is better to give up.

4. How do I map and access the default shares?
Run net use Z: \\targetIP\C$ "password" /User:"username" to map the target's C drive to your local Z drive, and likewise for the other drives.
If you have already established an IPC$ session with the target, you can access the shares directly by IP address plus the drive letter followed by $, for example: copy muma.exe \\IP\D$\path\muma.exe. You can also map them without giving a user name or password again: net use Y: \\IP\D$, then copy muma.exe Y:\path\muma.exe. If the path contains spaces, enclose the whole path in double quotes.

5. How do I delete drive mappings and IPC$ connections?
Run net use \\IP\IPC$ /del to delete the IPC$ connection to a target.
Run net use Z: /del to delete the mapped Z drive, and likewise for the other drives.
Run net use * /del to delete all connections; answer y to confirm.
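The following PowerShell is an added example and is not part of the original article. It wraps the net use commands from questions 1, 2, 4 and 5 and maps the "System error N has occurred." line that net.exe prints to the causes listed in question 2. It assumes an English-language net.exe (the regex is locale-specific); $Target, $User, $Password, $Share and $Drive are placeholders you supply, and 192.0.2.10 in the usage comments is a documentation address, not a real host.

```powershell
# Added example; not part of the original article. Wraps "net use" from questions
# 1, 2, 4 and 5 and maps the "System error N has occurred." line printed by net.exe
# to the causes listed in question 2.
# Assumptions: English net.exe messages (the regex below is locale-specific);
# $Target, $User, $Password, $Share and $Drive are placeholders you supply.

$IpcErrorHints = @{
    5    = 'Access denied: the account lacks the required rights on the target.'
    51   = 'Windows cannot find the network path: network fault on the way to the target.'
    53   = 'Network path not found: wrong IP, host off, LanmanServer stopped, or 139/445 filtered.'
    67   = 'Network name not found: local LanmanWorkstation stopped, or IPC$ deleted on the target.'
    1219 = 'Credential conflict: a session to this host already exists; delete it and retry.'
    1326 = 'Unknown user name or bad password.'
    1792 = 'Net Logon service not started on the target.'
    2242 = 'Password expired: the target enforces a maximum password age.'
}

function Invoke-NetUse {
    # Runs "net use <args>" and returns Success/Code/Hint/Output instead of raw console text.
    param([string[]] $NetArgs)
    $text = (& net.exe use $NetArgs 2>&1 | Out-String).Trim()
    $result = [pscustomobject]@{ Success = ($LASTEXITCODE -eq 0); Code = 0; Hint = ''; Output = $text }
    if ($text -match 'System error (\d+) has occurred') {
        $result.Code = [int] $Matches[1]
        $result.Hint = if ($IpcErrorHints.ContainsKey($result.Code)) { $IpcErrorHints[$result.Code] } else { "Not in the table above; run: net helpmsg $($result.Code)" }
    }
    $result
}

function Connect-IpcShare {
    # Opens \\Target\IPC$. With no -User and no -Password this is the null session of question 1.
    param(
        [Parameter(Mandatory)] [string] $Target,
        [string] $User = '',
        [string] $Password = ''
    )
    # Windows PowerShell silently drops empty-string arguments to native programs,
    # so pass the literal "" that net.exe expects for an empty password or user name.
    $pw  = if ($Password) { $Password } else { '""' }
    $usr = if ($User) { "/User:$User" } else { '/User:""' }
    Invoke-NetUse -NetArgs @("\\$Target\IPC`$", $pw, $usr)
}

function Mount-AdminShare {
    # Maps \\Target\<Share> (C$, D$, ADMIN$ ...) to a local drive letter (question 4).
    # Omit -User/-Password to reuse an IPC$ session already established to the same host.
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $Share,
        [Parameter(Mandatory)] [string] $Drive,   # e.g. 'Z:'
        [string] $User = '',
        [string] $Password = ''
    )
    $netArgs = @($Drive, "\\$Target\$Share")
    if ($User) {
        $pw = if ($Password) { $Password } else { '""' }
        $netArgs += @($pw, "/User:$User")
    }
    Invoke-NetUse -NetArgs $netArgs
}

function Disconnect-NetUse {
    # Removes one mapping or session, or all of them with '*' (question 5); /y skips the prompt.
    param([Parameter(Mandatory)] [string] $Name)   # 'Z:', '\\192.0.2.10\IPC$' or '*'
    Invoke-NetUse -NetArgs @($Name, '/del', '/y')
}

# Usage with placeholder values (192.0.2.10 is a documentation address, not a real host):
# $r = Connect-IpcShare -Target '192.0.2.10' -User 'administrator' -Password 'P@ssw0rd'
# if (-not $r.Success) { Write-Warning "net use failed with error $($r.Code): $($r.Hint)" }
# Mount-AdminShare -Target '192.0.2.10' -Share 'C$' -Drive 'Z:'
# Disconnect-NetUse -Name 'Z:'
# Disconnect-NetUse -Name '\\192.0.2.10\IPC$'
```

Errors that are not in the question 2 table are left to net helpmsg, which prints the text for any Win32 error number. Note that a blank -Password with a non-blank -User still sends an empty password rather than prompting, which is what the "" in the article's command does.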

6. I have connected to IPC$. What can I do now?
Connecting to the target's IPC$ with an account that has administrator rights means you can "talk" to the other system. You can use various command-line tools (such as the PsTools suite, the Windows 2000 Server Resource Kit, and telnethack) to gather information about the target and manage its processes and services. If the default shares are enabled on the target, you can upload a trojan and run it; you can also upload files with TFTP or FTP. Tools such as dwrcc, VNC and remoteadmin also provide direct screen control. If the target is Windows 2000 Server, you can also enable Terminal Services for convenient control. For the usage of the tools mentioned here, refer to their built-in instructions or the relevant tutorials.

7. How do I stop others from breaking into my machine through IPC$ and the default shares?
A. One way is to delete IPC$ and the default shares. They come back after a restart, so you also need to modify the registry.
1. First delete the existing shares:
net share IPC$ /del
net share ADMIN$ /del
net share C$ /del
............ (one for each drive)
2. Prevent null connections:
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the value RestrictAnonymous (DWORD) to 1.
3. Stop the default shares from being created automatically:
On Server, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareServer (DWORD) to 0.
On Workstation/Professional, in the same key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] set the value AutoShareWks (DWORD) to 0.
If the key or value does not exist, create it and then set the value. (These values stop the disk shares and ADMIN$ from being recreated; IPC$ itself is recreated whenever the Server service starts, which is why step 2 matters.)

B. The other way is to stop the service that provides IPC$ and the default shares (not recommended):
net stop LanmanServer
You may be told that service xxx will also be stopped and asked whether to continue; some dependent services rely on LanmanServer. Usually press Y to continue.
C. The simplest method is to set a complex password so that it cannot be brute-forced over IPC$. But if you have other vulnerabilities, IPC$ still makes further intrusion easier.
D. You can install a firewall or filter the ports. The firewall method is not covered here; for port filtering, see this article on configuring a local policy to block connections to ports 139/445: http://www.sandflee.net/txt/list.asp?Id=98
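The following PowerShell is an added example and is not part of the original article. It applies method A above: it writes the RestrictAnonymous and AutoShareServer/AutoShareWks values from question 7, deletes the administrative shares that currently exist, and provides a read-only check of the registry state. Key and value names are the ones given in the article; the function and parameter names are my own. It must be run from an elevated prompt, and the AutoShare* values only take effect when the Server service next starts.

```powershell
# Added example; not part of the original article. Applies the registry settings from
# question 7(A), removes the administrative shares that exist right now, and lists what
# is left. Run from an elevated prompt. The AutoShare* values take effect when the Server
# service next starts and control the disk shares and ADMIN$ only; IPC$ is recreated by
# the service regardless, so RestrictAnonymous is what limits what a null session sees.
# Key and value names are the ones given in the article; function names are my own.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Set-DwordValue {
    # Creates the key if needed and writes (or overwrites) a REG_DWORD value.
    param([string] $Path, [string] $Name, [int] $Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-AdminShare {
    # Parses "net share" output and returns the hidden shares (names ending in $).
    # Note: any user-created hidden share (for example backup$) is returned too.
    & net.exe share | Out-String -Stream | ForEach-Object {
        if ($_ -match '^(\S+\$)\s') { $Matches[1] }
    }
}

function Disable-DefaultShares {
    param([switch] $Workstation)   # NT Workstation / 2000 Professional / XP; servers use AutoShareServer
    # Step 2: block null-session enumeration of users and shares.
    Set-DwordValue -Path $LsaKey -Name 'RestrictAnonymous' -Value 1
    # Step 3: stop C$, D$, ... and ADMIN$ from being recreated at the next service start.
    $valueName = if ($Workstation) { 'AutoShareWks' } else { 'AutoShareServer' }
    Set-DwordValue -Path $SrvKey -Name $valueName -Value 0
    # Step 1: remove the shares that exist right now (the article's "net share X$ /del").
    foreach ($share in Get-AdminShare) {
        & net.exe share $share /delete /y | Out-Null
    }
    # Report anything that could not be removed.
    Get-AdminShare
}

function Test-DefaultShareHardening {
    # Read-only check: $true when both registry values are set as the article describes.
    param([switch] $Workstation)
    $valueName = if ($Workstation) { 'AutoShareWks' } else { 'AutoShareServer' }
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $srv = Get-ItemProperty -Path $SrvKey -ErrorAction SilentlyContinue
    ($lsa.RestrictAnonymous -eq 1) -and ($srv.$valueName -eq 0)
}

# Usage:
# Disable-DefaultShares                 # on a server
# Disable-DefaultShares -Workstation    # on Professional / Workstation
# Test-DefaultShareHardening -Workstation
```

Run Test-DefaultShareHardening after a reboot and pair it with net share to confirm that only IPC$ has come back; if a disk share reappears, the wrong AutoShare* value was set for the edition (Server versus Workstation).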
