Advanced Telnet intrusion strategy

Source: Internet
Author: User
1. What is Telnet?
Telnet means different things to different people. Formally it is a communication protocol, but for an intruder Telnet is simply a remote login tool. Once an attacker has established a Telnet connection to a remote host, the attacker can use the software and hardware resources of the target host; the attacker's own machine is then little more than a terminal with a keyboard and a display.

2. What do intruders use Telnet for?
(1) Telnet is the primary method of controlling a host.

As described in the previous sections, an intruder who wants to execute commands on a remote host must first establish an IPC$ connection, then use the net time command to read the system time, and finally use the AT command to create a scheduled task that carries out the remote command execution. That method works, but Telnet is far more convenient for the intruder: once a Telnet connection to the remote host is established, the remote computer can be controlled just like a local one. Telnet is therefore the remote control method intruders prefer, and after obtaining Administrator rights on a remote host they usually log on with Telnet.

(2) Used as a stepping stone

Intruders call a compromised host (a "zombie") that is used to hide their tracks a stepping stone. They log on from one zombie to another zombie, so that their own IP address is never exposed during the intrusion. This process is described in detail in Chapter 5.

3. About NTLM authentication
Because Telnet is so powerful and is one of the logon methods intruders use most, Microsoft added authentication to its Telnet service, known as NTLM authentication. It requires that the Telnet client not only know a user name and password valid on the Telnet server host, but also pass NTLM authentication, which is performed with the credentials of the account the client is currently logged on with. NTLM authentication greatly improves the security of the Telnet host and keeps a large number of intruders out.

4. Logging on with Telnet
Logon command: telnet host [port]

Command to disconnect a Telnet session: exit

To establish a Telnet connection successfully, it is not enough to know an account and password on the remote computer: the remote computer must also have the "Telnet Service" enabled and NTLM authentication removed. Dedicated Telnet clients such as sterm and cterm can also be used.

2.3.2 Typical Telnet intrusion
1. Typical Telnet intrusion steps
Step 1: Establish an IPC$ connection. In this example, sysback is the backdoor account created earlier.

Step 2: Enable the Telnet service, which is disabled on the remote host.

Step 3: Disconnect the IPC$ connection.


Step 4: Remove NTLM authentication. If NTLM authentication is not removed on the remote computer, the logon to the remote computer fails.

Intruders nevertheless have several ways of rendering NTLM authentication ineffective. The common methods are listed below to show how NTLM authentication is removed.


(1) Method 1

First, create on the local computer an account with the same user name and password as the one on the remote host.
Then choose Start > Programs > Accessories, find Command Prompt, right-click it and select Properties.
Check "Run as another user" and click OK. Then open Command Prompt again from the same path; a dialog box appears asking for credentials. Type the user name and password.
Click OK to get the MS-DOS window, then log on with Telnet from that window. Because the Windows Telnet client performs NTLM authentication with the credentials of the account the command prompt is running as, and that account matches one on the remote host, the remote host accepts the logon.
Type the command "telnet 192.168.27.128" and press Enter. In the window that appears, type "Y" to agree to send the password and log on.
Figure 2-47 shows the shell that the remote host opens for the Telnet user. Commands entered in this shell are executed directly on the remote computer.

For example, enter the "net user" command to view the user list on the remote host.


(2) Method 2

This method uses the tool NTLM.EXE to remove NTLM authentication. First establish an IPC$ connection with the remote host, then copy NTLM.EXE to the remote host, and use the AT command to run NTLM.EXE on the remote computer.

After the scheduled task has run NTLM.EXE, enter the "telnet 192.168.27.128" command to log on to the remote computer.
The logon prompt is displayed.
Enter the user name and password at the logon prompt. If they are correct, you are logged on to the remote computer and obtain its shell.

To restore the original state, the companion program resumetelnet.exe is run with the server name, user name and password as its arguments. After it has executed, resumetelnet.exe disables the Telnet service of the target host and restores NTLM authentication.
Advanced Telnet intrusion strategy
The previous sections show that even when a computer uses NTLM authentication, intruders can easily remove it and log on with Telnet. If the attacker logs on to the server through port 23, the administrator can spot it easily; unfortunately, intruders usually do not use the default port 23 for Telnet. How do intruders change the Telnet port and hide the Telnet service to cover their tracks? The following common examples illustrate the process and introduce the tools required to carry it out.

X-Scan: used to scan for hosts with weak NT passwords.

OpenTelnet: used to remove NTLM authentication, enable the Telnet service, and change the Telnet service port.

Aproman: used to view and kill processes.

Instsrv: used to install services on the host.

(1) Aproman overview

Aproman can view and kill processes from the command line and is not itself killed by anti-virus software. If, for example, intruders find that the target host runs anti-virus software, the tools they upload will be scanned and killed by it, so they disable the anti-virus firewall before uploading their tools. Usage is as follows:

C:\>aproman.exe -A    display all processes

C:\>aproman.exe -P    display the port-to-process association (Administrator permission required)

C:\>aproman.exe -T [pid]    kill the process with the specified process ID

C:\>aproman.exe -f [filename]    store process and module information in a file

(2) Instsrv overview

Instsrv is a program that installs and uninstalls services from the command line. You can specify the service name and the program the service executes. Its usage is as follows (see Figure 2-61 for details).

Install a service: instsrv <service name> <path of the program to execute>

Uninstall a service: instsrv <service name> remove

There is also an excellent service management tool, SC. It is a command-line tool that can query, start, stop and delete services on a remote computer from the local machine. Its usage is very simple and is not introduced here. The following example describes how intruders achieve a Telnet logon and leave a Telnet backdoor behind.

Step 1: Scan for hosts with weak NT passwords. In the scan module of X-Scan, select "NT-SERVER weak password".

In "scan parameters", specify the scan range as 192.168.27.2 to 192.168.27.253.

Wait a while to get the scan result.

Step 2: Use OpenTelnet to enable the Telnet service on the remote host, change its port, and remove NTLM authentication.

Whether or not the "Telnet service" is enabled on the remote host, intruders can handle it with the OpenTelnet tool. For example, the command

opentelnet \\192.168.27.129 administrator "" 1 66

removes NTLM authentication from the host with IP address 192.168.27.129, enables the Telnet service, and changes the Telnet logon port from the default 23 to port 66.

Step 3: Copy the required files (instsrv.exe and aproman.exe) to the remote host.

First establish an IPC$ connection, then copy the required files to the C:\winnt folder on the remote computer by mapping a network drive.
The files are copied successfully.

Step 4: Log on via Telnet.

In the MS-DOS window, type the command telnet 192.168.27.129 66 to log on to the remote host 192.168.27.129.

Step 5: Kill the firewall process.

If intruders need to copy Trojan-like programs to the remote host and execute them, they disable the anti-virus firewall on the remote host beforehand. Although no Trojan-like program is copied to the remote host in this example, the process is described here. After a successful logon, intruders change to the C:\WINNT directory and use the aproman program. First they run aproman -a to list all processes, then find the PID of the anti-virus firewall process, and finally use aproman -T [pid] to kill the anti-virus firewall.

Step 6: Install a more concealed Telnet service.

In order to log on to the computer again later, intruders leave a backdoor after the first logon. Here we describe how intruders install a system service to keep the Telnet service available permanently. Before installing the service, you need to know how the Windows operating system provides the "Telnet Service". Open "Computer Management" and view the properties of the "Telnet" service.

In the "Telnet Properties" window, "Path to executable" points to C:\winnt\system32\tlntsvr.exe. In other words, the program tlntsvr.exe is what provides the "Telnet Service" in Windows, so any service that points to this program will provide Telnet service. For this reason, an intruder can define a new service that points to tlntsvr.exe and log on through the Telnet service this new service provides. Even if the original Telnet service is disabled, the intruder can log on to the remote computer without hindrance. This method is called a Telnet backdoor. The process is implemented as follows. First change to the directory where instsrv is located.
Then use instsrv.exe to create a service named "syshealth" and point it at C:\winnt\system32\tlntsvr.exe. Following the instsrv usage, the command is:

instsrv.exe syshealth c:\winnt\system32\tlntsvr.exe

A service named "syshealth" is created. Although the service does not appear to have anything to do with remote connections, it is in fact a Telnet backdoor service left by the intruder.

"Computer Management" shows that the service has been added to the remote computer. Intruders generally set the service's startup type to "Automatic" and disable the original "Telnet" service.
Verification shows that although the Telnet service on the remote host has been stopped and disabled, intruders can still use Telnet to control it. After these modifications, even if the administrator uses the "netstat -n" command to view open ports, it is not obvious that port 66 is providing Telnet service.
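The defender's counterpart to this step, as an added example that is not part of the original article: a short Python script that audits a service inventory for exactly this pattern, any service whose executable is tlntsvr.exe but whose name is not the built-in TlntSvr, and reports whether the built-in service has been disabled while a look-alike is set to start automatically. The inventory text is constructed and only mimics the column layout of a `wmic service get Name,PathName,StartMode,State /format:csv` export; on a real host the same records can be read from the ImagePath and Start values under HKLM\SYSTEM\CurrentControlSet\Services\<name>.

```python
"""Audit a Windows service inventory for a telnet backdoor service: a service
registered under an innocuous name whose executable is tlntsvr.exe.
Added example, not the article's own code. The inventory below is
constructed and only mimics the column layout of
`wmic service get Name,PathName,StartMode,State /format:csv`."""
import csv
import io
from pathlib import PureWindowsPath

# Constructed inventory (not real data). wmic emits a blank first line,
# which parse_inventory() strips.
SAMPLE_INVENTORY = r"""
Node,Name,PathName,StartMode,State
HOST1,Spooler,C:\WINNT\system32\spoolsv.exe,Auto,Running
HOST1,TlntSvr,C:\WINNT\system32\tlntsvr.exe,Disabled,Stopped
HOST1,syshealth,C:\WINNT\system32\tlntsvr.exe,Auto,Running
HOST1,lanmanserver,C:\WINNT\system32\services.exe,Auto,Running
"""

TELNET_BINARY = "tlntsvr.exe"
BUILTIN_TELNET_SERVICE = "tlntsvr"   # the name Windows registers the Telnet service under


def parse_inventory(text):
    """Rows of the CSV export as dicts with the fields the audit needs."""
    reader = csv.DictReader(io.StringIO(text.lstrip()))
    return [{"name": row["Name"], "path": row["PathName"],
             "start_mode": row["StartMode"], "state": row["State"]}
            for row in reader]


def executable_name(path_name):
    """File name of the service binary, ignoring a quoted path or trailing arguments."""
    path_name = path_name.strip()
    if path_name.startswith('"'):
        exe = path_name[1:].split('"', 1)[0]
    else:
        exe = path_name.split(" ", 1)[0]
    return PureWindowsPath(exe).name.lower()


def audit_telnet_services(services):
    """Report the built-in Telnet service's start mode and every look-alike
    service that also runs tlntsvr.exe (the backdoor pattern)."""
    builtin_start_mode = None
    clones = []
    for svc in services:
        if executable_name(svc["path"]) != TELNET_BINARY:
            continue
        if svc["name"].lower() == BUILTIN_TELNET_SERVICE:
            builtin_start_mode = svc["start_mode"]
        else:
            clones.append({"name": svc["name"],
                           "start_mode": svc["start_mode"],
                           "state": svc["state"]})
    return {"builtin_start_mode": builtin_start_mode, "clones": clones}


def run_audit(text=SAMPLE_INVENTORY):
    return audit_telnet_services(parse_inventory(text))


if __name__ == "__main__":
    report = run_audit()
    print("built-in TlntSvr start mode:", report["builtin_start_mode"])
    for clone in report["clones"]:
        print(f"telnet binary registered as '{clone['name']}' "
              f"({clone['start_mode']}, {clone['state']})")
```

Matching on the executable rather than the service name is the point: the name is whatever the intruder chose, but the binary must still be tlntsvr.exe for the service to answer Telnet. A built-in service reported as Disabled next to an Auto-start clone is the combination the article describes.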

In addition, the netstat -n command is introduced here. This command shows the current connection status of the local machine. The "Proto" column lists the protocol of each connection, such as TCP or UDP. "Local Address" is the IP address and port of the local host; in the figure, the local host has two IP addresses, 192.168.0.2 and 192.168.27.1. The "Foreign Address" column is the remote host's IP address and port. The "State" column lists the current connection state, including ESTABLISHED (connection established), TIME_WAIT (waiting to close) and SYN_SENT (connection in progress).
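The observation that netstat -n alone does not reveal port 66 as Telnet points to the defender's fix: add the -o switch (netstat -ano, available on Windows XP and later, which is an assumption beyond the Windows 2000 era of the article) and tie each listening port back to its owning process. The following Python script is an added example, not from the original article; the netstat capture and the PID-to-image map below are constructed, the latter in the form tasklist would report.

```python
"""Parse `netstat -ano` output and tie listening ports to their owning
process, so a Telnet service moved to a non-standard port is still spotted.
Added example, not from the original article. The capture and the
PID-to-image map are constructed; the PID column assumes netstat -o
(Windows XP and later)."""

# Constructed `netstat -ano` capture taken on the audited host (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:66             0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    192.168.27.129:66      192.168.27.1:1034      ESTABLISHED     1412
  TCP    192.168.27.129:1040    192.168.0.10:80        TIME_WAIT       0
  TCP    192.168.27.129:1041    192.168.27.130:23      SYN_SENT        2088
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID-to-image map, as `tasklist` would report it on the same host.
SAMPLE_PIDS = {4: "System", 1412: "tlntsvr.exe", 2088: "telnet.exe"}


def _split_endpoint(endpoint):
    """'ip:port' -> (ip, port); '*:*' and IPv6 '[::]:port' are handled via rpartition."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows carry no state, PID is optional."""
    conns = []
    in_table = False
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Proto":          # header row: the table starts below it
            in_table = True
            continue
        if not in_table or tokens[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = tokens[0], tokens[1], tokens[2]
        rest = tokens[3:]
        if proto == "TCP":
            state = rest[0] if rest else ""
            pid = int(rest[1]) if len(rest) > 1 else None
        else:
            state = ""
            pid = int(rest[0]) if rest else None
        local_ip, local_port = _split_endpoint(local)
        foreign_ip, foreign_port = _split_endpoint(foreign)
        conns.append({"proto": proto, "local_ip": local_ip, "local_port": local_port,
                      "foreign_ip": foreign_ip, "foreign_port": foreign_port,
                      "state": state, "pid": pid})
    return conns


def state_counts(conns):
    """How many TCP connections are in each state (the column netstat -n explains)."""
    counts = {}
    for c in conns:
        if c["state"]:
            counts[c["state"]] = counts.get(c["state"], 0) + 1
    return counts


def listeners_owned_by(conns, pid_to_image, image_name):
    """Local TCP ports in LISTENING state whose owning process is image_name."""
    target = image_name.lower()
    return sorted({c["local_port"] for c in conns
                   if c["state"] == "LISTENING"
                   and pid_to_image.get(c["pid"], "").lower() == target})


def established_on_ports(conns, ports):
    """(foreign_ip, local_port) pairs for established sessions on the given local ports."""
    wanted = set(ports)
    return [(c["foreign_ip"], c["local_port"]) for c in conns
            if c["state"] == "ESTABLISHED" and c["local_port"] in wanted]


def audit(text=SAMPLE_NETSTAT, pid_to_image=SAMPLE_PIDS):
    conns = parse_netstat(text)
    telnet_ports = listeners_owned_by(conns, pid_to_image, "tlntsvr.exe")
    return {"states": state_counts(conns),
            "telnet_ports": telnet_ports,
            "telnet_sessions": established_on_ports(conns, telnet_ports)}


if __name__ == "__main__":
    print(audit())
```

On the constructed capture the audit reports port 66 as a Telnet listener because PID 1412 is tlntsvr.exe, and lists the session from 192.168.27.1 on that port. The port number tells you nothing; the owning image does.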
FAQs

1. Q: I have obtained the user name and password of the remote host, but OpenTelnet fails to connect. Why?

A: The returned error code 53 indicates that the Server service is not started on the target host, or that IPC$ is not available.

2. Q: How can I defend against Telnet intrusion?

A:

Ensure that accounts have strong passwords, so that they cannot be brute-forced.

Disable the Telnet service.

Since OpenTelnet works through IPC$, disabling IPC$ also prevents some of these situations.

Install a network firewall.
