{Attack} 1-obtain bots [Both For WinNT and 2000, and the platform is 2000]

First, let's use the scanner to detect host vulnerabilities!

Common include port scanners, CGI vulnerability scanners, and large scanners like streamer, which can scan everything. Let's talk about the principle of the scanner first!

If you are a and want to scan B, the process of creating three handshakes is usually as follows:

A -------- SYN -------> B

A <----- SYN/ack ------ B

A ------- ack --------> B

In this way, a connection is established, and many such scanning methods are established, so as to know which ports are opened by the peer and which powerful service scanners will be further tested! However, this TCP scan will leave a lot of records. If B's network administrator is not an idiot, he will start to pay attention to you !!

So we will use semi-open scanning (SYN), that is:

A -------- SYN -------> B

A <----- SYN/ack ------ B

A -------> \ B

A-connected --? <----- B

In this way, because B has never been confirmed, of course it will not record the IP address. But if B is very BT, then he will record Any SYN IP, then there is no way !!

After finishing the scan principle, let's talk about several scanning tools. One port is a path and the path to the system is displayed!
I recommend that you use both superscan and nscan outside China. If there is a problem with the Chinese version of superscan, we recommend you download the E version from WWW and peckerland.com. nscan is available in black and white! These two interfaces are simple, so I won't bother! I like superscan very much. His scanning is accurate and fast ~~ Large-scale scanning of a single port is also very good. We used it to scan 3389!

Here I will introduce streamer !! Xscan !! And Sss !!! I think everyone should be familiar with streamer! If you are a newbie, start with streaming !! The interface is cool! However, xscan, which uses streaming light as an attack tool rather than scanning tool, is the focus of security. It can be semi-open scanning !!

In addition, I think it is better to see the traffic flow on the scanning! Because I asked sharkstorm, he said that the streaming will leave traces on the other host, so I suspect that the streaming uses TCP scanning! So now I use xscan instead of streaming light for large-scale scanning! The next step is SSS. The latest version is 3.43. The registration machine of Version 3.41 is developed by redshadow. The full name is Shadow Security hacker, which can scan many vulnerabilities quickly and leaves few traces, detailed report generation. Sometimes the traffic or some domestic scanners will report false positives, and I often use it for detection. So when I intrude into a single machine, I use it !!!!

I recommend using the method of scanning weak nt passwords! Of course, it may be recommended that someone else scan weak SQL passwords, but the weak nt password on the internet is really much more than the SA is empty ~~ We first open the traffic light 4-> scan-> simple scan-> NT/98-> ip segment to start scanning, scan to many hosts with 139 enabled, and then the IPC host, right-click-> probe-> remote user detection, and many users and sharing will be scanned out, which may include weak passwords (see the killer's streamer tutorial). Here I will tell you a secret, there are many of them with the admin permission for guest. These passwords are generally empty. This is because this host has been cracked and someone has left a backdoor. This is cheap. Let's use it first!

As we have said before, I do not like to use streaming to scan, so here we use xscan to scan for weak nt passwords! Select the weak nt password in the scan option, and then set an IP address range so that the IP address can be scanned. The next step is to wait for the result to be fruitful. Next, let's talk about how to use it! As mentioned above, I like to use streamer for attack. Now let's see how powerful it is !! Traffic light 4-> Tools-> NT/IIS tools-> NT Remote pipeline command enter IP address, the user name you just scanned, and password (if it is blank, do not fill in) connection!

Ntcmd> net user

Check it out. Connect it ~~ . Let's add a user name.

Ntcmd> net user AAA 123/Add

The command is successfully completed.

Add to the Administrators group

Ntcmd> net localgroup administrators AAA/Add

The command is successfully completed.

Okay, so that the zombie will be ready. What? You want to make him a stepping stone? Okay. Let's continue. Traffic light 4-> Tools-> NT/IIS tools-> IPC growers, add IP addresses, user names, and passwords. Then, click Start. Then we can connect to the system via Telnet and debug snake's sksockserver. Note that you cannot install sksockserver using ntcmd. I will not talk about the specifics. You can refer to the instructions for yourself.

Of course, you can also put a bunch of backdoors. However, I like this:

Ntcmd> net use G: \ IP \ C $

The command is successfully completed.

In this way, we map his c disk to my g disk. Then I put another Trojan server and run it with ntcmd.
We can also capture C; \ winnt \ repair \ SAM. _, run lc3 to get the password of all users, or use a Trojan to catch the password !!

Of course, we can also telnet to run tlntadmn to modify the telnet port. How can we expand it? We still use ntcmd

Ntcmd> net View

......

Many machine names are shared with our bots.

For example, one of them is:

\ Love

We will:

Ntcmd> Ping-A love

In this way, his IP address is obtained. I usually use SSS to scan it again. Of course, you can also try it with your password to see if it can be entered.

The last step is to clean the footprints. We recommend that you use Xiao Rong's cleaniislog for convenience. For usage instructions, see! Remember, the first choice for intrusion into NT is absolutely 139, NETBIOS

In addition, you can use the 2000 Built-in Computer Management to connect to a computer. I will explain the other methods here:

The input method is basically out of the box ~~ However, if you scan a large number of bots, it may be better to use the SA of SQL to be empty, and directly use streaming to connect. After the connection, you can directly add an account, but sometimes it cannot be connected. For example, I have never been connected to a school data center. It is estimated that I have a hard firewall in the internal network. I have a good connection on 3389. But it will not improve if you always play this game! The second thing to note is that idq overflow and. printer vulnerabilities. I don't want to talk about these two vulnerabilities, because many people will use them, but they won't succeed. Here I will talk about the circumstances in which they will succeed. Generally, xscan is used. If ISAPI extensions are used, congratulations. If these two vulnerabilities are absolutely successful, I will try again and again. These two vulnerabilities are closely related to the IIS vulnerability. Therefore, do not be confused by the false positives of other scanners. The vulnerability library of Android has detailed descriptions of these two vulnerabilities.

Streaming is a good attack tool, and you will have a long experience with its exploits folder and Tools Folder.