Class "tomato garden" System Security Test

"Tomato garden" suffered from Waterloo, the website was arrested by the banned author, and recently the "tomato" was poisonous. As a matter of fact, there are countless transformed version systems like "tomato garden", and the installation volume is amazing. I will not comment on none of them, but the security of the "tomato garden" system is worrying.
It may be a convenient figure. The user chooses a system like "tomato garden. After such a system is installed, it can be directly used without optimization or installation tools. I don't know what the purpose is. "tomato garden" systems have huge security vulnerabilities. Generally, users are put into use without any security settings, causing frequent attacks to the system. The following is a simple security test.

Tools:

S Scanner

1. Remote logon test (port 3389)

Run the s scanner at the command prompt and enter the command "s syn **. 1 **. 133.1 **. 1 **. 138.254 3389 "scans hosts with port 3389 enabled in the CIDR block. In less than 10 seconds, the result is displayed. This IP segment has 365 active hosts, and port 3389 has nearly 102 hosts. (Figure 1)

　　

The Remote Desktop Connection Tool (mstsc. msc) is used to test the connection. A host with port 3389 is randomly located and connected. The connection is successful. Enter the username "administrator" and enter a blank password to test the connection. A message is displayed, indicating that a new user is currently logged on. In the past, a user with the username "new" was present. Click "OK" to display the user configuration page for the first login. in less than 10 seconds, the user entered and immediately logged out. (Figure 2)

　　

Log on with a new user with a blank password. The other user will exit immediately after reading the picture. The test was performed on other hosts with a success rate higher than 3389. In the test, some Windows SP Systems Support multi-user logon! After logging in, he cannot know a person without security awareness! Some hosts have a password set for the "new" account, but the "administrator" password is blank. Some users have set passwords, but the passwords are simple. You can guess them three or four times. For example, some simple weak passwords such as "123456", "winndows", and "adsl. (Figure 3)

　　

　　Analysis: These "tomato garden" systems do not know for any reason. In addition to an "administrator", the system has an "new" user and is also an administrator, all administrator passwords are empty. In addition, the "computer city edition" XP system supports remote logon by multiple users. This can be said to be the biggest vulnerability or backdoor. Attackers can leave the environment where no one is detected.

2. IPC $ test (port 139)

Run the s scanner at the command prompt and enter the command "s syn **. 1 **. 133.1 **. 1 **. 138.254 139 445 "scans hosts with ports 139 and 445 enabled in the CIDR block. The same time is very short, and the result is coming out immediately. port 445 is more open than port 3389, And it is roughly over 50%. What people cannot believe is that these hosts not only open ports 139 and 445, but also ports 3389 are open. (Figure 4)

　　

Randomly find an IP address and enter the "net use \ ** command at the" command prompt \**. 1 **. 135.253ipc $ "/user: administrator" means the administrator with an empty password connects to this IP address through IPC $. Prompt "command successful completion" to continue typing "net use z: \ **. 1 **. 135.253c $" to map the C drive of the host to the local drive letter Z. The prompt "command successfully completed" indicates that nothing can be done at this step until the detection ends. Even if the system of this host is down. (Figure 5)

　　

　　Analysis: This is also the sequent of the "tomato garden" system. The administrator "administrator" and "new" are empty passwords, and IPC $ is not disabled or set through group policies. Therefore, it leaves a huge vulnerability for the system. An attacker with intermediate computer level can control such a system through scanning.

3. telnet test (port 23)

Run the s scanner at the command prompt and enter the command "s syn **. 1 **. 133.1 **. 1 **. 138.254 23 ", scan the host with port 23 enabled for this CIDR block. In a short time, the result is displayed. There are 35 open ports 23 on 365 hosts online. (Figure 6)

　　

Use telnet to connect and test a random IP address. Run the following command: telnet **. 1 **. 134.242 failed to log on with the "new" blank password, and changed to the "adminstrator" empty password. The login was successful. (Figure 7)

　　

In this way, you can obtain a "shell" with administrator permissions. readers who have some basic "command line" operation experience know that, after obtaining "shell", the entire host is controlled.

Test other IP addresses and connect with the administrator or new empty password. The success rate exceeds 40%. Some of the IP addresses are vrouters with port 23 enabled. The default user "admin" is used, and the default password "admin" is used to connect successfully. Now that you control the vro, you can win more than just a host, and the entire LAN may fall! (Figure 8) (Figure 9)

　　

　　

　　Analysis: Why port 23 on a PC is incredible. Log on to these hosts to view system information and find a modified version of the XP system. We know that port 23 is disabled by default for the XP system of the installation version. The purpose of the system builder to open port 23 and then publish the system image is worth pondering.

　　Summary: The above is a very simple test with little technical content, but it is terrible because of this. Nowadays, the network is filled with various "tomato garden" systems. As individual users, they must improve their security awareness, master necessary security skills, and make the right choices when deploying the system, otherwise, the next intrusion will be you!