Ports attract unwanted attention: preventing attackers from capturing bots through port 135

Source: Internet
Author: User

With the new semester approaching, many students will be getting computers. Are these new computers well protected? Can their owners avoid becoming a hacker's zombie (bot)? Unfortunately, many new users do not know about, or ignore, the need to shield sensitive ports such as port 135. Once a hacker gets into your computer through port 135, he can control your machine. How should we prevent intrusion through port 135? The sections below explain.

TIPS: each computer system on the Internet opens multiple network ports at the same time, much like the doors in and out of a room. A door exists so that people can come and go, and a port exists so that different network services can exchange data. Just as a door can let in a thief, a network port can also attract many uninvited guests.

  I. Why is port 135 used to capture bots?

Today, most hackers use web Trojans to capture bots. Why do some hackers still remember port 135? There are two main reasons:

One reason is that port 135 is the port opened by the WMI service by default, so the range of machines that can be intruded is very wide. Because WMI is a service provided by Windows itself, it is convenient for intruding into a system: a single piece of script code is enough to manage the remote system. The WMI service opens port 135 by default, so WMI intrusion is also called port 135 intrusion.

Another reason is that a large number of machines have port 135 open. This may be because each year's new computer users lack security awareness or do not know how to disable the service. Worryingly, many machines with other dangerous ports open, such as 3389, can also be found on the network.

TIPS: WMI is short for Microsoft Windows Management Instrumentation, a service that allows you to manage computers remotely. In many respects it is very similar to the Remote Desktop system service. However, Remote Desktop is a graphical operation, while WMI is a command-line operation.

WMI depends on the Windows Management Instrumentation service. This service is started by default and is an important system service, which facilitates intrusion. Precisely because it can perform remote control operations, it lowers the security of the system, and so it is called a backdoor program that can never be killed.

  II. How do hackers use port 135 to capture bots?

Step 1: scan the network for remote systems with port 135 open. There are many scanning tools; the one used here is the common "S scanner", because it scans very quickly. Click the "Run" command in the Start menu, enter "cmd" to open the Command Prompt window, and enter the following command: S tcp 192.168.1.1 192.168.1.255 135 100/save.

The two IP addresses are the start and end addresses of the scan. The number after them is the port number to be scanned, and the number at the end is the number of scanning threads. A larger value means a faster scan. Note that many Windows systems have a default thread limit of 10, so a modification tool is needed to change this limit.

Tip: open the installation directory of the strongswan client and run bettersp2.exe, set the value to 256 in the "change to" option in the pop-up window, click "application", and restart the system.

Step 2: from the systems found with port 135 open, filter out the targets that can be intruded. Open result.txt, the IP address file in the S scanner directory, and delete the extra information in the text file so that only the IP addresses remain. Then run the brute-force cracking tool NTScan, which tries user names and passwords against the remote system.

In the NTScan window, set the IP address file in "host file", select the WMI scan type, and set "Scan port" to 135. Click "start" to begin. The addresses of all successfully cracked hosts are saved in ntscan.txt.

Step 3: use the Recton tool to upload the Trojan program. Click the implant label in the window, take an address from ntscan.txt, and add it to the remote host settings option. Select the "Http download" option, set the web link address of the Trojan program in the "file directory", and click the "start execution" button.

In this way, the Trojan program is uploaded to the remote host through port 135 and runs quietly in the system background. This method requires no action by the remote user, so its concealment and success rate are very high, and it is suitable for capturing bots in batches. However, the Trojan program to be uploaded must first be processed to avoid being killed by anti-virus software.

TIPS: when running hacker tools, you must first disable anti-virus software, because anti-virus software will clear them as viruses.

  III. Defense tips

1. Use a network firewall to block port 135 on the system. This makes the hacker's intrusion fail at the very first step. Ports such as 139, 445, and 3389 are also important to block.

2. Strengthen the account and password of the system administrator on the current system. For example, set the password to at least six characters, including numbers, uppercase and lowercase letters, and so on. In this way, the hacker tool cannot easily crack the password of our account, so even if our port 135 is found by a scan, it will not help the attacker.

3. Install the latest version of anti-virus software and update the virus database to the latest version. If possible, you are advised to use anti-virus software with active defense functions.
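
Defense tip 1 can be carried out with the built-in Windows Firewall. The script below is an added example, not part of the original article: it lists which of the four ports named above the machine is listening on, then creates a single inbound block rule for them. The rule name is a hypothetical label chosen for the example.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules).
$SensitivePorts = 135, 139, 445, 3389                         # ports named in defense tip 1
$RuleName       = 'Block inbound 135/139/445/3389 (example)'  # hypothetical rule name

# 1. Audit: which of these ports is the machine listening on, and which process owns it?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $SensitivePorts -contains $_.LocalPort } |
    Sort-Object LocalPort, LocalAddress -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = $proc.ProcessName
            # A loopback-only listener cannot be reached from the network.
            NetworkReachable = $_.LocalAddress -notin '127.0.0.1', '::1'
        }
    } | Format-Table -AutoSize

# 2. Block: create one inbound block rule covering all four ports.
#    The existence check makes the script safe to run more than once.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $SensitivePorts -Action Block -Profile Any | Out-Null
}

# 3. Verify: the rule is enabled, and the firewall itself is on for every profile.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize
```

In Windows Firewall a block rule takes precedence over allow rules, so this rule also stops inbound file sharing (445) and Remote Desktop (3389) to the machine; remove a port from the list if that service must stay reachable.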

(Wan lifu)

  Attack and Defense game

Hacker attack: using port 135 can indeed capture a large number of bots, but it takes a lot of time. As operating systems are constantly updated and defenses around port 135 are strengthened, this method has gradually become a novice's (cainiao) technique that real experts dismiss. There are many ways for hackers to capture bots. For example, we can also use Thunder to spread Trojans, which is a popular method for capturing bots.

Security protection personnel: since the intrusion comes through port 135, we only need to disable or restrict the related functions. As for Trojans bundled with Thunder, in addition to using Thunder's security feature during the download process, we can also use a web Trojan blocker tool. Whether it is a web page Trojan or a bundled Trojan, it will be intercepted and brought to the user's attention as soon as it runs.
