Description of the IPC$ vulnerability
Anyone who has used Windows 2000 knows that a default installation lets any user obtain the complete list of accounts and shares on the system over a null session (an anonymous connection to the IPC$ share). This was designed to make sharing resources and files on a LAN convenient, but any remote user can open the same null connection and retrieve your user list. People with bad intentions use it to harvest account names and then run dictionary attacks against the host. In addition, the system creates several hidden administrative shares at installation time, reachable as \\computername\C$ or \\IP address\C$ (likewise D$, E$ and so on). As a system administrator I used these shares to manage computers remotely and look at shared resources, without realising that they also leave a channel open for an attacker.
Hacker attack
Figure 1: Streamer main interface
Attackers use hacker tools to probe the servers I manage for the IPC$ vulnerability. The best known of these tools is "Streamer" (Figure 1). Pressing [Ctrl+R] opens the scan dialog (Figure 2). Enter the IP address range to scan, choose Windows NT/98 as the host type and start the scan; every Windows NT/98 machine that is online in that range is listed.
Figure 2: Scan dialog box
Right-click "IPC$ host" in the main window and choose "Probe all IPC$ user lists" from the "Probe" menu; the tool then retrieves the user list over IPC$ from every machine in the IP range. Worse, accounts with no password or a weak password are flagged in the same list (Figure 3). With the user list in hand the attacker can run a purpose-built password dictionary against each account. Nobody can guarantee that every user on a server has a strong password, so sooner or later one of these attempts succeeds.
Figure 3: Scan results
With a username and password, type \\IP address into the address bar of Internet Explorer. A dialog box asks for the username and password; after entering them the attacker is on the target machine, although only the folders the target deliberately shares are displayed. Entering \\IP address\C$ (or D$, E$ and so on) instead shows the entire contents of drive C (or D, E, ...) of the target, because the administrative shares expose whole volumes.
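The same null-session check, done from a PowerShell prompt with the built-in net.exe instead of the Streamer GUI, as an added example that is not part of the original article. The target address is an assumed lab host; run it only against machines you are responsible for.

```powershell
# Added example, not from the original article: check whether a host still
# accepts a null (anonymous) IPC$ session and what it hands out over it.
$Target = '192.168.1.10'           # assumed lab host, replace with your own
$env:NULLSESSION_TARGET = $Target   # --% below expands %VAR%, not $Var

# 1. Open the null session: empty password, empty user name.
#    --% stops PowerShell's own argument parsing so both "" reach net.exe
#    intact (older PowerShell versions silently drop empty-string arguments).
$null = net use --% \\%NULLSESSION_TARGET%\IPC$ "" /user:""
if ($LASTEXITCODE -ne 0) {
    Write-Host "No null session to \\$Target (RestrictAnonymous=2, a firewall or SMB hardening is in the way)"
    return
}
Write-Host "Null session established to \\$Target"

# 2. Ask the server for its share list over that session. On an unhardened
#    Windows 2000 host this lists the visible shares (C$, ADMIN$ stay hidden);
#    with RestrictAnonymous=1 the session is accepted but this call is denied.
net view "\\$Target"

# 3. Drop the session so the test leaves nothing behind.
net use "\\$Target\IPC$" /delete | Out-Null
```

If step 1 succeeds, the account enumeration the article attributes to Streamer is possible through the same session: the scanner simply asks the SAM over RPC for the account list. If step 1 fails with an access-denied or account-restriction error, the host already refuses anonymous sessions and only the shares the administrator deliberately published can be reached with a valid password.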
Prevent IPC $ vulnerability attacks
I was shocked when I learned that hackers had used this vulnerability to break into the system. I quickly made the passwords more complex, but no matter how complicated the passwords were, after a while we found signs of intrusion again. It seems you cannot have it both ways, and computer management is no different: convenience is not secure, and security is not convenient. So I had to use the following method to close the IPC$ hole, at the cost of no longer enjoying the convenience of the default shares.
1. Modify the Registry to disable null connections (IPC$)
Click [Start] → [Run], type "Regedit" and press Enter to open the Registry Editor. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa set the REG_DWORD value RestrictAnonymous to 1. This stops anonymous connections from enumerating accounts and shares. Note that 1 does not refuse the null session itself: on Windows 2000 a value of 2 does, but 2 can also break domain browsing and some trust relationships, and even with 1 some tools can still resolve account names through SID lookups, so treat this as one layer of defence rather than a cure.
2. Modify the Registry to disable the administrative shares C$, D$ and so on
Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters in the Registry.
On a server, add the value AutoShareServer of type REG_DWORD and set it to 0.
On a workstation, add the value AutoShareWks of type REG_DWORD and set it to 0.
The administrative shares (C$, D$, ADMIN$) disappear once the Server service restarts or the machine reboots. Deleting them by hand is only temporary, because they are recreated at every restart unless the value above is set. The IPC$ share itself cannot be removed; it is needed for named-pipe communication, and RestrictAnonymous is what limits what anonymous users may do with it. Remote administration tools that rely on C$ or ADMIN$ stop working after this change, which is the price of closing the channel.
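An audit-and-fix script for the three registry values above, as an added example that is not part of the original article. It is meant for an elevated PowerShell prompt on the machine being hardened; the -Fix switch and the table of wanted values are my own construction, and the values it sets are exactly the ones listed in steps 1 and 2.

```powershell
# Added example, not from the original article: report the three hardening
# values from steps 1 and 2 and, with -Fix, set them and drop the live shares.
param([switch]$Fix)   # assumed switch: without it the script only audits

$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Wanted state. RestrictAnonymous=1 blocks anonymous enumeration of accounts
# and shares; 2 would also refuse the null session but can break browsing and
# trusts, so the article's choice of 1 is kept. AutoShare* = 0 stops the
# Server service from recreating C$, D$ and ADMIN$ at the next start.
$wanted = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous'; Value = 1 },
    @{ Path = $lanman; Name = 'AutoShareServer';   Value = 0 },   # servers
    @{ Path = $lanman; Name = 'AutoShareWks';      Value = 0 }    # workstations
)

foreach ($w in $wanted) {
    $current = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    $state = if ($null -eq $current) { 'missing' }
             elseif ($current -eq $w.Value) { 'ok' }
             else { "set to $current" }
    Write-Host ("{0,-18} {1}" -f $w.Name, $state)

    if ($Fix -and $state -ne 'ok') {
        # REG_DWORD as the article specifies; -Force creates or overwrites.
        New-ItemProperty -Path $w.Path -Name $w.Name -PropertyType DWord `
                         -Value $w.Value -Force | Out-Null
        Write-Host ("{0,-18} -> {1}" -f $w.Name, $w.Value)
    }
}

if ($Fix) {
    # The registry value only prevents re-creation at the next service start;
    # shares that already exist are removed now so the change takes effect
    # immediately. IPC$ is deliberately left alone: it cannot be removed.
    foreach ($share in 'C$', 'D$', 'ADMIN$') {
        net share $share /delete 2>$null | Out-Null
    }
}
```

Run it once without -Fix to see which of the three values is missing or wrong, then with -Fix. Afterwards the null-session check from the attack section should still connect (RestrictAnonymous=1 does not refuse the session) but the share listing should be denied, and \\IP address\C$ should no longer exist even for a valid administrator account.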