How hackers hack into NT systems

Today's enterprises are generally used in the NT system, but also have to admit that the NT system is indeed very suitable for enterprises to use the operating system, but the "hacker" attacks led to the enterprise information security crisis ...

Get the NT administrator password what else can do, do not want to do anything. But what can be done? Can be a detailed answer will not be a lot, and many enterprise system administrators think the password is empty nothing, because they do not know what "hackers" will do. This article is about to get the NT administrator password to invade an enterprise computer group of the primary and intermediate methods, especially in a large enterprise, corporate system administrator password often related to the entire company's information leaks, as well as the company's data loss, seriously affecting the development and survival of an enterprise.

First, let's assume that the password for the administrator of one of the enterprise's servers is 192.168.0.1, while the other does not close port 139.

1. Intrusion of common shared resources

This kind of intrusion method can be said to be NT the simplest intrusion. Casually in their own machine which window of the address bar input "\\192.168.0.1" about 1-2 seconds, the other side will require you to enter the user name and password, enter the user name and password can be entered later, and you can see this server in the enterprise share resources. Because permissions are admin, you can almost delete anything from each other's shared resources. (If you set the share to read-only then there's no way.)

2. Default and hide the intrusion of shared resources

Before I talk about this intrusion method, let me introduce you to an NT ipc$ connection, by default the NT system has a special hidden share, which is ipc$ sharing. Ipc$ is a kind of pipeline communication specifically used in NT, and most of the communication between NT systems is done in ipc$ communication.

This technique is relatively clever, but it is very simple. But the key is to see how the "hacker" How to use, some people may only delete files, some people can use this to leave the back door, so that the next time if the password changes can use the back door to enter. Also in the machine casually open a window, enter "\\192.168.0.1" in the address bar will require a password, input later to see the same things as described earlier. OK, now also set up a good ipc$ connection, in fact, prompts you to enter the password from the input window also know is to establish a ipc$ connection. Then we again in the Address bar to enter the address, this time the input is a little different, the input "\\192.168.0.1\c$" will probably appear in the other party C disk all the content. Want to see the other side D plate? Similarly, enter "\\192.168.0.1\D$" to see the other side D plate. Then it would be easy to change the home page of the enterprise (if the other is a Web server). Remember that because the permissions are administrators can certainly write, leaving the back door to see the "hacker" idea slightly. Generally they will set up a batch file in C (suppose under c:\\winnt), assuming the file name is Hack.bat, and the content is generally:

NET user hack 1234/add (create a user named hack, password 1234) net localgroup Administrators Hack/add 
(let hack also administrator) 
del C:\Doc Uments and settings\administrator\ start \ menu \ program \ Start \hack.lnk (remove shortcuts in Startup folder
to eliminate footprint) 
del C:\winnt\hack.bat ( Remove Hack.bat This file erase footprint)

This allows the enterprise system administrator to secretly add a user to the next login. Of course, adding users is a relatively stupid way to leave the "back door", so in fact, a lot of "hackers" will put a small program can be resident memory, and then set up a similar batch files and shortcuts, then "hackers" can basically long-term ownership of this host in the enterprise.

Advanced means of 3.ipc$ connection intrusion

However, every "hacker" can not be so stupid, must wait until the next enterprise system Administrator landing will be able to occupy, often "hackers" will use more ingenious techniques, quickly left behind the door. First they set up a ipc$ connection, they will use a variety of methods backdoor, such as the Telnet service, "hacker" How to open the Telnet service? In fact, there are many ways, such as Microsoft itself out of a small program "Netsvc.exe" is specifically for the system administrator to establish a ipc$ connection after the remote Open service management tools, but the tool to the "hacker" the hands of nature has become an essential "hacker" tool. Enter "Netsvc \\192.168.0.1 telnet/start" under the command character about 5 minutes each other Telnet service opens, then "telnet 192.168.0.1" hehe ... Wait Requires NTLM authentication, and then the "hacker" stopped outside, then they will use a small program, is specifically shut down a NTLM authenticated program Ntlm.exe. "Copy ntlm.exe \\192.168.0.1\admin$\system32" copies Ntlm.exe to the System32 directory of the other enterprise server, of course, other names are also available. Replication passed, but how to let him run it? Of course, there are many ways. "Net time \\192.168.0.1" to see how much of each other's system is assumed to be 18:00. Now enter "at \\192.168.0.1 18:02 Ntlm.exe", and after a while, the command prompt displays the new task id=1, meaning that the other system runs Ntlm.exe this program at 18:02, wait until 18:02, and then "Telnet 192.168.0.1 "This time is prompted to enter the user and password, enter the resulting administrator username and password after the successful telnet to the enterprise server ...

But this is netsvc, and at the moment it is trouble, to introduce another method, first of all, thanks to Microsoft for the NT system administrator to provide a convenient management function, this function to the "hacker" hands can be said to be "hacker" the Gospel, without "hackers" again so troublesome input such a command. After establishing the ipc$ connection (the ipc$ connection is really a very powerful management connection), to open Computer Management in the local computer, click "Connect to Another computer" in "Computer Management (local)" In the Computer Management window, and enter "in name". 192.168.0.1 "OK, first of all your NT system will see whether to establish a ipc$ connection," There "on the connection, now you can directly manage the 192.168.0.1, such as looking at his log, start his service (including Telnet), manage his IIS, There's everything. More research, even log off the other side of the system currently landing users, restart the other computer, shut down the other computer has, is really powerful. NT system to the "hacker" hands, the entire system has become a "hacker" tool, but also a very powerful "hacker" tool. Telnet is started, but what about NTLM authentication? Simple, in the local computer to establish a user name and password the same user, if there has been changed to the same password, and then use the user in the local re-landing, "telnet 192.168.0.1" hehe ~ Even the password does not have to input! Because it's authenticated by NTLM.

Are the security-conscious enterprise system administrators now aware of the dangers of exposing the administrator's password? It's not finished yet. It's not over yet? The machines have been completely controlled by hackers-yes, not yet, see!

4. Deep invasion

This step requires a "hacker" has a wealth of experience, the actual operational ability requirements are very high, is no longer the text can be described clearly, the following can only be a rough introduction.

The

Hacker, of course, will not just stop immediately after tapping a server, he will penetrate into your intranet, especially in an enterprise, which is often a computer group. Those commercial spies "hackers" of course more want to invade the enterprise inside. And many enterprise system administrators like to set all the server password to the same, give "hacker" provides a good intrusion conditions. When you telnet to the other server, the computers in the entire workgroup or domain in the "net View" Enterprise are all in a show. Likewise in Telnet establishes the ipc$ connection after the same invasion as the invasion of this server. Previously said to establish a ipc$ connection is the use of the graphical interface, but this time no longer have a graphical interface, now assume the enterprise intranet 192.168.0.2 password and this server password is the same, then you can use the "net using \\192.168.0.2\IPC$ passwd /user:username "To establish the ipc$ connection, then the mapping drive disk, enter" net use Z: \\192.168.0.2\c$ "so that the 192.168.0.2 C disk map to the 192.168.0.1 of the z disk. Enter "Z:" To browse the 192.168.0.2 C disk as you would browse 192.168.0.1 's hard drive. And if he is a commercial spy "hacker", once found in the value of things naturally do not say what will happen in the future. Of course, this is often the best condition, in fact, there are a considerable number of enterprise system administrators will not set the same password. Now look at the network situation, if the invasion is just a primary domain controller, hey, that for commercial espionage is happy to die, quickly upgrade themselves into a domain administrator, the entire enterprise of a domain of the machine fell in his hands. Of course, in the hands of "hackers" this is a very good situation, but now the line of Microsoft row color more and more, but also according to the "hacker" experience of how much, determines the size of the opportunity to invade the intranet.

In an enterprise, a Web server is often connected directly to the Internet. And a patient "hacker", a business agent who wants to invade the business will certainly do whatever it takes to invade, one of the ways is to use Web services. The MIME vulnerabilities that Microsoft has seen this year are well worth using. Here's an introduction to MIME vulnerabilities, where MIME has problems dealing with malformed MIME types, an attacker can create a html,e-mail containing an executable file and modify the MIME header so that IE does not handle the MIME correctly, and executes the specified executable file attachment. With this vulnerability, hackers will replace the homepage of the Web server and insert the Memi Vulnerability code into HTML in the home page, allowing employees within the enterprise to run the specified program while browsing the home page of their company. (The enterprise is absolutely impossible to never look at their own home page, especially the business owners, they generally will not regularly check the home page.) Then they go on their homepage and silently execute the program specified by the hacker, which may or may not be the same as adding a user's batch file.

It can be seen from the above that once the NT system password leaks is a very dangerous thing, especially in an enterprise. At the same time, the topology of an enterprise network is also playing a very important role, and "hackers" in particular, commercial espionage used by far more than these, they can also use other means, such as e-mail and other means to get the company's internal sensitive information or confidential information.

5. Other intrusion

Others can also be invaded via port 3389. 3389 is the Win2000 system, and is a graphical interface, remote Management Service port. Once the hacker has the administrator password, the danger is also more intuitive. Another is through the management of IIS intrusion, by default, IIS provides a Web-mode management services, in the C:\inetpub\wwwroot there is a call iisstar.asp things, if you can access, and have the Administrator password (NT4 is not an administrator can also, As long as the legal account is NT, you can remotely manage IIS information services via the Web, and then control the entire machine in a special way, then the entire enterprise ...