Password psychology is actually applied to intranet 3389

This article is a casual article. It mainly lists several examples. In an intranet penetration, the Administrator's password is guessed by non-technical means.
 
This is a small part of the APT Penetration Process. The Remote Desktop of Windows 6. x core version has a feature, that is, when we connect to Windows 3389, some Windows will automatically display the welcome interface due to insufficient security settings.
When it allows connections to earlier versions of the system, such as Windows XP, based on the above points, some System Remote Desktop will automatically list the user name.
This situation is common in the intranet.
My goal here is an intranet cluster. Many machines have a total of three CIDR blocks and a PC system, but are configured as servers. Many machines have independent Internet ip addresses, however, the Internet cannot connect 3389, some only enable 80, some only enable 3389, and so on. The target is messy and not an administrator. It is difficult to collect passwords. For example:

Windows XP system Empty Password
Not to mention the Intranet. It is common, but in many cases, 3389 is restricted, and you will be prompted that you cannot log on to the cloud due to account restrictions...
In this case, consider taking other routes, such as 135,445.

Weak Windows 7 Password
There is a Windows 7 server. A total of eight users are listed on the welcome screen. Two or three servers in the same C segment also list several users.
These users have many weak passwords, such as 1234,12345, 123, or the user name and password are the same, for example, I met a wey/wey machine.

Password tips
After the login fails, click return. The system displays the password prompt...
1. The password prompt is: 8520. Okay, this is the password.
2. The password indicates that usual is obviously not a password. This is a common password. It is found that this password is consistent with the Web management password in the database.
3. password prompt 1. If there are three such passwords, the two are unlocked. One is consistent with the Web management password, and the other is 6 and the other is 1.
4. The password prompts "name + birth". This prompt requires a social engineer. I still have a real social engineer, from the Administrator's Facebook. As for the social engineering process, I searched the historical records of this ip address and found a domain name resolution record (expired), but the cache is still in progress. I checked the Administrator email address of the domain name holder, facebook can search by email. Add a friend.
5. Tip 54112: This prompt is very cool. I have no idea how to handle it. I suddenly dumped this string of numbers and entered them in the slot, 21145. I logged on.
6. I encountered a password prompt: 5678. After trying, the password was obviously not 5678. I thought about it, four digits, consecutive, 5 to 8, and successfully logged in with 1234.
7. The administrator user name smge password prompt is also smge, but the password smge is incorrect. An error occurred while logging on to SMGE in upper case. Later, the attempt to log on to Smge1234 (uppercase) was successful.
8. When a special password says "3j8s .... ", Nima, there are four points behind 3j8s. I don't know what it is after I break my head. Then I press more, Nima, 3j8s, and check 3 and s, the layout of 8 and j, including 2a, 4d, 5f, 6g, 7 h, 9 k, and 0l, are arranged and combined to form a symmetric 3s8j2a9k and 3s8j4d7h, 3s8j5f6g. The actual password is 3s8j2a9k. What is the password for the basic rule.
9. When "212" is displayed, the user name x. x. x. x and x. x. both x.212 machines are called LAB, x. x. the password for x.212 is displayed as lab, but ping 212 in the same C segment to obtain the ip address x. x. x.77, the user name is LAB212, And the password prompt 212 means the same as the LAB212 password. LAB212 password obtained through 80 webshell.
10. I just met a user name named no58, which is about 58th? The password prompt is name519. I entered name519. The password is incorrect. I entered no58519 again. The login was successful.

XP Intranet penetration into PC has XP method, Win7 has Win7 method, the benevolent sees the benevolent wise sees wisdom, this sentiment, write a essay only, the following is a few pictures, Grand jiale happy

Windows 7 Security Settings page:




Windows XP empty password:




Windows server 2012




At first glance, we can see that it is the zip code used as the password.




This weak explosion, 1 to 9:




Here is the multi-account welcome screen:




Guess what the password is:




The high school student ID and birthday are too good to find:






I really didn't come out here:




This password is not year, but the year of birth.




Password 123:




What is this guess: