I. Reconnaissance
Pinging www.111.com timed out, which could be a firewall or simply a policy of dropping ICMP. Sweeping it again with SuperScan showed many open ports, so a host that answers on TCP but not ICMP pointed, as a first guess, to a software (host-based) firewall.
II. Injection
Searching the page source for the keyword ASP, I found an injection point. Injecting with NBSI showed that the site logs into the database as sa; I added a user and the command reported completion. Haha, the administrator is clearly careless. First I uploaded a webshell, Laobing's ASP trojan. The rest is personal habit: when I break in I usually upload a webshell first and then use the webshell to escalate privileges on the system, because it makes everything during the intrusion much more convenient. I personally think this approach works well.
III. Privilege escalation
First check which ISAPI extensions currently run in-process:
cscript C:\Inetpub\AdminScripts\adsutil.vbs get /w3svc/inprocessisapiapps
Output:
Microsoft (R) Windows Script Host version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.
InProcessIsapiApps: (LIST) (5 Items)
"C:\WINNT\system32\idq.dll"
"C:\WINNT\system32\inetsrv\httpext.dll"
"C:\WINNT\system32\inetsrv\httpodbc.dll"
"C:\WINNT\system32\inetsrv\ssinc.dll"
"C:\WINNT\system32\msw3prt.dll"
Add asp.dll to the list (every path individually quoted, on one command line):
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /w3svc/inprocessisapiapps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\Winnt\System32\inetsrv\asp.dll"
Then use the ASP trojan to add a user, and this time the command reports completion. The reason it works: extensions in InProcessIsapiApps are loaded inside inetinfo.exe, which runs as LocalSystem, instead of in the out-of-process dllhost.exe that runs under the IWAM account, so once asp.dll is in-process the webshell's commands execute with SYSTEM privileges. If commands still run as the IWAM account, restart IIS so that it re-reads the list.
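The same list is what a defender should audit: any path beyond the stock five is a sign someone has done exactly the above. The following is an added example, not code from the original post, that parses the `adsutil.vbs get` output, flags entries outside the stock list, and rebuilds a correctly quoted `set` command (the quoting is where the hand-typed version above most often goes wrong). The sample listing is constructed for the example from the output shown on the page, with asp.dll appended.

```python
"""Audit an IIS 5 InProcessIsapiApps listing and rebuild the adsutil.vbs set command."""

# Stock IIS 5 in-process list, exactly as printed by `adsutil.vbs get` on the page.
DEFAULT_INPROCESS = [
    r"C:\WINNT\system32\idq.dll",
    r"C:\WINNT\system32\inetsrv\httpext.dll",
    r"C:\WINNT\system32\inetsrv\httpodbc.dll",
    r"C:\WINNT\system32\inetsrv\ssinc.dll",
    r"C:\WINNT\system32\msw3prt.dll",
]

# Constructed sample: the page's listing after asp.dll has been added.
TAMPERED_OUTPUT = r'''Microsoft (R) Windows Script Host Version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

InProcessIsapiApps              : (LIST) (6 Items)
  "C:\WINNT\system32\idq.dll"
  "C:\WINNT\system32\inetsrv\httpext.dll"
  "C:\WINNT\system32\inetsrv\httpodbc.dll"
  "C:\WINNT\system32\inetsrv\ssinc.dll"
  "C:\WINNT\system32\msw3prt.dll"
  "C:\Winnt\System32\inetsrv\asp.dll"
'''

ADSUTIL = r"cscript C:\Inetpub\AdminScripts\adsutil.vbs"


def parse_inprocess_list(output: str) -> list:
    """Return the quoted paths that follow the InProcessIsapiApps header, in order."""
    entries = []
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("InProcessIsapiApps"):
            in_list = True
            continue
        if in_list and len(line) >= 2 and line[0] == '"' and line[-1] == '"':
            entries.append(line[1:-1])
    return entries


def suspicious_inprocess(entries) -> list:
    """Entries not in the stock list; paths compared case-insensitively as NTFS does."""
    baseline = {p.lower() for p in DEFAULT_INPROCESS}
    return [e for e in entries if e.lower() not in baseline]


def build_set_command(entries) -> str:
    """The `adsutil.vbs set` line with each path quoted separately and space-separated."""
    quoted = " ".join('"%s"' % e for e in entries)
    return ADSUTIL + " set /w3svc/inprocessisapiapps " + quoted


def restore_command(entries) -> str:
    """Remediation: the set command that keeps only the stock entries, in their observed order."""
    baseline = {p.lower() for p in DEFAULT_INPROCESS}
    return build_set_command([e for e in entries if e.lower() in baseline])


if __name__ == "__main__":
    found = parse_inprocess_list(TAMPERED_OUTPUT)
    for bad in suspicious_inprocess(found):
        print("non-default in-process ISAPI extension:", bad)
    print(restore_command(found))
```

Run it against real output by piping `cscript adsutil.vbs get /w3svc/inprocessisapiapps` into a file and passing that text to `parse_inprocess_list`; the stock list assumed here is the one shown on the page, so a server with a legitimately customised list needs its own baseline.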
IV. Terminal Services
Next was getting onto 3389. net start showed that the Terminal Services service was already started, but there was no 3389 among the scanned ports, so I thought the port might have been changed. In fact they were playing with my feelings: netstat -an showed 3389 listening, so it was their firewall that was hiding it from the outside. Forget it, upload a trojan: I uploaded a 20CN reverse-connection trojan with a modified signature, used the trojan's GUI to shut down the firewall, and then logged in with the 3389 client. I could do that here because I knew the administrator would not be around. A more refined method for this situation is FPipe for port redirection, or HTTPTunnel. Hacker Defense (黑防) described this, but when I tried it I never once succeeded, and while gathering information I noticed that the Hacker Defense piece and another expert's write-up were identical; I don't know who copied whom. Another tool is Despoxy (TCP Tunnel for HTTP Proxies); try it if you're interested, it can tunnel through HTTP proxies.
V. Simple backdoors
1. Renamed the FSO trojan; this is the one I enjoy, since it is a trojan running with SYSTEM privileges.
2. Dropped a few rootkits and a few backdoors that are rarely seen on the net.
3. I don't like planting too many backdoors; it gets tedious.
VI. Sniffing
1. Over the Terminal Services session I downloaded a few sniffers. First I looked around with the GUI version of ArpSniffer; ugh, this is not an intranet machine. Then I looked at the external network; ugh, the whole IP segment is the same. It seemed my luck was holding, so I ran WebDAVScan to check, but only two or three IPs were hosting websites, and very small ones, so there was no motivation to go further.
Hands-on: breaking into a website protected by a firewall