What follows is an unconventional network security check, or rather a network security survey.
I. Reasons:
A few days ago a friend told me that a database server in his organisation appeared to have been hacked: someone had left the message "*** was here!" on the desktop. I rushed over and went through the database server thoroughly. The host was running Windows XP without even the SP2 service pack, and what I found surprised me:
1. There were two accounts in the Administrators group, "administrator" and "new", and both had blank passwords.
2. Port 3389 was open for Remote Desktop Connection.
3. Port 23 was open and accepted telnet logons.
4. Ports 135 and 445 were open, and the default administrative shares had not been removed.
5. This was the database server itself: the SQL Server "sa" account had the password "sa", and anyone with an SQL client could connect directly as sa.
From my friend I learned that the system had been installed from a Ghost disk image, because he had seen many people do it that way. Is this common? That question led to this unconventional security check of how secure the local network really is.
II. Tools:
S scanner, Microsoft Remote Desktop Connection (mstsc.exe), telnet, SQL scanner
III. Time period:
One evening and one working day.
IV. Targets:
Local ADSL users
V. Detection:
Open a "command prompt" (cmd.exe) on an ADSL-connected machine and run "ipconfig" to get the machine's public Internet IP address. Take that address as the centre, choose an IP range around it, and scan the range with the S scanner.
1. Remote Desktop test (port 3389)
Step 1: run the S scanner at the command prompt with the following command:
s syn **.1**.133.1 **.1**.138.254 3389
The results appear in less than 10 seconds. (Figure 1)
Figure 1
Shocking! Of the 365 hosts online in this IP range, 202 had port 3389 open!
Step 2: use Microsoft's "Remote Desktop Connection" tool (mstsc.exe) to test a connection. Pick a host with port 3389 open at random and connect. Wow, connected! Enter the user name "administrator" and try a blank password. A message appears saying that a user named "new" is currently logged on (Figure 2). Click OK and the first-logon profile setup page appears: it took less than 10 seconds to get in. I logged out immediately, then logged on as "new", again with a blank password. The person at the other end was busy looking at pictures of girls (Figure 3); I disconnected at once. I tested other hosts with port 3389 open and the success rate was high. Some Windows systems in the test even allowed several users to be logged on at the same time; once you are in, a user with no security awareness has no idea you are there! On some hosts a password had been set on the "new" account while "administrator" was still blank. Some users had set passwords, but simple ones that could be guessed in three or four attempts, such as "123456", "windows" and "adsl".
Figure 2
Figure 3
Analysis: many users today run a "Ghost version" system. Besides "administrator", these systems come with an extra user, "new", that also has administrator rights, and all of the administrator passwords are blank! Some "Computer City edition" systems additionally allow several users to log on remotely at the same time. A good number of computer users know nothing about this and use the system exactly as installed, without any security configuration. Some think that once anti-virus software is installed they have nothing to worry about, but with the "gate" standing open the anti-virus software is useless: anti-virus is not the same as anti-hacker!
2. IPC$ test (ports 139 and 445)
Step 1: run the S scanner at the command prompt with the following command:
s syn **.1**.133.1 **.1**.138.254 139 445
Again it takes only a moment for the results to appear. Port 445 is open on even more hosts than port 3389: a rough count puts it above 80% of these hosts! (Figure 4)
Figure 4
Step 2: pick an IP address at random and run the following at the "command prompt":
net use \\**.1**.135.253\ipc$ "" /user:administrator
It reports "The command completed successfully."
Then enter:
net use z: \\**.1**.135.253\c$
Again "The command completed successfully." (Figure 5)
Figure 5
The remote host's system drive is now mapped as a local drive, and that is as far as I took the test. At this point, what could you not do? You could even wreck the host's system.
Analysis: this too is a consequence of the "Ghost system" or "Computer City system": both "administrator" and "new" sit in the Administrators group with blank passwords. Computer users lack basic security awareness and have no idea what precautions to take; they get someone to install the system for them, and as soon as it is installed they are on the Internet without changing a single setting. How can they avoid being hacked?
3. Telnet test (port 23)
Step 1: run the S scanner at the command prompt:
s syn **.1**.133.1 **.1**.138.254 23
The results come back quickly: of the 365 hosts online, 35 have port 23 open. (Figure 6)
Step 2: test the connection with telnet
Pick an IP address at random and run:
telnet ***.1***.134.242
Logging on as "new" with a blank password failed, but "administrator" with a blank password succeeded (Figure 7): the result is a "shell" with administrator rights. Readers with some command-line experience know that getting a shell means controlling the whole host.
Testing other IP addresses with a blank password for "administrator" or "new" gave a success rate above 40%. Some of the devices with port 23 open were routers, and several of them accepted the default user "admin" with the default password "admin" (Figures 8 and 9 show two routers of different brands). Once you control the router you get far more than a single host: the whole LAN behind it may fall!
Figure 8
Figure 9
Analysis: a PC with port 23 open is somewhat puzzling. Why would a PC have port 23 open? Neither the "Ghost system" nor the "Computer City edition" opens this port. I suspect someone had already got into these hosts and left a backdoor: the machine had been compromised and its owner did not even know. That says everything about users' security awareness. Beyond that, some organisations and individuals have made no security configuration at all.
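To turn the findings above into a self-check, here is an audit script added for this page; it is not the author's tool and not part of the original article. Run it from an elevated Windows PowerShell prompt on the host being checked. It reports the conditions found in each test: extra accounts in the Administrators group, administrators with blank passwords (the 3389, IPC$ and telnet tests), whether Remote Desktop is enabled, whether the telnet server service exists, the default administrative shares (the IPC$ test), which of the scanned ports are listening, and whether SQL Server accepts "sa" with a blank password or the password "sa" (the opening case). The registry paths, the TlntSvr service name and the Win32 error codes are standard Windows values; the port list, the `[!]`/`[+]`/`[-]`/`[?]` markers and the `NativeLogon` helper class are my own choices.

```powershell
# Added audit example for the conditions described in this article; not the
# author's tool and not part of the original text. Run from an elevated
# Windows PowerShell prompt on the host you want to check.
# Assumptions (my choices, not from the article): the port list, the
# [!]/[+]/[-]/[?] markers, and the NativeLogon helper class name.

# --- 1. Members of the local Administrators group ------------------------
$adminGroup = [ADSI]"WinNT://./Administrators,group"
$members = @($adminGroup.Invoke('Members')) | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
    # keep only accounts local to this machine (WinNT://<workgroup>/<host>/<user>)
    if ($path -like "*/$env:COMPUTERNAME/*") { $name }
}
"Local accounts in Administrators: $($members -join ', ')"
if ($members -contains 'new') { "  [!] extra 'new' administrator account present (Ghost image leftover)" }

# --- 2. Blank-password check via LogonUser --------------------------------
# An INTERACTIVE logon type is used on purpose: the policy "Limit local account
# use of blank passwords to console logon only" (LimitBlankPasswordUse) refuses
# blank passwords for network and RDP logons, so a network-type probe would
# report "password set" for an account whose password is in fact blank.
if (-not ('NativeLogon' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NativeLogon {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
                                        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
}
$LOGON32_LOGON_INTERACTIVE = 2
$LOGON32_PROVIDER_DEFAULT  = 0
foreach ($user in $members) {
    $token = [IntPtr]::Zero
    $ok = [NativeLogon]::LogonUser($user, '.', '', $LOGON32_LOGON_INTERACTIVE,
                                   $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok)               { [void][NativeLogon]::CloseHandle($token); "  [!] '$user' has a BLANK password" }
    elseif ($err -eq 1326) { "  [+] '$user' has a password set" }          # ERROR_LOGON_FAILURE
    elseif ($err -eq 1331) { "  [-] '$user' is disabled" }                 # ERROR_ACCOUNT_DISABLED
    else                   { "  [?] '$user': LogonUser failed, Win32 error $err" }
}
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"LimitBlankPasswordUse = $($lsa.LimitBlankPasswordUse)  (1 = blank passwords refused for network and RDP logons)"

# --- 3. Remote Desktop, telnet server, administrative shares -------------
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) { "[!] Remote Desktop (3389) is enabled" } else { "[+] Remote Desktop is disabled" }
$telnet = Get-WmiObject Win32_Service -Filter "Name='TlntSvr'"
if ($telnet) { "[!] Telnet server installed: state $($telnet.State), start mode $($telnet.StartMode)" }
else         { "[+] Telnet server service (TlntSvr) not installed" }
$adminShares = net share | Where-Object { $_ -match '^(C\$|ADMIN\$)\s' }
if ($adminShares) { "[!] default administrative shares present:`n$($adminShares -join "`n")" }

# --- 4. Listening ports the article scanned for ---------------------------
$listening = netstat -an | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
} | Sort-Object -Unique
foreach ($port in 23, 135, 139, 445, 1433, 3389) {
    if ($listening -contains $port) { "  [!] TCP $port listening" } else { "  [+] TCP $port closed" }
}

# --- 5. SQL Server 'sa' with a blank password or the password "sa" --------
if ($listening -contains 1433) {
    foreach ($pw in '', 'sa') {
        $conn = New-Object System.Data.SqlClient.SqlConnection `
            "Server=127.0.0.1,1433;User ID=sa;Password=$pw;Connect Timeout=3"
        try   { $conn.Open(); "[!] SQL Server accepts sa with password '$pw'"; $conn.Close() }
        catch { "[+] sa with password '$pw' refused: $($_.Exception.Message)" }
    }
}
```

Two notes on reading the output. The blank-password RDP and IPC$ logons in the article can only succeed when LimitBlankPasswordUse is 0, which is why the script prints that value next to the account results; a default XP install has it set to 1, so the images in question had evidently changed it. The fixes for what the script flags are the same commands the article's era used: `net user new /delete` removes the extra account, `net user administrator *` prompts for a new password, `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f` turns Remote Desktop off, `sc config TlntSvr start= disabled` followed by `net stop TlntSvr` shuts the telnet server, and on SQL Server 2000 `sp_password NULL, '<new password>', 'sa'` replaces the "sa" password.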