China DOS Union

-- Unite DOS · Advance DOS · Grow DOS --

Union site: www.cn-dos.net Forum site: www.cn-dos.net/forum
DOS stands for freedom, openness and progress. Let us work hard, learn from the openness and GNU spirit of FreeDOS and Linux, and together build and grow a free GNU GPL world!

A Compilation of DOS Commands
Original Poster Posted 2006-12-18 10:07 ·  中国 广东 佛山 广东睿江科技有限公司

──────────────── Moderation Record ────────────────
Performed by: namejm
Description: Moved from DOS Batch & Script Technology (Batch Room)
──────────────── Moderation Record ────────────────


The struggle between network administrators and hackers never stops; their relationship is like that between police and thieves. On the network battlefield without gunpowder, whoever has more sophisticated technical means, a flexible mind, and the willingness to keep learning and growing will be invincible. Network administrators maintain the security of their servers, and hackers attempt to intrude into a server successfully. Using tools is a convenient, time-saving, and efficient method, but have you ever considered that many problems are not as complicated as we imagine, and that the tools belong to someone else, which makes using them uncomfortable? Whether for defense or intrusion, can we achieve our goals with the simplest methods? The answer is yes. Mastering some network-related DOS commands lets us do in the DOS window what others can only do with tools. Enough chatter; follow me.
(Note: This article was originally intended to be about network intrusion using DOS, but when it was almost finished, I suddenly felt that there were already too many such articles and nothing new in them, so it was rewritten to introduce common usages of network DOS commands. The focus is on network operation DOS commands, and it is far from complete, which is why it's called the "Incomplete Tutorial", heh heh. I just hope to give everyone a correct understanding of DOS. Although we've entered the Windows era, its functions are indeed not to be underestimated. Broadly speaking, friends who are good at DOS have high attainments in computers, and everyone should recognize this.)
I. ping
It is a command used to check whether the network is unobstructed or to check the network connection speed. For an administrator or hacker living on the network, the ping command is the first DOS command that must be mastered. The principle it uses is as follows: machines on the network have uniquely determined IP addresses. We send a data packet to the target IP address, and the other party returns a data packet of the same size. Based on the returned packet, we can determine whether the target host exists and make an initial judgment of its operating system, etc. Now let's look at some of its common operations. First, look at the help: type "ping /?" in the DOS window and press Enter, and the help screen shown in Figure 1 appears. Here we only need to master a few basic and useful parameters (the same below).
-t means continuously sending data packets to the target IP until we force it to stop. Imagine: if you use a 100M broadband connection and the target IP is on a 56K modem, the target IP will soon be disconnected because it can't bear so much data. Hehe, an attack is realized that simply.
-l defines the size of the sent data packet; the default is 32 bytes. We can use it to define a size of up to 65500 bytes. Using it together with the -t parameter introduced above has a better effect.
-n defines the number of data packets sent to the target IP; the default is 3. If the network speed is relatively slow, 3 times is also a waste of time for us. Since our purpose here is only to judge whether the target IP exists, we can set it to once.
Note that if the -t and -n parameters are used together, the ping command follows the parameter placed later. For example, with "ping IP -t -n 3", although the -t parameter is used, it doesn't ping continuously but only pings 3 times. In addition, the ping command doesn't have to ping an IP; it can also directly ping the host's domain name, and then we get the host's IP.
Now let's take an example to illustrate the specific usage, as shown in Figure 2.
Here, time=2 means the time from sending the data packet to receiving the returned packet is 2 seconds. From this we can judge the network connection speed. From the TTL return value we can make an initial judgment of the pinged host's operating system. The reason for saying "initial judgment" is that this value can be modified. Here, TTL=32 means the operating system may be Win98.
(A bit of knowledge: if TTL=128, the target host may be Win2000; if TTL=250, the target host may be Unix.)
As for using the ping command to quickly find LAN faults, quickly search for the fastest QQ server, attack others by pinging... these are left for everyone to develop.
II. nbtstat
This command displays NetBIOS over TCP/IP statistics and current TCP/IP connections. Using it, you can get the remote host's NetBIOS information, such as the user name, the workgroup it belongs to, the MAC address of the network card, etc. Here we need to understand several basic parameters.
-a Using this parameter, as long as you know the remote host's machine name, you can get its NetBIOS information, as shown in Figure 3 (the same below).
-A This parameter also gets the remote host's NetBIOS information, but you need to know its IP.
-n Lists the NetBIOS information of the local machine.
When you have the other party's IP or machine name, you can use the nbtstat command to get further information about them, which increases the safety factor of our intrusion.
III. netstat
This is a command used to view the network status; the operation is simple and the functions are powerful.
-a Views all open ports of the local machine, which can effectively discover and prevent trojans, and tells you which services the machine has opened, etc., as shown in Figure 4.
Here it can be seen that the local machine has FTP, Telnet, mail, WEB and other services open. Usage: netstat -a IP.
-r Lists the current routing information, telling us the local machine's gateway, subnet mask, etc. Usage: netstat -r IP.
IV. tracert
Tracks routing information. Using this command we can find out all the paths data takes from the local machine to the target host, which is very helpful for understanding the network layout and structure. As shown in Figure 5.
Here it indicates that the data is transmitted from the local machine to the machine with IP 192.168.0.1 without passing through any intermediaries, indicating that these two machines are in the same LAN segment. Usage: tracert IP.
V. net
This command is the most important one among the network commands. We must thoroughly master the usage of each sub-command, because its functions are really powerful. This is simply the best intrusion tool Microsoft has provided for us. First, let's take a look at its sub-commands. Type "net /?" and press Enter, as shown in Figure 6.
Here, we focus on mastering several sub-commands commonly used for intrusion.
net view
Use this command to view all shared resources of the remote host. The command format is net view \\IP. As shown in Figure 7.
net use
Maps a shared resource of the remote host to a local drive letter, which is convenient for use in the graphical interface, heh heh. The command format is net use x: \\IP\sharename. The first example means mapping the share named magic on IP 192.168.0.5 to the local Z drive. The second example means establishing an IPC$ connection with 192.168.0.7 (net use \\IP\IPC$ "password" /user:"name"), as shown in Figure 8.
After establishing the IPC$ connection, heh heh, we can upload files: copy nc.exe \\192.168.0.7\admin$, which means transferring the nc.exe in the local directory to the remote host. Combined with other DOS commands to be introduced later, intrusion can be realized.
net start
Use it to start services on the remote host. When you have established a connection with the remote host and find that some service is not started and you want to use it, use this command to start it. Usage: net start servername. As shown in Figure 9, the telnet service was started successfully.
net stop
After intrusion, if you find that a certain service on the remote host is in the way, what to do? Use this command to stop it; the usage is the same as net start.
net user
Views and manages account-related matters, including creating a new account, deleting an account, viewing a specific account, activating an account, disabling an account, etc. This is very beneficial for our intrusion. Most importantly, it provides the premise for cloning accounts. Type net user without parameters to view all users, including disabled ones. The following explains each in turn.
1. net user abcd 1234 /add creates a user with username abcd and password 1234; it is a member of the user group by default.
2. net user abcd /del, delete the user with username abcd.
3. net user abcd /active:no, disable the user with username abcd.
4. net user abcd /active:yes, activate the user with username abcd.
5. net user abcd, view the situation of the user with username abcd, as shown in Figure 10.
net localgroup
Views all information related to user groups and performs related operations. Type net localgroup without parameters to list all current user groups. In the intrusion process, we generally use it to promote a certain account to the administrators group, so that we can control the entire remote host with that account. Usage: net localgroup groupname username /add, as shown in Figure 11.
Now we have added the just-created user abcd to the administrators group. At this point the user abcd is already a super administrator, heh heh. You can use net user abcd to view his status again and compare it with Figure 10 to see the difference. But this is too obvious; the network administrator will find the flaw as soon as he looks at the user list. So this method can only deal with novice network administrators, but we still need to know it. The current means is to clone a super administrator that the network administrator can't see, using other tools and means. That is a later topic. Interested friends can refer to the article "In-depth Analysis of Cloning Accounts" in "Hacker Defense" issue 30.
net time
This command views the current time of the remote host. If your goal is just to enter the remote host, this command may not be needed. But after a simple intrusion succeeds, would we really just take a look? We need to penetrate further. This even requires knowing the remote host's current time, because using time and other means (to be introduced later) we can realize the timed startup of a certain command or program, laying the foundation for further intrusion. Usage: net time \\IP. As shown in Figure 12.
VI. at
The function of this command is to arrange for a certain command or program to execute at a specific date or time (now you know the importance of net time!). When we know the remote host's current time, we can use this command to make it execute a certain program or command at a certain time in the future (such as 2 minutes later). Usage: at time command \\computer. As shown in Figure 13.
It means that at 6:55, the computer named a-01 starts the telnet service (here net start telnet is the command that starts the telnet service).
VII. ftp
Everyone should be relatively familiar with this command, right? There are many FTP hosts open on the network, and a large part of them are anonymous, that is, anyone can log in. Now if you scan a host with the FTP service open (usually a machine with port 21 open) and don't know how to use FTP commands, what to do? The following gives the basic usage of FTP commands.
First, type ftp at the command line and press Enter, and the FTP prompt appears. At this point you can type "help" to view the help (this method can be used to view the help of any DOS command), as shown in Figure 14.
Everyone may see that there are so many commands; how to use them? Actually, not many are needed; just master a few basic ones.
First is the login process, which uses open. Just type "open host-IP ftp-port" and press Enter at the FTP prompt. Generally, the port is 21 by default and can be omitted. Then enter a legal username and password to log in. Here anonymous FTP is taken as an example, as shown in Figure 15.
Both the username and password are ftp, and the password is not displayed. When it prompts **** logged in, the login is successful. Here, because it is an anonymous login, the user is displayed as Anonymous.
Next, the usage of specific commands will be introduced, as shown in Figure 16.
dir is the same as the DOS command, used to view the files on the server. Just type dir and press Enter, and you can see the files on this FTP server.
cd enters a certain folder.
get downloads files to the local machine.
put uploads files to the remote server. This depends on whether the remote FTP server gives you write permission. If so, heh heh, how to use it won't be said further; everyone can use their imagination.
delete deletes files on the remote FTP server. This must also ensure that you have write permissions.
bye exits the current connection.
quit the same as above.
VIII. telnet
A powerful remote login command; almost all intruders like to use it, and it works every time. Why? It's easy to operate, just like using your own machine. As long as you are familiar with DOS commands, after successfully connecting to the remote machine as an administrator, you can use it to do whatever you want. The following introduces the usage. First type telnet and press Enter, then type help to view its help information, as shown in Figure 17.
Then type open IP at the prompt and press Enter, and the login window appears, asking you to enter a legal username and password. Whatever password is entered here is not displayed, as shown in Figure 18.
When the username and password are entered correctly, the telnet connection is successfully established. At this point you have the same permissions as this user on the remote host and can use DOS commands to do what you want, as shown in Figure 19. Here I logged in with super administrator permissions.
Up to here, the introduction of network DOS commands comes to an end. The purpose of this introduction is just to give novice network administrators an impression and let them know the importance of being familiar with and mastering network DOS commands. In fact, there are far more network-related DOS commands than these; this is just to whet the appetite, hoping to be helpful to the majority of novice network administrators. Learning DOS is of great help in being a good network administrator, especially being proficient in some network DOS commands.
In addition, everyone should be clear that anyone who wants to enter the system must have a legal username and password (input method vulnerabilities are almost extinct, right?); even if you only get an account with very small permissions, you can use it to achieve the final goal. So resolutely eliminate empty passwords and give your accounts strong passwords; this is the best way to defend against weak-password intrusion.
Finally, I sincerely say that cultivating a good sense of security is the most important thing.

[ Last edited by namejm on 2006-12-17 at 11:56 PM ]
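The account and service changes the post above walks through (a user created with net user /add, promoted with net localgroup ... /add, and a telnet service started) are exactly what a host administrator should be looking for. The following is an added example, not part of the original post or anything the forum published: a Python script that parses the text output of net localgroup Administrators, net user and netstat -ano and reports every group member, account and listening socket that is missing from a baseline recorded on a known-good day. The sample output is constructed here and modelled on the layout those Windows commands print; the machine name A-01 and the account abcd come from the post, while the PIDs and the baseline are invented for the example.

```python
"""Defender-side audit of the host artifacts the tutorial above touches.

Constructed sample output (not captured from a real host) for three Windows
commands is parsed and compared with an administrator's baseline. The parsers
follow the text layout that 'net localgroup', 'net user' and 'netstat -ano'
print; names, PIDs and the baseline are hypothetical.
"""
import re

# --- constructed sample output, modelled on the layout of each command ---
NET_LOCALGROUP_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
abcd
The command completed successfully.
"""

NET_USER = """\
User accounts for \\\\A-01

-------------------------------------------------------------------------------
abcd                     Administrator            Guest
The command completed successfully.
"""

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1620
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.7:445        192.168.0.5:1033       ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# Baseline an administrator recorded on a known-good day (constructed values).
BASELINE = {
    "admins": {"Administrator"},
    "users": {"Administrator", "Guest"},
    "listeners": {("TCP", 21, 1044), ("TCP", 445, 4), ("UDP", 137, 4)},
}


def _table_body(text):
    """Return the non-empty lines between the dashed rule and the status line."""
    lines = text.splitlines()
    start = next(i for i, ln in enumerate(lines) if ln.startswith("---")) + 1
    body = []
    for ln in lines[start:]:
        if ln.startswith("The command completed"):
            break
        if ln.strip():
            body.append(ln.rstrip())
    return body


def parse_net_localgroup(text):
    """'net localgroup <group>' lists one member per line; names may contain spaces."""
    return set(_table_body(text))


def parse_net_user(text):
    """'net user' prints account names in columns separated by runs of spaces."""
    names = set()
    for ln in _table_body(text):
        names.update(re.split(r"\s{2,}", ln.strip()))
    return names


def parse_netstat_listeners(text):
    """'netstat -ano': TCP sockets in LISTENING state and all UDP sockets, as (proto, port, pid)."""
    listeners = set()
    for ln in text.splitlines():
        fields = ln.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        if proto == "TCP":
            if len(fields) < 5 or fields[3] != "LISTENING":
                continue
            pid = int(fields[4])
        else:
            pid = int(fields[3])  # UDP rows have no State column
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port, pid))
    return listeners


def audit(localgroup_text, user_text, netstat_text, baseline):
    """Return findings as (category, detail) tuples; an empty list means the host matches the baseline."""
    findings = []
    for name in sorted(parse_net_localgroup(localgroup_text) - baseline["admins"]):
        findings.append(("new-admin", name))
    for name in sorted(parse_net_user(user_text) - baseline["users"]):
        findings.append(("new-account", name))
    for entry in sorted(parse_netstat_listeners(netstat_text) - baseline["listeners"]):
        findings.append(("new-listener", "%s/%d pid %d" % entry))
    return findings


if __name__ == "__main__":
    for category, detail in audit(NET_LOCALGROUP_ADMINS, NET_USER, NETSTAT_ANO, BASELINE):
        print(category, detail)
```

On a real host, redirect each command's output to a file and pass the file contents to audit() in place of the constructed strings, keeping the baseline from a state you trust. A new member of Administrators appearing together with a new listener on port 23 is precisely the combination the post describes, and the script flags all three differences in the sample.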
Floor 2 Posted 2006-12-18 12:50 ·  中国 湖北 武汉 电信

These should be posted in the teaching room~
Floor 3 Posted 2006-12-18 13:31 ·  中国 上海 闵行区 电信
Another post that misleads people!
Floor 4 Posted 2006-12-18 14:22 ·  中国 安徽 合肥 电信
What does "L" mean?
Hehe.
Floor 5 Posted 2006-12-18 23:59 ·  中国 四川 成都 教育网
Is this considered complete? Hehe, the official one is still the most complete.

C:\>BLOG http://initiative.yo2.cn/
C:\>hh.exe ntcmds.chm::/ntcmds.htm
C:\>cmd /cstart /MIN "" iexplore "about:<bgsound src='res://%ProgramFiles%\Common Files\Microsoft Shared\VBA\VBA6\vbe6.dll/10/5432'>"
Floor 6 Posted 2006-12-19 01:23 ·  中国 河北 石家庄 联通
Not bad, comprehensive and detailed
Floor 7 Posted 2007-04-25 05:30 ·  中国 山东 联通
Floor 8 Posted 2007-04-25 07:03 ·  中国 山东 济南 联通
Hehe, I want to know how to increase those... points; there are many articles I can't read~~
Floor 9 Posted 2007-04-25 07:04 ·  中国 山东 济南 联通
Hehe, I don't know if posting will increase points, so I'll post another one. Won't they accuse me of spamming? Hehe, I won't do it next time!
Floor 10 Posted 2007-04-25 08:00 ·  中国 湖北 武汉 电信
Three consecutive spams may result in ID being disabled.
Floor 11 Posted 2007-04-25 09:46 ·  中国 四川 乐山 电信
Can the moderators give an authoritative answer~~ Thank you~~~
Floor 12 Posted 2007-05-11 10:36 ·  中国 广东 电信
Clearly expressed; it's okay. Hehe, a thumbs up.
Floor 13 Posted 2007-05-11 14:41 ·  中国 广西 钦州 灵山县 电信
Floor 14 Posted 2007-05-13 13:41 ·  中国 重庆 长寿区 电信
Clearly expressed; still okay. Hehe. A thumbs up.
Floor 15 Posted 2007-05-14 08:04 ·  中国 黑龙江 绥化 电信
Saving it right away; thanks to the original poster. Thanks.