Simple process

One . information gathering

nslookup   whois

Two . Scan for leaks

namp=IP Range   port   80  （iss,apache, What website ）

Advanced scanning ： Such as iss Loophole   Scanning for website vulnerabilities

3、 ... and . Exploit

Four . Raise the right （shell Environmental Science , Desktop Environment , Highest authority ））

Manually test port number open ： talent IP Address   Test port

5、 ... and . Destroy the bodies

6、 ... and . leave oneself a way out

7、 ... and . Penetration test report

Practice

Open two virtual machines

win2003  The server    10.1.1.2       

winxp   staff     10.1.1.1

use xp attack 2003

First, two virtual machines should be able to communicate To configure IP In the same LAN

After the configuration is completed, try xp On ping once 2003   ping success

Next The attack

attack 445 attack （ Shared port ）

First step ： Port scanning

Manual scanning

telnet IP port    The following situations represent that the corresponding port is open

Automatic scanning Use scanport

You can see xp and 2003 Both virtual machines are turned on 445 port

445 One of the exploits ipc$:

net use Used to connect your computer to shared resources （ Establish disk mapping ）, Or disconnect the computer from shared resources ( Delete disk mapping ), When using this command without options , It lists the computer connections .

1) Make an empty connection :
net use \\IP\ipc$ "" /user:"" ( Be sure to pay attention to : This line of command contains 3 A space )

2) Establish a non empty connection :
net use \\IP\ipc$ " password " /user:" user name " ( There are also 3 A space )

3) Map default share :
net use z: \\IP\c$ " password " /user:" user name " ( You can put the other party's c The disk maps to its own z disc , And so on )
If you've established a goal ipc$, You can use IP+ Disk character +$ visit , Specific commands net use z: \\IP\c$

4) Delete one ipc$ Connect
net use \\IP\ipc$ /del

5) Delete shared mapping
net use c: /del Delete mapped c disc , And so on
net use * /del Delete all , There will be a prompt to press y confirm

3 View the shared resources of the remote host （ But you don't see the default share ）
net view \\IP  
 

  Brutally crack the system password 445

Using tools ntscan

take user And the password burst out   You can go through net use \\IP\ipc$ " password " /user:" user name " To make a connection

After successful connection, the back door can be left

Make a Trojan

copy Implant Trojans