Those who have used the Windows 2000 Terminal Service know how convenient it is. It also brings security risks, however.
A malicious user can get into the system by guessing passwords, and, more dangerously, if the machine has the Input Method Vulnerability an intruder
can take full control of it.
Next, let's look at how the Input Method Vulnerability can be used to remotely intrude into a Windows 2000 machine through Terminal Services:
First, we confirm that port 3389 of the machine is open:
D:\nmapnt> nmapnt.exe -sS -p 3389 XXX.XXX
Starting nmapnt v. 2.53 by ryan@eEye.com
eEye Digital Security (http://www.eEye.com)
Based on NMAP by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on FGF-DELL4300 (XXX.XXX):
Port State Service
3389/tcp open msrdp
NMAP run completed -- 255 IP addresses (93 hosts up) scanned in 542 seconds
D:\tools\nmapnt>
Now that we can see the terminal service on this machine is open, we can start.
Open the Terminal Services client, add the IP address, and select Connect.
After a moment the familiar logon dialog box usually appears. Now check whether the Input Method Vulnerability is present; for details on the input method vulnerabilities, see the related article. If the vulnerability is present, how do we gain control? After many experiments I finally came up with a solution.

We found that after jumping to the URL, double-clicking assumer.exe in the winnt directory gave no response (it was running on the machine, but why could we see no result?). If we keep double-clicking, or do nothing at all, the connection is dropped, and at the moment of disconnection we seem to glimpse the window we double-clicked. After several more experiments we found that the server disconnects if you are not logged in, so I tried to log in first. I thought of opening the User Manager from Help: after testing, the following link is entered in the URL: mk:@msitstore:C:\winnt\HELP\tshootconcepts.chm:/where_usermgr.htm. On the right there is a link that can open Local Users and Groups. Normally this manager opens, but when not logged in it only kept spinning and never opened, so I thought of another method.

Finally I thought of creating a command-line shortcut. Jump to "C:\winnt\system32" in the URL and find net.exe. Click net.exe in the right pane and select "Create Shortcut"; a file named "net.lnk" appears. Right-click the shortcut and select Properties, and we can then add the path and parameters of the command to execute to the Target field. We still use the net command, so the path does not need to change; running C:\winnt\system32\net.exe user test /add creates an account named test with an empty password. Double-click the shortcut to run it. Then add this account to the Administrators group: C:\winnt\system32\net.exe localgroup administrators test /add. OK! Run it again. Now we have basically succeeded.

Close the Help window and log in with the test account (the password is blank). Once in, delete the shortcut we just created, then add the TsInternetUser account to the Administrators group and set its password so that we can use that account next time. Log on with that account, and if the logon works, delete the test account we created.
This machine is now in our hands.
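From a defender's point of view, the intrusion described above leaves two distinctive artifacts on the host: a new local account (here "test") with a blank password sitting in the Administrators group, and the TsInternetUser service account promoted into Administrators. The following Python script is an added example and is not part of the original article. It parses the output of `net localgroup administrators` (a constructed sample of that output is embedded so it runs offline) and reports any member that is a known service or built-in account, or that is not on an allowlist of expected administrators. The allowlist contents and the `audit_live_host` helper are assumptions for illustration.

```python
"""Audit the local Administrators group for members that should not be there.

Added example, not part of the original article. It parses the text that
`net localgroup administrators` prints on Windows and flags members that are
known service accounts or are missing from an allowlist.
"""
import subprocess
from typing import Dict, List

# Assumption for illustration: the accounts that legitimately belong to the
# local Administrators group on this host. Adjust per machine.
ALLOWED_ADMINS = {"administrator"}

# Built-in/service accounts that should never be local administrators.
# TsInternetUser is the Terminal Services Internet Connector account that the
# article's intruder promotes in order to keep a foothold.
NEVER_ADMIN = {"tsinternetuser", "guest"}

# Constructed sample of `net localgroup administrators` output, showing the
# state the article's steps leave behind: the intruder's "test" account and
# TsInternetUser have both been added to the group.
SAMPLE_OUTPUT = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
test
TsInternetUser
The command completed successfully.
"""


def parse_localgroup_members(text: str) -> List[str]:
    """Return the member names printed by `net localgroup <group>`.

    Members are listed one per line between the dashed separator and the
    trailing "The command completed successfully." line.
    """
    members: List[str] = []
    in_members = False
    for line in text.splitlines():
        stripped = line.strip()
        if not in_members:
            if stripped.startswith("----"):
                in_members = True
            continue
        if not stripped or stripped.startswith("The command completed"):
            break
        members.append(stripped)
    return members


def audit_admins(members: List[str]) -> Dict[str, List[str]]:
    """Split members into 'forbidden' (known service/built-in accounts) and
    'unexpected' (anything else not on the allowlist)."""
    findings: Dict[str, List[str]] = {"forbidden": [], "unexpected": []}
    for name in members:
        # Domain-qualified entries (DOMAIN\Name) are compared on the account part.
        key = name.rsplit("\\", 1)[-1].lower()
        if key in NEVER_ADMIN:
            findings["forbidden"].append(name)
        elif key not in ALLOWED_ADMINS:
            findings["unexpected"].append(name)
    return findings


def audit_live_host() -> Dict[str, List[str]]:
    """Assumed helper: run the real command on a Windows host.

    Returns empty findings where `net` is unavailable (e.g. on non-Windows).
    """
    try:
        out = subprocess.run(
            ["net", "localgroup", "administrators"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return {"forbidden": [], "unexpected": []}
    return audit_admins(parse_localgroup_members(out))


if __name__ == "__main__":
    result = audit_admins(parse_localgroup_members(SAMPLE_OUTPUT))
    for kind, names in result.items():
        for name in names:
            print(f"{kind.upper()}: {name} is a member of Administrators")
```

Run against the constructed sample, the script reports TsInternetUser as forbidden and test as unexpected, which is exactly the end state of the walkthrough; on a real host, call `audit_live_host()` instead. Pairing this check with a review of which networks can reach port 3389 addresses both halves of the scenario: the exposed service that was found with the port scan, and the account changes that the intrusion leaves behind.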