Break through remote desktop restrictions

00x00 cause

When connecting to the remote desktop, the server prompts the following:

 

1	You are not allowed to accessThis Terminal Server. Please contact your administratorFor More information. Secured by securerdp.

A closer look is not a problem with the remote management group,SecurerdpThis software restriction causes

Securerdp is a user login server management software. It prevents illegal users from trying to crack user passwords. It can filter IP/MAC addresses and computer names. It has the following functions:

1. Connection restrictions allow connection based on login time, IP address, host name, MAC address, client version, and other information

It seems that the connection to the client is limited. Currently, the popular D-shield and security dog have such functions.

 

 

00x01 Solution

OD Open and load Software

The ASPack shell ignores this and runs the software. The Registry API breakpoint regopenkeyexa is directly downloaded and the configuration is saved.

When the breakpoint is disconnected, the Registry path is displayed.

 

1	HKEY_LOCAL_MACHINE \ SOFTWARE \ terminalsoft \ wtsfilter

 

 

Run to the Registry and check it.

Evil directWtsfilter itemDeleted

 

 

Before deletion, I configured to exclude my own IP address. The system prompts that the connection is not allowed.

After the registry key is deleted, there are no restrictions.

 

 

The idea is quite clear. You can simply get rid of the registry key.

 

I first read the registry value in shell, and it does exist.

Read the registry value:

 

1	Reg Query"HKEY_LOCAL_MACHINE \ SOFTWARE \ terminalsoft \ wtsfilter" /V tsdata

 

Backup and export registry key:

 

1	CMD/C"Regedit/e d: \ freehost \ jiqiren \ WEB \ editor \ JS \ WTS. Reg"HKEY_LOCAL_MACHINE \ SOFTWARE \ terminalsoft \ wtsfilter""

 

Delete the registry key:

 

1	RegDelete "HKEY_LOCAL_MACHINE \ SOFTWARE \ terminalsoft \ wtsfilter" /VA/F

 

 

The connection to the target server is now released.

 

 

The server has Elevation of Privilege. After logging on to the server, restore the registry key and check its configuration. The computer name is restricted.

 

 

00x02 Summary

1. I didn't see the prompt at the beginning. I thought it was a group policy or a remote group relationship.

2. It is useless to kill the process directly when detecting the software, and the implementation method remains to be explored.

3. In fact, these small security software is not "safe" yet ".