00x00 Cause
When connecting to the remote desktop, the server shows the following prompt:
You are not allowed to access This Terminal Server. Please contact your administrator For More information. Secured by securerdp.
A closer look shows this is not a problem with remote desktop group membership; the restriction is imposed by the SecureRDP software.
SecureRDP is a user-logon management tool for servers. It is meant to stop unauthorized users from brute-forcing passwords and can filter on IP/MAC address and computer name. Its feature list includes:
1. Connection restrictions allow connection based on login time, IP address, host name, MAC address, client version, and other information
So connections are being filtered by client. The popular D-shield and Security Dog products offer the same function.
00x01 Solution
Open the software in OllyDbg (OD) and load it.
The binary is packed with ASPack; ignore the packer and just run it. Set a breakpoint directly on the registry API RegOpenKeyExA, then save the configuration in the program.
When the breakpoint is hit, the registry path is visible:
HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter
Open the registry at that path and inspect it.
Then I simply deleted the wtsfilter key outright.
Before deleting it, I had configured the filter to exclude my own IP address, and the system reported that the connection was not allowed.
After the registry key is deleted, there are no restrictions.
The idea is quite clear: just get rid of the registry key.
I first read the registry value from the shell, and it does exist.
Read the registry value:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter" /v tsdata
Back up the key by exporting it:
cmd /c "regedit /e d:\freehost\jiqiren\WEB\editor\JS\WTS.reg HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter"
Delete the registry key:
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter" /va /f
The connection to the target server is now permitted.
The server had already been privilege-escalated. After logging on to it, I restored the registry key and checked its configuration: the computer name was the restricted attribute.
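From the defender's side, the whole bypass above leaves a small, consistent trail: a registry tool spawned from a web-server process, a command line naming the wtsfilter key, and a registry delete event on that key. The following is an added example, not code from the post or from the SecureRDP product, that runs that detection logic over a few constructed event records. The field names (EventID, EventType, Image, ParentImage, CommandLine, TargetObject) follow Sysmon's vocabulary for process-create (1) and registry (12/13) events; the key path is the one the post identifies, and every event, image path and file name in the sample is made up for the example.

```python
"""Flag tampering with the SecureRDP filter key (HKLM\\SOFTWARE\\terminalsoft\\wtsfilter).

Added example for this post. Events are dicts shaped after Sysmon fields:
  EventID 1  = process create (Image, ParentImage, CommandLine)
  EventID 12 = registry key/value create or delete (EventType, TargetObject, Image)
  EventID 13 = registry value set (TargetObject, Image)
The sample events below are constructed, not real telemetry.
"""
import re

# Key path taken from the post; Sysmon reports HKEY_LOCAL_MACHINE as HKLM.
WTSFILTER_KEY = r"HKLM\SOFTWARE\terminalsoft\wtsfilter"

# Parent processes that have no business launching registry tools (web shells live here).
# Assumed list for the example; extend it to match the servers you monitor.
WEB_SERVER_IMAGES = {"w3wp.exe", "php-cgi.exe", "httpd.exe", "tomcat.exe", "java.exe"}

# reg.exe subcommands and regedit export/import switches worth looking at.
REG_TOOL_CMD = re.compile(
    r"\b(?:reg(?:\.exe)?\s+(?:query|delete|add|import)|regedit(?:\.exe)?\s+/[es])\b",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Normalise a registry path: drop stray spaces around backslashes, use HKLM, lowercase."""
    path = re.sub(r"\s*\\\s*", "\\\\", path)
    return path.replace("HKEY_LOCAL_MACHINE", "HKLM").lower()


def touches_filter_key(text: str) -> bool:
    """True if a command line or TargetObject refers to the wtsfilter key or anything under it."""
    return _norm(WTSFILTER_KEY) in _norm(text)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, message) alerts for events that touch the SecureRDP key."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        image = _basename(ev.get("Image", ""))
        if eid == 12 and ev.get("EventType") in ("DeleteKey", "DeleteValue") \
                and touches_filter_key(ev["TargetObject"]):
            # The key or one of its values is gone: the filter is now disabled.
            alerts.append(("high", f"SecureRDP filter key/value deleted by {image}"))
        elif eid == 13 and touches_filter_key(ev["TargetObject"]):
            # A value rewrite can silently widen the allow-list.
            value = _basename(ev["TargetObject"])
            alerts.append(("medium", f"SecureRDP filter value {value} modified by {image}"))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            parent = _basename(ev.get("ParentImage", ""))
            if REG_TOOL_CMD.search(cmd) and touches_filter_key(cmd):
                # Registry tool aimed at the key; much worse when a web server is the parent.
                sev = "high" if parent in WEB_SERVER_IMAGES else "medium"
                alerts.append((sev, f"registry tool run against SecureRDP key from {parent}: {cmd}"))
            elif parent in WEB_SERVER_IMAGES and image in {"reg.exe", "regedit.exe", "cmd.exe"}:
                alerts.append(("medium", f"{image} spawned by web server process {parent}"))
    return alerts


# Constructed sample: the post's sequence (query, export, delete) plus two benign events.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Program Files\SecureRDP\wtsfilter.exe", "TargetObject": WTSFILTER_KEY},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter" /v tsdata'},
    {"EventID": 1, "Image": r"C:\Windows\regedit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regedit /e d:\web\WTS.reg HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\terminalsoft\wtsfilter" /va /f'},
    {"EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\System32\reg.exe", "TargetObject": WTSFILTER_KEY + r"\tsdata"},
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": r"C:\Windows\explorer.exe", "TargetObject": r"HKCU\Software\SomeApp"},
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The useful part is the combination: a registry write to that key is rare enough to alert on by itself, and reg.exe under w3wp.exe is rare enough to alert on by itself, so either signal alone would have caught this sequence before the connection was released. The same rule can be expressed directly in a Sysmon configuration with a TargetObject filter on the key, which is cheaper than post-processing.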
00x02 Summary
1. I didn't notice the prompt at first and assumed it was a group policy or remote desktop group issue.
2. Simply killing the process is useless once such software is detected; how it enforces the restriction still needs to be explored.
3. In fact, these small security tools are not really "secure" at all.