A story that came up in a group of friends!
When connecting to the remote desktop, the server showed the following prompt:
You are not allowed to access to this Terminal Server. Please contact your administrator for more information. Secured by SecureRDP.
A closer look showed this was not a problem with the Remote Desktop Users group but the work of the SecureRDP software.
Well, well, this software has the following features:
SecureRDP is server login management software. It prevents unauthorized users from attempting to crack passwords, and it can filter attackers by IP/MAC address and computer name. Its specific functions are as follows:
1. Connection restrictions: allow connections based on login time, IP address, host name, MAC address, client version and other information
So the client connection had been restricted. The popular D Shield and Safe Dog have similar functions!
This was the first time I had seen this software and I was curious, and I also wanted to help my classmate get past it.
I installed it in a virtual machine and configured an IP address restriction. Looking at the software's directory, there were still only the same files, so its configuration had to be written either to another directory or to the registry!
Recalling an earlier session debugging Safe Dog, I opened the software in OllyDbg (OD), ignored the ASPack packer and let it run. I set a breakpoint on the registry API RegOpenKeyExA and then saved the configuration.
When the breakpoint hit, the registry path was visible:
HKEY_LOCAL_MACHINE\Software\Terminalsoft\WTSFilter
I went to that path in the registry and checked it.
Mischievously, I deleted the WTSFilter key outright.
Before deleting it, I had configured the software to block my own IP address, and the system prompted that the connection was not allowed!
After the registry key was deleted, there were no restrictions at all!
The idea is clear: simply get rid of the registry key!
I first read the registry value from the shell, and it did exist.
Read the registry value:
reg query "HKEY_LOCAL_MACHINE\Software\Terminalsoft\WTSFilter" /v tsdata
Back up the key by exporting it:
cmd /c "regedit /e d:\freehost\jiqiren\web\Editor\js\wts.reg HKEY_LOCAL_MACHINE\Software\Terminalsoft\WTSFilter"
Then delete the registry key:
reg delete "HKEY_LOCAL_MACHINE\Software\Terminalsoft\WTSFilter" /va /f
Okay, now connect to the target server: the restriction was gone!
I already had elevated privileges on the server. After logging on, I restored the registry key and checked its configuration: the computer name was restricted!
That was the end of this fun process. The restriction was successfully killed off!
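From the defender's side, the weak point this shows is that SecureRDP's entire policy lives in a single registry key that any local administrator can delete. The following PowerShell, added here and not part of the original post or of the SecureRDP product, checks that the key and its tsdata value are still present and writes an Application-log event when they are not; the event source name and event ID are assumptions.

```powershell
# Added example: integrity check for the SecureRDP policy key named in the post.
# Run as an administrator on the protected server (e.g. from a scheduled task).
# Assumptions: the event source 'SecureRdpMonitor' and event ID 4100 are chosen here.
$KeyPath   = 'HKLM:\SOFTWARE\Terminalsoft\WTSFilter'   # key shown in the post
$ValueName = 'tsdata'                                   # value the post reads with reg query

function Test-SecureRdpConfig {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)

    # Key deleted outright (what the post does with "reg delete ... /va /f" plus regedit)
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Status = 'KeyMissing'; Detail = "$Path does not exist" }
    }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    # Key present but the policy value was removed
    if ($null -eq $props -or ($props.PSObject.Properties.Name -notcontains $Name)) {
        return [pscustomobject]@{ Status = 'ValueMissing'; Detail = "$Name not found under $Path" }
    }
    # Key and value present but emptied (binary or string data of zero length)
    $data = $props.$Name
    $size = if ($data -is [byte[]]) { $data.Length } else { ([string]$data).Length }
    if ($size -eq 0) {
        return [pscustomobject]@{ Status = 'ValueEmpty'; Detail = "$Name exists but is empty" }
    }
    return [pscustomobject]@{ Status = 'Ok'; Detail = "$Name present ($size bytes)" }
}

function Write-SecureRdpAlert {
    param([Parameter(Mandatory)]$Result)
    $source = 'SecureRdpMonitor'   # assumed source name; registered once, needs admin rights
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EntryType Warning -EventId 4100 `
        -Message "SecureRDP policy check failed: $($Result.Status) - $($Result.Detail)"
}

$result = Test-SecureRdpConfig
if ($result.Status -ne 'Ok') { Write-SecureRdpAlert -Result $result }
$result
```

Pair this with object-access auditing (a SACL) on the key so that a deletion is also recorded in the Security log, and keep the exported .reg baseline somewhere the administrator account used for RDP logons cannot modify it.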
Conclusion:
1. I didn't notice the prompt at first; I thought it was group policy or Remote Desktop Users group membership!
2. When you run into this software, simply killing its process is useless; how it is actually implemented remains to be explored!
3. In fact, these small security products really are not that "secure"!