Have you ever needed to remotely access a Windows box with a borked Terminal Server that you would rather not (or could not) reboot?
That's exactly what happened to me a couple of days ago...
My idea was to remotely install and start a vnc server.
Which is a good start; the problem was that the Windows server was only reachable through SSH on a CentOS box (the Terminal Server port, TCP 3389, was forwarded inside the SSH connection).
So I had to get the "Complete set of executables, no installer" version from TightVNC,
unpack it, and get the files (WinVNC.exe, VNCHooks.dll) onto the CentOS box.
Then I copied the files to the Windows server's ADMIN$ share using:
smbclient //10.0.0.5/ADMIN$ -U administrator
I then managed to get a remote prompt using:
winexe -U 'WINDOWSDOMAIN/Administrator%password' //10.0.0.5 "cmd.exe"
BTW, winexe is great; watch out that on CentOS/RHEL the statically compiled version is not compatible with the OS libc...
I had to compile it myself: untar the sources and run
./autogen.sh
./configure
make proto bin/winexe
Then, on the Windows prompt, you need to install the service with:
Please note that the service won't allow logins until you set a password. What I did was export a VNC config from another Windows machine and merge it into the registry.
This one, for example, sets the password to "secret":
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"LocalInputsPriorityTime"=dword:00000003
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000001e
"QueryAccept"=dword:00000000
"QueryAllowNoPass"=dword:00000000
"LockSetting"=dword:00000000
"RemoveWallpaper"=dword:00000001
"BlankScreen"=dword:00000000
"EnableFileTransfers"=dword:00000001
"Password"=hex:2e,2d,bf,57,6e,b0,6c,9e
"PasswordViewOnly"=hex:2e,2d,bf,57,6e,b0,6c,9e
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"PollingCycle"=dword:0000012c
"DontSetHooks"=dword:00000000
"DontUseDriver"=dword:00000000
"DriverDirectAccess"=dword:00000001
"LocalInputsPriority"=dword:00000000
The idea was to copy it to the Windows box as a vnc.reg file and then use:
regedit /s vnc.reg
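Before merging a .reg file like that with regedit /s, it is worth checking what it actually turns on. The script below is an added example, not part of the original post: it parses the REGEDIT5 text format, pulls out the WinVNC3 values and flags the settings a reviewer would care about (the embedded sample is the post's values trimmed to the ones checked; LoopbackOnly is a WinVNC3 value the post does not use, mentioned here as the way to keep the server bound to the SSH-forwarded loopback port).

```python
import re

# Constructed sample: the post's own exported WinVNC3 values, trimmed to the entries checked below.
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\ORL\\WinVNC3\\Default]
"SocketConnect"=dword:00000001
"QueryAllowNoPass"=dword:00000000
"EnableFileTransfers"=dword:00000001
"Password"=hex:2e,2d,bf,57,6e,b0,6c,9e
"""
WINVNC_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\ORL\\WinVNC3\\Default"
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|hex:[0-9a-fA-F,]*|".*")$')

def parse_reg(text):
    """Parse a REGEDIT5 text export into {key_path: {name: value}} (dword -> int, hex -> bytes, "..." -> str)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("unsupported .reg line: %r" % raw)
        name, val = m.groups()
        if val.startswith("dword:"):
            keys[current][name] = int(val[6:], 16)
        elif val.startswith("hex:"):
            keys[current][name] = bytes.fromhex(val[4:].replace(",", ""))
        else:
            keys[current][name] = val[1:-1]
    return keys

def audit_winvnc(keys):
    """Return (severity, message) findings for the WinVNC3 Default key."""
    s, out = keys.get(WINVNC_KEY, {}), []
    if s.get("QueryAllowNoPass", 0) == 1:
        out.append(("high", "QueryAllowNoPass=1: clients can be admitted with no password"))
    if s.get("SocketConnect", 0) == 1 and s.get("LoopbackOnly", 0) != 1:
        out.append(("medium", "accepts connections on all interfaces; set LoopbackOnly=1 when only the SSH-forwarded loopback port should reach it"))
    if s.get("EnableFileTransfers", 0) == 1:
        out.append(("medium", "EnableFileTransfers=1: any VNC session can copy files to and from the host"))
    pw = s.get("Password")
    if not pw or pw == b"\x00" * 8:
        out.append(("high", "no Password set: WinVNC refuses logins until one is configured"))
    else:
        out.append(("info", "Password is a reversibly obfuscated 8-byte blob, not a hash: restrict who can read this key"))
    return out
```

Run it over your own vnc.reg before merging and the "high" findings are the ones to fix first.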
Finally, you can remotely start the service from the Windows prompt using:
net start winvnc
If you forward your local port 5900 inside the SSH connection to the remote Windows machine and connect with a VNC client to localhost, you will magically reach the remote server.
I noticed that on Windows, the forwarding trick for Terminal Server connections via localhost is no longer possible with the new mstsc.exe client, so remember to keep an old version around.
I have version 5.0.2195.6674, which still works; 6.0.6001.18000 from Windows XP SP3 does not. Or please check out this
Wow that was my first post, geeky enough isn’t it?