Sunday, March 29, 2009

Remotely installing VNC

Sometimes you just need VNC on a PC, either to watch what someone is doing, or to step them through a problem.


I often get phone calls where I need to see what the user is doing in order to work out what they are doing wrong.


For this example there are two machines: the Server, where VNC will be installed, and the Client, where you will run the VNC viewer from.


Initial Build

From the client, download VNC (I use TightVNC for some reason) and install it as normal to c:\program files\TightVNC

Set it up listening, and set a password.

Go to its registry key (TightVNC 1.x keeps it under HKLM\SOFTWARE\ORL\WinVNC3, inherited from WinVNC; newer versions use HKLM\SOFTWARE\TightVNC) and export that key to the TightVNC folder (call it tightvnc.reg). Treat that file as a secret: the VNC password in it is only obfuscated with DES under a fixed, well known key, so anyone who can read the .reg file, or the registry on the server, has the password.


Each PC

Copy the whole TightVNC folder to the server (\\server\c$\program files\tightvnc)

PsExec to the server as SYSTEM: psexec -s \\server cmd.exe

Install VNC as a service on the server from the command line: "c:\program files\TightVNC\winvnc.exe" -install (older builds take --install or install)

Import the registry settings (password, preferences etc.) on the server: reg import "c:\program files\tightvnc\tightvnc.reg"

Start the winvnc service on the server: net start winvnc

Exit PsExec: exit

Now from the Client, open c:\program files\tightvnc\vncviewer.exe and connect to the server; the password is the one you set up on the initial client.

Two things to keep in mind: VNC has no transport encryption, so only do this across a network you trust (or through an SSH/VPN tunnel), and you now have a service running as SYSTEM that gives full desktop access to anyone with that one password. When you are done, stop it and remove it with net stop winvnc and "c:\program files\TightVNC\winvnc.exe" -remove.
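The "Each PC" steps above as one script, added here as an example and not part of the original post. It assumes the TightVNC 1.x folder prepared on the client is at C:\Program Files\TightVNC with the exported tightvnc.reg inside it, that PsExec is in PATH, that you hold admin rights on the target, and that the service name (winvnc) and the -install/-remove switches are TightVNC 1.x's; the target name 'server' is the post's placeholder.

```powershell
# Added example, not the post's own procedure: push, register and start TightVNC
# on a remote PC, and tear it down again with -Remove. PowerShell 2 or later.
param([string]$Target = 'server', [switch]$Remove)

$src = 'C:\Program Files\TightVNC'                   # prepared folder on the client (assumed)
$dst = "\\$Target\c$\Program Files\TightVNC"         # same path on the target via the admin share
$exe = 'C:\Program Files\TightVNC\winvnc.exe'        # paths as seen from the target
$reg = 'C:\Program Files\TightVNC\tightvnc.reg'

function Invoke-OnTarget([string]$Computer, [string[]]$Command) {
    # Run one command as SYSTEM on the target (psexec -s) and hand back its exit code.
    # Each token is passed separately so paths with spaces survive the hop.
    & psexec.exe "\\$Computer" -s -accepteula @Command
    return $LASTEXITCODE
}

if ($Remove) {
    # Undo: stop the service, unregister it, delete the folder (and the .reg with the password).
    Invoke-OnTarget $Target @('net', 'stop', 'winvnc') | Out-Null
    Invoke-OnTarget $Target @($exe, '-remove') | Out-Null
    Remove-Item -Path $dst -Recurse -Force
    return
}

# 1. copy the whole folder: binaries plus tightvnc.reg (password and preferences)
Copy-Item -Path $src -Destination $dst -Recurse -Force

# 2. register the service, 3. import the settings, 4. start it; stop on the first failure
$steps = @(
    @($exe, '-install'),
    @('reg', 'import', $reg),
    @('net', 'start', 'winvnc')
)
foreach ($step in $steps) {
    $rc = Invoke-OnTarget $Target $step
    if ($rc -ne 0) { throw "'$($step -join ' ')' failed on $Target with exit code $rc" }
}

# 5. confirm the service is actually up before reaching for vncviewer
$svc = Get-Service -ComputerName $Target -Name winvnc
Write-Host ("winvnc on {0}: {1}" -f $Target, $svc.Status)
```

Run it from the client as the domain admin you are already logged on as, so PsExec uses your existing token rather than a password on the command line; `.\install-vnc.ps1 -Target server -Remove` cleans up afterwards.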

Run Explorer (shell) as an admin while logged in as a user.

This is an odd one, a hack you will probably only use once a year, but it is good to know it is possible.


Let's say none of your PC users are local admins, and one of them fills out a huge survey online, but when they get to the end (30 minutes later) they realise they cannot save it, only print it. So they print it, right? That would be a simple solution if they had any printers installed!


So how can a non-admin add printers? They can't, and the user didn't want to redo the survey (national managers, pfft, all the same). So I had to come up with the hack below.


Step one, open a new cmd via runas, using a local admin account (you will be prompted for its password):

runas /noprofile /user:localmachine\username cmd.exe


Step two, kill explorer.

Press Ctrl+Shift+Esc to open Task Manager and end explorer.exe (you can end your own processes).


Step three, start explorer.exe again as admin.

Go to that admin cmd window and type "explorer". With no shell running, the new explorer.exe becomes the shell (taskbar, Start menu and all), but it runs under the admin account.


Done. It will not close any other windows. Go to Task Manager again and you can see what is running as whom.

This is where you can add printers, or do anything else as an admin. Two caveats: a network printer connection added here lands in the admin account's per-user settings, not the user's, so add it as a local printer (e.g. on a TCP/IP port) if the user is meant to keep it; and while the shell runs as admin, everything the user starts from the taskbar, Start menu or a file dialog runs as admin too, so keep this window short.


Going back


Step four, kill the admin explorer.

You cannot do this from Task Manager; you (as a user) do not have rights to kill processes created by the admin account.

So go to your cmd window (running as admin) and type

taskkill /im explorer.exe


Step five, start explorer again.

In Task Manager, go to File, New Task, and type "explorer". It will all be back to normal (New Task runs as you, so the shell is the user's again).


The end result is that they still have all their programs open, but now a few extra printers too.


All this can be scripted (with a pause in the middle), so you can run it, pause, do your work as admin, press any key, and resume as the user.


So maybe you can use it more than once, because once scripted it sure beats a log off and log on.
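The scripted version the last paragraphs describe, added here as an example rather than taken from the post. It is meant to be run as the logged-on non-admin user, uses Start-Process -Credential in place of runas (no profile is loaded, matching /noprofile), and assumes a local admin account called localadmin (an assumption; change it) and PowerShell 2 or later.

```powershell
# Added example, not the author's script: steps two to five of the explorer-as-admin
# trick with a pause in the middle. Run as the ordinary user.
$adminUser = '.\localadmin'                         # assumed local admin account name
$cred = Get-Credential $adminUser                   # prompts for that account's password

# Step two: end the user's own shell. Stop-Process on your own processes needs no admin rights.
Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force
Start-Sleep -Seconds 1

# Step three: start explorer under the admin account. With no shell running, this
# instance becomes the shell (taskbar and Start menu) for the desktop, but it holds
# the admin token, so anything launched from it runs as admin too.
Start-Process -FilePath explorer.exe -Credential $cred -WorkingDirectory $env:SystemRoot

Write-Host "explorer is now running as $adminUser. Do the admin work, then press Enter to switch back."
Read-Host | Out-Null

# Step four: the user cannot kill the admin's process, so have the admin account do it.
Start-Process -FilePath taskkill.exe -ArgumentList '/f /im explorer.exe' -Credential $cred `
    -WorkingDirectory $env:SystemRoot -Wait
Start-Sleep -Seconds 1

# Step five: bring back the user's own shell; everything else they had open is still there.
Start-Process -FilePath explorer.exe
Write-Host "shell is running as $env:USERNAME again"
```

The password prompt is the only interactive part; the Read-Host pause is where you add the printer. If explorer does not become the shell on the admin side, make sure step two really killed every explorer.exe first, since a surviving instance just gets a new folder window.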


GPO: Add the Administrators security group to roaming user profiles path

Don't you hate it when a user rings up and, to solve their problem, you need access to their profile on the server?

Examples: they cannot log in, or logging in is slow due to profile size, or you want to add an icon to their desktop, or restore a file, something like that.

But you cannot do that by default, because Windows Server 2003 sets the ACL on a new roaming profile folder so that only the real user (and SYSTEM) has access; not even Domain Admins get in by default.

Sure, you can go in there and take ownership, apply (wait 20 minutes for it to propagate to all subfolders and files), then change the ACLs and propagate again (thanks Microsoft). 40 minutes and 5 frantic phone calls from the user later, you can proceed.

Or, if you planned ahead, you would have added the following group policy before creating any of the users (I used this when setting up new domains). It only changes the ACL on profile folders created after the policy is in place; existing profiles keep theirs. It also means every member of Administrators on the profile server can read every user's profile, which is the trade-off you are making.

I will not explain how to add this setting, just where it is; only admins will be applying it.

Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles

(Under the hood it sets the DWORD AddAdminGroupToRUP to 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System on the client PC that creates the profile.)

Sunday, March 22, 2009

schedule restores to a VM

Not sure if this one is possible, but we are about to start using StorageCraft ShadowProtect to do online backups of servers.

Sounds great: it can do incremental backups every 15 minutes, so if something bad happens you don't lose too much data.

But what if there is a hardware failure and you need to restore to another server? The ad says it will take minutes, and yes, I agree it will take minutes to get the process started, but if you have a 50GB server (and that's rather small I'd say) then restoring it (50GB copied from a NAS over 100Mb Ethernet) will take about 70 minutes, and that's after all the other stuffing around trying to get the now dead server to come alive again.

We have always used a custom written backup program. It's rather simple; it does the following:
1, take a shadow copy of all drives
2, open a virtual disk and map it as a drive letter
3, robocopy all the data from the shadow copies to the virtual disk
4, close the virtual disk and remove the shadow copy

Sure, there is a little error checking and reporting, and backup type (full, diff and inc) code in place (in fact that's 90% of it), but it still remains rather simple.
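Steps 1, 3 and 4 of that program, written out as an added example (not the author's code): a VSS snapshot exposed as a drive letter with diskshadow, mirrored with robocopy, then released. It assumes diskshadow is available (Windows Server 2008 or later), that the script runs elevated, and that step 2, attaching and mounting the virtual disk, has already been done by whatever VM or VHD tool you use so the disk is visible as V: (an assumption; making that disk bootable is outside this example). X: is assumed to be a free drive letter.

```powershell
# Added example: snapshot -> robocopy -> release, one volume at a time.
param(
    [string[]]$Volumes = @('C:'),
    [string]$Destination = 'V:',                   # assumed mount point of the virtual disk
    [string]$WorkDir = "$env:SystemRoot\Temp"
)
$ErrorActionPreference = 'Stop'
$exposeDrive = 'X:'                                # assumed free drive letter for the snapshot
$scriptPath  = Join-Path $WorkDir 'snap.dsh'
$logPath     = Join-Path $WorkDir 'backup.log'

function Invoke-DiskShadow([string]$Script) {
    # diskshadow only takes commands from a file (/s), so write one and run it.
    Set-Content -Path $scriptPath -Value $Script -Encoding ASCII
    & diskshadow.exe /s $scriptPath | Out-Null
    return $LASTEXITCODE
}

foreach ($vol in $Volumes) {
    # Step 1: take a shadow copy of the volume and expose it read-only as X:.
    # 'nowriters' skips application writers (fine for a file-level copy of a frozen volume).
    $create = @"
set context persistent nowriters
add volume $vol alias Snap
create
expose %Snap% $exposeDrive
"@
    if ((Invoke-DiskShadow $create) -ne 0) { throw "diskshadow could not snapshot $vol" }

    try {
        # Step 3: mirror the frozen volume into the virtual disk.
        # /MIR removes files gone from the source, /COPYALL keeps ACLs and owners,
        # /XJ skips junctions so we do not loop, /R:1 /W:1 keeps retries short.
        $target = Join-Path $Destination ($vol.TrimEnd(':'))
        & robocopy.exe "$exposeDrive\" $target /MIR /COPYALL /XJ /R:1 /W:1 /NP /LOG+:$logPath | Out-Null
        # robocopy exit codes below 8 are success (bits 1/2/4 just describe what changed)
        if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors for $vol (exit $LASTEXITCODE), see $logPath" }
        Write-Host "$vol mirrored to $target (robocopy exit $LASTEXITCODE)"
    } finally {
        # Step 4: drop the shadow copy again, whether or not the copy succeeded.
        Invoke-DiskShadow "delete shadows exposed $exposeDrive" | Out-Null
    }
}
```

The finally block matters: an exposed shadow copy that is never deleted keeps eating space in the volume's shadow storage until something else evicts it.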

But what I love most about this is that the virtual disk is bootable (once you add it to a virtual machine), so you can just boot it up whenever you want (keeping it isolated from your LAN by default is good practice, or it will fight the live server for its name and address). So when I have a server die, or even do something funny, I start booting the backup of it and at the same time try to fix the live server; 10 minutes later I give up and go to the failover server, which will already have booted. Sure, it might be 3% slower, but you are working again.

I also use this system to test boot servers every few weeks: see if it boots, install any patches you want to try out, reboot, and if it doesn't work then nothing is lost (besides a known good backup).

This system only did backups once every night.

So, moving away from this system to StorageCraft and doing backups every 15 minutes, I would still like to have a failover server I can boot up with 10 minutes notice, test out, test patches on, or just plain fiddle with, without a 70 minute wait first.

So, can I, in ShadowProtect, schedule restores (to a virtual machine, of course)?

Remotely enable RDP

As in most of my posts, I assume the person reading this is working in a company with all PCs on the domain, and that you are a domain admin (or at least have domain admin rights, even if that's not your job role).

So of course you will need local admin access on the remote machine (Domain Admins have that), and the firewall must not be blocking everything.

There are many, many different ways to do this.

You can open regedit, connect to the remote computer (File, Connect Network Registry), and change fDenyTSConnections to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server.

Or, from a cmd window on your own PC, you can type the following:
reg add "\\machinename\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

For the above to work you need remote registry access to that PC: the Remote Registry service running there, and File and Printer Sharing allowed through its firewall (it runs over SMB).

Or you can PsExec to the remote PC and type the same command without the \\machinename part.

Or you can remotely install VNC on the machine, VNC to it, and then enable Remote Desktop.

Or you can ring up the user and get them to do it.

Or you can leave your desk, walk down 2 flights of stairs and do it yourself, maybe on the way to lunch or something.

Or set a group policy for it (Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Allow users to connect remotely using Terminal Services; apply it just to them if needed) and wait for the next policy refresh or reboot.

Now, if you used one of the first few ways and Windows Firewall is on, it will not add an exception for you. So the service will be listening (you can check that via psexec \\machine cmd, then netstat -ano | find /i "listening" and look for :3389), but the firewall still drops the connection. You can add the exception with netsh (XP SP2 / Server 2003 syntax; Vista and later use the netsh advfirewall context instead):
netsh firewall add portopening TCP 3389 RemoteDesktop

Or maybe RDP was enabled the whole time, but the firewall was turned on after it was enabled (which also does not add an exception), so use the above to remotely add the exception.
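The registry, port and firewall steps together, as an added example that is not from the post: the fDenyTSConnections write goes through the remote registry API (so it needs the same Remote Registry service the reg add command does), the listening port is read back from RDP-Tcp in case someone moved it, and the firewall exception is added on the box through PsExec because Windows Firewall has no remote API. Assumes you are a local admin on the target, PsExec is in PATH, and the target runs XP SP2 / Server 2003 netsh syntax; the computer name pc42 is made up.

```powershell
# Added example, not the post's own commands.
param([string]$ComputerName = 'pc42')

function Enable-RemoteDesktop([string]$Computer) {
    # Same value the post's reg add sets; read it back rather than trusting the write.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server', $true)
        $key.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $value = [int]$key.GetValue('fDenyTSConnections')
        $key.Close()
        return $value
    } finally { $hklm.Close() }
}

function Get-RdpPort([string]$Computer) {
    # Where a "goose" may have moved RDP off 3389; 3389 is the default when the value is absent.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp')
        $port = [int]$key.GetValue('PortNumber', 3389)
        $key.Close()
        return $port
    } finally { $hklm.Close() }
}

function Add-RdpFirewallException([string]$Computer, [int]$Port) {
    # Firewall exceptions must be added on the machine itself, hence PsExec.
    # Tokens are passed separately so PsExec rebuilds the exact command line remotely.
    & psexec.exe "\\$Computer" -accepteula netsh firewall add portopening TCP $Port RemoteDesktop
    return $LASTEXITCODE
}

$deny = Enable-RemoteDesktop $ComputerName
$port = Get-RdpPort $ComputerName
Write-Host "fDenyTSConnections on $ComputerName is now $deny; RDP is configured on TCP $port"
$rc = Add-RdpFirewallException $ComputerName $port
Write-Host "netsh on $ComputerName returned $rc (0 means the exception was added)"
```

Opening the exception for the configured port rather than a hard-coded 3389 is the point of Get-RdpPort; if the value came back as something other than 3389, that is also the port mstsc needs (server:port).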

Netstat: everything about ports

If you don't know what netstat does then just run this and study the output:
netstat -ano

netstat /? will tell you more if you are still guessing.


If you want to know what on your PC is talking to what, the command below is perfect:
netstat -ano | find /i "est"

If you want to know what 'servers' are running on your PC, or what is open and waiting for someone to connect in, this is your man:
netstat -ano | find /i "listening"

If the local address is 0.0.0.0 then it is listening on ALL IP addresses (on all NICs); otherwise it lists each IP address separately.

This also lists the PID; you can use tasklist /fi "pid eq 1234" to look it up, or Task Manager with the PID column showing (the -b switch prints the owning executable directly, but needs an admin prompt). There are programs that tie these bits of info together, but who needs them.

This is useful for when some goose has changed the default RDP port from 3389 to 3388 and not told anyone: Windows says RDP is turned on, but you cannot connect to it. After fiddling with the firewall and anything else you can think of, you check the registry (PortNumber under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp) and see it's on a different port. It's dead simple to check the active listening ports instead.
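One of those "programs that tie the bits of info together", as an added example rather than anything from the post: it parses netstat -ano output into objects, joins the listening sockets to process names by PID, and compares the RDP port configured in the registry with what is actually listening. The netstat sample at the top is constructed so the parser can be read offline; the live functions run netstat and Get-Process on the local machine. PowerShell 3 or later.

```powershell
# Added example: netstat -ano as objects, joined to process names, plus the moved-RDP check.
$SampleNetstat = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:3388           0.0.0.0:0              LISTENING       1320
  TCP    192.168.0.5:445        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:1033       192.168.0.10:445       ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    700
'@

function ConvertFrom-Netstat([string]$Text) {
    # One object per socket line. UDP lines have no State column, hence the optional group.
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$') {
            [pscustomobject]@{
                Proto   = $Matches[1]
                Address = $Matches[2]          # 0.0.0.0 means every interface
                Port    = [int]$Matches[3]
                Remote  = $Matches[4]
                State   = if ($Matches[5]) { $Matches[5] } else { '' }
                PID     = [int]$Matches[6]
            }
        }
    }
}

function Get-ListeningPorts([string]$NetstatText = (& netstat.exe -ano | Out-String)) {
    # Listening TCP sockets and all UDP sockets, each with its owning process name
    # (the same lookup tasklist /fi "pid eq N" does; PID 4 is the System process).
    ConvertFrom-Netstat $NetstatText |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            $_ | Add-Member -NotePropertyName Process -NotePropertyValue $name -PassThru
        }
}

function Test-RdpPort($Sockets) {
    # What the registry says RDP should be on versus what is actually listening.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $configured = [int](Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
    $listening = $Sockets | Where-Object { $_.Proto -eq 'TCP' -and $_.Port -eq $configured }
    if ($configured -ne 3389) { Write-Warning "RDP is configured on TCP $configured, not 3389" }
    if (-not $listening) { Write-Warning "nothing is listening on TCP $configured" }
    return $configured
}

# Offline: the constructed sample (note the RDP-looking listener on 3388).
ConvertFrom-Netstat $SampleNetstat | Where-Object State -eq 'LISTENING' | Format-Table -AutoSize

# Live: this machine's listeners with process names, then the RDP check.
$live = Get-ListeningPorts
$live | Sort-Object Proto, Port | Format-Table Proto, Address, Port, PID, Process -AutoSize
Test-RdpPort $live | Out-Null
```

The regex is deliberately strict about the line shape so header and blank lines drop out without special casing; if netstat's column layout differs on your build, adjust the pattern rather than the column indexes.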

If you want more detail than this, like how much bandwidth each connection is using, then you need a program like NetLimiter. It's not free and it needs a reboot, but it tells you what program, what port and what session is using up all your bandwidth, and gives you that info over time too.

Process Explorer will also tell you what connections a process has open (the TCP/IP tab in its properties), but only once you know the process.

Or you can use a packet sniffer; I've got a whole other entry about that.

Packet Sniffing

Packet sniffers can be set up in 2 main ways:
1, to sniff all traffic going in or out of the machine you are on.
2, to sniff all traffic going past a certain point on the network (e.g. out to the internet). On a switched LAN the switch only delivers frames to the port they are addressed to, so for this you need a mirror (SPAN) port or a tap at that point.

Most of the time I use it just to see what a PC is doing, who it's talking to, and most importantly what it's sending.


Most packet sniffers I've played with do mostly the same thing: capture packets and let you sort and filter them. Wireshark is perfect for the single PC usage; it's free (and open source for those that care).

I'll list some examples of when I've needed a packet sniffer; not all relate to my work:

1, I wanted to download lots of pictures from Google Street View, from about 2km of highway near my place. I opened Wireshark, opened Google Maps and went to Street View, then looked at the packet sniffer and it told me where it was getting that data from. It also gave me lots of XML files that would tell me the next location to go to, and what picture that used. So I just wrote a script to enumerate through a few hundred of them and save the pictures in order, then I just used Windows Movie Maker to stitch them all together. Ended up looking great.

2, I was setting up a 3rd party program for one of my clients. This program sent shipping notices to the transport company so they could organise a pickup, but the program was connecting and giving a comms related error. I ran Wireshark and saw it sent off a request to an FTP location; it authenticated fine, but was failing to store/upload the files. Something I did notice though was the username and password, which of course are clear text for FTP, and the password looked generic (not specific to my client). I manually logged on to that site with those credentials and refreshed the page a few times and started to see other people upload shipping notices, and then they would vanish (a bot must be polling every 2 minutes or so), but I could download these files and see them in clear text again. Besides that security problem, it showed me the FTP module did not switch to the right transfer mode before uploading the files; I had to get my firewall guys to make some changes and it all worked.

3, many, many other times, to see how things work, like the structure of a DNS packet, following HTTP streams (joining the conversation back and forth), detecting broadcast hammers, and just to spy on other people.

It's certainly worth knowing what info you can gather with a packet sniffer; just download and play.

NETSH: edit network settings from the command line

Just run netsh from a cmd window and you will see what I mean.

It can do lots of things; to best explain I'll just give you a list of examples.

To set a NIC to a static address (IP, mask, gateway, gateway metric):
netsh interface ip set address name="Local Area Connection" static 192.168.0.2 255.255.255.0 192.168.0.1 1

To set a NIC to use DHCP:
netsh interface ip set address "Local Area Connection" dhcp

It supports script files too: netsh -c interface dump writes the current interface config out as netsh commands, and netsh -f file runs such a file, so you can save a PC's config and replay it.

full details about the NETSH usage is here: http://support.microsoft.com/?kbid=242468

Pipe to the clipboard

I'll be short on this one: in Windows Server 2008 and Vista you can pipe to the clipboard with clip.exe.

Usage is as you would expect, for example

hostname | clip

That puts the output of hostname on the clipboard. Good for scripts and stuff you know you will just need to copy out anyway, or when the output is really large, more than the cmd buffer.

Friday, March 20, 2009

TCP PROXY

Great for routing traffic through a sniffing host, setting up a mail server on a non-standard port, or redirecting one port to another. The syntax is simple, e.g.:

stcppipe.exe www.yahoo.com 80 80

The above listens on all IPs on port 80 and sends it on to yahoo on port 80.

stcppipe.exe mail1.domain.com 25 2525

Listens on 2525 and sends that data to port 25 on mail1.domain.com.

Remember that the far end sees the proxy's IP address as the source, not the real client's, and that everything passing through is readable by the proxy host, which is the point when it is your sniffing box and the problem when it is someone else's.


DOWNLOAD: http://www.mediafire.com/file/gmmwgfdnnxj/Portping.exe
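What a tool like this does under the hood, as an added example that is not stcppipe's code: a small TCP relay in PowerShell that listens on one port, forwards each connection to the target, and prints a printable preview of every chunk in each direction (the "sniffing host" use). It handles one connection at a time, which is enough for testing; the defaults are the post's mail example (mail1.domain.com:25 behind local port 2525, both placeholders). Bind to 127.0.0.1 rather than 0.0.0.0 unless other machines are meant to reach it.

```powershell
# Added example: a single-connection TCP relay with traffic preview. Ctrl+C to stop.
param(
    [string]$TargetHost  = 'mail1.domain.com',   # post's placeholder target
    [int]$TargetPort     = 25,
    [int]$ListenPort     = 2525,
    [string]$BindAddress = '0.0.0.0'             # 127.0.0.1 if only this box should reach it
)

function Write-Chunk([string]$Direction, [byte[]]$Buffer, [int]$Count) {
    # Printable preview of the first 64 bytes; non-printables become dots.
    $n = [Math]::Min($Count, 64)
    $preview = -join ($Buffer[0..($n - 1)] | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
    Write-Host ("{0} {1,6} bytes  {2}" -f $Direction, $Count, $preview)
}

function Pump($From, $To, [string]$Label, [byte[]]$Buffer) {
    # Move whatever is pending on $From to $To. Poll(SelectRead) is true when data is
    # waiting OR the peer closed; Read returns 0 in the second case, which ends the relay.
    if (-not $From.Client.Poll(0, [System.Net.Sockets.SelectMode]::SelectRead)) { return $true }
    $n = $From.GetStream().Read($Buffer, 0, $Buffer.Length)
    if ($n -le 0) { return $false }
    $To.GetStream().Write($Buffer, 0, $n)
    Write-Chunk $Label $Buffer $n
    return $true
}

$listener = New-Object System.Net.Sockets.TcpListener([System.Net.IPAddress]::Parse($BindAddress), $ListenPort)
$listener.Start()
Write-Host "relaying ${BindAddress}:$ListenPort -> ${TargetHost}:$TargetPort"
try {
    while ($true) {
        $client = $listener.AcceptTcpClient()
        $peer = $client.Client.RemoteEndPoint
        Write-Host "connection from $peer"
        $server = New-Object System.Net.Sockets.TcpClient($TargetHost, $TargetPort)
        $buf = New-Object byte[] 16384
        try {
            $alive = $true
            while ($alive) {
                # client -> target is '>>', target -> client is '<<'
                $alive = (Pump $client $server '>>' $buf) -and (Pump $server $client '<<' $buf)
                if ($alive) { Start-Sleep -Milliseconds 5 }
            }
        } catch {
            Write-Host "relay ended: $($_.Exception.Message)"
        } finally {
            $client.Close(); $server.Close()
            Write-Host "closed $peer"
        }
    }
} finally { $listener.Stop() }
```

Point a mail client at localhost:2525 and the SMTP dialogue (EHLO, MAIL FROM, and, if the client uses AUTH PLAIN or LOGIN, the base64 credentials) scrolls past in the preview, which is exactly why a relay like this in the wrong hands is a credential harvester.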

PSEXEC

This little tool lets you run processes on a remote computer.

And if it's a console program, like cmd, then you get its output back too. So you can get a remote cmd prompt on any computer on your network!

Usage is simple:

psexec \\computername cmd.exe

(This will only work if you already have admin rights on the computer, e.g. it is a domain member and you are a Domain Admin. PsExec copies its service binary to the ADMIN$ share and installs it as a service, so the admin share has to be reachable, and it leaves a service install event behind on the target. Avoid passing -u and -p: versions before 2.1 send that password over the network in the clear.)

more info and download at http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

ARP scanning: Finding all used IP addresses

When you cannot ping something, like when its firewall is on, it still responds to ARP requests (the firewall filters IP, not ARP). This only works for your own subnet; across a router the only MAC you will ever see is the router's.

Run this from the command prompt, just remember to change the IP addresses:

arp -d
for /L %i in (1,1,254) do @start /b ping 192.168.0.%i -n 1 -l 10 -w 50 >nul
ping 127.0.0.1 -n 5 >nul
cls
arp -a
So this clears your ARP cache, pings all 254 addresses in parallel, waits a few seconds (the loopback ping is just a sleep), and then displays your ARP cache. Paste it all into a command prompt and you're good to run, changing the IP address range as needed. In a batch file write %%i instead of %i, and on Vista and later arp -d needs an elevated prompt.
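The same sweep in PowerShell, added here as an example (not from the post), with one thing the batch version lacks: the arp -a output is parsed into objects, so you can keep just the dynamic entries (real neighbours) and sort them by address. Sending the pings needs .NET 4.5 (PowerShell 3 or later); the 192.168.0 prefix is an assumption, and the arp -a sample is constructed so the parser can be exercised offline.

```powershell
# Added example: parallel ping sweep to populate the ARP cache, then arp -a as objects.
param([string]$Prefix = '192.168.0', [int]$TimeoutMs = 50)

function Invoke-ArpSweep([string]$Prefix, [int]$TimeoutMs) {
    # Fire all 254 pings at once. The replies do not matter; the ARP requests that
    # go out first are what fill the cache, firewall or no firewall. One Ping object
    # per address, since a single Ping cannot run overlapping async sends.
    $tasks = 1..254 | ForEach-Object {
        (New-Object System.Net.NetworkInformation.Ping).SendPingAsync("$Prefix.$_", $TimeoutMs)
    }
    try { [System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$tasks) } catch { }
}

function ConvertFrom-ArpTable([string]$Text = (& arp.exe -a | Out-String)) {
    # arp -a lines look like "  192.168.0.1   00-1a-2b-3c-4d-5e   dynamic"; -match is case-insensitive.
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            [pscustomobject]@{ IP = $Matches[1]; MAC = $Matches[2]; Type = $Matches[3] }
        }
    }
}

# Constructed sample: what arp -a prints, including the broadcast/multicast static entries we ignore.
$SampleArp = @'
Interface: 192.168.0.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.0.17          00-0c-29-ab-cd-ef     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@
ConvertFrom-ArpTable $SampleArp | Where-Object Type -eq 'dynamic' | Format-Table -AutoSize

# Live: clear the cache (elevated prompt on Vista and later), sweep, read it back.
& arp.exe -d | Out-Null
Invoke-ArpSweep -Prefix $Prefix -TimeoutMs $TimeoutMs
Start-Sleep -Seconds 2
ConvertFrom-ArpTable | Where-Object Type -eq 'dynamic' | Sort-Object { [version]$_.IP } | Format-Table -AutoSize
```

The OUI half of the MAC (first three octets, 00-0c-29 is VMware for instance) is often the quickest way to put a name to an address that will not answer anything else.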

Search for an email address in Active Directory

To search for an email address in Active Directory:

1, open dsa.msc (Active Directory Users and Computers)

2, right click the domain (e.g. company.local)

3, click "Find..."

4, in the "Find:" drop down, select "Custom Search"

5, go to the Advanced tab

6, enter this as the LDAP query: (proxyAddresses=smtp:user@domain.com)

7, then hit "Find Now"

proxyAddresses holds every address on the mailbox, aliases included (the primary one is written with SMTP: in capitals, but the match is case-insensitive, so smtp: finds both); the mail attribute only holds the primary address.
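The same search from PowerShell, added as an example and not part of the post, using System.DirectoryServices so it works from any domain-joined machine without the AD module. The address is escaped per RFC 4515 before it goes into the filter, so a value typed by someone else (or pasted from a ticket) cannot rewrite the query; user@domain.com is the post's placeholder.

```powershell
# Added example: find the account behind an address, with the filter value escaped.
function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping. Backslash goes first so its own escape is not re-escaped.
    $map = [ordered]@{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    foreach ($k in $map.Keys) { $Value = $Value.Replace($k, $map[$k]) }
    return $Value
}

function First($PropertyValues) { @($PropertyValues)[0] }   # $null when the attribute is absent

function Find-AdMailbox([string]$Address, [string]$SearchRoot = '') {
    $safe = ConvertTo-LdapFilterValue $Address
    # proxyAddresses holds every address (primary as SMTP:, aliases as smtp:); AD string
    # matching is case-insensitive, so smtp: finds both. mail holds only the primary.
    $filter = "(|(mail=$safe)(proxyAddresses=smtp:$safe))"
    $root = if ($SearchRoot) { New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchRoot") }
            else { New-Object System.DirectoryServices.DirectoryEntry }   # default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'mail', 'proxyAddresses'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string](First $r.Properties['samaccountname'])
            DN      = [string](First $r.Properties['distinguishedname'])
            Primary = [string](First $r.Properties['mail'])
            Aliases = (@($r.Properties['proxyaddresses']) -join '; ')
        }
    }
}

# Escaping check on a hostile value; needs no directory:
ConvertTo-LdapFilterValue 'x*)(objectClass=*'      # x\2a\29\28objectClass=\2a
# Live search (any authenticated domain user can run it):
Find-AdMailbox -Address 'user@domain.com' | Format-List
```

The escaping check shows why it matters: without it, that value turns the filter into `(|(mail=x*)(objectClass=*)...)` and matches every object in the directory.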

PortPing

It pings a port to see if it's open.

Yes, you can just telnet to an IP and specify a port, but this lets you do it continuously.

Usage: portping hostname port

e.g. portping server 3389

Great for after you have rebooted a server that's behind a firewall (that you cannot ping), but there is a port forward to 3389 (RDP): you can tell when it's back up without all the trying and trying. A massive time saver for all. Note it is a full TCP connect, so each probe shows up as a connection on the far end; a refused connection means the host is up but the service isn't listening yet, while a timeout means the host or a firewall isn't answering at all.

download from here: http://www.mediafire.com/file/ygj5yzmkowe/Portping.exe
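A port ping in PowerShell, added as an example and not the PortPing tool itself: it repeats a TCP connect with a timeout until the port answers, and tells "refused" (host up, service not listening yet, the state a rebooting server passes through) apart from "timeout" (host or firewall silent). The defaults are the post's example arguments (server, 3389). PowerShell 2 or later.

```powershell
# Added example: continuous TCP port probe with refused/timeout distinction.
param([string]$Target = 'server', [int]$Port = 3389, [int]$TimeoutMs = 1000, [int]$IntervalSec = 2)

function Test-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs = 1000) {
    # Returns 'open', 'refused', 'timeout' or 'error'. The handshake is completed and
    # then closed, so the probe is visible to the service (and its logs) on the far end.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'timeout' }
        $client.EndConnect($ar)                 # throws on RST / no route / bad name
        return 'open'
    } catch {
        # PowerShell wraps .NET exceptions; look at the inner one for the socket error code.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.Net.Sockets.SocketException]) {
            if ($ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) { return 'refused' }
            if ($ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::TimedOut) { return 'timeout' }
        }
        return 'error'
    } finally { $client.Close() }
}

function Watch-TcpPort([string]$Target, [int]$Port, [int]$TimeoutMs, [int]$IntervalSec) {
    # Probe until the port is open, one line per attempt; returns the number of probes it took.
    $n = 0
    do {
        $n++
        $state = Test-TcpPort $Target $Port $TimeoutMs
        Write-Host ("{0:HH:mm:ss}  {1}:{2}  {3}" -f (Get-Date), $Target, $Port, $state)
        if ($state -ne 'open') { Start-Sleep -Seconds $IntervalSec }
    } while ($state -ne 'open')
    return $n
}

$probes = Watch-TcpPort $Target $Port $TimeoutMs $IntervalSec
Write-Host "$Target`:$Port answered after $probes probes"
```

Through a port forward the "refused" state is only visible if the firewall passes the RST back; many drop it, in which case a rebooting server just looks like "timeout" until it is fully up.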