A covert account-cloning method

Author: a11yesno
Originally posted by: Evil Octal Information Security Team (www.eviloctal.com)

Date found: 05 (exact month not given)

Note: Because I haven't been paying much attention to network security lately, as far as I remember nobody has mentioned this method, so I'm putting it out; please don't throw bricks at me, thanks!

The principle is very simple: it is all about the F and V values in the SAM. How do you avoid detection?
The usual clone-account checkers work by looking in the SAM for two accounts whose F and V data are identical. This method exploits exactly that behaviour to bypass the check.

Steps

1. net user Allyesno freexploit /add & net localgroup Administrators Allyesno /add
2. Clone Allyesno -> Guest
3. Delete Allyesno's F and V values in the SAM (that's it)

From then on the conventional detection tools can no longer find it, haha.

In addition, Kaka pointed out that once the account logs on, a user profile directory is created. The profile path can be changed in the registry (ProfileImagePath under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>), and other tools can be added to help hide it.

The test environment at the time was XP SP2 and 2003 SP1. I don't know whether Microsoft has fixed this since, or whether it works on Vista.

You can add me on QQ to discuss: 138888318, verification phrase: "very good, very harmonious".

Thx: the people who helped test on the 0x577 IRC channel, such as Kaka, Luoluo and others (too many to remember).
PS: Sigh, I've been marginalized t_t ...



Some additions:

Deleting the account's information in the registry is not the same as deleting it with net user Xxx /delete.

I created the user Allyesno and then made Guest a clone of Allyesno.
Both Allyesno and Guest refer, through the registry, to user information in the SAM.
When Windows authenticates a user it first looks up the user name in the registry (the SAM's name index) and then reads that user's data from the SAM.

If you use a command such as net user Allyesno /delete, both the registry entries and the user data in the SAM are removed.
The Allyesno user data that Guest points to is gone, so Guest can no longer log on.

If instead you delete only Allyesno's entries in the registry, the SAM still keeps the Allyesno data and Guest can still log on.

(One caveat: HKLM\SAM is the SAM hive file loaded into the registry, not a separate store, so the real difference between the two methods is which keys and values each one removes.)
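The detection side of the technique above, as an added worked example (written for this page; not code from the article, from the Evil Octal team, or from any anti-clone tool): it parses the F value under each key of HKLM\SAM\SAM\Domains\Account\Users and runs the identical-F comparison the article says tools relied on, the RID-consistency check that is not defeated by deleting the source account, and a check for a key whose F value was deleted but which was left behind (what step 3 and the additions above produce). The F-value offsets (RID at 0x30, ACB flags at 0x38) are those used by RegRipper's samparse plugin; the SAM contents are constructed so the script runs offline, and the live loader needs SYSTEM on a Windows host. The RIDs assigned to Allyesno and the function names are assumptions.

```python
"""Checks for cloned accounts under SAM\\SAM\\Domains\\Account\\Users.

Added example for this page; constructed data, not the article's code.
F-value offsets follow RegRipper's samparse plugin.
"""
import struct

F_RID_OFFSET = 0x30   # DWORD: RID issued to the account at logon
F_ACB_OFFSET = 0x38   # WORD: account control bits (0x0001 = disabled)
F_MIN_LEN = 0x44      # anything shorter cannot hold the fields above

# Assumed RIDs for the accounts in the article (Allyesno's is a guess).
ADMIN_RID, GUEST_RID, ALLYESNO_RID = 500, 501, 1000


def make_f(rid, acb=0x0010):
    """Build a constructed F blob with only RID and ACB flags filled in."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, F_RID_OFFSET, rid)
    struct.pack_into("<H", buf, F_ACB_OFFSET, acb)
    return bytes(buf)


def parse_f(blob):
    """Return the RID and ACB flags stored inside an F value."""
    if len(blob) < F_MIN_LEN:
        raise ValueError("F value missing or truncated")
    rid, = struct.unpack_from("<I", blob, F_RID_OFFSET)
    acb, = struct.unpack_from("<H", blob, F_ACB_OFFSET)
    return {"rid": rid, "acb": acb, "disabled": bool(acb & 0x0001)}


def find_clones(users):
    """users: Users subkey name (hex RID, e.g. '000001F5') -> F bytes.

    Check 1: identical F data under two RID keys (what the article says
    tools compared).  Check 2: the RID inside F must match the key it
    lives under; a cloned Guest keeps the source RID even after the
    source's own F/V are deleted.  Check 3: a key with no F value, which
    is what deleting only the values leaves behind.
    """
    findings = []
    by_blob = {}
    for key, blob in users.items():
        key_rid = int(key, 16)
        try:
            info = parse_f(blob)
        except ValueError:
            findings.append(f"{key}: F value missing, empty key left behind")
            continue
        if info["rid"] != key_rid:
            findings.append(f"{key}: F carries RID {info['rid']} but key is RID {key_rid}")
        by_blob.setdefault(blob, []).append(key)
    for keys in by_blob.values():
        if len(keys) > 1:
            findings.append("identical F data under " + ", ".join(sorted(keys)))
    return findings


def sam_after_clone():
    """Constructed SAM after step 2: Guest's F copied from Allyesno."""
    return {
        "000001F4": make_f(ADMIN_RID),
        "000001F5": make_f(ALLYESNO_RID),   # Guest's key, cloned F
        "000003E8": make_f(ALLYESNO_RID),   # Allyesno, the source account
    }


def sam_after_cleanup(keep_empty_key=False):
    """Constructed SAM after step 3: Allyesno's F/V removed via the registry."""
    sam = sam_after_clone()
    if keep_empty_key:
        sam["000003E8"] = b""   # values deleted, key still present
    else:
        del sam["000003E8"]     # whole key removed
    return sam


def load_live_users():
    """Read the real Users keys on a Windows host; HKLM\\SAM is readable
    only as SYSTEM (e.g. under psexec -s)."""
    import winreg
    users = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SAM\SAM\Domains\Account\Users") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            if name == "Names":     # username -> RID index, not an account key
                continue
            with winreg.OpenKey(root, name) as k:
                try:
                    users[name] = winreg.QueryValueEx(k, "F")[0]
                except FileNotFoundError:
                    users[name] = b""
    return users


if __name__ == "__main__":
    for label, sam in (("after clone", sam_after_clone()),
                       ("after cleanup", sam_after_cleanup()),
                       ("after cleanup, empty key", sam_after_cleanup(True))):
        print(label)
        for line in find_clones(sam):
            print("  " + line)
```

Run stand-alone it shows the three states: after the clone both the identical-F check and the RID check fire; after the source's F/V are removed only the RID check fires, which is why the article's method beats the older tools but not a RID comparison; if only the values were deleted and the empty key remains, that key is reported as well. On a live system replace the constructed dictionaries with load_live_users().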

It's been a long time.
