A summary of the methods of nt/2000 elevation of privilege "turn"

Windows nt/2000 Common Lifting method
An attacker would typically elevate his or her privileges to the Administrators group after gaining access to the system, so that the attacker could control the computer. This is mainly in the following ways: 1. Get the administrator password, the next time you can use the password into the system; 2. Create a new user first, then add this generic to the Admins group, or simply add an obscure user such as guest to the admin group; 3. Install the back door.
This article provides an overview of the methods commonly used by attackers in Windows NT4 and Windows 2000 to elevate permissions. Here are the specific methods:
Method 1: Download the system%windir%epairsam.* (WinNT 4 is sam._ and Windows 2000 under the SAM) file, and then use the L0PHT and other software to crack, as long as you can get, willing to spend time, you will be able to crack.
Problem: (1) The attacker may not be able to access the file (see attacker's identity and administrator's settings);
(2) This file is the last time the system backup of the account list (also may be the first time the system was installed), then change the password of the account, it is useless.
　
Method 2: Use Pwdump (L0PHT, Windows 2000 invalid) or PWDUMP2, get the system's current user list and password encryption list, and then use L0PHT to crack the list.
Problem: A normal user cannot successfully run the Pwdump class program (without permissions), for example: Using a Unicode vulnerability to enter the system is iusr_computer identity, which typically belongs to the Guests group, and running the Pwdump class program will fail.
(Both of these are off-line)
　
Method 3: Use an Enum and other programs for remote cracking, guessing password. An enum can use a specified dictionary to crack a user of a remote host.
Problem: (1) If the system set up the account lockout, cracked several failed, the account is locked, temporarily can not be cracked;
(2) to the remote system to open the Netbios connection, TCP 139 port, if the firewall is filtered if the Enum can not connect to the host.
(This is done by cracking the password, and by directly elevating the current user or adding users to the Administrators group.) ）
　
Methods 4:getadmin (WinNT 4), Pipeupadmin (under Windows 2000), can be run on the computer to join the current user account to the Administrators group. And Pipeupadmin is more powerful, ordinary users and Guests group users can run successfully.
Problem: Getadmin has patches repaired in SP4, it cannot be used for WinNT 4 system above SP4, and of course later there is an enhanced version of Getadmin, but it does not seem to run successfully under SP6a.
Note: This method leverages the security vulnerabilities of the WinNT 4 system and can be installed to fix the problem.
(in addition, there are workarounds.) ）
Method 5: When specifying a user shell program (Explorer.exe) in Winnt 4 and the Windows 2000 registry, the absolute path is not used, but the file name of a relative path is used (taking into account compatibility issues). Because the search order problem of the program during system startup makes%systemdrive%explorer.exe (the system-installed and directory-Explorer.exe) program executed, this provides an opportunity for an attacker to execute his own program the next time the user logs on.