Author: looo Source: http://www.looooo.info/
A few words first: after Heiji posted the final part of my clone-account article, many friends gave me valuable comments on it. Because the original was written casually while I was bored, it was not rigorous in many places.
So I have reorganized the article, added some material, and corrected the less rigorous parts. If you have any questions, please visit my blog.
Preface: I believe everyone has used clone accounts. Whether with tools or by hand, cloning an account is undoubtedly the best way to hide an account. Yet the articles on the internet make it look especially troublesome. In fact, cloning an account is very easy: it is nothing more than copying the Administrator's registry key. This article is intended for readers who have already used a clone account; I will only describe the principle and the methods of cloning, and I hope it gives you some ideas.
Principle: every account has a corresponding key in the registry. Specifically, under HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users, the Administrator's item is 000001f4, and it holds two binary values, "F" and "V". I generally clone the Guest user, so I will use it as the example; other users are cloned in exactly the same way. The Guest item is 000001f5. The items belonging to other users can be looked up under HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users\Names. All we need to do is copy the "F" and "V" values under 1f4 into the corresponding values under 1f5. That is what we call a clone account.
1. Simple clone
A. Principle: copy only the "F" value. An account cloned this way is less concealed than a fully cloned one (described later), but it is more convenient for you. If the zombie's administrator (the admin of the compromised host) is not very skilled, I recommend this method. When the cloned user logs on, the desktop it gets is the Administrator's, that is, the profile folder C:\Documents and Settings\Administrator is the same as admin's, instead of the previous C:\Documents and Settings\Guest. However, in "query user" and in Terminal Services Manager the logged-on user still shows as "guest", and "net localgroup administrators" still shows guest as an administrator; that is what I mean by lower concealment than a full clone. In "net user" and in user management, though, the guest user shows nothing unusual.
B. Specific method: whatever tool you prefer, open Regedit with SYSTEM privileges. I like to use PSU, in its "psu -p regedit" form together with the PID of the winlogon process (the PID here is the one shown for winlogon.exe in the system process list). Then open [HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users\000001f4], open its "F" value, and copy it into the "F" value of 1f5. Next, from cmd (this is required), change the guest password (net user guest password), activate the Guest account (net user guest /active:yes), and afterwards you can simply disable it again (net user guest /active:no). Done.
2. Full clone
A. Principle: copy both the "F" and "V" values. This way the two accounts are actually one account as far as the system is concerned, which is the most concealed: unless professional tools are used, nothing looks wrong in "net user", in user management, or in "net localgroup administrators". Most importantly, after you log on, "query user" and Terminal Services Manager show "Administrator". :) That achieves the goal of super concealment.

One thing needs explaining here: when you log on with an account cloned this way, you are really logging on to the Administrator's own interface. That is, if you log on via 3389 with the cloned account, disconnect without logging off, and the Administrator then also logs on via 3389, he gets your session!! He can also see the operations left behind in that session, because the two of you are now in the same session. This is the inconvenience I mean. If, however, 3389 was enabled by you and the Administrator never logs on remotely, it is fine, since your sessions are not one. With the simple clone method, by contrast, you log on as two different accounts rather than sharing one session.
B. Specific method: the same as for the simple clone, except that both the "F" and "V" values are copied. Alternatively, export the item [HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users\000001f4] directly, edit the exported registry file, change "000001f4" to "000001f5", and import it back. Then, from cmd (this is required), change the guest password (net user guest password), activate the Guest account (net user guest /active:yes), and afterwards you can simply disable it again (net user guest /active:no). Done.
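Both variants above leave the same trace for a defender to look for: two RIDs under the Users key holding byte-identical data, "F" alone for the simple clone and "F" plus "V" for the full clone. The script below is an added example, not code from the original article; it assumes the Users key has been exported with regedit to a .reg file (regedit writes UTF-16), and the embedded sample is constructed and much shorter than real F/V blobs.

```python
"""Flag local accounts whose SAM "F"/"V" data is byte-identical to another
account's, the trace both clone variants above leave behind. Added example, not
from the original article; assumes a regedit .reg export of the Users key."""
import re
import sys
from collections import defaultdict
# Constructed, much-shortened sample: 1f4 (Administrator) and 1f5 (Guest) share "F".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users\000001F4]
"F"=hex:02,00,01,00,00,00,00,00,ab,cd,ef,01,02,03,04,05,\
  06,07,08,09
"V"=hex:00,00,00,00,bc,00,00,00,41,64,6d,69,6e
[HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users\000001F5]
"F"=hex:02,00,01,00,00,00,00,00,ab,cd,ef,01,02,03,04,05,\
  06,07,08,09
"V"=hex:00,00,00,00,a0,00,00,00,47,75,65,73,74
[HKEY_LOCAL_MACHINE\SAM\Domains\Account\Users\000003E9]
"F"=hex:02,00,01,00,00,00,00,00,11,22,33,44,55,66,77,88
"V"=hex:00,00,00,00,b0,00,00,00,62,6f,62
"""
KEY_RE = re.compile(r"^\[.*\\Users\\([0-9A-Fa-f]{8})\]$")
VAL_RE = re.compile(r'^"([FV])"=hex:([0-9A-Fa-f,]*)$')

def parse_sam_export(text):
    """Return {rid: {"F": bytes, "V": bytes}} from a .reg dump of the Users key."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # rejoin regedit's wrapped hex lines
    users, rid = {}, None
    for line in joined.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            rid = key.group(1).lower()
        elif rid and (val := VAL_RE.match(line.strip())):
            users.setdefault(rid, {})[val.group(1)] = bytes.fromhex(val.group(2).replace(",", ""))
    return users

def find_clones(users):
    """{RID group: verdict}; a shared F alone is the simple clone, F and V the full clone."""
    owners = defaultdict(set)  # (value name, data) -> RIDs holding that exact data
    for rid, vals in users.items():
        for name, data in vals.items():
            owners[(name, data)].add(rid)
    shared = defaultdict(set)  # RID group -> value names they have in common
    for (name, _), rids in owners.items():
        if len(rids) > 1:
            shared[tuple(sorted(rids))].add(name)
    return {r: "full clone" if n == {"F", "V"} else "simple clone (F only)" if n == {"F"} else "V only" for r, n in shared.items()}

if __name__ == "__main__":  # optional path to a real export; regedit writes UTF-16
    src = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    print(find_clones(parse_sam_export(src)))
```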
3. A reminder: after cloning, never change the cloned account's password again, apart from the password set during the cloning itself. As soon as you change it, the cloned account is exposed!
4. A few more words. I often see people who, after breaking into a server, create a new account in the Administrators group, as if the Administrator did not exist, or else create an account with a "$" in its name to pass it off as ADMIN$. What I want to say is that the Administrator is not a fool. Although an account whose name contains "$" does not appear in "net user", it is plainly listed under user management in Computer Management. If you want your zombie to last, be smarter about it.

I also want to say a few words to administrators. Everyone's security awareness has improved: you all know to patch promptly and to set strong passwords. What you neglect is the security of third-party software, for example SQL Server, IIS and Serv-U, which can do a great deal of harm. I think computer security has three aspects. The first is system security, which a few patches solve. The second is security settings: you may have a solid system, but with a blank password you will be the hackers' laughingstock. Here you only need to set a wildly complex password, with one reminder: by all means set a wildly complex password, but do not write all your passwords into a text file so that you won't forget them. I once got into a machine through a third-party software vulnerability; after getting in I poked around another drive, found a pass.txt, naturally opened it, and saw the passwords of the master server and the routers of their entire network!! I was dizzy from how complex those passwords were. Later I learned that this machine was the network administrator's own. Its protection was actually very strict, with no system vulnerabilities at all, and all its passwords were extremely complex; I could not have cracked them even if I tried until the end of the world. :) Without the third-party software vulnerability, I could not have gotten in.
So I want to talk about the security of third-party software. In fact, I think security settings and third-party software go together: many third-party software vulnerabilities come from insecure settings. For example, if the SQL Server sa account has a blank password and sa runs with high privileges, whoever connects gets SYSTEM privileges directly. Also, it is best to run the latest version of the software, Serv-U for instance. That is my own habit: everything at the latest version.
5. You may be bored by all this talk; someone probably wants to throw eggs at me by now. If you have any questions, contact me directly.