Author: a11yesno
Source: Evil Octal Information Security Team (www.eviloctal.com)
Vulnerability discovery date: May
Note: I haven't been paying much attention to network security lately, and as far as I remember nobody has mentioned this method, so please don't throw bricks at me, thx!
The principle is very simple: it is all about how the F and V values under the SAM user keys can escape detection.
Clone-account detection usually works by checking whether two user keys in the SAM have identical F and V values. This method abuses exactly that behaviour to bypass the detection.
Procedure
1. net user allyesno freexploit /add & net localgroup administrators allyesno /add
2. clone allyesno -> guest (make Guest a clone of allyesno)
3. delete allyesno's entry from the SAM registry by hand, not with net user /delete (see the supplement below for what has to stay) (haha, done)
This way the usual detection tools find nothing.
kaka also mentioned that once you log on with the account, its profile folder is created. In that case you can change the path of the profile that the user generates in the registry and use other tools to help hide the folder.
The test environment was XP SP2 and 2003 SP1. I don't know whether Microsoft has fixed it, and I don't know whether it works on Vista.
Add me on QQ to discuss: 138888318 (verification message: very good, very harmonious)
Thx: the people who helped test in the 0x577 IRC, such as kaka, luoluo, etc.
Ps: sighs. T_T .....
Supplement:
Deleting the account's registry information by hand is not the same as deleting the account with net user xxx /delete.
I created the user allyesno and made Guest a clone of allyesno.
Both allyesno and Guest are resolved through the same two places in the SAM hive: the Names subkey (HKLM\SAM\SAM\Domains\Account\Users\Names\<username>), which maps a user name to its RID, and the RID key (HKLM\SAM\SAM\Domains\Account\Users\<RID>), which holds the F and V values with the actual account data. After the clone, Guest points at allyesno's account data.
At logon, Windows first looks the user name up in the Names subkey to get the RID, then reads that RID key's F and V values to set the account up.
If you use a command such as net user allyesno /delete, both the Names entry and the RID key with its F and V values are removed.
The allyesno account data that Guest points at is then gone, and Guest can no longer log on.
If instead only allyesno's Names entry is removed and the RID key with its F and V values is left in place, Guest still logs on successfully, while allyesno no longer appears as an account.
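To make the procedure above and this supplement concrete, here is an added example that is not from the original post: a small Python model of the Users subtree of the SAM hive, the three steps of the procedure, the two ways of deleting the account, and two clone checks run over the result. The key layout (Names\<username> mapping to a RID, and a RID key holding F and V) is the real one; everything else is constructed for illustration: the account names and RIDs, the reduction of F to the pair (RID whose data is used at logon, account-control flags) following the post's description that Guest "points at" allyesno's data, the V payload strings, and the two check functions, which are not any real tool's code.

```python
from collections import defaultdict

# Constructed model of HKLM\SAM\SAM\Domains\Account\Users (not a real hive):
#   hive["Names"][username]      -> RID
#   hive["<RID as 8 hex digits>"] -> {"F": (effective_rid, acb_flags), "V": payload}
# The real F and V values are binary blobs; F is simplified here to the RID of
# the account whose data is used at logon plus the account-control flags.
ACB_NORMAL = 0x0010
ACB_DISABLED = 0x0001


def rid_key(rid):
    """RID subkeys are named with the RID as eight uppercase hex digits."""
    return f"{rid:08X}"


def add_user(hive, name, rid, flags=ACB_NORMAL):
    """net user <name> <pw> /add: creates Names\\<name> and the RID key."""
    hive["Names"][name] = rid
    hive[rid_key(rid)] = {"F": (rid, flags), "V": f"V-data-of-{name}"}


def new_hive():
    """Fresh XP-style SAM with the two built-in accounts (constructed data)."""
    hive = {"Names": {}}
    add_user(hive, "Administrator", 500)
    add_user(hive, "Guest", 501, flags=ACB_NORMAL | ACB_DISABLED)
    return hive


def clone_account(hive, src, dst):
    """The 'clone' step: overwrite dst's F value with src's F value."""
    src_key, dst_key = rid_key(hive["Names"][src]), rid_key(hive["Names"][dst])
    hive[dst_key]["F"] = hive[src_key]["F"]


def net_user_delete(hive, name):
    """net user <name> /delete: Names entry and RID key are both removed."""
    del hive[rid_key(hive["Names"].pop(name))]


def delete_names_entry_only(hive, name):
    """The post's trick: drop only Names\\<name>; the RID key keeps F and V."""
    del hive["Names"][name]


def logon(hive, name):
    """Logon as the post describes it: resolve the name to a RID, read that
    key's F, then use the data of the RID F refers to. Returns V or None."""
    rid = hive["Names"].get(name)
    if rid is None:
        return None
    effective_rid, _flags = hive[rid_key(rid)]["F"]
    entry = hive.get(rid_key(effective_rid))
    return entry["V"] if entry else None


def naive_clone_check(hive):
    """A tool that enumerates accounts by name: group names by their F value."""
    by_f = defaultdict(list)
    for name, rid in hive["Names"].items():
        by_f[hive[rid_key(rid)]["F"]].append(name)
    return sorted(tuple(sorted(g)) for g in by_f.values() if len(g) > 1)


def thorough_clone_check(hive):
    """Walk the RID keys directly: report duplicate F values and RID keys
    that no Names entry points to, which is what the trick leaves behind."""
    named = {rid_key(rid) for rid in hive["Names"].values()}
    by_f = defaultdict(list)
    orphans = []
    for key, entry in hive.items():
        if key == "Names":
            continue
        by_f[entry["F"]].append(key)
        if key not in named:
            orphans.append(key)
    dups = sorted(tuple(sorted(g)) for g in by_f.values() if len(g) > 1)
    return {"duplicates": dups, "orphans": sorted(orphans)}


def scenario_net_user_delete():
    """Clone, then remove the source with net user /delete: Guest breaks."""
    hive = new_hive()
    add_user(hive, "allyesno", 1005)
    clone_account(hive, "allyesno", "Guest")
    net_user_delete(hive, "allyesno")
    return logon(hive, "Guest")


def scenario_names_entry_only():
    """Clone, then remove only the Names entry: Guest works, naive check is blind."""
    hive = new_hive()
    add_user(hive, "allyesno", 1005)
    clone_account(hive, "allyesno", "Guest")
    before = naive_clone_check(hive)
    delete_names_entry_only(hive, "allyesno")
    return {
        "guest_logon": logon(hive, "Guest"),
        "naive_before": before,
        "naive_after": naive_clone_check(hive),
        "thorough_after": thorough_clone_check(hive),
    }


if __name__ == "__main__":
    print(scenario_net_user_delete())
    print(scenario_names_entry_only())
```

The naive check sees the duplicate only while allyesno still has a Names entry; once that entry is gone it reports nothing, which is the bypass the post relies on. Walking the RID keys directly and flagging any key without a Names entry catches the leftover data regardless of what the name list says.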