Invisible: the secrets of hidden system account techniques

Source: Internet
Author: User

When hackers break into a host, they try to protect the "fruits of their labor". They therefore leave various backdoors on the compromised machine (the "zombie") so that they can control it for a long time, and the most commonly used of these is the account hiding technique: a hidden account is created on the zombie and used whenever needed. Account hiding is the most concealed kind of backdoor, because users generally find it very hard to discover that a hidden account exists in the system, which is exactly what makes it harmful. This article reveals the common account hiding techniques that hackers use.

Before hiding a system account, we first need to know how to view the accounts that already exist. In Windows you can list existing accounts from the command prompt, from "Computer Management" in the Control Panel, and from the Registry. Administrators usually only check for anomalies in the command prompt and in Computer Management, so how to hide a system account from those two places is the focus of this article.

1. A trick in the command prompt

Creating a hidden account in the system is actually nothing advanced: the ordinary command prompt we use every day is enough to create a simple hidden account.

Click Start > Run, type CMD to open the command prompt, enter "net user piao$ 123456 /add" and press Enter; "The command completed successfully" is displayed. Then enter "net localgroup administrators piao$ /add" and press Enter. We have now used the command prompt to create a simple "hidden account" with the username "piao$" and the password "123456", and elevated it to administrator rights.

Figure 1. Create a simple hidden account

Let's check whether the hidden account was created successfully. In the command prompt, enter "net user" and press Enter to list the accounts that exist in the current system. In the returned results, the "piao$" account we just created does not appear. Next, open "Administrative Tools" in the Control Panel, open "Computer Management", expand "Local Users and Groups", and under "Users" the hidden account "piao$" we created is plainly exposed.

So this method only hides the account from the command prompt; against Computer Management it is powerless. It is therefore not very practical and only works on careless administrators: an entry-level account hiding technique.

2. Hiding accounts in the Registry

From the above we can see that hiding an account from the command prompt alone has obvious drawbacks and easily exposes itself. Is there a technique that hides the account from both the command prompt and Computer Management at the same time? Yes: it needs only a small change in the registry, after which the account vanishes completely from both.

  1. Back on top: give the Administrator permission to operate on the registry key.

The system account data that needs to be modified lives in the registry under "HKEY_LOCAL_MACHINE\SAM\SAM". When we get there, however, we find that the account keys cannot be expanded. This is because, by default, the system grants the administrators group only the "Write DAC" and "Read Control" permissions on this key and does not grant modify permission, so we can neither view nor modify the key values under "SAM". However, the other Registry Editor included with the system can be used to grant the Administrator modify permission.

Open regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM" and click "Security" > "Permissions". In the "SAM Permissions" window that opens, select the "Administrators" account, tick "Full Control" in the permissions section below, and click "OK". Switching back to the Registry Editor, we can see that the keys under "HKEY_LOCAL_MACHINE\SAM\SAM" can now be expanded.

Figure 2. Grant operation permissions to the Administrator

  Tip: The method above applies only to Windows NT/2000. In Windows XP you can set permissions directly in the Registry Editor: right-click the key whose permissions you want to set and select "Permissions".

  2. Swapping the beams: give the hidden account the Administrator's data.

After obtaining registry permission, we can start creating the hidden account proper. In the Registry Editor go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names". All accounts currently in the system are listed here, including our hidden account. Click "piao$": the "Type" field of the value shown on the right is 0x3e9. Now go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" and find "000003E9"; the two correspond to each other, and all information about the "piao$" account is stored under "000003E9". Similarly, we find that the item corresponding to the "Administrator" account is "000001F4".

Export the "piao$" key to piao$.reg, and export the F values of "000003E9" and "000001F4" to user.reg and admin.reg respectively. Open admin.reg in Notepad, copy the data that follows "F", paste it over the "F" data in user.reg, and save. Next, in the command prompt enter "net user piao$ /del" to delete the hidden account we created earlier. Finally, import piao$.reg and user.reg into the registry. The hidden account is now complete.

Figure 3. Copy the F value content
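A defender-side check for the clone described above, added here as an example and not part of the original article: it compares the accounts listed under the SAM "Names" key with what "net user" prints, and verifies that each user key's F value carries the same RID as the key name (the RID field sits at offset 0x30 of the F value, a documented SAM layout detail the article does not mention). The registry data and the "net user" output are constructed samples so the script runs offline; on a real host the same values would be read from HKLM\SAM with winreg after the permission change the article describes.

```python
import struct

# Each SAM user key HKLM\SAM\SAM\Domains\Account\Users\<8-hex-digit RID> holds a
# binary F value whose RID field is at offset 0x30 (4 bytes, little-endian), a
# documented layout detail the article does not state.  A pasted-in
# Administrator F value leaves that field at 0x1F4 under a different key.
RID_OFFSET = 0x30

def make_f(rid):
    # Constructed minimal F value: only the RID field is populated.
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    return bytes(f)

def rid_from_f(f):
    return struct.unpack_from("<I", f, RID_OFFSET)[0]

# Constructed sample data standing in for the registry and for `net user` output.
SAMPLE_NAMES = {"Administrator": 0x1F4, "piao$": 0x3E9, "alice": 0x3EA}
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4),  # Administrator, consistent
    "000003E9": make_f(0x1F4),  # piao$ with the Administrator's F value pasted in
    "000003EA": make_f(0x3EA),  # ordinary user, consistent
}
SAMPLE_NET_USER = """User accounts for \\\\WORKSTATION
-------------------------------------------------------------------------------
Administrator            alice                    Guest
The command completed successfully."""

def parse_net_user(text):
    """Collect the names printed between the dashed rule and the trailer line."""
    names, started = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            started = True
        elif line.startswith("The command"):
            break
        elif started:
            names.update(line.split())
    return names

def find_hidden_accounts(names, users, net_user_text):
    """Return (account, reason) pairs for accounts that look hidden or cloned."""
    findings, visible = [], parse_net_user(net_user_text)
    for name, rid in names.items():
        if name not in visible:
            findings.append((name, "in SAM Names but not listed by net user"))
        f = users.get("%08X" % rid)
        if f is not None and rid_from_f(f) != rid:
            findings.append((name, "F value RID %#x differs from key RID %#x" % (rid_from_f(f), rid)))
    return findings
```

Either finding alone is worth investigating; a "$"-suffixed name that fails both checks is the exact pattern this article produces.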

  3. Burning the bridge: cut off the ways of deleting the hidden account.

Although our hidden account is now hidden from both the command prompt and Computer Management, an experienced system administrator may still use the Registry Editor to delete it. So how do we make the hidden account rock solid?

Open regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM", open the permissions of "SAM" and remove all permissions from "Administrators". This way, even if an administrator finds the hidden account in the system, there is nothing they can do about it.

