Windows 2003 Hidden User (anonymous backdoor account) How to find, create and delete

Source: Internet
Author: User

One. A trick with the "command prompt"

Creating a hidden system account is not an advanced technique at all; the ordinary "Command Prompt" is enough to build a simple one.

Click "Start" → "Run", type "cmd" to open the "Command Prompt", then enter "net user piao$ 123456 /add" and press Enter; on success the system replies "Command completed successfully". Then enter "net localgroup Administrators piao$ /add" and press Enter. With these two commands we have used the "Command Prompt" to create a simple "hidden account" named "piao$" with the password "123456", and raised it to administrator privileges.

Figure 1. Create a simple hidden account

Let's check whether the hidden account was created successfully. In the Command Prompt, enter "net user" and press Enter to list the accounts on the current system. The results show that the "piao$" account we just created is not listed. Next, open "Administrative Tools" in the Control Panel, open "Computer Management" and look at "Local Users and Groups": under "Users", our hidden account "piao$" is plainly exposed.

So this method only hides the account from the Command Prompt and does nothing against Computer Management. It is not very practical, works only against careless administrators, and counts as an entry-level account-hiding technique.

Two. Hiding the account in the registry

As shown above, hiding an account with the Command Prompt has an obvious weakness and is easily exposed. Is there a technique that hides an account from both the Command Prompt and Computer Management? There is: a small amount of setup in the registry makes the account disappear completely from both.

1. A detour: giving the administrator permission to operate on the registry

The account data that must be modified lives in the registry under "HKEY_LOCAL_MACHINE\SAM\SAM", but on arriving there we find that the key cannot be expanded. By default the system grants administrators only the "Write DAC" and "Read Control" permissions on this key and no permission to modify it, so we cannot view or change the values under "SAM". We can, however, use the other registry editor that ships with the system to grant the administrator the permission to modify it.

Click "Start" → "Run", enter "Regedt32.exe" and press Enter. This opens a second "Registry Editor" which, unlike the one we normally use, can modify the permissions that system accounts have on the registry (for clarity it is referred to below as Regedt32.exe). In Regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM", click the "Security" menu → "Permissions", select the "Administrators" account in the "SAM Permissions" window that pops up, tick "Full Control" in the permission settings at the bottom, and click "OK". Switching back to the ordinary "Registry Editor", the keys under "HKEY_LOCAL_MACHINE\SAM\SAM" can now be expanded.

Figure 2. Assigning permissions to an administrator

Tip: the method above applies only to Windows NT/2000. On Windows XP, permissions can be set directly in the Registry Editor by selecting the key to be changed, right-clicking it and choosing "Permissions".

2. Substitution: giving the hidden account the administrator's data

With registry permission obtained, we can formally start creating the hidden account. In the Registry Editor, go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names"; every account on the current system, including our hidden account, is listed here. Click our hidden account "piao$": the "Type" shown on the right for its value reads 0x3e9. Going up to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\" we find a key named "000003E9"; the two correspond to each other, and all the information about the hidden account "piao$" is stored under "000003E9". In the same way we find that the "Administrator" account corresponds to the key "000001F4".

Export the "piao$" key to piao$.reg, and export the "F" values of the "000003E9" and "000001F4" keys to user.reg and admin.reg respectively. Open admin.reg in Notepad, copy the contents that follow the "F" value, paste them over the contents of "F" in user.reg, and save. Next, go to the Command Prompt and enter "net user piao$ /del" to delete the hidden account we created. Finally, import piao$.reg and user.reg into the registry; the hidden account is now complete.

Figure 3. Copying the F-value contents

3. Removing the ladder: cutting off the way to delete the hidden account

Our hidden account is now invisible to the Command Prompt and Computer Management, but an experienced system administrator may still be able to delete it through the Registry Editor. How can we make the hidden account rock solid?

Open Regedt32.exe, go to "HKEY_LOCAL_MACHINE\SAM\SAM", and in the permissions of the "SAM" key remove all rights from "Administrators". Now a real administrator gets an error when trying to operate on any key under "HKEY_LOCAL_MACHINE\SAM\SAM" and cannot grant the permission again through Regedt32.exe. An inexperienced administrator is then left with no way to find the hidden account in the system.

Three. A special tool makes hiding an account a one-step job

Although the method above hides an account very well, it is rather troublesome and unsuitable for novices, and editing the registry is risky and can easily crash the system. Instead, a dedicated account-hiding tool can do the work, so that hiding an account is no longer difficult and takes only a single command.

The tool is called "hideadmin"; download it and unzip it to the C drive. Then open the Command Prompt and enter "hideadmin piao$ 123456". If "Create a hiden Administrator piao$ successed!" is displayed, a hidden account named piao$ with the password 123456 has been created. The hiding effect of an account created with this tool is the same as that of the registry modification described earlier in this article.

Four. Driving the "hidden account" out of the system

Hidden accounts are extremely dangerous. We therefore need to understand the hiding techniques and then the corresponding prevention techniques, so that hidden accounts can be driven out of the system completely.

1. Hidden accounts that only add the "$" symbol

Detecting this kind of hidden account is straightforward. Hackers who create a hidden account this way usually promote it to administrator privileges, so entering "net localgroup Administrators" in the Command Prompt lists all such hidden accounts. If that is inconvenient, simply open "Computer Management": an account whose name merely ends in "$" is not hidden there.

2. Hidden accounts created by modifying the registry

Because an account hidden by this method is invisible in both the Command Prompt and Computer Management, it has to be removed from the registry. Go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names" and compare the accounts listed there with those shown in "Computer Management"; any extra account is a hidden account. Deleting it is just as easy: delete the key named after the hidden account.
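The comparison described in sections 1 and 2 of this part (accounts present under the SAM "Names" key but missing from the visible account list, plus names ending in "$") can be automated. The script below is an added example, not code from the original article: it assumes the administrator has exported the "Names" key to a .reg file with regedit (the "@=hex(3e9):" layout, where the RID is the data type of each subkey's default value, is an assumption about that export format) and captured the output of "net user". All sample inputs are constructed.

```python
"""Compare the SAM 'Names' key (from a .reg export) with the account list
reported by 'net user' and flag accounts that exist only in the registry.
Added example; sample inputs are constructed, not taken from a real system."""
import re
from typing import Dict, List, Set

# Constructed sample of a regedit export of
# HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names (assumed layout:
# each subkey's default value carries the account RID as its data *type*).
SAMPLE_NAMES_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names]

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator]
@=hex(1f4):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest]
@=hex(1f5):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\piao$]
@=hex(3e9):
"""

# Constructed sample of 'net user' output on the same host. The hidden
# account is absent: after the registry trick it is no longer listed.
SAMPLE_NET_USER = """
User accounts for \\\\SERVER2003

-------------------------------------------------------------------------------
Administrator            Guest
The command completed successfully.
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\(.+)\]$", re.I)
RID_RE = re.compile(r"^@=hex\(([0-9a-f]+)\):", re.I)


def parse_names_export(text: str) -> Dict[str, int]:
    """Return {account_name: rid} from a .reg export of the Names key."""
    accounts: Dict[str, int] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)          # subkey name == account name
            continue
        m = RID_RE.match(line)
        if m and current is not None:
            accounts[current] = int(m.group(1), 16)   # RID stored as hex type
            current = None
    return accounts


def parse_net_user(text: str) -> Set[str]:
    """Return the account names printed by 'net user'."""
    names: Set[str] = set()
    in_list = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True                # names follow the separator line
            continue
        if line.startswith("The command completed"):
            break
        if in_list:
            names.update(line.split())
    return names


def find_hidden_accounts(reg_export: str, net_user_output: str) -> List[dict]:
    """Flag SAM accounts that 'net user' does not show, or whose name ends in '$'."""
    sam = parse_names_export(reg_export)
    visible = parse_net_user(net_user_output)
    findings: List[dict] = []
    for name, rid in sorted(sam.items()):
        reasons = []
        if name not in visible:
            reasons.append("present in SAM but missing from 'net user'")
        if name.endswith("$"):
            reasons.append("name ends in '$'")
        if reasons:
            # The per-account key under ...\Users\ is the RID as 8 hex digits.
            findings.append({"name": name, "rid": rid,
                             "subkey": f"{rid:08X}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_hidden_accounts(SAMPLE_NAMES_REG, SAMPLE_NET_USER):
        print(f"{f['name']} (RID {f['rid']}, key {f['subkey']}): {'; '.join(f['reasons'])}")
```

The "subkey" field gives the 0000xxxx key that holds the account's F and V values, which is where the article says the hidden account's data lives; the Names entry and that key are both candidates for cleanup.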

3. When the hidden account's name cannot be seen

If the hacker, after creating a registry-based hidden account, also removes the administrator's permissions on the registry, the administrator can neither delete the hidden account through the registry nor even learn the name of the account the hacker created. Nothing is absolute, though: with the help of "Group Policy" we can make sure the hacker cannot use the hidden account to log in undetected. Click "Start" → "Run", enter "gpedit.msc" to run "Group Policy", expand "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Audit Policy", double-click "Audit policy change" on the right, tick "Success" in the settings window that pops up, and click OK. Make the same settings for "Audit logon events" and "Audit process tracking".

Figure 4. Turning on logon event auditing

Once logon auditing is enabled, every account logon, including one by a hidden account, is recorded, so in "Computer Management" → "Event Viewer" we can find the exact name of the hidden account and even the time the hacker logged in. Even if the hacker deletes all the logs, the system still records which account cleared the system log, and the hidden account is exposed that way.
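The review described above, reading the Security log for logons by accounts the administrator does not recognise and for log-clearing events, can be scripted. This is an added example, not part of the original article. It assumes the Windows Server 2003 Security log event IDs (528 and 540 for successful interactive and network logons, 517 for "the audit log was cleared"; Vista and later use 4624 and 1102 instead) and a simple CSV layout with only the columns the check needs; the records are constructed.

```python
"""Review Security-log records for logons by accounts that are not in the
administrator's known account list, and for audit-log clearing.
Added example; the log records below are constructed, not real."""
import csv
import io
from typing import List, Set

# Event IDs as used by the Windows Server 2003 Security log (assumption of
# this example; Windows Vista and later use 4624 for logon and 1102 for
# "audit log cleared" instead).
LOGON_EVENTS = {528: "interactive logon", 540: "network logon"}
LOG_CLEARED = 517

# Constructed sample: a few records in a simple CSV layout with only the
# columns this check needs (date, time, event id, user).
SAMPLE_SECURITY_LOG = """Date,Time,EventID,User
2016-11-01,22:03:11,528,SERVER2003\\Administrator
2016-11-01,23:41:05,540,SERVER2003\\piao$
2016-11-02,00:02:17,538,SERVER2003\\piao$
2016-11-02,00:05:40,517,SERVER2003\\piao$
"""


def _account(user_field: str) -> str:
    """Strip a HOST or DOMAIN prefix (before the backslash) from the User column."""
    return user_field.rsplit("\\", 1)[-1]


def review_security_log(csv_text: str, known_accounts: Set[str]) -> List[str]:
    """Return one alert line per suspicious record, in log order."""
    alerts: List[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["EventID"])
        account = _account(row["User"])
        when = f'{row["Date"]} {row["Time"]}'
        if event_id in LOGON_EVENTS and account not in known_accounts:
            # A logon by a name Computer Management never showed: a hidden account.
            alerts.append(f"{when}: {LOGON_EVENTS[event_id]} by unknown account "
                          f"'{account}' (event {event_id})")
        elif event_id == LOG_CLEARED:
            # The clearing event itself names the account that wiped the log.
            alerts.append(f"{when}: audit log cleared by '{account}' (event {event_id})")
    return alerts


def unknown_logon_accounts(csv_text: str, known_accounts: Set[str]) -> Set[str]:
    """The set of account names that logged on but are not in the known list."""
    names: Set[str] = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["EventID"]) in LOGON_EVENTS:
            name = _account(row["User"])
            if name not in known_accounts:
                names.add(name)
    return names


if __name__ == "__main__":
    known = {"Administrator", "Guest"}   # what Computer Management shows
    for line in review_security_log(SAMPLE_SECURITY_LOG, known):
        print(line)
    print("hidden accounts seen logging on:",
          unknown_logon_accounts(SAMPLE_SECURITY_LOG, known))
```

The known-account set is deliberately taken from what Computer Management displays, because that is exactly the view the hidden account is absent from; any logon under a name outside that set is worth investigating.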


This article is from the "lake and Laughter" blog, please make sure to keep this source http://hashlinux.blog.51cto.com/9647696/1870661

