Windows clone attack and Prevention page 1/2

Source: Internet
Author: User

With the spread of computers, the growing number of large and small "hacker" websites and ever simpler tools, attacks have become more and more frequent and more computers and servers are implanted with Trojans. At the same time, the security awareness of system administrators keeps improving, and with the development of anti-virus software the life cycle of a network Trojan is getting shorter and shorter. Therefore, once attackers obtain control of a server, they generally use a cloned user or install a SHIFT backdoor to hide themselves. This article introduces some common ways of cloning users, how to check whether cloned users exist, and how to remove them.

I. Principles and dangers of account cloning

1. How accounts are cloned

The relative identifier (RID) of an account's SID is stored in two places in the registry: one is the name of the subkey under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users, the other is inside the binary F value of that subkey. Microsoft made the mistake of not keeping the two synchronized: the latter is used at logon and the former is used for queries. When the Administrator's F value is used to overwrite the F value of another account, that account logs on as Administrator, but a query still shows its original state. This is called a cloned account.

Security tip: a SID (Security Identifier) is a unique number that identifies a user, group or computer account. When an account is created for the first time, a unique SID is issued to it, and Windows 2000 refers to the account internally by its SID rather than by the user or group name. If you create an account, delete it, and then create another account with the same user name, the new account does not receive the rights or permissions granted to the previous account, because the two accounts have different SIDs.

2. Hazards of account cloning

Once a system user is cloned and combined with Terminal Services, a hidden backdoor is opened for the attacker, who can then access your system at any time. This door is invisible to you: because it relies on Microsoft Terminal Services and drops no virus file, anti-virus software will neither scan it nor remove it.

II. Common methods for cloning users

1. Manual cloning, method 1

In Windows 2000/XP/2003 and Windows NT, the RID (the last component of the SID) of the default Administrator account is fixed at 500 (0x1F4), so we can use an existing account on the machine to clone the account with RID 500. Here we select the account IUSR_XODU5PTT910NHOO (XODU5PTT910NHOO is the name of the compromised server; we chose this account to improve concealment. Any user can be used with the following method, but this user is very common.)

The tool needed here is PsExec, a lightweight telnet replacement that lets you execute processes on other systems without manually installing client software, with full interactivity equivalent to that of a console application. One of the most powerful features of PsExec is starting an interactive command prompt on a remote system and running remote support tools (such as IpConfig) to display information about the remote system that cannot be displayed in other ways.
Run the command "psexec -i -s -d cmd" to start a CMD shell running as SYSTEM, as shown in Figure 1.

Figure 1

Having obtained a cmd shell with SYSTEM permissions, run "regedit /e admin.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4". This exports the information about the Administrator account whose RID is 500 (0x1F4), as shown in Figure 2.

Figure 2

Then edit the admin.reg file: change the key name HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 so that it ends in the RID of IUSR_XODU5PTT910NHOO, that is, change "1F4" in the reg file to "3EB", as shown in Figure 3.

Figure 3

Run "regedit /s admin.reg" to import the admin.reg file, and then run "net user IUSR_XODU5PTT910NHOO n3tl04d" to change the password of IUSR_XODU5PTT910NHOO to n3tl04d. We recommend a 14-character password; the stronger the IUSR_XODU5PTT910NHOO password, the better. Now you can log on remotely as IUSR_XODU5PTT910NHOO with the password n3tl04d and get the same environment as the administrator, as shown in Figure 4.

Figure 4

Note: on most machines the RID of the IUSR_MACHINE user is 0x3E9 (if IIS was installed at initial installation; if you created other accounts first and installed IIS later, it may be a different value). If you are not sure, run "regedit /e sid.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\IUSR_MACHINE" to export the key and edit sid.reg; the RID appears as "3EB", as shown in Figure 5.

Figure 5

2. Manual cloning, method 2

Another way to clone an account: run regedt32.exe, expand the registry to HKEY_LOCAL_MACHINE\SAM, and click "Edit" > "Permissions" in the menu bar (in Windows 2000 it is "Security" > "Permissions"). The "SAM Permissions" window is displayed. Click "Administrators" in this window and select "Allow Full Control" (in Windows 2000, also select "Allow inheritable permissions from the parent to propagate" in this window), then click "OK", as shown in Figure 6.

Figure 6

Find HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 and double-click "F" in the right-hand pane, as shown in Figure 7.

Figure 7

Select all of the content, right-click and choose "Copy", then open F under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EB and paste the copied content. In this way we have cloned the IUSR_XODU5PTT910NHOO account into an administrator. Finally, remove the permissions just added on the SAM key to avoid being discovered.

3. Cloning with mt

Mt.exe is a very powerful command-line network tool. It can start system services, check users and directly display user logon passwords. It is a double-edged sword that both intruders and system administrators use; because it is often used by intruders, many anti-virus products classify it as a virus.
A detailed test report on MT can be found at http://www.antian365.com/bbs/viewthread.php?tid=2786&extra=page%3D1&frombbs=1. The clone-user usage is as follows:
mt -clone
For example: mt -clone administrator IUSR_XODU5PTT910NHOO
as shown in Figure 8.

Figure 8

The administrator account Administrator is now cloned into the IUSR_XODU5PTT910NHOO account. Finally, run "net user IUSR_XODU5PTT910NHOO n3tl04d" to change the password of IUSR_XODU5PTT910NHOO to n3tl04d.

4. Cloning with AIO

AIO (All In One) is a tool written by WinEggDrop that integrates many small tools: cloning users, modifying service startup types, deleting system accounts, checking hidden system services, port scanning and port forwarding, among others.

Cloning an account with AIO is easy: Aio.exe -Clone <account to be cloned> <normal account> <password>
For example: Aio.exe -Clone Administrator IUSR_XODU5PTT910NHOO n3tl04d
In this way you can log on as the administrator using IUSR_XODU5PTT910NHOO / n3tl04d, as shown in Figure 9.

Figure 9

5. Cloning with CA

Ca.exe is a remote account-cloning tool written by Xiao Rong; of course, it also works locally.
Usage: ca \\<IP address> <administrator user name> <administrator password> <user to clone into> <password>
For example: ca \\127.0.0.1 administrator 123456 IUSR_XODU5PTT910NHOO 123456
as shown in Figure 10.

Figure 10

6. Creating a hidden account

The tool needed is adhider, a tool specially designed to hide users. It has one disadvantage: after the server is restarted the user is no longer hidden and shows up in user management.
Usage: adhider <user name> <password>
For example: adhider n3tl04d$ 123456
as shown in Figure 11.

Figure 11

You can then log on with n3tl04d$ / 123456 and obtain administrator permissions.

7. Cloning with Clone

Clone is a cloning tool written by "28-degree ice". It only supports Windows 2003 and Windows XP, not Windows 2000. It has the same disadvantage: after the server is restarted, the user is no longer hidden and shows up in user management.
Usage: Clone.exe <user name> <password>
For example: clone n3tl04d 520mm
as shown in Figure 12.

Figure 12

You can then log on with n3tl04d / 520mm and obtain administrator permissions.

Note: on Windows 2003, if you use Clone and then run the MT check, you will be told that you do not have SYSTEM permissions; in this case you need to restart the computer or run the MT check from a cmd with SYSTEM permissions.
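The principle in section I.1 (the RID in the key name and the RID inside the F value are not kept in sync) and the hidden-account tools in sections 6 and 7 (names ending in "$", which a plain "net user" listing omits) both give a defender something concrete to check. The following script is an added example, not code from the article or from any of the tools it describes. It works offline on a .reg file produced by "regedit /e users.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" from a SYSTEM shell (the live SAM hive is readable only by SYSTEM), reads the RID out of each account's F value, and flags every key whose F claims a different RID than its name, every name ending in "$", and every disabled account. The F-value offsets (RID as a DWORD at 0x30, account-control flags as a WORD at 0x38) are an assumption taken from the layout used by common SAM-parsing forensic tools; the sample export, the RIDs and the account names inside it are constructed for the example.

```python
"""Offline check of a regedit export of the SAM Users key for cloned and hidden accounts."""
import re

# Assumed layout of the binary "F" value (offsets used by SAM-parsing forensic tools).
RID_OFFSET = 0x30      # little-endian DWORD: the RID a logon with this account receives
ACB_OFFSET = 0x38      # little-endian WORD: account control bits
ACB_DISABLED = 0x0001  # bit set when the account is disabled
F_MIN_LEN = ACB_OFFSET + 2

KEY_LINE = re.compile(r"^\[(.+)\]$")
USER_KEY = re.compile(r"\\Users\\([0-9A-Fa-f]{8})$")
NAME_KEY = re.compile(r"\\Users\\Names\\([^\\]+)$")
NAME_VALUE = re.compile(r"^@=hex\(([0-9A-Fa-f]+)\):")


def parse_users_export(text):
    """Return (f_by_key_rid, rid_by_name) from a .reg export of the Users key."""
    # regedit wraps long hex values with a trailing ",\" and an indented
    # continuation line; fold those back into one logical line first.
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)
    f_by_key_rid, rid_by_name, key = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        if not key:
            continue
        um = USER_KEY.search(key)
        if um and line.startswith('"F"=hex:'):
            pairs = line[len('"F"=hex:'):].split(",")
            f_by_key_rid[int(um.group(1), 16)] = bytes(int(h, 16) for h in pairs if h)
            continue
        nm = NAME_KEY.search(key)
        vm = NAME_VALUE.match(line) if nm else None
        if vm:
            # Under Names, the RID is stored as the *type* of the default value.
            rid_by_name[nm.group(1)] = int(vm.group(1), 16)
    return f_by_key_rid, rid_by_name


def rid_in_f(f):
    """RID recorded inside the F value: what the logon session will actually carry."""
    if len(f) < F_MIN_LEN:
        raise ValueError("F value too short: %d bytes" % len(f))
    return int.from_bytes(f[RID_OFFSET:RID_OFFSET + 4], "little")


def account_disabled(f):
    return bool(int.from_bytes(f[ACB_OFFSET:ACB_OFFSET + 2], "little") & ACB_DISABLED)


def find_cloned_accounts(f_by_key_rid, rid_by_name):
    """(name, key RID, RID inside F) for every key whose F disagrees with its name."""
    name_of = {rid: name for name, rid in rid_by_name.items()}
    return [(name_of.get(k), k, rid_in_f(f))
            for k, f in sorted(f_by_key_rid.items()) if rid_in_f(f) != k]


def find_hidden_names(rid_by_name):
    """Account names that a plain `net user` listing omits (trailing '$')."""
    return sorted(n for n in rid_by_name if n.endswith("$"))


def check_export(text):
    f_by_key_rid, rid_by_name = parse_users_export(text)
    return {
        "cloned": find_cloned_accounts(f_by_key_rid, rid_by_name),
        "hidden_names": find_hidden_names(rid_by_name),
        "disabled": sorted(n for n, r in rid_by_name.items()
                           if r in f_by_key_rid and account_disabled(f_by_key_rid[r])),
    }


# --- constructed sample export (not a real machine's SAM) ----------------------
def _f_value(rid, acb=0x0210):
    """0x50-byte F value carrying only the fields this check reads."""
    f = bytearray(0x50)
    f[RID_OFFSET:RID_OFFSET + 4] = rid.to_bytes(4, "little")
    f[ACB_OFFSET:ACB_OFFSET + 2] = acb.to_bytes(2, "little")
    return bytes(f)


def _reg_hex(b):
    """Comma-separated hex pairs, wrapped with ',\\' the way regedit writes them."""
    pairs = ["%02x" % x for x in b]
    return ",\\\r\n  ".join(",".join(pairs[i:i + 25]) for i in range(0, len(pairs), 25))


_BASE = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users"
SAMPLE_EXPORT = "Windows Registry Editor Version 5.00\r\n\r\n" + "".join(
    "[%s\\%08X]\r\n\"F\"=hex:%s\r\n\r\n" % (_BASE, key_rid, _reg_hex(_f_value(f_rid, acb)))
    for key_rid, f_rid, acb in [
        (0x1F4, 0x1F4, 0x0210),  # Administrator, consistent
        (0x1F5, 0x1F5, 0x0211),  # Guest, disabled
        (0x3EB, 0x1F4, 0x0210),  # IUSR_... whose F was overwritten with the Administrator's
        (0x3EC, 0x3EC, 0x0210),  # n3tl04d$, hidden-style name
    ]) + "".join(
    "[%s\\Names\\%s]\r\n@=hex(%x):\r\n\r\n" % (_BASE, name, rid)
    for name, rid in [("Administrator", 0x1F4), ("Guest", 0x1F5),
                      ("IUSR_XODU5PTT910NHOO", 0x3EB), ("n3tl04d$", 0x3EC)])

if __name__ == "__main__":
    for kind, items in check_export(SAMPLE_EXPORT).items():
        print(kind, items)
```

On the constructed sample the check reports the key 000003EB (IUSR_XODU5PTT910NHOO) as carrying the Administrator's RID 0x1F4 inside its F value, which is exactly the mismatch that method 1 and method 2 above create; a clean machine should report no cloned accounts at all. Feed it a real export with `check_export(open("users.reg", encoding="utf-16").read())`, since regedit on Windows 2000 and later writes .reg files as UTF-16.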
