After testing, it seems the Administrator account is really insecure - vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62200610339
Type myhack58
Reporter Anonymous
Modified 2006-07-11T00:00:00


If you have an ordinary user account, there is a very simple method to get an NT Administrator account:

First, in c:\winnt\system32, rename logon.scr to logon.old as a backup.

Then rename usrmgr.exe to logon.scr.

Then restart.

logon.scr is the program loaded at startup, so after the reboot the old login password prompt no longer appears; User Manager appears instead.

From there you have permission to add yourself to the Administrators group.

Don't forget to change the file names back!
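A defender's check for the substitution described above, added here and not part of the original article: compare the hashes of the screen saver and User Manager binaries against a recorded baseline, and flag a logon.scr that is byte-identical to usrmgr.exe or is accompanied by a logon.old backup. The directory and baseline hashes are assumptions supplied by the caller; the demo builds a constructed stand-in directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the trick above touches, relative to the system directory
WATCHED = ("logon.scr", "usrmgr.exe")
BACKUP_NAME = "logon.old"

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_system32(system32: Path, baseline: dict) -> list:
    """Return findings pointing at a logon.scr/usrmgr.exe swap.
    baseline maps file name -> SHA-256 recorded from a known-good install
    (an assumption: the caller must supply real values)."""
    findings, hashes = [], {}
    for name in WATCHED:
        p = system32 / name
        if not p.is_file():
            findings.append(f"{name}: missing")
            continue
        hashes[name] = sha256_of(p)
        if name in baseline and hashes[name] != baseline[name]:
            findings.append(f"{name}: hash differs from baseline")
    # Identical content means the screen-saver slot now holds User Manager
    if len(hashes) == 2 and hashes["logon.scr"] == hashes["usrmgr.exe"]:
        findings.append("logon.scr is byte-identical to usrmgr.exe")
    if (system32 / BACKUP_NAME).exists():
        findings.append(f"{BACKUP_NAME} present: original screen saver was renamed")
    return findings

def demo() -> list:
    """Constructed stand-in for the system32 directory: clean baseline, then the swap."""
    d = Path(tempfile.mkdtemp())
    (d / "usrmgr.exe").write_bytes(b"MZ constructed user manager")
    (d / "logon.scr").write_bytes(b"MZ constructed screen saver")
    baseline = {n: sha256_of(d / n) for n in WATCHED}
    assert audit_system32(d, baseline) == []   # clean install: no findings
    (d / "logon.scr").rename(d / "logon.old")  # step 1 of the trick
    (d / "logon.scr").write_bytes((d / "usrmgr.exe").read_bytes())  # step 2
    return audit_system32(d, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```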


The following technique applies to NT web sites whose administrators pay no attention to network security.

Some of the http techniques may also serve as reference for more advanced readers.

Getting into an NT network can take the following steps:

Because ftp on an NT IIS server generally lets the anonymous account in, and some anonymous accounts even have upload permission, we attack such a site. If the anonymous account were not allowed, plaintext passwords would be transmitted over the network, and a tool such as tcpspy could intercept them. We will not discuss those more advanced techniques here.

Because anonymous ftp login is allowed, it also gives us an opening into the NT server. We log into an NT server with ftp (for example, using a made-up name):


Connected to

ntsvr2: this exposes the server's NetBIOS name, so under IIS there must be a user account IUSR_ntsvr2 belonging to the Domain Users group. We will use this account later to obtain Administrator privileges.

User (

Password: enter guest@ or guest

Administrators who lack network security knowledge often have not disabled the guest account, or have not set a password on it. The guest account is then a valid user account, although it belongs only to the Domain Guests group.

In that case we can get into the NT server's ftp.

Once in, look at the directory listing and try cd /c, wwwroot and other key directories; if you are lucky and the directory change succeeds, you have about an 80% chance.

Now find the cgi-bin directory (or the scripts directory); once in,

copy cmd.exe from the winnt directory to cgi-bin, and upload getadmin.exe and gasys.dll to cgi-bin.

Then enter: http://www.xxx.com/cgi-bin/getadmin.exe?IUSR_SATURN

About ten seconds later the screen displays:

CGI Error

At this point there is about a 90% chance that IUSR_ntsvr2 has been promoted to Administrator, that is, anyone who accesses the web site is an administrator.

Here you can add a user: c:\winnt\system32\net.exe user china news /add

This creates a user china with the password news; then:


Then log in with the china account and you have the greatest privileges. You can also use the cmd.exe method above to make changes directly; if there is no cmd.exe, you can upload one to the scripts/tools or cgi-bin directory.


Scanning with NT's NetBIOS:

This gives you the names of the shared resources in the domain.

net view \\www.xxx.com

This gives you the machine's share names; if there is a c share:

net use f: \\www.xxx.com\c

You can then use f: as a mapping of its c drive.

net use \\www.xxx.com\ipc$ "" /user:""

Four: tools ported from Unix:

Windows 95/98 users can use the tcp/ip tool to capture the packets of a tcp/ip connection:

WinDump95.exe; before using it, also download the library Packet95.exe

Windows NT user version:

WinDump.exe PacketNT.exe