Hidden system accounts revealed - vulnerability warning - Heiba Security Net (myhack58)

2006-05-18 00:00:00
Anonymous
www.myhack58.com

After compromising a host, an intruder looks for ways to protect the "fruits of their labour", and so leaves all kinds of backdoors on the compromised machine (a "broiler", in Chinese hacker slang) in order to keep control of it for a long time. The most widely used of these is the account-hiding technique: a hidden account is created on the machine so that it can be used when needed. Account hiding is arguably the most covert kind of backdoor; an ordinary user finds it hard to discover that a hidden account exists on the system, so the danger is considerable. This article reveals the account-hiding techniques that hackers commonly use.

Before hiding a system account, we first need to know how the accounts already on the system can be viewed. Accounts can be inspected from the Command Prompt, from "Computer Management" in Control Panel, and from the registry. Administrators generally only check the Command Prompt and Computer Management for anything abnormal, so how to hide an account from both of these is the focus of this article.

I. The trick in the Command Prompt

Creating a hidden system account is in fact not an advanced technique; a simple hidden account can be created with the Command Prompt we use all the time.

Click "Start" → "Run", enter "cmd" to open the Command Prompt, type "net user piao$ 123456 /add" and press Enter; on success it reports "The command completed successfully". Then type "net localgroup administrators piao$ /add" and press Enter. We have now used the Command Prompt to create a simple "hidden account" with the user name "piao$" and the password "123456", and promoted the hidden account to administrator privileges.

Figure 1. Creating a simple hidden account

Let us check whether the hidden account was created successfully. In the Command Prompt, enter "net user", the command that lists system accounts, and press Enter; it displays the accounts currently on the system. From the output we can see that the "piao$" account we just created is not listed. Now go to "Administrative Tools" in Control Panel, open "Computer Management", and look at "Users" under "Local Users and Groups": our hidden account "piao$" is exposed there.

The conclusion is that this method only hides the account from the Command Prompt; it is powerless against Computer Management. It is therefore not very practical, fools only careless administrators, and is an entry-level account-hiding technique.

II. Registry tricks: hiding the user by substitution

As we saw above, the drawback of the Command Prompt method is obvious: it exposes itself easily. Is there a technique that hides the account from both the Command Prompt and Computer Management? The answer is yes, and it takes only a small setting in the registry to make the account vanish from both.

1. A roundabout path: granting the administrator permission to operate on the registry key

The system account keys in the registry live under "HKEY_LOCAL_MACHINE\SAM\SAM", which is what needs to be modified; but on arriving there we find that the key cannot be expanded. This is because by default the system grants the Administrators group only the "Write DAC" and "Read Control" permissions on it, not modify permission, so we have no way to view or modify the keys under "SAM". We can, however, use the system's other "Registry Editor" to give the administrator modify permission.

Click "Start" → "Run", enter "regedt32.exe" and press Enter; another "Registry Editor" pops up. The difference from the "Registry Editor" we usually use is that it can modify the permissions that govern operations on registry keys; for brevity it is referred to below as regedt32.exe. In regedt32.exe go to "HKEY_LOCAL_MACHINE\SAM\SAM", click the "Security" menu → "Permissions", and in the "Permissions for SAM" window that pops up select the "Administrators" account, tick "Full Control" in the permission settings at the bottom, and click "OK". Switching back to "Registry Editor", we find that the keys under "HKEY_LOCAL_MACHINE\SAM\SAM" can now be expanded.

Figure 2. Granting the administrator permission to operate on the key

**Tip:** the method above applies only to Windows NT/2000. On Windows XP, permissions can be set directly in the Registry Editor: select the key whose permissions need setting, right-click it and choose "Permissions".

2. Bait and switch: replacing the administrator with the hidden account

With registry operation rights obtained, we can officially start making the hidden account. In the Registry Editor go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names"; all accounts currently on the system are listed here, including of course our hidden account. Click our hidden account "piao$"; among the values shown on the right, the "Type" of the default value is 0x3e9. Going up to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\", we find a key named "000003E9"; the two correspond to each other, and all information about the hidden account "piao$" is stored under "000003E9". Similarly, the "Administrator" account corresponds to the key "000001F4".

Export the "piao$" key to piao$.reg, and export the "000003E9" and "000001F4" keys, which hold the F values, to user.reg and admin.reg respectively. Open admin.reg in "Notepad", copy the content of its "F" value, replace the content of the "F" value in user.reg with it, and save. Next open the Command Prompt and enter "net user piao$ /del" to delete the hidden account we created. Finally, import piao$.reg and user.reg into the registry. With that, the hidden account is complete.

Figure 3. Copying the F value content

3. Burning bridges: cutting off the way to remove the hidden account

Although our hidden account is now hidden from both the Command Prompt and Computer Management, an experienced system administrator may still delete it through the Registry Editor. So how do we make our hidden account rock solid?

Open "regedt32.exe", go to "HKEY_LOCAL_MACHINE\SAM\SAM", and in the permissions of "SAM" remove all the permissions held by "Administrators". When the real administrator tries to operate on the keys under "HKEY_LOCAL_MACHINE\SAM\SAM", an error occurs, and the permissions cannot be granted again through "regedt32.exe". So an inexperienced administrator, even on discovering that there is a hidden account on the system, is helpless.

III. Special tools: hide an account in one step

Although an account can be hidden with the method above, the operation is fairly troublesome and unsuitable for novices, and registry operations are risky and can easily crash the system. We can therefore use a dedicated account-hiding tool to do the hiding, so that hiding an account is no longer difficult and takes only one command.

The tool we need is called "HideAdmin"; after downloading it, extract it to the C drive. Then open the Command Prompt and enter "HideAdmin piao$ 123456". If it displays "Create a hiden Administrator piao$ Successed!", we have successfully created a hidden account named piao$ with the password 123456. A hidden account created with this tool has the same effect as one made by modifying the registry as above.

IV. Showing the "hidden account" out of the system

The harm done by hidden accounts is enormous. Having understood the account-hiding techniques, we therefore need to understand the corresponding prevention techniques one by one, so as to show hidden accounts out of the system completely.

1. Hidden accounts created by appending the "$" symbol

Detecting this type of hidden account is fairly simple. Hackers who use this method generally promote the hidden account to administrator privileges once it is created, so we only need to type "net localgroup administrators" in the Command Prompt to make all such hidden accounts visible. If you would rather not bother, open "Computer Management" directly: an account with "$" appended cannot hide there.

2. Hidden accounts created by modifying the registry

Because a hidden account made with this method cannot be seen in the Command Prompt or Computer Management, you can go into the registry to remove it. Go to "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names" and compare the accounts present here with those shown in "Computer Management"; any account present here but not there is a hidden account. Removing it is also very simple: directly delete the key bearing the hidden account's name.
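A defender-side check for the registry substitution described in section II, added here as an example and not code from the original article: it parses each key under HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users and flags one whose F value carries a RID (a little-endian DWORD at offset 0x30 of F) different from the key's own name, which is the trace a copied Administrator F value leaves behind, and it lists names present under ...\Users\Names that "net user" does not show. The user keys and account lists are constructed sample data; on a real machine they would come from the exported .reg files or from reading the SAM key with SYSTEM-level access.

```python
import struct

# A SAM user key's "F" value is a fixed 0x50-byte record: the account RID is a
# little-endian DWORD at offset 0x30 and the ACB flags a WORD at offset 0x38.
F_RID_OFFSET, F_ACB_OFFSET, ACB_DISABLED = 0x30, 0x38, 0x0001

def parse_f(f_value: bytes) -> dict:
    """Extract the RID and account-control flags from a user key's F value."""
    if len(f_value) < 0x50:
        raise ValueError("F value too short to be a SAM user record")
    (rid,) = struct.unpack_from("<I", f_value, F_RID_OFFSET)
    (acb,) = struct.unpack_from("<H", f_value, F_ACB_OFFSET)
    return {"rid": rid, "acb_flags": acb, "disabled": bool(acb & ACB_DISABLED)}

def find_cloned_users(user_keys: dict) -> list:
    """user_keys maps a Users subkey name ('000003E9') to its F value. A key
    whose F carries another RID has had its F replaced with another account's."""
    cloned = []
    for key_name, f_value in user_keys.items():
        key_rid = int(key_name, 16)
        f_rid = parse_f(f_value)["rid"]
        if f_rid != key_rid:
            cloned.append((key_name, key_rid, f_rid))
    return cloned

def find_unlisted_names(sam_names, visible_names) -> list:
    """Names under ...\\Users\\Names that 'net user' or Computer Management
    do not show are the hidden accounts."""
    return sorted(set(sam_names) - set(visible_names))

def make_f(rid: int, acb: int = 0x0210) -> bytes:
    """Build a constructed 0x50-byte F value (sample data, not a real hive)."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, F_RID_OFFSET, rid)
    struct.pack_into("<H", f, F_ACB_OFFSET, acb)
    return bytes(f)

# Constructed sample: Administrator's F (RID 0x1F4) has been copied into
# piao$'s key 000003E9, which is what the technique in section II does.
SAMPLE_USERS = {
    "000001F4": make_f(0x1F4),          # Administrator
    "000001F5": make_f(0x1F5, 0x0211),  # Guest, disabled
    "000003E9": make_f(0x1F4),          # piao$, F value taken from Administrator
}
SAMPLE_SAM_NAMES = ["Administrator", "Guest", "piao$"]
SAMPLE_NET_USER = ["Administrator", "Guest"]

if __name__ == "__main__":
    print("cloned keys:", find_cloned_users(SAMPLE_USERS))
    print("unlisted:", find_unlisted_names(SAMPLE_SAM_NAMES, SAMPLE_NET_USER))
```

A mismatch such as key 000003E9 carrying RID 500 is the signature of the bait-and-switch account and should be treated as a compromised machine, not just a stray user.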

3. Hidden accounts whose name cannot be seen

If a hacker has made a registry-modified hidden account and, on top of that, has removed the administrator's permission to operate on the registry key, the administrator cannot remove the hidden account through the registry and cannot even learn the name of the hidden account the hacker created. But nothing is absolute: we can enlist the help of "Group Policy" so that the hacker can no longer log in with the hidden account. Click "Start" → "Run", enter "gpedit.msc" to run "Group Policy", expand "Computer Configuration" → Windows Settings → Security Settings → Local Policies → Audit Policy, double-click "Audit policy change" on the right, tick "Success" in the settings window that pops up, and click "OK". Make the same settings for "Audit logon events" and "Audit process tracking".

Figure 4. Enabling logon event auditing

Once auditing is enabled, every account's logon operations are recorded, including those of hidden accounts, so through "Event Viewer" in "Computer Management" we can find out exactly what the hidden account's name is, and even when the hacker logged in. Even if the hacker deletes all the logon logs, the system still records which account cleared the system log, so the hacker's hidden account is exposed beyond doubt.

Figure 5. Finding the hidden account through Event Viewer

Having found the hidden account's name is all well and good, but we still cannot delete the hidden account, because we do not have the permissions. We can, however, type "net user <hidden account name> 654321" in the Command Prompt to change the hidden account's password. The hidden account then becomes useless, and the hacker can no longer use it to log in.