Windows 2000: the Administrator account really is insecure - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200714524
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-03-13T00:00:00


If you have an ordinary user account, there is a very simple way to obtain an NT Administrator account:

One: In c:\winnt\system32, first rename logon.scr to logon.old as a backup, then rename usrmgr.exe to logon.scr.

Then restart.

logon.scr is the screen saver of the logon desktop. Once the logon screen has sat idle for the screen-saver timeout, winlogon launches logon.scr under the LocalSystem account, so instead of the screen saver you now get User Manager, without ever typing a password.

Because that User Manager is running as SYSTEM, you can add yourself to the Administrators group from it.

Don't forget to rename the files back!

Note that the swap requires write access to c:\winnt\system32. The loose default permissions of NT 4 allowed this for ordinary users; Windows 2000's default NTFS permissions on system32 do not, so on a default Windows 2000 install the trick only works where the system volume is FAT or the permissions have been loosened.
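As an added check that is not part of the original article, the PowerShell below looks for the traces this swap leaves on a host: a logon.scr whose version resource belongs to another program, a leftover logon.old beside it, and system32 permissions loose enough to permit the swap. It assumes a modern PowerShell is available on the system being examined and that a genuine logon.scr names itself in its own version resource; both are assumptions of this example, not statements from the article.

```powershell
# Added example, not from the original article: check whether logon.scr on an
# NT/2000-era host has been swapped for another executable, as described above.
# Assumption: a genuine logon.scr names itself in its PE version resource,
# while usrmgr.exe renamed to logon.scr still reports OriginalFilename USRMGR.EXE.
function Test-LogonScr {
    param([string]$SystemRoot = $env:SystemRoot)   # e.g. C:\WINNT

    $system32 = Join-Path $SystemRoot 'system32'
    $target   = Join-Path $system32 'logon.scr'
    $findings = @()

    if (-not (Test-Path $target)) {
        return "logon.scr not present at $target"
    }

    # Version resource: a renamed usrmgr.exe still carries its own identity.
    $vi = (Get-Item $target).VersionInfo
    if ($vi.OriginalFilename -and $vi.OriginalFilename -notmatch '^logon\.scr$') {
        $findings += "logon.scr version resource says OriginalFilename=$($vi.OriginalFilename)"
    }
    if ($vi.FileDescription -match 'User Manager') {
        $findings += "logon.scr describes itself as '$($vi.FileDescription)'"
    }

    # The swap described in the article leaves the real file behind as logon.old.
    Get-ChildItem $system32 -Filter 'logon.*' |
        Where-Object { $_.Extension -ne '.scr' } |
        ForEach-Object { $findings += "unexpected sibling of logon.scr: $($_.FullName)" }

    # The trick needs write access to system32; flag ACEs granting it to broad groups.
    (Get-Acl $system32).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl' -and
            $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
        } |
        ForEach-Object { $findings += "$($_.IdentityReference) has $($_.FileSystemRights) on $system32" }

    # Record the hash so a later run can detect a change even without a version resource.
    $hash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
    $findings += "SHA256 logon.scr = $hash"
    return $findings
}

Test-LogonScr | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell on the host; any line other than the SHA256 record is a finding worth following up, and the recorded hash can be compared against a clean install of the same service pack.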

Two: The following technique applies to sites that have paid no attention to NT network security; some of the HTTP tricks may also serve as a reference for more experienced readers.

Getting into an NT network can follow these steps:

Because the FTP service on an NT IIS server generally allows anonymous logins, and the anonymous account often has upload permission, that is where we attack the site. (If anonymous logins were not allowed, users would send their real passwords in plaintext over the network, and a sniffer such as tcpspy could capture them; we will not go into those more advanced techniques here.) Allowing anonymous FTP logins also gives us an opening into the NT server. Log in to the NT server with ftp, for example (the name here is only an example):


Connected to

The banner reveals the server's NetBIOS name, ntsvr2. IIS by default runs anonymous web requests under an account named IUSR_<machine name>, so there must be an IUSR_ntsvr2 account, a member of the Domain Users group; we will use this account later to obtain Administrator privileges. User (

Password: enter guest@ or guest

Many administrators with little network-security knowledge neither disable the Guest account nor set a password on it. Guest is then a valid account with a known password, even though it only belongs to the Domain Guests group.

In that case we can get into the NT server's FTP service.

Once in, look at the directory listing and try cd into /c, wwwroot and other key directories; if you are lucky and the directory change succeeds, you have about an 80% chance of success.

Now find the cgi-bin directory (or the scripts directory). Once in,

copy cmd.exe from the winnt directory to cgi-bin, and upload getadmin.exe and gasys.dll to cgi-bin as well.

Then enter: http://www.xxx.com/cgi-bin/getadmin.exe?IUSR_SATURN (SATURN is the machine name in this example; use the target's own IUSR_ account name)

After ten seconds or so the screen shows:

CGI Error

(getadmin.exe is a console program, not a CGI program, and returns no HTTP headers, so IIS reports an error even though the program ran.) At this point there is a 90% chance that IUSR_ntsvr2 has been added to the Administrators group; in other words, anyone who accesses the web site is now an administrator.

Now you can add a user: c:\winnt\system32\net.exe user china news /add

This creates a user named china with the password news, then:


Then log in with the china account and you may have the highest privileges. You can also make the change directly with the cmd.exe method above; if there is no cmd.exe, upload one to the scripts/tools or cgi-bin directory.

Three: Scanning with NT's NetBIOS




This gives you the names of the domain's shared resources.

net view \\www.xxx.com

This gives you the machine's shared resource names; if there is a share for the C drive,

net use f: \\www.xxx.com\c

maps its C drive to f:.

net use \\www.xxx.com\ipc$ "" /user:""

This opens a null session (no username, no password) to the IPC$ share, which is what lets an anonymous client enumerate shares and users on a server whose RestrictAnonymous setting has not been tightened.
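The exposures used in sections Two and Three can be checked from an assessor's Windows machine with the added PowerShell below, which is not part of the original article: it reads the FTP banner that leaks the NetBIOS name, tries the anonymous login, and attempts the same null IPC$ session as the net use command above. The host name ntsvr2.example.test is a placeholder; run it only against systems you are authorised to test.

```powershell
# Added example, not part of the original article: probe a host for the two
# exposures the article chains together (anonymous FTP exposing the NetBIOS
# name, and a null IPC$ session), from an assessor's Windows machine.
# $Target is a placeholder; use only against hosts you are authorised to test.
param([string]$Target = 'ntsvr2.example.test')

function Read-FtpReply {
    param([System.IO.StreamReader]$Reader)
    # FTP replies may span several lines ("220-..."); the final line is "NNN text".
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -ne $line) { $lines += $line }
    } while ($null -ne $line -and $line -notmatch '^\d{3} ')
    return ($lines -join "`n")
}

function Test-AnonymousFtp {
    param([string]$Server, [int]$Port = 21)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # The 220 banner is where "ntsvr2 Microsoft FTP Service" gives away the
        # machine name, and with it the default IUSR_<name> account name.
        $banner = Read-FtpReply $reader
        $writer.WriteLine('USER anonymous'); $null  = Read-FtpReply $reader   # expect 331
        $writer.WriteLine('PASS guest@');    $login = Read-FtpReply $reader   # 230 = logged in
        $writer.WriteLine('QUIT')
        [pscustomobject]@{
            Banner         = $banner
            AnonymousLogin = ($login -like '230*')
        }
    } finally {
        $client.Close()
    }
}

function Test-NullSession {
    param([string]$Server)
    # Same command the article uses; exit code 0 means the server accepted an
    # IPC$ session with no username and no password, so "net view \\$Server"
    # will list its shares without credentials. The session is removed afterwards.
    $netArgs = "use \\$Server\ipc$ `"`" /user:`"`""
    $p = Start-Process -FilePath 'net.exe' -ArgumentList $netArgs -Wait -PassThru -WindowStyle Hidden
    if ($p.ExitCode -eq 0) {
        Start-Process -FilePath 'net.exe' -ArgumentList "use \\$Server\ipc$ /delete /y" -Wait -WindowStyle Hidden
        return $true
    }
    return $false
}

$ftp = Test-AnonymousFtp -Server $Target
Write-Output "FTP banner:`n$($ftp.Banner)"
Write-Output "Anonymous FTP login accepted: $($ftp.AnonymousLogin)"
Write-Output "Null IPC`$ session accepted:   $(Test-NullSession -Server $Target)"
```

Both checks are the defender's mirror of the article's steps: a banner that names the machine plus an accepted anonymous login means the IUSR_ account name and an upload path are exposed, and an accepted null session means share and user enumeration with net view works without any credentials.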

Four: Tools ported from Unix: Windows 95/98 users can use this tcp/ip tool to capture the packets of a tcp/ip connection:

WinDump95.exe (download the packet-capture library Packet95.exe before using it)

Windows NT version:

WinDump.exe and PacketNT.exe