3. What if the broiler does not have the 3389 terminal service open and I don't want to use the command line?
In this case you can also use the graphical interface to create a hidden super user on the broiler remotely. Because Registry Editor can connect to a network registry, you can use it to set permissions on the remote host's registry keys and then edit the remote registry. Account Manager also has a function to connect to another computer, and you can use Account Manager to create and delete accounts on remote hosts. The specific steps are similar to those introduced above, so I won't say much, but its speed is really unbearable.
There are two prerequisites here:
1. First use net use \\<broiler ip>\ipc$ "password" /user:"super username" to establish a connection with the remote host; after that you can use Account Manager to connect to the remote host.
2. The remote host must have the Remote Registry service enabled (if it is not enabled, you can also enable it remotely, because you have the super user's password).
4. Creating hidden super users from disabled accounts
1. First I want to check which users a careful administrator has disabled. Generally speaking, some administrators disable guest for security reasons, and of course they may disable other users as well. In the graphical interface this is very easy: in Account Manager a disabled account shows a red cross. Under the command line I have not thought of a good way, so I can only run "net user <username>" for each user one by one to check whether it is disabled.
2. Here we assume that the user hacker has been disabled by the administrator. First I use Xiaorong's super-group user cloning program to clone the disabled user hacker into a super user (after cloning, the disabled user hacker is automatically activated): <broiler ip> Administrator <super user password> hacker <hacker password>.
3. If you now have a cmdshell, such as a shell obtained through the telnet service or by using SQLEXEC to connect to the broiler's MSSQL default port 1433, you just need to enter the command:
net user hacker /active:no
In this way the user hacker is disabled again (at least on the surface). Of course, you can also replace the user hacker with another disabled user.
4. If you now look at the user in Account Manager in the graphical interface, you will see that the user hacker is disabled, but is that actually the case? Use this disabled user to connect to the broiler and see whether the connection succeeds. Use the command: net use \\<broiler ip>\ipc$ "hacker password" /user:"hacker". I can tell you that after many trials it succeeds every time, and with super user permissions.
5. What if there is no cmdshell? You can disable the user hacker with the at command I introduced above. Command format: at \\<broiler ip> <time> net user hacker /active:no
6. Principle: I can't explain the deep details, only the simplest version. First try to disable the super user administrator in Account Manager in the graphical interface: a dialog box will definitely pop up and stop you from disabling the super user administrator. Similarly, when cloning, hacker's "F" key in the registry is replaced with the super user administrator's "F" key, so hacker gets the permissions of the super user. However, since hacker still has its original "C" key in the registry, hacker still shows as disabled, but its super user permissions are not disabled. Therefore the disabled user hacker can still connect to broilers and still has the permissions of the super user. I can't understand the specifics, so please understand it like this.
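A defender's check for this kind of cloning, added here and not part of the original article: parse the "F" value of each SAM user key and flag accounts whose embedded RID disagrees with the key name, or whose F data is byte-identical to another account's. The offsets used (RID at 0x30, account-control flags at 0x38) are assumed from public SAM layout documentation, and the blobs below are constructed, not read from a real hive.

```python
import struct
from collections import defaultdict

ACB_DISABLED = 0x0001  # account-control bit meaning "account disabled"

def make_f(rid, flags):
    """Build a constructed 0x50-byte SAM 'F' blob with the RID at offset 0x30
    and the account-control flags at offset 0x38 (assumed layout)."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, 0x30, rid)
    struct.pack_into("<H", buf, 0x38, flags)
    return bytes(buf)

def parse_f(blob):
    """Return (rid, flags) read from an F blob at the assumed offsets."""
    rid, = struct.unpack_from("<I", blob, 0x30)
    flags, = struct.unpack_from("<H", blob, 0x38)
    return rid, flags

def is_disabled(flags):
    return bool(flags & ACB_DISABLED)

def find_cloned_accounts(users):
    """users maps the SAM key name (hex RID, e.g. '000001F4') to its F blob.
    A cloned account carries another account's F, so its embedded RID no
    longer matches its own key name; a fresh clone is byte-identical to the
    account it was copied from. Returns a list of (key_name, reason)."""
    findings = []
    by_blob = defaultdict(list)
    for key_name, blob in users.items():
        rid_in_f, _flags = parse_f(blob)
        key_rid = int(key_name, 16)
        if rid_in_f != key_rid:
            findings.append((key_name, f"F says RID {rid_in_f}, key name says RID {key_rid}"))
        by_blob[blob].append(key_name)
    for names in by_blob.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(x for x in names if x != n)
                findings.append((n, "F data identical to " + others))
    return findings

# Constructed sample: Administrator (RID 500), a normal user (RID 1001), and a
# user (RID 1002) whose F was copied from Administrator by a cloning tool.
SAMPLE = {
    "000001F4": make_f(500, 0x0210),
    "000003E9": make_f(1001, 0x0210),
    "000003EA": make_f(500, 0x0210),   # cloned account
}
```

On a live system the same logic applies to the F values under HKLM\SAM\SAM\Domains\Account\Users, which only SYSTEM can read; the check is best run against an offline hive copy or from a scheduled task running as SYSTEM.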
5. Some things to pay attention to
1. After the hidden super user is established, the user cannot be seen in Account Manager or under the command line, but the user exists.
2. After the hidden super user is established, you can no longer change its password, because once the password is changed the hidden super user will show up in Account Manager and cannot be deleted.
3. If you are testing on your own machine, it is best to first use the backup tool that comes with the system to back up the machine's "system state". This is mainly a backup of the registry, because during my experiments I ran into a situation where Account Manager showed no users and no groups, even though they existed. Fortunately I had a backup, haha. The SAM key is, after all, the most sensitive part of the system.