How to create and delete hidden accounts in Windows

When an attacker breaks into a host, he will try to protect the "fruits of his labor", so he leaves various backdoors on the compromised machine (the "broiler", in the jargon) in order to control it for a long time. The most widely used of these is account hiding: a hidden account is created on the machine and used whenever it is needed. Account hiding is arguably the most covert kind of backdoor. Ordinary users find it very hard to notice that a hidden account exists on their system, which is what makes it so harmful. This article explains the account-hiding techniques attackers commonly use, and how to get rid of such accounts.

Before hiding a system account it is necessary to know where existing accounts can be seen. On Windows they can be viewed at the Command Prompt, in Control Panel, in Computer Management, and in the registry. Administrators usually check only the Command Prompt and Computer Management (there are exceptions), so hiding an account from both is the focus of this article.

1. A trick at the Command Prompt

Making a hidden account does not require advanced technology; a simple one can be created with the everyday net commands. Click Start → Run, type cmd and press Enter to open the Command Prompt, then enter:

    net user kao$ 123456 /add

When "The command completed successfully." is shown, enter:

    net localgroup administrators kao$ /add

This creates a user named kao$ with the password 123456 and adds it to the Administrators group, so the "hidden" account now has administrator privileges.

Now check whether the hiding worked. At the Command Prompt enter net user, which lists the accounts that exist on the system. The account just created does not appear in the output: net user silently omits any account whose name ends in $.
Next open Administrative Tools in Control Panel, start Computer Management and look at Local Users and Groups. Under Users the hidden account kao$ is listed in plain view. The conclusion is that this method only hides the account from the Command Prompt and does nothing against Computer Management. It is therefore of little practical value, only works against careless administrators, and counts as an entry-level account-hiding technique.

2. Hiding the account in the registry

The weakness of the Command Prompt method is obvious: the account is easily exposed. Is there a technique that hides an account from both the Command Prompt and Computer Management at the same time? There is, and it only requires a small change in the registry to make the account vanish from both.

2.1 Giving the administrator permission to operate on the SAM keys

The information on system accounts lives under HKEY_LOCAL_MACHINE\SAM\SAM in the registry, but when you navigate there you find that the key cannot be expanded. By default the system grants administrators only "Write DAC" and "Read Control" permission on it, with no right to read or modify, so the subkeys under SAM can neither be viewed nor changed. The administrator can, however, grant himself that permission through the system's second registry editor. Click Start → Run, type regedt32.exe and press Enter. Another Registry Editor opens which, unlike the usual regedit.exe, can change the permissions that accounts have on registry keys (it is referred to below simply as regedt32.exe).
In regedt32.exe, navigate to HKEY_LOCAL_MACHINE\SAM\SAM, open the Security menu and choose Permissions. In the permission dialog for SAM, select the Administrators group, tick Full Control in the permission list below, and click OK. Switch back to the ordinary Registry Editor: the keys under HKEY_LOCAL_MACHINE\SAM\SAM can now be expanded.

Hint: the method above applies to Windows NT/2000. On Windows XP, permissions can be set directly in regedit.exe by selecting the key, right-clicking it and choosing Permissions.

2.2 Swapping the pillars: disguising the hidden account as the administrator

With permission to operate on the registry obtained, the real work of making the hidden account can begin. Open HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names in the Registry Editor. Every account on the system has a subkey here, including the hidden account. Click the hidden account kao$; on the right, the type of its default value is shown as 0x3e9. Now go one level up to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users, where the key 000003E9 is found: the two correspond to each other, and all the information about the hidden account kao$ is stored in the key 000003E9. In the same way, the key corresponding to the Administrator account is 000001F4.

Export the key kao$ (under Names) to kao$.reg, and export the keys 000003E9 and 000001F4 to user.reg and admin.reg respectively; their F values are what matter. Open admin.reg in Notepad, copy the data following "F"=, paste it over the data of "F"= in user.reg, and save. Next, at the Command Prompt, enter:

    net user kao$ /del

to delete the hidden account that was created earlier. Finally, import kao$.reg and then user.reg into the registry. The hidden account is complete: it is now shown neither by net user nor in Computer Management.
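The registry-side view of the account made in 2.1 and 2.2 can be checked with a script, which is also the comparison of the Names subkeys against the normal account list that the defensive part of this article recommends. The following PowerShell is an added example written for this edit, not code from the original article or from any tool it mentions. It assumes PowerShell 5.1 or later for Get-LocalUser; a session running as SYSTEM (for instance started with psexec -s -i powershell.exe, since SYSTEM keeps access to the SAM keys whatever is later done to the Administrators permissions) or an elevated session after granting Administrators read access as in 2.1; and that an account's RID is stored as a little-endian DWORD at offset 0x30 of its F value. That last point is an assumption about the F layout that common SAM parsers also rely on, not something the article states. The names $UsersKey, Get-SamNameRid and Get-SamAccountReport are the example's own.

```powershell
# Added example, not from the original article: inspect the SAM hive for
# accounts that "net user" and Computer Management do not show, and for
# accounts whose F value was cloned from Administrator (RID 0x1F4).
# Assumptions: PowerShell 5.1+ (Get-LocalUser); run as SYSTEM, e.g.
#   psexec -s -i powershell.exe
# or elevated after granting Administrators read access to HKLM\SAM\SAM;
# the account RID sits as a little-endian DWORD at offset 0x30 of the F value
# (assumed layout, the one SAM parsers commonly rely on).

$UsersKey = 'HKLM:\SAM\SAM\Domains\Account\Users'

# Each Names\<account> subkey stores the account's RID as the *type* of its
# (Default) value (0x3E9 for kao$ in the article). .NET reports non-standard
# value types only as "Unknown", so the type is read with RegQueryValueExW.
Add-Type -Namespace SamInspect -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string lpValueName,
    IntPtr lpReserved, out int lpType, byte[] lpData, ref int lpcbData);
'@

function Get-SamNameRid {
    param([Parameter(Mandatory)][string]$Account)
    $key  = Get-Item -LiteralPath "$UsersKey\Names\$Account"
    $type = 0
    $size = 0
    # lpData = NULL: only the type and the required size are returned.
    $rc = [SamInspect.Native]::RegQueryValueExW($key.Handle.DangerousGetHandle(), '',
        [IntPtr]::Zero, [ref]$type, $null, [ref]$size)
    $key.Close()
    if ($rc -ne 0) { throw "RegQueryValueExW failed for '$Account' (Win32 error $rc)" }
    return $type
}

function Get-SamAccountReport {
    # 1. Every account name the SAM knows about, including names ending in "$".
    $samNames = Get-ChildItem -LiteralPath "$UsersKey\Names" |
        Select-Object -ExpandProperty PSChildName
    # 2. What the normal management view shows.
    $visible = (Get-LocalUser).Name

    foreach ($name in $samNames) {
        $rid    = Get-SamNameRid -Account $name
        $ridKey = '{0}\{1:X8}' -f $UsersKey, $rid      # e.g. ...\Users\000003E9
        $f      = (Get-ItemProperty -LiteralPath $ridKey -Name F).F
        $ridInF = -1
        if ($f.Length -ge 0x34) { $ridInF = [BitConverter]::ToInt32($f, 0x30) }
        [pscustomobject]@{
            Account      = $name
            Rid          = $rid
            DollarSuffix = $name.EndsWith('$')        # omitted by "net user"
            InLocalUsers = ($visible -contains $name) # False: management view misses it
            RidInF       = $ridInF
            Cloned       = ($rid -ne $ridInF)         # F copied from another account
        }
    }
}

# Usage:
#   Get-SamAccountReport | Format-Table -AutoSize
```

An account made with net user kao$ 123456 /add shows DollarSuffix True but is still enumerated by Get-LocalUser, just as Computer Management lists it. The registry clone from 2.2 is the case where Rid is 1001 (0x3E9) while RidInF is 500 (0x1F4), so Cloned is True; that mismatch between a key name and the RID carried inside its F value is what to look for, whatever the account is called.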
2.3 Burning the bridge: cutting off the way to delete the hidden account

Although the account is now hidden from both the Command Prompt and Computer Management, an experienced system administrator may still delete it through the Registry Editor. How can it be made rock-solid? Open regedt32.exe, go to HKEY_LOCAL_MACHINE\SAM\SAM, open the permissions of the SAM key, and remove every permission held by the Administrators group. When the real administrator then tries to operate on anything under HKEY_LOCAL_MACHINE\SAM\SAM, he gets an error, and he can no longer grant himself the permission again through regedt32.exe. An inexperienced administrator is then helpless even if he discovers that a hidden account exists.

3. Special tools: hiding an account in one step

The method above hides an account reliably, but the procedure is tedious and unsuitable for novices, and editing the registry by hand is risky: a mistake can easily leave the system unable to start. Dedicated account-hiding tools reduce the whole job to a single command. The tool used here is called HideAdmin; download it and extract it to the C: drive. Open the Command Prompt and type:

    HideAdmin kao$ 123456

If the tool answers "Create a hiden Administrator kao$ Successed!", a hidden account with the user name kao$ and the password 123456 has been created. The hiding effect is the same as that of the registry modification described above.

4. Driving hidden accounts out of the system

Hidden accounts are a serious hazard. Having understood how they are made, it is necessary to understand the corresponding protective techniques and remove hidden accounts from the system completely.

4.1 Accounts hidden with the $ suffix
Detecting this kind of hidden account is simple. After creating such an account the attacker will normally promote it to administrator, so entering net localgroup administrators at the Command Prompt lists every member of the Administrators group, hidden accounts included: unlike net user, net localgroup does not omit names ending in $. If that is too much trouble, open Computer Management directly; accounts with a $ suffix cannot hide there either.

4.2 Accounts hidden by modifying the registry

Because an account hidden this way is shown neither at the Command Prompt nor in Computer Management, it has to be deleted in the registry. Go to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names and compare the accounts listed there with the accounts shown in Computer Management; the one that exists only in the registry is the hidden account. Deleting it is just as easy: delete the key named after the hidden account.

4.3 Hidden accounts whose name cannot be seen

If the attacker has created a registry-type hidden account and, on top of that, has stripped the administrator of the permission to operate on the SAM keys, the administrator cannot delete the hidden account through the registry and cannot even learn its name. But nothing is absolute: Group Policy auditing can be used to catch the attacker logging in with the hidden account. Click Start → Run, type gpedit.msc and press Enter to open Group Policy. Expand Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy. On the right, double-click "Audit policy change", tick Success in the settings window that appears, and click OK. Make the same setting for "Audit logon events" and "Audit process tracking".
Once logon-event auditing is enabled, every logon by any account, hidden accounts included, is recorded, so the name of the hidden account, and even the times at which the attacker logged on, can be read accurately in the Event Viewer under Computer Management. Even if the attacker deletes all the logon records, the system also logs which account cleared the log, and that again exposes the hidden account.

Once the name of the hidden account is known, the rest is easy. The account still cannot be deleted, because the administrator lacks the permission, but its password can be changed by entering at the Command Prompt:

    net user <hidden account name> 654321

where 654321 stands for whatever new password you choose. The hidden account is thereby rendered useless: the attacker can no longer log in with it.
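The auditing and clean-up steps of 4.3 can be scripted. The following PowerShell is an added example written for this edit, not code from the original article. It assumes Windows Vista/Server 2008 or later, where auditpol.exe does what the gpedit.msc clicks above do and the Security log records a successful logon as event ID 4624 and the clearing of the audit log as event ID 1102; PowerShell 5.1 or later for Get-LocalUser; and an elevated session on the machine being examined. Enabling the Account Management audit category and using a random password instead of a fixed one are additions beyond what the article does; the function names are the example's own.

```powershell
# Added example, not from the original article: command-line equivalents of
# the audit settings above, a review of the Security log for logons by local
# accounts that the account list does not show, and the article's remedy of
# resetting the hidden account's password.
# Assumptions: Windows Vista/Server 2008+ (auditpol.exe; Security event IDs
# 4624 = successful logon, 1102 = audit log cleared), PowerShell 5.1+ for
# Get-LocalUser, an elevated session on the machine being examined.

function Enable-HiddenAccountAuditing {
    # Same effect as ticking "Success" for Audit logon events, Audit policy
    # change and Audit process tracking in gpedit.msc. Account Management is
    # added here (not in the article) so that account creation and group
    # membership changes are logged as well.
    foreach ($cat in 'Logon/Logoff', 'Policy Change', 'Detailed Tracking', 'Account Management') {
        auditpol /set /category:"$cat" /success:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$cat'" }
    }
}

function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Pull one named field out of the event XML: <Data Name="...">value</Data>
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SuspiciousLocalLogons {
    param([int]$Days = 7)
    $known  = (Get-LocalUser).Name
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $user   = Get-EventDataValue $_ 'TargetUserName'
        $domain = Get-EventDataValue $_ 'TargetDomainName'
        # Only local accounts: their TargetDomainName is the computer name. This
        # drops NT AUTHORITY\SYSTEM, Window Manager\DWM-*, domain users, etc.
        if ($domain -ne $env:COMPUTERNAME) { return }
        # Flag names ending in "$" (hidden from "net user") and names the
        # account list does not show at all (registry-cloned accounts).
        if ($user.EndsWith('$') -or ($known -notcontains $user)) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $user
                LogonType = Get-EventDataValue $_ 'LogonType'
            }
        }
    }
}

function Get-SecurityLogClears {
    # Event 1102 is written when the Security log is cleared and names the
    # account that did it, which is how a hidden name gets exposed anyway.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $c = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ClearedBy = '{0}\{1}' -f $c.SubjectDomainName, $c.SubjectUserName
            }
        }
}

function Reset-HiddenAccountPassword {
    param([Parameter(Mandatory)][string]$Account)
    # The article's remedy: the account cannot be deleted while the SAM
    # permissions are locked, but "net user" can still change its password,
    # which locks the attacker out. A random 14-character password replaces
    # the fixed one (14 keeps "net user" from prompting about long passwords).
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!%_'
    $password = -join (1..14 | ForEach-Object { $alphabet[(Get-Random -Maximum $alphabet.Length)] })
    net user "$Account" "$password" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user could not change the password of '$Account'" }
    return $password
}

# Usage, in an elevated PowerShell:
#   Enable-HiddenAccountAuditing
#   Get-SuspiciousLocalLogons -Days 30 | Format-Table -AutoSize
#   Get-SecurityLogClears
#   Reset-HiddenAccountPassword -Account 'kao$'
```

Get-SuspiciousLocalLogons keys on TargetDomainName being the computer name so that built-in virtual accounts and domain users do not drown the output; a hit is either a name ending in $ or a name that Get-LocalUser cannot see, which is exactly the gap the registry clone exploits. Record the password that Reset-HiddenAccountPassword returns before the session closes, since the account remains in the SAM until its keys can be removed.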

Copyright © Windows knowledge All Rights Reserved