Home Kali Linux Suborner : The Invisible Account Forger

Kali Linux

Suborner : The Invisible Account Forger

February 26, 2023

Suborner is a simple program to create a Windows account you will only know about 🙂

Create invisible local accounts without net user or Windows OS user management applications (e.g. netapi32::netuseradd)
Works on all Windows NT Machines (Windows XP to 11, Windows Server 2003 to 2022)
Impersonate through RID Hijacking any existing account (enabled or disabled) after a successful authentication

Create an invisible machine account with administrative privileges, and without invoking that annoying Windows Event Logger to report its creation!

Where can I see more?

Released at Black Hat USA 2022: Suborner: A Windows Bribery for Invisible Persistence

Blogpost: R4WSEC – Suborner: A Windows Bribery for Invisible Persistence
Demo: YouTube – Suborner: Creation of Invisible Account on Windows 11
Slides – HITB Singapore Main Track – Suborner Slides

How can I use this?

Build

Make sure you have .NET 4.0 and Visual Studio 2019
Clone this repo: git clone https://github.com/r4wd3r/Suborner/
Open the .sln with Visual Studio
Build x86, x64 or both versions
Bribe Windows!

Release

Download the latest release and pwn!

Usage

 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

      88
  .d88888b.                  S U B O R N E R
 d88P 88"88b
 Y88b.88        The Invisible Account Forger
 "Y88888b.                        by @r4wd3r
      88"88b                          v1.0.1
 Y88b 88.88P
  "Y88888P"               https://r4wsec.com
      88
 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Description:

    A stealthy tool to create invisible accounts on Windows systems.

Parameters:

    USERNAME: Username for the new suborner account. Default = <HOSTNAME>$
    Syntax: /username:[string]

    PASSWORD: Password for the new suborner account. Default = Password.1
    Syntax: /password:[string]

    RID: RID for the new suborner account. Default = Next RID available
    Syntax: /rid:[decimal int]

    RIDHIJACK: RID of the account to impersonate. Default = 500 (Administrator)
    Syntax: /ridhijack:[decimal int]

    TEMPLATE: RID of the account to use as template for the new account creation. Default = 500 (Administrator)
    Syntax: /template:[decimal int]

    MACHINEACCOUNT: Forge as machine account for extra stealthiness. Default = yes
    Syntax: /machineaccount:[yes/no]

    DEBUG: Enable debug mode for verbose logging. Default = disabled
    Syntax: /debug

Credits:

This attack would not have been possible without the great research done by:

Benjamin Delpy (@gentilkiwi) and his outstanding Mimikatz
The SecureAuth researchers behind Impacket
Ben Ten @Ben0xA
Infosec community!

Click Here To Download

Suborner : The Invisible Account Forger

Where can I see more?

How can I use this?

Build

Release

Usage

Credits:

LEAVE A REPLY Cancel reply

APPLICATIONS

Htcap-Web Application Scanner Able To Crawl Single Page Application

Aced : Tool to parse and resolve a single targeted Active Directory principal’s DACL

slopShell : The Only Php Webshell You Need

Msldap : LDAP Library For Auditing MS AD

HOT NEWS

Kage – Graphical User Interface for Metasploit Meterpreter & Session Handler

EVEN MORE NEWS

Bomber : Navigating Security Vulnerabilities In SBOMs

EmbedPayloadInPng : A Guide To Embedding And Extracting Encrypted Payloads In...

Exploit Street – Navigating The New Terrain Of Windows LPEs

POPULAR CATEGORY

Cracking the Code: How to Optimize Your Videos for SEO Success

TIWAP : Totally Insecure Web Application Project

Tachyon : Fast Http Dead File Finder