Skip to content

Commit

Permalink
Adding content from Issue #9. Reorg'ing content to put it with simila…
Browse files Browse the repository at this point in the history
…r stuff and in the right places.
  • Loading branch information
WebBreacher committed Jan 23, 2014
1 parent 2870f3b commit 62a18ac
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 27 deletions.
26 changes: 13 additions & 13 deletions persistence/windows/general.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,21 +13,21 @@ return false;

Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.

### Remote Assistance Enable
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f`
* **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.</code></div>

### Enable `psexec`
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.

<pre>
c:\> net use \\[TargetIP]\ipc$ username /user:password
c:\> sc \\[TargetIP] config netdde start= auto
c:\> sc \\[TargetIP] config netddedsdm start= auto
c:\> sc \\[TargetIP] config clipsrv start= auto
c:\> sc \\[TargetIP] start netdde
c:\> sc \\[TargetIP] start netddedsdm
c:\> sc \\[TargetIP] start clipsrv
</pre>
### Remote Desktop Enable - Method 1
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f`
* **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.</code></div>

### Enable Remote Desktop
### Remote Desktop Enable - Method 2
Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.

1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system.
Expand Down
26 changes: 13 additions & 13 deletions pivoting/windows/remote.md
Original file line number Diff line number Diff line change
Expand Up @@ -71,19 +71,19 @@ Commands that move data and files between systems on a network and are usually e
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>qwinsta<br> SESSIONNAME USERNAME ID STATE TYPE DEVICE<br> services 0 Disc<br>>console johndoe 1 Active<br> rdp-tcp 65536 Listen</code></div>

### Remote Assistance Enable
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f`
* **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.</code></div>

### Remote Desktop Enable
* **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f`
* **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.</code></div>
### psexec
* **Command with arguments**: `psexec \\[computername|IP] [cmd]`
* **Description**: The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
<pre>
c:\> net use \\[computername|IP]\ipc$ username /user:password
c:\> sc \\[computername|IP] config netdde start= auto
c:\> sc \\[computername|IP] config netddedsdm start= auto
c:\> sc \\[computername|IP] config clipsrv start= auto
c:\> sc \\[computername|IP] start netdde
c:\> sc \\[computername|IP] start netddedsdm
c:\> sc \\[computername|IP] start clipsrv
</pre>
* **Example Command**: `psexec \\1.1.1.1 ipconfig /all` would retrieve the IP settings for the 1.1.1.1 system.

### tasklist
* **Command with arguments**: `tasklist /v /s [computername|IP]`
Expand Down
8 changes: 7 additions & 1 deletion presence/windows/find_files.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,13 @@ Commands that find files on the filesystem and are usually executed from the con
* **Command with arguments**: `dir /a`
* **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /a c:\<br> Volume in drive C has no label. Volume Serial Number is 1A09-5F16<br><br> Directory of c:\<br><br>01/19/2008 03:45 AM <DIR> $Recycle.Bin<br>09/18/2006 04:43 PM 24 autoexec.bat<br>10/08/2013 10:27 PM <DIR> Boot<br>04/11/2009 08:00 AM 333,257 bootmgr<br>10/08/2013 10:27 PM 8,192 BOOTSECT.BAK<br>09/18/2006 04:43 PM 10 config.sys<br>01/19/2008 06:47 AM <JUNCTION> Documents and Settings [C:\Users]<br>10/23/2013 07:39 PM 2,460,454,912 pagefile.sys<br>01/19/2008 04:40 AM <DIR> PerfLogs<br>10/08/2013 06:36 PM <DIR> Program Files<br>10/08/2013 06:36 PM <DIR> <br>10/10/2013 07:59 PM <DIR> Users<br>10/23/2013 07:38 PM <DIR> Windows<br> 5 File(s) 2,460,796,395 bytes<br> 10 Dir(s) 33,311,416,320 bytes free</code></div>
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /a c:\<br> Volume in drive C has no label. Volume Serial Number is 1A09-5F16<br><br> Directory of c:\<br><br>01/19/2008 03:45 AM <DIR> $Recycle.Bin<br>09/18/2006 04:43 PM 24 autoexec.bat<br>10/08/2013 10:27 PM <DIR> Boot<br>04/11/2009 08:00 AM 333,257 bootmgr<br>10/08/2013 10:27 PM 8,192 BOOTSECT.BAK<br>09/18/2006 04:43 PM 10 config.sys<br>01/19/2008 06:47 AM <JUNCTION> Documents and Settings [C:\Users]<br>10/23/2013 07:39 PM 2,460,454,912 pagefile.sys<br>01/19/2008 04:40 AM <DIR> PerfLogs<br>10/08/2013 06:36 PM <DIR> Program Files<br>10/08/2013 06:36 PM <DIR> <br>10/10/2013 07:59 PM <DIR> Users<br>10/23/2013 07:38 PM <DIR> Windows<br> 5 File(s) 2,460,796,395 bytes<br> 10 Dir(s) 33,311,416,320 bytes free</code></div>

### Searching Sub-directories
* **Command with arguments**: `dir /s *[term]*`
* **Description**: Searches for the word entered in the [term] section in all sub-directories ofthe current directory.
* **Example Terms**: `pass`, `cred`, `vnc`, `.config`, `sysprep.*`
* **Attribution**: http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607

### Recursive
* **Command with arguments**: `dir /b /s [directory or filename]`
Expand Down

0 comments on commit 62a18ac

Please sign in to comment.