From 62a18ac3e0c9504fee3d6b3f8039ca32532a27fa Mon Sep 17 00:00:00 2001 From: webbreacher Date: Wed, 22 Jan 2014 21:40:49 -0500 Subject: [PATCH] Adding content from Issue #9. Reorg'ing content to put it with similar stuff and in the right places. --- persistence/windows/general.md | 26 +++++++++++++------------- pivoting/windows/remote.md | 26 +++++++++++++------------- presence/windows/find_files.md | 8 +++++++- 3 files changed, 33 insertions(+), 27 deletions(-) diff --git a/persistence/windows/general.md b/persistence/windows/general.md index 241ab27..651fbfd 100644 --- a/persistence/windows/general.md +++ b/persistence/windows/general.md @@ -13,21 +13,21 @@ return false; Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. +### Remote Assistance Enable + * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` + * **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. + * **Output**: + *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f +The operation completed successfully.
-### Enable `psexec` -The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. - -
-c:\> net use \\[TargetIP]\ipc$ username /user:password
-c:\> sc \\[TargetIP] config netdde start= auto
-c:\> sc \\[TargetIP] config netddedsdm start= auto
-c:\> sc \\[TargetIP] config clipsrv start= auto
-c:\> sc \\[TargetIP] start netdde
-c:\> sc \\[TargetIP] start netddedsdm
-c:\> sc \\[TargetIP] start clipsrv
-
+### Remote Desktop Enable - Method 1 + * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` + * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. + * **Output**: + *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f +The operation completed successfully.
-### Enable Remote Desktop +### Remote Desktop Enable - Method 2 Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below. 1. On the compromised system, create a file named `fix_ts_policy.ini` containing the contents below. Change the *"hacked_account"* value to the account you have compromised on the remote system. diff --git a/pivoting/windows/remote.md b/pivoting/windows/remote.md index cc95915..ff0d4e1 100644 --- a/pivoting/windows/remote.md +++ b/pivoting/windows/remote.md @@ -71,19 +71,19 @@ Commands that move data and files between systems on a network and are usually e * **Output**: *
**Windows 2008:** Show/Hide
C:\Users\johndoe>qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console johndoe 1 Active
rdp-tcp 65536 Listen
-### Remote Assistance Enable - * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f` - * **Description**: **Must be admin to run this.** Enable remote assistance through adding a registry entry on the local system. - * **Output**: - *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f -The operation completed successfully.
- -### Remote Desktop Enable - * **Command with arguments**: `reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f` - * **Description**: **Must be admin to run this.** Enable remote desktop through adding a registry entry on the local system. - * **Output**: - *
**Windows 2008:** Show/Hide
C:\Windows\system32>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f -The operation completed successfully.
+### psexec + * **Command with arguments**: `psexec \\[computername|IP] [cmd]` + * **Description**: The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below. +
+c:\> net use \\[computername|IP]\ipc$ username /user:password
+c:\> sc \\[computername|IP] config netdde start= auto
+c:\> sc \\[computername|IP] config netddedsdm start= auto
+c:\> sc \\[computername|IP] config clipsrv start= auto
+c:\> sc \\[computername|IP] start netdde
+c:\> sc \\[computername|IP] start netddedsdm
+c:\> sc \\[computername|IP] start clipsrv
+
+ * **Example Command**: `psexec \\1.1.1.1 ipconfig /all` would retrieve the IP settings for the 1.1.1.1 system. ### tasklist * **Command with arguments**: `tasklist /v /s [computername|IP]` diff --git a/presence/windows/find_files.md b/presence/windows/find_files.md index 2dbcb7a..307d48a 100644 --- a/presence/windows/find_files.md +++ b/presence/windows/find_files.md @@ -18,7 +18,13 @@ Commands that find files on the filesystem and are usually executed from the con * **Command with arguments**: `dir /a` * **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files * **Output**: - *
**Windows 2008:** Show/Hide
C:\Users\johndoe>dir /a c:\
Volume in drive C has no label. Volume Serial Number is 1A09-5F16

Directory of c:\

01/19/2008 03:45 AM
$Recycle.Bin
09/18/2006 04:43 PM 24 autoexec.bat
10/08/2013 10:27 PM
Boot
04/11/2009 08:00 AM 333,257 bootmgr
10/08/2013 10:27 PM 8,192 BOOTSECT.BAK
09/18/2006 04:43 PM 10 config.sys
01/19/2008 06:47 AM Documents and Settings [C:\Users]
10/23/2013 07:39 PM 2,460,454,912 pagefile.sys
01/19/2008 04:40 AM
PerfLogs
10/08/2013 06:36 PM
Program Files
10/08/2013 06:36 PM

10/10/2013 07:59 PM
Users
10/23/2013 07:38 PM
Windows
5 File(s) 2,460,796,395 bytes
10 Dir(s) 33,311,416,320 bytes free
+ *
**Windows 2008:** Show/Hide
C:\Users\johndoe>dir /a c:\
Volume in drive C has no label. Volume Serial Number is 1A09-5F16

Directory of c:\

01/19/2008 03:45 AM
$Recycle.Bin
09/18/2006 04:43 PM 24 autoexec.bat
10/08/2013 10:27 PM
Boot
04/11/2009 08:00 AM 333,257 bootmgr
10/08/2013 10:27 PM 8,192 BOOTSECT.BAK
09/18/2006 04:43 PM 10 config.sys
01/19/2008 06:47 AM Documents and Settings [C:\Users]
10/23/2013 07:39 PM 2,460,454,912 pagefile.sys
01/19/2008 04:40 AM
PerfLogs
10/08/2013 06:36 PM
Program Files
10/08/2013 06:36 PM

10/10/2013 07:59 PM
Users
10/23/2013 07:38 PM
Windows
5 File(s) 2,460,796,395 bytes
10 Dir(s) 33,311,416,320 bytes free
+ +### Searching Sub-directories + * **Command with arguments**: `dir /s *[term]*` + * **Description**: Searches for the word entered in the [term] section in all sub-directories ofthe current directory. + * **Example Terms**: `pass`, `cred`, `vnc`, `.config`, `sysprep.*` + * **Attribution**: http://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607 ### Recursive * **Command with arguments**: `dir /b /s [directory or filename]`
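Review bot: In the persistence/windows/general.md hunk, the sample output under the new "Remote Assistance Enable" entry does not match the command it documents: the command sets `fAllowToGetHelp /t REG_DWORD /d 1`, but the output shows `reg add ... /v fDenyTSConnections /t REG_DWORD /d 0 /f`, which is the Remote Desktop command from the next entry. Replace the captured output with a run of the `fAllowToGetHelp` command (or drop the output block until one is captured). The same hunk also carries the `reg add “HKEY_LOCAL_MACHINE\...”` commands with curly quotes, which `cmd.exe` will not treat as quoting if a reader copies the line; use straight `"` quotes in both the Remote Assistance and Remote Desktop Method 1 command lines.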
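Review bot: In the pivoting/windows/remote.md hunk, the first line of the relocated `psexec` block, `c:\> net use \\[computername|IP]\ipc$ username /user:password`, has the arguments reversed: `net use` takes the password as the positional argument and the account via `/user:`, so as written it would pass "username" as the password and "password" as the account. Change it to `net use \\[computername|IP]\ipc$ [password] /user:[username]`. The new **Example Command** line is a good addition; consider also noting in the description that `psexec` itself must be present on the attacking host, since the entry otherwise reads as a built-in command like the neighbouring `tasklist` entry.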
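Review bot: In the presence/windows/find_files.md hunk, the new "Searching Sub-directories" description has a typo, "ofthe", that should read "of the". Separately, the `dir /a` output block above it is removed and re-added with no visible difference (`- *` / `+ *` around identical captured lines), which suggests a whitespace-only change; reverting that part keeps the diff to the content it actually adds. A minor style point: the new **Attribution** line is a bare URL while the rest of the file uses Markdown links for references, so wrapping it as `[title](url)` would match the surrounding entries.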