Time
7 hours 47 minutes
Difficulty
Advanced
CEU/CPE
10

Video Description

This lesson focuses on scheduling batch scripts and other programs using the following Windows scheduling tools:

  • at
  • schtasks

These tools are designed to run an application at a scheduled time so that information can be collected. Participants learn, step by step, how to create new tasks.

Video Transcription

00:04
We've kind of dug into batch scripts pretty heavily, and we did that, as I said, for a reason. One of the things that we are gonna want to do with batch scripts is schedule them, or schedule even just non-batch scripts and regular programs, though I prefer scheduling batch scripts myself.
00:18
The way we're gonna schedule these things is with two possible commands. We could do it with at,
00:24
or we can do it with schtasks.
00:28
These two commands are Windows scheduling tools that are designed to
00:33
schedule. As it sounds, they are designed to make an application execute at a later time. They're primarily used for backups, or for troubleshooting, maintenance, that sort of thing.
00:43
But a lot of computers have tons of these tasks on them,
00:48
and so you can easily hide among them.
00:50
So, for example, if you know that this user logs off every day, or, not logs off, but leaves their desk every day for an hour at 12, because they've got a scheduled lunch at 12 and they don't want to miss it.
01:00
If you put your script in to kick up a reverse, ah, Remote Desktop Protocol at 12 every day,
01:08
then when they kind of get booted off of their session, they won't even notice. When they get back in the room, the computer's just locked.
01:17
Or perhaps if you have a situation where
01:19
you know this admin goes home at five,
01:23
and this can kick up whatever traffic might have alerted him if he'd been there and had been paying attention,
01:30
at that time, when you'll be safe.
01:32
So we're gonna look at the tasks that are scheduled.
01:34
Well, first we're gonna check at. At is the old version of the scheduler. Or,
01:40
um, it's simpler. Not very useful. You probably won't
01:44
find much, but we can check.
01:48
So to actually find out what is currently scheduled with at, you just type at,
01:53
enter. No entries in the list. Very useful.
01:57
Let's check schtasks. Maybe they've got something. Oh, they've got everything,
02:01
sweet.
02:02
So, as you see, there's all sorts of stuff there. Auto wake. There's gadget manager. All of these things
02:10
you see here, in different folders, with different task names,
02:15
they do different things.
02:16
Most of them seem to come from Windows. So again, if you're looking for a place to stash your stuff,
02:23
Microsoft\Windows\Something is probably a safe place.
02:29
Or really anywhere in the Microsoft folder.
02:32
Ah, these schtasks, you could take out if you were doing information gathering. You could put them in the file that we have been using. I generally don't,
02:43
unless I find something interesting, where they're doing backups to a specific server. By the time you get to the point of going through schtasks, you've already collected the interesting stuff. This is just kind of
02:53
tedious, network-y details, but you never know. So it's worth glancing through.
02:59
However,
03:00
we're not here to do that right now. We're here to create a new task.
03:04
So let's see how we do that. First we clear, so we don't have our screen all cluttered up,
03:07
and we're gonna do
03:09
slash question mark.
03:10
Okay,
03:13
create.
03:15
That's what we want to do. Right?
03:16
Let's see what /create has to say.
03:19
Okay. Has to say a lot.
03:21
Okay. Scroll back. Stop there.
03:24
All right. So
03:29
/s, system. What does that mean?
03:31
Means the remote system.
03:32
If you need to do this, if you need to schedule a task to go on another computer
03:38
and you know that your access is currently admin, or some account which would actually let you do that,
03:45
schtasks just gained access to the entire network for you,
03:49
so long, of course, as they have the executables you need on there, or even just,
03:54
you know, the ability to get those executables easily. But schtasks can, actually, you can create a task for a remote system you want to access
04:02
for 30 seconds from now, and bam, you're in.
04:06
Now, you see username, the user context under which you want to execute,
04:12
the password for that user, so we might use the user account, the admin account we created recently.
04:18
There's an /ru, which is run-as user, which is different from the user.
04:24
This basically will actually generate up its own
04:30
username under which to run, rather than just using whatever context you give it. You can actually give it a proper context and then give it a run-as, so that will be "this username under this username,"
04:42
which is sort of complicated, and it's not really something we want to use right now, but it's doable,
04:46
and then schedule says how often we want to do it.
04:50
Um, I'll tell you one of my favorites, well, one of the favorites among people in one of my old classes, was to, every minute, spawn a calculator.
05:00
We were bad people. Or, every minute, run a task which created another task, which created another task, etcetera, etcetera. Just fun things like that.
05:10
This, though, I kind of like: onidle.
05:14
When the system goes idle,
05:16
you can start this task.
05:20
It's kind of nice. Someone, you know,
05:24
lets their machine go idle. It spawns up a command prompt, spawns up a netcat listener, and gives them, that gives you, access to a command prompt, because you know that guy's not listening.
05:31
Or onstart, which is again a great way to do it if you want it to. Every time someone starts up the computer, this happens.
05:40
but
05:41
again,
05:42
sort of the most common, or not the most common but the most useful one I've found for schtasks, as opposed to the other backdoor methods,
05:49
is actually doing a daily, or even weekly if you're not going to be using the system extremely often, usually a daily,
05:57
at a specific time, the time that you've identified as being useful.
06:01
So it'll be, so far, what we've got is going to be: schtasks /create, username, the account, password,
06:10
the password you gave it,
06:12
/sc daily,
06:15
and let's see what else we've got.
06:19
So you've got days here. We can do it differently. We can do, instead of /sc, we could do /d,
06:26
your specific days
06:29
or we could give it specific days of the month,
06:31
or we could just give it this wildcard, which says every day.
06:34
it's simple enough.
06:38
Task name is going to be what we're actually gonna call it.
06:41
Task run is what it's actually going to do.
06:44
Here, it obviously gives the example of calc. We're probably going to be using our netcat.
06:48
Or
06:49
if you were
06:51
moving up a little higher, you might be using cryptcat, one of the encrypted versions that actually defeats IDSs.
06:58
But whatever listener you're using, you'll have as the task run. You have a start time. This is the handy one that I was talking about, where if you know they're going to leave at five every day, you could start it at 5:01.
07:11
One that I saw was a scheduled task that someone used that logged him into the system every morning at exactly 06:30, because that was his required time to be on the system, and they had something monitoring to make sure he logged in by then.
07:23
So he logged in at 06:30, rolled into work around 07:15,
07:27
45 minutes. Now, no one the wiser until,
07:30
of course, he got fired, because it turns out that's super not okay.
07:33
But hey, whatever.
07:35
So start time, interval.
07:41
If you've already got it set to minute, hourly, whatever,
07:45
this isn't really going to do any good, but it can tell you the actual, in minutes, how often
07:50
to do it
07:51
Tells you when to end the task.
07:56
Duration around the task. Lots of similar things that sort of correspond and work together.
08:01
So let's go ahead and give this a shot.
08:05
Now, quick warning:
08:07
schtasks is
08:09
one of the most annoying little Windows commands there are. Everything has to be just so,
08:16
and if it's not, it will break and it will yell at you.
08:22
The /mo command, by the way,
08:24
that has, here's, modifier. Um,
08:28
allows finer control over schedule recurrence. We don't really need to worry about that.
08:33
But I saw that in this sample command, which I'm using because, again, you've never used schtasks enough that it's not a good idea to check.
08:41
/tn
08:43
And we saw a lot of interesting things, so we could do Windows
08:48
Office
08:50
Update Checker
08:54
seems legit
08:54
Task run
08:56
and nc.exe. And we saw in another video earlier how you can change the name of netcat to something a little bit more believable.
09:07
You can change it, in this case, to officeupdatechecker.msc, although I usually recommend avoiding changing extensions, just because Windows can respond poorly.
09:16
Though most of the time it won't.
09:18
You could change the
09:20
extension on this to a different kind of portable executable that sounds more official, or anything like that.
09:26
I'm just, in general, something that is going to sound Windows-y, and it will run this task,
09:31
and we're actually gonna do
09:35
the full-on C colon. Ah, you always want to make sure you're doing that, because you never know where it's going to be executing, and sometimes it gets a little
09:43
persnickety.
09:45
nc.exe,
09:48
and watch it, right,
09:50
look at that.
09:52
Okay,
09:54
cool. Not that bad.
09:56
You drop this in quotes.
10:00
Bam!
10:01
That task has been created,
10:03
So we're gonna do schtasks
10:07
/query,
10:09
/tn,
10:11
and we know it's Windows.
10:15
You might know. I seem to have forgotten: Windows\Office\Update Checker,
10:18
man.
10:20
You see, it's gonna run it at 9 p.m.
10:22
Every day. It's gonna start tomorrow in my case, and it'll run every day at 9 p.m.
10:30
And when it runs, it's gonna spit up that netcat listener. It's gonna do it silently, without throwing anything out telling anyone,
10:35
and it will execute.
10:37
And, ah, that's pretty much the whole thing in terms of schtasks. We'll do a quick run-through of at.
10:45
Like I said, I don't ever expect you to really have a great use for it, 'cause at is kind of terrible
10:50
in my mind. Anyway,
10:52
nine
10:54
p. M.
10:56
Next
11:00
Thursday
11:05
nc,
11:13
there you go.
11:16
So, as you see, at is pretty quick, pretty easy to use. You give it a time and the day, and it will execute.
11:22
I'm not a huge fan of at, as I mentioned, because it's old and kind of weak in comparison to schtasks,
11:28
and also because, as you saw on this machine, there were no at jobs,
11:33
so it's sort of noticeable if there is one.
11:39
there we go. But it's nice to know that it's there, and it's nice to know what it is just in case.
11:45
So there you go. We saw batch scripting, simple batch scripting. We saw a batch script, and we saw schtasks, and we saw at.
11:52
These three are primarily used, in our case are going to be used, for backdooring.
11:56
Um, schtasks, you can tell it to run as often as you want, as rarely as you want.
12:01
At, you can do somewhat to that intention, but not nearly as well. And batch scripts can be designed to do pretty much everything you want to do,
12:11
If you're good and you're willing to take that plunge,
12:13
I would say experiment with batch scripts until you can do
12:18
one or two of these full videos, all of the data, information gathering, or something like that, with a single batch script that you drop on your target, perhaps using TFTP.
12:28
Once you've got there, you're pretty well ready to start on
12:31
serious, well, semi-serious pen testing. Now that you've got a sense of how scripting works and you've got a sense of how to make things happen quickly,
12:39
you're definitely a lot closer.
12:43
Hopefully you all learned a lot about this, maybe a few things you didn't know about scheduling or about batch or whatever.
12:48
You learned a new nifty little trick for writing to files with nothing but a command prompt. Although, again, I'd advocate never doing that unless you absolutely have to. It's just the worst.
12:58
As always, I'm glad to have been here with you. My name is Joseph Perry. I'm your resident SME on the subject, and you're listening to this on cybrary.it.
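
The schtasks /create and /query invocation the instructor builds up above, followed by the check a defender would run against the "hide it in a Microsoft folder" trick, as an added PowerShell example that is not part of the original video. The task name, the listener path, and the run-as account are assumptions; the listener arguments are left to whatever tool the reader uses. Get-ScheduledTask and Get-ScheduledTaskInfo exist on Windows 8 / Server 2012 and later; everything else is plain schtasks.exe syntax.

```powershell
# Added example, not the instructor's code. All values below are assumptions.
$TaskName = '\Microsoft\Windows\Office\Update Checker'   # assumed: a name chosen to blend in
$Listener = 'C:\Temp\nc.exe'                              # assumed: full path, as the video insists
$RunAs    = 'WORKSTATION\backupadmin'                     # assumed: the account created earlier
$RunPw    = 'P@ssw0rd'                                    # assumed

# /sc daily with /st gives the once-a-day, fixed-time trigger the video recommends.
# /ru /rp set the context the task runs under; /f overwrites an existing task of that name.
# A /tr path containing spaces must be wrapped in escaped quotes ("`"$Listener`"").
schtasks.exe /create /tn $TaskName /tr $Listener /sc daily /st 21:00 /ru $RunAs /rp $RunPw /f
if ($LASTEXITCODE -ne 0) { throw "schtasks /create failed with exit code $LASTEXITCODE" }

# Confirm it and read the next run time, the same /query /tn shown in the video.
schtasks.exe /query /tn $TaskName /fo LIST /v

# The at equivalent from the end of the video (date abbreviations: M,T,W,Th,F,S,Su).
# On Windows 8 / Server 2012 and later at.exe only prints a deprecation notice,
# so this line is kept for reference: at 21:00 /next:Th C:\Temp\nc.exe

# Defender side: the folder name is what the trick hides behind, so review what each
# task actually executes instead of where it sits. Anything launched from outside the
# OS and Program Files roots, or by bare file name, is reported for a closer look.
function Get-TaskOutsideTrustedPaths {
    # Assumption: nothing legitimate on this host is scheduled from outside these roots.
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
        Where-Object { $_.Length -gt 1 }

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions carry a ClassId, not an Execute path; skip them here.
            if (-not $action.Execute) { continue }

            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $inTrusted = $false
            foreach ($root in $trusted) {
                if ($exe.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
            if ($inTrusted) { continue }

            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Execute  = $exe
                Args     = $action.Arguments
                RunAs    = $task.Principal.UserId
                NextRun  = (Get-ScheduledTaskInfo -InputObject $task).NextRunTime
            }
        }
    }
}

# Run from an elevated prompt so tasks owned by other principals are included.
Get-TaskOutsideTrustedPaths | Format-Table -AutoSize
```

Run both halves from an elevated PowerShell session: /ru with a different account requires it, and without elevation Get-ScheduledTask can omit tasks you have no rights to read. The review function deliberately ignores the task folder, which is why a task named to look like an Office component still surfaces when its action points at C:\Temp.
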

Up Next

Post Exploitation Hacking

In this self-paced online training course, you will cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting.

Instructed By

Joe Perry
Senior Technical Instructor at FireEye, Inc
Instructor