Hello, ladies and gentlemen, and welcome to the Post Exploitation Hacking: Persistence and Continued Access course. In this class, we're going to be discussing the second stage of our three-stage process, which is actual persistence and backdooring.

This is going to be the big one for Windows, well, one of the really big ones for Windows, in that it is going to be discussing actually creating a new user and actually making that user a sort of consistent access point for you. Part of this is going to involve actually creating the user and setting permissions so it sort of blends in; part of it is going to include actually sharing out a drive so you can access it as that user; and just sort of finding the permissions you can give the user. If you've exploited in as an administrator, or in some way escalated your privileges to those of an administrator, that's going to be a great starting point. It will be sort of hard to do this otherwise, particularly on a Windows 7 machine or a newer box. But, as always, we're going to be operating under the assumption that you're a fantastic, super elite hacker, and you exploited your way in as admin and you've taken over the machine. With that, ah, perhaps slightly hopeful thought in mind, we're gonna dig right in.
So in order to do this properly, we're gonna have to have a return of our old friend net. In this case, we're gonna be using net user. So you see these user accounts exist. Remember that there was account1, account2, account3, ASP.NET and Perry. Let's see what we can do with this net user thing. That's certainly our current step: we wanna add a user. Syntax is net user, username, and then we've got a password. It has to, you know, that has to, ah, follow certain requirements. But if you remember back, we saw already in our information gathering, in net accounts, that the password length and password requirements are pretty non-existent.

So we're gonna add the user. We're going to try to do some fun stuff with that user later on. But first up, being first up, pretty easy one: we're gonna do net user add, username is going to be account4. If you want to give it a password, just for safety's sake, again, this is a reminder from earlier, because with a lot of the backdooring we've been doing, we haven't done anything that requires a password. We're doing it that way because this is a basic class. However, if you're actually doing a full-on pentest for a course or for a company, you need to remember to always have some form of authentication for your backdoors. If it's on a production network and someone else could get access to it, you need to make sure they have to password authenticate. Yes, I know you did just exploit your own way in, but make them do the hard work, too. If you leave open a backdoor with no authentication and they come in and take everything, you're gonna be in trouble.

net user add account4, and if you want to do a password, we can say insecurepassword. Nice, strong, terrible password. And it says the password's really long and Windows doesn't think you can handle that. That's okay, because it's a little bit after Windows 2000. All right, the command completed successfully. Let's see if it's telling the truth. Look at that, account4. So now we have an account4. It exists; it's something we can work with. It's a real thing in the world, it's got a password and everything.
What is account4, actually? Ah, what groups is that a part of? How do we find that out? I just typed in the net localgroup command. That's actually not quite right. We can actually check net help user and see if we might be able to find it there. See, there's lots of interesting nonsense here that we already looked at. We don't see a groups list. Okay, well, where would it be? The long and short of it is, we actually do use net localgroup, but we don't actually use it by itself. We actually want to go through and see what groups we want to put this guy in. Right now, he doesn't have any special groups, so we see things that we want him in. Definitely one: the Administrators. HomeUsers just might not be bad. Remote Desktop Users means he's someone who's allowed to create a remote desktop. And of course, Users, he'll probably already be in.

So let's change that: net localgroup Administrators. Administrators, see, I can type it. There we go. So you see account1, account4 and Perry. So now we know going into it that Perry and account1 are both admin accounts capable of doing fancy stuff; that'll be useful going forward. We also see that account4 is in there, and it blends in pretty well. So now account4 is a local admin, so we've just got to go ahead and do the same thing, adding account4 to HomeUsers. Let's see who's in HomeUsers before we go add it to it. Okay, we see that there are admin accounts, and it would make sense for this guy to, ah, show up in that one. So we add account4.

All right, so now this admin account, this random account4, looks just like an admin account. It's in the same groups, has the same privileges. It's important. Ah, that means that this account could also, you know, actually execute things and actually accomplish goals.
So with that in mind, we can go ahead and say something along the lines of runas. It needs a user, that's the username, and then the program that we actually execute, and then /profile, to actually load that user's profile. But that's default, so I don't really have to worry about it. Let me enter the password. Remember, it's insecurepassword. It spits out a command prompt. You see that we're in C:\Windows\System32. That's an administrator. That's a power... That means we've come in as an administrator. We've come in doing administrator-y things. Obviously, we were already in as an administrator, but that's in the case that we came in and found ourselves with a command prompt that wasn't doing us any good, for example the netcat that we did earlier, or something along those lines. We now have an actual good command prompt, one that could be useful to us, and one that we know belongs to a user with all the admin privileges.
But what can we do as admin? One of the things I mentioned at the beginning of the video is one of the things that's going to be most useful, and that's going to be the ability to actually share out drives. It's pretty straightforward. We're gonna do net share. We see what we've got shared right now. You see, you know, it's sharing a bunch of files. We're gonna do net help share: what commands were entered to share those files, and what commands we're going to enter. So back up here at the very top, you see: net share sharename=drive:path. Okay, let's try. Oh, and then we're gonna want to use this /grant:user,read|change|full, just so that we can make sure our important user has everything it needs. So net share, and for the share name we want to look back up at what we saw here. We see print$, IPC$, Users, Kodak. So maybe something along the lines of... account1, or account4. Oh, almost did a bad thing. Did something bad there. First, I ended it badly; I misspelled administration. Okay: net share sharename. You will see... Oh, yeah, I forgot my colon. Never forget your colon. It's a very painful thing if you forget.

So we're going to do another net share and see if it's been shared out properly. And look at that: Kodak Administration. Who in the world would suspect that? And yet again, we've been looking around, and because of that, we're able to blend in and look like just another one of the many print shares that are up. It's sharing out the C drive, and it's got full access for account4, /grant for account4 just in case. That was already going to be a default, but it's still good to know the grant in case you've got a network account, but not an actual account on this local machine.
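As the defender's counterpart to the three steps just walked through (new local user, local group membership, a share granting that user full access), here is an added audit script; it is not part of the course and not something the instructor ran. It assumes an elevated PowerShell on Windows 10 / Server 2016 or later, where the LocalAccounts and SmbShare modules are available, and that the "Audit File Share" subcategory is enabled if you want event 5142 to appear.

```powershell
# Added example, not from the course: audit a host for the persistence pattern
# discussed above. Run elevated. Assumes Windows 10 / Server 2016+ modules.
param([int]$Days = 30)

$since = (Get-Date).AddDays(-$Days)

# Get-LocalUser does not expose a creation date, so PasswordLastSet is used
# as a proxy: an account created with "net user ... /add" and a password
# shows a fresh PasswordLastSet.
Write-Host "== Local users whose password was set in the last $Days days =="
Get-LocalUser |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -gt $since } |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon

# Membership of the groups the course adds the new account to.
Write-Host "`n== Members of Administrators, HomeUsers, Remote Desktop Users =="
foreach ($group in 'Administrators', 'HomeUsers', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object @{n='Group';e={$group}}, Name, ObjectClass, PrincipalSource
}

# Non-default shares (Special = $false excludes C$, ADMIN$, IPC$) and every
# principal explicitly granted Full access on them.
Write-Host "`n== Non-default shares and who holds Full access =="
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessRight -eq 'Full' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object @{n='Share';e={$share.Name}},
                      @{n='Path';e={$share.Path}},
                      AccountName
}

# Security log correlation: 4720 = user account created,
# 4732 = member added to a security-enabled local group,
# 5142 = network share object added (needs "Audit File Share" enabled).
Write-Host "`n== Security events 4720/4732/5142 since $since =="
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720,4732,5142; StartTime=$since } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
                  @{n='Summary';e={ ($_.Message -split "`r?`n")[0] }} |
    Format-Table -AutoSize
```

Compare the three listings against your baseline: a recently set password on an account you did not create, a new Administrators member, or a share on C:\ with Full access for a single local user is exactly the footprint the commands above leave.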
So now that's shared out, you've got the user account created, you've got all the groups added, and you've pretty much got access to this machine forever, unless someone comes through and actually sees the account, which again is why we specifically did account4: because it doesn't really come across as anything. We could have done any name, obviously, but account4 on this machine blends in with the syntax and is pretty hard to pick out unless you already knew for sure how many accounts were on. Very few people know how many accounts are on; even people who are security conscious enough to, say, you know, obviously name them in such a manner are generally not going to be checking it every day. This machine's been up for a while. You probably won't remember.

So there you go. This is a really good way to backdoor a computer, because it's a really difficult one to know about, and because it tends to give you better long-term access. Now, not only do you have external access through exploits or however you got in in the first place, you also have internal access: you could walk up to this machine and just log into the account. Obviously, this was a domain controller. If this was the domain, you'd be able to actually access any computer on the network as an administrator, and you pretty much own their systems.

Now with that, I think we're gonna go ahead and end this video. As I mentioned, this is one of the most important Windows videos, so I really hope you take your time and play with these commands and really get used to using them in a bit of a hurry and using them effectively, so that you can create users and you can hide yourself, and you can just, generally speaking, be the best elite hacker you can be. I'll see you next time. Until then, I've been, me, Joseph Perry, and you've been watching us on Cybrary.IT.