3. Maintain access and hide malicious activities
1. User system monitoring with PowerSpy
Keylogger software
2. System monitoring with Spytech SpyAgent
3. Hide files using NTFS ADS Streams
Copy calc.exe from the System32 folder to your test folder, then create a text file (readme.txt).
You can type dir to check the size of the file.
Now let's append calc.exe to readme.txt.
The size shown by dir does not change. Now create a link to the hidden file.
Opening backdoor.exe will run the calculator hidden in the txt file.
List hidden ADS streams
Reference
Appending a text file as an ADS (example)
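The defender's counterpart to the steps above is to enumerate alternate data streams and look at what they contain. The following script is an added example, not part of the original notes: it walks a folder, lists every stream that is not the main `:$DATA` stream or the browser-written `Zone.Identifier` mark, and checks whether the stream starts with the `MZ` signature of a PE executable. It assumes an NTFS volume and either Windows PowerShell 5.1 or PowerShell 7; the path `C:\test` is a placeholder for the lab folder.

```powershell
# Added example (not from the original lab notes): enumerate alternate data
# streams under a folder and flag any that begin with a PE header.
# Assumes NTFS and Windows PowerShell 5.1 or PowerShell 7.
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Streams that normally exist; everything else is reported.
        [string[]]$KnownStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every NTFS stream attached to the file.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $KnownStreams -notcontains $_.Stream } |
                ForEach-Object {
                    $stream = $_
                    # Read the first two bytes of the stream; the cmdlet flag
                    # for raw bytes differs between PowerShell 5.1 and 7.
                    if ($PSVersionTable.PSVersion.Major -ge 6) {
                        $hdr = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -AsByteStream -TotalCount 2
                    } else {
                        $hdr = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Encoding Byte -TotalCount 2
                    }
                    # PE executables start with the ASCII signature "MZ" (0x4D 0x5A).
                    $isPe = ($hdr.Count -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $stream.Stream
                        Length      = $stream.Length
                        LooksLikePE = $isPe
                    }
                }
        }
}

# Usage: report unexpected streams in the lab folder (placeholder path).
Find-SuspiciousAds -Path 'C:\test' | Format-Table -AutoSize

# To delete a stream once it has been reviewed (the file itself is kept):
# Remove-Item -LiteralPath 'C:\test\readme.txt' -Stream 'calc.exe'
```

A stream reported with `LooksLikePE = True` is the situation the lab builds: an executable carried inside an innocuous-looking file whose size in `dir` never changes. For continuous monitoring rather than a one-off sweep, Sysmon event ID 15 (FileCreateStreamHash) records stream creation together with the hash of the written content.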
4. Hide data using white space steganography
Conceals messages in ASCII text by adding white space to the end of lines.
The SNOW tool is used, which can add up to 7 spaces interspersed with tabs.
Create a txt file and then use the following command to hide the message in the file.
-m is the message you want to hide
-p is the password
test.txt is the original file
test2.txt is the target file
Opening test2.txt will not show the hidden data. However, if we open the file in Notepad and click Edit > Select All, we will see some hidden spaces.
To see the hidden message, use the following command.
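Because SNOW hides data purely in trailing runs of spaces and tabs, the Select All trick above generalises into a simple scan: count lines that end in white space, and especially lines where spaces and tabs alternate at the end, which ordinary editors almost never produce. The script below is an added example, not part of the original notes; the threshold of half the lines and the `C:\test` path are assumptions for the lab.

```powershell
# Added example (not from the original notes): flag text files whose lines end
# in runs of spaces/tabs, the pattern SNOW-style whitespace steganography leaves.
function Find-TrailingWhitespace {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Fraction of lines that must carry trailing white space before a file is flagged.
        [double]$Threshold = 0.5
    )
    Get-ChildItem -Path $Path -File -Recurse -Include *.txt, *.md, *.log -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lines = @(Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue)
            if ($lines.Count -eq 0) { return }
            # Lines ending in one or more spaces or tabs.
            $padded = @($lines | Where-Object { $_ -match '[ \t]+$' }).Count
            # Lines whose trailing run mixes spaces and tabs: the strongest signal,
            # since SNOW interleaves tabs with groups of up to 7 spaces.
            $mixed = @($lines | Where-Object { $_ -match '( \t|\t )[ \t]*$' }).Count
            [pscustomobject]@{
                File        = $_.FullName
                TotalLines  = $lines.Count
                PaddedLines = $padded
                MixedRuns   = $mixed
                Suspicious  = (($padded / $lines.Count) -ge $Threshold) -and ($mixed -gt 0)
            }
        }
}

# Usage: list only the files that look like carriers (placeholder path).
Find-TrailingWhitespace -Path 'C:\test' | Where-Object Suspicious | Format-Table -AutoSize
```

Source files with editor-inserted trailing spaces will show `PaddedLines` but rarely `MixedRuns`, which is why both conditions are required. The same property makes the channel fragile: any process that normalises trailing white space (a formatter, a mail gateway, a copy through a terminal) destroys the hidden message, so stripping trailing white space on ingress is a cheap mitigation.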
5. Image Steganography using OpenStego and Stegonline
OpenStego
Select the message file and the cover file to hide the data in, then click Hide.
A new file will be created. It opens as an image but also contains our message. Similarly, the data is extracted with the tool.
Stegonline
Upload the file, then set the settings and remember them.
Similarly, the data can be extracted from the image.
6. Maintain persistence abusing boot or logon autostart
After getting the admin Meterpreter session on the remote machine, change to the Startup folder.
Check the working directory with pwd.
Now upload your msfvenom payload here.
Other tools
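From the defender's side, the Startup folders and the Run/RunOnce keys are a small, enumerable set, so a payload dropped there stands out against a baseline. The script below is an added example, not part of the original notes: it inventories both Startup folders and the four common Run keys, hashes and checks the signature of each file, and diffs the result against a CSV baseline. The baseline path `C:\ProgramData\autostart-baseline.csv` is an assumption; run it from an elevated PowerShell on the host being checked.

```powershell
# Added example (not part of the original notes): inventory the autostart
# locations the technique above abuses, so a new payload in a Startup folder
# or Run key shows up as a diff against a saved baseline.
function Get-AutostartInventory {
    $items = @()
    # Per-user and all-users Startup folders (Environment.SpecialFolder values).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $items += [pscustomobject]@{
                Location = $folder
                Name     = $_.Name
                Value    = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signed   = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
            }
        }
    }
    # Run / RunOnce keys for the machine and the current user.
    foreach ($key in @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PSPath/PSParentPath/... bookkeeping properties the provider adds.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                $items += [pscustomobject]@{
                    Location = $key
                    Name     = $_.Name
                    Value    = [string]$_.Value
                    Modified = ''
                    SHA256   = ''
                    Signed   = ''
                }
            }
    }
    $items
}

# First run writes the baseline; later runs print only entries not in it.
$baseline = 'C:\ProgramData\autostart-baseline.csv'   # assumed path
$current  = Get-AutostartInventory
if (Test-Path -LiteralPath $baseline) {
    Compare-Object -ReferenceObject (Import-Csv -LiteralPath $baseline) -DifferenceObject $current `
                   -Property Location, Name, Value, SHA256 |
        Where-Object SideIndicator -eq '=>' |
        Format-Table -AutoSize
} else {
    $current | Export-Csv -LiteralPath $baseline -NoTypeInformation
}
```

An unsigned, newly modified file in a Startup folder, or a Run value pointing at a user-writable path, is exactly what the Meterpreter upload above produces. The inventory only covers the locations this lab uses; a fuller sweep would also take in scheduled tasks, services and the Winlogon keys.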
7. Maintain Domain Persistence exploiting Active Directory Objects
AdminSDHolder is an Active Directory container with default security permissions. It is used as a template for protected AD accounts and groups, such as Domain Admins and Enterprise Admins, to protect them from unintentional modification of permissions.
If a user account is added to the access control list of AdminSDHolder, the user acquires "GenericAll" permissions, which is equivalent to domain administrator rights.
After gaining the Meterpreter session, upload PowerTools (master).
Now enter the shell and start PowerShell.
Now change directory to the PowerTools folder and use the following commands to add the user Martin to the ACL.
To check the permissions, use the following commands.
Now, to add the user to the admin group, use the following command.
From PowerShell, we can use the following command to check the persistence.
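The persistence works because the SDProp process copies the AdminSDHolder ACL onto every protected object (by default every 60 minutes) and stamps those objects with `adminCount=1`, so an injected ACE is re-applied automatically. The audit below is an added example, not part of the original notes, and uses plain ADSI so it runs without the ActiveDirectory module. It lists every ACE on AdminSDHolder whose principal is not in a baseline, and every account still carrying `adminCount=1`. The `$DefaultPrincipals` list is an assumption describing a typical out-of-the-box domain; reconcile it with a known-good export of your own AdminSDHolder before trusting the output. Run it as a domain user on a domain-joined machine.

```powershell
# Added example (not from the original notes): audit the AdminSDHolder ACL and
# adminCount-flagged accounts using ADSI only (no ActiveDirectory module).
function Get-AdminSdHolderAudit {
    param(
        # Assumed baseline of principals normally present on AdminSDHolder.
        [string[]]$DefaultPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
            'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
            'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group'
        )
    )
    $dn     = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $holder = [ADSI]"LDAP://CN=AdminSDHolder,CN=System,$dn"

    # Domain-scoped defaults are prefixed with the NetBIOS domain of the caller.
    $domainDefaults = @('Domain Admins', 'Enterprise Admins', 'Cert Publishers') |
        ForEach-Object { "$env:USERDOMAIN\$_" }
    $baseline = $DefaultPrincipals + $domainDefaults

    # 1. Every ACE whose principal is outside the baseline, with the rights it grants.
    #    Unresolvable SIDs (deleted accounts) show up here too and are worth cleaning.
    $unexpected = $holder.psbase.ObjectSecurity.Access |
        Where-Object { $baseline -notcontains $_.IdentityReference.Value } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights, AccessControlType, IsInherited

    # 2. Accounts with adminCount=1. SDProp sets the flag but never clears it, so
    #    an account that was once protected keeps it; compare MemberOf against
    #    the protected groups to spot orphans and freshly added users alike.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dn")
    $searcher.Filter = '(&(objectCategory=person)(adminCount=1))'
    [void]$searcher.PropertiesToLoad.AddRange(@('samaccountname', 'memberof'))
    $flagged = $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Properties['samaccountname'][0]
            MemberOf = (@($_.Properties['memberof']) -join '; ')
        }
    }

    [pscustomobject]@{ UnexpectedAces = $unexpected; AdminCountAccounts = $flagged }
}

# Usage: a user such as "Martin" granted GenericAll appears in UnexpectedAces
# with ActiveDirectoryRights = GenericAll and, after propagation, in AdminCountAccounts.
$audit = Get-AdminSdHolderAudit
$audit.UnexpectedAces     | Format-Table -AutoSize
$audit.AdminCountAccounts | Format-Table -AutoSize
```

Removing the ACE from AdminSDHolder is only half the cleanup: the copies already stamped on the protected objects stay until the next SDProp cycle, and the `adminCount` attribute on the added user must be cleared by hand.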
8. Priv esc with WMI and maintain persistence
WMI (Windows Management Instrumentation) event subscription can be used to install event filters, providers, and bindings that execute code when a defined event occurs. It enables system administrators to perform tasks locally and remotely.
Get a Meterpreter session and upload the script; have a second msfvenom payload ready as well.
Now, within Meterpreter, load powershell.
Now type the following commands to run the script.
Now listen with multi/handler in msf. In 5-10 minutes, you will get an admin shell.
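A permanent WMI subscription is three objects in the `root\subscription` namespace: an `__EventFilter` (the WQL trigger, which is where the 5-10 minute delay above comes from), a consumer that holds the command or script, and a `__FilterToConsumerBinding` joining them. Listing the bindings therefore exposes every planted subscription. The script below is an added example, not part of the original notes; it treats the "SCM Event Log Filter" pair that ships with Windows as the only known default (an assumption to adjust for your environment) and must be run elevated.

```powershell
# Added example (not from the original notes): list permanent WMI event
# subscriptions so a filter/consumer pair planted by the script above is visible.
function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    # The two consumer classes that run attacker-controlled commands or scripts.
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        # Filter and Consumer are references resolved to CimInstance objects.
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   elseif ($c.ScriptFileName)  { $c.ScriptFileName }
                   else { '' }
        [pscustomobject]@{
            Filter    = $b.Filter.Name
            Query     = $f.Query
            Consumer  = $b.Consumer.Name
            Type      = $b.Consumer.CimClass.CimClassName
            Payload   = $payload
            # Assumed baseline: only the built-in SCM Event Log pair is expected.
            IsDefault = ($b.Filter.Name -eq 'SCM Event Log Filter')
        }
    }
}

# Usage: show everything that is not the Windows default.
Get-WmiPersistence | Where-Object { -not $_.IsDefault } | Format-List

# Cleanup after review: remove the binding first, then its consumer and filter, e.g.
# Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
#     Where-Object { $_.Filter.Name -eq 'NAME' } | Remove-CimInstance
```

A `CommandLineEventConsumer` whose template launches a file from a user-writable directory, or an `ActiveScriptEventConsumer` with inline script text, is the shape of the lab's persistence. For detection at creation time rather than on a sweep, the `Microsoft-Windows-WMI-Activity/Operational` log records new permanent consumers (event ID 5861) and Sysmon logs filter, consumer and binding creation as event IDs 19, 20 and 21.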
9. Covert channels using covert_TCP
Networks use network access control permissions to permit or deny the traffic flowing through them. Tunneling is used to bypass the access control rules of firewalls, IDS, IPS, and web proxies to allow certain traffic. Covert channels can be created by inserting data into the unused fields of protocol headers. There are many unused or misused fields in TCP or IP over which data can be sent to bypass firewalls. The Covert_TCP program manipulates the TCP/IP header of the data packets to send a file one byte at a time from any host to a destination. It can act like a server as well as a client and can be used to hide the data transmitted inside an IP header. This is useful when bypassing firewalls and sending data with legitimate-looking packets that contain no data for sniffers to analyze. A professional ethical hacker or pen tester must understand how to carry covert traffic inside the unused fields of TCP and IP headers.
Sending Machine
Download the tool on your sending machine.
Now compile it.
2nd machine
Compile the tool there as well. Now open the tcpdump listener.
Start the listener.
Now, from the sending machine, send the message.
We will get the text file in the same folder as well.
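The tcpdump listener above is also the defender's vantage point: because the channel carries one byte per packet in a header field, a flow whose IP ID values all sit in the printable ASCII range looks nothing like a normal stack, which spreads IDs across the full 16-bit space. The script below is an added example, not part of the original notes: it parses the `id N` field from `tcpdump -v` output and scores a flow on how many IDs decode as text. It assumes the byte is written directly into the 16-bit ID field; Covert_TCP can also use the sequence number field and some variants scale the byte, so adapt the field and decoding to the tool in use. The tcpdump lines are constructed samples.

```powershell
# Added example (not from the original notes): scan tcpdump -v output for an
# IP ID covert channel of the kind described above.
# Assumption: one payload byte per packet, stored directly in the 16-bit ID field.
function Test-IpIdCovertChannel {
    param(
        [Parameter(Mandatory)][string[]]$TcpdumpLines,
        [int]$MinPackets = 8,      # too few packets to judge a flow
        [double]$AsciiRatio = 0.9  # fraction of text-like IDs that triggers a flag
    )
    # tcpdump -v prints the IP header as "(tos 0x0, ttl 64, id 72, offset 0, ...)".
    $ids = @(foreach ($line in $TcpdumpLines) {
        if ($line -match '\bid (\d+),') { [int]$Matches[1] }
    })
    if ($ids.Count -lt $MinPackets) {
        return [pscustomobject]@{ Packets = $ids.Count; AsciiRatio = 0; Suspicious = $false; Preview = '' }
    }
    # Printable ASCII (0x20-0x7E) plus CR/LF, since a text file is being carried.
    $textLike = @($ids | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or $_ -in 10, 13 }).Count
    $ratio = $textLike / $ids.Count
    # Decode the IDs as characters so an analyst can eyeball the content.
    $preview = -join ($ids | ForEach-Object {
        if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' }
    })
    [pscustomobject]@{
        Packets    = $ids.Count
        AsciiRatio = [math]::Round($ratio, 2)
        Suspicious = ($ratio -ge $AsciiRatio)
        Preview    = $preview
    }
}

# Constructed samples: a flow whose IDs spell "hello!!!" and a flow with ordinary IDs.
$covert = 'hello!!!'.ToCharArray() | ForEach-Object {
    "12:00:00.000000 IP (tos 0x0, ttl 64, id $([int]$_), offset 0, flags [none], proto TCP (6), length 40)"
}
$normal = 1..8 | ForEach-Object {
    "12:00:00.000000 IP (tos 0x0, ttl 64, id $(Get-Random -Minimum 256 -Maximum 65535), offset 0, flags [none], proto TCP (6), length 40)"
}
Test-IpIdCovertChannel -TcpdumpLines $covert
Test-IpIdCovertChannel -TcpdumpLines $normal

# Against a real capture saved with "tcpdump -v -n -w" and printed with "tcpdump -v -n -r",
# group lines per source/destination pair before scoring, e.g.:
# Test-IpIdCovertChannel -TcpdumpLines (Get-Content .\capture.txt | Select-String '10.0.0.5 >')
```

Some stacks set the ID to zero on packets with the Don't Fragment bit, so the check deliberately leaves zero out of the text-like set; a flow of plain SYNs with no payload and no reply traffic, as the lab produces, is itself a reason to look at the header fields more closely.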