CSCB524 - CCSB4113 - Chapter 8 Lab 8
Techniques
CHAPTER 8 LAB 8
CSCB524/CCSB4113 1
MAINTAINING PERSISTENCE
AFTER COMPROMISING A SYSTEM
Ways to Maintain Persistence on a Compromised System
I. Creating and manipulating scheduled jobs and tasks
II. Creating custom daemons and processes
III. Creating additional back doors
IV. Creating new users
V. Creating reverse and bind shells
Scheduled Tasks (at)
C:\>at \\VICTIM 8:17pm /every:M,W,F User_Feed_Synchronization.exe
• Schedules User_Feed_Synchronization.exe on the remote host VICTIM to run every Monday, Wednesday and Friday at 8:17 PM
• at needs administrative rights on the target, and jobs it creates run as SYSTEM, so whatever the attacker schedules runs with full privileges
• at is deprecated on newer Windows versions in favour of schtasks, but it still works on the Windows 7 victim used in this lab
Lab setup: Kali (10.0.2.37) vs Windows 7 (10.0.2.38)
C:\Windows\system32> time
(shows the victim's current clock; press ENTER to leave it unchanged, so a job time can be chosen relative to it)
C:\Windows\system32> at
(with no arguments, at lists the jobs currently scheduled on this machine)
• This shows the capability of being able to run any program we want on the victim:
  – Pinging back to the attacker
  – Password sniffers
  – Key loggers
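The same M/W/F 8:17 PM job expressed with schtasks (the successor of at), followed by the audit a defender would run to find such jobs, as an added example that is not part of the lab slides. The binary path C:\Users\Public\User_Feed_Synchronization.exe is an assumption; the task name is the slide's own. Run it in an elevated PowerShell on the Windows 7 victim.

```powershell
# Added example, not from the lab slides. Creates the slide's persistence job
# with schtasks.exe, then audits every scheduled task on the host for commands
# that run from outside the normal system locations.

$taskName = 'User_Feed_Synchronization'
$binary   = 'C:\Users\Public\User_Feed_Synchronization.exe'   # assumed path, no spaces

# 1. Attacker side. Equivalent of:
#      at \\VICTIM 8:17pm /every:M,W,F User_Feed_Synchronization.exe
#    Weekly on Monday/Wednesday/Friday at 20:17, running as SYSTEM (as at jobs do).
#    /F overwrites an existing task of the same name. A path containing spaces
#    would need to be wrapped in escaped double quotes for /TR.
schtasks.exe /Create /F /SC WEEKLY /D MON,WED,FRI /ST 20:17 /RU SYSTEM /TN $taskName /TR $binary

# 2. Defender side. Dump every task with full details as CSV and flag any whose
#    command does not live under %SystemRoot% or Program Files.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})

$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }   # schtasks repeats the CSV header per task folder

$suspicious = foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    # Tasks implemented as COM handlers have no command line to check
    if ([string]::IsNullOrWhiteSpace($cmd) -or $cmd -eq 'COM handler') { continue }

    # Expand %SystemRoot%-style variables and drop a leading quote before the path check
    $expanded  = [Environment]::ExpandEnvironmentVariables($cmd).TrimStart('"')
    $inTrusted = $false
    foreach ($root in $trustedRoots) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inTrusted = $true
            break
        }
    }
    if (-not $inTrusted) {
        [pscustomobject]@{
            TaskName = $t.TaskName
            RunAs    = $t.'Run As User'
            Author   = $t.Author
            Schedule = '{0} {1} {2}' -f $t.'Schedule Type', $t.Days, $t.'Start Time'
            Command  = $cmd
        }
    }
}

# The job created above shows up here: it runs as SYSTEM from C:\Users\Public
$suspicious | Format-Table -AutoSize
```

The path filter is a first cut only: an attacker who drops the binary under System32 (as the next section suggests) passes it, so in practice the RunAs, Author and creation time columns are compared against a baseline as well.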
COVERING TRACKS
Erase, Modify or Disable the Evidence
• Remove any unneeded files or tools that were added to the victim's machine
• Hide other files and resources in hidden or uncommon locations
  – Linux, Unix, OS X
    • Create a folder or file whose name begins with a dot (.); ls does not show it without -a
  – Windows
    • Hide files in the System32 or User folders, among thousands of legitimate files
    • Apply the hidden attribute (attrib +h); dir and Explorer skip hidden files by default
    • Use Alternate Data Streams (ADS)
C:\>type c:\info.txt > hello.txt:info.txt
C:\>start notepad hello.txt:info.txt
• The first command copies the contents of info.txt into a stream named info.txt attached to hello.txt (hello.txt is created if it does not exist); the second opens that stream in Notepad. hello.txt itself still appears empty in dir and Explorer.
• Create a blank text file
C:\Windows\system32> cd \
C:\>type nul > hello.txt
• Delete the original info.txt, so only the copy inside the stream remains
C:\>del info.txt
Why is this useful to us?
• Instead of hiding a text file, an attacker can hide a malware executable in an alternate data stream and then launch it on a schedule with the at program
• The hidden stream does not appear in Explorer or in a plain dir listing, and the reported size of hello.txt stays at 0 bytes
• It is hidden, not invisible: dir /R (Windows Vista and later) lists the streams of every file, and the Sysinternals streams utility sweeps whole directory trees, so an investigator who knows to look will find it
• On Windows Vista and later, start will not execute a binary directly from a stream, so the scheduled command has to go through a launcher such as wmic process call create
Alternate Data Streams (ADS)
• Alternate Data Streams (ADS) are a feature of the NTFS file system only; copying a file to FAT/exFAT or sending it by e-mail keeps the main stream and drops every other one
• They allow data to be forked into an existing file without affecting its functionality, its displayed size, or how traditional file-browsing utilities such as dir or Windows Explorer show it
• Every file has one unnamed default stream ($DATA); additional named streams are addressed as filename:streamname
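The hello.txt:info.txt trick done from PowerShell, together with the enumeration and clean-up a responder would run, as an added example that is not part of the lab slides. It uses the -Stream parameter of the file cmdlets (PowerShell 3.0 or later, so Windows 7 needs the Windows Management Framework update); the directory C:\Lab and the payload text are assumptions made so the script runs stand-alone.

```powershell
# Added example, not from the lab slides. Reproduces the ADS hiding trick,
# shows why the file still looks empty, then enumerates and strips the stream.
# Requires PowerShell 3.0+ for the -Stream parameter.

$dir  = 'C:\Lab'                                   # assumed working directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'hello.txt'

# --- attacker side --------------------------------------------------------
# type nul > hello.txt : an empty main ($DATA) stream
New-Item -ItemType File -Path $file -Force | Out-Null
# type info.txt > hello.txt:info.txt : the hidden data goes into a named stream
Set-Content -Path $file -Stream 'info.txt' -Value 'constructed secret payload'

# dir and Explorer report the size of the unnamed stream only, so this prints 0
'Visible size of hello.txt: {0} bytes' -f (Get-Item -Path $file).Length

# --- defender side --------------------------------------------------------
# Every stream on the file. The unnamed one is ':$DATA'; anything else is an ADS.
Get-Item -Path $file -Stream '*' | Select-Object FileName, Stream, Length

# Read the hidden content back (what `start notepad hello.txt:info.txt` shows)
Get-Content -Path $file -Stream 'info.txt'

# Sweep a directory tree for non-default streams. Zone.Identifier is the
# Mark-of-the-Web that browsers add to downloads and is normally benign;
# every other named stream deserves a look.
function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream '*' -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Finds C:\Lab\hello.txt with stream info.txt
Find-AlternateStreams -Root $dir

# Remove only the hidden stream; hello.txt and its main stream are untouched
Remove-Item -Path $file -Stream 'info.txt'
```

From cmd.exe the equivalent listing is dir /R, which prints each named stream on its own line beneath the file; the sweep above is the part cmd cannot do without the Sysinternals streams utility.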
Department of Computing
College of Computing and Informatics
Universiti Tenaga Nasional