Sunday, 27 December 2015

Get shell using missing autorun

HashFlare HashFlare
Today we will see another method to maintaining access of compromised pc.

(A)When we install program in windows environment , some of them are asking to run at startup times. So these program write its value to windows registry & whenever pc is restarted , program will run in background.When uninstallation of program is not completed ; then it fails to remove its value from registry. So it`s called Missing Autoruns.

After compromised pc ; we have to find missing autoruns in victim machine.For this purpose we will use sysinternal `s autorunsc.exe.

(1)Get meterpreter shell.

(2)Upload sysinternal`s autoruns.exe & autorun.exe to victim machine.

(3)Now from uploaded directory execute following command to get missing autoruns of machine

autorunsc.exe -a | findstr /n /R "File\ not\ found"

(4)Now we have list of file which is missing ; these files are run at startup time.


(5)In my case you can see that uTorrent.exe is missing .

(6)So now i rename my backdoor to uTorrent .exe & uploaded to the path where it`s not found.


Now whenever machine is restarted you get shell.(Don`t forget to running multi/handler!!!)

For just POC ; you can run autorunsc.exe again to find out whether  our backdoor (uTorrent.exe) is written successfully or not?

missing -autorun-backdoor

In above image you can see that  uTorrent.exe is no longer missing which missed in previous step.

(B)Now this is second method; but may be suspicious.

When you put binary in start up folder it will run automatically when pc is started.

Startup Folder Location in windows Xp:-

C:\Documents and Settings\"nirav"\Start Menu\Programs\Startup

Startup Folder location In windows 7:-

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

So upload your binary to start up folder ;make it hidden using following command.
attrb +h backdoor.exe
Restart machine & Hopefully you will get shell.


Post a Comment

Whatsapp Button works on Mobile Device only

Start typing and press Enter to search