Penetration Testing mailing list archives
Utilizing registry write access
From: natron <natron () invisibledenizen org>
Date: Wed, 21 May 2008 17:41:20 -0500
All,

Does anyone have a favorite location to load code from when granted remote registry access to a machine? I've used several different ones and all have their pros/cons, mostly that they require a user to log on or can be blocked from running via a policy setting. I'd love it if there were a location that the attacker could trigger remotely -- any ideas?

I tried replacing the screen saver as I remember that used to work ages ago (this could be triggered if RDP/3389 is open), but this reg value no longer accepts a cmd.exe value (I couldn't get it to work on Server 2003 or XP anyway).

Locations requiring triggers outside of the attacker's direct control (restart, user logon, or cmd.exe/explorer.exe execution):

HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM,HKCU\Software\Microsoft\Command Processor\AutoRun
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

-N
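An added PowerShell example (not part of the original post or the list archive) that exercises the same remote registry access the post is asking about, but read-only: it walks every location in the list above on a remote host over the Remote Registry service and reports what is set, which is the inventory you want both before planting something and when hunting for what someone else planted. It assumes the target's Remote Registry service is running (default on XP/2003, not on current Windows) and that the caller has read rights; per-user keys are read under HKU\<SID> for each loaded profile, because opening HKCU remotely does not map to the logged-on users. The script name and the $Locations table are the example's own.

```powershell
# Get-RemoteAutoruns.ps1 (example name): read the autorun locations listed in
# the post from a remote machine via the Remote Registry service, read-only.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName
)

# Locations from the post, relative to a root hive. Machine => check under HKLM;
# PerUser => check under every loaded user hive in HKU (remote stand-in for HKCU).
# Values, when set, restricts the check to the named values only.
$Locations = @(
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Run';                   Machine = $true;  PerUser = $true },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';               Machine = $true;  PerUser = $true },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx';             Machine = $true;  PerUser = $false },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\RunServices';           Machine = $true;  PerUser = $true },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce';       Machine = $true;  PerUser = $true },
    # Userinit is a comma-separated list; normally only userinit.exe is present,
    # so any second entry deserves a look.
    @{ Path = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon';           Machine = $true;  PerUser = $false; Values = @('Userinit') },
    @{ Path = 'Software\Microsoft\Windows NT\CurrentVersion\Windows';            Machine = $false; PerUser = $true;  Values = @('load') },
    @{ Path = 'Software\Microsoft\Command Processor';                            Machine = $true;  PerUser = $true;  Values = @('AutoRun') },
    @{ Path = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Machine = $true;  PerUser = $true }
)

function Read-AutorunKey {
    param(
        [Microsoft.Win32.RegistryKey]$Root,
        [string]$RootLabel,
        [hashtable]$Location
    )
    $key = $Root.OpenSubKey($Location.Path, $false)   # $false = read-only handle
    if ($null -eq $key) { return }                     # key absent on this host/user
    try {
        $names = if ($Location.Values) { $Location.Values } else { $key.GetValueNames() }
        foreach ($name in $names) {
            # Keep %VARS% unexpanded so the stored string is reported verbatim.
            $data = $key.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($null -eq $data) { continue }
            [pscustomobject]@{
                Computer = $ComputerName
                Key      = "$RootLabel\$($Location.Path)"
                Name     = $(if ($name -eq '') { '(Default)' } else { $name })
                Data     = $data
            }
        }
    }
    finally { $key.Close() }
}

# Connect to the remote HKLM and HKU hives over the Remote Registry service.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
try {
    foreach ($loc in $Locations) {
        if ($loc.Machine) {
            Read-AutorunKey -Root $hklm -RootLabel 'HKLM' -Location $loc
        }
        if ($loc.PerUser) {
            foreach ($sid in $hku.GetSubKeyNames()) {
                if ($sid -like '*_Classes') { continue }   # skip the per-user Classes hives
                $userRoot = $hku.OpenSubKey($sid, $false)
                if ($null -eq $userRoot) { continue }
                try   { Read-AutorunKey -Root $userRoot -RootLabel "HKU\$sid" -Location $loc }
                finally { $userRoot.Close() }
            }
        }
    }
}
finally {
    $hklm.Close()
    $hku.Close()
}

# Usage: .\Get-RemoteAutoruns.ps1 -ComputerName SRV01 | Format-Table -AutoSize
```

Only HKU hives that are currently loaded show up, so a user who has never logged on since boot (the very case the post complains about) has no hive to inspect; that is the same limitation that makes these locations depend on a later logon to fire.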