Utilizing registry write access
- From: natron <natron@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 21 May 2008 17:41:20 -0500
All,
Does anyone have a favorite location to load code from when granted
remote registry access to a machine? I've used several different ones
and all have their pros/cons, mostly that they require a user to log on
or can be blocked from running via a policy setting. I'd love it if
there were a location that the attacker could trigger remotely -- any
ideas?
I tried replacing the screen saver as I remember that used to work
ages ago (this could be triggered if RDP/3389 is open), but this reg
value no longer accepts a cmd.exe value (I couldn't get it to work on
Server 2003 or XP anyway).
Locations requiring triggers outside of the attacker's direct control
(restart, user logon, or cmd.exe/explorer.exe execution):
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM,HKCU\Software\Microsoft\Command Processor\AutoRun
HKLM,HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
-N
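As an added example (not part of natron's post): a PowerShell function that reads every location in the list above from a remote host over the same Remote Registry channel the post assumes the attacker has, and tags the per-value trigger. It is written from the auditing side, so a defender can see what an attacker with registry write access would have planted. It assumes the Remote Registry service is running on the target, that the caller is a local administrator there, and Windows PowerShell on the auditing host; `target01` and the function name are placeholders. HKCU has no remote equivalent, so the per-user keys are read from each logged-on user's hive under HKEY_USERS.

```powershell
# Added example, not from the original post. Reads the autorun locations listed
# in the post from a remote host via the Remote Registry service.
# Assumes: Remote Registry running on the target, local admin rights there,
# Windows PowerShell on the auditing host. Host name is a placeholder.
function Get-RemoteAutorunEntries {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    # Key, optional single value name, and the trigger the post says is needed.
    $machine = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run';                   Trigger = 'user logon' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';               Trigger = 'user logon' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx';             Trigger = 'user logon' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunServices';           Trigger = 'restart' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce';       Trigger = 'restart' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Trigger = 'user logon' },
        @{ Key = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Userinit'; Trigger = 'user logon' },
        @{ Key = 'Software\Microsoft\Command Processor';                  Value = 'AutoRun';  Trigger = 'cmd.exe execution' }
    )
    $perUser = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run';                   Trigger = 'that user logs on' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';               Trigger = 'that user logs on' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunServices';           Trigger = 'restart' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce';       Trigger = 'restart' },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Trigger = 'that user logs on' },
        @{ Key = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'; Value = 'load';    Trigger = 'that user logs on' },
        @{ Key = 'Software\Microsoft\Command Processor';                 Value = 'AutoRun'; Trigger = 'cmd.exe execution' }
    )

    # Emit one object per value found under $spec.Key beneath $base.
    function Read-Entries($base, $owner, $spec) {
        $k = $base.OpenSubKey($spec.Key)
        if (-not $k) { return }
        try {
            $names = if ($spec.Value) { @($spec.Value) } else { $k.GetValueNames() }
            foreach ($n in $names) {
                $data = $k.GetValue($n, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                if ($null -eq $data) { continue }
                $parts = @("$data" -split ',' | Where-Object { $_.Trim() })
                [pscustomobject]@{
                    Computer   = $ComputerName; Owner = $owner; Key = $spec.Key
                    Name       = $n; Data = "$data"; Trigger = $spec.Trigger
                    # Userinit normally lists only userinit.exe; AutoRun is normally absent.
                    Suspicious = ($n -eq 'Userinit' -and $parts.Count -gt 1) -or ($n -eq 'AutoRun')
                }
            }
        } finally { $k.Close() }
    }

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try { foreach ($s in $machine) { Read-Entries $hklm 'HKLM' $s } } finally { $hklm.Close() }

    # HKCU does not exist remotely; each logged-on user's hive is mounted under HKEY_USERS by SID.
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
    try {
        $sids = $hku.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
        foreach ($sid in $sids) {
            $userBase = $hku.OpenSubKey($sid)
            if (-not $userBase) { continue }
            try { foreach ($s in $perUser) { Read-Entries $userBase "HKU\$sid" $s } } finally { $userBase.Close() }
        }
    } finally { $hku.Close() }
}

# Usage (host name is a placeholder): list everything, suspicious Userinit/AutoRun entries first.
Get-RemoteAutorunEntries -ComputerName 'target01' | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Only hives that are currently loaded show up under HKEY_USERS, so a per-user entry planted for a user who is not logged on will not be seen this way; for those, the NTUSER.DAT on disk has to be examined separately. The Suspicious flag is deliberately narrow: Run-style keys legitimately hold many entries, so they are listed for review rather than scored.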