Has anyone worked on post-exploitation scripts?
#1
Hi,

I have a rootkit on a system, and I want to discover other connected machines, but I don't know how to do it.

I tried to use Wireshark or nmap with my C++ program, but it did not give anything; the key might be that I don't have admin rights.

Should I focus on getting admin rights first to start discovering, or are there tools to discover and spread in the network without admin rights?
#2
This has been moved to the malware forum.

In any case, how do you talk to your rootkit? Do you have a CLI on your side through which you can instruct the client to perform some action? If you can execute system commands, or run nmap, I am pretty sure you can just enumerate the local network.

Which OS are you targeting? And what commands are you using with nmap?
#3
I would not say that it is important to get administrative access first, especially because, if you are in a well-configured and updated network, it can be almost impossible on some hosts except through very specific vulnerabilities. The ideal is to look for the most vulnerable host and get in there.

But to think about how to do this, it is important to keep in mind what Vector said. What is the target system?
#4
Hi,

Thanks for the replies. The targeted systems are classic Windows, and I have a way to send commands and receive the results over the internet (I would rather keep the exact way to myself).

The key here is that I can download EXEs or scripts and start them in a different process, but nmap got caught every time. I wonder whether to use it in a DLL, but I'm not sure that would solve anything.

The rootkit is written in C++.
#5
(05-08-2021, 02:33 PM)jean_valjean Wrote: Hi,

Thanks for the replies. The targeted systems are classic Windows, and I have a way to send commands and receive the results over the internet (I would rather keep the exact way to myself).

The key here is that I can download EXEs or scripts and start them in a different process, but nmap got caught every time. I wonder whether to use it in a DLL, but I'm not sure that would solve anything.

The rootkit is written in C++.

If you can write a rootkit in C++, why not write a port scanner for your specific use case as well?

Also, the problem here is that nmap touches the disk before it gets executed. Fileless is always better than file-based, but you know what's even better than that? Using native tools. Have you tried running the arp, ipconfig and ping utilities?

I suggest you do a ping sweep before we start bringing in external tooling.
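The native-tools approach from the post above, as an added example that is not code from the thread or from any poster: it reads the local address and prefix (what ipconfig prints), ping-sweeps the subnet, then reads the ARP/neighbor cache (what arp -a prints) and finishes with a plain TCP connect check on a few common ports. It assumes Windows 8 / Server 2012 or later for the NetTCPIP cmdlets (Get-NetIPAddress, Get-NetNeighbor); the function names, the port list and the 300 ms / 500 ms timeouts are my choices. Nothing here needs admin rights or a raw socket.

```powershell
# Added example, not from the thread: live-host discovery on the local subnet
# using only components already present on Windows (NetTCPIP cmdlets on
# Windows 8 / Server 2012 and later, the .NET Ping and TcpClient classes, and
# the ARP/neighbor cache). None of it needs admin rights or drops a new binary.

$AllOnes = [int64][uint32]::MaxValue

function Get-LocalIPv4Network {
    # First non-loopback, non-APIPA IPv4 address and its prefix length
    # (the same information 'ipconfig' prints).
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1 IPAddress, PrefixLength
}

function Get-HostAddresses {
    param([string]$IPAddress, [int]$PrefixLength)
    # Enumerate usable host addresses in the subnet. Refuse anything wider than
    # a /16 so a mis-read prefix cannot turn into a multi-million-host sweep.
    if ($PrefixLength -lt 16 -or $PrefixLength -gt 30) { throw "Prefix /$PrefixLength not suitable for a sweep" }
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)                                    # network order -> host order
    $ip        = [int64][BitConverter]::ToUInt32($bytes, 0)
    $mask      = ($AllOnes -shl (32 - $PrefixLength)) -band $AllOnes
    $network   = $ip -band $mask
    $broadcast = $network -bor ((-bnot $mask) -band $AllOnes)
    for ($n = $network + 1; $n -lt $broadcast; $n++) {           # skip network and broadcast
        $b = [BitConverter]::GetBytes([uint32]$n)
        [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).ToString()
    }
}

function Invoke-PingSweep {
    param([string[]]$Targets, [int]$TimeoutMs = 300)
    # Sequential ICMP echo, equivalent to 'ping -n 1 -w 300' per host but
    # without spawning one process per address. Returns the addresses that replied.
    $pinger = [System.Net.NetworkInformation.Ping]::new()
    foreach ($t in $Targets) {
        try {
            $reply = $pinger.Send($t, $TimeoutMs)
            if ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success) { $t }
        } catch { }    # PingException (e.g. adapter down): treat as no answer
    }
}

function Get-NeighborHosts {
    # Read the ARP/neighbor cache ('arp -a' equivalent). After the sweep it also
    # lists hosts that answered ARP but dropped the ICMP echo, which the default
    # Windows firewall does, so this usually finds more than the ping replies.
    # Permanent entries (broadcast/multicast) are deliberately not requested.
    Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Delay, Probe |
        Select-Object IPAddress, LinkLayerAddress, State
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 500)
    # Plain TCP connect with a timeout: no raw sockets, so no admin needed.
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $handle = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out / filtered
        $client.EndConnect($handle)                                             # throws when refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

# --- run it ---
$net     = Get-LocalIPv4Network
$targets = @(Get-HostAddresses -IPAddress $net.IPAddress -PrefixLength $net.PrefixLength)
"Sweeping $($net.IPAddress)/$($net.PrefixLength) ($($targets.Count) addresses)"
$alive   = @(Invoke-PingSweep -Targets $targets)
"ICMP responders: $($alive.Count)"

$neighbors = @(Get-NeighborHosts)
"Neighbor cache entries after sweep: $($neighbors.Count)"
$neighbors | Format-Table -AutoSize

# Service discovery on everything that showed up either way (assumed port list).
$hosts = @($alive + $neighbors.IPAddress) | Sort-Object -Unique
foreach ($h in $hosts) {
    $open = foreach ($p in 22, 80, 135, 139, 443, 445, 3389) { if (Test-TcpPort -Target $h -Port $p) { $p } }
    if ($open) { "{0,-15} open: {1}" -f $h, ($open -join ',') }
}
```

Run it from an unprivileged PowerShell prompt. The sweep is deliberately sequential: a /24 takes about a minute worst case, and the single Ping instance is not safe for concurrent sends. The neighbor-cache read is the step worth keeping even if you drop the rest: it is entirely passive, and on a Windows segment it routinely lists hosts that never answered the echo requests. Both the ICMP sweep and the TCP connects are ordinary traffic that any network sensor sees, so the gain over nmap is only that nothing new touches the disk.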
#6
Hey,

Well, I think it might be possible to make a port scan, but the key then is to scan for vulns, or to use SE tools to infect another machine. The key for me will be to automate part or all of the process, so it can start to spread as soon as it has infected a machine.

But I'm afraid this is totally impossible...
#7
You could use something like masscan to scan the local subnet of the network. Find alive hosts, then proceed to the next step and port scan the alive hosts to discover services.

Also, maybe steal a trick or two from Neurax (a worm framework for self-spreading binaries wirelessly)? If I remember correctly, it copies itself onto logical disks found on the network.

Just throwing out some ideas for you. I haven't really made any rootkits of my own before.
#8
Hi,

Ty for the links, that was exactly what I was looking for!