In previous post   we saw that how can we execute schedule task after compromised PC.Today we will see another method to maintaining access of compromised pc.

(A)When we install program in windows environment , some of them are asking to run at startup times. So these program write its value to windows registry & whenever pc is restarted , program will run in background.When uninstallation of program is not completed ; then it fails to remove its value from registry. So it`s called Missing Autoruns.

After compromised pc ; we have to find missing autoruns in victim machine.For this purpose we will use sysinternal `s autorunsc.exe.

(1)Get meterpreter shell.
(2)Upload sysinternal`s autoruns.exe & autorun.exe to victim machine.
(3)Now from uploaded directory execute following command to get missing autoruns of machine
autorunsc.exe -a | findstr /n /R “File\ not\ found”
(4)Now we have list of file which is missing ; these files are run at startup time

(5)In my case you can see that uTorrent.exe is missing .
(6)So now i rename my backdoor to uTorrent .exe & uploaded to the path where it`s not found.

Now whenever machine is restarted you get shell.(Don`t forget to running multi/handler!!!)

For just POC ; you can run autorunsc.exe again to find out whether  our backdoor (uTorrent.exe) is written successfully or not?

In above image you can see that  uTorrent.exe is no longer missing which missed in previous step.

(B)Now this is second method; but may be suspicious.

When you put binary in start up folder it will run automatically when pc is started.

Startup Folder Location in windows Xp:-

C:\Documents and Settings\”nirav”\Start Menu\Programs\Startup

Startup Folder location In windows 7:-

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

So upload your binary to start up folder ;make it hidden using following command.
attrb +h backdoor.exe
Restart machine & Hopefully you will get shell.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s