Command Line FU The art of efficiency (Laziness)
Disclaimer
• I'm not a programmer
• I'm doing it wrong
• These scripts are horridly written
• Will include lolcats
Some OS options
• Windows
  • Windows Management Instrumentation Command-line (WMIC)
  • Batch files (.bat)
  • VBS
  • Cygwin
  • Macros (AutoIt Script, AutoHotkey)
  • PowerShell (<XP)
• Linux
  • Bash
  • Awk/Sed
  • Curl
• Android
  • Linux Deploy ( need loop/root )
  • Busybox
WMIC
• WMIC search systems for running 'exe' to hijack
FOR /F "delims==" %%A IN ('type ips.txt') DO wmic /Node:%%A /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call getowner
• Netstat with pid
for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)
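The netstat half of that slide is easier to keep correct in a script than in a nested for /f. As an added example that is not from the deck, this Python parses `netstat -nao` output, keeps the IPv6 rows the one-liner discards with find /v "::", and reports listeners that are not in an approved baseline; the netstat text and the baseline set are constructed, not captured from a real host.

```python
"""Added example (not from the slides): parse `netstat -nao` output and flag
listeners absent from a baseline. SAMPLE_NETSTAT and BASELINE are constructed."""
from typing import NamedTuple


class Listener(NamedTuple):
    proto: str
    ip: str
    port: int
    pid: int


def parse_endpoint(ep: str):
    """Windows prints IPv6 endpoints as [addr]:port and IPv4 as addr:port;
    splitting on the last ':' handles both (the slide's one-liner drops '::' rows)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(netstat_text: str):
    out = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows: Proto Local Foreign State PID; only LISTENING rows matter here
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ip, port = parse_endpoint(parts[1])
            out.append(Listener("TCP", ip, port, int(parts[4])))
        # UDP rows have no State column: Proto Local Foreign PID
        elif len(parts) == 4 and parts[0] == "UDP":
            ip, port = parse_endpoint(parts[1])
            out.append(Listener("UDP", ip, port, int(parts[3])))
    return out


def unexpected_listeners(netstat_text: str, baseline_ports):
    """Return listeners whose (proto, port) pair is not in the approved baseline."""
    return [l for l in parse_listeners(netstat_text) if (l.proto, l.port) not in baseline_ports]


SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       788
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       3120
  TCP    10.1.2.3:49700         10.1.2.9:443           ESTABLISHED     2456
  TCP    [::]:135               [::]:0                 LISTENING       788
  UDP    0.0.0.0:123            *:*                                    1104
"""
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 123)}

if __name__ == "__main__":
    for l in unexpected_listeners(SAMPLE_NETSTAT, BASELINE):
        print(f"Protocol={l.proto}, IP={l.ip}, Port={l.port}, PID={l.pid}")
```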
WMIC
• WMIC mask task killer (quickkill.exe)
PsExec.exe /accepteula -sd C:\quickkill\sysrun.bat
wmic process list brief | gawk "{print "PsExec" $2}" | egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt
FOR /F "delims==" %%A IN ('type out.txt') DO cax /killall%%A
VNC REPEATER
(diagram: VNC Server and VNC Client, each behind NAT, joined through an UltraVNC Repeater over a reverse VNC connection)
VNC REPEATER
• VNC Single click with reconnect/Aero disable/branding
• Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST"
  if errorlevel 1 goto restartvnc
• echo SET ID=%ID%>vnccheck.bat
• start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run
VNC REPEATER
(screenshot: random person running quickvnc)
Quickclean
• Securely deletes common temp files/folders for all users
• deletes c:\temp
• Internet Explorer temp files for all users
• Firefox cookies, saved passwords, cache, etc. for all users
• temp folders for all users
• old windows updates
• recycle bin
• %SystemRoot%\$ntuninstallK ( old windows updates )
• %SystemRoot%/$hf_mig$ ( old windows updates )
• OPTIONAL: all startup items for all users
• OPTIONAL: all outlook mailbox data and everything under 'Local Settings' for all users
Om Nom Nom Nom webs
• Common ways to hide code
  • Obfuscate code in java
  • Flash
  • Referer checking
  • Agent tag checking
  • Session Tokens
  • Mobile apps with pinning SSL Certs
• Tools to reproduce/sniff traffic
  • Command line Java (JavaScript-C SpiderMonkey)
  • Browser plugins (Live HTTP Headers, URL Snooper)
  • Wireshark / BurpSuite / proxychains / Proxifier (M$)
  • PHP: cURL
  • Curl
  • Replay Media Catcher
  • SWF Decompiler
  • Virtuous Ten Studio ( Android )
Om Nom Nom Nom webs ( proxies )
• JS
curl -s "http://nntime.com/proxy-list-01.htm" -A 'blzthedemogods' | egrep '(document.write| = )|;<\/script>' | sed -e 's/.*<td>/print("/g' -e 's/<script type="text\/javascript">document.write(//g' -e 's/":/:/g' -e 's/<\/script>.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js
• Referer checking/cookies/JS
curl -s -b cookie -c cookie -A "$varagent" --referer 'http://rosinstrument.com/raw_free_db.htm?&t=2' http://rosinstrument.com/raw_free_db.htm?&t=2
Om Nom Nom Nom google
• Images.google.com
curl "http://www.google.com/images?q=FIRST+LAST&hl=en&gbv=1&tbs=isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub("<","\n<"); print}' | grep imgurl | sed -e 's/.*imgurl=/<img src="/g' -e 's/&imgrefurl.*/">/g' >> $1-$2.html
Regex
• Mmmmm PII (Personally identifiable information: CC and SSN one liner for office)
find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}([0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
Regex
• Email: [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}
• Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
• IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
• UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)
• Complex strings (passwords or ... in my case HTML): (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}
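As an added example that is not part of the deck, the card, SSN and IP patterns above rerun in Python with the two checks a PII sweep needs to keep its hit list useful: a Luhn test on card matches, and a real RFC 1918 test in place of the slide's "Internal IP" pattern, which also matches public 172.x and 192.x space (Python's re supports the (?:...) groups the slide uses; egrep does not). The sample text is constructed.

```python
"""Added example (not from the slides): the deck's card, SSN and IP regexes in
Python with Luhn and RFC 1918 filters. Stdlib only; SAMPLE is constructed text."""
import ipaddress
import re

OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
# Card patterns as on the slide; Python's re supports (?:...), egrep does not.
CARD_RE = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?"        # Visa, 13 or 16 digits
    r"|5[1-5][0-9]{14}"                     # MasterCard
    r"|6011[0-9]{14}"                       # Discover
    r"|3(?:0[0-5]|[68][0-9])[0-9]{11}"      # Diners Club
    r"|3[47][0-9]{13})\b"                   # American Express
)
SSN_RE = re.compile(r"\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b")
IPV4_RE = re.compile(rf"\b(?:{OCTET}\.){{3}}{OCTET}\b")
# The slide's "Internal IP" pattern: any address starting with 10., 172. or 192.
SLIDE_INTERNAL_RE = re.compile(rf"\b(?:10|172|192)\.(?:{OCTET}\.){{2}}{OCTET}\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs the card regex accepts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text: str) -> list:
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]

def find_ssns(text: str) -> list:
    return [m.group(0) for m in SSN_RE.finditer(text)]

def slide_internal_ips(text: str) -> list:
    return [m.group(0) for m in SLIDE_INTERNAL_RE.finditer(text)]

def find_rfc1918_ips(text: str) -> list:
    """Only true private ranges; 172.32.x.x and 192.0.2.x are public space."""
    return [m.group(0) for m in IPV4_RE.finditer(text)
            if any(ipaddress.ip_address(m.group(0)) in n for n in RFC1918)]

SAMPLE = ("Card on file 4111111111111111, typo 4111111111111112, SSN 123-45-6789. "
          "Hosts 10.1.2.3, 172.32.1.1, 192.0.2.10 and 172.16.5.5.")

if __name__ == "__main__":
    print(find_cards(SAMPLE), find_ssns(SAMPLE))
    print("slide regex:", slide_internal_ips(SAMPLE), "rfc1918:", find_rfc1918_ips(SAMPLE))
```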
Random / Annoyances
• Ask.com Toolbar nag
reg add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
reg add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
• File associations
rem assoc .ppt=ppt
rem ftype ppt=%CD%\office\POWERPNT.EXE "%%1"
• Dump clear text password with mimikatz and Windows Credentials Editor (WCE)
Random / Annoyances
• Nmap MS00-067 scanner
nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.116 --open
• set power profile via command line
Powercfg.exe /SETACTIVE "Always On"
Powercfg.exe /SETACTIVE "Max Battery"
• Remove the .NET Credentials (stored user names and passwords)
Control keymgr.dll
• Checking Oracle sids with nmap
nmap -n --script=oracle-sid-brute -p 1521-1560 IP
nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP
Make it portable!
• SFX (self-extracting archive)
• QEMU images (MicroXP 2011)
• Use a real language, statically compiled
• App virtualization: Spoon Studio, VMware ThinApp or Cameyo
Contact/Reference
• Fu
http://rmccurdy.com/scripts/fu.txt
http://rmccurdy.com/scripts/fu_ripp.txt ( ripped from commandlinefu.com )
• Some examples used in presentation
http://rmccurdy.com/scripts/proxy/proxycheck.sh
http://rmccurdy.com/scripts/quickvnc/