Phreaknic Talk - Command Line FU and J00


Command Line FU
The art of efficiency (Laziness)
Disclaimer
• I’m not a programmer
• I’m doing it wrong
• These scripts are horridly written
• Will include lolcats
Rmccurdy.com
Some OS options
• Windows
  • Windows Management Instrumentation Command-line (WMIC)
  • Batch files (.bat)
  • VBS
  • Cygwin
  • Macros (AutoItScript, AutoHotkey)
  • PowerShell (<XP)
• Linux
  • Bash
  • Awk/Sed
  • Curl
• Android
  • Linux Deploy ( needs loop/root )
  • Busybox
WMIC
• WMIC: search systems for running 'exe' to hijack (in a .bat file the % in the LIKE pattern has to be doubled, as below)
FOR /F "delims==" %%A IN ('type ips.txt') DO wmic /Node:%%A /user:username /password:yourpassword /FAILFAST:ON process where "name like '%%.exe'" call getowner
• Netstat with pid (interactive cmd one-liner, hence single %)
for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)
WMIC
• WMIC mask task killer (quickkill.exe)
PsExec.exe /accepteula -sd C:\quickkill\sysrun.bat
wmic process list brief | gawk "{print "PsExec" $2}" | egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt
FOR /F "delims==" %%A IN ('type out.txt') DO cax /killall %%A
VNC REPEATER
(diagram: VNC Client behind NAT and Reverse VNC Server behind NAT, both connecting out to an UltraVNC Repeater)
VNC REPEATER
• VNC Single Click with reconnect / Aero disable / branding
Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST"
if errorlevel 1 goto restartvnc
echo SET ID=%ID%>vnccheck.bat
start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run
VNC REPEATER
(screenshot: random person running quickvnc)
OclHashcat batchcrack
Quickclean
• Securely deletes common temp files/folders for all users
  • deletes c:\temp
  • Internet Explorer temp files for all users
  • Firefox cookies, saved passwords, cache etc. for all users
  • temp folders for all users
  • old Windows updates
  • recycle bin
  • %SystemRoot%\$ntuninstallK ( old windows updates )
  • %SystemRoot%/$hf_mig$ ( old windows updates )
  • OPTIONAL: all startup items for all users
  • OPTIONAL: all Outlook mailbox data and everything under 'Local Settings' for all users
Om Nom Nom Nom webs
• Common ways to hide code
  • Obfuscated code in Java
  • Flash
  • Referer checking
  • Agent tag checking
  • Session tokens
  • Mobile apps with pinned SSL certs
• Tools to reproduce/sniff traffic
  • Command line JavaScript (JavaScript-C / SpiderMonkey)
  • Browser plugins (Live HTTP Headers, URL Snooper)
  • Wireshark / BurpSuite / proxychains / Proxifier (M$)
  • PHP: cURL
  • Curl
  • Replay Media Catcher, SWFDecompiler
  • Virtuous Ten Studio ( Android )
Om Nom Nom Nom webs ( proxies )
• JS (the page's inline document.write() calls are rewritten into print() statements and fed to the SpiderMonkey js shell)
curl -s "http://nntime.com/proxy-list-01.htm" -A 'blzthedemogods' | egrep '(document.write| = )|;<\/script>' | sed -e 's/.*<td>/print("/g' -e 's/<script type="text\/javascript">document.write(//g' -e 's/":/:/g' -e 's/<\/script>.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js
• Referer checking/cookies/JS
curl -s -b cookie -c cookie -A "$varagent" --referer 'http://rosinstrument.com/raw_free_db.htm?&t=2' http://rosinstrument.com/raw_free_db.htm?&t=2
Om Nom Nom Nom google
• Images.google.com
curl "http://www.google.com/images?q=FIRST+LAST&hl=en&gbv=1&tbs=isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub("<","\n<"); print}' | grep imgurl | sed -e 's/.*imgurl=/<img src="/g' -e 's/&imgrefurl.*/">/g' >> $1$2.html
Regex
• Mmmmm PII (personally identifiable information: CC and SSN one-liner for Office documents; egrep's ERE has no (?:...) groups, so plain groups are used)
find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}([0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(0[0-5]|[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
Regex
• Email: [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}
• Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
• IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
• UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)
• Complex strings (passwords or ... in my case HTML): (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}
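An added example, not from the talk or its scripts: the card, SSN and internal-IP patterns from these two slides run over constructed text in Python, going one step beyond the slides with two filters a data-discovery sweep wants, a Luhn check on card candidates and an explicit RFC 1918 range check on the IP hits (the slide pattern only looks at the first octet, so 172.32.x.x also matches). The sample text, the 4111... test card number and the hypothetical helper names are mine.

```python
import ipaddress
import re

# Card and SSN patterns from the slide (Python's re supports the (?:...) groups).
CARD_RE = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{14}"
    r"|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})\b")
SSN_RE = re.compile(r"\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b")
# "Internal IP" pattern from the slide: only the first octet is restricted.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
INTERNAL_IP_RE = re.compile(r"\b(?:10|172|192)\." + r"\.".join([OCTET] * 3) + r"\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def luhn_ok(digits):
    """Luhn mod-10 check: drops random digit runs the card regex would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_rfc1918(ip):
    """The slide regex accepts 172.32.x.x or 192.0.x.x; this check does not."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_cards(text):
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]


def find_ssns(text):
    return SSN_RE.findall(text)


def find_private_ips(text):
    return [ip for ip in INTERNAL_IP_RE.findall(text) if is_rfc1918(ip)]


# Constructed sample: a Luhn-valid test card number, one that fails Luhn,
# a made-up SSN, and four addresses the slide regex would all report as internal.
SAMPLE = ("order 4111111111111111 ok, ref 4111111111111112 bad, ssn 123-45-6789, "
          "hosts 10.1.2.3 172.32.0.1 192.168.5.7 172.16.0.9")

if __name__ == "__main__":
    print(find_cards(SAMPLE), find_ssns(SAMPLE), find_private_ips(SAMPLE))
```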
Random / Annoyances
• Ask.com Toolbar nag
Reg Add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
Reg Add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
• File associations
rem assoc .ppt=ppt
rem ftype ppt=%CD%\office\POWERPNT.EXE "%%1"
• Dump clear text passwords with mimikatz and Windows Credentials Editor (WCE)
Random / Annoyances
• Nmap MS00-067 scanner
nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.116 --open
• Set power profile via command line
Powercfg.exe /SETACTIVE "Always On"
Powercfg.exe /SETACTIVE "Max Battery"
• Remove the .NET credentials (stored user names and passwords)
Control keymgr.dll
• Checking Oracle SIDs with nmap
nmap -n --script=oracle-sid-brute -p 1521-1560 IP
nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP
Autohotkey
Make it portable!
• SFX (self-extracting archive)
• QEMU images (MicroXP 2011)
• Use a real language and statically compile
• App virtualization
  • Spoon Studio, VMware ThinApp or Cameyo
Contact/Reference
• Fu
http://rmccurdy.com/scripts/fu.txt
http://rmccurdy.com/scripts/fu_ripp.txt ( ripped from commandlinefu.com )
• Some examples used in presentation
http://rmccurdy.com/scripts/proxy/proxycheck.sh
http://rmccurdy.com/scripts/quickvnc/