1 / 20

Command Line FU

Command Line FU. The art of efficiency ( Laziness). Disclaimer. I’m not a programmer I’m doing it wrong These scripts are horridly written Will include lolcats. Some OS options. Windows Windows Management Instrumentation Command-line (WMIC) Batch files (.bat) VBS Cygwin

dolores-soto
Download Presentation

Command Line FU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Command Line FU The art of efficiency (Laziness)

  2. Disclaimer • I’m not a programmer • I’m doing it wrong • These scripts are horridly written • Will include lolcats

  3. Some OS options • Windows • Windows Management Instrumentation Command-line (WMIC) • Batch files (.bat) • VBS • Cygwin • Macros (AutoItScriptAutoHotkey) • PowerShell (<XP) • Linux • Bash • Awk/Sed • Curl • Android • Linux Deploy ( need loop/root ) • Busybox

  4. WMIC • Wmicfu search systems for running ‘exe’ to hijack FOR /F “delims==“ %%A IN (‘type ips.txt’) DO wmic /Node:%%A wmic /user:username /password:yourpassword /FAILFAST:ON process where “name like ‘%.exe’” call getowner • Netstatwith pid for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)

  5. WMIC • Wmicfu mask task killer (quickkill.exe) wmic process list brief | gawk "{print "PsExec" $2}"| egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt FOR /F "delims==" %%A IN ('type out.txt') DO cax /killall%%A

  6. VNC REPEATER NAT NAT UltraVNC Repeater Reverse VNC Server VNC Client

  7. VNC REPEATER • VNC Single click with reconnect/Areo disable/branding • Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST" if errorlevel 1 gotorestartvnc • echo SET ID=%ID%>vnccheck.bat • start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run

  8. OclHashcatbatchcrack

  9. Quickclean • Securely deletes common temp files/folders for all users • deletes c:\temp • Internet explorer temp files for all users • firefoxcookies,saved,cache passwords etc for all users • temp folders for all users • old windows updates • recycle bin • %SystemRoot%\$ntuninstallK ( old windows updates ) • %SystemRoot%/$hf_mig$ ( old windows updates ) • OPTIONAL: all startup items for all users • OPTIONAL: all outlook mailbox data and everything under 'Local Settings' for all users

  10. Om Nom NomNom webs • Common ways to hide code • Obfuscate code in java • Flash • Refer checking • Agent tag checking • Session Tokens • Tools to reproduce/sniff traffic • Command line Java (JavaScript-C SpiderMonkey) • Browser plugins (Live HTTP Headers, URL Snooper) • Wireshark / BurpSuite / proxychainsProxifier(M$) • PHP: cURL • Curl • Replay Media Catcher SWFDecompiler

  11. Om Nom NomNom webs ( proxies ) • JS curl -s "http://nntime.com/proxy-list-01.htm" -A ‘blzthedemogods' | egrep '(document.write| = )|;<\/script>' |sed -e 's/.*<td>/print("/g' -e 's/<script type="text\/javascript">document.write(//g' -e 's/":/:/g' -e 's/<\/script>.*/;/g' | sed '/^[ \t]/d' | tr -d '\r‘|js • Refer checking/cookies/JS curl -s -b cookie -c cookie -A '"$varagent"' --referer 'http://rosinstrument.com/raw_free_db.htm?&t=2' http://rosinstrument.com/raw_free_db.htm?&t=2

  12. Om Nom NomNomgoogle • Images.google.com curl "http://www.google.com/images?q=FIRST+LAST&hl=en&gbv=1&tbs=isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub("<","\n<"); print}' | grepimgurl| sed -e 's/.*imgurl=/<imgsrc="/g' -e 's/&imgrefurl.*/">/g' >> $1-$2.html

  13. Regex • Mmmmm PII (Personally identifiable information CC and SSN one liner for office) find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b“

  14. Regex • Email: [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4} • Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b • IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b • UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*) • Complex strings (passwords or ... In my case HTML) (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}

  15. Random / Annoyances • Ask.com Toolbar nag RegAdd "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F RegAdd "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F • File associations rem assoc .ppt=ppt rem ftypeppt=%CD%\office\POWERPNT.EXE "%%1" • Dump clear text password with mimikatz and Windows Credentials Editor (WCE)

  16. Random / Annoyances • Nmap MS00-067 scanner nmap  --script smb-check-vulns.nse --script- args=unsafe=1 -p445 192.168.1.116  --open • set power profile via command line Powercfg.exe /SETACTIVE "Always On" Powercfg.exe /SETACTIVE "Max Battery“ • Remove the .NET Credentials (Stored User names and Passwords) Control keymgr.dll • Checking oracle sids with nmap nmap-n --script=oracle-sid-brute -p 1521-1560 IP nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP

  17. Autohotkey

  18. Make it portable! • SFX Self extracting archive) • Spoon Studio,VmwareThinapp,Cameyo • QEMU (MicroXP2011) • Use a real language statically compile

  19. Make it portable!

  20. Contact/Reference • Fu http://rmccurdy.com/scripts/fu.txt http://rmccurdy.com/scripts/fu_ripp.txt ( ripped from commandlinefu.com ) • Some examples used in presentation http://rmccurdy.com/scripts/proxy/proxycheck.sh http://rmccurdy.com/scripts/quickvnc/

More Related