Command Line FU
The art of efficiency (laziness).

2 Disclaimer
I'm not a programmer.
I'm doing it wrong.
These scripts are horridly written.
Will include lolcats.

3 Some OS options
Windows:
Windows Management Instrumentation Command-line (WMIC)
Batch files (.bat)
VBS
Cygwin
Macros (AutoItScript, AutoHotkey)
PowerShell

4 WMIC
Wmic fu: search systems for running 'exe' to hijack
FOR /F "delims==" %A IN ('type ips.txt') DO wmic /Node:%A /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call getowner
Netstat with PID:
for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)

5 WMIC
Wmic fu: mask task killer (quickkill.exe)
wmic process list brief | gawk "{print "PsExec" $2}" | egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt
FOR /F "delims==" %A IN ('type out.txt') DO cax /killall %A

6 VNC REPEATER
(Diagram; labels: NAT, VNC Client, Reverse VNC Server, UltraVNC Repeater)

7 VNC REPEATER
VNC single click with reconnect / Aero disable / branding
Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST"
if errorlevel 1 goto restartvnc
echo SET ID=%ID%>vnccheck.bat
start winvnc -autoreconnect -id:%ID% -connect -run

8 OclHashcat
batchcrack

9 Quickclean
Securely deletes common temp files/folders for all users:
c:\temp
Internet Explorer temp files for all users
Firefox cookies, saved passwords, cache, etc. for all users
Temp folders for all users
Old Windows updates
Recycle bin
%SystemRoot%\$ntuninstallK (old Windows updates)
%SystemRoot%/$hf_mig$ (old Windows updates)
OPTIONAL: all startup items for all users
OPTIONAL: all Outlook mailbox data and everything under 'Local Settings' for all users

10 Om Nom Nom Nom webs
Common ways to hide code:
Obfuscated code in JavaScript
Flash
Referer checking
User-Agent tag checking
Session tokens
Tools to reproduce/sniff traffic:
Command-line JavaScript (JavaScript-C, SpiderMonkey)
Browser plugins (Live HTTP Headers, URL Snooper)
Wireshark / BurpSuite / proxychains
Proxifier (M$)
PHP: cURL
curl
Replay Media Catcher
SWFDecompiler

11 Om Nom Nom Nom webs (proxies)
JS:
curl -s "" -A 'blzthedemogods' | egrep '(document.write| = )|; ' | sed -e 's/.* /print("/g' -e 's/ document.write(//g' -e 's/":/:/g' -e 's/.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js
Referer checking / cookies / JS:
curl -s -b cookie -c cookie -A "$varagent" --referer ''

12 Om Nom Nom Nom google
curl " =isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub(" /g' >> $1-$2.html

13 Regex
Mmmmm PII (Personally Identifiable Information): CC and SSN one-liner for Office documents
find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"

14 Regex
Email: [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}
Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)
Complex strings (passwords or... in my case HTML): (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}
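The two regex slides above feed their patterns to egrep. The following is an added Python example, not code from the presentation, that applies the same patterns from the re module instead: the (?:...) non-capturing groups in the card patterns are Python/PCRE syntax that POSIX egrep does not understand, so re (or grep -P) is the safer home for them. It adds a Luhn checksum to drop digit runs that merely look like card numbers, repairs the Diners pattern (the slide's version puts \b between digits and can never match), and shows the slide's internal-IP pattern, which accepts any 172.x or 192.x address, beside a tightened RFC 1918 version. The sample text, the RFC 1918 pattern and the Luhn filter are constructed for this example and are not on the slides.

```python
import re

# Patterns taken from the slides, with the extraction spacing removed.
# The (?:...) groups are Python/PCRE syntax, not POSIX ERE, so they are
# used here with re rather than with egrep.
CARD_PATTERNS = {
    "visa": r"\b4[0-9]{12}(?:[0-9]{3})?\b",
    "mastercard": r"\b5[1-5][0-9]{14}\b",
    "discover": r"\b6011[0-9]{14}\b",
    # Repaired Diners pattern: the slide's version places \b between digits,
    # so it could never match.
    "diners": r"\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b",
    "amex": r"\b3[47][0-9]{13}\b",
}
SSN_PATTERN = r"\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
EMAIL_PATTERN = r"[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}"  # slide pattern; needs re.I
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IP_PATTERN = rf"\b{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}\b"
# The slide's internal-IP pattern (group made non-capturing so findall
# returns whole addresses): any address starting 10., 172. or 192.
SLIDE_INTERNAL_IP = rf"\b(?:10|172|192)\.{OCTET}\.{OCTET}\.{OCTET}\b"
# Tightened form, an assumption added here: only RFC 1918 space
# (10/8, 172.16/12, 192.168/16).
RFC1918_PATTERN = (
    rf"\b(?:10\.{OCTET}|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.{OCTET}\.{OCTET}\b"
)

# Constructed sample standing in for the text that `unzip -p` pulls out of an
# Office document; the numbers are well-known test values, not real data.
SAMPLE = (
    "<w:p><w:r><w:t>Card 4111111111111111 on file, "
    "old 4111111111111112 rejected; Diners 36148900647913.</w:t></w:r></w:p>"
    "<w:t>SSN 123-45-6789, contact Jane.Doe@example.com</w:t>"
    "<w:t>hosts 10.1.2.3 172.31.0.9 172.40.1.1 192.0.2.10 8.8.8.8</w:t>"
)


def strip_markup(text: str) -> str:
    """Same idea as the slide's sed: drop XML tags, squash non-printables."""
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"[^\x20-\x7e]+", " ", text)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def loose_internal_ips(text: str) -> list:
    """What the slide's internal-IP pattern flags, including non-RFC1918 hits."""
    return re.findall(SLIDE_INTERNAL_IP, text)


def scan(text: str) -> dict:
    """Run every slide pattern over already-stripped text."""
    findings = {"cards": [], "ssn": [], "email": [], "ip": [], "internal_ip": []}
    for name, pat in CARD_PATTERNS.items():
        for m in re.finditer(pat, text):
            if luhn_ok(m.group(0)):  # regex hit alone is not enough
                findings["cards"].append((name, m.group(0)))
    findings["ssn"] = re.findall(SSN_PATTERN, text)
    findings["email"] = re.findall(EMAIL_PATTERN, text, re.I)
    findings["ip"] = re.findall(IP_PATTERN, text)
    findings["internal_ip"] = re.findall(RFC1918_PATTERN, text)
    return findings


if __name__ == "__main__":
    clean = strip_markup(SAMPLE)
    for kind, hits in scan(clean).items():
        print(f"{kind}: {hits}")
    print("slide internal-IP pattern:", loose_internal_ips(clean))
```

On the constructed sample the Luhn check discards 4111111111111112, the repaired Diners pattern picks up 36148900647913, and the slide's internal-IP pattern flags 172.40.1.1 and 192.0.2.10 that the RFC 1918 version leaves out.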

15 Random / Annoyances
Toolbar nag:
Reg Add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
Reg Add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
File associations:
rem assoc .ppt=ppt
rem ftype ppt=%CD%\office\POWERPNT.EXE "%1"
Dump clear text passwords with mimikatz and Windows Credentials Editor (WCE)

16 Random / Annoyances
Nmap MS00-067 scanner:
nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 --open
Set power profile via command line:
Powercfg.exe /SETACTIVE "Always On"
Powercfg.exe /SETACTIVE "Max Battery"
Remove the .NET credentials (Stored User Names and Passwords):
Control keymgr.dll
Checking Oracle SIDs with nmap:
nmap -n --script=oracle-sid-brute -p 1521-1560 IP
nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP

17 Autohotkey

18 Make it portable!
SFX (self-extracting archive)
Spoon Studio, VMware ThinApp, Cameyo
QEMU (MicroXP 2011)
Use a real language and statically compile

19 Make it portable!

20 Contact/Reference
Fu (ripped from )
Some examples used in presentation

