
1 Command Line FU The art of efficiency (Laziness)

2 Disclaimer
I'm not a programmer. I'm doing it wrong. These scripts are horridly written. Will include lolcats.
Rmccurdy.com

3 Some OS options
Windows: Windows Management Instrumentation Command-line (WMIC); batch files (.bat); VBS; Cygwin; macros (AutoItScript, AutoHotkey); PowerShell (XP and later; only shipped in the box from Windows 7 on)
Linux: Bash; awk/sed; curl
Android: Linux Deploy (needs loop-device support and root); BusyBox

4 WMIC
WMIC fu: list the running .exe processes and their owners on every host in ips.txt (looking for sessions worth hijacking):
  FOR /F "delims==" %A IN ('type ips.txt') DO wmic /node:%A /user:username /password:yourpassword /failfast:on process where "name like '%.exe'" call getowner
(Typed at an interactive prompt. Inside a .bat file double both the loop variable and the LIKE wildcard: %%A and %%.exe. /failfast:on skips hosts that do not answer instead of hanging on each one.)
Netstat with PID, process name and path. Tokens 1, 2, 3 and 7 of each netstat -nao line (split on ":" and space) are protocol, local IP, local port and PID; find /v "::" drops the IPv6 rows, and the inner loop asks WMI for the caption and executable path of that PID:
  for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)

5 WMIC
WMIC fu: mass task killer (quickkill.exe). List every process, drop the ones on the keep-alive list (core Windows processes plus the AV/management agents), and kill whatever is left. The list is matched case-insensitively as substrings (-vi), so a short entry such as cmd also spares anything whose name contains it:
  wmic process list brief | gawk "{print "PsExec" $2}" | egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt
  FOR /F "delims==" %A IN ('type out.txt') DO cax /killall %A

6 VNC REPEATER
(diagram: VNC client, NAT, reverse-connecting VNC server, UltraVNC Repeater. Server and client both connect outbound to the repeater and are joined there by ID, so nothing behind the NAT needs an inbound port.)

7 VNC REPEATER
VNC single-click with reconnect, Aero disable and branding. Check whether winvnc.exe still has an ESTABLISHED connection; if not, restart it against the repeater:
  tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST"
  if errorlevel 1 goto restartvnc
  echo SET ID=%ID%>vnccheck.bat
  start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run
(egrep here comes from Cygwin/GnuWin32. host::port is UltraVNC's repeater syntax and -id: is the repeater session ID, so 3389 is simply the port the repeater listens on, not RDP.)

8 OclHashcat batchcrack

9 Quickclean
Securely deletes common temp files/folders for all users:
  c:\temp
  Internet Explorer temp files for all users
  Firefox cookies, cache, saved passwords etc. for all users
  temp folders for all users
  recycle bin
  %SystemRoot%\$NtUninstallKB*$ (old Windows update uninstall folders)
  %SystemRoot%\$hf_mig$ (old Windows updates; Windows reads this folder when later hotfixes or service packs are installed, so removing it can cause file-version trouble afterwards)
  OPTIONAL: all startup items for all users
  OPTIONAL: all Outlook mailbox data and everything under 'Local Settings' for all users

10 Om Nom Nom Nom webs
Common ways sites hide content or code: obfuscated JavaScript; Flash; Referer checking; User-Agent checking; session tokens
Tools to reproduce/sniff the traffic: command-line JavaScript (SpiderMonkey's js shell, "JavaScript-C"); browser plugins (Live HTTP Headers, URL Snooper); Wireshark / Burp Suite / proxychains; Proxifier (Windows); PHP cURL / curl; Replay Media Catcher; SWF Decompiler

11 Om Nom Nom Nom webs (proxies)
JS: the proxy list builds part of each entry with document.write() calls, so pull the page with a custom User-Agent, keep the variable assignments and document.write lines, turn them into print() statements and let the SpiderMonkey js shell evaluate them:
  curl -s "http://nntime.com/proxy-list-01.htm" -A 'blzthedemogods' | egrep '(document.write| = )|; ' | sed -e 's/.* /print("/g' -e 's/ document.write(//g' -e 's/":/:/g' -e 's/.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js
Referer checking / cookies / JS: read and write the cookie jar (-b/-c), send a browser-looking User-Agent and a Referer that matches what the site expects, and quote the URL so the shell does not eat the &:
  curl -s -b cookie -c cookie -A "$varagent" --referer 'http://rosinstrument.com/raw_free_db.htm?&t=2' 'http://rosinstrument.com/raw_free_db.htm?&t=2'

12 Om Nom Nom Nom google
images.google.com (gbv=1 asks for the basic no-JavaScript version of the results page, tbs=isch:1,isz:l for large images, safe=off turns SafeSearch off; $1 and $2 are the first and last name passed to the script):
  curl "http://www.google.com/images?q=FIRST+LAST&hl=en&gbv=1&tbs=isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub(" /g' >> $1-$2.html

13 Regex
Mmmmm PII (personally identifiable information): credit-card and SSN one-liner for Office documents. .docx/.xlsx/.pptx files are zip containers, so unzip -p streams their XML to stdout, sed strips the tags and non-printables, and egrep does the matching:
  find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}([0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{12}\b|\b3(0[0-5]|[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
(egrep speaks POSIX ERE, so use plain (...) groups rather than Perl's (?:...). Discover numbers are 16 digits, so 6011 is followed by 12 more digits, not 14. Expect false positives: any digit run of the right length matches, and a Luhn checksum on the candidates removes most of them.)

14 Regex
Email (run with egrep -i, the classes are upper-case only): [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}
Internal IP (loose: matches anything starting 10., 172. or 192., not only the RFC 1918 blocks): \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
UNC or drive path (the (?#...) comments here and the (?=...) lookaheads below are Perl/.NET syntax, so these two need grep -P or another PCRE engine): ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)
Complex strings (passwords or... in my case HTML): six or more non-space characters containing at least one upper-case letter, one lower-case letter and one digit: (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}
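The card, SSN and internal-IP patterns from slides 13 and 14 as reusable bash functions, added here as an example; this is not code from the slides or from rmccurdy.com's scripts. It goes beyond the slides in two ways a practitioner wants: card candidates are confirmed with a Luhn checksum before they are reported, and "internal IP" is tightened to the RFC 1918 blocks only. It assumes GNU grep (for \b in -E mode) and bash; the text it scans is constructed sample data, not real records.

```shell
#!/usr/bin/env bash
# Added example: PII grep functions in the spirit of slides 13/14, with a
# Luhn check on card candidates and RFC 1918-only internal-IP matching.
# Requires bash and GNU grep. The sample text below is constructed.

# Card ERE from slide 13 with plain groups (POSIX ERE has no (?:...)) and
# Discover corrected to 16 digits.
CARD_RE='\b(4[0-9]{12}([0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{12}|3[47][0-9]{13}|3(0[0-5]|[68][0-9])[0-9]{11})\b'
SSN_RE='\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b'
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
# 10/8, 172.16/12 and 192.168/16 only (the slide's version takes all of 172.x and 192.x)
PRIV_IP_RE="\b(10\.$OCTET\.$OCTET\.$OCTET|172\.(1[6-9]|2[0-9]|3[01])\.$OCTET\.$OCTET|192\.168\.$OCTET\.$OCTET)\b"

# Constructed sample input (test card numbers, a well-known sample SSN).
sample_text() {
  cat <<'EOF'
Order 1234 paid with card 4111111111111111 on 2012-01-05
Refund to 5500000000000004 and 378282246310005 done
Declined: 4111111111111112 (fails Luhn, must not be reported)
Employee SSN 078-05-1120 recorded; phone 555-123-4567 is not an SSN
Hosts: 10.20.30.40 172.31.0.9 172.32.0.9 192.168.1.5 192.0.2.7 8.8.8.8
EOF
}

# Luhn mod-10: from the right, double every second digit, subtract 9 from
# doubled values above 9, and require the digit sum to be a multiple of 10.
luhn_ok() {
  local n="$1" sum=0 double=0 i d
  for (( i = ${#n} - 1; i >= 0; i-- )); do
    d=${n:i:1}
    if [ "$double" -eq 1 ]; then
      d=$(( d * 2 ))
      [ "$d" -gt 9 ] && d=$(( d - 9 ))
    fi
    sum=$(( sum + d ))
    double=$(( 1 - double ))
  done
  [ $(( sum % 10 )) -eq 0 ]
}

# stdin -> one Luhn-valid card number per line (regex hits that fail Luhn are dropped)
find_cards() {
  local c
  grep -oE "$CARD_RE" | while read -r c; do
    if luhn_ok "$c"; then printf '%s\n' "$c"; fi
  done
  return 0
}

# stdin -> SSN-shaped strings, minus area numbers the SSA never issues (000, 666, 9xx)
find_ssns() {
  grep -oE "$SSN_RE" | grep -vE '^(000|666|9[0-9]{2})-' || true
}

# stdin -> RFC 1918 addresses only
find_internal_ips() {
  grep -oE "$PRIV_IP_RE" || true
}

main() {
  echo "== cards (Luhn-valid) ==";  sample_text | find_cards
  echo "== SSNs ==";                sample_text | find_ssns
  echo "== internal IPs ==";        sample_text | find_internal_ips
}
main
```

To run it over Office documents as on slide 13, replace sample_text with the find/unzip/sed pipeline and feed its output to the three functions; the Luhn step is what turns a noisy regex sweep into something you can hand to an incident owner.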

15 Random / Annoyances
Ask.com toolbar nag (the Java installer's sponsor offer):
  reg add "HKLM\SOFTWARE\JavaSoft" /v "SPONSORS" /d DISABLE /t REG_SZ /f
  reg add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /v "SPONSORS" /d DISABLE /t REG_SZ /f
File associations (point .ppt at a PowerPoint carried next to the script):
  rem assoc .ppt=ppt
  rem ftype ppt=%CD%\office\POWERPNT.EXE "%1"
Dump clear-text passwords from LSASS with mimikatz and Windows Credentials Editor (WCE); both need admin/SYSTEM on the box.

16 Random / Annoyances
Nmap MS08-067 scanner (smb-check-vulns only runs the MS08-067 test with unsafe=1, and that test can crash the target's SMB service, so don't aim it at production):
  nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.116 --open
Set the power profile from the command line:
  powercfg.exe /setactive "Always On"
  powercfg.exe /setactive "Max Battery"
Remove the .NET Passport credentials (Stored User Names and Passwords): control keymgr.dll
Checking Oracle SIDs with nmap, then brute-forcing logins against a known SID:
  nmap -n --script=oracle-sid-brute -p 1521-1560 IP
  nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP

17 Autohotkey

18 Make it portable!
SFX (self-extracting archive); Spoon Studio, VMware ThinApp, Cameyo; QEMU (MicroXP 2011); or use a real language and compile statically

19 Make it portable!

20 Contact/Reference
Fu: http://rmccurdy.com/scripts/fu.txt
http://rmccurdy.com/scripts/fu_ripp.txt (ripped from commandlinefu.com)
Some examples used in the presentation: http://rmccurdy.com/scripts/proxy/proxycheck.sh and http://rmccurdy.com/scripts/quickvnc/

