Command Line FU: The art of efficiency (Laziness)
Disclaimer
  I'm not a programmer
  I'm doing it wrong
  These scripts are horridly written
  Will include lolcats
Rmccurdy.com
Some OS options
  Windows: Windows Management Instrumentation Command-line (WMIC), Batch files (.bat), VBS, Cygwin, Macros (AutoItScript, AutoHotkey), PowerShell (<XP)
  Linux: Bash, Awk/Sed, Curl
  Android: Linux Deploy (needs loop/root), Busybox
WMIC / Wmic fu
  Search systems for running 'exe' to hijack:
    FOR /F "delims==" %A IN ('type ips.txt') DO wmic /Node:%A /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call getowner
  Netstat with PID, process name and path (the two missing DO clauses of the original one-liner restored):
    for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o
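The netstat one-liner above tokenizes each LISTENING line on ':' and spaces so that tokens 1, 2, 3 and 7 become protocol, IP, port and PID. As an added example (not from the deck), the same parse in Python over constructed netstat -nao output, followed by the check a defender actually wants from it: which listeners are not in the host's known baseline. The sample output, the function names and the baseline set are my own.

```python
import re

# Constructed `netstat -nao` output in the Windows format; not captured from a real host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:49731         93.184.216.34:443      ESTABLISHED     2204
  TCP    [::]:135               [::]:0                 LISTENING       884
  UDP    0.0.0.0:123            *:*                                    1080
"""


def listening_sockets(netstat_output: str) -> list:
    """Mirror the slide's FOR /F: keep LISTENING lines, drop IPv6 ('::') ones,
    split on ':' and whitespace so tokens 1,2,3,7 are proto, ip, port, pid."""
    rows = []
    for line in netstat_output.splitlines():
        if "LISTENING" not in line or "::" in line:
            continue
        tok = re.split(r"[: \t]+", line.strip())
        proto, ip, port, pid = tok[0], tok[1], int(tok[2]), int(tok[6])
        rows.append({"proto": proto, "ip": ip, "port": port, "pid": pid})
    return rows


def unexpected_listeners(rows: list, baseline: set) -> list:
    """Listeners whose port is not in the host's expected set: a cheap drift check
    that turns the inventory one-liner into something worth alerting on."""
    return [r for r in rows if r["port"] not in baseline]


if __name__ == "__main__":
    # Baseline is hypothetical: RPC and SMB expected, anything else (here VNC on 5900) is flagged.
    for r in unexpected_listeners(listening_sockets(NETSTAT_SAMPLE), baseline={135, 445}):
        print("unexpected listener:", r)
```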
WMIC / Wmic fu
  Mass task killer (quickkill.exe):
    wmic process list brief | gawk "{print "PsExec" $2}" | egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt
    FOR /F "delims==" %A IN ('type out.txt') DO cax /killall %A
VNC REPEATER
  [Diagram: VNC Client behind NAT, Reverse VNC Server, UltraVNC Repeater]
VNC REPEATER
  VNC single click with reconnect / Aero disable / branding (the restartvnc label the original's goto refers to is added so the fragment runs):
    Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST"
    if errorlevel 1 goto restartvnc
    goto :eof
    :restartvnc
    rem no ESTABLISHED winvnc connection found: remember the ID and relaunch
    echo SET ID=%ID%>vnccheck.bat
    start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run
OclHashcat batchcrack
Quickclean
  Securely deletes common temp files/folders for all users:
    c:\temp
    Internet Explorer temp files for all users
    Firefox cookies, saved passwords, cache etc. for all users
    temp folders for all users
    old Windows updates
    recycle bin
    %SystemRoot%\$ntuninstallK (old Windows updates)
    %SystemRoot%/$hf_mig$ (old Windows updates)
    OPTIONAL: all startup items for all users
    OPTIONAL: all Outlook mailbox data and everything under 'Local Settings' for all users
Om Nom Nom Nom webs
  Common ways to hide code: obfuscated code in Java, Flash, Referer checking, User-Agent tag checking, session tokens
  Tools to reproduce/sniff traffic: command-line JavaScript (JavaScript-C / SpiderMonkey), browser plugins (Live HTTP Headers, URL Snooper), Wireshark / BurpSuite / proxychains, Proxifier (M$), PHP: cURL, Curl, Replay Media Catcher, SWFDecompiler
Om Nom Nom Nom webs (proxies)
  JS:
    curl -s " -A 'blzthedemogods' | egrep '(document.write| = )|; ' | sed -e 's/.* /print("/g' -e 's/ document.write(//g' -e 's/":/:/g' -e 's/.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js
  Referer checking / cookies / JS:
    curl -s -b cookie -c cookie -A '"$varagent"' --referer '
Om Nom Nom Nom google
  images.google.com:
    curl " =isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub(" /g' >> $1-$2.html
Regex
  Mmmmm PII (Personally identifiable information: CC and SSN one-liner for Office documents):
    find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}([0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(0[0-5]|[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
  (The (?:...) groups on the original slide are PCRE syntax that egrep's ERE does not accept, and the stray \b inside the 3(0[0-5]|[68][0-9]) branch sat between two digits, so that branch could never match; plain groups are used above. The sed strips the XML tags of the unzipped OOXML parts before matching.)
Regex
  Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
  (Note that this also matches public 172.x and 192.x addresses; the RFC 1918 ranges are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.)
  IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
  UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)
  Complex strings (passwords or, in my case, HTML): (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}
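As an added example (not from the deck), the card, SSN and IP patterns from the two Regex slides applied in Python to a constructed text that imitates a flattened docx part. It adds what the bare regexes lack: a Luhn checksum so random digit runs are not reported as card numbers, and an RFC 1918 test that is tighter than the (10|172|192) prefix. The sample text, the test card number and the function names are my own.

```python
import re

# Card-number alternatives from the slide (Visa, MasterCard, Discover, Diners Club, Amex) and the SSN pattern.
CARD_RE = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6011[0-9]{14}"
    r"|3(?:0[0-5]|[68][0-9])[0-9]{11}|3[47][0-9]{13})\b"
)
SSN_RE = re.compile(r"\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b")
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"      # the slide's per-octet group
IP_RE = re.compile(r"\b" + r"\.".join([OCTET] * 4) + r"\b")
TAG_RE = re.compile(r"<[^>]+>")                            # same job as the slide's sed: strip OOXML tags


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: issued card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_rfc1918(ip: str) -> bool:
    """Only the private ranges, unlike the slide's (10|172|192) prefix."""
    a, b, _, _ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def scan(text: str) -> dict:
    """PII hits a DLP reviewer wants: Luhn-valid cards, SSNs, private IPs."""
    flat = TAG_RE.sub(" ", text)
    return {
        "cards": [m for m in CARD_RE.findall(flat) if luhn_ok(m)],
        "ssns": SSN_RE.findall(flat),
        "internal_ips": [ip for ip in IP_RE.findall(flat) if is_rfc1918(ip)],
    }


# Constructed sample; 4111111111111111 is a widely used test number, the second one fails Luhn.
SAMPLE = ("<w:t>Card 4111111111111111 ok, 4111111111111112 is a typo,</w:t>"
          "<w:t>SSN 123-45-6789, hosts 10.1.2.3 and 172.40.1.1 and 8.8.8.8</w:t>")

if __name__ == "__main__":
    print(scan(SAMPLE))
```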
Random / Annoyances
  Ask.com Toolbar nag:
    Reg Add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
    Reg Add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
  File associations:
    rem assoc .ppt=ppt
    rem ftype ppt=%CD%\office\POWERPNT.EXE "%1"
  Dump clear-text passwords with mimikatz and Windows Credentials Editor (WCE)
Random / Annoyances
  Nmap MS scanner:
    nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p open
  Set power profile via command line:
    Powercfg.exe /SETACTIVE "Always On"
    Powercfg.exe /SETACTIVE "Max Battery"
  Remove the .NET Credentials (Stored User Names and Passwords):
    control keymgr.dll
  Checking Oracle SIDs with nmap:
    nmap -n --script=oracle-sid-brute -p IP
    nmap --script oracle-brute -p --script-args oracle-brute.sid=XE -n IP
AutoHotkey
Make it portable!
  SFX (self-extracting archive)
  Spoon Studio, VMware ThinApp, Cameyo
  QEMU (MicroXP 2011)
  Use a real language and statically compile
Make it portable!
Contact/Reference
  Fu (ripped from commandlinefu.com)
  Some examples used in presentation