Command Line FU
The art of efficiency (Laziness)

Disclaimer
• I'm not a programmer
• I'm doing it wrong
• These scripts are horridly written
• Will include lolcats
Rmccurdy.com

Some OS options
• Windows
  • Windows Management Instrumentation Command-line (WMIC)
  • Batch files (.bat)
  • VBS
  • Cygwin
  • Macros (AutoItScript, AutoHotkey)
  • PowerShell (<XP)
• Linux
  • Bash
  • Awk/Sed
  • Curl
• Android
  • Linux Deploy (needs loop/root)
  • Busybox

WMIC
• WMIC: search systems for a running 'exe' to hijack
  FOR /F "delims==" %%A IN ('type ips.txt') DO wmic /Node:%%A /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call getowner
• Netstat with PID, mapped to process name and path
  for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)

WMIC
• WMIC mask task killer (quickkill.exe)
  PsExec.exe /accepteula -sd C:\quickkill\sysrun.bat
  wmic process list brief | gawk "{print "PsExec" $2}" | egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt
  FOR /F "delims==" %%A IN ('type out.txt') DO cax /killall %%A

VNC REPEATER
[Diagram: VNC Client (behind NAT) <-> UltraVNC Repeater <-> Reverse VNC Server (behind NAT)]

VNC REPEATER
• VNC Single Click with reconnect / Aero disable / branding
  Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" "EST"
  if errorlevel 1 goto restartvnc
  echo SET ID=%ID%>vnccheck.bat
  start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run

VNC REPEATER
• Random person running quickvnc (screenshot)

OclHashcat batchcrack (screenshot)

Quickclean
• Securely deletes common temp files/folders for all users:
  • c:\temp
  • Internet Explorer temp files for all users
  • Firefox cookies, saved passwords, cache etc. for all users
  • temp folders for all users
  • old Windows updates
  • recycle bin
  • %SystemRoot%\$ntuninstallK (old Windows updates)
  • %SystemRoot%\$hf_mig$ (old Windows updates)
  • OPTIONAL: all startup items for all users
  • OPTIONAL: all Outlook mailbox data and everything under 'Local Settings' for all users

Om Nom Nom Nom webs
• Common ways to hide code
  • Obfuscated code in Java
  • Flash
  • Referer checking
  • User-Agent checking
  • Session tokens
  • Mobile apps with SSL certificate pinning
• Tools to reproduce/sniff traffic
  • Command line JavaScript (JavaScript-C, SpiderMonkey)
  • Browser plugins (Live HTTP Headers, URL Snooper)
  • Wireshark / BurpSuite / proxychains / Proxifier (M$)
  • PHP: cURL
  • Curl
  • Replay Media Catcher
  • SWFDecompiler
  • Virtuous Ten Studio (Android)

Om Nom Nom Nom webs (proxies)
• JS: the proxy list is written by document.write() calls, so turn them into print() calls and feed them to the js shell
  curl -s "http://nntime.com/proxy-list-01.htm" -A 'blzthedemogods' | egrep '(document.write| = )|;<\/script>' | sed -e 's/.*<td>/print("/g' -e 's/<script type="text\/javascript">document.write(//g' -e 's/":/:/g' -e 's/<\/script>.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js
• Referer checking / cookies / JS
  curl -s -b cookie -c cookie -A "$varagent" --referer 'http://rosinstrument.com/raw_free_db.htm?&t=2' 'http://rosinstrument.com/raw_free_db.htm?&t=2'

Om Nom Nom Nom google
• Images.google.com
  curl "http://www.google.com/images?q=FIRST+LAST&hl=en&gbv=1&tbs=isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub("<","\n<"); print}' | grep imgurl | sed -e 's/.*imgurl=/<img src="/g' -e 's/&imgrefurl.*/">/g' >> $1$2.html

Regex
• Mmmmm PII (personally identifiable information: credit card and SSN one-liner for Office files). The .docx/.xlsx/.pptx files are unzipped, the XML tags and non-printable bytes are stripped, and the text is grepped; grep -P is needed because the (?:...) groups are PCRE, not ERE.
  find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | grep -P "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{12}\b|\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"

Regex
• Email: [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}
• Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
• IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
• UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)
• Complex strings (passwords or, in my case, HTML): at least one upper-case letter, one lower-case letter and one digit, six or more non-space characters
  (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}

Random / Annoyances
• Ask.com Toolbar nag
  Reg Add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
  Reg Add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
• File associations
  rem assoc .ppt=ppt
  rem ftype ppt=%CD%\office\POWERPNT.EXE "%%1"
• Dump clear text passwords with mimikatz and Windows Credentials Editor (WCE)

Random / Annoyances
• Nmap MS00-067 scanner
  nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.116 --open
• Set power profile via command line
  Powercfg.exe /SETACTIVE "Always On"
  Powercfg.exe /SETACTIVE "Max Battery"
• Remove the .NET credentials (stored user names and passwords)
  Control keymgr.dll
• Checking Oracle SIDs with nmap
  nmap -n --script=oracle-sid-brute -p 1521-1560 IP
  nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP

Autohotkey (screenshot)

Make it portable!
• SFX (self-extracting archive)
• QEMU images (MicroXP 2011)
• Use a real language, statically compiled
• App virtualization: Spoon Studio, VMware ThinApp or Cameyo

Contact/Reference
• Fu
  http://rmccurdy.com/scripts/fu.txt
  http://rmccurdy.com/scripts/fu_ripp.txt (ripped from commandlinefu.com)
• Some examples used in the presentation
  http://rmccurdy.com/scripts/proxy/proxycheck.sh
  http://rmccurdy.com/scripts/quickvnc/