Command Line FU The art of efficiency (Laziness)


Page 1: Command Line FU The art of efficiency (Laziness)

Command Line FU: The art of efficiency (Laziness)

Page 2

Disclaimer

• I’m not a programmer

• I’m doing it wrong

• These scripts are horridly written

• Will include lolcats

Rmccurdy.com

Page 3

Some OS options

• Windows
  • Windows Management Instrumentation Command-line (WMIC)
  • Batch files (.bat)
  • VBS
  • Cygwin
  • Macros (AutoItScript, AutoHotkey)
  • PowerShell (<XP)

• Linux
  • Bash
  • Awk/Sed
  • Curl

• Android
  • Linux Deploy (needs loop/root)
  • Busybox

Page 4

WMIC

• Wmic fu search systems for running ‘exe’ to hijack

FOR /F "delims==" %%A IN ('type ips.txt') DO wmic /Node:%%A /user:username /password:yourpassword /FAILFAST:ON process where "name like '%%.exe'" call getowner

• Netstat with pid

for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)


Page 5

WMIC

• Wmic fu mask task killer (quickkill.exe)

wmic process list brief | gawk "{print "PsExec" $2}"| egrep -vi "(conhost\.exe|explorer\.exe|winlogon|Name|System|UI0Detect|WMIC|svchost|lsass|lsm|spoolsv|cmd|smss|csrss|wininit|services\.exe|wdm|cmgshieldsvc|emsservice|emservice)" > out.txt

FOR /F "delims==" %%A IN ('type out.txt') DO cax /killall %%A


Page 6

VNC REPEATER

[Diagram: VNC client behind NAT -> UltraVNC Repeater <- reverse VNC server behind NAT]

Page 7

VNC REPEATER


• VNC Single Click with reconnect / Aero disable / branding

• Check for an established winvnc.exe connection and restart it if there is none:

Tcpvcon.exe /accepteula -c | egrep -ia "winvnc.exe" | egrep "EST"
if errorlevel 1 goto restartvnc

• Save the ID and (re)connect through the repeater (the redirect goes first so an ID ending in a digit is not parsed by cmd as a file handle):

>vnccheck.bat echo SET ID=%ID%
start winvnc -autoreconnect -id:%ID% -connect rmccurdy.com::3389 -run

Page 8

OclHashcat batchcrack


Page 9

Quickclean

• Securely deletes common temp files/folders for all users

• Deletes:
  • c:\temp
  • Internet Explorer temp files for all users
  • Firefox cookies, saved passwords, cache etc. for all users
  • temp folders for all users
  • old Windows updates
  • recycle bin
  • %SystemRoot%\$ntuninstallK (old Windows updates)
  • %SystemRoot%/$hf_mig$ (old Windows updates)
  • OPTIONAL: all startup items for all users
  • OPTIONAL: all Outlook mailbox data and everything under 'Local Settings' for all users

Page 10

Om Nom Nom Nom webs

• Common ways to hide code
  • Obfuscate code in java
  • Flash
  • Referer checking
  • User-Agent tag checking
  • Session tokens

• Tools to reproduce/sniff traffic
  • Command line JavaScript (JavaScript-C / SpiderMonkey js shell)
  • Browser plugins (Live HTTP Headers, URL Snooper)
  • Wireshark / BurpSuite / proxychains / Proxifier (M$)
  • PHP: cURL
  • Curl
  • Replay Media Catcher, SWFDecompiler

Page 11

Om Nom Nom Nom webs ( proxies )


• JS

curl -s "http://nntime.com/proxy-list-01.htm" -A 'blzthedemogods' | egrep '(document.write| = )|;<\/script>' | sed -e 's/.*<td>/print("/g' -e 's/<script type="text\/javascript">document.write(//g' -e 's/":/:/g' -e 's/<\/script>.*/;/g' | sed '/^[ \t]/d' | tr -d '\r' | js

• Referer checking / cookies / JS (the agent variable must be double-quoted so the shell expands it, and the URL quoted so its & is not taken as a background operator)

curl -s -b cookie -c cookie -A "$varagent" --referer 'http://rosinstrument.com/raw_free_db.htm?&t=2' 'http://rosinstrument.com/raw_free_db.htm?&t=2'

Page 12

Om Nom Nom Nom google


• Images.google.com

curl "http://www.google.com/images?q=FIRST+LAST&hl=en&gbv=1&tbs=isch:1,isz:l&start=0&sa=N&safe=off" | awk '{gsub("<","\n<"); print}' | grep imgurl | sed -e 's/.*imgurl=/<img src="/g' -e 's/&imgrefurl.*/">/g' >> $1-$2.html

Page 13

Regex


• Mmmmm PII (Personally identifiable information CC and SSN one liner for office)

The (?:...) groups are PCRE, not ERE, so the pattern needs grep -P rather than egrep; the stray \b inside the Diners Club branch (which could never match between two digits) is also removed:

find . -iname "*.???x" -type f -exec unzip -p '{}' '*' \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | grep -oP "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"

Page 14

Regex


• Email: [A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}

• Internal IP: \b(10|172|192)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

• IP: \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

• UNC: ((?#drive)\b[a-z]:|\\\\[a-z0-9]+)\\((?#folder)[^/:*?"<>|\r\n]*\\)?((?#file)[^\\/:*?"<>|\r\n]*)

• Complex strings (passwords or ... in my case HTML): (?=[-_a-zA-Z0-9]*?[A-Z])(?=[-_a-zA-Z0-9]*?[a-z])(?=[-_a-zA-Z0-9]*?[0-9])\S{6,}
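The card, SSN and email patterns from the previous two slides, as an added Python example that is not part of the deck: it applies them to a constructed sample resembling unzipped Office XML and runs a Luhn check on card hits so that digit runs which merely look like PANs are dropped.

```python
import re

# Card patterns from the slide, combined into one alternation for Python's re.
CC_RE = re.compile(
    r"\b(?:4[0-9]{12}(?:[0-9]{3})?"      # Visa, 13 or 16 digits
    r"|5[1-5][0-9]{14}"                  # MasterCard
    r"|6011[0-9]{14}"                    # Discover
    r"|3(?:0[0-5]|[68][0-9])[0-9]{11}"   # Diners Club
    r"|3[47][0-9]{13})\b"                # American Express
)
SSN_RE = re.compile(r"\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b")
EMAIL_RE = re.compile(r"\b[A-Z0-9._%-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b", re.IGNORECASE)


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check: real PANs pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def strip_markup(text: str) -> str:
    """Same job as the slide's sed: drop XML tags and non-printable runs."""
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"[^\x20-\x7e]+", " ", text)


def find_pii(text: str) -> dict:
    """Return Luhn-valid card numbers, SSN-shaped strings and email addresses."""
    clean = strip_markup(text)
    return {
        "cards": [m for m in CC_RE.findall(clean) if luhn_ok(m)],
        "ssns": SSN_RE.findall(clean),
        "emails": EMAIL_RE.findall(clean),
    }


# Constructed sample resembling word/document.xml from an unzipped .docx (not real data).
SAMPLE = (
    "<w:t>Card 4111111111111111 exp 12/29</w:t>"
    "<w:t>order no 4111111111111112</w:t>"
    "<w:t>SSN 078-05-1120 contact bob@example.com</w:t>"
)

if __name__ == "__main__":
    print(find_pii(SAMPLE))
```

The second 16-digit number fails the Luhn check and is dropped, which is the false-positive class the plain one-liner reports.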

Page 15

Random / Annoyances

• Ask.com Toolbar nag

Reg Add "HKLM\SOFTWARE\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F
Reg Add "HKLM\SOFTWARE\Wow6432Node\JavaSoft" /V "SPONSORS" /D DISABLE /T reg_sz /F

• File associations

rem assoc .ppt=ppt
rem ftype ppt=%CD%\office\POWERPNT.EXE "%%1"

• Dump clear text password with mimikatz and Windows Credentials Editor (WCE)

Page 16

Random / Annoyances

• Nmap MS00-067 scanner

nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 192.168.1.116 --open

• Set power profile via command line

Powercfg.exe /SETACTIVE "Always On"
Powercfg.exe /SETACTIVE "Max Battery"

• Remove the .NET Credentials (Stored User names and Passwords)

Control keymgr.dll

• Checking Oracle SIDs with nmap

nmap -n --script=oracle-sid-brute -p 1521-1560 IP
nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n IP

Page 17

Autohotkey


Page 18

Make it portable!

• SFX (self-extracting archive)
• Spoon Studio, VMware ThinApp, Cameyo
• QEMU (MicroXP 2011)
• Use a real language and statically compile

Page 19

Make it portable!


Page 20

Contact/Reference

• Fu

http://rmccurdy.com/scripts/fu.txt
http://rmccurdy.com/scripts/fu_ripp.txt (ripped from commandlinefu.com)

• Some examples used in presentation

http://rmccurdy.com/scripts/proxy/proxycheck.sh
http://rmccurdy.com/scripts/quickvnc/