background preloader

Agile Hacking

Facebook Twitter

[PenTester Scripting] Advanced-Command-Exploitation. Agile Hacking: A Homegrown Telnet-based Portscanner. Agile Hacking: A Homegrown Telnet-based Portscanner published: May 11th, 2008 So here is the scenario: the attacker has limited access to a box and he/she needs to perform a portscan from it.

Agile Hacking: A Homegrown Telnet-based Portscanner

However, he/she does not want to download any tools to the target system. There might be various reasons for not wanting to upload a portscanner to the box. Perhaps, the attacker wants to minimize the footprint. In my case, the reason why I had to come up with a solution to this problem is because I had to simulate an attack in which the attacker had gained access to a Internet-visible web server. I really didn’t want to download a tool such as nmap and then compile it. Anyway, my solution to this problem was to write a simple TCP portscanner in bash which glues around the telnet command which is present on most Unix/Linux distributions.

The following is a more elaborate version of our portscanner which supports scanning for either common or all ports. . #! Syntax follows: gnucitizen $ . Command Line Kung Fu. Hacking Without Tools: Windows - RST. I'm not an MCP, MCSE, MCTS, MCPD, MCITP, or MCA I'm not even very good at Minesweeper I'm a UNIX geek I love the command line How much you ask?

This entire presentation was created by writing out HTML markup by hand in the Vim text editor It turns out that for some reason, not every system runs UNIX In fact, the ones we're most concerned about in Information Security are often running Windows (strange!) Pentesting Ninjitsu 1. Pentesting Ninjitsu 2 Infrastructure and Netcat without Netcat. Running a command on every mac. Simple yet effective: Directory Bruteforcing. One thing you learn when you start a career pentesting is: Never assume anything.

Simple yet effective: Directory Bruteforcing

In my experience hacks aren’t always elegant and elaborate. Sometimes something simple and effective is your avenue of penetration. Which brings us to today’s topic: directory bruteforcing. Directory bruteforcing is a favorite of mine. Before we start bashing away, and let’s be honest here that’s what we’re doing, we have to mention that this kind of enumeration can get you blacklisted. Today, we’re showcasing python based Wfuzz by Edge-Security and Java based Dirbuster maintained by the OWASP project. We hate to regurgitate verbatim but Wfuzz actually gives pretty good usage and feature documentation that can be seen on their website here.

Usage: # wfuzz.py -c -z file -f wordlists/commons.txt --hc 404 --html 2> results.html This does a basic directory bruteforce against throwing http GETs to the web server matching every line in the wordlists/commons.txt file. Dirbuster is very similar. . # cat dircurl.sh #! Command-Line Ninjitsu. Recently I wrote a blog post about using some basic native DOS commands to extract information from a target PC about user accounts, shares, software, networking information etc...

Command-Line Ninjitsu

What I didn't cover in that post was WMIC (Windows Management Instrumentation Command). If that previous post was say the equivelent of DOS Kung Fu then WMIC to me is the Ninjitsu of DOS. The pupose of this post is to describe and list WMIC commands that can be used to derive information from a target, and that information could be useful to either a Sys Admin, a Malware Hunter or just a plain old Evil Attacker. As I will demonstrate WMIC can be used to modify settings also. Used alongside the commands I listed in my earlier post on Command-Line Kung Fu, the commands listed here allow almost any operation via that simple DOS prompt with no additionally installed tools. The Grammar of WMIC. Whenever I’m Handler on Duty, I typically write up a little Windows command line tip to help security people and especially incident handlers analyze and understand their Windows systems better.

The Grammar of WMIC

Most of thesearticlesfocus on very specific ways to use a given command, usually the very powerful WMIC command included in WinXP Pro, Win2003, and WinVista. But, you know, quite often, people tell me, “I like to use the WMIC command in this or that specific way, but I don’t really follow the underlying syntax of the thing.” Windows CMD Commands. Windows Command-Line Kung Fu with WMIC.

A few weeks ago, uber-handler Tom "I-Write-Spyware" Liston and I were working on some tests of anti-spyware applications.

Windows Command-Line Kung Fu with WMIC

One of the experiments we performed was to take an ultra-infected box and run various anti-spyware tools to see if any of them could clean up the mess. The Windows machine we had was so thoroughly laced with spyware that IE couldn't run, Task Manager couldn't start, and the services control panel was kaput. Pretty much every GUI-based management and analysis tool on the box was hosed. Ouch! And, no, booting into Safe Mode didn't help at all (we tried it of course), because the system was so corrupted. So, how could we do analysis on this machine without resorting to these GUI tools?

So, what did we resort to? WMIC is a world unto itself, immensely complex, able to read several thousands of settings on a Windows box, and update hundreds, again both locally and remotely. But enough pontificating! C:\> wmic process [pid] delete Or, better yet, try this one on for size: Windows-scripting-COM-tricks. WMIC, the other OTHER white meat.