Nytro Posted April 15, 2020

Evilreg v1.0
Author: github.com/thelinuxchoice
Twitter: twitter.com/linux_choice
Read the license before using any part from this code

Reverse shell using Windows Registry file (.reg).

Features:
Reverse TCP Port Forwarding using Ngrok.io

Requirements:
Ngrok Authtoken (for TCP Tunneling):
Sign up at: https://ngrok.com/signup
Your authtoken is available on your dashboard: https://dashboard.ngrok.com
Install your authtoken: ./ngrok authtoken <YOUR_AUTHTOKEN>
Target must reboot/re-login after installing the .reg file

Legal disclaimer:
Usage of Evilreg for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

Usage:
git clone https://github.com/thelinuxchoice/evilreg
cd evilreg
bash evilreg.sh

Donate! Pay a coffee:
Paypal: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CLKRT5QXXFJY4&source=url

Source: https://github.com/thelinuxchoice/evilreg
gigiRoman Posted April 16, 2020
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Here it is set to start a cmd.
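From the defender's side, the interesting question about a .reg file like this is what it would register to run at logon before anyone imports it. The following is an added example, not code from the evilreg project or from anyone in this thread: a small parser for the text .reg export format that lists REG_SZ values and flags those written under the standard Run / RunOnce autostart keys. The sample .reg text and the "updater.cmd" path are constructed for this example.

```python
"""Scan a Windows .reg file for values written under well-known autostart keys.

Added example (not part of the evilreg project). The sample .reg text below is
constructed for this example; the key paths are the standard Run / RunOnce
autostart locations. Real .reg exports are usually UTF-16LE on disk, so read
them with encoding="utf-16" before passing the text to parse_reg().
"""
import re

# Autostart locations checked here; HKLM and HKCU variants share the same suffix.
AUTOSTART_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# [HKEY_...\Path]  or  [-HKEY_...\Path] (leading '-' deletes the key)
SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")
# "Name"="data"  or  @="data"  (REG_SZ only; other types start with hex:/dword:)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return a list of (key_path, value_name, data) for REG_SZ values in .reg text."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            # Key deletions create nothing, so skip their values.
            current = None if m.group(1) else m.group(2)
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # hex:/dword:/multi-line continuation lines are not REG_SZ
        name = m.group(1) if m.group(1) is not None else "@"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # Undo the .reg escaping of backslashes and quotes.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        entries.append((current, name, data))
    return entries


def is_autostart_key(path):
    """True if the key path ends in one of the Run / RunOnce locations."""
    lower = path.lower()
    return any(lower.endswith(s.lower()) for s in AUTOSTART_SUFFIXES)


def find_autostart_entries(text):
    """Entries that would execute at logon if this .reg text were imported."""
    return [e for e in parse_reg(text) if is_autostart_key(e[0])]


# Constructed sample: one harmless setting plus one Run-key entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"Theme"="dark"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.cmd"
'''

if __name__ == "__main__":
    for key, name, data in find_autostart_entries(SAMPLE_REG):
        print(f"AUTOSTART {key} :: {name} = {data}")
```

Running it on the sample prints only the Run-key entry; the ExampleApp setting is parsed but not flagged. The same check applied to an unknown .reg file tells you, before import, exactly which command would start at the next logon, which is the step the thread says evilreg relies on.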
Nytro Posted April 16, 2020
Yes, it looks like it writes there, stupid. I hadn't looked through the code; I thought it wrote somewhere in the Registry that would result in "immediate", or at least fast, execution, not after a restart...
gigiRoman Posted April 16, 2020
I know there was a DefCamp presentation about a fileless attack. It was more interesting.
https://www.google.com/url?sa=t&source=web&rct=j&url=https://m.youtube.com/watch%3Fv%3Dtoo1jVTLSIg&ved=2ahUKEwijr4ustezoAhUIVBUIHfJpBPMQwqsBMAB6BAgHEAQ&usg=AOvVaw2jMgdca27hBIPBizqENwez
Is this the one?
Nytro Posted April 16, 2020
Probably; it looks like, for persistence, it uses that registry key to run PowerShell (11:45).
gigiRoman Posted April 16, 2020
11 minutes ago, Nytro said: Probably; it looks like, for persistence, it uses that registry key to run PowerShell (11:45).
Worth remembering. I know I had seen another demo where the command/file/binary was found in other registry keys.