Posts posted by i8igmac
-
1) StartUp
C:\windows\start menu\programs\startup
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
"Anything placed here executes when you start up your computer"
2) Windows Scheduler:
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.
3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.
4) Registry :
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
5) "Autoexec.bat"
6) These registry keys will basically spawn your programs; as you can see this is very dangerous, because these keys are heavily used by viruses and Trojans.
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", then
server.exe will be executed EVERY TIME an exe/pif/com/bat/hta is executed.
7) Explorer start-up
The problem with these operating systems is that they look for a file called "explorer.exe" whenever you start up your computer. That file is basically the one that you see all the time but don't realize is there; if you go to your Task Manager you can see it. You can even kill it, and you will see that everything on your computer that belongs to Microsoft will disappear, except for the extra windows that you open such as cmd, regedit, services.msc, etc., but your desktop will be gone.
As you can see this is dangerous, because it also means that if somebody modifies your explorer.exe file then your computer will be corrupted. In fact, changing the name of the Start button has to be done by modifying the explorer.exe file, so there is a clue that a small difference can have an effect on your computer.
Here is the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
If a Trojan changes that to the path of another "infected explorer.exe" file, your computer will start up the file the Trojan told it to and not the one used by Microsoft.
8) "Active-X Component"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName]
StubPath=C:\PathToFile\Filename.exe
This key is great because it starts the program in its path BEFORE explorer.exe and any other program starts on your computer, so if you wonder why your antivirus can't detect the virus when you boot up, it may be because your "virus" is taking care of it before it starts up. It could even kill your antivirus before your antivirus starts up.
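Added here as an editor's example (not from the Symantec article or the poster): a Python checker that parses "reg export" text, which uses the same [key] and "name"="value" syntax shown above, and flags the locations the list calls out for manual review: a file-type handler whose (Default) is no longer "%1" %*, every Run/RunOnce/RunServices entry, a Winlogon Shell other than explorer.exe, and Active Setup StubPath entries. The export embedded in it is constructed, not taken from a real machine.

```python
import re

HANDLER_DEFAULT = '"%1" %*'   # expected (Default) of exefile/comfile/batfile/htafile/piffile open handlers
HANDLER_RE = re.compile(r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
ACTIVE_SETUP_RE = re.compile(r"\\Active Setup\\Installed Components\\[^\\]+$", re.I)


def parse_reg(text):
    """Parse .reg syntax ([key] sections, "name"="value" or @="value" lines) into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"') and value.endswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])   # undo .reg escaping of \\ and \"
            keys[current][name.strip('"')] = value
    return keys


def find_suspicious(keys):
    """Return (key, name, value, reason) tuples to review against a known-good machine."""
    findings = []
    for key, values in keys.items():
        if HANDLER_RE.search(key) and values.get("@", "") != HANDLER_DEFAULT:
            findings.append((key, "@", values.get("@", ""), "file-type handler runs something besides the file"))
        elif RUN_KEY_RE.search(key):
            findings.extend((key, n, v, "autorun entry") for n, v in values.items())
        elif key.lower() == WINLOGON and values.get("Shell", "explorer.exe").lower() != "explorer.exe":
            findings.append((key, "Shell", values["Shell"], "Winlogon shell replaced"))
        elif ACTIVE_SETUP_RE.search(key) and "StubPath" in values:
            findings.append((key, "StubPath", values["StubPath"], "Active Setup stub runs before the shell"))
    return findings


# Constructed sample export (not from a real machine): one clean handler, one hijacked, one Run entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"C:\\Users\\Public\\server.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\updater.exe"
'''
```

Run find_suspicious(parse_reg(open("export.reg").read())) on a "reg export HKLM" / "reg export HKCR" dump taken while booted from clean media, and compare the flagged binaries' hashes against a known-good install before deleting anything.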
-
Destination =>01:01:06:00:f1:13
Source mac=>Af:a3:3f:ff:ff:00:00
-
#infect normal operations mode
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\run
#infect normal operations mode
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
#infect SAFE BOOT NETWORK MODE
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Spooler]
@="Service"
Years ago I spent some time making rootkits for Windows machines... this was a lot of fun, learning the ways to better infect a machine and keep a reverse shell running 100% of the time... I would deploy my rootkit from a meterpreter shell, upload and execute functions and make a few registry entries in an automated fashion...
I hope to get some feedback on all locations to infect; a very basic infection could be as simple as placing your exe in the startup folder (below)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Every time the machine reboots, your application will start up... I hope you guys can share more simple and advanced examples such as
Safe mode registry locations
Current user locations
all user locations
Local machine locations
scheduled tasks
Etc...
I will attempt to recover a machine tonight and hope to get your feedback.
-
wlan2 ->192.168.97.1
eth0 -> 192.168.96.1
(dnsmasq.conf)
interface=eth0
dhcp-range=192.168.96.50,192.168.96.150,12h
interface=wlan2
dhcp-range=192.168.97.50,192.168.97.150,12h
So, if a device connects over eth0 or wlan2, dnsmasq will do a fantastic job...
I have a machine struggling to connect that keeps attempting a DHCP request...
May 7 08:17:04 kali dhclient: DHCPREQUEST on wlan2 to 255.255.255.255 port 67
Clients that connect to wlan2 should get a new IP on the 192.168.97.x subnet.
I'm not sure what machine continues to flood DHCPREQUESTs...
Here is a network packet I dumped with this command
tcpick -yH -C -i wlan2 "port 67"
01 01 06 00 f1 13 af 3f ff ff 00 00 0a 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 ca 81 ee 5c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 35 01 03 0c 06 69 70 68 6f 6e 65 37 0d 01 1c 02 03 0f 06 77 0c 2c 2f 1a 79 2a ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
01 01 06 00 f1 13 af 3f ff ff
I'll read about this packet and find the source and destination IP, which might be this first string...
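Added example, not part of the post: a Python decoder for the DHCP/BOOTP layout of the dump above (op, htype, hlen, hops, xid, secs, flags, the four address fields, chaddr, the 63 82 53 63 magic cookie, then the TLV options). The sample it decodes is rebuilt from the values visible in the dump (xid f1 13 af 3f, secs ff ff, ciaddr 0a 00 00 05 = 10.0.0.5, option 53 = 3 for DHCPREQUEST, option 12 host name "iphone", the 13-byte option 55 list); the client MAC is a constructed placeholder rather than re-typed from the dump, and request_state() applies the RFC 2131 rules for telling a renewal of an old lease apart from an INIT-REBOOT or SELECTING request.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE", 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(data):
    """Fixed 236-byte BOOTP header, magic cookie, then TLV options (RFC 2131 / RFC 2132)."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", data[:12])
    msg = {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs, "flags": flags,
           "ciaddr": socket.inet_ntoa(data[12:16]), "yiaddr": socket.inet_ntoa(data[16:20]),
           "siaddr": socket.inet_ntoa(data[20:24]), "giaddr": socket.inet_ntoa(data[24:28]),
           "chaddr": data[28:28 + hlen].hex(":"), "options": {}}
    i = 240
    while i < len(data) and data[i] != 0xFF:          # 0xFF = end of the option list
        if data[i] == 0x00:                            # 0x00 = pad, carries no length byte
            i += 1
            continue
        tag, length = data[i], data[i + 1]
        msg["options"][tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    opts = msg["options"]
    msg["type"] = MSG_TYPES.get(opts.get(53, b"\x00")[0], "unknown")
    msg["hostname"] = opts[12].decode("ascii", "replace") if 12 in opts else None
    msg["requested_ip"] = socket.inet_ntoa(opts[50]) if 50 in opts else None
    return msg


def request_state(msg):
    """RFC 2131 section 4.3.2: infer which client state a DHCPREQUEST was sent from."""
    has_requested, has_server_id = 50 in msg["options"], 54 in msg["options"]
    if msg["ciaddr"] != "0.0.0.0" and not has_requested:
        return "RENEWING/REBINDING"        # client wants to keep ciaddr; an authoritative server elsewhere NAKs it
    if has_requested and has_server_id:
        return "SELECTING"                 # accepting one specific OFFER
    return "INIT-REBOOT" if has_requested else "unknown"   # checking a remembered lease


def build_request(xid, ciaddr, mac, hostname, param_list):
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0xFFFF, 0)           # op=1 BOOTREQUEST, ethernet, secs=0xffff
    hdr += socket.inet_aton(ciaddr) + b"\x00" * 12                       # ciaddr, then zero yiaddr/siaddr/giaddr
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00") + b"\x00" * 192   # chaddr, sname, file
    opts = b"\x35\x01\x03" + bytes([12, len(hostname)]) + hostname.encode()        # type=REQUEST, host name
    opts += bytes([55, len(param_list)]) + bytes(param_list) + b"\xff"             # parameter request list, end
    return hdr + MAGIC_COOKIE + opts


# xid, ciaddr, host name and the option 55 list are read off the dump above; the MAC is a constructed placeholder.
SAMPLE = build_request(0xF113AF3F, "10.0.0.5", "02:00:00:aa:bb:cc", "iphone", [1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42])
```

A DHCPREQUEST carrying ciaddr 10.0.0.5 and no requested-address option, seen on the 192.168.97.x network, is a client trying to renew a lease it got somewhere else; the server should NAK it (dnsmasq does when run with --dhcp-authoritative), and the host name option tells you which device keeps retrying.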
-
Can you dump the password hash... boot up a Kali USB on the machine... all the tools are there...
Many, many years ago I did this with BackTrack 2. The password dumping tools were located on BackTrack at
/pentest/windows/binary/passdump.exe
Lots of cool binaries located in this directory; it was fun uploading each file to a Windows machine from meterpreter and seeing what each executable can do. I used to have a copy of all these binaries...
sbd.exe was a badass netcat clone, if anyone can concur?
I think Kali has a windows-binary package in the repo
-
I could use this... I am on a company data plan and they're sending me a bill for data overusage.
Not sure if this makes sense or would even lighten the data usage... a squid-like caching proxy for Android
-
As Cooper said, create a new VM and install...
But this rootkit stuff is a lot of fun trying to sort out. It's been years since I have played around.
Find all the registry entries related to all scripts and executables... HKLM /currentversion/run type stuff...
There have been a few rootkits that had me defeated... I just experienced one the other night fixing a friend's Alienware machine. I just ran out of time and set him up for a reinstall...
Could be a fun topic and conversation.
"How to make an unremovable rootkit"
Everyone can post all their working examples.
"Post all the possible registry entries where a rootkit might hide..."
-
I would assume the firewall has banned your IP...
Try changing your local IP and perform a less aggressive port scan... it should look like normal activity...
IP change in Linux:
ifconfig wlan0 inet 192.168.0.66
dhclient wlan0
IP change on winblows:
ipconfig /release
ipconfig /renew
Now the nmap scan:
nmap -O -p 135,139,445 (target ip)
-
Disregard my last post
-
My brain recalls years ago I was crafting all kinds of packets for DDoS-style attacks using hping3...
I'm sure any packet can be crafted with hping; it just takes proper research and an understanding of the 3-way handshake.
-
Navigating through a file system where a directory name includes spaces is frustrating.
Does tab completion work? Type the first several letters of the folder, then press tab.
ls name(tab or double tab)
What about wildcards?
ls name*
ls name\ of\ folder\ location
The slash enables the space to be read (not sure if my illiterate brain has served this up properly).
You will find special characters will give you the same problem... if your file or folder has fancy chars in it, place a slash before it...
"Name of location(2015)"
ls Name\ of\ location\(2015\)
\(
\)
\ <---space
-
You can make that Alfa card work with airbase-ng instead of hostapd... hostapd is best used with an Atheros chip; the card and driver must support master mode... I would think hostapd gave out some errors?
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
airbase-ng -i wlan0 -c 6 -b wifipi
(A new tap device has been created: at0)
ifconfig at0 up 192.168.69.1
dnsmasq should have an identical configuration as explained in the tutorial, but the device name is at0.
-
I agree with fugu; p0f is the tool that comes to mind: passive OS fingerprint sniffing.
p0f -i eth0
Start up arpspoof to get some traffic passing through eth0 or wlan0.
Lots of tutorials online.
-
I have experienced an identical problem with DD-WRT. Can I ask you to confirm the problem with separate tools/services... ftp, http, netcat: can the machines establish a connection without worrying about encryption keys?
You say it's a one-way street. I have seen this with DD-WRT via wifi connections... a machine connected to DD-WRT by eth0 is accessible, but not machines connected over wifi.
It's also, in my situation, a random occurrence...
-
Can you show virus scan results?
-
I have hostapd running on my Pi... 2 Alfa cards, one for hostapd and another in monitor mode.
Depending on the power consumption of these devices, it may require a powered USB hub.
ssh root@kalipi
With my Android phone I can accomplish a lot through ssh.
Install Hacker's Keyboard on your Android; tab completion works over ssh for quicker execution.
-
A tablet/phone/laptop ssh'ing to the Pi?
-
I have cleaned cap files before, when they are super large and I only want the relevant information...
Processing extremely large pcap files eats up resources and causes delayed results if you plan on processing the file multiple times over and over again...
You should be fine.
-
I'm working on my Pogoplug Pro. I need to pull out the wifi card and replace it with something supported by hostapd.
'Mini PCIe Atheros' searched on Amazon. Not sure if I'll make the right purchase...
ath5k
ath9k
ath10k seem to be the drivers supported by hostapd.
If anyone has had success with a mini PCIe card, please share a model number.
-
Not exactly social engineering; you can ARP spoof and inject an iframe src=metasploit.link exploit.
It can happen in the background while the client is web surfing.
-
Personally I think the NANO is the best thing hak5 has to offer; the rest in my view isn't worth buying, but that's just me..
I took the NANO out on the 16th to a place called Chili's, walked in with the NANO clipped on to my pants and my Nexus 6 connected to it, sat down at my table, logged into the NANO and had at least 20 people connected to it; had I had bad intent I could've done stuff to people.
I was also at Chili's on the 16th and spotted that my Samsung S3 was somehow connected to my ddwrt-v7 home network. I thought hmmm, interesting; I logged the hardware address and my attorney will contact hak5 soon to take legal action...
PS: change the default login credentials.
-
This device has a decent tool selection with a decent amount of automation and a user interface to help simplify certain tasks and techniques. It can give anyone L33T hacker status at a party when conversation skills lack and you want to stand up and say "look at me"...
Learning how this stuff works is a lot of fun. Learning your way around Linux is my suggestion, along with following tutorials on these exploit techniques.
The problem here is the lifespan of an exploit like sslstrip. Years ago I had so much fun exploiting, automating, hijacking traffic. If you design a device that relies on this exploit, how long does the window stay open?
The lifespan of all exploits is somewhat limited; patches come out and new holes are discovered but not made public until the secret is passed on to a child who doesn't understand how to use it but wants to stand up at a party to show off what he can't do.
Thanks to Edward Snowden, security standards are now higher and tech giants are plugging these holes to ensure long-term customer security. (Or so they say)
-
https://blog.g0tmi1k.com/2011/01/owning-windows-xp-sp2-vs/
Client-side attacks... try this tutorial
windows safe boot infection... please share registry locations (in Questions)
http://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue
I found this article (content posted above). Some useful information for manual removal of registry locations... they are missing the SafeBoot location, which I think Symantec should have included in their article...
Anyone think of other techniques?