This handy little command reminds me by audio when my computer is back online. I just had a 30 minute Internett outage, and it was nice to get right back to my seat when my computer started bleeping out alarms.

for /l %i in (1,0,2) do @ping -n 2 8.8.8.8 2>1>nul && @powershell -command [System.console]::Beep(300,1000)

The for loop defines basically a while(true) loop in Windows. It will run for ever.

If the ping command runs successfully, the powershell command will run a small beep over 1 second.

Detecting if Volume Shadow Copies has been explicitly disabled through registry

Ransomware is very fond of disabling Volume Shadow Copies when infecting targets. Here is a script to remotely detect if Volume Shadow Copies has been disabled.

First, we use PSExec from Microsoft Sysinternals and a local reg query command. This is useful if you only have a list of IP addresses, not hostnames of the different machines:

psexec @systems.txt -u domain\ADMINISTRATOR reg query “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore” /v DisableSR

Remember to change the domain and username you want to use for the query.

We can also use only built in commands to query for the information. In this example we use the reg command remotely, providing it with a list of hostnames to query from the file dns.txt: 

for /F %i in (dns.txt) do @reg query “\\%i\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /s >> %i.txt

This command will use your credentials to query for the information, meaning you would likely have to be a domain administrator running this command.

WannaCry

The ransomware dubbed WannaCry disables Volume Shadow Copies like this (warning: running this command will delete your local backups) :

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This leaves no good marks in the registry for us to audit, and I think the best way to detect this is to query machines where you know you have Volume Shadow Copies enabled, to see if they have any backups stored. To query for this information we can use wmic, another built in command which supports reaching network attached machines: 

wmic /node:@ip.txt shadowcopy list brief

This little command will run off every IP address in the file ip.txt and return the respective backup volumes.

Mapping attack surface for Ransomware / Cryptolocker

With all the ransomware hitting everyone, everywhere, I decided to share my scripts on how I map the attack surface of internal threats, and subsequently ransomware / cryptolocker. It is not fully automated yet, but hopefully sharing this will give people the right ideas, and perhaps some might even automate it. For now, this only works for file sharing using Windows default file sharing. PS: I realize this is far from perfect, and probably should all be doable with a simple nmap script, however this is what I use in conjunction with some other work.

A typical scenario for using these scripts and commands are for users that should not have access to a bunch of files on your file-servers. Close down those shares and permissions before the inevitable happens, and the files are stolen and encrypted.

We start off with scanning every host who has port 445 open (Microsoft SMB):

    nmap -p 445 -T4 -oG 445.txt 192.168.1.1-254 

Replace the IP address range with whatever suits your network. Next, we grep out the hosts which are relevant for checking which file shares they expose.

    cat tmp/445.txt  | grep “445/open” | cut -d ” ” -f 2 > hosts.txt

With the relevant hosts in a separate file, lets use enum4linux to enumerate all the potential shares on these servers. Remember to add the username and password of the account you want to use for the mapping.

    cat hosts.txt | while read in; do enum4linux -S -u <username> -p <PW> “$in”;done > shares.txt

This produces a file shares.txt containing potential shares we want to investigate and close down. Now we’ll edit the following script and put it in a bat file, and then let it work. Remember to add the necessary credentials and domain information.

    @echo off
    for /f “tokens=*” %%a in (input.txt) do (
    echo Mapping Disk:%%a
    net use Z: %%a /USER:DOMAIN\account password
    echo %%a >> log.txt
    dir /s /b /o:gn Z: >> log.txt
    net use Z: /DELETE
    echo. >> log.txt
    echo. >> log.txt
    echo. >> log.txt
    )
    pause

The log.txt file should then slowly but surely accumulate file paths and and the respective shares where those files are available, hopefully allowing you to know where to reduce and limit access.

Using Powershell to fetch file hashes with multiple algorithms

You might need to check file hashes across multiple directories and across multiple algorithms, e.g. verifying all files hashsums against both MD5 and SHA1. This is an example of how to accomplish such task using Powershell.

 

 

 

 

 

 

 

 

 

The command you run is:

gci -Recurse | select FullName | %{get-Filehash -Algorithm md5 -Path $_.FullName ; get-FileHash -Algorithm sha1 -Path $_.FullName} | format-list

Remotely lock a computer, and prevent them from logging back in

Sometimes you have to throw someone off a terminal, but at the same time preserve the evidence on the terminal. For example if someone is using a terminal to hack something, and you need to secure the running terminals to capture the commands that has been run. It is quite simple to accomplish this, as the process below demonstrates.

  1. First, change the target account’s AD password. This will prevent them from logging back in
  2. Next, target the terminal with psexec and use rundll32 to execute user32.dll with the LockWorkStation function. This will trigger the account lock. The following command can be tweaked for your purposes: PsExec.exe \\<ip> -d -u <domain>\Administrator -i cmd.exe /c “C:\windows\system32\rundll32.exe user32.dll, LockWorkStation”
  3. Now it’s time to sieze the terminal. Make sure you are standing by ready for this, as the victim could be distressed and shut down his workstation, essentially removing evidence.

This concept can be expanded further, as Darryl Griffiths pointed out to me on LinkedIn. Coupling the initial idea of locking the workstation with AD Group Policies to modify the Power settings on the target workstation, one can even prevent the machine from shutting down, e.g. when the power button is clicked or the laptop lid is turned off. The Power Management in Windows normally allows this type of overriding the functionality of the power button, and more can be read about this concept in the following TechNet article: https://blogs.technet.microsoft.com/askds/2008/03/21/managing-power-with-group-policy-part-3-of-3/

Get PSExec here: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx?f=255&MSPPError=-2147217396

Here is a video demonstrating the remote terminal lockout.

Finding files and grepping for information

Sometimes you have to find interesting files, then grep through those specific files dynamically. With Linux this is as easy as:

find . -name <file> -exec grep -i -H <match> {} \;

This will simply recursively look for files you want to find, e.g. *.txt, and for each file found, grep that file for whatever matching content you want to find. Additional interesting things to do with this is to grep with regex, or use the find command to further filter for specific types of files.

Slow DNS enumeration

Fierce is an excellent tool for doing DNS reconnaissance, i.e. querying the DNS server for potential domain names to be revealed. I’ve seen some setups where the enumeration has gone horrible slow.

If your DNS enumeration tool is going slow, fire up tcpdump and inspect the DNS traffic.

tcpdump -i <interface> -nn port 53 

Normally you should see tens and hundres of DNS queries flowing past the screen, but if the requests are slow, inspect the queries you are sending. Are you sending queries for .local domain as well?

This image shows 3 queries trying to resolve one name, but sends multiple queries

This is likely due to your DHCP settings are pushed out with a SearchDomain for <whatever>.local. Edit your /etc/resolv.conf and remove the line dictating the SearchDomain, and you should have a huge boost in speed!