Running commands as system on windows 10

Playing god on windows 10 :)

the method is to run PSEXEC which is part of windows pstools

Command

Run - > cmd as Administrator

psexec -i -s cmd

A new command prompt window will pop-out with system privileges

Now you can almost any command with elevated privileges

C:\Windows\system32>start regedit

Python oneliner - HTTP servers

Power of python :)

# python -m SimpleHTTPServer 8080

# python3 -m http.server 8000

# sudo python -m pyftpdlib.ftpserver.

Python - inserting data into excel file

Creating excel file with Python
----snip-----
import win32api
import win32con
import win32file

import win32com.client
xlapp = win32com.client.Dispatch("Excel.Application")
xlapp.visible=1
#xlwb=xlapp.workbooks.open("results.xls")
xlapp.workbooks.Add()
xlapp.cells(1,1).value ="Hello"
xlSheet = xlApp.Sheets(1)

----snip----

Python Script to Parse MBSA files

Simple python script to parse Microsoft MBSA files

#-------------------------------------------------------------------------------
# Name:        MBSA parser

# Author:      Azmath
# Created:     11/07/2012
# Copyright:   (c) 2012
#-------------------------------------------------------------------------------


from xml.etree import ElementTree

with open('test.mbsa', 'rt') as f:
    tree = ElementTree.parse(f)
print "servername" + "|"+"domainname" +"|"+"scandate"+"|"+"id" +"|"+ "severity" +"|"+ "Patchtype" + "|"+"Description"
for node in tree.iter('SecScan'):
    name = node.attrib.get('Machine')
    domain = node.attrib.get('Domain')
    scandate = node.attrib.get('LDate')
    if name and domain:
        print '  %s :: %s' % (name, domain)
    else:
        print name

for node in tree.iter('UpdateData'):
    id = node.attrib.get('ID')
    if id:
        isinstalled = node.attrib.get('IsInstalled')
        if isinstalled == 'false':
            bid = node.attrib.get('BulletinID')
            if bid:
                bulletinid = bid
            else:
                bulletinid = "None"
            idd = node.attrib.get('ID')
            #print "Patch id = " +idd
            severity = node.attrib.get('Severity')
            #print "Severity = "+severity
            dtype = node.attrib.get ('Type')
            #print "Patch type:" + dtype
            for p in node.getiterator('Title'):
                desc = p.text
            print name + "|"+domain +"|"+scandate+"|"+idd +"|"+ severity +"|"+ dtype + "|"+desc

AIX oneliners for auditing

Locked Accounts

#sudo cat /etc/security/user | grep -iE '\:|account_locked'|grep -iv '*'

Last password change date
#for a in `cut -f1 -d: /etc/passwd | grep -v '\+' `;do echo $a; /usr/bin/sudo /usr/lbin/getprpw $a; done|cut -f9 -d ','

NFS shares:
#/usr/bin/sudo cat /etc/exports||echo 'file not found'

Inactive Accounts:
#/usr/bin/sudo lsuser -a id ALL | awk '{ print $(NF-1) }' |while read user ; do sudo lssec -f /etc/security/lastlog -s $user -a time_last_login;done

Last password change date:
#/usr/bin/sudo lsuser -a id ALL | awk '{ print $(NF-1) }' |while read user ; do sudo lssec -f /etc/security/passwd -s $user -a lastupdate;done

All SNMP strings:
#/usr/bin/sudo cat /etc/snmpd.conf|grep -iE '^[a-z][A-Z]'

Default SNMP

#sudo cat /etc/snmpd.conf | grep -iE 'community|public|private' |grep -iv '# '

List of services:
#/usr/bin/sudo cat /etc/services |grep -iE '^[a-z][A-Z]'

Users with uid=0, gid=0

 #cat /etc/passwd | grep ':0:'

#cat /etc/group | grep ':0:'

Check if auditing service is running:
#/usr/bin/sudo ps -ef |grep auditd|grep -v 'grep'||echo 'not enabled'

List of sudoer:
#/usr/bin/sudo cat /etc/sudoers|grep -iE '^[a-z][A-Z]'

unmask value

sudo lssec -f /etc/security/user -s default -a umask

List of users:

sudo cat /etc/passwd|cut -d ':' -f1

account/password policy:

sudo lssec -f /etc/security/user -s default -a maxage

sudo lssec -f /etc/security/user -s default -a maxexpired

sudo lssec -f /etc/security/user -s default -a minalpha

sudo lssec -f /etc/security/user -s default -a minother

sudo lssec -f /etc/security/user -s default -a minlen

sudo lssec -f /etc/security/user -s default -a mindiff

sudo cat /etc/security/user | grep -iE '\:|loginretries'

sudo cat /etc/security/user | grep -iE '\:|histsize'

sudo cat /etc/profile |grep -i 'tmout'

sudo cat /etc/security/user | grep -iE '\:|histexpire'

sudo cat /etc/security/user | grep -iE '\:|pwdwarntime'

sudo cat /etc/security/user | grep -iE '\:|maxrepeats'

Login Delay

sudo cat /etc/security/login.cfg | grep -i 'logindelay'

Log Login attempts:

sudo ls -l /var/adm/ /etc/security |grep -iE 'loginlog|sulog|failedlogin'

cat /etc/services

Windows 7 God Mode

Lol.. what is god mode? i asked my self ... GodMode reminds me of shooting Games .. lol

Well we are talking abt windows

Getting Godmode is so Easy

1)Create a new folder

2)rename it to GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

There u have a god mode .. so easy isn't it

Detecting Load Balancers

While penetration testing we might require to find the load balancers on the site, it's pretty complicated to find the no of load balancers,
there is a good tool that comes in handy, it's halberd

installation
------------
# tar -xzvf halberd-0.2.3.ta.gz
# python setup.py install

running:
--------
# halberd www.site.com
or
# halberd