powershell - TzuSec.com

How to launch Command Prompt and powershell from MS Paint

Posted on 2022-05-14 by Rickard

This guide will show you how you can launch cmd and Powershell with help from Microsoft Paint. Sometimes organisations environments are being locked down and are preventing users from right clicking and opening tools such as cmd.exe or powershell.exe. When I face that during a penetration test I usually try this simple mspaint hack to check if I can get around the organisations defensive measures.

How to launch Command Prompt (cmd.exe)

Open Paint
Press Resize
Configure the size
1. Uncheck “Maintain Aspect Ratio”
2. Click on “Pixels”
3. Horizontal: 6
4. Vertical: 1
5. Press OK
Zoom in so you can see the pixels.
The next step is to color these six pixels in the correct colors. Press “Edit colors’ and then change the colors for each pixel according to the list below. You modify the colors by changing the values of Red, Green and Blue:

Colors for each pixel:
1. Red(10), Green(0), Blue(0)
2. Red(13), Green(10), Blue(13)
3. Red(100), Green(109), Blue(99)
4. Red(120), Green(101), Blue(46)
5. Red(0), Green(0), Blue(101)
6. Red(0), Green(0), Blue(0)
When you have filled the pixels with the correct colors it should look like this:
The next step is to save the file by pressing “Save As” and then changing file format to “24-bit Bitmap”.
Now the last step is to change the file format of the file from .BMP to .BAT
Now just double click on the new .BAT-file.
Voila

How to launch Powershell

The process is the same for powershell, the only difference are the colors. Instead of the colors above use these:

Red(10), Green(0), Blue(0)
Red(13), Green(10), Blue(13)
Red(119), Green(111), Blue(112)
Red(115), Green(114), Blue(101)
Red(108), Green(101), Blue(104)
Red(0), Green(0), Blue(108)

How it works:

What we do is changing the color of the six pixels so that they in heaxdecimal represents ‘cmd.exe’/’powershell’. When we save the file to .BMP the encoding algorithm converts the RGB colors to ASCII data. When that is done and we change the file format to .BAT the .BAT script containts the instruction ‘cmd.exe’/’powershell’ that will be executed when we double click on the script.

I hope you did found this useful. It’s a pretty cool trick to have in your arsenal during penetration tests.

// Rickard Carlsson

What is SPF and how do you configure it?

Posted on 2022-03-17 by Rickard

What is SPF?

SPF stands for Sender Policy Framework and is an email autentication method. It helps the receiving mail server to verify whether an email have been sent from an allowed email server or not.

Your SPF policy is set up by publishing it in the form of a TXT record in your DNS. It works as an allow list for your domain and you declare where emails from your domain can originate from. Worth to mention is that this policy doesn’t prevent spoofed emails from being sent, but it allows receiving email servers to verify if the email was sent from a legit source.

How to configure SPF?

You configure SPF by adding a TXT record to your DNS. Begin your spf record by adding the protocol version and version 1 (spf1) is currently being used:
v=spf1

Then add the IP adresses or other SPF-record that you want to include. For example:

Add a specific IP address:
ip4:23.103.224.10
Or include another SPF-record, for example the record for Microsoft Exchange Online:
include:spf.protection.outlook.com

Lastly add the instruction to receiving email servers on how to act if the sender address is not included in your SPF-record. The most common way is to set it to “StrictFail” which means that you instruct the server to reject the email.
-all

So in this case the SPF record would look like this:

v=spf1 ip4:23.103.224.10 include:spf.protection.outlook.com -all

Verify your SPF-record

When you have created your SPF-record it’s a good idea to verify that everything looks good. There are many different ways to inspect your SPF-record, you can either use an online tool like mxtoolbox or dmarcadvisor or you can check it manually.

Verify with MXToolbox

Open your browser and browse to https://mxtoolbox.com/SuperTool.aspx and enter the domain your want to inspect and then press “SPF Record Lookup”:

Verify with Dmarcadvisor

Open your browser and browse to https://dmarcadvisor.com/spf-check and enter the domain name your want to inspect and then press “Check SPF”:

Verify with Powershell (Windows)

Resolve-DnsName -Type TXT -Name tzusec.com

Verify using Linux

dig +short tzusec.com txt

// Rickard

Find all non-default services on you Windows machine with Powershell

Posted on 2020-09-012022-10-10 by Rickard

I just released a new video on Youtube where I show you how to use my new Powershell script for getting a list of all services that run on your windows machine that are not default services. You probably won’t need a video instruction on how to run a simple Powershell script but I’m sure it can help someone who is not so familiar with scripts.

The script is not something fancy, just a simple script that will list all non-default services and show you the info you might want to know.

Display Name
State
Start Mode
Status
Process ID
Exe Path
Description

Here is a link to the script:
https://github.com/tzusec/Get-NonDefault-Services

// Rickard

Grab All WiFi Passwords with just One Line of Code

Posted on 2020-04-112020-04-11 by Rickard

I just released a new video on my Youtube channel. The video will show you how you easily can grab SSID and password to all wireless that your Windows computer remember with a oneliner.

The command first lists all wlan profiles and then saves the SSID to a variable ($name). After that the password is gathered for each SSID and the password is saved to the variable $pass. After that a custom object is created were each SSID and password are being saved to a table.

The command to run in Powershell:
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize

It’s always great to have a oneliner for things like this. I used this method in one of my scripts that I show in the video “Grab login credentials with a BadUSB”.

//Rickard

Grab login credentials with a BadUSB

Posted on 2020-02-29 by Rickard

I just released a new video on my Youtube channel. The video will show you some things that can be done with a BadUSB.

A BadUSB is a device that simulates a HID in form of a keyboard and takes advantage of that the majority of today’s computers blindly trusts all USB-devices. The computer thinks that the device we plug in is a keyboard and that means that anything you we can do with a keyboard we can do with this device, but execute the payloads way faster.

There are many different versions of BadUSB. You can create your own using an arduino board or buy one from Hak5 or Maltronics. In the video I used a Malduino Elite.

//Rickard