Tools that I wish I had known about sooner
While preparing for the OSCP I found a couple of tools and tricks I didn’t know earlier. Notably, none of this was in the course; I learned most of it from the community, meaning mostly some random Chinese hackers.
fc
Short for “fix command”. This command is commonly found on Linux, but somehow forgotten. I’ve used Linux for years and only recently learned about it.
It lets you edit the previously typed command in your default editor. It’s much easier to fix a long nmap / dirsearch command with it!
rlwrap
rlwrap -cAr nc -lvnp 1337 - a nc listener on port 1337, wrapped in rlwrap, which gives you command history and the ability to delete characters.
I can’t count how many times I’ve accidentally broken my reverse shell by typing something weird, or pressed Ctrl + C. This one is my favorite tool for simple reverse shells.
As a bonus, you can generate reverse shell commands for it on: https://www.revshells.com/
Don’t forget to run python3 -c 'import pty; pty.spawn("/bin/bash")' in that shell to “upgrade” it.
AutoRecon
https://github.com/Tib3rius/AutoRecon
It simply makes recon faster. It’s obviously still important to know nmap well, but running this tool lets you start attacking quickly.
netexec - AD Swiss army knife
Mentioned during the OSCP and a generally well-known tool, but it has so many options that I didn’t notice at first:
- can do BloodHound collection
- SMB spidering
- generating a hosts file based on IPs
- can do Kerberoasting and AS-REP roasting
- supports Kerberos auth (like most AD related tools)
- with ldap, it can query things like active admins and similar information - very nice for quick AD recon or to check something
And much more. One of the best all-in-one tools for AD - https://www.netexec.wiki/smb-protocol/command-execution/execute-remote-command
faketime
Very useful for syncing time for Kerberos-related commands.
You can check the time difference with nmap:
nmap -sC -p445 victim.com
Then you prefix any command that needs a different time with faketime, for example to add 8 hours to the current time:
sudo faketime "$(date -d '+8 hours' '+%Y-%m-%d %H:%M:%S')" nmap -sC -p445 victim.com
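As an added example (not from the original post), here is a small shell script that reads the clock skew nmap reports and builds the timestamp argument for faketime from it, instead of hardcoding "+8 hours". The nmap output is a constructed sample, and the script assumes a POSIX shell, sed and GNU date (-d):

```shell
#!/bin/sh
# Added example, not from the original post: pull the clock skew out of
# nmap's clock-skew line and turn it into the timestamp string faketime
# expects. Assumes a POSIX shell, sed, and GNU date (-d).

# Constructed sample of "nmap -sC -p445" host script output; the values
# are made up and will differ on a real target.
SAMPLE_NMAP_OUTPUT='Host script results:
|_clock-skew: mean: 7h59m58s, deviation: 0s, median: 7h59m58s
| smb2-time:
|   date: 2024-01-01T08:00:00
|_  start_date: N/A'

# Print the first skew token (e.g. "7h59m58s" or "-2h40m00s") found on stdin.
extract_skew() {
    sed -n 's/^|[_ ]clock-skew:[[:space:]]*\(mean: \)\{0,1\}\([-0-9][0-9dhms]*\).*/\2/p' | head -n 1
}

# Convert nmap's d/h/m/s notation to a signed number of seconds. Leading
# zeros (nmap prints e.g. "2h05m00s") are stripped so they are not read as octal.
skew_to_seconds() {
    rest=$1 sign=1 total=0
    case $rest in -*) sign=-1; rest=${rest#-} ;; esac
    for unit in d h m s; do
        case $rest in
            *"$unit"*)
                n=$(printf '%s' "${rest%%"$unit"*}" | sed 's/^0*//')
                rest=${rest#*"$unit"}
                case $unit in d) mult=86400 ;; h) mult=3600 ;; m) mult=60 ;; s) mult=1 ;; esac
                total=$((total + ${n:-0} * mult)) ;;
        esac
    done
    printf '%s\n' "$((sign * total))"
}

# Build the timestamp argument for faketime from a signed skew in seconds,
# in the same "%Y-%m-%d %H:%M:%S" format the post uses.
faketime_arg() {
    date -d "$1 seconds" '+%Y-%m-%d %H:%M:%S'
}

skew=$(printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_skew)
secs=$(skew_to_seconds "$skew")
echo "target clock is off by $skew ($secs s)"
echo "run: faketime \"$(faketime_arg "$secs")\" nmap -sC -p445 victim.com"
```

On a real box, pipe the actual nmap output into extract_skew instead of the sample; a negative skew is handled the same way.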
impacket scripts
These are commonly suggested by BloodHound as a way of escalating privileges, and the smb script is also better for interactive SMB browsing than any other tool I have used before.
I highly recommend getting familiar with most of them.
RunasCs
https://github.com/antonioCoco/RunasCs
Great for switching users on Windows without a GUI.
Honorable mentions
- chisel - great tool for pivoting, mentioned in OSCP course
- Evil-WinRM - well-known, but good tool
- python3 -m http.server 80 - quite well known and simple, but I love the idea of creating the server on the fly just to upload something.
- vim and tmux - knew them before but can’t imagine life without them. I use them both on my machine, and they can often be found on random Linux boxes.