I used the 2020.1 version of the Kali VM: https://support.offensive-security.com/kali-vm/

Replace `${IP_WIN10}` and `${IP_DEBIAN}` with your Kali and lab machine IPs.
I ran Kali in VMware Fusion (v11.5.6) on macOS, and used VM shared folders so that I could work mostly with tools in my existing development setup on the (more responsive) host machine. VSCode has some fantastic extensions to help you write markdown, and I could SSH into Kali and run tmux with the excellent built-in terminal, meaning most things (other than those requiring a web GUI) could be done without switching between windows much.
In some rare cases, you'll find a tool doesn't work properly in these shared folders (e.g. `ftp`, `samba`) because the folders are owned by `dialout`, not `kali`, so just watch out for that.
If you want to be a security expert, you gotta practice what you preach. Run things as `kali` instead of `root` wherever possible, and change the default Linux passwords on your machine with `passwd`. Use a password manager to generate strong passwords and store any other passwords you set.
In a sudo shell (`sudo -s`), add a script to mount the shared folders:

```sh
cat <<EOF | sudo tee /usr/local/sbin/mount-shared-folders
#!/bin/sh
vmware-hgfsclient | while read folder; do
  vmwpath="/mnt/hgfs/\${folder}"
  echo "[i] Mounting \${folder} (\${vmwpath})"
  sudo mkdir -p "\${vmwpath}"
  sudo umount -f "\${vmwpath}" 2>/dev/null
  sudo vmhgfs-fuse -o allow_other -o auto_unmount ".host:/\${folder}" "\${vmwpath}"
done
sleep 2s
EOF
sudo chmod +x /usr/local/sbin/mount-shared-folders
```
and add a script to restart open-vm-tools:

```sh
cat <<EOF | sudo tee /usr/local/sbin/restart-vm-tools
#!/bin/sh
systemctl stop run-vmblock\\\\x2dfuse.mount
sudo killall -q -w vmtoolsd
systemctl start run-vmblock\\\\x2dfuse.mount
systemctl enable run-vmblock\\\\x2dfuse.mount
sudo vmware-user-suid-wrapper vmtoolsd -n vmusr 2>/dev/null
sudo vmtoolsd -b /var/run/vmroot 2>/dev/null
EOF
sudo chmod +x /usr/local/sbin/restart-vm-tools
```
Create a shared folder in the VM, e.g. `workspace`, then link it into your home directory with `ln -s /mnt/hgfs/workspace/ ~/`.

Add a directive to auto-mount the workspace at reboot using `sudo crontab -e`:

```
@reboot /usr/local/sbin/mount-shared-folders
```
- Open a sudo shell: `sudo -s`
- Copy `OS-XXXXX-PWK.ovpn` to `/etc/openvpn/pwk.conf` (notice the file extension is now `.conf`)
- Modify the line `auth-user-pass` to be `auth-user-pass /etc/openvpn/pwk.creds`
- Create a VPN creds file `/etc/openvpn/pwk.creds` that contains only the VPN username and password separated by a newline, then lock the files down: `sudo chmod 600 /etc/openvpn/pwk.*`
- Toggle the VPN with `systemctl [start|status|stop] openvpn@pwk`

If you prefer a GUI, here's how to do that.
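The four steps above scripted as an added example (my code, not part of the original notes): it rewrites the `auth-user-pass` line, writes the creds file under a restrictive umask, and verifies the result before you `systemctl start openvpn@pwk`. The destination directory is a parameter so the functions can be exercised against a temporary directory; the username and password come from `PWK_USER` / `PWK_PASS` (my choice of variable names) so they never land in shell history. Assumes GNU sed/stat, as on Kali.

```sh
#!/bin/sh
set -e

# install_pwk_vpn OVPN_FILE DEST_DIR
# Writes DEST_DIR/pwk.conf (the .ovpn with auth-user-pass pointed at the creds
# file) and DEST_DIR/pwk.creds (username, newline, password), both mode 600.
install_pwk_vpn() {
  ovpn="$1"; dest="$2"
  conf="$dest/pwk.conf"; creds="$dest/pwk.creds"
  [ -f "$ovpn" ] || { echo "no such .ovpn: $ovpn" >&2; return 1; }
  [ -n "$PWK_USER" ] && [ -n "$PWK_PASS" ] || { echo "set PWK_USER and PWK_PASS" >&2; return 1; }
  # Exactly one auth-user-pass directive is expected; refuse to guess otherwise.
  n=$(grep -c '^auth-user-pass' "$ovpn" || true)
  [ "$n" -eq 1 ] || { echo "expected 1 auth-user-pass line, found $n" >&2; return 1; }
  mkdir -p "$dest"
  sed "s#^auth-user-pass.*#auth-user-pass $creds#" "$ovpn" > "$conf"
  # umask 077 in a subshell: the creds file is never world-readable, not even briefly.
  (umask 077; printf '%s\n%s\n' "$PWK_USER" "$PWK_PASS" > "$creds")
  chmod 600 "$conf" "$creds"
  echo "$conf"
}

# verify_pwk_vpn DEST_DIR -> prints "ok", or the first problem found (exit 1).
verify_pwk_vpn() {
  dest="$1"; conf="$dest/pwk.conf"; creds="$dest/pwk.creds"
  grep -qx "auth-user-pass $creds" "$conf" || { echo "conf does not reference $creds"; return 1; }
  mode=$(stat -c '%a' "$creds")
  [ "$mode" = "600" ] || { echo "creds mode is $mode, want 600"; return 1; }
  lines=$(grep -c . "$creds" || true)
  [ "$lines" -eq 2 ] || { echo "creds has $lines non-empty lines, want 2"; return 1; }
  echo "ok"
}
```

On the VM, as root with the two variables exported: `install_pwk_vpn ~/OS-XXXXX-PWK.ovpn /etc/openvpn && verify_pwk_vpn /etc/openvpn`.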
Usually the Ethernet / VPN connection gets broken if you sleep your host machine; check for this with `ip -br a`.

If `eth0` has no IP, then you can restart NetworkManager with:

```sh
sudo systemctl restart NetworkManager
```

If that doesn't work, I've found that right clicking the network manager icon and toggling the `Enable Networking` checkbox twice usually fixes things.

If `eth0` has an IP and `tun0` doesn't, you can resume the VPN connection with:

```sh
sudo systemctl restart openvpn@pwk
```

When `tun0` has an IP, then you should be good.
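The eth0/tun0 checklist above as an added example (my code, not part of the original notes): it reads the text of `ip -br a`, looks for an IPv4 address on each interface, and prints which restart applies. The function takes the command output as an argument so it can be exercised on the constructed sample text below; on the VM call `classify_net "$(ip -br a)"`.

```sh
#!/bin/sh

# first_v4 IP_BR_TEXT IFACE -> the first IPv4 address/prefix on IFACE, or nothing.
# Columns of `ip -br a` are: name, state, then one address per field, so an
# interface that only kept its fe80:: link-local address yields no IPv4.
first_v4() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    $1 == ifc { for (i = 3; i <= NF; i++)
                  if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\//) { print $i; exit } }'
}

# classify_net IP_BR_TEXT -> one line: STATE: what to do
classify_net() {
  eth=$(first_v4 "$1" eth0)
  tun=$(first_v4 "$1" tun0)
  if [ -z "$eth" ]; then
    echo "no-eth0-ip: sudo systemctl restart NetworkManager (or toggle Enable Networking twice)"
  elif [ -z "$tun" ]; then
    echo "no-tun0-ip: sudo systemctl restart openvpn@pwk"
  else
    echo "ok: eth0=$eth tun0=$tun"
  fi
}

# Constructed sample outputs in `ip -br a` layout (not captured from a real VM).
SAMPLE_ALL_UP='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.168.61.130/24 fe80::20c:29ff:fe11:2233/64
tun0             UNKNOWN        192.168.119.201/24 fe80::1234:5678:9abc:def0/64'
# host slept: eth0 kept only its link-local IPv6 and tun0 is gone entirely
SAMPLE_ETH_DOWN='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             fe80::20c:29ff:fe11:2233/64'
# LAN fine, VPN dropped
SAMPLE_VPN_DOWN='lo               UNKNOWN        127.0.0.1/8 ::1/128
eth0             UP             192.168.61.130/24 fe80::20c:29ff:fe11:2233/64'

for s in "$SAMPLE_ALL_UP" "$SAMPLE_ETH_DOWN" "$SAMPLE_VPN_DOWN"; do classify_net "$s"; done
```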
Do regular VM snapshots, especially at the start when you're installing stuff. If you are using shared folders, you're not going to lose your write-ups if the machine gets trashed, but it's still a pain in the butt to set everything up again the way you like it.
If you're using VMware Fusion, you can enable daily, weekly and monthly AutoProtect snapshots so you don't have to think about it.
Note: Be aware of what network you are on when doing this; connecting to Kali updates is a dead giveaway that you're running Kali.

```sh
searchsploit -u
sudo apt update
```

(Optional) This may break things and is not totally necessary. Do a snapshot first!

```sh
sudo apt full-upgrade -y
```

```sh
sudo apt install -y python3 python3-pip
```
The following is lifted from the autorecon install instructions:

Additionally, if you experience any issues with the stability of the python3-pip installation (as reported by a number of people installing pip3 via apt on the OSCP distribution of Kali), you can install it manually as follows:

```sh
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py
```

Further, it's recommended you use pipx to manage your Python packages; this installs each Python package in its own virtualenv and makes it available in the global context, which avoids conflicting package dependencies and the resulting instability. To summarise the installation instructions:

```sh
python3 -m pip install --user pipx
python3 -m pipx ensurepath
```
Because `root` has a different `$PATH` to `kali`, extra information sometimes needs to be passed to `sudo` to run scripts. `root`'s path is:

```console
$ sudo -s
kali# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

Sometimes scripts are not installed into this path, e.g.

```console
$ which autorecon
/home/kali/.local/bin/autorecon
```

If this is the case, you can either:

- Call the script directly:

  ```sh
  sudo $(which autorecon)
  ```

- Add the script's path to the `secure_path` set in `/etc/sudoers` (edit it with `sudo visudo`). Add the path (e.g. `/home/kali/.local/bin/`) to the end of `Defaults secure_path`:

  ```
  Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/kali/.local/bin/"
  ```

- Provide `sudo` with some of Kali's env:

  ```sh
  DECLARE_PYENV="$(declare -f pyenv)" sudo --preserve-env="PATH,PYENV_ROOT,PYENV_SHELL,PYENV_VERSION,PYENV_VIRTUALENV_INIT,VIRTUAL_ENV" bash -c "$DECLARE_PYENV; pyenv"
  ```
I prefer `zsh` over `bash` because it has better history search, looks prettier and has amazing quality of life features. Just watch out for commands that have special characters which need additional quoting (or get into the habit of quoting all your shell command arguments), e.g. `curl 'url/?with=query&string=parameters'`.

Install zsh with:

```sh
sudo apt-get install -y zsh zsh-syntax-highlighting
```

Set up zsh plugins:

```sh
# echo "source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh" >> ${ZDOTDIR:-$HOME}/.zshrc
echo "source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> ${ZDOTDIR:-$HOME}/.zshrc
```

Set up oh-my-zsh. Note: always check scripts downloaded from the internet before running them.

```sh
curl -Lo install.sh https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh
sh install.sh
git clone https://github.com/zsh-users/zsh-completions ${ZSH_CUSTOM:=~/.oh-my-zsh/custom}/plugins/zsh-completions
```

Spaceship theme:

```sh
git clone https://github.com/denysdovhan/spaceship-prompt.git "$ZSH_CUSTOM/themes/spaceship-prompt"
ln -s "$ZSH_CUSTOM/themes/spaceship-prompt/spaceship.zsh-theme" "$ZSH_CUSTOM/themes/spaceship.zsh-theme"
sed -i 's/ZSH_THEME=".*"/ZSH_THEME="spaceship"/g' ~/.zshrc
```

Change the default shell:

```sh
chsh -s /bin/zsh kali
```

(log out and in for this to take effect)
```sh
export IP_WIN10="${IP_WIN10}"
export IP_DEBIAN="${IP_DEBIAN}"
# Get the IPV4 address of the tun0 interface
alias ip_tun0="ip -j -f inet address show tun0 | jq '.[0].addr_info[0].local' -r"
# URL Encode arguments (or STDIN)
alias urlenc='ruby -e "require \"cgi\"; print CGI.escape ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 Encode arguments (or STDIN)
# strict_encode64 is used rather than encode64: encode64 inserts a newline every
# 60 characters, which corrupts the value when it is pasted into a URL or header.
alias b64enc='ruby -e "require \"base64\"; print Base64.strict_encode64 ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 and URL Encode arguments (or STDIN)
alias urlb64enc='ruby -e "require \"base64\"; require \"cgi\"; print CGI.escape Base64.strict_encode64 ARGV.empty? ? STDIN.read : ARGV.join()"'
# URL Decode arguments (or STDIN)
alias urldec='ruby -e "require \"cgi\"; print CGI.unescape ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 Decode arguments (or STDIN)
alias b64dec='ruby -e "require \"base64\"; print Base64.decode64 ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 and URL Decode arguments (or STDIN)
alias urlb64dec='ruby -e "require \"base64\"; require \"cgi\"; print Base64.decode64 CGI.unescape ARGV.empty? ? STDIN.read : ARGV.join()"'
```
```sh
rdesktop -u offsec -p lab ${IP_WIN10} -r 'disk:winshare=/home/kali/winshare'
```

Note: you need to `mkdir ~/winshare` first.

```sh
rdesktop -u student -p lab ${IP_DEBIAN}
```
```sh
export session="labs" # or "exercises" or "exam"
mkdir -p "workspace/${session}/logs"
cd "workspace/${session}"
echo $'script -a "logs/$(tty | sed -E \'s/\\W/_/g\')-$(date -Iseconds)"' > .tmux_profile
tmux new -s "${session}"
```

then in your new session:

```sh
source .tmux_profile
tmux set-option -s -t "${session}" default-command "source $PWD/.tmux_profile; $SHELL -l"
```
You will need this for Exercise 4.2.4.1.1:

```sh
sudo apt install powercat
```

You will need this for Exercise 7.2.2.9.2:

```sh
sudo apt install seclists
```

You will need this for Ch 14. Open a root shell with `sudo -s`, then:

```sh
dpkg --add-architecture i386 && apt-get update && apt-get install wine wine32 mingw-w64
```

```sh
sudo apt install xclip
```

You can use this to copy a selection out of Vim:

```
:'<,'>w !xclip -i -selection clipboard
```

```sh
sudo apt install gobuster
```

```sh
sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner smbclient smbmap smtp-user-enum snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf
pipx install git+https://github.com/Tib3rius/AutoRecon.git
```
Note: When you create this network drive, it won't be available from an Administrator cmd / PowerShell.

Create the dir to share (files must be owned by `kali` for this to work):

```sh
mkdir ~/winshare
```

Add the workspace share to your Samba config:

```sh
cat <<EOF | sudo tee -a /etc/samba/smb.conf
min protocol = SMB2
[winshare]
path = /home/kali/winshare
browseable = yes
guest ok = no
write list = kali
read list = kali
EOF
```

Test your configuration with:

```sh
sudo testparm /etc/samba/smb.conf
```

Start smbd:

```sh
sudo systemctl start smbd
```

Change the default SMB password:

```sh
sudo smbpasswd -a kali
```

Validate that you are able to connect to the share locally with:

```sh
smbclient //localhost/winshare -Ukali
```
Enable file sharing on all networks.

Explorer -> Right Click Network -> Mount Network Drive

- Drive: `Z:\`
- Folder: `\\${IP_WIN10}\winshare\`
- Tick `Connect using different credentials`
- Finish

Credentials:

- User name: `WORKSPACE\Kali`

CLI doesn't seem to work, just mount the shared drive in the UI:

```
net use Z: \\${IP_WIN10}\winshare\ /USER:kali
cd Z:
echo $null >> test
```

Delete mounts:

```
net use * /del
```