OSCP: People who stare at exploits.


EDITORS NOTE: First I wanted to make a lego version of that famous movie poster. Well now you guys get a lego pic and then some pics making your head go spinning .. that is my head right now.

Well I have some problems with the PWK course. Well not with the course so to say. More with the whole security industry as such. I have some contact with alumni of that course and actually most complain about the “finding the right exploits” part of the course. Not because you don’t know how to attack a machine. Nope, you KNOW how to attack that thing. But finding a nice working exploit is a bad experience.


Everybody talks about cyberweapons. Now everybody is thinking about cruise missile etc. But in reality we have more rusty unreliable fireworks. Could look but also could explode in your face.


The core problem is that the it-security research is far from a scientific research I’m used too from my engineering background. Exploit-DB is far from a proper Database in my eyes. Lets look at ordering an electronics component for a project. On most pages I can order by type, cost, mounting , wattage, voltage ,…..,…. etc etc. On exploit-db I have just one search field. It would be so much easier to search for os versions, date, programming language and such. The main problem is that exploits are a big business with 0day markets and such. Just look at the “framework” of metasploit. Here we have some “basic” metadata missing from the exploits. This feature is then sold as “smart” explotation in the better versions. Same for Nessus vs OpenVas. These databases are paid content for companies. To have a proper research it would be perfect to have a university host the exploit-db with a good search and good metadata.


For all the persons looking for a good exploit. Sorry having a exel spreadsheet with working explotits is the working base for each pentest company and cyberwar units So finding good information consist for the normal mortals of starring at your google results till your head spins and google starts to complain about all that evil search terms.

Latex Reporting: My HOSTtemplate

Hi a quicky .. maybe somebody will find that usefull …

I make one file per host and include them per include into my main report.

Packets used etc are in the main file .. if somebody wants it just give me a heads up . .don’t know if latex blogging is interessting.

Greetings ucki



\caption{Service enumeration \rechnername}\\
Open Port&Type&Service&Version\\
&&&\\ \hline


\subsubsection{Other Informationleakage}


%for niktoscans etc a code listing


Everybody knows https://en.wikipedia.org/wiki/Clarke’s_three_laws right ? The magic part …. Well today I had a moment of pure truth. I need wizard robes. Well to start with the beginning. I was working on the new version of my recon pack. URP-T .. while trying to figure out git .. not worth the hassle for some text files (now), I came across this (german) text http://www.heise.de/newsticker/meldung/Kommentar-Ein-Plaedoyer-fuer-die-aussaetzigen-Zauberer-3197127.html about https://en.wikipedia.org/wiki/Anathem . That we (the IT-community) actually like our “image”. Well I bet half of you (guys) are wearing a black shirt right now.

My whole life was magic for most people.

Engineering : MAGIC

IT-Support: MAGIC


Doing counterespionage and IT-security: DARK MAGIC


Now OSCP course: DARK MAGIC !!!!

Well actually I tried to write a script to search exploits based on my findings in the recon scripts …

I tell you one secret of my wizard powers: searchsploit is nice in theory .. searching from the bash .. but actually you have to read the description anyways .. so opens browser copy string .. hit search .. reads text beats any script ….

I mean lets have a look at the dark magics .. shall we ?

If you are honest with you all that pure magic stuff I mentioned earlier boils down to searching in files and reading up stuff. Be it in a library or on google.

Heck even I could write a virus scanner … grab a file .. make a md5 hash → look it up in a virus db . It turns out that this simple bash exercise http://www.mashthatkey.com/2014/09/using-curl-to-retrieve-virustotal.html is actually a big venture capital thing in the silicon valley. Look at this http://venturebeat.com/2016/05/08/software-security-suffers-as-upstarts-lose-access-to-virus-data/

This is not a rant .. more a question .. WHERE DID YOU GUYS GOT YOUR ROBES FROM ??

Any shopping advices ? I would like some cool circuit stitching … And I don’t have a LEGO wizard … meh …


BTW: URP-T is out .. I hope it is better to use this way from bash …https://github.com/ucki/URP-T-v.01

When reality clashes with ideas, another blog post about enumeration. – Presenting URP


If you started t read the blog from the beginning you will see that I failed hard. I ranted about scripting your enumeration. And now I release my own script pack. Well that escalated quickly.

Some background:

At first I was quite happy to type my nmap & co commands by hand.

Unfortunately I had some problems to make a useful folder structure.

Then each tool had a slightly different syntax how to add targets. One would need a singular ip, the next one needed a range like other like

So scanning got annoying quite fast. Do scan 1, then copy ip, changing names for the scans etc etc.

Then somebody introduced me to sparta and a book to magic tree. Two nice tools, but they have some problems in the flexible scanning department. Lets have a look at the sparta.conf :







As you see, nmap has a little problem with port specification. It is hard to select stuff like – -top-ports 1-10 and later 11-20 or so. And you can’t select (by default) which stages of the staged nmap to run.

And you have no convenient way to get a port list for your documentation. And it is mesy in the project folder.

So I started to build my custom scripts, first to make folders for each host. Then to generate a ip list for each tool with a different syntax. Then to find open ports.

Well lets have a look into each script (aka the tutorial, version 08.05.2016 )

All scripts are build for kali linux.

Script 00 the kali vm has sometimes a drifting clock, so just to make sure that the clock works.

Script 0, well just making sure that the /results folder is there. And building the most basic wordlist for onesixtyone.

Script 1, actually the main script of the tool. It manages the IP list. It is build for IP’s in a company network, not domains.

(this is a breaking point, don’t blame me if you run these scripts against the internet or www.google.com or so). It takes the arguments (nmap notation possible, so, and would be possible) and builds two lists. One of all possible targets > IP.txt. And one of all online IP after a nmap scan > online-IP.txt

Script 2 builds a folder for each online host. And it scans for SNMP, HTTP, FTP and SMB on each machine.

Script 3 runs some NETBIOS recons against online targets. Actually it runs more of them then necessary, but I wanted every possible output for later.

Script 4 generates UDP161-IP.txt, HTTP-IP.txt, FTP-IP.txt, SMB-IP.txt to have a subset of targets for more specialized scans.

Script 5 runs different SNMP attacks. Again some stuff double, but I want to have more output before I have some weird awk stuff going on etc …

Script 6 Nmap top 200 ports, UDP & TCP. A fast scan are 100 ports, a full scan are 1000 ports. I think 200 is a nice spot. Double the fast scan and the top 20% of the “full” scan.

Script 7 Nikto against all potential webserver, this script could be better. Right now it is more or less a default nikto.

Script 8 Enum4Linux, again more or less default, just easier to run this way because of syntax. So I have a nice file per host and not a HUGE file for the whole range.

Script 9 & 10 & 11 are nmap scans to get all ports of a target. One range at a time. Could make it more modular, because a huge scan with many ports against many targets will break. But then just use fewer ip’s in Script 1. Running THIS SCRIPTS AGAINST THE INTERNET would be stupid. SCRIPT 11 WILL TAKE TIME.. A LOT … REALLY

Script UU will try to get all unique usernames from the NETBIOS and SNMP scans. It will generate a alluser.txt. Could be useful.

Script XX tries to find all open and open|filtered ports form the nmap scans and puts them in different files. One just for UDP one for TCP, one easy to copy into your documentation with one port per line. One to copy into nmap in their port format. There is no guarantee to find every port, but chances are that if you stay in the -oA ./results/<hostip><hostip>-nmap<scanname> format with further nmap scans you should be golden.

Script YY are a set of different levels of version recon and OS detection for nmap. It grabs the ports from script XX and then tries to figure out what is running. JUST REMEMBER: high version-intensity might break some services, and also it will take longer. So start with the lower version intensity. If needed just copy these scripts with intensity up to 9 😉

So far so good: you can grab your copy here: https://github.com/ucki/URP

I’m glad for feedback, this project was a insane idea at midnight, so not perfect. But I hope it is easy enough to read.

Greetings Ucki

OSCP BOOOOTTTTTYYY and Bummelstreik.

ARRRRR got me booootttyyy … Just going back to the real old basics got me two proofs. Nice …

This will be just a quick post. The weather is to nice for hacking. Just a quick thought to tarpitting, or Bummelstreik (work to order) .

My worst fear so far for the exam. Getting the server equivalent of this http://jollyrogertelephone.com/category/jollyrogertelephone/

OSCP Day 3 A clean ship .. or better mapping that treasure Mate !! ARRRRRRRRRR



After 2 days in the lab I was drowning in infos (see my last post ).

I stumbled over some problems:

1) The tools are picky about how they get their ip ranges. Some want X.X.X.1-254 some want a single IP, some want /24 etc. Annoying.

2) Some Tools have HUGE LOGS .. and searching through them for one server is annoying

3) I suck at naming files scan1.txt .. helpful.

So I made this stupid script. Each tool gets added and I can activate or deactivate the tools via editing that script without messing up my filesystem with stupid names.


echo Making a IP list

nmap -sL $@ >./results/nmapiplist.txt

cat ./results/nmapiplist.txt |grep „Nmap sc“|cut -d “ “ -f 5 >./results/IP.txt

First stupid Hack …I “normalise” my IP input. Nmap is ok with any IP notation .. and the -sL option just converts that in a nice list. Grep etc and I have a nice file with all the IP. In this case I could do it in one line. But for other nmap scans I want to wait and have the nmap output. In this step I prepare my IP lists (more about that later).


for word in $(cat ./results/IP.txt);do mkdir ./results/$word ; done

Now I create a folder for each host ….

#Tool 1 (etc)

for word in $(cat ./results/IP.txt);do TOOLNAME $word>./results/$word/$word-TOOLNAME.txt & done

This spawns a copy of the tool for each IP. Not the most efficient way of doing it. But I get a good speed by running a lot in parallel. And every Tool puts the output in the folder of the host.

BEWARE: Only caveat is that you need to make separate IP lists for some tools. You don’t want an output file just saying:”No Host found”. So maybe first check if your IP list is online. In reality I have a bunch of different IP-List generated after step 1 and feed the tools only the list of candidates. So I reduce the false positives.

sleep 120

Waiting for a while .. some tools are slow to write their files ….

And then I remove every empty folder. So I have (ok some folders with empty files are left, but manageable) a nice structure. Every output sorted by tool.

echo Removing Empty folder

find ./ -type d -empty -delete

So much for this moment. Happy sailing …

Greetings Ucki


So daylong nmap scan crashed. Perfect. After watching the % tickling up .. I NEEEEDDDD MOOOOORRRREEE BBBRRRRAAAIIINNNZZZ

First of: Small hint –top-ports 1000 = useless. Read it up. After I did that, I felt stupid.

Then the V flag should also be a must read.

brainbobThen I have a gazzilllion files from some other enumeration stuff. You know sometimes it is hard to get somebody to talk. But when they talk .. THEY WON’T STOP !!!!!

So my status right now: To much info .. and the direct wisch to inflict some pain to the person thinking that 1312312.21312312312.213456746456.3432423423.23.23323..2332 or 13213-3423423-432423-3434247-436787543-57876546-3434-4 would be a great name for object in windows .. like better than lets say ports.open or if you want egon or so .. hell that stuff is annoying to grep.

While we are on grep .. I had that problem that I wanted to remove the “ from “string”.

My pro solution: cat input.txt | rev | cut -c2-|rev|cut -c2-

and because I used so much hyphen-minus here. A quick remark about the OS PWK course material.

If you brag about “TRY HARDERRRRRRR !!!!!!” and about that you expect a perfect spelling etc.


U+2012 is not U+002D

.. think about it.

A hyphen-minus is not a dash. The first examples have that bug. Annoying. Copy paste and then trying to find the error. Not to easy I you have scaled your terminal to small to see the different length.

And while we are encoding. Spent most of the day with my latex templates. Had to build in a function to mark changes in the code listings red. If somebody wants it, just comment and I will make a git or so …..

Greetings ucki

OSCP Day 1: Preparing for the Deep Dive.

Prepping for that deep dive into the unknown. But first I started quite shallow.


So today my course started. Downloading the manual. Connecting and then starring at a nmap output for a while. I did the Ramius .. JUST ONE PING.


But hell that was a stupid idea. My nmap sills are rusted. But I will keep the scan running. Wasted enough time on it. And got some good laughters out of the material so far. The team behind that course has a wicked humor. The only box I opened and owned today was a LEGO box. Well at least one box.