Pentesting 101: Shells

by Vince
in Blog
Hits: 2692

Up until now, we've discussed using Nmap to scan for open ports, web fuzzers that enumerate directories and files, hash cracking, and we've even taken it a little further toward the victim with brute force attacks where we were able to login to a web application.  But even with the successful login to a web application, I feel like we're sort of just pecking around the perimeter.  Shells take us to that next level where we're able to pierce the skin and get below the surface.

This can be a tricky subject to wrap one's mind around, so rather than jumping into the idea of shells immediately, let's start off with leveraging a tool, Netcat, for two-way communication.  

To better help (I hope!) keep this straight, I've colored each side.

Read more

Vulnhub DC: 6 Walkthrough

by Vince
in Blog
Hits: 4751

A bunch of new releases on Vulnhub over the last few weeks.  Looks like two of the main contributors dumped quite a few new boxes and the one maker in particular has produced some very challenging boxes.  I'm torn between wanting to adhere to my strict allotted time and wanting to get sucked down a rabbit hole.  While I ponder that decision, I'll take a look at DC-6. 

Kicking off with an Nmap scan:

Read more

PowerShell Pinger

by Vince
in Blog
Hits: 2164

I own most, if not all, of the Hak5 gear because I like to see how each product works and possibly come up with a way to prevent the attack. 

The other day I received an email from them, went to their website, and was reminded of Bash Bunny.  I then wondered what it would take to make a Bash Bunny script to ping scan the network.  Then I wondered what it would take to do that in PowerShell, eliminating the Bunny from the equation.  And that's where this post is headed.

In Linux, I might not necessarily know the exact syntax for what I want to do but I probably have a good idea as to which commands I can use to do it.  I know that from ifconfig, I can get the IP address.  And with various other commands like sed, awk, cut, head, and tail, I can isolate to what I want exactly. 

The following one-liner parses ifconfig for the subnet:

Read more