OSCP Review/Cheat Sheet
After 30 days of lab time, 24 boxes, and countless nights of no sleep, I can officially say I passed OSCP. And like every other person who's passed the course, I'm going to do a little write up, except this time. Before I begin, I'll make it very clear that I had previous experience in pen testing and information security. Overall, what makes this course so valuable isn't the exploits themselves, but the technique behind them. Anyone can type "searchsploit ENTER_SOMETHING_HERE" and hope for the best. The hard part is enumerating everything, from dirb to crawling anonymous FTP servers. Cheat sheet time…
Enumeration:
Sparta
Hands down your best friend for the lab and exam. It runs multiple Nmap scans (TCP and UDP), with the option of using unicornscan as well. What makes this tool incredibly useful is that you can right-click open ports and see which tools are available to run against them. Plus, who doesn't love a clean GUI?
Nmap:
Set the target IP address as a variable so every command below can reference $ip
export ip=<target ip>
nmap -A -T4 -p- $ip
Netcat port scanning
nc -nvv -w 1 -z $ip 3388-3390
Discover active IPs using ARP on the network
arp-scan $ip/24
Discover who else is on the network
netdiscover
Discover IP, MAC and MAC vendor from ARP
netdiscover -r $ip/24
Nmap stealth scan using SYN (needs root; never completes the handshake)
nmap -sS $ip
Nmap stealth scan using FIN (only reliable against RFC 793 stacks; Windows answers RST on every port, so it shows nothing useful there)
nmap -sF $ip
Nmap banner grabbing (service/version detection over a full TCP connect)
nmap -sV -sT $ip
Nmap OS fingerprinting
nmap -O $ip
Nmap regular scan:
nmap $ip/24
Enumeration scan
nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
Enumeration scan, all ports TCP/UDP, output to a text file
nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
Note: a full-range UDP scan (-sU -p-) runs for hours; start it in the background, or begin with -sU --top-ports 100 and widen later.
Nmap output to a file:
nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
Quick scan:
nmap -T4 -F $ip/24
Quick scan plus:
nmap -sV -T4 -O -F --version-light $ip/24
Quick traceroute
nmap -sn --traceroute $ip
All TCP and UDP ports
nmap -v -sU -sS -p- -A -T4 $ip
Intense scan:
nmap -T4 -A -v $ip
Intense scan plus UDP
nmap -sS -sU -T4 -A -v $ip/24
Intense scan, all TCP ports
nmap -p 1-65535 -T4 -A -v $ip/24
Intense scan, no ping (-Pn treats every host as up, for targets that drop ICMP)
nmap -T4 -A -v -Pn $ip/24
Ping scan
nmap -sn $ip/24
Slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
Scan with a full TCP connect (-sT) in order to weed out any spoofed ports designed to troll you: a SYN scan reports "open" on a bare SYN/ACK, whereas -sT completes the handshake, so a port only shows as open if something actually accepts the connection
nmap -p1-65535 -A -T5 -sT $ip
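The scans above are usually chained: a fast full-range sweep saved in grepable form (-oG), then -sV/-sC only against the ports that came back open, which is far quicker than -A -p- on everything. The script below is an added example, not code from the original post; the .gnmap content it parses is a constructed sample in Nmap's grepable layout, and the target addresses 10.11.1.5/10.11.1.6 are made up. In real use, point open_ports at the .gnmap file written by your own sweep.

```shell
#!/bin/sh
# Two-stage Nmap workflow: full-range sweep -> extract open TCP ports ->
# targeted service/script scan on just those ports.

# make_sample FILE: write a constructed .gnmap file (NOT real scan output) in
# the layout `nmap -sS -sU -p- -oG FILE` produces: one "Host:" line per target,
# the Ports field tab-separated from "Ignored State".
make_sample() {
  printf '# Nmap 7.80 scan initiated as: nmap -sS -sU -p- -oG quick.gnmap 10.11.1.0/24\n' > "$1"
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n' >> "$1"
  printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd/, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n' >> "$1"
  printf 'Host: 10.11.1.6 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 53/open|filtered/udp//domain///\tIgnored State: closed (65533)\n' >> "$1"
}

# open_ports FILE HOST: print HOST's open TCP ports as "22,80,445"
# (empty line when the host has none or is absent). Filtered ports and
# UDP "open|filtered" guesses are skipped on purpose: only confirmed open
# TCP services are worth a -sV/-sC pass.
open_ports() {
  awk -v host="$2" '
    $1 == "Host:" && $2 == host && /Ports:/ {
      s = $0
      sub(/.*Ports: /, "", s)      # keep only the Ports field
      sub(/\t.*/, "", s)           # drop the trailing "Ignored State:" field
      s = ", " s                   # every entry, including the first, now starts with ", "
      # Anchor on the ", <port>/open/tcp/" shape rather than splitting on commas,
      # so a comma inside a version string cannot break the parse.
      while (match(s, /, [0-9]+\/open\/tcp\//)) {
        port = substr(s, RSTART + 2, RLENGTH - 2)
        sub(/\/.*/, "", port)
        ports = (ports == "") ? port : ports "," port
        s = substr(s, RSTART + RLENGTH)
      }
    }
    END { print ports }
  ' "$1"
}

# followup_cmd HOST PORTS: the second-stage command, printed rather than run
# so it can be reviewed or queued; -sC is the "default" script set.
followup_cmd() {
  printf 'nmap -sV -sC -p %s -oN targeted-%s.txt %s\n' "$2" "$1" "$1"
}

# Stand-alone demo on the constructed sample.
gnmap=$(mktemp)
make_sample "$gnmap"
for host in 10.11.1.5 10.11.1.6 10.11.1.7; do
  ports=$(open_ports "$gnmap" "$host")
  if [ -n "$ports" ]; then
    echo "$host open TCP: $ports"
    followup_cmd "$host" "$ports"
  else
    echo "$host: no open TCP ports recorded"
  fi
done
rm -f "$gnmap"
```

Against a real sweep, replace the sample with `nmap -sS -p- -T4 -oG quick.gnmap $ip` and feed quick.gnmap to open_ports; the printed follow-up command can then be run as-is.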
SMB
SMB OS discovery
nmap $ip --script smb-os-discovery.nse
Nmap port scan (a last-octet range starting at $ip; use $ip/24 for the whole subnet)
nmap -v -p 139,445 -oG smb.txt $ip-254
NetBIOS information scanning
nbtscan -r $ip/24
Nmap find exposed NetBIOS servers
nmap -sU --script nbstat.nse -p 137 $ip
Nmap all SMB scripts scan
SMB enumeration tools
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux $ip
enum4linux -a $ip
SMB fingerprinting (list shares, no password)
smbclient -L //$ip
Nmap scan for open SMB shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 $ip
Nmap scans for vulnerable SMB servers
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip
Note: unsafe=1 enables checks that can crash the target service; don't run it against a box you still need. Newer Nmap releases no longer ship smb-check-vulns; the checks were split into individual smb-vuln-* scripts, so use --script "smb-vuln*" there.
Nmap list all SMB scripts installed
ls -l /usr/share/nmap/scripts/smb*
Linux OS Enumeration
List all SUID files
find / -perm -4000 2>/dev/null
Determine the current version of Linux
cat /etc/issue
Determine more information about the environment (kernel version and architecture, which is what you match kernel exploits against)
uname -a
List running processes (with owning user, as a tree)
ps auxf
List the allowed (and forbidden) commands for the invoking user
sudo -l
List iptables rules (every table, verbose)
iptables --table nat --list
iptables -vL -t filter
iptables -vL -t nat
iptables -vL -t mangle
iptables -vL -t raw
iptables -vL -t security
Windows OS Enumeration
net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
(The netsh firewall context is deprecated from Vista onwards; use netsh advfirewall firewall show rule name=all if it is missing.)
schtasks /query /fo LIST /v
tasklist /SVC
net start
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
(Privilege escalation via a crafted .msi only works when AlwaysInstallElevated is 0x1 in both hives.)
dir /s *pass* == *cred* == *vnc* == *.config
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
File Enumeration
Find SUID/SGID files (they run with the owner's or group's privileges, so a root-owned one is a privesc candidate); the parentheses matter, otherwise -o binds loosely and SGID files match without reaching -exec
/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Get handy linux file system enumeration script (/var/tmp)
wget chmod +x ./ ./
Find executable files updated in August (outside the stock system directories)
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug
Find a specific file on linux (here anything whose name starts with "suid")
find / -name 'suid*' 2>/dev/null
Find all the strings in a file
strings <filename>
Determine the type of a file
file <filename>
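The SUID find commands in the Linux OS Enumeration and File Enumeration sections return dozens of paths, most of them stock binaries. What you actually want is the custom binary in /opt or /usr/local, or a stock binary that hands out a shell when it runs SUID root. The script below is an added example, not code from the original post: it classifies a SUID list piped in from find. The ABUSABLE and EXPECTED name lists are my own selection from common privesc references (extend them as you like), and the sample paths are constructed, not taken from any real box.

```shell
#!/bin/sh
# Triage output of `find / -perm -4000 -type f 2>/dev/null`.
# Usage:  find / -perm -4000 -type f 2>/dev/null | triage_suid

# Binaries known to spawn a shell or read/write arbitrary files when SUID root
# (assumed list, taken from common privesc references; not exhaustive).
ABUSABLE="bash sh dash zsh find vim vi nano nmap python python2 python3 perl ruby php awk gawk less more tar zip cp mv env tee"

# Stock SUID binaries that are normally present and uninteresting on their own
# (still worth a version check against known CVEs).
EXPECTED="passwd su sudo mount umount chsh chfn gpasswd newgrp ping ping6 fusermount at crontab"

# in_list NAME "WORD LIST": succeed if NAME is one of the words.
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# triage_suid: read one path per line on stdin, print a class and the path.
#   ABUSABLE  basename is a known shell-escape binary -> check it first
#   CUSTOM    lives outside the standard system paths -> likely the intended target
#   REVIEW    standard path, but not a stock SUID binary -> look at it
#   expected  stock SUID binary in a standard path
triage_suid() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    name=${path##*/}
    case "$path" in
      /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/lib/*) std=1 ;;
      *) std=0 ;;   # /opt, /usr/local, /home, /srv ... are where custom binaries live
    esac
    if in_list "$name" "$ABUSABLE"; then
      echo "ABUSABLE $path"
    elif [ "$std" -eq 0 ]; then
      echo "CUSTOM   $path"
    elif in_list "$name" "$EXPECTED"; then
      echo "expected $path"
    else
      echo "REVIEW   $path"
    fi
  done
}

# count_class CLASS: how many lines of CLASS triage_suid prints for stdin.
count_class() {
  triage_suid | grep -c "^$1 " || true
}

# Constructed sample of find output (not from a real host).
SAMPLE='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/bin/mount
/opt/backup/bkp
/usr/local/bin/monitor
/usr/bin/python3
/usr/bin/chsh
/usr/sbin/exim4'

# Stand-alone demo on the sample; ABUSABLE and CUSTOM lines are what to chase.
printf '%s\n' "$SAMPLE" | triage_suid
```

For each ABUSABLE or CUSTOM hit, confirm it is actually root-owned with ls -l before spending time on it; a SUID binary owned by an unprivileged user only gets you that user.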
Spawning Shells:
python -c 'import pty; pty.spawn("/bin/sh")'
To turn that pty into a fully interactive shell: press Ctrl-Z, run stty raw -echo; fg on your own terminal, hit Enter, then reset and export TERM=xterm in the target shell. Tab completion, arrow keys and Ctrl-C then work without killing the connection.
From within a Python interpreter: import os; os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
From within perl: exec "/bin/sh";
From within ruby: exec "/bin/sh"
From within lua: os.execute('/bin/sh')
From within IRB: exec "/bin/sh"
From within vi: :!bash or
:set shell=/bin/bash followed by :shell
From within vim: :!bash
From within nmap (older builds that still have --interactive): !sh
