alice_killer

OSCP cheat sheet

Dec 23rd, 2023 (edited)
Bash 2.76 KB | Cybersecurity
Help articles:
https://shawnvoong.medium.com/how-to-pass-the-2023-oscp-pen-200-on-the-first-try-part-1-enumeration-a0b272a86cf7

---------------------------------------------
SERVICE AND PORTS:
This is the best command to use:
nmap -p- -sV -sC -v <IPADDRESS> --open -oN tcpfull.nmap   # full TCP

Another good one, and faster:
nmap -p- --min-rate 5000 -T4 <IPADDRESS>
then, for the open ports it found:
nmap -sC -sV -p $ports $ip

ADVANCED (collect the open ports into $ports, then run the script/version scan on just those):
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.248 | grep '^[0-9]' | cut -d '/' -f1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.248
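The ADVANCED pipeline above does the port extraction in one line. As an added example (not part of the original paste), here is the same step as a shell function that reads saved nmap normal output from stdin, keeps only ports whose state is "open" (the bare grep '^[0-9]' also picks up "filtered" ports, which then waste time in the -sC -sV follow-up), and is run here against a constructed sample report; the IP and ports in the sample are made up.

```shell
#!/bin/sh
# Added example: turn the port lines of an nmap normal-output report into the
# comma-separated list that nmap -p expects. Not from the original paste.

# Constructed sample of nmap normal output (assumption: not a real scan).
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-23 10:00 UTC
Nmap scan report for 10.10.10.248
Host is up (0.050s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
445/tcp   open     microsoft-ds
8000/tcp  open     http-alt

Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# Read nmap normal output on stdin, print e.g. "22,80,445,8000".
# Only lines that start with "<number>/tcp" or "<number>/udp" are port lines,
# and only those whose second column is "open" are kept.
open_ports_csv() {
    awk '/^[0-9]+\/(tcp|udp)/ && $2 == "open" {
             split($1, p, "/")
             ports = ports (ports ? "," : "") p[1]
         }
         END { print ports }'
}

# Usage (same shape as the cheat sheet's $ports variable):
#   ports=$(nmap -p- --min-rate=1000 -T4 <IPADDRESS> | open_ports_csv)
#   nmap -sC -sV -p"$ports" <IPADDRESS>
# Demo against the constructed sample:
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | open_ports_csv
```

Saving the first scan with -oN and feeding that file to the function is also a cheap way to keep the evidence of what was open at the time, rather than rescanning to rebuild the list.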

udp:
sudo nmap -p 53,67,68,69,111,123,161,162,137,138,139,514,1900,5353,500,445 -sU <IPADDRESS> -oN udp.nmap

If you wish to use autorecon, this is the command I would use to skip Nikto, with dirsearch as the directory searching tool:

autorecon --nmap-append="--min-rate=2000" --exclude-tags="top-100-udp-ports" --exclude-tags nikto --dirbuster.threads=40 --dirbuster.tool=dirsearch -vv <IP>

Web Application Enumeration and Attacks:

You should google the service and version banners you find: for example, if you see "Gunicorn 20.0.4" running on HTTP, google that along with the word "exploit" or "RCE" or "github".

If it's a webpage showing a service and version, google that service to see what the default credentials are. I would often look in searchsploit or google "service + hacktricks", "service + pentesting" or "service + hack the box" to see if anything comes back.

OSCP Chapter 8 (Introduction to Web Application Attacks), Chapter 9 (Common Web Application Attacks) and Chapter 10 (SQL Injection Attacks)

You will probably see port 80, 8000, 443 or some other 8XXX port. Your nmap scan output should show the host name; don't forget to add it to your /etc/hosts file. For example, if your nmap scan shows "Location: https://msxx.host.name:8000/login", add "msxx.host.name" to the hosts file. It can make a big difference when dir searching.
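The hosts-file step above is easy to forget and easy to automate. As an added example (not part of the original paste), here is a shell function that pulls the redirect host name out of nmap output (both a "Location:" header and the http-title script's "Did not follow redirect to" line) and prints the /etc/hosts entry for it; the sample nmap output, IP and host name are constructed for the demo, with the host name taken from the cheat sheet's own example.

```shell
#!/bin/sh
# Added example: derive an /etc/hosts line from the redirect target nmap reports.
# Not from the original paste.

# Constructed sample of nmap -sC -sV output (assumption: not a real scan).
SAMPLE_REDIRECT_OUTPUT='PORT     STATE SERVICE  VERSION
80/tcp   open  http     nginx 1.18.0
|_http-title: Did not follow redirect to https://msxx.host.name:8000/login
8000/tcp open  http     Gunicorn 20.0.4
| http-server-header: Gunicorn/20.0.4
|_Location: https://msxx.host.name:8000/login'

# $1 = target IP, stdin = nmap output. Prints "IP hostname" once per distinct
# host name found in a Location: header or an http-title redirect line.
# Bare IP addresses are skipped: they need no hosts entry.
hosts_entry_for_redirect() {
    ip="$1"
    sed -n \
        -e 's#.*Location: *https*://\([^/:]*\).*#\1#p' \
        -e 's#.*redirect to https*://\([^/:]*\).*#\1#p' \
    | sort -u \
    | grep -v '^[0-9.]*$' \
    | while read -r host; do
        printf '%s %s\n' "$ip" "$host"
    done
}

# Usage: review the line, then append it yourself:
#   hosts_entry_for_redirect <IPADDRESS> < tcpfull.nmap
#   (then: echo "<that line>" | sudo tee -a /etc/hosts)
printf '%s\n' "$SAMPLE_REDIRECT_OUTPUT" | hosts_entry_for_redirect 10.10.10.248
```

The function only prints the entry rather than writing to /etc/hosts, so you can check that the name really belongs to the target before touching a system file.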
---------------------------------------------
PIVOTING
PING SWEEP  # for discovering hosts
On Linux:
1. one octet
for i in {1..254}; do (ping -c 1 -W 1 192.168.1.$i | grep "bytes from" &); done

2. two octets
for i in {1..254}; do
   for j in {1..254}; do
       (ping -c 1 -W 1 192.168.$i.$j | grep "bytes from" &)
   done
done

On Windows:
You can save it as a .bat file (use %%i, as in the second loop) or paste it directly into cmd (use %i, as in the first loop).
1. one octet
for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up.

2. two octets
for /L %%i in (1,1,254) do (
   for /L %%j in (1,1,254) do (
       @ping -n 1 -w 200 192.168.%%i.%%j > nul && echo 192.168.%%i.%%j is up.
   )
)
Note: Windows ping also exits 0 on a "Destination host unreachable" reply, so the && test can report a dead host as up; piping ping through find "TTL=" is a stricter check.
---------------------------------------------
NMAP static binary (for a pivot host that has no nmap installed):
https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/nmap