The goal of this repository is not to spoil the OSCP Exam, it's to save you as much time as possible when enumerating and exploiting potential low hanging fruit. It's very easy to get caught up in the weeds of debugging and troubleshooting broken payloads only to lose out on all your time to pass the exam.
You're on your own when the exploits start flying--I'll try to include potential tips and tricks you can try but it's up to you to fully understand the proper material before starting the exam. :)
| # | Step | Description |
|---|---|---|
| 1 | Discover |
Discover what's on the network |
| 2 | Document |
Document your findings in CherryTree |
| 3 | Select |
Select the specific cheatsheet for the box you are attacking |
Before you can follow my exploitation tips and tricks, you'll need to enumerate what's on the network.
Use these automated tools to save as much time as possible when enumerating vulnerabilities!
| # | Resource | Description |
|---|---|---|
| 1 | Reconnoitre | A tool specifically created for scanning OSCP labs. |
| 2 | AutoRecon | A tool for scanning both CTFs and OSCP. |
| # | Command | Description |
|---|---|---|
| 1 | nmap -sn 10.11.1.0/24 |
Enum IPs. Quick SYN scan without looking for open ports. |
| 2 | nmap -sC -sV -vv -oA quick 10.11.1.4 |
Quick TCP scan on target IP |
| 3 | nmap -sU -sV -vv -oA quick_udp 10.11.1.7 |
Quick UDP scan on target IP |
| 4 | nmap -sV -O -F --version-light 10.11.1.6 |
Quick OS Detection & Port Scan on target IP |
| 5 | nmap -sC -sV -p- -vv -oA full 10.11.1.8 |
Very long and aggressive TCP scan on target IP |
| Port # | Description |
|---|---|
| 21 | FTP server, unencrypted. |
| 22 | SSH server, can be connected to via SSH |
| 23 | Telnet. Basically an unencrypted SSH |
| 25 | SMTP - Email sending service. Query it to enum email addresses? |
| 69 | TFTP Server. Very uncommon and old. Uses UDP. |
| 80 | HTTP Server, hosting website? Try visiting IP with web browser |
| 88 | Kerboros Service. Check, MS14-068 |
| 110 | POP3 mail service. Login via telnet or SSH? |
| 111 | RPCbind. This can help us look for NFS-shares |
| 119 | Network Time Protocol |
| 135 | MSRPC - Microsoft RPC |
| 139 | SMB Service. likely vulnerable to an SMB RCE |
| 161, 162 | SNMP Service |
| 389, 636 | LDAP Directory Service |
| 443 | HTTPS, check for HeartBleed? View certificate for information? |
| 445 | SMB Shares service, likely vulnerable to an SMB RCE |
| 587 | Submission. If Postfix is run on it, it could be vunerable to shellshock |
| 631 | CUPS. Basically a Linux Printer Service for sharing printers. |
| 1433 | Default MSSQL port. sqsh -S 10.1.11.41 -U sa |
| 1521 | Oracle DB. tnscmd10g version -h 10.1.11.51 |
| 2021 | Oracle XML DB. Check Default Passwords |
| 2049 | Network File System. showmount -e 10.1.11.64 |
| 3306 | MySQL Database. Connect: mysql --host=10.1.11.69 -u root -p |
| 3389 | Listening for RDP connection |
| # | Script | Type | Description |
|---|---|---|---|
| 1 | smb-check-vulns.nse | SMB | Scans for multiple SMB vulnerabilities. |
| 2 | smb-vuln-cve2009-3103.nse | SMB | Windows Vista SP1/SP2 and Server 2008 (x86) |
| 3 | smb-vuln-ms06-025.nse | SMB | Windows 2000 and Windows XP (x86) |
| 4 | smb-vuln-ms07-029.nse | SMB | Windows 2003 SP1/SP2 |
| 5 | smb-vuln-ms08-067.nse | SMB | Windows XP |
| 6 | smb-vuln-ms10-054.nse | SMB | XP, Vista, 7 |
| 7 | smb-vuln-ms10-061.nse | SMB | XP, Vista, 7 |
| 8 | smb-vuln-ms17-010.nse | SMB | EternalBlue. XP, Vista, 7, 8.1, 10 |
| 9 | smb-enum-shares.nse | SMB | Enumerates SMB Shares |
| 10 | smb-enum-users.nse | SMB | Attempts to enumerate Windows users |
Example: Using an Nmap Script
nmap -p 445 -vv --script=[script.nse] 10.10.10.10
enum4linux -a 10.11.1.9
| # | Command | Description |
|---|---|---|
| 1 | /dev/tcp/$ip/$port | If nmap didn't banner grab or it's not installed. |
| # | Command | Description |
|---|---|---|
| 1 | dig example.com any |
View DNS records on a domain. |
| 2 | dnsrecon -d example.com |
Multiple queries to DNS server that enumerates DNS records. |
| # | Command | Description |
|---|---|---|
| 1 | nmap -script smtp-commands.nse 10.11.1.41 |
Scan for possible SMTP commands that can be executed |
| 2 | smtp-user-enum -M VRFY -U /root/sectools/SecLists/Usernames/Names/names.txt -t 10.11.1.41 |
SMTP Enum. -M for mode. -U for userlist. -t for target |