OSCP Lab & Exam Help

-

 

OSCP ROADMAP

Enumeration Roadmap



Step 1: Nmap basic scan
Nmap -Pn -p- -vv <ip address>
Nmap -Pn -p- -sU -vv <ip address>

Step 2: Nmap version and vulnerability Scan:
Nmap -Pn -sV -O -pT:{TCP ports found in step 1},U:{UDP ports found in step 1} -script *vuln* <ip address>
Grab banners manually for more clarity: nc -nv <ip-address> <port>



Step 3: Any web port(s) for further enumeration?
Nikto -port {web ports} -host <ip address> -o <output file.txt>
Dirb http{s}://<ip address>:<port> /usr/share/wordlist/dirb/{common/small/vulns}.txt
Gobuster -u http://<ip-address> -w /usr/share/Seclists/Discovery/Web_Content/common.txt
/usr/share/secLists/Discovery folder has some great word lists

If only web port visible try a bigger list in dirb: /usr/share/wordlist/dirb/big.txt

Use Burpsuite as needed

Do you see any interesting directory containing sensitive data?
Do you see any LFI/RFI vulnerability posted by Nikto? Try fimap: fimap -u <ip-address>

Step 4: Are there any exploits available publicly from the services discovered from Step 2?

Searchsploit <service name>

Copy exploit to local dir: searchsploit -m <ID>

Step 5: Manual Poking for Web Pages

Check the Page Source, Inspect elements, view cookies, tamper data, use curl/wget

  • Google alien terms!
  • Anything sensitive there?
  • Any version info?
Search repository online (like GitHub) if the application used is open source: this may assist in site enumeration and guessing versions etc.!

Check HTTP Options

Check for Input Validation in forms (like: 1′ or 1=1 limit 1;#   AND   1′ or 1=1–)



  • NULL or null
    • Possible error messages returned.
  • ‘ , ” , ; , <!
    • Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
  • – , = , + , ”
    • Used to craft SQL Injection queries.
  • ‘ , &, ! , ¦ , < , >
    • Used to find command execution vulnerabilities.
  • ../
    Directory Traversal Vulnerabilities.
Step 6: Are there any NETBIOS, SMB, RPC ports discovered from Step 1?

enum4linux -a <ip address>

Rpcclient <ip address> -U “” -N

Rpcinfo: What services are running? Rpcinfo -p <target ip>

Is portmapper running? Is rlogin running? Or NFS or Mountd?

Showmount -e <ip address>/<port>

Can you mount the smb share locally?
Mount -t cifs //<server ip>/<share> <local dir> -o username=”guest”,password=””

Rlogin <ip-address>

Smbclient -L \\<ip-address> -U “” -N

Nbtscan -r <ip address>

Net use \\<ip-address>\$Share “” /u:””

Net view \\<ip-address>

Check NMAP Scripts for SMB, DCERPC and NETBIOS

Step 7: Any SMTP ports available?

Enumerate Users:

Mail Server Testing
  •   Enumerate users
VRFY username (verifies if username exists – enumeration of accounts)
EXPN username (verifies if username is valid – enumeration of accounts)


Step 8: How about SNMP ports?
Default Community Names: public, private, cisco, manager

Enumerate MIB:
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User Accounts
1.3.6.1.2.1.6.13.1.3 TCP Local Ports

Use tools:
Onesixtyone – c <community list file> -I <ip-address>

Snmpwalk -c <community string> -v<version> <ip address>
Eg: enumerating running processes:

root@kali:~# snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2

Step 9: FTP Ports Discovered
Is anonymous login allowed?
If yes, is directory listing possible? Can a file be ‘get’ or ‘send’?
Use browser: ftp://<ip-address> , What do you find?

Step 10: Password Cracking / Brute Forcing
Try this as the last resort or in case the Passwd/Shadow/SAM files are in possession:

For linux, first combine passwd & shadow files:  unshadow [passwd-file] [shadow-file] > unshadowed.txt

Then, use John on the unshadowed file using a wordlist or rules mangling : john –rules –wordlist=<wordlist file> unshadowed.txt
Identifying Hash: hash-identifier

For other services, use Medusa or Hydra. Eg:
Hydra -L <username file> -P <Password file> -v <ip-address> ssh
Medusa -h <ip-address> -U <username file> -P <password file> -M http -m DIR:/admin -T 30

Using hashcat for cracking hashes:
For WordPress MD5 with salt: hashcat -m 400 -a 0 <hash file> <wordlist file>
Sample Password list: /usr/share/wordlist/rockyou.txt

Step 11: Packet Sniffing
Use Wireshark / tcpdump to capture traffic on the target host:
“tcpdump -i tap0  host <target-ip> tcp port 80 and not arp and not icmp -vv”

 







Comments

Post a Comment

Popular posts from this blog

Cheat Sheet : Wireshark

-
 Now that you know some command line packet sniffing, lets go over some wireshark display filters: * If you want to filter by a protocol, just type it in, like arp, dns, etc.   * If you click the analyze tab you can filter here as well   * If you did it by tp, you can go to preferences/protocols/tcp and take the check out of “relative sequence numbers” and they will show the real seq numbers   * Right click a packet and follow tcp stream to see the whole conversation between the client and the server . if you do this and you close out of the window you will see that the filter is listed for these packets   * A source filter can be applied to restrict the packet view in wireshark to only those packets that have source IP as mentioned in the filter. The filter applied in the example below is: ip.src == 10.10.10.5   * A destination filter can be applied to restrict the packet view in wireshark to only those packets that have destination IP as m...
Read more

Cheat Sheet : Google Hacking

-
Google hacking is a great way to do some recon using advanced operators in the google search engine. Heres some examples: google hacking lessons: * google queries are not case-sensitive   * google doesnt use wildcard like most, it sees it just as another character   * google ignores certain common words, characters, and single digits in a search, but you can force google into using them by including them in quotes. You can also precede the word with a + sign like +and with no spaces between the + and the word "and"   * google limits searches to 32 words, but we could use wildcards to omit common words and extend that limit. so a phrase like "we the people of the united states in order to form a more perfect union establish jusice" is 17 words, but if i omit the common words and replace with wildcards: we * people * * united states * order * form * more perfect * establish *  would be couonted as 9 words   * if i do a phrase search, which means ...
Read more

Cheat Sheet : TCP Dump

-
Wireshark is a very popular packet sniffing tool, but sometimes you may be on a pentest and you only have a linux shell, no gui, no wireshark. Good thing is a lot of linux and unix machines come with tcpdump installed which is essentially a command line wireshark. Lets look at some examples: * First off, I like to add a few options to the tcpdump command itself, depending on what I’m looking at. The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed. The second is -X, which displays both hex and ascii content within the packet. The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can’t see weirdness in the sequence numbers if they’re being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets. * It’s also important to note that tcpdump only takes the first 6...
Read more