Latest commit: Jordan ERNST 5a3dd698eb "Add HTTP -> Apps links" (2 months ago)

| Name | Last commit | Age |
|---|---|---|
| HTTP/ | Add HTTP -> Apps links | 2 months ago |
| Active_Directory.md | Several additions/edits | 2 months ago |
| Aerospike.md | Several additions/edits | 2 months ago |
| Binary_exploitation.md | Big update | 2 months ago |
| Bruteforce.md | Big update | 2 months ago |
| Buffer_Overflow.md | Big update | 9 months ago |
| DNS.md | Big update | 2 months ago |
| Deserialization.md | Big Update. WIP: Oracle | 11 months ago |
| FTP.md | Big update | 2 months ago |
| Finger.md | Big update ;) | 1 year ago |
| IMAP.md | Several additions/edits | 2 months ago |
| IPsec.md | Big update | 10 months ago |
| Kerberos.md | Big update | 10 months ago |
| LDAP.md | Big update | 2 months ago |
| MSRPC.md | Big update | 10 months ago |
| MSSQL.md | Several additions/edits | 2 months ago |
| Mobile_Mouse.md | Several additions/edits | 2 months ago |
| NFS.md | Big Update. WIP: Oracle | 11 months ago |
| Oracle.md | Oracle | 11 months ago |
| POP3.md | Several additions/edits | 2 months ago |
| Pivoting.md | Several additions/edits | 2 months ago |
| Privesc-Linux.md | Big update | 10 months ago |
| Privesc-Windows.md | Several additions/edits | 2 months ago |
| RDP.md | Big update | 2 months ago |
| README.md | Several additions/edits | 2 months ago |
| RSIP.md | Big update ;) | 1 year ago |
| Redis.md | Add Redis | 1 year ago |
| SMB.md | Several additions/edits | 2 months ago |
| SMTP.md | Big update | 2 months ago |
| SNMP.md | Several additions/edits | 2 months ago |
| SSH.md | Big update | 2 months ago |
| SVN.md | Big update | 10 months ago |
| Shells.md | Big update ;) | 1 year ago |
| Sirep.md | Big Update. WIP: Oracle | 11 months ago |
| Splunkd.md | Big Update. WIP: Oracle | 11 months ago |
| VestaCP.md | Several additions/edits | 2 months ago |
| WiFi_Mouse.md | Several additions/edits | 2 months ago |
| WinRM.md | Big update ;) | 1 year ago |

README.md

Cheatsheet-OSCP

Forbidden tools

You cannot use any of the following on the exam:

  • Spoofing (IP, ARP, DNS, NBNS, etc)
  • Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
  • Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
  • Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
  • Features in other tools that utilize either forbidden or restricted exam limitations

Enumeration

Nmap

First of all, we need to know which hosts exist on the network, so run an nmap ping scan:

nmap -sn 10.0.0.0/24

Once I have chosen a host, the first thing I always do is:

export targetip=X.X.X.X

nmap -A -oA nmap $targetip

This scans the 1024 most common ports, runs OS detection and the default nmap scripts, and saves the results in several formats (basename "nmap") in the current directory.

Scanning more deeply:

nmap -v -p 0-65535 -A $targetip

This will scan all 65535 ports on $targetip with a full connect scan, which will probably take a very long time. The -v flag stands for verbose: each newly discovered port is printed straight away instead of only at the end of the scan. Scanning this many ports over the internet takes a long time; I would often leave the scan running overnight, or move on to a different box in the meantime.

Also try UDP

Services

| Service name(s) | Default port(s) | Alternative port(s) |
|---|---|---|
| FTP | 20 (Data), 21 (Control) | |
| SSH/SFTP | 22 | 2222, 22222 |
| SMTP | 25, 465 (SSL), 587 (TLS) | 2525 |
| DNS | 53 | |
| Finger | 79 | |
| HTTP | 80 | 8080 |
| Kerberos | 88 | |
| POP3 | 110 | |
| MSRPC | 135, 593 | |
| SMB/SAMBA | 139, 445 | |
| IMAP | 143 | |
| SNMP | 161, 162 (Trap) | |
| LDAP | 389, 3268 | |
| HTTPS | 443 | 8443 |
| IPsec/IKE | 500 | 4500 (NAT mode) |
| LDAPS | 636, 3269 | |
| IMAPS | 993 | |
| POP3S | 995 | |
| Microsoft SQL | 1433 | |
| Oracle TNS | 1521 | 1522-1529 |
| WifiMouse | 1978 | |
| NFS | 2049 | |
| Aerospike | 3000, 3001, 3002, 3003 | |
| RDP | 3389 | |
| Subversion (SVN) | 3690 | |
| RSIP/JAMES Remote Administration Tool | 4555 | |
| WinRM/Microsoft HTTPAPI | 5985 (HTTP), 5986 (HTTPS) | |
| Redis | 6379 | |
| Vesta Control Panel | 8083 | |
| Splunkd | 8089 | |
| Mobile Mouse | 9099 | |
| Secure SNMP | 10161, 10162 (Trap) | |
| Sirep (Windows IoT) | 29819, 29820 | |
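The `-oA nmap` run above writes a grepable `nmap.gnmap` file alongside the normal and XML output; the following added example (not code from this repo) parses that format and maps each open port to the service name from the table above, flagging ports the table does not cover so they get a manual look. The `.gnmap` content is a constructed sample, and `KNOWN_PORTS` is a hand-picked subset of the table.

```python
from collections import defaultdict

# Subset of the Services table above: default TCP port -> service name (assumption: TCP only)
KNOWN_PORTS = {
    21: "FTP", 22: "SSH/SFTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 88: "Kerberos",
    135: "MSRPC", 139: "SMB/SAMBA", 443: "HTTPS", 445: "SMB/SAMBA", 1433: "Microsoft SQL",
    2049: "NFS", 3389: "RDP", 5985: "WinRM/Microsoft HTTPAPI", 6379: "Redis",
}

# Constructed sample of what nmap -oA writes to nmap.gnmap; not output from a real scan
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -A -oA nmap 10.0.0.5\n"
    "Host: 10.0.0.5 ()\tStatus: Up\n"
    "Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, "
    "80/open/tcp//http//Apache httpd 2.4.41/, 139/filtered/tcp//netbios-ssn///, "
    "6379/open/tcp//redis//Redis key-value store 5.0.7/, 9000/open/tcp//cslistener///"
    "\tIgnored State: closed (995)\n"
    "# Nmap done at ... -- 1 IP address (1 host up) scanned\n"
)

def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from grepable output.

    Each entry in the Ports: field has the layout port/state/proto/owner/service/rpc/version/;
    nmap rewrites any '/' inside a field as '|', so splitting on '/' is safe.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue  # comments and Status-only lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            f = entry.split("/")
            hosts[host].append((int(f[0]), f[2], f[1], f[4], f[6]))
    return dict(hosts)

def open_ports(hosts, host):
    """Sorted port numbers reported as open for one host."""
    return sorted(p for p, _proto, state, _svc, _ver in hosts.get(host, []) if state == "open")

def review(hosts):
    """Per host: open port -> table service name, or 'unlisted' when the table has no entry."""
    return {host: {p: KNOWN_PORTS.get(p, "unlisted")
                   for p, _proto, state, _svc, _ver in entries if state == "open"}
            for host, entries in hosts.items()}

if __name__ == "__main__":
    for host, ports in review(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host, ports)
```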

Privilege escalation

  • Windows

Pivoting

  • Pivoting

Deserialization

  • Deserialization