Jordan ERNST 2f6dde2aa4 Big update 3 weeks ago
Cheatsheet-OSCP

Forbidden tools

You cannot use any of the following on the exam

  • Spoofing (IP, ARP, DNS, NBNS, etc)
  • Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
  • Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
  • Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
  • Features of otherwise permitted tools that rely on a forbidden or restricted capability (for example, a built-in mass scanner or automatic exploitation module inside a tool that is itself allowed)

Enumeration

Nmap

First of all, we need to know which boxes exist on the network, so run an nmap ping scan:

nmap -sn 10.0.0.0/24

On the local subnet this is an ARP sweep and is reliable; across a router nmap instead sends ICMP echo and timestamp requests plus a TCP SYN to 443 and a TCP ACK to 80, so a host that drops all of those will simply be missing from the list. A target you know exists but that does not answer the sweep can still be port-scanned with -Pn, which skips host discovery.

Once I have chosen a host, the first thing I always do is:

export targetip=X.X.X.X

nmap -A -oA nmap $targetip

This scans the 1000 most common TCP ports (nmap's default; not 1024), and -A turns on OS detection, version detection, the default NSE scripts and traceroute. -oA nmap saves the results in all three formats in the current directory: nmap.nmap (normal), nmap.gnmap (greppable) and nmap.xml. OS detection and the default SYN scan need raw sockets, so run it as root (sudo).

Scanning more deeply:

nmap -v -p 0-65535 -A $targetip

This scans all 65536 TCP ports (0 through 65535; the usual shorthand -p- means 1-65535 and skips port 0). Run as root it is a SYN scan, nmap's default; unprivileged it falls back to a full connect scan (-sT), which is slower and noisier. With version detection probing every open port, this scan will probably take a very long time. -v stands for verbose: open ports are printed as soon as they are found instead of only at the end, which matters when scanning this many ports over the internet. It is often worth leaving the scan running overnight, or moving on to a different box in the meantime.

Also scan UDP (-sU), at least on the most common ports: DNS, SNMP, NFS and IKE all live on UDP and a TCP-only scan never sees them. UDP scans are slow and most ports come back as open|filtered, which only means nothing answered, so add version detection (-sV) to confirm the ones that matter.

Services

| Service name(s) | Default port(s) | Alternative port(s) |
|---|---|---|
| FTP | 20 (data), 21 (control) | |
| SMTP | 25, 465 (SMTPS, implicit TLS), 587 (submission, STARTTLS) | 2525 |
| DNS | 53 (TCP and UDP) | |
| Finger | 79 | |
| HTTP | 80 | 8080 |
| Kerberos | 88 (TCP and UDP) | |
| POP3 | 110 | |
| MSRPC | 135 (endpoint mapper), 593 (RPC over HTTP) | |
| SMB/Samba | 139 (NetBIOS session), 445 | |
| SNMP | 161 (UDP), 162 (trap, UDP) | |
| LDAP | 389, 3268 (Global Catalog) | |
| HTTPS | 443 | 8443 |
| IPsec/IKE | 500 (UDP) | 4500 (UDP, NAT-T) |
| LDAPS | 636, 3269 (Global Catalog over TLS) | |
| POP3S | 995 | |
| Oracle TNS | 1521 | 1522-1529 |
| NFS | 2049 | |
| RDP | 3389 | |
| Subversion (SVN) | 3690 | |
| RSIP/JAMES Remote Administration Tool | 4555 | |
| WinRM/Microsoft HTTPAPI | 5985 (HTTP), 5986 (HTTPS) | |
| Redis | 6379 | |
| Splunkd | 8089 | |
| Secure SNMP (over TLS/DTLS) | 10161, 10162 (trap) | |
| Sirep (Windows IoT) | 29819, 29820 | |
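The nmap workflow above writes a greppable nmap.gnmap file next to the normal and XML output, and that file is far easier to post-process than the console listing. The script below is an added example for this cheatsheet, not part of the original page: it parses a .gnmap file, keeps only ports in state open (UDP ports reported as open|filtered are inconclusive and are left out until a -sV probe confirms them), and labels each open port with the service name from the table above so you know which service sections to work through. The scan output embedded in it is constructed for the example, and SERVICE_BY_PORT is a hand-picked subset of the table.

```python
"""Post-process the greppable output written by `nmap -oA` (the .gnmap file).

Added example for this cheatsheet, not part of the original page: list the open
ports per host and label them with the service names from the services table.
"""
import re
import sys
from collections import defaultdict

# Port -> service name, a subset of the services table on this page.
# Assumption: a port is looked up by number only; the protocol comes from the scan.
SERVICE_BY_PORT = {
    21: "FTP", 25: "SMTP", 53: "DNS", 79: "Finger", 80: "HTTP", 88: "Kerberos",
    110: "POP3", 135: "MSRPC", 139: "SMB/Samba", 161: "SNMP", 389: "LDAP",
    443: "HTTPS", 445: "SMB/Samba", 500: "IPsec/IKE", 593: "MSRPC", 636: "LDAPS",
    995: "POP3S", 1521: "Oracle TNS", 2049: "NFS", 3268: "LDAP", 3389: "RDP",
    3690: "Subversion (SVN)", 4555: "RSIP/JAMES", 5985: "WinRM", 5986: "WinRM",
    6379: "Redis", 8080: "HTTP", 8089: "Splunkd", 8443: "HTTPS",
}

# One entry of the gnmap Ports: field: port/state/proto/owner/service/rpc/version/
PORT_ENTRY = re.compile(r"^(\d+)/([^/]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*?)/?$")

# Constructed sample of a .gnmap file (not real scan output): one host from the
# TCP -A scan and one from a UDP scan, in the format nmap -oA writes.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -A -oA nmap 10.0.0.5",
    "Host: 10.0.0.5 ()\tStatus: Up",
    ("Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, "
     "80/open/tcp//http//Apache httpd 2.4.41/, "
     "139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//microsoft-ds///, "
     "3389/closed/tcp//ms-wbt-server///\tIgnored State: filtered (995)"
     "\tOS: Linux 4.15 - 5.6"),
    "Host: 10.0.0.9 ()\tStatus: Up",
    ("Host: 10.0.0.9 ()\tPorts: 53/open|filtered/udp//domain///, "
     "161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: open|filtered (98)"),
    "# Nmap done -- 2 IP addresses (2 hosts up) scanned",
])


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}.

    gnmap puts tab-separated 'Key: value' fields on each Host: line; only the
    lines with a Ports: field carry results (the 'Status: Up' line does not).
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        host = fields["Host"].split()[0]          # drop the "(hostname)" part
        # Entries are separated by ", "; split only where a new "port/" starts so
        # a comma inside a version string does not break the parse.
        for entry in re.split(r", (?=\d+/)", fields["Ports"]):
            m = PORT_ENTRY.match(entry.strip())
            if m is None:
                continue                           # tolerate a mangled entry
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results[host].append((int(port), proto, state, service, version))
    return dict(results)


def open_services(results):
    """Keep only ports in state 'open' and name them from the table.

    UDP ports reported as open|filtered got no answer at all, which is also what
    a silent closed port looks like; they are skipped until -sV confirms them.
    """
    out = {}
    for host, entries in results.items():
        rows = []
        for port, proto, state, service, version in sorted(entries):
            if state != "open":
                continue
            name = SERVICE_BY_PORT.get(port, service or "unknown")
            rows.append((port, proto, name, version))
        out[host] = rows
    return out


def report(text):
    """Flat, tab-separated lines: host, port/proto, service, version."""
    lines = []
    for host, rows in sorted(open_services(parse_gnmap(text)).items()):
        for port, proto, name, version in rows:
            lines.append(f"{host}\t{port}/{proto}\t{name}\t{version}")
    return lines


if __name__ == "__main__":
    # Usage: python3 gnmap_services.py nmap.gnmap   (defaults to the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    print("\n".join(report(data)))
```

Point it at the nmap.gnmap from the -oA run (or the file from a separate -sU scan) and the closed 3389 and the unconfirmed 53/udp in the sample drop out, leaving FTP, HTTP, SMB and SNMP as the sections to open next.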

Privilege escalation

  • Windows: see Privesc-Windows.md

Pivoting

  • See Pivoting.md

Deserialization

  • See Deserialization.md