# PEN-200 OSCP Exercise Checklist

## Getting Comfortable with Kali

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 2.3.6 | 2.3.6 | Kali Documentation | 3 | No |
| 2.4.3.4 | 2.4.4 | Finding Your Way Around Kali | 5 | Yes |
| 2.5.3 | 2.5.3 | Managing Kali Linux Services | 2 | No |
| 2.6.6.1 | 2.6.7 | Searching, Installing and Removing Tools | 5 | No |

## Command Line Fun

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 3.1.3.1 | 3.1.4 | The Bash Environment | 2 | Yes |
| 3.2.5.1 | 3.2.6 | Piping and Redirection | 2 | Yes |
| 3.3.5.1 | 3.3.6 | Text Searching and Manipulation | 3 | Yes |
| 3.5.3.1 | 3.5.4 | Comparing Files | 2 | Yes |
| 3.6.3.1 | 3.6.4 | Managing Processes | 5 | Yes |
| 3.7.2.1 | 3.7.3 | File and Command Monitoring | 2 | Yes |
| 3.8.3.1 | 3.8.4 | Downloading Files | 1 | Yes |
| 3.9.3.1 | 3.9.4 | Customising the Bash Environment | 2 | Yes |

## Practical Tools

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 4.1.4.3 | 4.1.5 | Netcat | 4 | No |
| 4.2.4.1 | 4.2.5 | Socat | 4 | Yes |
| 4.3.8.1 | 4.3.9 | PowerShell and Powercat | 3 | Yes |
| 4.4.5.1 | 4.4.6 | Wireshark | 5 | Yes |
| 4.5.3.1 | 4.5.3 | Tcpdump | 4 | Yes |

## Bash Scripting

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 5.7.3.1 | 5.7.4 | Practical Examples | 4 | Yes |

## Passive Information Gathering

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 6.3.1.1 | 6.3.1 | Whois Enumeration | 1 | Yes |
| 6.4.1.1 | 6.4.1 | Google Hacking | 2 | Yes |
| 6.5.1.1 | 6.5.1 | Netcraft | 2 | Yes |
| 6.6.1.1 | 6.6.1 | Recon-ng | 2 | No |
| 6.7.1.1 | 6.7.1 | Open-Source Code | 1 | Yes |
| 6.12.1.1 | 6.12.3 | User Information Gathering | 2 | Yes |
| 6.13.2.1 | 6.13.2 | Social Media Tools | 1 | Yes |

## Active Information Gathering

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 7.1.6.3 | 7.1.7 | DNS Enumeration | 3 | Yes |
| 7.2.2.9 | 7.2.3 | Port Scanning | 5 | Yes |
| 7.3.2.1 | 7.3.3 | SMB Enumeration | 3 | Yes |
| 7.4.2.1 | 7.4.3 | NFS Enumeration | 2 | Yes |
| 7.5.1.1 | 7.5.1 | SMTP Enumeration | 2 | Yes |
| 7.6.3.6 | 7.6.4 | SNMP Enumeration | 2 | Yes |

## Vulnerability Scanning

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 8.2.4.2 | 8.2.5 | Unauthenticated Scanning With Nessus | 3 | Yes |
| 8.2.5.2 | 8.2.7 | Authenticated Scanning With Nessus | 2 | Yes |
| 8.2.6.1 | 8.2.9 | Scanning With Individual Nessus Plugins | 3 | Yes |
| 8.3.1.1 | 8.3.1 | Vulnerability Scanning With Nmap | 1 | Yes |

## Web Application Attacks

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 9.3.3.1 | 9.3.4 | Web Application Assessment Tools | 1 | Yes |
| 9.5.1.1 | 9.5.2 | Exploiting Admin Consoles | 2 | Yes |
| 9.6.4.1 | 9.6.6 | Cross-Site Scripting (XSS) | 3 | Yes |
| 9.7.1.1 | 9.7.2 | Directory Traversal Vulnerabilities | 1 | Yes |
| 9.8.4.1 | 9.8.5 | LFI Code Execution | 2 | Yes |
| 9.8.5.1 | 9.8.7 | Remote File Inclusion | 3 | Yes |
| 9.8.7.1 | 9.8.10 | PHP Wrappers | 2 | Yes |
| 9.9.3.1 | 9.9.4 | Authentication Bypass | 4 | Yes |
| 9.9.7.1 | 9.9.9 | Extracting Data From The Database | 3 | Yes |
| 9.9.8.1 | 9.9.11 | From SQL Injection to Code Execution | 2 | Yes |
| 9.9.9.1 | 9.9.13 | Automating SQL Injection | 2 | Yes |
| 9.5.1 | 9.10.1 | Extra Miles | 3 | No |

## Introduction to Buffer Overflows

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 10.2.5 | 10.2.5 | Introduction to Buffer Overflows | 2 | Yes |

## Windows Buffer Overflows

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 11.1.1.2 | 11.1.2 | Discovering the Vulnerability | 2 | Yes |
| 11.2.3.1 | 11.2.4 | Controlling EIP | 3 | Yes |
| 11.2.5.1 | 11.2.8 | Checking for Bad Characters | 2 | Yes |
| 11.2.7.1 | 11.2.10 | Finding a Return Address | 2 | Yes |
| 11.2.9.1 | 11.2.13 | Getting a Shell | 3 | Yes |
| 11.2.10.1 | 11.2.15 | Improving the Exploit | 1 | Yes |
| 11.2.10.2 | 11.2.16 | Extra Miles | 1 | No |

## Linux Buffer Overflows

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 12.2.1.2 | 12.2.1 | Replicating the Crash | 3 | Yes |
| 12.3.1.1 | 12.3.1 | Controlling EIP | 2 | Yes |
| 12.5.1.1 | 12.5.1 | Checking for Bad Characters | 2 | Yes |
| 12.6.1.1 | 12.6.1 | Finding a Return Address | 2 | Yes |
| 12.7.1.1 | 12.7.1 | Getting a Shell | 2 | Yes |

## Client Side Attacks

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 13.1.2.3 | 13.1.5 | Know Your Target | 3 | No |
| 13.2.2.1 | 13.2.3 | Leveraging HTML Applications | 2 | Yes |
| 13.3.2.1 | 13.3.3 | Microsoft Word Macro | 1 | Yes |
| 13.3.3.1 | 13.3.5 | Object-Linking and Embedding | 1 | Yes |
| 13.3.4.1 | 13.3.7 | Evading Protected View | 3 | Yes |

## Locating Public Exploits

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 14.3.1.1 | 14.3.1 | Putting It All Together | 5 | Yes |

## Fixing Exploits

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 15.1.3.1 | 15.1.4 | Cross-Compiling Exploit Code | 2 | Yes |
| 15.1.4.1 | 15.1.6 | Changing the Socket Information | 2 | Yes |
| 15.1.5.1 | 15.1.8 | Changing the Return Address | 1 | Yes |
| 15.1.6.1 | 15.1.10 | Changing the Payload | 4 | Yes |
| 15.1.7.1 | 15.1.12 | Changing the Overflow Buffer | 2 | Yes |
| 15.2.3.1 | 15.2.4 | Changing Connectivity Information | 5 | Yes |
| 15.2.4.1 | 15.2.6 | Troubleshooting the "Index Out Of Range" Error | 5 | Yes |

## File Transfers

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 16.1.3.2 | 16.1.4 | Considerations and Preparations | 3 | No |
| 16.2.5.1 | 16.2.6 | Transferring Files With Windows Hosts | 4 | No |

## Antivirus Evasion

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 17.3.3.2 | 17.3.4 | PowerShell In-Memory Injection | 3 | Yes |
| 17.3.3.4 | 17.3.5 | Antivirus Evasion | 4 | Yes |

## Privilege Escalation

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 18.1.1.13 | 18.1.2 | Manual Enumeration | 1 | Yes |
| 18.1.2.1 | 18.1.4 | Automated Enumeration | 2 | Yes |
| 18.2.3.2 | 18.2.4 | User Account Control (UAC) Bypass: fodhelper.exe Case Study | 1 | Yes |
| 18.2.4.1 | 18.2.6 | Insecure File Permissions: Serviio Case Study | 2 | Yes |
| 18.3.2.1 | 18.3.3 | Insecure File Permissions: Cron Case Study | 1 | Yes |
| 18.3.3.1 | 18.3.5 | Insecure File Permissions: /etc/passwd Case Study | 1 | Yes |

## Password Attacks

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 19.1.1.1 | 19.1.2 | Wordlists | 1 | No |
| 19.2.1.1 | 19.2.1 | Brute Force Wordlists | 1 | No |
| 19.3.1.1 | 19.3.2 | HTTP htaccess Attack with Medusa | 2 | No |
| 19.3.2.1 | 19.3.4 | Remote Desktop Protocol Attack With Crowbar | 1 | No |
| 19.3.3.1 | 19.3.6 | SSH Attack With THC-Hydra | 1 | No |
| 19.3.4.1 | 19.3.8 | HTTP Post Attack With THC-Hydra | 2 | No |
| 19.4.1.1 | 19.4.2 | Retrieving Password Hashes | 2 | No |
| 19.4.2.1 | 19.4.4 | Passing the Hash in Windows | 2 | Yes |
| 19.4.3.1 | 19.4.6 | Password Cracking | 1 | No |

## Port Redirection and Tunnelling

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 20.1.1.1 | 20.1.2 | Port Forwarding | 2 | Yes |
| 20.2.1.1 | 20.2.2 | SSH Local Port Forwarding | 4 | Yes |
| 20.2.2.2 | 20.2.4 | SSH Remote Port Forwarding | 3 | Yes |
| 20.2.3.1 | 20.2.6 | SSH Dynamic Port Forwarding | 5 | Yes |
| 20.3.1.1 | 20.3.1 | PLINK.exe | 3 | Yes |
| 20.4.1.1 | 20.4.1 | NETSH | 2 | Yes |
| 20.5.1.1 | 20.5.1 | HTTPTunnel-ing Through Deep Packet Inspection | 3 | Yes |

## Active Directory Attacks

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 21.2.1.1 | 21.2.2 | Traditional Approach | 1 | Yes |
| 21.2.2.1 | 21.2.4 | A Modern Approach | 3 | Yes |
| 21.2.3.1 | 21.2.6 | Resolving Nested Groups | 2 | Yes |
| 21.2.4.1 | 21.2.8 | Currently Logged On Users | 3 | Yes |
| 21.2.5.2 | 21.2.10 | Enumeration Through Service Principal Names | 4 | Yes |
| 21.3.3.1 | 21.3.4 | Cached Credential Storage and Retrieval | 2 | Yes |
| 21.3.4.1 | 21.3.6 | Service Account Attacks | 4 | Yes |
| 21.3.5.1 | 21.3.8 | Low and Slow Password Guessing | 2 | Yes |
| 21.4.2.1 | 21.4.3 | Overpass the Hash | 1 | Yes |
| 21.4.3.1 | 21.4.5 | Pass the Ticket | 3 | Yes |
| 21.4.4.1 | 21.4.7 | Distributed Component Object Model | 3 | Yes |
| 21.5.1.1 | 21.5.2 | Golden Tickets | 2 | Yes |

## Metasploit Framework

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 22.1.3.1 | 22.1.4 | Metasploit User Interfaces and Setup | 3 | Yes |
| 22.2.1.1 | 22.2.2 | Exploit Modules | 1 | Yes |
| 22.3.3.2 | 22.3.4 | Experimenting with Meterpreter | 1 | Yes |
| 22.3.7.1 | 22.3.9 | Metasploit Payloads | 7 | Yes |
| 22.4.1.1 | 22.4.1 | Building Our Own MSF Module | 1 | Yes |
| 22.5.4.1 | 22.5.5 | Post-Exploitation with Metasploit | 1 | Yes |
| 22.6.1.1 | 22.6.1 | Metasploit Automation | 1 | Yes |

## PowerShell Empire

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 23.1.3.1 | 23.1.4 | Installation, Setup and Usage | 3 | Yes |
| 23.3.1.1 | 23.3.1 | PowerShell Modules | 4 | Yes |

## Assembling the Pieces

| PDF Number | Portal Number | Heading | No. of Exercises Required | Completed? |
|---|---|---|---|---|
| 24.2.2.2 | 24.2.2 | SQL Injection Exploitation | 1 | Yes |
| 24.5.1.1 | 24.5.1 | Exploitation | 2 | Yes |