It will teach you about connection tools like netcat/socat/PowerShell/Powercat, and using them practically for file transfers, reverse/bind listeners, and channelizing I/O.
We also learn to make simple bash scripts for automation. You'll have practical exercises for each module.
The passive information gathering module isn't much of a requirement for the exam, though some of its tools, like Google dorks and Shodan, might help.
Active information gathering is useful for DNS, SMB, port scanning, NFS, SMTP and SNMP enumeration.
The web part is not very elaborate (the reason for selling WEB-200/300); it covers some basic attacks like XSS, SQLi, directory traversal and file inclusion that are used only for initial access via a web application.
The tools used are Burp Suite, dirb and nikto.
Buffer Overflow is a big module. It is very elaborate and well designed. They have separate sections for Windows and Linux, and explain the complete workflow on x86.
They've mentioned BO is optional in the new scheme, but as far as I've heard it's coming for everyone.
You'll need extensive knowledge about subnetting and networking protocols, as there will be multiple pivot points for a full attack chain.
File transfers between Windows and Linux machines are important; the cases covered include inbound/outbound traffic restrictions on common services.
You'll learn ways to evade antiviruses, on disk and in memory.
The two major methods are in-memory injection via PowerShell and a PE injector tool like Shellter.
The labs are easy in this respect, as no deeper obfuscation is required, even in the exam.
You'll learn Pass-the-Hash with msf and mimikatz, and brute-forcing common services with tools like Hydra, Medusa and Crowbar.
You'll crack password hashes with John and Hashcat.
After initial access, the enumeration is the key to getting elevated privileges. The Privilege Escalation module has sections for Windows and Linux.
The major focus is on Windows, where you'll learn to manually enumerate user permissions, services and kernel hotfixes.
The Active Directory part is still limited in the course. I don't think you should worry about this.
There are limited attack techniques; the majority of the scripts use PowerShell, so that should be strong. We start with enumeration on the domain-joined computer.
We learn to attack authentication and retrieve cached credentials with mimikatz.
We learn Kerberoasting and Pass-the-Hash with Impacket.
You'll learn to create silver and golden tickets and use them to obtain persistence. Keep the scripts and tools handy; all of them will be available.
They introduced Metasploit, msfconsole and Empire after all these modules (seriously?).
You'll learn about modules like exploit, payload, encoders, post, etc.
Post exploitation content is good.
The use of Metasploit is restricted in the exam; please read the exam rules and make a note.
Lastly they put all the pieces together and demonstrate a complete penetration test. They target multiple hosts inside internal networks, by tunneling and redirection, and finally compromise the AD.
Exploitation is not the challenge; enumeration is. Focus accordingly.
LEARNING OSCP: Day #8
Initial Access tips #1
1. Don't rely on a single wordlist. I had instances where I couldn't find a hidden directory with the DirBuster list, but got it when I ran dirb with big.txt.
2. Don't forget to add extensions when brute-forcing directories: php, txt, html, etc. #oscp
3. Try default passwords on every login function: FTP, SSH, MySQL, SMB, WebDAV, POP, etc. Search for the default credentials of the specific web software and make an educated guess if the original ones don't work.
4. Always check the source code for usernames, passwords, etc.
5. Brute-force all authenticated services with identified strings that look like usernames.
6. Use README.txt/LICENSE.txt/CHANGELOG.txt to enumerate service versions.
7. Not every exploit is available on searchsploit; custom exploits from Google/GitHub often work fine.
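As an added example (not from the thread), a small Python check for tip 6: it requests the metadata files named above from a web root and pulls version-looking strings out of whatever is reachable. The two extra file names beyond the three in the tip and the default target URL are assumptions; the same check is useful for auditing your own deployment, where these files should not be served at all.

```python
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# The three files the tip names, plus two common variants (assumption).
META_FILES = ["README.txt", "LICENSE.txt", "CHANGELOG.txt", "readme.html", "CHANGELOG.md"]

# Heuristic: 2- to 4-part dotted numbers such as 5.8.1 or 2.4.41.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+){0,2}\b")


def extract_versions(text: str) -> list:
    """Return distinct version-looking strings in the order they appear."""
    versions = []
    for match in VERSION_RE.finditer(text):
        if match.group(0) not in versions:
            versions.append(match.group(0))
    return versions


def fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """GET url and return up to 64 KiB of body text on HTTP 200, else None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read(64 * 1024).decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        # 404s, refused connections and timeouts all mean "not reachable".
        return None


def check_webroot(base_url: str) -> dict:
    """Probe each metadata file under base_url; map reachable file -> versions."""
    results = {}
    for name in META_FILES:
        body = fetch(base_url.rstrip("/") + "/" + name)
        if body is not None:
            results[name] = extract_versions(body)
    return results


if __name__ == "__main__":
    # Hypothetical default target; pass a base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for name, versions in check_webroot(target).items():
        print(f"{name}: {', '.join(versions) or 'reachable, no version string'}")
```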
For initial access:
1. Start with the box that has a web server; it is the most common path.
2. Use revshells.com for PowerShell payloads; I prefer the base64 one.
3. Remember that Windows uses '\' rather than '/'; don't mess up the syntax (C:\Users, not C:/Users).
For AD enumeration:
1. Use adPEAS. Like linpeas and winpeas, it is a PowerShell script that automates domain information gathering and finding lateral movement vectors: github.com/61106960/adPEAS
2. I would recommend performing the enumeration manually before using it, to understand it better.