OSCP: Hacker Methodology 101

7/25/2019

The OSCP is an animal indeed, but it most certainly can be conquered. This blog is an overview of the methodology I used during the labs, not necessarily the one I use on pen testing projects. I have simplified some of the commands for better understanding. Keep in mind that this is just what I found useful for my style of testing; you can use parts or the whole thing, but feel free to color outside the lines with it. Have fun, and please send feedback with any improved commands or tricks you find helpful.

Initial Enumeration

Enumeration, aka enum, is the recon you do to figure out what kind of attack surface you are working with. You conduct enum at the beginning of an assessment and again after gaining a foothold. For this section, we are only focused on the activities before the initial compromise.
Host Discovery
This is the initial stage, where your sole purpose is to discover the hosts that can be reached from your current location on the network. Nmap is an excellent tool for this step.
Sample Command
Nmap ping scan (-sn skips the port scan and only reports which hosts answer)
# nmap -sn -oG [output file name] [IP space to scan]
Service Detection
After discovering the available hosts, you need to determine which ports are open and which services are listening on them. Nmap is an excellent tool for this stage as well.

Sample Command
TCP SYN scan of all 65535 ports, treating every host as online, with version detection, reading targets from the live-host list
# nmap -Pn -sS -sV -p- -iL [live hosts.txt] -oG [output file name.txt]
  • We treat all hosts as online (-Pn) because we already have a list of live hosts; there is no need to make Nmap repeat the discovery step.

UDP scan of the top 100 ports
# nmap -sU -sV -F -iL [live hosts.txt] -oG [output file name.txt]
  • I scan UDP separately because I am lazy and don’t want to list out the UDP ports to scan. If you know which ones to scan, feel free to specify them and use a single scan.
  • -F scans the top 100 ports; you could also use --top-ports [x], where x is any number.
  • Also, with UDP we don’t want to scan all 65535 ports. According to the Nmap documentation, that can take more than 18 hours per host, because most systems rate-limit the ICMP port-unreachable replies Nmap relies on. Therefore we focus on the most probable ports at this stage.
Service Validation
Even though Nmap has listed the open ports, there can be false positives, and version detection can misidentify a service. Use Netcat (nc) to connect to each service, confirm it is really listening and look at the banner it returns.
# nc -v [IP] [port]
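The discovery, service detection and validation steps above chain together through Nmap's grepable output: the ping sweep's -oG file becomes the -iL list for the port scan, and the port scan's -oG file tells you which host and port pairs to hand to nc. The script below is an added example, not from the original post, that does that glue in plain sh. It runs on constructed sample .gnmap files (the hosts 10.10.10.1 to 10.10.10.3, the hostname target.lab and their banners are made up) so it works offline; point live_hosts and open_ports at real output files to use it on a lab network.

```sh
#!/bin/sh
# Added example (not from the original post): glue for the host discovery ->
# service detection -> netcat validation chain, working from nmap's grepable
# (-oG) output. Runs offline on constructed sample files.
set -eu

WORK=$(mktemp -d)

# Constructed sample of `nmap -sn -v -oG ping.gnmap 10.10.10.0/29` output
# (with -v, down hosts are listed too). Fields in .gnmap are tab-separated.
{
  printf '# Nmap 7.80 scan initiated as: nmap -sn -v -oG ping.gnmap 10.10.10.0/29\n'
  printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.2 ()\tStatus: Down\n'
  printf 'Host: 10.10.10.3 (target.lab)\tStatus: Up\n'
  printf '# Nmap done: 8 IP addresses (2 hosts up)\n'
} > "$WORK/ping.gnmap"

# Constructed sample of the follow-up `nmap -Pn -sS -sV -p- -iL live_hosts.txt -oG`.
# Each port entry is port/state/proto/owner/service/rpcinfo/version/.
{
  printf '# Nmap 7.80 scan initiated as: nmap -Pn -sS -sV -p- -iL live_hosts.txt -oG ports.gnmap\n'
  printf 'Host: 10.10.10.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.80/, 443/closed/tcp//https///\tIgnored State: filtered (65533)\n'
  printf 'Host: 10.10.10.3 (target.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.29 ((Ubuntu))/, 3306/filtered/tcp//mysql///\tIgnored State: closed (65532)\n'
} > "$WORK/ports.gnmap"

# Hosts nmap marked "Up" -> one IP per line, ready for `nmap -iL`.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# Open ports only, as "ip port/proto service version"; closed and filtered
# entries are dropped so the validation list stays short.
open_ports() {
    awk -F '\t' '/^Host:/ && /Ports:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }
    }' "$1"
}

# One netcat probe per open port: -z connects without sending data, -w caps the
# wait so a black-holed port does not stall the loop. Printed rather than run,
# so this script stays offline; pipe the output into sh on the lab network.
nc_commands() {
    open_ports "$1" | awk '{ split($2, p, "/"); printf "nc -v -z -w 3 %s %s\n", $1, p[1] }'
}

live_hosts "$WORK/ping.gnmap" > "$WORK/live_hosts.txt"
echo "== live hosts (feed to nmap -iL) =="; cat "$WORK/live_hosts.txt"
echo "== open ports =="; open_ports "$WORK/ports.gnmap"
echo "== validation commands =="; nc_commands "$WORK/ports.gnmap"
```

nc_commands uses -z, which only reports whether the port accepts a connection; that is enough to throw out false positives. Drop -z when you want the banner, as in the nc -v command above.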

Check for Vulns

I use this term loosely here. We won’t use an actual vulnerability scanner, but we will use tools to test for issues specific to each identified service. Nmap has a great library of NSE scripts that can find issues (for example, --script vuln runs the vulnerability-check category against a host), and it is usually a great place to start with every service.
Refer to this page for some commands: https://www.thecyberunion.com/enumeration.html

Web App Testing

Web applications are a different animal and usually require a different kind of scanning after Nmap. Because a web server is essentially a file server with application code behind it, you not only have to look for vulnerabilities in the hosting software and the application stack, like WordPress and Drupal, but also enumerate the directory and file structure. When done right, enumerating a web server can take a while.
Tools to use here are:
Nikto
Dirb
Zap
Check out my web enumeration page for sample commands: https://www.thecyberunion.com/web-enumeration.html

Exploitation

After all that recon, you should be ready to pop some boxes. This is also one of the biggest hangups for beginners; they get to this part and still don’t see anything they should be abusing. If you did the recon correctly, you should know all your live hosts, the open ports, the services running on them, the versions of those services, and a map of any web applications. With that information, you can look up known vulnerabilities in the software and typical misconfigurations.

For example, you navigate to https://www.exploit-db.com/ and search for Drupal 1.5. You get
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload. You read about the vulnerability and try to get it to work. Even if the versions match, the system may still not be vulnerable (the module may not be installed, the fix may have been backported, or the PoC may need adjusting for the target). Be aware that not every entry in Exploit-DB has a proof of concept (PoC); you may need to hit up Google. Also, just typing in the version information plus the keyword “exploit” usually turns up some good info.

Also, don’t forget to check the easy stuff like default passwords, no password, and passwords that are the same as the username. These are quick wins and are often overlooked by people working too hard. I have spent hours on a box where the answer was something stupidly simple.

Post Exploitation

Hallelujah, you got a shell! Now what do you do? Here are some tips:
  • See who you are (“whoami” or “id”).
  • Check what privileges and group memberships you have (“net user %username%” or “whoami /priv” on Windows, “sudo -l” and “id” on Linux).
  • What kind of operating system, version number and kernel is it?
  • Create a more stable shell if all you have is a non-interactive, janky shell.
  • Look around for interesting files to plunder.
  • Look for a way to escalate privs …
For sample commands, check out the Post Ex page: https://www.thecyberunion.com/windows-post-ex.html

Password Cracking

This is always a last resort for me because there are usually easier and more time-effective ways in. John the Ripper ships with Kali, so let that puppy run on any hashes you find. Here is a cheat sheet for the commands. If you don’t have a hash and need to guess a password against a live service, check out Hydra (its -e ns option tries an empty password and the username as the password for every login, which covers the quick wins above).
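Two things you do the moment you find a hash, as an added example that is not from the original post: work out which john --format to try from the hash's shape, and see what a wordlist attack is actually doing before you hand the real file to John. The hash below is the SHA-256 of the word password, the four-word list is constructed, and john_wordlist only prints the command it would run when John is not installed.

```sh
#!/bin/sh
# Added example (not from the original post): name the john --format a hash
# most likely needs, and run a wordlist against an unsalted SHA-256 hash to
# show the loop John runs (far faster) under the hood. Hash and wordlist are
# constructed.
set -u

# Map a hash to the john --format flag to try first. The $id$ prefixes are
# unambiguous; the length-based guesses for raw hashes are heuristics (32 hex
# is MD5 but also NTLM, so try --format=nt if raw-md5 finds nothing).
identify_hash() {
    case "$1" in
        '$1$'*)        echo "md5crypt" ;;
        '$5$'*)        echo "sha256crypt" ;;
        '$6$'*)        echo "sha512crypt" ;;
        '$2'[aby]'$'*) echo "bcrypt" ;;
        *)
            # anything left must be pure hex to be a raw digest
            if [ -n "$(printf '%s' "$1" | tr -d '0-9a-fA-F')" ]; then
                echo "unknown"; return 0
            fi
            case "${#1}" in
                32)  echo "raw-md5" ;;
                40)  echo "raw-sha1" ;;
                64)  echo "raw-sha256" ;;
                128) echo "raw-sha512" ;;
                *)   echo "unknown" ;;
            esac ;;
    esac
}

# Hex SHA-256 of a string, with a fallback for systems without coreutils.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum
    else
        printf '%s' "$1" | shasum -a 256
    fi | cut -d ' ' -f 1
}

# Dictionary attack on an unsalted SHA-256 hash: hash each candidate and
# compare. Prints the password and returns 0, or returns 1 when the list runs out.
crack_raw_sha256() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word; do
        if [ "$(sha256_hex "$word")" = "$target" ]; then
            printf '%s\n' "$word"; return 0
        fi
    done < "$2"
    return 1
}

# Hand the hash file to John with the guessed format, or show the command
# you would run on Kali when John is not installed here.
john_wordlist() {
    fmt=$(identify_hash "$(cat "$1")")
    if command -v john >/dev/null 2>&1; then
        john --format="$fmt" --wordlist="$2" "$1" && john --show --format="$fmt" "$1"
    else
        echo "john not found; on Kali run: john --format=$fmt --wordlist=$2 $1"
    fi
}

WORK=$(mktemp -d)
# Constructed input: SHA-256 of "password", and a tiny wordlist.
echo "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8" > "$WORK/hash.txt"
printf '%s\n' 123456 letmein password qwerty > "$WORK/words.txt"

echo "format: $(identify_hash "$(cat "$WORK/hash.txt")")"
echo "cracked: $(crack_raw_sha256 "$(cat "$WORK/hash.txt")" "$WORK/words.txt" || echo '<not in list>')"
john_wordlist "$WORK/hash.txt" "$WORK/words.txt"
```

For real Linux hashes, combine the files first (unshadow /etc/passwd /etc/shadow > hashes.txt) so John sees the usernames, and give it a proper wordlist such as /usr/share/wordlists/rockyou.txt; the toy loop above exists only to make the mechanism visible.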

Privilege Escalation

Privilege escalation is the act of moving to a higher level of access. Whether you are going from a regular user to an admin or from the Apache service account to root, you are increasing your access on the system. This is a topic in itself and differs between Windows and Linux environments.
Some suggestions for this step are:
  • Look for kernel exploits (match the kernel or build version you collected in post-ex against public exploits, and keep in mind that a failed kernel exploit can crash the box).
  • Look for misconfigured file and folder permissions, such as world-writable scripts, cron jobs and service binaries.
  • Look for binaries and utilities that run with elevated rights (SUID, or allowed via sudo) and have known shell escapes; nmap (--interactive on old versions) and vim (:!sh) are the classic examples.
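A Linux triage script for the post-exploitation checklist above and for the sudo/SUID part of privilege escalation, as an added example that is not from the original post (for Windows, the Post Ex page linked above has the equivalents). The sudo -l output and SUID list it parses first are constructed samples for a made-up www-data user on a host called target; the live checks at the bottom run against whatever box you execute it on. The list of shell-escape binaries is a starting point, not a complete one.

```sh
#!/bin/sh
# Added example (not from the original post): first-minutes Linux triage for
# the post-ex and priv-esc steps. The two parsers are exercised on constructed
# data first, then the live checks run against the current box.
set -u

# Binaries that hand you a shell when they run with more privilege than you,
# whether via a SUID bit or a sudo rule: vim/vi (:!sh), nmap (--interactive
# on old builds, --script on new ones), find (-exec), less/more (!sh),
# awk/perl/python (system()). Extend this list as you learn more of them.
ESCAPE_BINS="vim vi nmap find less more awk perl python python2 python3 bash sh"

# Read one path per line on stdin; print the ones whose basename is in ESCAPE_BINS.
flag_escapes() {
    while IFS= read -r path; do
        case " $ESCAPE_BINS " in
            *" ${path##*/} "*) printf '%s\n' "$path" ;;
        esac
    done
    return 0
}

# Turn `sudo -l` output (stdin) into "(runas) nopasswd|password command" lines.
sudo_rules() {
    awk '/may run the following commands/ { rules = 1; next }
         rules && /^[ \t]*\(/ {
             sub(/^[ \t]+/, "")
             nopw = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
             match($0, /^\([^)]*\)/); runas = substr($0, RSTART, RLENGTH)
             sub(/^\([^)]*\)[ \t]*/, ""); sub(/^NOPASSWD:[ \t]*/, "")
             print runas, nopw, $0
         }'
}

# Constructed `sudo -l` output for a low-privilege web user.
sudo_sample() {
    cat <<'EOF'
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (ALL) /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/service apache2 restart
EOF
}

# Constructed SUID list, the shape `find / -perm -4000 -type f` returns.
suid_sample() {
    printf '%s\n' /usr/bin/passwd /usr/bin/vim /usr/bin/nmap /usr/lib/openssh/ssh-keysign
}

echo "== sudo rules that give a shell (sample data) =="
sudo_sample | sudo_rules | awk '{ print $3 }' | flag_escapes
echo "== SUID binaries that give a shell (sample data) =="
suid_sample | flag_escapes

echo "== who am I / what is this box =="
id; uname -a
head -n 2 /etc/os-release 2>/dev/null || true
echo "== live sudo rules worth a look =="
if command -v sudo >/dev/null 2>&1; then
    # -n never prompts, so this is safe from a shell with no tty
    sudo -n -l 2>/dev/null | sudo_rules | awk '{ print $3 }' | flag_escapes
else
    echo "(sudo not installed)"
fi
echo "== live SUID binaries worth a look =="
find / -xdev -perm -4000 -type f 2>/dev/null | flag_escapes
echo "== world-writable files (first 20) =="
find / -xdev -type f -perm -0002 2>/dev/null | head -n 20
```

Getting an interactive shell comes first and is not scripted here; the usual recipe is python -c 'import pty; pty.spawn("/bin/bash")', then Ctrl-Z, stty raw -echo; fg, so that sudo and vim behave. A hit from flag_escapes is a lead, not a win: the sudo rule for /usr/sbin/service above is not flagged, yet a restartable service whose config you can write is just as useful.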

Practice

If you have little understanding of red team/pen test tactics, why not practice before you drop some dollars on the OSCP?

Check out these links for lists of practice VMs and CTFs:
https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms
https://backdoorshell.gitbooks.io/oscp-useful-links/content/vulnhub-vms.html
https://github.com/ferreirasc/oscp
    Author

    Silverbits
    - Infosec Enthusiast
    - Traveler
    - Future AT Thru-Hiker
    - CTFer
    - Red and Blue Teamer
