# OSCP Cheatsheet
The following collection is a wild (but structured) selection of commands, snippets, links, exploits, tools, lists and techniques I personally tested and used on my journey to becoming an OSCP. I will extend, restructure and update it from time to time, so let's see where this is going.
**THIS IS WORK IN PROGRESS**
## Disclaimer
This cheatsheet is definitely not "complete". I am sure I forgot to write down hundreds of essential commands, used most of them in the wrong way with unnecessary flags, and you'll probably soon ask yourself how I even made it through the exam. You might also think a certain tool belongs in another phase of the attack (e.g. certain nmap vulnerability scripts should be under Exploitation). That's okay; imho the boundaries between the different stages of a penetration test are very blurry. Feel free to open a PR if you want to help improve the list.
**Use for educational purposes only!**
***
# Table of Contents
- [OSCP Cheatsheet](#oscp-cheatsheet)
* [Disclaimer](#disclaimer)
- [Reconnaissance](#reconnaissance)
* [Autorecon](#autorecon)
* [Nmap](#nmap)
+ [Initial Fast TCP Scan](#initial-fast-tcp-scan)
+ [Full TCP Scan](#full-tcp-scan)
+ [Limited Full TCP Scan](#limited-full-tcp-scan)
+ [Top 100 UDP Scan](#top-100-udp-scan)
+ [Full Vulnerability scan](#full-vulnerability-scan)
+ [Vulners Vulnerability Script](#vulners-vulnerability-script)
+ [SMB Vulnerability Scan](#smb-vulnerability-scan)
* [Gobuster](#gobuster)
+ [HTTP](#http)
- [Fast Scan (Small List)](#fast-scan--small-list-)
- [Fast Scan (Big List)](#fast-scan--big-list-)
- [Slow Scan (Check File Extensions)](#slow-scan--check-file-extensions-)
+ [HTTPS](#https)
* [SMBCLIENT](#smbclient)
+ [List Shares (As Guest)](#list-shares--as-guest-)
+ [Connect to A Share (As User John)](#connect-to-a-share--as-user-john-)
+ [Download All Files From A Directory Recursively](#download-all-files-from-a-directory-recursively)
+ [Alternate File Streams](#alternate-file-streams)
- [List Streams](#list-streams)
- [Download Stream By Name (:SECRET)](#download-stream-by-name---secret-)
* [Enum4Linux](#enum4linux)
+ [Scan Host](#scan-host)
+ [Scan Host, Suppress Errors](#scan-host--suppress-errors)
* [NFS](#nfs)
+ [Show mountable drives](#show-mountable-drives)
+ [Mount Drive](#mount-drive)
* [WebApp Paths](#webapp-paths)
* [SQLMAP](#sqlmap)
+ [Get Request](#get-request)
+ [Test All (Default Settings)](#test-all--default-settings-)
- [Test All (Default Settings, High Stress)](#test-all--default-settings--high-stress-)
+ [Post Request (Capture with BURP)](#post-request--capture-with-burp-)
- [Test All (Default Settings)](#test-all--default-settings--1)
- [Test All (Default Settings, High Stress)](#test-all--default-settings--high-stress--1)
- [Get A Reverse Shell (MySQL)](#get-a-reverse-shell--mysql-)
- [Brute Force](#brute-force)
* [Hydra](#hydra)
+ [HTTP Basic Authentication](#http-basic-authentication)
+ [HTTP Get Request](#http-get-request)
+ [HTTP Post Request](#http-post-request)
+ [MYSQL](#mysql)
- [File Transfer](#file-transfer)
* [Powershell](#powershell)
+ [As Cmd.exe Command](#as-cmdexe-command)
+ [Encode Command for Transfer](#encode-command-for-transfer)
* [Certutil](#certutil)
+ [Download](#download)
+ [Download & Execute Python Command](#download---execute-python-command)
* [SMB](#smb)
+ [Start Impacket SMB Server (With SMB2 Support)](#start-impacket-smb-server--with-smb2-support-)
+ [List Drives (Execute on Victim)](#list-drives--execute-on-victim-)
+ [Copy Files (Execute on Victim)](#copy-files--execute-on-victim-)
* [PureFTP](#pureftp)
+ [Install](#install)
+ [Create setupftp.sh Execute The Script](#create-setupftpsh-execute-the-script)
+ [Get Service Ready](#get-service-ready)
- [Reset Password](#reset-password)
- [Commit Changes](#commit-changes)
- [Restart Service](#restart-service)
+ [Create FTP Script (On Victim)](#create-ftp-script--on-victim-)
+ [Execute Script (on Victim)](#exectue-script--on-victim-)
* [Netcat](#netcat)
* [Receiving Shell](#receiving-shell)
* [Sending Shell](#sending-shell)
* [TFTP](#tftp)
+ [Start TFTP Daemon (Folder /var/tftp)](#start-tftp-daemon--folder--var-tftp-)
+ [Transfer Files](#transfer-files)
* [VBScript](#vbscript)
+ [Create wget.vbs File](#create-wgetvbs-file)
+ [Download Files](#download-files)
- [Shells](#shells)
* [Upgrade Your Shell (TTY Shell)](#upgrade-your-shell--tty-shell-)
* [Enable Tab-Completion](#enable-tab-completion)
* [Catching Reverse Shells (Netcat)](#catching-reverse-shells--netcat-)
* [Netcat](#netcat-1)
+ [Reverse Shell](#reverse-shell)
- [Unix](#unix)
- [Windows](#windows)
+ [Bind shell](#bind-shell)
- [Unix](#unix-1)
- [Windows](#windows-1)
* [Bash](#bash)
+ [Reverse Shell](#reverse-shell-1)
* [Python](#python)
+ [As Command (Reverse Shell)](#as-command--reverse-shell-)
+ [Python Code (Reverse Shell)](#python-code--reverse-shell-)
* [PHP](#php)
+ [Kali Default PHP Reverse Shell](#kali-default-php-reverse-shell)
+ [Kali Default PHP CMD Shell](#kali-default-php-cmd-shell)
+ [PHP Reverse Shell](#php-reverse-shell)
+ [CMD Shell](#cmd-shell)
+ [WhiteWinterWolf Webshell](#whitewinterwolf-webshell)
* [MSFVENOM](#msfvenom)
+ [Windows Binary (.exe)](#windows-binary--exe-)
- [32 Bit (x86)](#32-bit--x86-)
- [64 Bit (x64)](#64-bit--x64-)
+ [Linux Binary (.elf)](#linux-binary--elf-)
- [32 Bit (x86)](#32-bit--x86--1)
- [64 Bit (x64)](#64-bit--x64--1)
+ [Java Server Pages (.jsp)](#java-server-pages--jsp-)
+ [Active Server Pages Extended (.aspx)](#active-sever-pages-extended--aspx-)
* [Active Server Pages Extended (.aspx)](#active-sever-pages-extended--aspx--1)
+ [Transfer A File (Certutil)](#transfer-a-file--certutil-)
+ [Execute a File](#execute-a-file)
* [Jenkins / Groovy (Java)](#jenkins---groovy--java-)
+ [Linux Reverse Shell](#linux-reverse-shell)
+ [Windows Reverse Shell](#windows-reverse-shell)
* [Perl](#perl)
+ [Reverse Shell](#reverse-shell-2)
* [phpMyAdmin](#phpmyadmin)
***
# Reconnaissance
## Autorecon
https://github.com/Tib3rius/AutoRecon
```bash
autorecon -vv 192.168.0.1
```
***
## Nmap
### Initial Fast TCP Scan
*`-sS` (SYN scan) requires root, so run these with `sudo`.*
```bash
nmap -v -sS -sV -Pn --top-ports 1000 -oA initial_scan_192.168.0.1 192.168.0.1
```
### Full TCP Scan
```bash
nmap -v -sS -Pn -sV -p 0-65535 -oA full_scan_192.168.0.1 192.168.0.1
```
### Limited Full TCP Scan
*If the SYN scan takes very long to complete, the following connect scan is a faster alternative (no service detection). `--max-retries 1` can miss ports on a lossy link, so re-check anything suspicious with the full scan above.*
```bash
nmap -sT -p- --min-rate 5000 --max-retries 1 192.168.0.1
```
### Top 100 UDP Scan
```bash
nmap -v -sU -T4 -Pn --top-ports 100 -oA top_100_UDP_192.168.0.1 192.168.0.1
```
### Full Vulnerability Scan
*`--script-args=unsafe=1` enables checks that can crash or hang the service under test (e.g. DoS probes). Only use it where that is acceptable.*
```bash
nmap -v -sS -Pn --script vuln --script-args=unsafe=1 -oA full_vuln_scan_192.168.0.1 192.168.0.1
```
### Vulners Vulnerability Script
*The script is called `vulners` (shipped with recent Nmap releases; source at https://github.com/vulnersCom/nmap-vulners). It matches CVEs against the CPE that version detection reports, so it does nothing without `-sV`.*
```bash
nmap -v -sS -sV -Pn --script vulners -oA vulners_scan_192.168.0.1 192.168.0.1
```
### SMB Vulnerability Scan
*The script pattern is quoted so the shell does not expand `smb-vuln*` against files in the current directory.*
```bash
nmap -v -sS -p 445,139 -Pn --script 'smb-vuln*' --script-args=unsafe=1 -oA smb_vuln_scan_192.168.0.1 192.168.0.1
```
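The scans above work best as a sequence: a fast full-port sweep first, then version detection and the vuln/vulners scripts only against the ports that were actually open, instead of `-sV` and scripts across all 65536 ports. The following wrapper, which is an added example and not part of the original cheatsheet, does exactly that. It parses nmap's grepable (`-oG`) output to get the open TCP port list; the sample `-oG` text, the output prefixes `phase1_<target>` / `targeted_scan_<target>` and the function names are this example's own choices.

```bash
#!/bin/sh
# Added example (not from the original cheatsheet): a two-phase nmap pipeline.
# Phase 1 is the fast full-port connect sweep (no -sV); phase 2 runs service detection
# plus the default/vuln/vulners scripts only against the TCP ports phase 1 found open.

# Constructed sample of nmap -oG output (not a real scan result), used so the port
# parser can be exercised without running nmap.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated
Host: 10.0.0.5 ()   Status: Up
Host: 10.0.0.5 ()   Ports: 80/open/tcp//http///, 22/open/tcp//ssh///, 443/filtered/tcp//https///, 8080/open/tcp//http-proxy///   Ignored State: closed (65531)
# Nmap done'

# Read nmap -oG output on stdin and print the open TCP ports as a sorted,
# comma-separated list (the form -p expects). Filtered/closed ports and UDP are dropped.
open_ports_from_gnmap() {
    awk -F'Ports: ' '/^Host:/ && NF > 1 {
        n = split($2, items, ",")
        for (i = 1; i <= n; i++) {
            gsub(/^[ \t]+/, "", items[i])       # strip the blank after each comma
            split(items[i], f, "/")             # port/state/proto/owner/service/...
            if (f[2] == "open" && f[3] == "tcp") print f[1]
        }
    }' | sort -n -u | paste -sd, -
}

# Parse the constructed sample above; returns "22,80,8080".
sample_open_ports() {
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
}

# Build (but do not run) the phase-2 command for a target and its open ports, so the
# caller can review or log the exact command line before executing it.
followup_scan_cmd() {
    local target="$1" ports="$2" prefix="${3:-targeted_scan_$1}"
    [ -n "$ports" ] || return 1                 # nothing open: nothing to scan
    # Script names are quoted so the shell never globs a "vuln*"-style pattern.
    printf 'nmap -v -sS -sV -Pn -p %s --script "default,vuln,vulners" --script-args=unsafe=1 -oA %s %s\n' \
        "$ports" "$prefix" "$target"
}

# Full pipeline. Needs nmap on the path and root for -sS in phase 2.
# Usage after sourcing this file:  run_pipeline 192.168.0.1
run_pipeline() {
    local target="$1" base="phase1_$1" ports
    nmap -v -sT -p- --min-rate 5000 --max-retries 1 -Pn -oA "$base" "$target" || return 1
    ports="$(open_ports_from_gnmap < "$base.gnmap")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target (retry without --max-retries 1)" >&2
        return 1
    fi
    echo "open TCP ports on $target: $ports"
    eval "$(followup_scan_cmd "$target" "$ports")"
}
```

Source the file and call `run_pipeline <target>` (as root). Keeping the phase-2 command as a printed string rather than running it directly makes it easy to drop into your notes, which the exam report will need anyway.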
***
## Gobuster
### HTTP
#### Fast Scan (Small List)
```bash
gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirb/big.txt -t 20
```
#### Fast Scan (Big List)
```bash
gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
```
#### Slow Scan (Check File Extensions)
```bash
gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,cgi,sh,bak,aspx -t 20
```
### HTTPS
*Gobuster v3 skips certificate validation with `-k` (`--no-tls-validation`); the older v2 flag was `--insecuressl`. You will need it for the self-signed certificates typical of lab targets.*
***
## SMBCLIENT