🐲
OSCP Notes
  • 🐲OSCP Notes
  • 🐲OSCP Methodology
  • 💡Misc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • 🧠Mindmap
    • 🥝Mimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page

OSCP Methodology

Find the foothold

Host Discovery

The first go to is to search hosts available on the given subnet.

Host Discovery

Port Scanning

After finding the hosts are available , the next step will be to scan the open ports in order to identify target exposed services.

Port scanning

Identify a vulnerable service

There are many possible attack vectors:

Web service

  • Brute-force directories and files.

  • Brute-force subdomains.

  • Read source pages and search for comments or libraries\frameworks vulnerable version.

  • Leverage Web attacks.

File services

SSH

Search for the SSH private key .ssh/id_rsa using pwned machine or web vulnerability like Directory Traversal.

Privilege escalation

Linux

First enumerate the system - Local Enumeration

Then exploit any attack vector in order to escalate to root - Local Privileges Escalation

Windows

First enumerate the system - Local Privilege Escalation

Then exploit any attack vector to escalate to admin - Local Privilege Escalation

Active directory compromise

  1. Enumerate the system - Local Privilege Escalation

  2. Exploit any attack vector to escalate to root - Local Privilege Escalation

  3. Credential Harvesting - Mimikatz Basics

  4. Move between ad machines - Lateral Movement

  5. Until getting Domain Admin or DC Sync privilege Repeat 1.

  6. DC Sync

PreviousOSCP NotesNextMetasploit

Last updated 2 months ago

SMTP - 25 or can be useful for phishing attacks.

To generate the phishing use Client Side attacks or generate exe using .

When SSH is open try brute-force it - .

🐲
  • Find the foothold
  • Host Discovery
  • Port Scanning
  • Identify a vulnerable service
  • Privilege escalation
  • Linux
  • Windows
  • Active directory compromise
SMB
MSFVenom
Hydra