- Resources:
- Pre-requisites
- Getting Comfortable with Kali Linux
- Command Line Fun
- Practical Tools
- Bash Scripting
- Passive Information Gathering
- Active Information Gathering
- Vulnerability Scanning
- Web Application Attacks
- Buffer Overflow
- Client-side Attacks
- Locating Public Exploits
- Antivirus Evasion
- Privilege Escalation
- Password Attacks
- Port Redirection and Tunneling
- Active Directory Attacks
- The Metasploit Framework
- Powershell Empire
- Trying Harder: The Labs
- Solid understanding of TCP/IP networking
- Familiarity with basic Bash and/or Python scripting
Update (16th Oct 2022):
One of the Python courses listed above is no longer available, but you can use the Wayback Machine to access it again.
A quick tip for any broken link in this repository: use the Wayback Machine.
Thoughts:
Learn Python 3 the Hard Way is the best book for Python, according to me!
Estimated Time: 24 hours
- Should learn (important):
- man
- apropos
- ls
- cd
- pwd
- mkdir
- rm
- which
- locate
- find
- ssh
- grep
- apt
Estimated Time: 8 hours
- Linux Commands cheatsheet
- Book: The Linux Command Line
- Practice:
- Vim Tutorial: https://youtu.be/IiwGbcd8S7I
- Should learn:
- Environment Variables in Bash
- grep
- awk
- cut
- sed
- comm
- diff
- vimdiff
- ping
- bg
- fg
- jobs
- kill
- ps
- wget
- curl
- axel
- Text Editors you should be familiar with:
- nano
- vi(m)
Expected time (without practice): 12 hours
- Official Syllabus Tools
- Netcat
- Socat
- Powershell
- Powercat
- Wireshark
- Tcpdump
- Enumeration
AutoRecon — https://github.com/Tib3rius/AutoRecon
nmapAutomator — https://github.com/21y4d/nmapAutomator
Reconbot — https://github.com/Apathly/Reconbot
Raccoon — https://github.com/evyatarmeged/Raccoon
RustScan — https://github.com/RustScan/RustScan
BashScan — https://github.com/astryzia/BashScan
- Web Related
Dirsearch — https://github.com/maurosoria/dirsearch
GoBuster — https://github.com/OJ/gobuster
Recursive GoBuster — https://github.com/epi052/recursive-gobuster
wfuzz — https://github.com/xmendez/wfuzz
goWAPT — https://github.com/dzonerzy/goWAPT
ffuf — https://github.com/ffuf/ffuf
Nikto — https://github.com/sullo/nikto
dirb — https://tools.kali.org/web-applications/dirb
dirbuster — https://tools.kali.org/web-applications/dirbuster
feroxbuster — https://github.com/epi052/feroxbuster
FinalRecon — https://github.com/thewhiteh4t/FinalRecon
- Network tools:
Impacket (SMB, psexec, etc) — https://github.com/SecureAuthCorp/impacket
- File Transfers:
updog — https://github.com/sc0tfree/updog
- Wordlists:
SecLists — https://github.com/danielmiessler/SecLists
- Payload Generators:
Reverse Shell Generator — https://github.com/cwinfosec/revshellgen
Windows Reverse Shell Generator — https://github.com/thosearetheguise/rev
MSFVenom Payload Creator — https://github.com/g0tmi1k/msfpc
- Php reverse shell:
Windows PHP Reverse Shell — https://github.com/Dhayalanb/windows-php-reverse-shell
PenTestMonkey Unix PHP Reverse Shell — http://pentestmonkey.net/tools/web-shells/php-reverse-shell
- Terminal Related:
tmux — https://tmuxcheatsheet.com/ (cheat sheet)
tmux-logging — https://github.com/tmux-plugins/tmux-logging
Oh My Tmux — https://github.com/devzspy/.tmux
screen — https://gist.github.com/jctosta/af918e1618682638aa82 (cheat sheet)
Terminator — http://www.linuxandubuntu.com/home/terminator-a-linux-terminal-emulator-with-multiple-terminals-in-one-window
vim-windir — https://github.com/jtpereyda/vim-windir
- Exploits:
Exploit-DB — https://www.exploit-db.com/
Windows Kernel Exploits — https://github.com/SecWiki/windows-kernel-exploits
AutoNSE — https://github.com/m4ll0k/AutoNSE
Linux Kernel Exploits — https://github.com/lucyoa/kernel-exploits
- Password Brute Forcer:
BruteX — https://github.com/1N3/BruteX
Hashcat — https://hashcat.net/hashcat/
John the Ripper — https://www.openwall.com/john/
- Post Exploitation / Privilege Escalation
LinEnum — https://github.com/rebootuser/LinEnum
linuxprivchecker — https://www.securitysift.com/download/linuxprivchecker.py
Powerless — https://github.com/M4ximuss/Powerless
PowerUp — https://github.com/HarmJ0y/PowerUp
Linux Exploit Suggester — https://github.com/mzet-/linux-exploit-suggester
Windows Exploit Suggester — https://github.com/bitsadmin/wesng
Windows Privilege Escalation Awesome Scripts (WinPEAS) — https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
Linux Privilege Escalation Awesome Script (LinPEAS) — https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS (CHECK THE VERSION NUMBER!!!)
GTFOBins (Bypass local restrictions) — https://gtfobins.github.io/
Get GTFOBins — https://github.com/CristinaSolana/ggtfobins
sudo_killer — https://github.com/TH3xACE/SUDO_KILLER
WADComs — https://wadcoms.github.io/
LOLBAS — https://lolbas-project.github.io/
- Buffer Overflow Practice
Vulnserver for Windows — https://github.com/stephenbradshaw/vulnserver
Vulnserver for Linux — https://github.com/ins1gn1a/VulnServer-Linux
Tib3rius TryHackMe BOF — https://tryhackme.com/jr/bufferoverflowprep
- Privilege Escalation Practice
Local Privilege Escalation Workshop — https://github.com/sagishahar/lpeworkshop
Linux Privilege Escalation — https://www.udemy.com/course/linux-privilege-escalation/
Windows Privilege Escalation — https://www.udemy.com/course/windows-privilege-escalation/
- Netcat
- PowerShell Learning Resources
- PowerShell for Pentesting In Kali Linux
- Hands on Challenges for learning PowerShell:
- underthewire.tech: https://underthewire.tech/wargames.htm
- codewars: https://www.codewars.com/
Expected time (tools overview): 12 hours
Expected Time: 4 hours
- Website Recon
- Whois Enumeration
- Google hacking: https://www.exploit-db.com/google-hacking-database
- Netcraft
- Recon-ng: https://github.com/lanmaster53/recon-ng
- Open source code
- Shodan
- Security Headers Scanner
- SSL Server Test
- Pastebin
- User information Gathering
- Email Harvesting
- Stack Overflow
- OSINT Framework
- Maltego
Expected time: 30 mins
- DNS Enumeration
- Forward Lookup
- Reverse Lookup
- DNS Zone Transfers
- Tools:
- DNSrecon
- DNSenum
- Port Scanning
- TCP Scanning
- UDP Scanning
- Nmap:
- https://nmap.org/book/toc.html
- https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717
- https://blog.zsec.uk/nmap-rtfm/
- Masscan
- SMB Enumeration
- NFS Enumeration
- SMTP Enumeration
- SNMP Enumeration
Expected Time: 12 hours
- Vulnerability Scanning using Nessus
- Vulnerability Scanning using Nmap
Expected Time: 4 hours
- Web Tools:
- DIRB: http://dirb.sourceforge.net/
- Dirsearch: https://github.com/maurosoria/dirsearch
- Dirbuster: https://tools.kali.org/web-applications/dirbuster
- Gobuster: https://github.com/OJ/gobuster
- Wfuzz: https://github.com/xmendez/wfuzz
- ffuf: https://github.com/ffuf/ffuf
- Burpsuite
- Nikto
- HTTPie: https://httpie.io/
- Practice:
- Metasploitable 2
- OWASP Juice Shop
- Overthewire Natas
- Web Security Academy
- https://www.hackthissite.org/
- Blogs:
- Buffer Overflows Made Easy
- Exploit writing tutorial part 1 : Stack Based Overflows
- Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
- What is Buffer Overflow? — TryHackMe: Buffer Overflow Prep Walkthrough
- Buffer Overflow personal cheatsheet
- Easy OSCP Bufferoverflow Preparation
- The Braindead Buffer Overflow Guide to Pass the OSCP Blindfolded
- Simplifying Buffer Overflows for OSCP
- OSCP Buffer Overflow Guide (Windows)
- Practice:
1. https://tryhackme.com/room/oscpbufferoverflowprep
2. protostar on vulnhub
3. vulnserver
4. Brainpan on vulnhub
5. warFTP
6. miniserv
7. https://overthewire.org/wargames/behemoth/
8. https://overthewire.org/wargames/narnia/
9. Brainpan 1: https://www.vulnhub.com/entry/brainpan-1,51/
10. Pinky's Palace version 1: https://www.vulnhub.com/entry/pinkys-palace-v1,225/
11. Stack Overflows for Beginners: https://www.vulnhub.com/entry/stack-overflows-for-beginners-101,290/
12. SmashTheTux: https://www.vulnhub.com/entry/smashthetux-101,138/
13. Pandora's Box: https://www.vulnhub.com/entry/pandoras-box-1,111/
- Windows Binaries (recommended: run these on 32-bit Windows 7/XP):
Vulnserver: https://samsclass.info/127/proj/vuln-server.htm
Minishare 1.4.1: https://www.exploit-db.com/exploits/636
Savant Web Server 3.1: https://www.exploit-db.com/exploits/10434
Freefloat FTP Server 1.0: https://www.exploit-db.com/exploits/40673
Core FTP Server 1.2: https://www.exploit-db.com/exploits/39480
WarFTP 1.65: https://www.exploit-db.com/exploits/3570
VUPlayer 2.4.9: https://www.exploit-db.com/exploits/40018
- Linux Binaries
Linux Buffer Overflow: https://samsclass.info/127/proj/lbuf1.htm
- Videos:
- Github:
1. https://github.com/justinsteven/dostackbufferoverflowgood
2. https://github.com/3isenHeiM/OSCP-BoF
3. https://github.com/gh0x0st/Buffer_Overflow
4. https://github.com/sradley/overflow (You should not use it in the exam)
5. https://github.com/onecloudemoji/BOF-Template (Buffer overflow template)
6. https://github.com/V1n1v131r4/OSCP-Buffer-Overflow
- Other Resources:
Whitepaper Introduction to Immunity Debugger: https://www.sans.org/reading-room/whitepapers/malicious/basic-reverse-engineering-immunity-debugger-36982
Do Stack Buffer Overflow Good: https://github.com/justinsteven/dostackbufferoverflowgood
Buffer Overflows for Dummies: https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
Vortex Stack Buffer Overflow Practice: https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/
Smashing the Stack For Fun and Profit: http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
Buffer Overflow Guide: https://github.com/johnjhacking/Buffer-Overflow-Guide
Stack based Linux Buffer Overflow: https://www.exploit-db.com/docs/english/28475-linux-stack-based-buffer-overflows.pdf
Expected time (without practice): 8 hours
https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/
Expected Time: (not sure)
- Places to Find Exploits:
- Tools for finding exploits:
Searchsploit: a command line search tool for Exploit-DB
Nmap NSE Scripts
The Browser Exploitation Framework (BeEF)
Manual for searchsploit: https://www.exploit-db.com/searchsploit
Expected Time: 1 hour
- Book
Antivirus Bypass Techniques: Learn Practical Techniques and Tactics to Combat, Bypass, and Evade Antivirus Software
Link: https://g.co/kgs/WzEjAH
- Tools to play with Anti-Virus evasion:
Veil-Framework: https://github.com/Veil-Framework/Veil
Shellter: https://www.shellterproject.com/
Unicorn: https://github.com/trustedsec/unicorn
UniByAV: https://github.com/Mr-Un1k0d3r/UniByAv
- Tools to play with for Obfuscation:
PowerShell:
Invoke-Obfuscation: https://github.com/danielbohannon/Invoke-Obfuscation
Chimera: https://github.com/tokyoneon/Chimera
Python:
Pyarmor: https://pypi.org/project/pyarmor/
PyObfx: https://github.com/PyObfx/PyObfx
C#:
ConfuserEx: https://github.com/yck1509/ConfuserEx
- Testing Payloads Publicly (keep in mind that samples submitted to online scanners may be distributed to other AV engines):
Nodistribute: https://nodistribute.com/
Virustotal: https://www.virustotal.com/gui/home
Hybrid-Analysis: https://www.hybrid-analysis.com/
Any-Run: https://app.any.run
Reverse.it: https://reverse.it
Anti-Virus Evasion Tool: https://github.com/govolution/avet
DefenderCheck: https://github.com/matterpreter/DefenderCheck
ThreatCheck: https://github.com/rasta-mouse/ThreatCheck
Expected: 12 hours
- Blogs:
- Windows elevation of privileges
- Linux elevation of privileges
- Basic Linux Privilege Escalation
- Checklist - Local Windows Privilege Escalation
- Linux Privilege Escalation
- Linux
- Linux Privilege Escalation Exploiting Capabilities
- I absolutely suck at privilege escalation
- Privilege escalations in windows
- Windows Privilege Escalation Guide
- Hacking Linux Part I: Privilege Escalation
- Windows Privilege Escalation Fundamentals
- Windows Privilege Escalation Methods for Pentesters
- Windows Services - All roads lead to SYSTEM
- I hate hate hate HATEE privilege escalation.
- Practice:
- Videos/Courses
- https://www.udemy.com/course/linux-privilege-escalation/
- Tib3rius and TCM Udemy courses
- OSCP - Windows Privilege Escalation Methodology
- Encyclopaedia Of Windows Privilege Escalation - Brett Moore
- DerbyCon 3.0 2105: Windows Attacks: AT Is The New Black - Rob Fuller and Chris Gates
- Privilege Escalation
- Ippsec
- Github:
1. https://github.com/sagishahar/lpeworkshop
2. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Methodology%20and%20Resources
3. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
4. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
5. https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
6. https://github.com/abatchy17/WindowsExploits
7. https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
8. https://github.com/rasta-mouse/Sherlock
9. https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- Others
- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
- https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/
- https://www.vulnhub.com/entry/linsecurity-1,244/
- https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html#section-10-buffer-overflows-for-windows-and-linux
- http://pwnwiki.io/#!privesc/windows/index.md
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- https://github.com/N7WEra/SharpAllTheThings
- https://github.com/411Hall/JAWS/commits?author=411Hall
- https://github.com/bitsadmin/wesng
- https://github.com/rasta-mouse/Sherlock
- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
- https://github.com/rasta-mouse/Watson
- https://github.com/GhostPack/Seatbelt
- https://github.com/gladiatx0r/Powerless
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/breenmachine/RottenPotatoNG
- https://github.com/ohpe/juicy-potato
- https://rahmatnurfauzi.medium.com/windows-privilege-escalation-scripts-techniques-30fa37bd194
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://github.com/jondonas/linux-exploit-suggester-2
Expected: 12 hours
- Offline tools for password cracking
Hashcat: https://hashcat.net/hashcat/
Sample hashes to test with Hashcat: https://hashcat.net/wiki/doku.php?id=example_hashes
John the Ripper: https://www.openwall.com/john/
Metasploit Unleashed using John the Ripper with Hashdump: https://www.offensive-security.com/metasploit-unleashed/john-ripper/
- Online Tools for password cracking
THC Hydra: https://github.com/vanhauser-thc/thc-hydra
Crowbar: https://github.com/galkan/crowbar
- Wordlist Generator
Cewl: https://digi.ninja/projects/cewl.php
Crunch: https://tools.kali.org/password-attacks/crunch
Cupp (In Kali Linux): https://github.com/Mebus/cupp
- Tools to check the hash type:
Hash-Identifier: https://github.com/psypanda/hashID
- Tools to dump hashes:
Mimikatz: https://github.com/gentilkiwi/mimikatz
Mimipenguin: https://github.com/huntergregal/mimipenguin
Pypykatz: https://github.com/skelsec/pypykatz
- Wordlists:
In Kali: /usr/share/wordlists
SecLists: apt-get install seclists
You can find all of its password lists here: https://github.com/danielmiessler/SecLists/tree/master/Passwords
Xajkep Wordlists: https://github.com/xajkep/wordlists
- Online Password Crackers:
https://hashkiller.io/
https://www.cmd5.org/
https://www.onlinehashcrack.com/
https://gpuhash.me/
https://crackstation.net/
https://passwordrecovery.io/
https://md5decrypt.net/en/
https://hashes.com/en/decrypt/hash
http://cracker.offensive-security.com/
- Others
Introduction to Password Cracking: https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf
Pwning Wordpress Passwords: https://medium.com/bugbountywriteup/pwning-wordpress-passwords-2caf12216956
Expected: 12 hours
- Blogs
- Tools
Proxychains: https://github.com/haad/proxychains
Proxychains-ng: https://github.com/rofl0r/proxychains-ng
SSHuttle (Totally Recommend learning this): https://github.com/sshuttle/sshuttle
SSHuttle Documentation: https://sshuttle.readthedocs.io/en/stable/
Chisel: https://github.com/jpillora/chisel
Ligolo: https://github.com/sysdream/ligolo
- Online Tunneling Services
Ngrok: https://ngrok.com/
Twilio: https://www.twilio.com/
- Practice
Wintermute: https://www.vulnhub.com/entry/wintermute-1,239/
Expected: 12 hours
- Blogs
- Github:
- Practice:
- https://tryhackme.com/room/attacktivedirectory
- https://tryhackme.com/network/throwback
- Heist, Hutch, Vault on PG Play
- TryHackMe Holo and Throwback networks, in addition to the Attacktive Directory and post-exploitation rooms
- HackTheBox: Forest, Sauna, Dante, Active, Arctic and Granny
- CyberSecLabs
- Razorblack, Enterprise and VulnNet: Active on TryHackMe
- Wreath on TryHackMe
- Blackfield, Intelligence, Multimaster, Cascade, Heist (not sure whether that was HTB Heist, PG Heist or both), Reel, Sauna, Fuse, Sizzle, Mantis and Resolute
- https://drive.google.com/file/d/1RktnrenlhOMIqdPDAv-u60_yzW7K0KS0/view
- Rastalabs on HTB
- Videos:
- TJNull's suggestion:
- Setting up Active Directory:
Note: When you are setting up the Active Directory server, make sure that you assign a static IP address to it, and also to a workstation that you will be joining to the server for further testing. I recommend that you set up a Windows 10 workstation if you plan to use Windows Server 2016/2019.
Microsoft documentation to install Active Directory: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-
Install Windows Active Directory on Windows Server 2019: https://computingforgeeks.com/how-to-install-active-directory-domain-services-in-windows-server/
Understanding user accounts in Active Directory: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
Three ways to create an Active Directory user: https://petri.com/3-ways-to-create-new-active-directory-users
Join a workstation to the domain: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain
- Tools to help you automate the installation of Active Directory:
ADLab: https://github.com/browninfosecguy/ADLab
AutomatedLab: https://github.com/AutomatedLab/AutomatedLab
MSLab: https://github.com/microsoft/MSLab
Invoke-ADLabDeployer: https://github.com/outflanknl/Invoke-ADLabDeployer
Active Directory User Setup: https://github.com/bjiusc/Active-Directory-User-Setup-Script
- Enumerating Active Directory:
Active Directory Enumeration with PowerShell: https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf
Active Directory Exploitation Cheat Sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#domain-enumeration
PowerSploit: https://github.com/PowerShellMafia/PowerSploit
- Understanding the authentication protocols that Active Directory uses:
NTLM Authentication: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Kerberos Authentication: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Cached and Stored Credentials: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)
Group Managed Service Accounts: https://adsecurity.org/?p=4367
- Lateral Movement in Active Directory:
Paving the Way to DA: https://blog.zsec.uk/path2da-pt1 (Parts 2 and 3 as well)
Pass the Hash with Machine Accounts: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts
Overpass the Hash (PayloadsAllTheThings): https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#overpass-the-hash-pass-the-key
Red Team Adventures: Overpass the Hash: https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash
Pass the Ticket (Silver Tickets): https://adsecurity.org/?p=2011
Lateral Movement with DCOM: https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model
- Active Directory Persistence:
Cracking Kerberos TGS Tickets Using Kerberoast: https://adsecurity.org/?p=2293
Kerberoasting Without Mimikatz: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
Golden Tickets: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets
Pass the Ticket (Golden Tickets): https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#pass-the-ticket-golden-tickets
Understanding DCSync Attacks: https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync
- Tools for Active Directory Lateral Movement and Persistence:
ADRecon: https://github.com/sense-of-security/ADRecon
Kerbrute: https://github.com/ropnop/kerbrute
Rubeus: https://github.com/GhostPack/Rubeus
Impacket: https://github.com/SecureAuthCorp/impacket
- Other Resources:
Building an Active Directory with PowerShell: https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/
Lateral Movement for AD: https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash
Lateral Movement with CrackMapExec: https://www.hackingarticles.in/lateral-moment-on-active-directory-crackmapexec/
- Others:
- https://wadcoms.github.io/
- https://www.xmind.net/m/5dypm8/
- Cybermentor's Practical Ethical Hacking Course - Active Directory Section
Expected: 48 hours
- Metasploit Unleashed: https://www.offensive-security.com/metasploit-unleashed/
- Book:
- MSFvenom Cheat Sheets:
http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/
https://netsec.ws/?p=331
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
Expected: 4 hours
- Powershell Empire: https://github.com/BC-SECURITY/Empire
- Powershell Empire Guide: https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/
Expected: 4 hours
- HTB VM List: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
- Vulnhub VM List: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0
- Overview:
Phase I: Theory, Preparation and Note Taking
Phase II: Practice
Phase III: OSCP Labs & Original Course Material
Phase IV: OSCP Exam
Thought Process:
Let's divide OSCP into the fundamental components we will need to crack it:
- Theory, theory and theory: an in-depth understanding of a lot of topics.
- The ability to apply knowledge practically.
- Critical thinking.
- A high pain threshold.
- Consistency.
- Note taking.