Note: These are my notes for personal reference!
๐๐๐๐ ๐๐ซ๐-๐๐ซ๐๐ฉ๐๐ซ๐๐ญ๐ข๐จ๐ง ๐๐ฅ๐๐ง ๐๐ง๐ ๐๐จ๐ญ๐๐ฌ
21st March 2022: Start Date19th Sept 2022: Expected End Date180 days: Goal
- Resources:
- Pre-requisites
- Getting Comfortable with Kali Linux
- Command Line Fun
- Practical Tools
- Bash Scripting
- Passive Information Gathering
- Active Information Gathering
- Vulnerability Scanning
- Web Application Attacks
- Buffer Overflow
- Client-side Attacks
- Locating Public Exploits
- Antivirus Evasion
- Privilege Escalation
- Password Attacks
- Port Redirection and Tunneling
- Active Directory Attacks
- The Metasploit Framework
- Powershell Empire
- Trying Harder: The Labs
- Solid understanding of TCP/IP networking
- Familiarity with basic Bash and/or Python scripting
Update (16th Oct 2022):
One of the above python course wasn't available anymore. But you can use waybackmachine to access it again.
A quick tip for any broken link that might exist here in this repository:
- Use Wayback machine
Thoughts:
`Learn python 3 the hard way` is the best book for python according to me!
Estimated Time: 24 hours
๐๐๐ญ๐ญ๐ข๐ง๐ ๐๐จ๐ฆ๐๐จ๐ซ๐ญ๐๐๐ฅ๐ ๐ฐ๐ข๐ญ๐ก ๐๐๐ฅ๐ข ๐๐ข๐ง๐ฎ๐ฑ
- Should learn
(imp):
- man
- apropos
- ls
- cd
- pwd
- mkdir
- rm
- which
- locate
- find
- ssh
- grep
- apt
Estimated Time: 8 hours
- Linux Commands cheatsheet
- Book: The Linux Command Line
- Practice:
- Vim Tutorial: https://youtu.be/IiwGbcd8S7I
- Should learn:
- Environment Variables in Bash
- grep
- awk
- cut
- sed
- comm
- diff
- vimdiff
- ping
- bg
- fg
- jobs
- kill
- ps
- wget
- curl
- axel
- Text Editors you should be familiar with:
- nano
- vi(m)
Excepted time (without practice): 12 hours
- Official Syllabus Tools
- Netcat
- Socat
- Powershell
- Powercat
- Wireshark
- Tcpdump
- Enumeration
AutoRecon โ https://github.com/Tib3rius/AutoRecon
nmapAutomator โ https://github.com/21y4d/nmapAutomator
Reconbot โ https://github.com/Apathly/Reconbot
Raccoon โ https://github.com/evyatarmeged/Raccoon
RustScan โ https://github.com/RustScan/RustScan
BashScan โ https://github.com/astryzia/BashScan
- Web Related
Dirsearch โ https://github.com/maurosoria/dirsearch
GoBuster โ https://github.com/OJ/gobuster
Recursive GoBuster โ https://github.com/epi052/recursive-gobuster
wfuzz โ https://github.com/xmendez/wfuzz
goWAPT โ https://github.com/dzonerzy/goWAPT
ffuf โ https://github.com/ffuf/ffuf
Nikto โ https://github.com/sullo/nikto
dirb โ https://tools.kali.org/web-applications/dirb
dirbuster โ https://tools.kali.org/web-applications/dirbuster
feroxbuster โ https://github.com/epi052/feroxbuster
FinalRecon โ https://github.com/thewhiteh4t/FinalRecon
- Network tools:
Impacket (SMB, psexec, etc) โ https://github.com/SecureAuthCorp/impacket
- File Transfers:
updog โ https://github.com/sc0tfree/updog
- Wordlists:
SecLists โ https://github.com/danielmiessler/SecLists
- Payload Generators:
Reverse Shell Generator โ https://github.com/cwinfosec/revshellgen
Windows Reverse Shell Generator โ https://github.com/thosearetheguise/rev
MSFVenom Payload Creator โ https://github.com/g0tmi1k/msfpc
- Php reverse shell:
Windows PHP Reverse Shell โ https://github.com/Dhayalanb/windows-php-reverse-shell
PenTestMonkey Unix PHP Reverse Shell โ http://pentestmonkey.net/tools/web-shells/php-reverse-shell
- Terminal Related:
tmux โ https://tmuxcheatsheet.com/ (cheat sheet)
tmux-logging โ https://github.com/tmux-plugins/tmux-logging
Oh My Tmux โ https://github.com/devzspy/.tmux
screen โ https://gist.github.com/jctosta/af918e1618682638aa82 (cheat sheet)
Terminator โ http://www.linuxandubuntu.com/home/terminator-a-linux-terminal-emulator-with-multiple-terminals-in-one-window
vim-windir โ https://github.com/jtpereyda/vim-windir
- Exploits:
Exploit-DB โ https://www.exploit-db.com/
Windows Kernel Exploits โ https://github.com/SecWiki/windows-kernel-exploits
AutoNSE โ https://github.com/m4ll0k/AutoNSE
Linux Kernel Exploits โ https://github.com/lucyoa/kernel-exploits
- Password Brute Forcer:
BruteX โ https://github.com/1N3/BruteX
Hashcat โ https://hashcat.net/hashcat/
John the Ripper โ https://www.openwall.com/john/
- Post Exploitation / Privilege Escalation
LinEnum โ https://github.com/rebootuser/LinEnum
linprivchecker โhttps://www.securitysift.com/download/linuxprivchecker.py
Powerless โ https://github.com/M4ximuss/Powerless
PowerUp โ https://github.com/HarmJ0y/PowerUp
Linux Exploit Suggester โ https://github.com/mzet-/linux-exploit-suggester
Windows Exploit Suggester โ https://github.com/bitsadmin/wesng
Windows Privilege Escalation Awesome Scripts (WinPEAS) โ https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
CHECK THE VERSION NUMBER!!! Linux Privilege Escalation Awesome Script (LinPEAS) โ https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
GTFOBins (Bypass local restrictions) โ https://gtfobins.github.io/
Get GTFOBins โ https://github.com/CristinaSolana/ggtfobins
sudo_killer โ https://github.com/TH3xACE/SUDO_KILLER
WADComs โ https://wadcoms.github.io/
LOLBAS โ https://lolbas-project.github.io/
- Buffer Overflow Practice
Vulnserver for Windows โ https://github.com/stephenbradshaw/vulnserver
Vulnserver for Linux โ https://github.com/ins1gn1a/VulnServer-Linux
Tib3rius TryHackMe BOF โ https://tryhackme.com/jr/bufferoverflowprep
- Privilege Escalation Practice
Local Privilege Escalation Workshop โ https://github.com/sagishahar/lpeworkshop
Linux Privilege Escalation โ https://www.udemy.com/course/linux-privilege-escalation/
Windows Privilege Escalation โ https://www.udemy.com/course/windows-privilege-escalation/
- Netcat
- PowerShell Learning Resources
- PowerShell for Pentesting In Kali Linux
- Hands on Challenges for learning PowerShell:
- underthewire.tech: https://underthewire.tech/wargames.htm
- codewars: https://www.codewars.com/
Expected Tools Overview: 12 hours
Expected Time: 4 hours
๐๐๐ฌ๐ฌ๐ข๐ฏ๐ ๐๐ง๐๐จ๐ซ๐ฆ๐๐ญ๐ข๐จ๐ง ๐๐๐ญ๐ก๐๐ซ๐ข๐ง๐
- Website Recon
- Whois Enumeration
- Google hacking : https://www.exploit-db.com/google-hacking-database
- Netcraft
- Recon-ng : https://github.com/lanmaster53/recon-ng
- Open source code
- Shodan
- Security Headers Scanner
- SSL Server Test
- Pastebin
- User information Gathering
- Email Harvesting
- Stack Overflow
- OSINT Framework
- Maltego
Expected time: 30 mins
๐๐๐ญ๐ข๐ฏ๐ ๐๐ง๐๐จ๐ซ๐ฆ๐๐ญ๐ข๐จ๐ง ๐๐๐ญ๐ก๐๐ซ๐ข๐ง๐
- DNS Enumeration
- Forward Lookup
- Reverse Lookup
- DNS Zone Transfers
- Tools:
- DNSrecon
- DNSenum
- Port Scanning
- TCP Scanning
- UDP Scanning
- Nmap:
- https://nmap.org/book/toc.html
- https://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717
- https://blog.zsec.uk/nmap-rtfm/
- Masscan
- SMB Enumeration
- NFS Enumeration
- SMTP Enumeration
- SNMP Enumeration
Expected Time: 12 hours
- Vulnerability Scanning using Nessus
- Vulnerability Scanning using Nmap
Expected Time: 4 hours
- Web Tools:
- DIRB: http://dirb.sourceforge.net/
- Dirsearch: https://github.com/maurosoria/dirsearch
- Dirbuster: https://tools.kali.org/web-applications/dirbuster
- Gobuster: https://github.com/OJ/gobuster
- Wfuzz: https://github.com/xmendez/wfuzz
- ffuf: https://github.com/ffuf/ffuf
- Burpsuite
- Nikto
- HTTPIe https://httpie.io/
- Practice:
- Metasploitable 2
- OWASP Juice Shop
- Overthewire Natas
- Web Security Academy
- https://www.hackthissite.org/
Expected Time: 30 days
- Blogs:
- Buffer Overflows Made Easy
- Exploit writing tutorial part 1 : Stack Based Overflows
- Exploit writing tutorial part 2 : Stack Based Overflows โ jumping to shellcode
- What is Buffer Overflow? โ TryHackMe: Buffer Overflow Prep Walkthrough
- Buffer Overflow personal cheatsheet
- Easy OSCP Bufferoverflow Preparation
- The Braindead Buffer Overflow Guide to Pass the OSCP Blindfolded
- Simplifying Buffer Overflows for OSCP
- OSCP Buffer Overflow Guide (Windows)
- Practice:
1. https://tryhackme.com/room/oscpbufferoverflowprep
2. protostar on vulnhub
3. vulnserver
4. Brainpan on vulnhub
5. warFTP
6. miniserv
7. https://overthewire.org/wargames/behemoth/
8. https://overthewire.org/wargames/narnia/
9. Brainpan 1: https://www.vulnhub.com/entry/brainpan-1,51/
10. Pinkyโs Palace version 1: https://www.vulnhub.com/entry/pinkys-palace-v1,225/
11. Stack Overflows for Beginners: https://www.vulnhub.com/entry/stack-overflows-for-beginners-101,290/
12. SmashTheTux: https://www.vulnhub.com/entry/smashthetux-101,138/
13. Pandoraโs Box: https://www.vulnhub.com/entry/pandoras-box-1,111/
- Windows Binaries (Recommend that you run these on Windows 7/XP 32 bit):
Vulnserver: https://samsclass.info/127/proj/vuln-server.htm
Minishare 1.4.1: https://www.exploit-db.com/exploits/636
Savant Web Server 3.1: https://www.exploit-db.com/exploits/10434
Freefloat FTP Server 1.0: https://www.exploit-db.com/exploits/40673
Core FTP Server 1.2: https://www.exploit-db.com/exploits/39480
WarFTP 1.65: https://www.exploit-db.com/exploits/3570
VUPlayer 2.4.9: https://www.exploit-db.com/exploits/40018
- Linux Binaries
Linux Buffer Overflow: https://samsclass.info/127/proj/lbuf1.htm
- Videos:
- Github:
1. https://github.com/justinsteven/dostackbufferoverflowgood
2. https://github.com/3isenHeiM/OSCP-BoF
3. https://github.com/gh0x0st/Buffer_Overflow
4. https://github.com/sradley/overflow (You should not use it in the exam)
5. https://github.com/onecloudemoji/BOF-Template (Buffer overflow template)
6. https://github.com/V1n1v131r4/OSCP-Buffer-Overflow
- Other Resources:
Whitepaper Introduction to Immunity Debugger: https://www.sans.org/reading-room/whitepapers/malicious/basic-reverse-engineering-immunity-debugger-36982
Do Stack Buffer Overflow Good: https://github.com/justinsteven/dostackbufferoverflowgood
Buffer Overflows for Dummies: https://www.sans.org/reading-room/whitepapers/threats/buffer-overflows-dummies-481
Vortex Stack Buffer Overflow Practice: https://www.vortex.id.au/2017/05/pwkoscp-stack-buffer-overflow-practice/
Smashing the Stack For Fun and Profit: http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
Buffer Overflow Guide: https://github.com/johnjhacking/Buffer-Overflow-Guide
Stack based Linux Buffer Overflow: https://www.exploit-db.com/docs/english/28475-linux-stack-based-buffer-overflows.pdf
Expected time (without practice): 8 hours
https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/
Expected Time: (not sure)
- Places to Find Exploits:
- Tools for finding exploits:
Searchsploit: a command line search tool for Exploit-DB
Nmap NSE Script
The Browser Exploitation Framework (BeEF)
Manual for searchsploit: https://www.exploit-db.com/searchsploit
Expected Time: 1 hour
- Book
Antivirus Bypass Techniques: Learn Practical Techniques and Tactics to Combat, Bypass, and Evade Antivirus Software
Link: https://g.co/kgs/WzEjAH
- Tools to play with Anti-Virus evasion:
Veil-Framework: https://github.com/Veil-Framework/Veil
Shellter: https://www.shellterproject.com/
Unicorn https://github.com/trustedsec/unicorn
UniByAV: https://github.com/Mr-Un1k0d3r/UniByAv
- Tools to play with for Obfuscation:
PowerShell:
Invoke-Obfuscation: https://github.com/danielbohannon/Invoke-Obfuscation
Chimera: https://github.com/tokyoneon/Chimera
Python:
Pyarmor: https://pypi.org/project/pyarmor/
PyObfx: https://github.com/PyObfx/PyObfx
C#:
ConfuserEx: https://github.com/yck1509/ConfuserEx
- Testing Payloads Publicly. (Keep in mind that submitting your samples to online scanners may be distributed to other AV engines):
Nodistribute: https://nodistribute.com/
Virustotal: https://www.virustotal.com/gui/home
Hybrid-Analysis: https://www.hybrid-analysis.com/
Any-Run: https://app.any.run
Reverse.it: https://reverse.it
Anti-Virus Evasion Tool: https://github.com/govolution/avet
DefenderCheck: https://github.com/matterpreter/DefenderCheck
ThreatCheck: https://github.com/rasta-mouse/ThreatCheck
Expected: 12 hours
- Blogs:
- Windows elevation of privileges
- Linux elevation of privileges
- Basic Linux Privilege Escalation
- Checklist - Local Windows Privilege Escalation
- Linux Privilege Escalation
- Linux
- Linux Privilege Escalation Exploiting Capabilities
- I absolutely suck at privilege escalation
- Privilege escalations in windows
- Windows Privilege Escalation Guide
- Hacking Linux Part I: Privilege Escalation
- Windows Privilege Escalation Fundamentals
- Windows Privilege Escalation Methods for Pentesters
- Windows Services - All roads lead to SYSTEM
- I hate hate hate HATEE privilege escalation.
- Practice:
- Videos/Courses
- https://www.udemy.com/course/linux-privilege-escalation/
- Tiberius and TCM udemy courses
- OSCP - Windows Privilege Escalation Methodology
- Encyclopaedia Of Windows Privilege Escalation - Brett Moore
- DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller And Chris Gates
- Privilege Escalation
- Ippsec
- Github:
1. https://github.com/sagishahar/lpeworkshop
2. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Methodology%20and%20Resources
3. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
4. https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md
5. https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md
6. https://github.com/abatchy17/WindowsExploits
7. https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
8. https://github.com/rasta-mouse/Sherlock
9. https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- Others
- https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
- https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/
- https://www.vulnhub.com/entry/linsecurity-1,244/
- https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html#section-10-buffer-overflows-for-windows-and-linux
- http://pwnwiki.io/#!privesc/windows/index.md
- https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
- https://github.com/N7WEra/SharpAllTheThings
- https://github.com/411Hall/JAWS/commits?author=411Hall
- https://github.com/bitsadmin/wesng
- https://github.com/rasta-mouse/Sherlock
- https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
- https://github.com/rasta-mouse/Watson
- https://github.com/GhostPack/Seatbelt
- https://github.com/gladiatx0r/Powerless
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://github.com/breenmachine/RottenPotatoNG
- https://github.com/ohpe/juicy-potato
- https://rahmatnurfauzi.medium.com/windows-privilege-escalation-scripts-techniques-30fa37bd194
- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
- https://github.com/jondonas/linux-exploit-suggester-2
Expected: 12 hours
- Offline tools for password cracking
Hashcat: https://hashcat.net/hashcat/ Sample Hashes to test with Hashcat: https://hashcat.net/wiki/doku.php?id=example_hashes
John the Ripper: https://www.openwall.com/john/
Metasploit Unleashed using John the Ripper with Hashdump: https://www.offensive-security.com/metasploit-unleashed/john-ripper/
- Online Tools for password cracking
THC Hydra: https://github.com/vanhauser-thc/thc-hydra
Crowbar: https://github.com/galkan/crowbar
- Wordlist Generator
Cewl: https://digi.ninja/projects/cewl.php
Crunch: https://tools.kali.org/password-attacks/crunch
Cupp (In Kali Linux): https://github.com/Mebus/cupp
- Tools to check the hash type:
Hash-Identifier: https://github.com/psypanda/hashID
- Tools to dump for hashes:
Mimikatz: https://github.com/gentilkiwi/mimikatz
Mimipenguin: https://github.com/huntergregal/mimipenguin
Pypykatz: https://github.com/skelsec/pypykatz
- Wordlists:
In Kali: /usr/share/wordlists
Seclists: apt-get install seclists You can find all of his password lists here: https://github.com/danielmiessler/SecLists/tree/master/Passwords
Xajkep Wordlists: https://github.com/xajkep/wordlists
- Online Password Crackers:
https://hashkiller.io/
https://www.cmd5.org/
https://www.onlinehashcrack.com/
https://gpuhash.me/
https://crackstation.net/
https://passwordrecovery.io/
https://md5decrypt.net/en/
https://hashes.com/en/decrypt/hash
http://cracker.offensive-security.com/
- Others
Introduction to Password Cracking: https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf
Pwning Wordpress Passwords: https://medium.com/bugbountywriteup/pwning-wordpress-passwords-2caf12216956
Expected: 12 hours
๐๐จ๐ซ๐ญ ๐๐๐๐ข๐ซ๐๐๐ญ๐ข๐จ๐ง ๐๐ง๐ ๐๐ฎ๐ง๐ง๐๐ฅ๐ข๐ง๐
- Blogs
- Tools
Proxychains: https://github.com/haad/proxychains
Proxychains-ng: https://github.com/rofl0r/proxychains-ng
SSHuttle (Totally Recommend learning this): https://github.com/sshuttle/sshuttle
SSHuttle Documentation: https://sshuttle.readthedocs.io/en/stable/
Chisel https://github.com/jpillora/chisel
Ligolo: https://github.com/sysdream/ligolo
- Online Tunneling Services
Ngrok: https://ngrok.com/
Twilo: https://www.twilio.com/
- Practice
Wintermute: https://www.vulnhub.com/entry/wintermute-1,239/
Expected: 12 hours
- Blogs
- Github:
- Practice:
- https://tryhackme.com/room/attacktivedirectory
- https://tryhackme.com/network/throwback
- Heist, Hutch, Vault on PG Play
- Tryhackme Holo, Throwback networks in addition to attacktive and post exploitation rooms
- Hackthebox: Forest, Sauna, dante, active, Arctic and Granny.
- CyberSecLabs
- Razorblack, Enterprise, VulnNet - Active on tryhackme
- wreath on tryhackme
- blackfield, intelligence, multimaster, cascade, heist...crap was that htb heist or pg heist or both, Reel, Sauna, Fuse, Sizzle, Mantis, and Resolute.
- https://drive.google.com/file/d/1RktnrenlhOMIqdPDAv-u60_yzW7K0KS0/view
- Rastalabs on HTB
- Videos:
- TJNull's suggestion:
Setting up Active Directory:
Note: Make sure when you are setting up the Active Directory Server that you assign a static IP address to it and also a workstation that you will be joining the server to for further testing. I recommend that you set up a Windows 10 Workstation if you plan to use Windows Server 2016/2019.
Microsoft Documentation to install Active Directory: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-servicesโlevel-100-
Install Windows Active Directory on Windows Server 2019: https://computingforgeeks.com/how-to-install-active-directory-domain-services-in-windows-server/
Understanding Users Accounts in Active Directory: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
Three ways to create an Active Directory User: https://petri.com/3-ways-to-create-new-active-directory-users
Join a Workstation to the Domain: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/join-a-computer-to-a-domain
Tools to help you automate the installation for Active Directory:
ADLab: https://github.com/browninfosecguy/ADLab
Automated Lab: https://github.com/AutomatedLab/AutomatedLab
MSLab: https://github.com/microsoft/MSLab
Invoke-ADLabDeployer: https://github.com/outflanknl/Invoke-ADLabDeployer
Active Directory User Setup: https://github.com/bjiusc/Active-Directory-User-Setup-Script
Enumerating Active Directory:
Active Directory Enumeration with Powershell: https://www.exploit-db.com/docs/english/46990-active-directory-enumeration-with-powershell.pdf
Active Directory Exploitation Cheat Sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet#domain-enumeration
Powersploit: https://github.com/PowerShellMafia/PowerSploit
Understanding Authentication protocols that Active Directory Utilizes:
NTLM Authentication: https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Kerberos Authentication https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
Cache and Stored Credentials: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)
Group Managed Service Accounts: https://adsecurity.org/?p=4367
Lateral Movement in Active Directory:
Paving the Way to DA: https://blog.zsec.uk/path2da-pt1
Part 2, 3
Pass the Hash with Machine Accounts: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/pass-the-hash-with-machine-accounts
Overpass the hash (Payload All the things): https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#overpass-the-hash-pass-the-key
Red Team Adventures Overpass the Hash: https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash
Pass the Ticket (Silver Tickets): https://adsecurity.org/?p=2011
Lateral Movement with DCOM: https://www.ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model
Active Directory Persistence:
Cracking Kerberos TGS Tickets Using Kerberoast: https://adsecurity.org/?p=2293
Kerberoasting Without Mimikatz: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
Golden Tickets: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-golden-tickets
Pass the Ticket (Golden Tickets): https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md#pass-the-ticket-golden-tickets
Understanding DCSync Attacks: https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync
Tools for Active Directory Lateral Movement and Persistence:
ADRecon: https://github.com/sense-of-security/ADRecon
Kerbrute: https://github.com/ropnop/kerbrute
Rubeus: https://github.com/GhostPack/Rubeus
Impacket: https://github.com/SecureAuthCorp/impacket
Other Resources:
Building an Active Directory with PowerShell: https://1337red.wordpress.com/building-and-attacking-an-active-directory-lab-with-powershell/
Lateral Movement for AD: https://riccardoancarani.github.io/2019-10-04-lateral-movement-megaprimer/#overpass-the-hash
Lateral Movement with CrackMapExec: https://www.hackingarticles.in/lateral-moment-on-active-directory-crackmapexec/
- Others:
- https://wadcoms.github.io/
- https://www.xmind.net/m/5dypm8/
- Cybermentor's Practical Ethical Hacking Course - Active Directory Section
Expected: 48 hours
- Metasploit Unleashed: https://www.offensive-security.com/metasploit-unleashed/
- Book:
- MSFvenom Cheat Sheets:
http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/
https://netsec.ws/?p=331
https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
Expected: 4 hours
- Powershell Empire: https://github.com/BC-SECURITY/Empire
- Powershell Empire Guide: https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/
Expected: 4 hours
- HTB VM List: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
- Vulnhub VM List: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0
- Overview:
Phase I: Theory, Preparation and Note Taking
Phase II: Practice
Phase III: OSCP Labs & Origial Course Material
Phase IV: OSCP Exam
Thought Process:
So, Yeah! We have 180 days i.e. 175 remaining. I took a lot of time planning, it's ok tho.
One shot, game khallas karna hai. Let's plan:
Let's divide OSCP into fundamental components that will require for us to crack OSCP:
1. Theory, theory and theory. In-depth Understanding of lot of topics.
2. Ability to apply knowledge practically.
3. Critical Thinking
4. High Pain threshold.
5. Consistency
6. Note taking
Step by step dekha jaye toh, you should have basic understanding of almost everything beforehand so that you don't keep jumping back on phase I from phase II.
Do theory, make notes and refer to notes. Have everything at one place! That's it for today, hehe!