oscp certification syllabus

Offensive Security Certified Professional

Offensive Security Certified Professional (OSCP) is an ethical hacking certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution. The OSCP is a hands-on penetration testing certification, requiring holders to successfully attack and penetrate various live machines in a safe lab environment. It is considered more technical than other ethical hacking certifications, and is one of the few certifications that requires evidence of practical penetration testing skills.

Table of Contents:

1 Penetration Testing with Kali Linux: General Course Information

1.1 About The PWK Course
1.1.1 PWK Course Materials
1.1.2 Access to the Internal VPN Lab Network
1.1.3 The Offensive Security Student Forum
1.1.4 Live Support
1.1.5 OSCP Exam Attempt
1.2 Overall Strategies for Approaching the Course
1.2.1 Welcome and Course Information Emails
1.2.2 Course Materials
1.2.3 Course Exercises
1.2.4 PWK Labs
1.3 Obtaining Support
1.4 About Penetration Testing
1.5 Legal
1.6 The MegaCorpone.com and Sandbox.local Domains
1.7 About the PWK VPN Labs
1.7.1 Lab Warning
1.7.2 Control Panel
1.7.3 Reverts
1.7.4 Client Machines
1.7.5 Kali Virtual Machine
1.7.6 Lab Behavior and Lab Restrictions
1.8 Reporting
1.8.1 Consider the Objective
1.8.2 Consider the Audience
1.8.3 Consider What to Include
1.8.4 Consider the Presentation
1.8.5 The PWK Report
1.8.6 Note Taking
1.9 About the OSCP Exam
1.9.1 Metasploit Usage - Lab vs Exam
1.10 Wrapping Up

2 Getting Comfortable with Kali Linux

2.1 Booting Up Kali Linux
2.2 The Kali Menu
2.3 Kali Documentation
2.3.1 The Kali Linux Official Documentation
2.3.2 The Kali Linux Support Forum
2.3.3 The Kali Linux Tools Site
2.3.4 The Kali Linux Bug Tracker
2.3.5 The Kali Training Site
2.3.6 Exercises
2.4 Finding Your Way Around Kali
2.4.1 The Linux Filesystem
2.4.2 Basic Linux Commands
2.4.3 Finding Files in Kali Linux
2.5 Managing Kali Linux Services
2.5.1 SSH Service
2.5.2 HTTP Service
2.5.3 Exercises
2.6 Searching, Installing, and Removing Tools
2.6.1 apt update
2.6.2 apt upgrade
2.6.3 apt-cache search and apt show
2.6.4 apt install
2.6.5 apt remove --purge
2.6.6 dpkg
2.7 Wrapping Up

3 Command Line Fun

3.1 The Bash Environment
3.1.1 Environment Variables
3.1.2 Tab Completion
3.1.3 Bash History Tricks
3.2 Piping and Redirection
3.2.1 Redirecting to a New File
3.2.2 Redirecting to an Existing File
3.2.3 Redirecting from a File
3.2.4 Redirecting STDERR
3.2.5 Piping
3.3 Text Searching and Manipulation
3.3.1 grep
3.3.2 sed
3.3.3 cut
3.3.4 awk
3.3.5 Practical Example
3.4 Editing Files from the Command Line
3.4.1 nano
3.4.2 vi
3.5 Comparing Files
3.5.1 comm
3.5.2 diff
3.5.3 vimdiff
3.6 Managing Processes
3.6.1 Backgrounding Processes (bg)
3.6.2 Jobs Control: jobs and fg
3.6.3 Process Control: ps and kill
3.7 File and Command Monitoring
3.7.1 tail
3.7.2 watch
3.8 Downloading Files
3.8.1 wget
3.8.2 curl
3.8.3 axel
3.9 Customizing the Bash Environment
3.9.1 Bash History Customization
3.9.2 Alias
3.9.3 Persistent Bash Customization
3.10 Wrapping Up

4 Practical Tools

Penetration Testing with Kali Linux Syllabus | Updated February 2020

4.1 Netcat
4.1.1 Connecting to a TCP/UDP Port
4.1.2 Listening on a TCP/UDP Port
4.1.3 Transferring Files with Netcat
4.1.4 Remote Administration with Netcat
4.2 Socat
4.2.1 Netcat vs Socat
4.2.2 Socat File Transfers
4.2.3 Socat Reverse Shells
4.2.4 Socat Encrypted Bind Shells
4.3 PowerShell and Powercat
4.3.1 PowerShell File Transfers
4.3.2 PowerShell Reverse Shells
4.3.3 PowerShell Bind Shells
4.3.4 Powercat
4.3.5 Powercat File Transfers
4.3.6 Powercat Reverse Shells
4.3.7 Powercat Bind Shells
4.3.8 Powercat Stand-Alone Payloads
4.4 Wireshark
4.4.1 Wireshark Basics
4.4.2 Launching Wireshark
4.4.3 Capture Filters
4.4.4 Display Filters
4.4.5 Following TCP Streams
4.5 Tcpdump
4.5.2 Filtering Traffic
4.5.3 Advanced Header Filtering
4.6 Wrapping Up

5 Bash Scripting

5.1 Intro to Bash Scripting
5.2 Variables
5.2.1 Arguments
5.2.2 Reading User Input
5.3 If, Else, Elif Statements
5.4 Boolean Logical Operations
5.5 Loops
5.5.1 For Loops
5.5.2 While Loops
5.6 Functions
5.7 Practical Examples
5.7.1 Practical Bash Usage – Example 1
5.7.2 Practical Bash Usage – Example 2
5.7.3 Practical Bash Usage – Example 3
5.8 Wrapping Up

6 Passive Information Gathering

6.1 Taking Notes
6.2 Website Recon
6.3 Whois Enumeration
6.4 Google Hacking
6.5 Netcraft
6.6 Recon-ng
6.7 Open-Source Code
6.8 Shodan
6.9 Security Headers Scanner
6.10 SSL Server Test
6.11 Pastebin
6.12 User Information Gathering
6.12.1 Email Harvesting
6.12.2 Password Dumps
6.13 Social Media Tools
6.13.2 Site-Specific Tools
6.14 Stack Overflow
6.15 Information Gathering Frameworks
6.15.1 OSINT Framework
6.15.2 Maltego
6.16 Wrapping Up

7 Active Information Gathering

7.1 DNS Enumeration
7.1.1 Interacting with a DNS Server
7.1.2 Automating Lookups
7.1.3 Forward Lookup Brute Force
7.1.4 Reverse Lookup Brute Force
7.1.5 DNS Zone Transfers
7.1.6 Relevant Tools in Kali Linux
7.2 Port Scanning
7.2.1 TCP / UDP Scanning
7.2.2 Port Scanning with Nmap
7.2.3 Masscan
7.3 SMB Enumeration
7.3.1 Scanning for the NetBIOS Service
7.3.2 Nmap SMB NSE Scripts
7.4 NFS Enumeration
7.4.1 Scanning for NFS Shares
7.4.2 Nmap NFS NSE Scripts
7.5 SMTP Enumeration
7.6 SNMP Enumeration
7.6.1 The SNMP MIB Tree
7.6.2 Scanning for SNMP
7.6.3 Windows SNMP Enumeration Example
7.7 Wrapping Up

8 Vulnerability Scanning

8.1 Vulnerability Scanning Overview and Considerations
8.1.1 How Vulnerability Scanners Work
8.1.2 Manual vs. Automated Scanning
8.1.3 Internet Scanning vs Internal Scanning
8.1.4 Authenticated vs Unauthenticated Scanning
8.2 Vulnerability Scanning with Nessus
8.2.1 Installing Nessus
8.2.2 Defining Targets
8.2.3 Configuring Scan Definitions
8.2.4 Unauthenticated Scanning With Nessus
8.2.5 Authenticated Scanning With Nessus
8.2.6 Scanning with Individual Nessus Plugins
8.3 Vulnerability Scanning with Nmap
8.4 Wrapping Up
9 Web Application Attacks

9.1 Web Application Assessment Methodology
9.2 Web Application Enumeration
9.2.1 Inspecting URLs
9.2.2 Inspecting Page Content
9.2.3 Viewing Response Headers
9.2.4 Inspecting Sitemaps
9.2.5 Locating Administration Consoles
9.3 Web Application Assessment Tools
9.3.2 DIRB
9.3.3 Burp Suite
9.3.4 Nikto
9.4 Exploiting Web-based Vulnerabilities
9.4.1 Exploiting Admin Consoles
9.4.2 Cross-Site Scripting (XSS)
9.4.3 Directory Traversal Vulnerabilities
9.4.4 File Inclusion Vulnerabilities
9.4.5 SQL Injection
9.5 Extra Miles
9.5.1 Exercises
9.6 Wrapping Up

10 Introduction to Buffer Overflows

10.1 Introduction to the x Architecture
10.1.1 Program Memory
10.1.2 CPU Registers
10.2 Buffer Overflow Walkthrough
10.2.1 Sample Vulnerable Code
10.2.2 Introducing the Immunity Debugger
10.2.3 Navigating Code
10.2.4 Overflowing the Buffer
10.2.5 Exercises
10.3 Wrapping Up

11 Windows Buffer Overflows

11.1 Discovering the Vulnerability
11.1.1 Fuzzing the HTTP Protocol
11.2 Win Buffer Overflow Exploitation
11.2.1 A Word About DEP, ASLR, and CFG
11.2.2 Replicating the Crash
11.2.3 Controlling EIP
11.2.4 Locating Space for Our Shellcode
11.2.5 Checking for Bad Characters
11.2.6 Redirecting the Execution Flow
11.2.7 Finding a Return Address
11.2.8 Generating Shellcode with Metasploit
11.2.9 Getting a Shell
11.2.10 Improving the Exploit
11.3 Wrapping Up

12 Linux Buffer Overflows

12.1 About DEP, ASLR, and Canaries
12.2 Replicating the Crash
12.3 Controlling EIP
12.4 Locating Space for Our Shellcode
12.5 Checking for Bad Characters
12.6 Finding a Return Address
12.7 Getting a Shell
12.8 Wrapping Up

13 Client-Side Attacks

13.1 Know Your Target
13.1.1 Passive Client Information Gathering
13.1.2 Active Client Information Gathering
13.2 Leveraging HTML Applications
13.2.1 Exploring HTML Applications
13.2.2 HTA Attack in Action
13.3 Exploiting Microsoft Office
13.3.1 Installing Microsoft Office
13.3.2 Microsoft Word Macro
13.3.3 Object Linking and Embedding
13.3.4 Evading Protected View
13.4 Wrapping Up

14 Locating Public Exploits

14.1 A Word of Caution
14.2 Searching for Exploits
14.2.1 Online Exploit Resources
14.2.2 Offline Exploit Resources
14.3 Putting It All Together
14.4 Wrapping Up

15 Fixing Exploits

15.1 Fixing Memory Corruption Exploits
15.1.1 Overview and Considerations
15.1.2 Importing and Examining the Exploit
15.1.3 Cross-Compiling Exploit Code
15.1.4 Changing the Socket Information
15.1.5 Changing the Return Address
15.1.6 Changing the Payload
15.1.7 Changing the Overflow Buffer
15.2 Fixing Web Exploits
15.2.1 Considerations and Overview
15.2.2 Selecting the Vulnerability
15.2.3 Changing Connectivity Information
15.2.4 Troubleshooting the “index out of range” Error
15.3 Wrapping Up

16 File Transfers

16.1 Considerations and Preparations
16.1.1 Dangers of Transferring Attack Tools
16.1.2 Installing Pure-FTPd
16.1.3 The Non-Interactive Shell
16.2 Transferring Files with Windows Hosts
16.2.1 Non-Interactive FTP Download
16.2.2 Windows Downloads Using Scripting Languages
16.2.3 Windows Downloads with exe2hex and PowerShell
16.2.4 Windows Uploads Using Windows Scripting Languages
16.2.5 Uploading Files with TFTP
16.3 Wrapping Up

17 Antivirus Evasion

17.1 What is Antivirus Software
17.2 Methods of Detecting Malicious Code
17.2.1 Signature-Based Detection
17.2.2 Heuristic and Behavioral-Based Detection
17.3 Bypassing Antivirus Detection
17.3.1 On-Disk Evasion
17.3.2 In-Memory Evasion
17.3.3 AV Evasion: Practical Example
17.4 Wrapping Up

18 Privilege Escalation

18.1 Information Gathering
18.1.1 Manual Enumeration
18.1.2 Automated Enumeration
18.2 Windows Privilege Escalation Examples
18.2.1 Understanding Windows Privileges and Integrity Levels
18.2.2 Introduction to User Account Control (UAC)
18.2.3 User Account Control (UAC) Bypass: fodhelper.exe Case Study
18.2.4 Insecure File Permissions: Serviio Case Study
18.2.5 Leveraging Unquoted Service Paths
18.2.6 Windows Kernel Vulnerabilities: USBPcap Case Study
18.3 Linux Privilege Escalation Examples
18.3.1 Understanding Linux Privileges
18.3.2 Insecure File Permissions: Cron Case Study
18.3.3 Insecure File Permissions: /etc/passwd Case Study
18.3.4 Kernel Vulnerabilities: CVE-7-2 Case Study
18.4 Wrapping Up

19 Password Attack

19.1 Wordlists
19.1.1 Standard Wordlists
19.2 Brute Force Wordlists
19.3 Common Network Service Attack Methods
19.3.1 HTTP htaccess Attack with Medusa
19.3.2 Remote Desktop Protocol Attack with Crowbar
19.3.3 SSH Attack with THC-Hydra
19.3.4 HTTP POST Attack with THC-Hydra
19.4 Leveraging Password Hashes
19.4.1 Retrieving Password Hashes
19.4.2 Passing the Hash in Windows
19.4.3 Password Cracking
19.5 Wrapping Up

20 Port Redirection and Tunneling

20.1 Port Forwarding
20.1.1 RINETD
20.2 SSH Tunneling
20.2.1 SSH Local Port Forwarding
20.2.2 SSH Remote Port Forwarding
20.2.3 SSH Dynamic Port Forwarding
20.3 PLINK.exe
20.4 NETSH
20.5 HTTPTunnel-ing Through Deep Packet Inspection
20.6 Wrapping Up

21 Active Directory Attacks

21.1 Active Directory Theory
21.2 Active Directory Enumeration
21.2.1 Traditional Approach
21.2.2 A Modern Approach
21.2.3 Resolving Nested Groups
21.2.4 Currently Logged on Users
21.2.5 Enumeration Through Service Principal Names
21.3 Active Directory Authentication
21.3.1 NTLM Authentication
21.3.2 Kerberos Authentication
21.3.3 Cached Credential Storage and Retrieval
21.3.4 Service Account Attacks
21.3.5 Low and Slow Password Guessing
21.4 Active Directory Lateral Movement
21.4.1 Pass the Hash
21.4.2 Overpass the Hash
21.4.3 Pass the Ticket
21.4.4 Distributed Component Object Model
21.5 Active Directory Persistence
21.5.1 Golden Tickets
21.5.2 Domain Controller Synchronization
21.6 Wrapping Up

22 The Metasploit Framework

22.1 Metasploit User Interfaces and Setup
22.1.1 Getting Familiar with MSF Syntax
22.1.2 Metasploit Database Access
22.1.3 Auxiliary Modules
22.2 Exploit Modules
22.2.1 SyncBreeze Enterprise
22.3 Metasploit Payloads
22.3.1 Staged vs Non-Staged Payloads
22.3.2 Meterpreter Payloads
22.3.3 Experimenting with Meterpreter
22.3.4 Executable Payloads
22.3.5 Metasploit Exploit Multi Handler
22.3.6 Client-Side Attacks
22.3.7 Advanced Features and Transports
22.4 Building Our Own MSF Module
22.5 Post-Exploitation with Metasploit
22.5.1 Core Post-Exploitation Features
22.5.2 Migrating Processes
22.5.3 Post-Exploitation Modules
22.5.4 Pivoting with the Metasploit Framework
22.6 Metasploit Automation
22.7 Wrapping Up

23 PowerShell Empire

23.1 Installation, Setup, and Usage
23.1.1 PowerShell Empire Syntax
23.1.2 Listeners and Stagers
23.1.3 The Empire Agent
23.2 PowerShell Modules
23.2.1 Situational Awareness
23.2.2 Credentials and Privilege Escalation
23.2.3 Lateral Movement
23.3 Switching Between Empire and Metasploit
23.4 Wrapping Up

24 Assembling the Pieces: Penetration Test Breakdown

24.1 Public Network Enumeration
24.2 Targeting the Web Application
24.2.1 Web Application Enumeration
24.2.2 SQL Injection Exploitation
24.2.3 Cracking the Password
24.2.4 Enumerating the Admin Interface
24.2.5 Obtaining a Shell
24.2.6 Post-Exploitation Enumeration
24.2.7 Creating a Stable Pivot Point
24.3 Targeting the Database
24.3.1 Enumeration
24.3.2 Attempting to Exploit the Database
24.4 Deeper Enumeration of the Web Application Server
24.4.1 More Thorough Post Exploitation
24.4.2 Privilege Escalation
24.4.3 Searching for DB Credentials
24.5 Targeting the Database Again
24.5.1 Exploitation
24.5.2 Post-Exploitation Enumeration
24.5.3 Creating a Stable Reverse Tunnel
24.6 Targeting Poultry
24.6.2 Enumeration
24.6.3 Exploitation (Or Just Logging In)
24.6.4 Post-Exploitation Enumeration
24.6.5 Unquoted Search Path Exploitation
24.6.6 Post-Exploitation Enumeration
24.7 Internal Network Enumeration
24.7.1 Reviewing the Results
24.8 Targeting the Jenkins Server
24.8.1 Application Enumeration
24.8.2 Exploiting Jenkins
24.8.3 Post Exploitation Enumeration
24.8.4 Privilege Escalation
24.8.5 Post Exploitation Enumeration
24.9 Targeting the Domain Controller
24.9.1 Exploiting the Domain Controller
24.10 Wrapping Up

25 Trying Harder: The Labs

25.1Real Life Simulations
25.2Machine Dependencies
25.3Cloned Lab Machines
25.4Unlocking Networks
25.5Routing
25.6Machine Ordering & Attack Vectors
25.7Firewall / Routers / NAT
25.8Passwords
