OSCP Notes

2025-04-19 18:55:19.3066667
Github Link

Disclaimer: The OSCP notes presented here are not my own, but they serve as an invaluable learning resource for aspiring cybersecurity professionals. Compiled over many years by dedicated ethical hackers and penetration testers, these notes form the foundation for any cybersecurity enthusiast.

The OSCP Exam is a highly regarded certification in penetration testing, requiring deep knowledge of ethical hacking, exploit development, and network security. Many security professionals share their OSCP notes online, creating a valuable collection of commands, methodologies, and practical knowledge. These OSCP study resources offer summarized insights into key topics covered in the exam, often structured as subject trees on GitHub repositories. Whether you are reviewing exploit techniques, privilege escalation methods, or enumeration strategies, these curated notes provide essential guidance for OSCP candidates looking to refine their skills and succeed in the exam.

File Titles Tree

  OSCP-Notes: The central repository for all exam notes and procedures.
  ├── General: Overview information and guidelines for OSCP exam preparation.
  ├── OSCP Commands: A collection of essential commands and scripts for penetration testing.
  │     ├── Quick setup: Guidelines for rapidly configuring your testing environment.
  │     │     ├── Exports: Configure required environment variables.
  │     │     ├── Aliases suggestion: Predefined command shortcuts to accelerate your workflow.
  │     │     └── Scanning: Tools and techniques for scanning networks and services.
  │     ├── Important Locations: Key file system locations critical to investigations.
  │     │     ├── Windows: Common directories and files on Windows systems.
  │     │     ├── Linux: Essential configuration paths for Linux systems.
  │     │     └── GitHub recon: Techniques for discovering leaked credentials and useful scripts.
  │     ├── Connecting to RDP: Instructions to access target machines via Remote Desktop Protocol.
  │     ├── Adding SSH Public key: Steps for configuring SSH key-based authentication on Linux targets.
  │     ├── File Transfers: Methods to transfer files between attacker and target.
  │     │     └── Windows to Kali: Specific techniques to transfer files from Windows systems to Kali Linux.
  │     ├── Adding Users: Techniques for creating user accounts on compromised systems.
  │     │     ├── Windows: Commands for adding and managing local users on Windows.
  │     │     └── Linux: Commands for user creation and management on Linux.
  │     ├── Password-Hash Cracking: Methods and tools for identifying, extracting, and cracking password hashes.
  │     │     ├── Hash Identifier: Tools to determine the hash type before cracking.
  │     │     ├── fcrackzip: Used to crack password-protected zip files.
  │     │     ├── John: John the Ripper is widely used for password cracking.
  │     │     ├── keepass2John: Converts KeePass files into a format usable by John the Ripper.
  │     │     └── Hashcat: A state-of-the-art, GPU-based password cracking tool.
  │     ├── Pivoting through SSH: Techniques to use SSH tunnels for network pivoting.
  │     ├── Impacket: Python scripts designed for network exploitation and enumeration.
  │     ├── Evil-Winrm: Tool to harness Windows Remote Management for post-exploitation.
  │     ├── Mimikatz: Tool for extracting credentials and sensitive data from Windows systems.
  │     ├── Ligolo-ng: Sets up reverse proxies to assist in network pivoting.
  │     └── Recon and Enumeration: Methods to gather crucial information about the target environment.
  │           ├── Port Scanning: Identify open ports and services.
  │           ├── FTP enumeration: Assess FTP services and check for anonymous access.
  │           ├── SSH enumeration: Gather SSH configuration details and potential weaknesses.
  │           ├── SMB enumeration: Enumerate SMB shares, users, and vulnerabilities.
  │           ├── HTTP/S enumeration: Analyze web servers and detect hidden directories.
  │           │     ├── Wordpress: Enumerate vulnerabilities in WordPress sites.
  │           │     ├── Drupal: Identify exploitable weaknesses in Drupal installations.
  │           │     └── Joomla: Assess Joomla frameworks for misconfigurations.
  │           ├── DNS enumeration: Gather domain and subdomain information.
  │           ├── SMTP enumeration: Analyze SMTP server configurations.
  │           ├── LDAP Enumeration: Extract user and group information from LDAP.
  │           ├── NFS Enumeration: List and exploit NFS shares.
  │           ├── SNMP Enumeration: Query SNMP data for network details.
  │           └── RPC Enumeration: Discover and enumerate RPC services.
  ├── Web Attacks: Techniques to compromise web applications.
  │     ├── Directory Traversal: Exploit path traversal vulnerabilities.
  │     ├── Local File Inclusion: Read or execute local files by abusing file inclusion functionality.
  │     └── SQL Injection: Manipulate SQL queries to bypass authentication.
  ├── Exploitation: Advanced methods to fully exploit target systems.
  │     ├── Finding Exploits: Use databases and tools (e.g., Searchsploit) to locate vulnerabilities.
  │     │     └── Searchsploit: Offline exploit database for known vulnerabilities.
  │     └── Reverse Shells: Generate payloads to provide remote shell access.
  │           ├── Msfvenom: Create custom payloads using Metasploit’s msfvenom.
  │           ├── One Liners: Compact shell commands for quick exploitation.
  │           └── Groovy reverse-shell: Payloads built in Groovy, often for Jenkins environments.
  ├── Windows Privilege Escalation: Techniques to escalate privileges on Windows systems.
  │     ├── Manual Enumeration commands: Direct commands for revealing misconfigurations.
  │     ├── Automated Scripts: Scripts to automate enumeration and escalation.
  │     ├── Token Impersonation: Methods to impersonate tokens for higher privileges.
  │     ├── Services: Exploit Windows service vulnerabilities.
  │     │     ├── Binary Hijacking: Replace service binaries with malicious executables.
  │     │     ├── Unquoted Service Path: Exploit misconfigured service paths.
  │     │     ├── Insecure Service Executables: Identify and use insecure executables.
  │     │     └── Weak Registry permissions: Modify registry keys with lax permissions.
  │     ├── DLL Hijacking: Exploit DLL search order vulnerabilities.
  │     │     └── DLL Hijacking adding New user into Administrators group: Inject commands via a hijacked DLL to create a new admin user.
  │     ├── Autorun: Modify autorun settings for persistence and escalation.
  │     ├── AlwaysInstallElevated: Exploit elevated installation settings.
  │     ├── Scheduled Tasks: Manipulate scheduled tasks to run your payload.
  │     ├── Startup Apps: Replace or modify startup applications for malicious code execution.
  │     ├── Insecure GUI apps: Exploit high-privilege GUI applications.
  │     ├── SAM and SYSTEM: Access sensitive Windows system files to extract hashes.
  │     └── Passwords: Discover and crack stored passwords.
  │           ├── Sensitive files: Files that may contain plaintext or weakly encrypted passwords.
  │           ├── Config files: Locate configuration files with embedded credentials.
  │           ├── Registry: Inspect registry keys for stored passwords.
  │           ├── VNC: Examine VNC configurations for security weaknesses.
  │           ├── Windows autologin: Identify autologin settings that expose credentials.
  │           ├── SNMP Parameters: Review SNMP settings for potential password leakage.
  │           ├── Putty: Check PuTTY session logs for stored credentials.
  │           ├── Search for password in registry: Scan the registry for potential password strings.
  │           ├── RunAs - Savedcreds: Exploit saved credentials through the RunAs feature.
  │           └── Pass the Hash: Authenticate using captured password hashes.
  ├── Linux Privilege Escalation: Tools and methods to elevate privileges on Linux systems.
  │     ├── TTY Shell: Spawn interactive shells with proper TTY allocation.
  │     ├── Basic: Fundamental Linux enumeration commands.
  │     ├── Manual Enumeration: Detailed manual techniques to explore vulnerabilities.
  │     ├── Automated Scripts: Scripts to automate privilege escalation checks.
  │     ├── Sensitive Information: Identify sensitive files and configuration details.
  │     ├── Sudo/SUID/Capabilities: Investigate elevated permissions and privileges.
  │     │     ├── Sudo: Commands allowed to run as root without a password.
  │     │     ├── SUID (Set owner User ID): Identify programs with SUID bits.
  │     │     └── Capabilities: Examine Linux capabilities for privilege escalation.
  │     ├── Cron Jobs: Enumerate scheduled tasks with potential for exploitation.
  │     ├── NC Netcat: Use netcat for reverse shells or file transfers.
  │     ├── NFS: Identify misconfigured NFS shares for local exploitation.
  │     ├── Mountable shares: Discover network shares with weak permissions.
  │     │     └── Check for "no_root_squash" in the output of shares: Verify if root-level operations are permitted.
  │     ├── PATH: Manipulate the PATH environment variable to execute arbitrary binaries.
  │     ├── Writable /etc/passwd file: Locate writable passwd files to add new users.
  │     ├── Exploiting Kernel Vulnerabilities: Leverage known kernel vulnerabilities.
  │     └── CVE - Linux: Target specific Linux CVEs for privilege escalation.
  ├── Post Exploitation: Tasks after obtaining elevated access.
  │     ├── Sensitive Information: Identify logs and documents that hold critical data.
  │     │     ├── Powershell History: Review PowerShell command history.
  │     │     ├── Searching for passwords: Locate plaintext or weakly protected credentials.
  │     │     ├── Searching in Registry for Passwords: Query registry for stored password data.
  │     │     └── KDBX Files: Extract and crack KeePass databases for credentials.
  │     └── Dumping Hashes: Use tools to dump system password hashes for cracking.
  ├── Active Directory Pentesting: Techniques for attacking Active Directory environments.
  │     ├── Enumeration: Map the domain, users, and groups.
  │     │     └── Powerview: Use PowerView scripts to enumerate AD objects and their relationships.
  │     ├── Checking for "GenericAll" right for a specific group: Assess if a group holds full control.
  │     │     ├── Domain: Investigate domain details critical for exploitation.
  │     │     ├── Bloodhound: Visualize AD permissions and trust relationships.
  │     │     ├── LDAPDOMAINDUMP: Dump structured LDAP data from AD.
  │     │     ├── PlumHound: Perform deep vulnerability assessments in AD.
  │     │     ├── PingCastle: Evaluate the security posture of AD.
  │     │     ├── PsLoggedon: Identify active user sessions on remote systems.
  │     │     └── GPP or CPassword: Extract credentials from Group Policy Preferences.
  │     ├── Attacking Active Directory: Advanced methods to compromise AD.
  │     │     ├── Zerologon: Exploit vulnerabilities in the domain controller.
  │     │     ├── Password Spraying: Use common passwords across multiple accounts.
  │     │     ├── DeadPotato SeImpersonatePrivilege: Exploit token impersonation vulnerabilities.
  │     │     │     └── PrintSpoofer: Leverage PrintSpoofer to spawn a privileged prompt.
  │     │     ├── AS-REP Roasting: Dump AS-REP hashes from accounts without pre-authentication.
  │     │     ├── Kerberoasting: Extract service tickets to crack service account credentials.
  │     │     ├── Silver Tickets: Forge Kerberos tickets for targeted service access.
  │     │     ├── Secretsdump: Dump credentials and security data from AD.
  │     │     └── Dumping NTDS.dit: Extract the AD database to retrieve domain credentials.
  │     ├── Active Directory Pentesting (Reiterated): Additional AD assessment techniques.
  │     │     └── Enumeration: Further AD mapping and analysis.
  │     │           └── Powerview: Additional AD insights using Powerview.
  ├── Lateral Movement in Active Directory: Methods for moving laterally within a compromised domain.
  │     ├── psexec - smbexec - wmiexec - atexec: Tools for remote command execution in AD environments.
  │     ├── winrs: Use Windows Remote Shell for remote command execution.
  │     ├── crackmapexec: A versatile tool for lateral movement and domain enumeration.
  │     ├── netexec: Remote execution tool for performing commands across protocols.
  │     ├── kpcli - keepass password manager: Retrieve credentials from KeePass databases.
  │     ├── Pass the ticket: Use Kerberos ticket injection for impersonation.
  │     ├── DCOM: Exploit Distributed COM for remote code execution.
  │     ├── Golden Ticket: Forge Kerberos golden tickets for domain-wide control.
  │     ├── Shadow Copies: Exploit shadow copy features to access sensitive data.
  │     └── Windows Powershell payload encrypt: Generate Base64 encoded PowerShell payloads.
  └── References: Source links and credits for tools and methodologies.

Other Video Resources

IppSec (IppSec's YouTube Channel) is highly regarded as a network security professional, known for his exceptional educational content on penetration testing, cybersecurity strategies, and ethical hacking. His video tutorials provide deep technical insights, breaking down complex security concepts into digestible lessons that benefit both beginners and experienced professionals. Whether you're preparing for security certifications or improving your hacking skills, his content serves as a valuable resource for mastering cybersecurity techniques.