How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide – Recon & Scanning PART 1

Passing the Offensive Security Certified Professional (OSCP) exam is not like passing any other exam. This isn't a multiple-choice, "what runs on port 22?", Security+ style brain-dump exam. It is a 24-hour, hands-on, prove-you-have-what-it-takes exam.

If you think you're up to the challenge, we have created a guide for passing this exam. The tools, tips, tricks and techniques are provided by people who have passed it.

Phase 1:

You will be provided a list of 5 IP addresses that you will be trying to compromise. One of them will have an exploitable application and an exploit for it that needs to be modified in order to successfully compromise the machine. The vulnerable application will be proprietary, so don't bother googling for a PoC to exploit it.

In the first phase of your exam you will want to gather as much information as possible about the hosts you are attacking. We will do this with nmap.

I like to start with a command like:

nmap -sS -vv -O -sV 10.10.10.10 -p1-65000

(stealth scan, verbose, identify OS, grab port service information and scan ports 1 – 65000)

followed by:

nmap -sU -vv -sV 10.10.10.10 -p1-65000

***** NOTE THIS WILL TAKE A VERY LONG TIME AS WE ARE SCANNING ALL PORTS! ******

It is also fine to scan only the common ports; I have only once seen something exploitable outside the common port range.

Your first scan should leave you with something like:

PORT STATE SERVICE REASON VERSION
21/tcp open ftp? syn-ack ttl 128
23/tcp open telnet syn-ack ttl 128 Microsoft Windows XP telnetd
53/tcp open domain syn-ack ttl 128 Microsoft DNS 6.1.7600
111/tcp open rpcbind syn-ack ttl 128 2-4 (RPC #100000)
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows 98 netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 128 Microsoft Windows Server 2008 R2 microsoft-ds
1039/tcp open status syn-ack ttl 128 1 (RPC #100024)
1047/tcp open nlockmgr syn-ack ttl 128 1-4 (RPC #100021)
1048/tcp open mountd syn-ack ttl 128 1-3 (RPC #100005)
2049/tcp open nfs syn-ack ttl 128 2-3 (RPC #100003)
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 128
8080/tcp open http syn-ack ttl 128 Microsoft IIS httpd 7.5
49152/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC

And hopefully your UDP scan will leave you with something like:

PORT STATE SERVICE REASON VERSION
53/udp open domain udp-response Microsoft DNS 6.1.7600 (1DB04228)
111/udp open rpcbind udp-response ttl 128 2-4 (RPC #100000)
123/udp open ntp udp-response ttl 128 NTP v3
137/udp open netbios-ns udp-response ttl 128 Microsoft Windows XP netbios-ssn
1039/udp open status udp-response 1 (RPC #100024)
1047/udp open nlockmgr udp-response 1-4 (RPC #100021)
1048/udp open mountd udp-response 1-3 (RPC #100005)
1434/udp open ms-sql-m udp-response Microsoft SQL Server 10.50.6000.34 (ServerName: LOOKAROUNDYOU)
2049/udp open nfs udp-response ttl 128 2-3 (RPC #100003)
52225/udp open domain udp-response ttl 128 Zoom X5 ADSL modem DNS
52503/udp open domain udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
53006/udp open domain udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
53037/udp open domain udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
53571/udp open domain udp-response Zoom X5 ADSL modem DNS
54281/udp open domain udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
54321/udp open domain udp-response Microsoft DNS 6.1.7600 (1DB04228)

After you have scanned all the hosts in your target list, keep a list of all the services running and their versions, because if we can't get onto a machine through other means we will attempt to find vulnerable applications and exploit those.
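As an added example (not part of the original guide), the Python below turns scan output in the layout shown above into the per-host service and version list this step asks for, and flags open ports nmap could not identify. It assumes the row layout produced by -vv; the names parse_scan, unidentified and SAMPLE are hypothetical.

```python
import re
from dataclasses import dataclass

# One row of nmap normal output as produced with -vv, which adds the REASON column.
ROW = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)(?:\s+ttl\s+(?P<ttl>\d+))?(?:\s+(?P<version>.+))?$"
)

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    guessed: bool   # nmap appends "?" when it could not confirm the service
    version: str    # empty when -sV returned no version string

def parse_scan(text):
    """Return a Service for every port row; the header and other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name = m["service"]
        found.append(Service(int(m["port"]), m["proto"], m["state"],
                             name.rstrip("?"), name.endswith("?"), m["version"] or ""))
    return found

def unidentified(services):
    """Open ports whose service or version is unconfirmed and needs a manual look."""
    return [s for s in services if s.state == "open" and (s.guessed or not s.version)]

# Constructed sample: rows copied from the TCP and UDP results shown above.
SAMPLE = """\
PORT STATE SERVICE REASON VERSION
21/tcp open ftp? syn-ack ttl 128
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 128
8080/tcp open http syn-ack ttl 128 Microsoft IIS httpd 7.5
1434/udp open ms-sql-m udp-response Microsoft SQL Server 10.50.6000.34 (ServerName: LOOKAROUNDYOU)
2049/udp open nfs udp-response ttl 128 2-3 (RPC #100003)
"""

if __name__ == "__main__":
    services = parse_scan(SAMPLE)
    for s in services:
        print(f"{s.port:>5}/{s.proto}  {s.name:<18} {s.version or '(no version)'}")
    print("needs manual check:", [f"{s.port}/{s.proto}" for s in unidentified(services)])
```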

If you want to scan anonymously you can use Tor and proxychains like so:

apt-get install tor

Then download and run the Tor bundle:

tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-en-US.tar.gz
cd tor-browser_en-US
./start-tor-browser

Follow the prompts and voilà. Works like a charm, way too easy. Then I asked myself, how do I use other programs over the Tor network, such as iceweasel? The answer (so far) is using proxychains.

Running “locate proxychains” shows the binary in /usr/bin/proxychains and also locates the proxychains.conf file. I edited the file using vi and added “socks5 127.0.0.1 9050”, so it uses Tor’s socks5.

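Check your IP address:

proxychains iceweasel www.whatismyipaddress.com

Then run the scan through the proxy. proxychains only intercepts TCP connect() calls, so use a connect scan (-sT) with host discovery disabled (-Pn); a SYN scan (-sS) sends raw packets that bypass the proxy:

proxychains nmap -sT -Pn 192.168.0.1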

If you get errors (ERROR: ld.so: object ‘libproxychains.so.3′ from LD_PRELOAD cannot be preloaded: ignored), as I did, update to proxychains-ng by doing the following:

apt-get remove proxychains   # remove old proxychains
git clone https://github.com/rofl0r/proxychains-ng   # download proxychains4
cd proxychains-ng
./configure --prefix=/usr --sysconfdir=/etc
sudo make
sudo make install
sudo make install-config   # install configuration file

Ensure it works:

proxychains4 iceweasel
