Offensive Security Certified Professional (OSCP) is an ethical hacking certification offered by Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution . The OSCP is a hands-on penetration testing certification, requiring holders to successfully attack and penetrate various live machines in a safe lab environment. It is considered more technical than other ethical hacking certifications, and is one of the few certifications that requires evidence of practical penetration testing skills.

Course content

1. Penetration Testing with Kali Linux: General Course Information

1.1. About The PWK Course

• PWK Course Materials
• Access to the Internal VPN Lab Network
• The Offensive Security Student Forum
• Live Support
• OSCP Exam Attempt

1.2. Overall Strategies for Approaching the Course

• Welcome and Course Information Emails
• Course Materials
• Course Exercises
• PWK Labs

1.3. Obtaining Support

1.4. About Penetration Testing

1.5. Legal

1.6. The MegaCorpone.com and Sandbox.local Domains

1.7. About the PWK VPN Labs

• Lab Warning
• Control Panel
• Reverts
• Client Machines
• Kali Virtual Machine
• Lab Behavior and Lab Restrictions

1.8. Reporting

• Consider the Objective
• Consider the Audience
• Consider What to Include
• Consider the Presentation
• The PWK Report
• Note Taking

1.9. About the OSCP Exam

• Metasploit Usage – Lab vs Exam

2. Getting Comfortable with Kali Linux

2.1. Booting Up Kali Linux

2.2. The Kali Menu

2.3. Kali Documentation

• The Kali Linux Official Documentation
• The Kali Linux Support Forum
• The Kali Linux Tools Site
• The Kali Linux Bug Tracker
• The Kali Training Site
• Exercises

2.4. Finding Your Way Around Kali

• The Linux Filesystem
• Basic Linux Commands
• Finding Files in Kali Linux

2.5. Managing Kali Linux Services

• SSH Service
• HTTP Service
• Exercises

2.6. Searching, Installing, and Removing Tools

• apt update
• apt upgrade
• apt-cache search and apt show
• apt install
• apt remove –purge
• dpkg

3. Command Line Fun

3.1. The Bash Environment

• Environment Variables
• Tab Completion
• Bash History Tricks

3.2. Piping and Redirection

• Redirecting to a New File
• Redirecting to an Existing File
• Redirecting from a File
• Redirecting STDERR
• Piping

3.3. Text Searching and Manipulation

• grep
• sed
• cut
• awk
• Practical Example

3.4. Editing Files from the Command Line

• nano
• vi

3.5. Comparing Files

• comm
• diff
• vimdiff

3.6. Managing Processes

• Backgrounding Processes (bg)
• Jobs Control: jobs and fg
• Process Control: ps and kill

3.7. File and Command Monitoring

• tail
• watch

3.8. Downloading Files

• wget
• curl
• axel

3.9. Customizing the Bash Environment

• Bash History Customization
• Alias
• Persistent Bash Customization

4. Practical Tools

4.1. Netcat

• Connecting to a TCP/UDP Port
• Listening on a TCP/UDP Port
• Transferring Files with Netcat
• Remote Administration with Netcat

4.2 Socat

• Netcat vs Socat
• Socat File Transfers
• Socat Reverse Shells
• Socat Encrypted Bind Shells

4.3 PowerShell and Powercat

• PowerShell File Transfers
• PowerShell Reverse Shells
• PowerShell Bind Shells
• Powercat
• Powercat File Transfers
• Powercat Reverse Shells
• Powercat Bind Shells
• Powercat Stand-Alone Payloads

4.4 Wireshark

• Wireshark Basics
• Launching Wireshark
• Capture Filters
• Display Filters
• Following TCP Streams

4.5 Tcpdump

• Filtering Traffic
• Advanced Header Filtering

5. Bash Scripting

5.1 Intro to Bash Scripting

5.2 Variables

• Arguments
• Reading User Input

5.3 If, Else, Elif Statements

5.4 Boolean Logical Operations

5.5 Loops

• For Loops
• While Loops

5.6 Functions

5.7 Practical Examples

• Practical Bash Usage – Example 1
• Practical Bash Usage – Example 2
• Practical Bash Usage – Example 3

6. Passive Information Gathering

• Taking Notes
• Website Recon
• Whois Enumeration
• Google Hacking
• Netcraft
• Recon-ng
• Open-Source Code
• Shodan
• Security Headers Scanner
• SSL Server Test
• Pastebin

6.1 User Information Gathering

• Email Harvesting
• Password Dumps

6.2 Social Media Tools

• 13.2 Site-Specific Tools

6.3 Stack Overflow

6.4 Information Gathering Frameworks

• OSINT Framework
• Maltego

7. Active Information Gathering

7.1 DNS Enumeration

• Interacting with a DNS Server
• Automating Lookups
• Forward Lookup Brute Force
• Reverse Lookup Brute Force
• DNS Zone Transfers
• Relevant Tools in Kali Linux

7.2 Port Scanning

• TCP / UDP Scanning
• Port Scanning with Nmap
• Masscan

7.3 SMB Enumeration

• Scanning for the NetBIOS Service
• Nmap SMB NSE Scripts

7.4 NFS Enumeration

• Scanning for NFS Shares
• Nmap NFS NSE Scripts

7.5 SMTP Enumeration

7.6 SNMP Enumeration

• The SNMP MIB Tree
• Scanning for SNMP
• Windows SNMP Enumeration Example

8. Vulnerability Scanning

8.1 Vulnerability Scanning Overview and Considerations

• How Vulnerability Scanners Work
• Manual vs. Automated Scanning
• Internet Scanning vs Internal Scanning
• Authenticated vs Unauthenticated Scanning

8.2 Vulnerability Scanning with Nessus

• Installing Nessus
• Defining Targets
• Configuring Scan Definitions
• Unauthenticated Scanning With Nessus
• Authenticated Scanning With Nessus
• Scanning with Individual Nessus Plugins

8.3 Vulnerability Scanning with Nmap

9. Web Application Attacks

9.1 Web Application Assessment Methodology

9.2 Web Application Enumeration

• Inspecting URLs
• Inspecting Page Content
• Viewing Response Headers
• Inspecting Sitemaps
• Locating Administration Consoles

9.3 Web Application Assessment Tools

• DIRB
• Burp Suite
• Nikto

9.4 Exploiting Web-based Vulnerabilities

• Exploiting Admin Consoles
• Cross-Site Scripting (XSS)
• Directory Traversal Vulnerabilities
• File Inclusion Vulnerabilities
• SQL Injection

9.5 Extra Miles

• Exercises

10. Introduction to Buffer Overflows

10.1 Introduction to the x Architecture

• Program Memory
• CPU Registers

10.2 Buffer Overflow Walkthrough

• Sample Vulnerable Code
• Introducing the Immunity Debugger
• Navigating Code
• Overflowing the Buffer
• Exercises

11. Windows Buffer Overflows

11.1 Discovering the Vulnerability

• Fuzzing the HTTP Protocol

11.2 Win Buffer Overflow Exploitation

• A Word About DEP, ASLR, and CFG
• Replicating the Crash
• Controlling EIP
• Locating Space for Our Shellcode
• Checking for Bad Characters
• Redirecting the Execution Flow
• Finding a Return Address
• Generating Shellcode with Metasploit
• Getting a Shell
• Improving the Exploit

12. Linux Buffer Overflows

• About DEP, ASLR, and Canaries
• Replicating the Crash
• Controlling EIP
• Locating Space for Our Shellcode
• Checking for Bad Characters
• Finding a Return Address
• Getting a Shell
• Wrapping Up

13. Client-Side Attacks

13.1 Know Your Target

• Passive Client Information Gathering
• Active Client Information Gathering

13.2 Leveraging HTML Applications

• Exploring HTML Applications
• HTA Attack in Action

13.3 Exploiting Microsoft Office

• Installing Microsoft Office
• Microsoft Word Macro
• Object Linking and Embedding
• Evading Protected View

14. Locating Public Exploits

14.1 A Word of Caution

14.2 Searching for Exploits

• Online Exploit Resources
• Offline Exploit Resources

14.3 Putting It All Together

15. Fixing Exploits

15.1 Fixing Memory Corruption Exploits

• Overview and Considerations
• Importing and Examining the Exploit
• Cross-Compiling Exploit Code
• Changing the Socket Information
• Changing the Return Address
• Changing the Payload
• Changing the Overflow Buffer

15.2 Fixing Web Exploits

• Considerations and Overview
• Selecting the Vulnerability
• Changing Connectivity Information
• Troubleshooting the “index out of range” Error

15.3 Wrapping Up

15.4 File Transfers

15.5 Considerations and Preparations

• Dangers of Transferring Attack Tools
• Installing Pure-FTPd
• The Non-Interactive Shell

15.6 Transferring Files with Windows Hosts

• Non-Interactive FTP Download
• Windows Downloads Using Scripting Languages
• Windows Downloads with exe2hex and PowerShell
• Windows Uploads Using Windows Scripting Languages
• Uploading Files with TFTP

17. Antivirus Evasion

17.1 What is Antivirus Software

17.2 Methods of Detecting Malicious Code

• Signature-Based Detection
• Heuristic and Behavioral-Based Detection

17.3 Bypassing Antivirus Detection

• On-Disk Evasion
• In-Memory Evasion
• AV Evasion: Practical Example

18. Privilege Escalation

18.2 Information Gathering

• Manual Enumeration
• Automated Enumeration

18.3 Windows Privilege Escalation Examples

• Understanding Windows Privileges and Integrity Levels
• Introduction to User Account Control (UAC)
• User Account Control (UAC) Bypass: fodhelper.exe Case Study
• Insecure File Permissions: Serviio Case Study
• Leveraging Unquoted Service Paths
• Windows Kernel Vulnerabilities: USBPcap Case Study

18.3 Linux Privilege Escalation Examples

• Understanding Linux Privileges
• Insecure File Permissions: Cron Case Study
• Insecure File Permissions: /etc/passwd Case Study
• Kernel Vulnerabilities: CVE-7-2 Case Study

19. Password Attacks

19.1 Wordlists

• Standard Wordlists

19.2 Brute Force Wordlists

19.3 Common Network Service Attack Methods

• HTTP htaccess Attack with Medusa
• Remote Desktop Protocol Attack with Crowbar
• SSH Attack with THC-Hydra
• HTTP POST Attack with THC-Hydra

19.4 Leveraging Password Hashes

• Retrieving Password Hashes
• Passing the Hash in Windows
• Password Cracking

20. Port Redirection and Tunneling

20.1 Port Forwarding

• RINETD

20.2 SSH Tunneling

• SSH Local Port Forwarding
• SSH Remote Port Forwarding
• SSH Dynamic Port Forwarding

20.3 PLINK.exe

20.4 NETSH

20.5 HTTPTunnel-ing Through Deep Packet Inspection

21. Active Directory Attacks

21.1 Active Directory Theory

21.2 Active Directory Enumeration

• Traditional Approach
• A Modern Approach
• Resolving Nested Groups
• Currently Logged on Users
• Enumeration Through Service Principal Names

21.3 Active Directory Authentication

• NTLM Authentication
• Kerberos Authentication
• Cached Credential Storage and Retrieval
• Service Account Attacks
• Low and Slow Password Guessing

21.4 Active Directory Lateral Movement

• Pass the Hash
• Overpass the Hash
• Pass the Ticket
• Distributed Component Object Model

21.5 Active Directory Persistence

• Golden Tickets
• Domain Controller Synchronization

22. The Metasploit Framework

22.1 Metasploit User Interfaces and Setup

• Getting Familiar with MSF Syntax
• Metasploit Database Access
• Auxiliary Modules

22.2 Exploit Modules

• SyncBreeze Enterprise

22.3 Metasploit Payloads

• Staged vs Non-Staged Payloads
• Meterpreter Payloads
• Experimenting with Meterpreter
• Executable Payloads
• Metasploit Exploit Multi Handler
• Client-Side Attacks
• Advanced Features and Transports

22.4 Building Our Own MSF Module

22.5 Post-Exploitation with Metasploit

• Core Post-Exploitation Features
• Migrating Processes
• Post-Exploitation Modules
• Pivoting with the Metasploit Framework

22.6 Metasploit Automation

23. PowerShell Empire

23.1 Installation, Setup, and Usage

• PowerShell Empire Syntax
• Listeners and Stagers
• The Empire Agent

23.2 PowerShell Modules

• Situational Awareness
• Credentials and Privilege Escalation
• Lateral Movement

23.3 Switching Between Empire and Metasploit

24. Assembling the Pieces: Penetration Test Breakdown

24.1 Public Network Enumeration

24.2 Targeting the Web Application

• Web Application Enumeration
• SQL Injection Exploitation
• Cracking the Password
• Enumerating the Admin Interface
• Obtaining a Shell
• Post-Exploitation Enumeration
• Creating a Stable Pivot Point

24.3 Targeting the Database

• Enumeration
• Attempting to Exploit the Database

24.4 Deeper Enumeration of the Web Application Server

• More Thorough Post Exploitation
• Privilege Escalation
• Searching for DB Credentials

24.5 Targeting the Database Again

• Exploitation
• Post-Exploitation Enumeration
• Creating a Stable Reverse Tunnel

24.6 Targeting Poultry

• Enumeration
• Exploitation (Or Just Logging In)
• Post-Exploitation Enumeration
• Unquoted Search Path Exploitation
• Post-Exploitation Enumeration

24.7 Internal Network Enumeration

• Reviewing the Results

24.8 Targeting the Jenkins Server

• Application Enumeration
• Exploiting Jenkins
• Post Exploitation Enumeration
• Privilege Escalation
• Post Exploitation Enumeration

24.9 Targeting the Domain Controller

• Exploiting the Domain Controller

25. Trying Harder: The Labs

• Real Life Simulations
• Machine Dependencies
• Cloned Lab Machines
• Unlocking Networks
• Routing
• Machine Ordering & Attack Vectors
• Firewall / Routers / NAT
• Passwords

To see the full course content Download now