# OSCP Methodology

## **Important Notice**

⚠️ **I have migrated all my notes to the new website:** [**https://hackwithmike.com**](https://hackwithmike.com)**. All future updates will only be pushed on the new site** [**https://hackwithmike.com/oscp**](https://hackwithmike.com/oscp)**/.** 

## Introduction

***

The OSCP is an practical hacking exam with a strict 24-hour time constraint. Therefore, time management is the most important aspect of the exam. The ability to identify potentially vulnerable attack vectors within the time constraint is key —you can always research and learn the exploitation process on the fly.

Note that this guide expects you to have basic understanding on hacking and the OSCP exam itself. 

To begin with, let's filter out what we <mark style="color:orange;">**should not spend time on**</mark>. Here is what you will likely not expect in the OSCP exam:

* **OSINT** (E.g., Google Dorking & DNS enumeration).
* **Network Poisoning and Spoofing** (LLMNR / NBT-NS Attacks)
* **Client-side Attacks** (E.g., Phishing, XSS, CSRF, etc - highly unlikely)&#x20;
  * Some practice boxes on PGs and HTBs do simulate client interactions.
  * In the case that this is the intended path, there should also be hints (e.g., "An admin will review your comment")

With these constraints *(plus the fact that OSCP is an entry-to-intermediate level certification)*, we can expect a limited number of possible attack vectors, which can mostly be grouped into the following 3 categories:

{% stepper %}
{% step %} <mark style="color:green;">**Vulnerable Versions**</mark> & Public Exploits
{% endstep %}

{% step %}
Secure Versions but <mark style="color:green;">**Misconfigurations**</mark>
{% endstep %}

{% step %}
Hunting <mark style="color:green;">**Sensitive Information**</mark>
{% endstep %}
{% endstepper %}

Noted that the 3 categories can be mixed & matched in a full attack path. For example:

* Vulnerable Apache Web Server *(Vulnerable Version)* -> Path Traversal into reading SSH Private Key *(Misconfiguration & Sensitive Information)*.
* Anonymous SMB Share *(Misconfiguration)* -> Discovered user credentials *(Sensitive Information)*.
* Username used as Password *(Misconfiguration)* *->* Run an authenticated RCE exploit *(Vulnerable Version)*.

These three attack vectors apply not only to initial footholds but also to privilege escalation and Active Directory attacks. It is a cyclic process:&#x20;

{% stepper %}
{% step %}
Enumerate the three vectors.
{% endstep %}

{% step %}
Escalate privileges (Could be lateral - another user account).
{% endstep %}

{% step %}
Re-enumerate the three vectors with new privileges.
{% endstep %}

{% step %}
Escalate to higher privileges.
{% endstep %}

{% step %}
Repeat until root / administrator.
{% endstep %}
{% endstepper %}

As the old saying goes — OSCP is an <mark style="color:orange;">**enumeration exam**</mark>. If you find yourself crafting complex exploits, or fixing kernel driver dependencies, you are likely 90% on the wrong path. Try to take a step back and redo your enumeration, such as look for another available public exploit, a previous missed open port, some hidden credentials, etc.

## Vulnerable Versions

***

Vulnerable versions of services and applications are usually quick wins when there are <mark style="color:orange;">**Proof-of-Concepts (PoCs)**</mark> and <mark style="color:orange;">**Public Exploits**</mark> available out there.&#x20;

### Key strategies

{% stepper %}
{% step %} <mark style="color:purple;">**Enumerating versions**</mark>

Use automated scanning tools like `nmap`, `netcat`, `wpscan`, etc., to perform banner grabbing or service scanning. Manually walk through each running services and look for service & version information.&#x20;
{% endstep %}

{% step %} <mark style="color:purple;">**Look for public exploits**</mark>

Utilize `searchsploit`, GitHub repos, [Exploit-DB](https://www.exploit-db.com/), etc., for existing public exploits.
{% endstep %}

{% step %} <mark style="color:purple;">**Fixing and using exploits**</mark>

Make sure the exploit is applicable to the service version. Some exploits have a range of vulnerable versions, and older versions may not be vulnerable. Also some public exploits require fixing and modifying before using.
{% endstep %}
{% endstepper %}

If you find a vulnerable version with public exploit available, prioritizing trying out all the available exploits online. Don't spending too much time on making your own exploits or bypassing filters. OSCP is all about finding and using the right exploit, with a slight touch on "<mark style="color:orange;">**fixing the exploit**</mark>" (which is usually just changing the target IPs, fixing typos, removing unnecessary spaces, etc.)

{% hint style="danger" %}
**Beware of Rabbit Holes**

It is always possible that the vulnerable versions have already been **patched**, and they are only here as rabbit holes. So if you find the public exploits not working despite all the conditions are met, take a step back and re-enumerate other possible attack paths.&#x20;
{% endhint %}

### Enumerating Versions

{% tabs %}
{% tab title="Web Pages" %}
This is the most common attacker vector of outdated version attacks. It could be in the form of an outdated CMS, a web portal for vulnerable systems, a page running on outdated web servers, etc.

* Wappalzyer Plugin ([Firefox](https://addons.mozilla.org/en-CA/firefox/addon/wappalyzer/), or [Chrome](https://chromewebstore.google.com/detail/wappalyzer-technology-pro/gppongmhjkpfnbhagpmjfkannfbllamg?pli=1) for Burp).
* Check the HTML source codes.
  * Look for URLs, folder names, developer comments, etc.
* Check HTTP Response Headers.
  * Look for headers like: `Server`, `X-Powered-By`, etc.
* For CMS, use WPScan / Droopescan / JoomlaScan / etc.
  {% endtab %}

{% tab title="Services on Open Port" %}
As for other running services, we can either detect their versions automatically with existing scanning tools, or interacting with them manually.

* Service Detection with Nmap. (With the `-sV` flag.)
* Banner Grabbing with Netcat & Telnet.
* Interact with the service directly (E.g., SMB, FTP, SSH, etc.)
  {% endtab %}

{% tab title="Internal Services (Priv Esc)" %}
If you have <mark style="color:orange;">**CLI access**</mark> to the machine (E.g., Reverse Shell, SSH, etc.):

* Run the service binary with `--help` ,`-h` , `--version` ,`-v` , etc.
* Check if there is a installation file of the service.

If you have <mark style="color:orange;">**GUI access**</mark> to the machine (E.g., RDP):

* Open the application and manually look for the version in the `About` section.
* Check if there is a installation file of the service.
* Sometimes the version number is also in the installation path / folder.&#x20;

If the service is running on an internally opened port, try to port-forward the service externally for Nmap Scanning.
{% endtab %}
{% endtabs %}

### Finding Exploits

{% tabs %}
{% tab title="Exploit Databases" %}
Most of the time, you will be able to find the exploit PoC on these databases&#x20;

* [Searchsploit](https://www.exploit-db.com/searchsploit) on Kali command line.
* [Exploit-DB](https://www.exploit-db.com/), [Packet Storm](https://packetstorm.news/),&#x20;
* CVE databases (like [MITRE](https://cve.mitre.org/)) are usually not too helpful as they do not provide PoCs.
  * Although some may link to the blogs & articles that may contain PoCs.
    {% endtab %}

{% tab title="GitHub " %}
If an exploit has a publicly available exploit, you can most likely find a PoC on GitHub written by some great security researchers. (It could be me or you someday!)

* Google "*CVE-XXX-XXX GitHub PoC*" or "*\<service name> \<version> exploit*"
* There are also some famous exploit repos like SecWiki's [Windows Kernel Exploits](https://github.com/SecWiki/windows-kernel-exploits).
* Always CHECK the codes before running exploits from GitHub - they could be malicious.
  {% endtab %}

{% tab title="Metasploit" %}
Personally I never find the need to use Metasploit in the exam, since there will always be alternative PoCs available if that particular exploit is the intended path.

* Regardless, it can sometimes be the easier way to exploit a vulnerability. For example, using Metasploit is probably the easiest way to exploit EternalBlue (apart from AutoBlue)
* Alternatively, you can always review the [Metasploit module source code](https://github.com/rapid7/metasploit-framework/tree/master/modules) to understand how they exploit a vulnerability and do it manually. This is of course not recommended to be performed during the actual exam.
  {% endtab %}
  {% endtabs %}

### Using Exploits

{% tabs %}
{% tab title="Fixing Exploits" %}
While the exploits are publicly available, not all of them are ready-to-use without some <mark style="color:orange;">**cleaning and fixing**</mark>.&#x20;

* The most common way of "fixing" an exploit is simply to change the source & target IP addresses, modify the exploit URI paths, provide the correct user credentials, etc.
* Older Python exploits are written in Python2 and should be run with `python2.7` instead of `python3`.
* Always remember to with add run permission with `chmod +x <script file>`.
* Note that many exploits from Exploit-DB are not polished. On the another hand, GitHub usually have better quality PoCs.
  * There can be all sorts of errors, such as incorrect indentations, extra spaces, incorrect spellings, etc. This would require you to have basic knowledge on the programming language to effective debug the exploits.
    {% endtab %}

{% tab title="Compiling Exploits" %}
Some exploits require <mark style="color:orange;">**manual compilation**</mark> using `gcc`, `mingw`, `make`, etc, but for OSCP level they should be relatively straightforward and shouldn't require a lot of fixing.&#x20;

* Look for pre-compiled exploits, and have them saved in your Kali machine for easy reuse.
* I have a folder containing over 50 precompiled exploits, especially for very commonly used ones such as Potato exploits, EXE reverse shells, PEAS, etc.
* I also have another folder storing web shell payloads in many different languages, such as php, aspx, Go, Java, WordPress, etc.
  {% endtab %}

{% tab title="Matching Versions" %}
Make sure the exploit is applicable to the service version. Some exploits have a range of vulnerable versions, and older versions may not be vulnerable.

* E.g. The famous [Apache Path Traversal Vulnerability](https://www.hackthebox.com/blog/cve-2021-41773-explained) is only vulnerable on Apache 2.4.49 and 2.4.50, but not other versions.
  {% endtab %}
  {% endtabs %}

## Misconfigurations

***

If there are no vulnerable versions, we can then look into <mark style="color:orange;">**misconfigurations**</mark> in different services. The service itself may not be not vulnerable, but it can be set up incorrectly and unsafely.

The definition of misconfiguration here is pretty broad, since it basically covers <mark style="color:orange;">**anything else that are NOT public exploits**</mark> that can be plugged and played. You can expect all the "hacking techniques" being categorized here.&#x20;

### Key strategies

{% stepper %}
{% step %} <mark style="color:purple;">**Enumerate Services**</mark>

Understand what services are running, and their common attack vectors. For example, FTP Server -> Anonymous login? MySQL Service -> UDF code execution? Webpage with File Upload -> Uploading web shell? etc.
{% endstep %}

{% step %} <mark style="color:purple;">**Finding Misconfigurations**</mark>

This part requires mostly pattern recognition and experiences gained from grinding boxes and studying existing materials. Not many shortcuts here, but try to look for walkthroughs of boxes with similar services if you are stuck during the exam.
{% endstep %}

{% step %} <mark style="color:purple;">**Exploiting Misconfigurations**</mark>

The last step is much easier once you identified the vulnerable service. Some harder boxes may require you to chain multiple misconfigurations and other vulnerabilities, so make sure to take good notes for mapping the final attack path.
{% endstep %}
{% endstepper %}

### Enumerating Services

{% tabs %}
{% tab title="Web" %}
Make sure to thoroughly enumerate the web server. Few points to note here:

* <mark style="color:orange;">**Directory Busting**</mark>**:**
  * Hidden admin panels / Sensitive pages.
  * Config files / `.git` Directory.
  * Open directory listing.
* <mark style="color:orange;">S</mark><mark style="color:orange;">**ubdomain Enumeration**</mark>**:**
  * Hidden admin panels / Sensitive pages.
  * API Endpoints.
* <mark style="color:orange;">**Webpage & Source code Review**</mark>**:**
  * Look for potential usernames / emails / credentials on page contents.
  * Check HTML source codes (Hard-coded credentials / Developer comments / Hidden endpoints, etc.).
  * Understand all functionalities, such as user login, file upload, etc, so that you can focus or skip relevant attack vectors based on the existing functions.

Remember to perform directory busting on <mark style="color:orange;">**all the endpoints**</mark>, including <mark style="color:orange;">**different web ports and subdomains**</mark>.&#x20;

* Always use more than 2 directory busting tools and wordlists to avoid missing important endpoints.
* Personally I run FeroxBuster with its default wordlist & DirSearch with "directory-list-2.3-medium.txt" separately on the same domain.
  {% endtab %}

{% tab title="Databases" %}
This mostly refers to SQL databases.&#x20;

* Identify the SQL server in use - Is it MSSQL? MySQL? SQLite? etc.
* Check for <mark style="color:orange;">**anonymous login**</mark> & <mark style="color:orange;">**default / weak credentials**</mark>.
  * If that does not work, we will likely get the login credentials from elsewhere, such as web pages, file shares, email servers, etc.
* For file-based databases like SQLite, the data is stored as a separate `.db` file, and can be usually be accessed without credentials if you can get your hands on the file.&#x20;
  {% endtab %}

{% tab title="File Shares" %}
This includes all the file shares such as FTP, SMB and NFS.

* Always check for <mark style="color:orange;">**anonymous login**</mark> & <mark style="color:orange;">**default / weak credentials**</mark> first.
  * If that does not work, we will likely get the login credentials from elsewhere, such as web pages, databases, email servers, etc.
    {% endtab %}

{% tab title="Remote Access" %}
This refers to services like Telnet, SSH, RDP, WinRM, etc.

* These services are usually not directly exploitable without <mark style="color:orange;">**correct credentials**</mark>.
* Regardless, there could still be some useful information.&#x20;
  * For example, the Nmap script on SSH (`ssh-hostkey`) tells you what key algorithms are used for authentication (e.g., RSA, ECDSA, etc.)
  * If RSA is in use, perhaps we will be hunting for `id_rsa` private key somewhere. Similarly, the discovered SSH private key may be in `id_ecdsa` format if ECDSA is in use.
    {% endtab %}
    {% endtabs %}

{% tabs %}
{% tab title="Mail Services" %}
This refers to services such as POP, IMAP and SMTP.

* Check for <mark style="color:orange;">**default & weak credentials**</mark> like "`admin:admin`".
  * If that does not work, we will likely get the login credentials from elsewhere, such as web pages, file shares, email servers, etc.
* Even if un-authenticated, try to enumerate usernames from mail services.
* It is also possible that they are designed for client-side attacks such as sending and received phishing emails.
  {% endtab %}

{% tab title="Other External Services" %}
This includes all other uncategorized services such as DNS, SNMP, or all other non-common services.

* SNMP on UDP port 161 is often missed during port scan.&#x20;
  * Always remember to run a separate <mark style="color:orange;">**UDP scan**</mark> on Nmap. You can do it with the `-F` flag to only scan for the top 100 common ports if the scanning is taking too long.
* DNS is usually not designed to be exploitable especially in simulated boxes. Only try when everything else did not work.
* All other services will require deeper research on what services usually use those ports. If names of the services are identified, try to go through their documentations to understand how to interact with them.
  * Also check if there are any boxes walkthroughs that contain the service / port.
  * Amazing resources from IppSec & 0xdf. You can use keywords of a service to search for walkthroughs:
    * [https://ippsec.rocks/](https://ippsec.rocks/?)
    * <https://0xdf.gitlab.io/tags>
      {% endtab %}

{% tab title="Internal Services (Priv Esc)" %}
Enumerate services running internally via different methods such as:

* Listing internal network connections (`netstat -anolp`).
  * Look for open ports that are not exposed externally - maybe there is an MSSQL service running internally only?
  * Identify what processes are running on the open ports.
* List internal running processes.
* Listing scheduled tasks.
* Look for uncommon binaries / applications installed.
  {% endtab %}
  {% endtabs %}

{% tabs %}
{% tab title="Active Directory" %}
For AD environments in OSCP, 90% of the time it is about moving around different services and users by abusing <mark style="color:orange;">**misconfigured user ACL**</mark> or using <mark style="color:orange;">**discovered credentials**</mark>. To do so, we must map out all available services, as well as the relationships between the AD objects.

* Bloodhound is the go-to tool for identifying misconfigured user & system ACL.&#x20;
* Always remember to conduct full port scan on internal targets that are previously unreachable. There can be a MSSQL service running on an uncommon port, and your controlled user may have admin access to the service.
  {% endtab %}
  {% endtabs %}

### **Finding & Exploiting Misconfigurations**

{% tabs %}
{% tab title="Web" %}
This refers to all the basic web hacking stuff, with heavy focus on either getting sensitive information (LFI, File Read, etc), or directly getting system access (Web shell, RCE, etc). Here is a list of common attack vectors:

* <mark style="color:orange;">**Authentication Attacks**</mark>: Default credentials / Anonymous Login / Weak Passwords
* <mark style="color:orange;">**Exposed Sensitive Files**</mark>: Open Directory Listing / `.git` / Hidden admin panels, etc.
* <mark style="color:orange;">**SQL injection**</mark>: Authentication Bypass / File Read & Write / RCE
* <mark style="color:orange;">**File Upload & Write**</mark>: Web shell RCE / Overwrite Login & Config Files / Client side attacks
* <mark style="color:orange;">**File Read**</mark>: Credential Files / Config Files / Process & Logs for sensitive information
* <mark style="color:orange;">**Path Traversal / File Inclusion**</mark>: File Read / RCE
* <mark style="color:orange;">**Mass Assignment**</mark>: Authentication Bypass
* etc.

In the rare cases of client side attacks, here are also something you can be looking at:

* <mark style="color:orange;">**File Upload**</mark>: Malicious Files for Reverse Shell
* <mark style="color:orange;">**XSS**</mark>: Hijacking Session Token / Extracting Webpage Information
* <mark style="color:orange;">**CSRF**</mark>: Sending URL for one-click attack
* etc.
  {% endtab %}

{% tab title="Databases" %}
This assumes that you have already gained initial access to the database services.

* Upon successful login, go through all of the non-default tables and databases.
  * Mainly looking for <mark style="color:orange;">**credentials**</mark> (passwords & hashes).
  * It may also be some weird stuff like emails about configurations, etc.
  * List out all users of the database to look for new attack vectors.
* All SQL injection attacks are naturally applicable once you can make SQL queries in the database.
  * <mark style="color:orange;">**MSSQL**</mark> -> File Read & Write / RCE / NLTM Theft / etc.
  * <mark style="color:orange;">**MySQL**</mark> -> File Read & Write / UDF for RCE / Dumping SQL User Creds / etc.
  * Different attacks can be specific to certain database services.
    {% endtab %}

{% tab title="File Shares" %}
This assumes that you have already gained initial access to the file shares.

* Upon successful login, go through all directories and files.
  * Mainly looking for <mark style="color:orange;">**credentials**</mark> - It could be in configuration files, PDF files for onboarding employees, email backups, database files (`.db` file), Excel files, ZIP files, etc.&#x20;
  * Apart from credentials, it can also be <mark style="color:orange;">**sensitive information**</mark> such as hidden endpoints, service versions, etc.
  * Metadata may contain useful information such as usernames. (Check with `exiftool`)
  * Sometimes the files (especially Excel & ZIP files) are <mark style="color:orange;">**encrypted**</mark> and require us to perform brute-force attacks with tools like `zip2john` and `hashcat`.&#x20;
  * Always check for <mark style="color:orange;">**Write Access**</mark>. It is possible that the file share directory is also hosted in the web server, and we can upload a web shell onto the server.&#x20;

File shares are also privilege escalation vectors when there are misconfigurations or we have elevated permissions:

* For NFS, if `no_root_squash` is set, we can escalate to root by uploading a SUID-bit set shell.
* For SMB, admin access can lead to command execution with tools like `NetExec` and `Impacket` Suite. Username enumeration is also possible with brute-forcing RID.
  {% endtab %}

{% tab title="Remote Access" %}
This refers to services like Telnet, SSH, RDP, WinRM, etc.

* As suggested, these services are usually not designed to be directly exploitable without correct credentials.
* Regardless, always take notes on the services & their versions to check if there are public exploits.
* Otherwise, this vector is mostly intended for weak authentication attacks, such as <mark style="color:orange;">**default / weak credentials**</mark>, <mark style="color:orange;">**password spraying**</mark> and <mark style="color:orange;">**brute-forcing attacks**</mark>.
  {% endtab %}
  {% endtabs %}

{% tabs %}
{% tab title="Mail Services" %}
This refers to services such as POP, IMAP and SMTP.

* Even if un-authenticated, try to <mark style="color:orange;">**enumerate usernames**</mark> from mail services.
* Upon successful login, go through all the email records.
  * Mainly looking for <mark style="color:orange;">**credentials**</mark> in emails, such as employee onboarding emails, service reminders, credential updates, etc.
  * If <mark style="color:orange;">**client-side attacks**</mark> are intended, there will be hints in the emails or other places such as the web pages.
    {% endtab %}

{% tab title="Other External Services" %}
This includes all other uncategorized services such as DNS, SNMP, or all other non-common services.

* For SNMP on UDP port 161,  try to run `smnpwalk` with <mark style="color:orange;">**default community strings**</mark> (`public`, `private`, `manager`, etc.)&#x20;
  * Look for sensitive information such as user emails, passwords, command history, etc.
* As mentioned above, DNS is usually not designed to be exploitable in simulated boxes, and all other services will require deeper research on what services usually use those ports.&#x20;
  {% endtab %}

{% tab title="Internal Services (Priv Esc)" %}
Internal services are usually used to either escalate to a higher privilege, or move laterally to another user that have different sets of privileges.

* For services running internally, if you have difficult using the services internally, you can always <mark style="color:orange;">**port-forward**</mark> the services to your Kali attacker machine.
  * For example, I often port-forward internally running MSSQL services to my local Kali to use `impacket-mssqlclient` for easier enumeration and exploitation.
  * SSH is mostly used for single port-forwarding, but there are also tools like `plink.exe`, `socat`, `chisel`, `ligolo-ng`, etc.
* For scheduled tasks, locate the <mark style="color:orange;">**source binary or script**</mark> that is running.
  * [pspy](https://github.com/DominicBreuker/pspy) is the go-to tool to discover scheduled tasks.
  * Scheduled tasks are 99% the intended attack vector in simulated boxes, especially when it is running as root, or another high privilege user.
  * Upon locating the binary or script, try to replace or modify it for reverse shells, spawning root shell, etc. This is usually within a <mark style="color:orange;">**longer attack chain**</mark>, where the scripts themselves are not directly editable, but can be modified by exploit another vulnerability.
* For uncommon apps & binaries installed:
  * They may either have <mark style="color:orange;">**publicly available exploits**</mark> once you identified the service and version;
  * Alternatively, they may be custom-made services that are intentionally designed to be vulnerable to different attacks, such as command injection, dumping hardcoded credentials with `strings`, etc.
  * They may also be (mis)configured to be able to run with admin privileges.
* For apps & binaries that can be run with <mark style="color:orange;">**admin privileges**</mark> (e.g., SUID-bit set or `sudo` ):
  * For Linux, [GTFOBins](https://gtfobins.github.io/) is the go-to repository to abuse binaries for privilege escalation.
  * For Windows,  it is usually less straightforward. Regardless, the end goal is always to escalate your current privileges by actions such as getting admin credentials, spawning reverse shells, creating a new admin user, etc.
    {% endtab %}
    {% endtabs %}

{% tabs %}
{% tab title="System Misconfigurations" %}
This refers to system-level misconfigurations that are not associated with any particular services.&#x20;

* Readable / Writable Sensitive Files.
  * `/etc/passwd`, `/etc/shadow`, Extractable `SAM` & `SYSTEM` hives, SSH key files, Readable root / admin directories, etc.
* Misconfigured / Elevated Privileges.
  * Anything that can elevate privileges, for example:
    * On Linux: `sudo -l` , Kernel Exploits, Privileged Group Memberships, etc.&#x20;
    * On Windows, `cmdkey /list` , `whoami /priv`, Kernel Exploits, Registry Exploits, Service Path Misconfigurations, etc.
  * Note that there are numerous priv-esc techniques that cannot be fully listed here.
    {% endtab %}

{% tab title="Active Directory" %}
While most of the Windows privilege escalation techniques also apply to that when working on an AD environment, there are AD-specific misconfigurations that work on a domain level, for example:

* <mark style="color:orange;">**User ACL**</mark>: A user is allowed to change the password of another user, adding oneself to another group, etc.
* <mark style="color:orange;">**Disabled Kerberos Pre-auth**</mark>: Allowing AS-REP roasting attacks to extract password hashes of misconfigured users.
* <mark style="color:orange;">**SPN Configured**</mark>: Allowing Kerberoasting attacks to extract password hashes of misconfigured users.
* etc.
  {% endtab %}
  {% endtabs %}

## Sensitive Information

***

If none of the above vulnerabilities can be identified after thorough enumeration, it is likely that the weakness lies not on the services nor misconfigurations, but on <mark style="color:orange;">**human errors**</mark> such as leaked credentials, exposed internal directories, or any type of disclosed <mark style="color:orange;">**sensitive information**</mark>.

This particular attack vector is usually a by-product of enumerating the running services. Sensitive information can be revealed in all sorts of formats, such as error messages when poking around, hidden directories discovered with directory busting, credential files found in file shares, etc. The key here is to always take good notes on all discovery, and to always make sure you have not missed a single detail during enumeration. Remember, enumerate, enumerate, enumerate!

### Key strategies

{% stepper %}
{% step %} <mark style="color:purple;">**Gathering Information**</mark>

Collect and record whatever you can during the enumeration process. Pay extra attention to things that related to authentication functions, user credentials (names, emails & passwords), error messages, hidden directories and files, and more.
{% endstep %}

{% step %} <mark style="color:purple;">**Using Information**</mark>

With the gathered information, we can now put the pieces together. Do we have credentials that we can brute-force or spray? Do the hidden directories and files contain credentials or configurations? The possibilities are endless and would require case-by-case analysis.
{% endstep %}
{% endstepper %}

### Gathering Information

{% tabs %}
{% tab title="Web" %}
Make sure to thoroughly enumerate the web server. This will look a lot similar to the previous sections:

* <mark style="color:orange;">**Directory Busting**</mark>**:**
  * Hidden admin panels / Sensitive pages (e.g., `phpinfo`).
  * Config files (e.g., `.htaccess`) / `.git` Directory.
    * `.git` is a gold mine for information. You can get your hands on the application's source code to identify potential attack vectors (e.g., SQL injections), or there can be hardcoded credentials and session tokens within the source codes.
  * Open directory listing.
* <mark style="color:orange;">S</mark><mark style="color:orange;">**ubdomain Enumeration**</mark>**:**
  * Sometimes the good stuffs are hidden behind another Vhost. Always run subdomain enumeration and directory busting on the newly discovered subdomains.
* <mark style="color:orange;">**Webpage & Source code Review**</mark>**:**
  * Look for potential usernames / emails / credentials on page contents.
    * The `About Us` & `Contacts` sections usually contain emails & domain name information.
    * For blog-like applications, the blog articles often come with author names and comments with commenter names.
    * Some may also put down passwords under the blog posts or comments.
  * Check HTML source codes (Hard-coded credentials / Developer comments / Hidden endpoints, etc.).
    {% endtab %}

{% tab title="Databases" %}
Upon successful login, go through all of the non-default tables and databases.

* Mainly looking for <mark style="color:orange;">**credentials**</mark> (password & hashes).
  * Many CMS stores user passwords and hashes under tables such as `users`, `login`, etc.
* List out all users of the database for new usernames.
* Some SQL services, such as MySQL, also store password hashes of the users. Remember to dump those out for cracking.
  {% endtab %}

{% tab title="File Shares" %}
Upon successful login, go through all directories and files.

* Mainly looking for <mark style="color:orange;">**credentials**</mark> - It could be in configuration files, PDF files for onboarding employees, email backups, database files (`.db` file), Excel files, ZIP files, etc.&#x20;
* Apart from credentials, it can also be <mark style="color:orange;">**sensitive information**</mark> such as hidden endpoints, service versions, etc.
* Metadata may contain useful information such as usernames. (Check with `exiftool`)
* Sometimes the files (especially Excel & ZIP files) are <mark style="color:orange;">**encrypted**</mark> and require us to perform brute-force attacks with tools like `zip2john` and `hashcat`.&#x20;
  {% endtab %}

{% tab title="Remote Access" %}
This refers to services like Telnet, SSH, RDP, WinRM, etc.

* These services are usually not directly exploitable without <mark style="color:orange;">**correct credentials**</mark>.
* Regardless, there could still be some useful information.&#x20;
  * For example, the Nmap script on SSH (`ssh-hostkey`) tells you what key algorithms are used for authentication (e.g., RSA, ECDSA, etc.)
  * If RSA is in use, perhaps we will be hunting for `id_rsa` private key somewhere. Similarly, the discovered SSH private key may be in `id_ecdsa` format if ECDSA is in use.
    {% endtab %}
    {% endtabs %}

{% tabs %}
{% tab title="Mail Services" %}
Emails are often designed to be a realistic scenario of where sensitive information lies:

* Upon successful login, go through all the emails to check if they have mentioned anything about credentials, development site, configurations, etc.
* Even if un-authenticated, try to enumerate usernames from mail services such as POP3 and SMTP (See the [example](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#username-bruteforce-enumeration) here at HackTricks). The identified usernames can then be passed to other services for brute-forcing / password spraying attacks.
  {% endtab %}

{% tab title="Other External Services" %}
This includes all other uncategorized services such as DNS, SNMP, or all other non-common services, but I would like to put heavy focus on SNMP here.

* For SNMP on UDP port 161,  try to run `smnpwalk` with <mark style="color:orange;">**default community strings**</mark> (`public`, `private`, `manager`, etc.)&#x20;
* I have seen the following sensitive information exposed in SNMP:
  * Command histories containing passwords
    * User Emails
    * Usernames
    * Processes running
    * etc.
      {% endtab %}

{% tab title="Internal Enumeration" %}
In case of hunting for sensitive information internally, here are some general directions you can look into:

* Go through ALL <mark style="color:orange;">**configuration files**</mark> of the running services. 90% of the time there are hard-coded credentials that can be sprayed again to escalate privileges.
* Look for SSH key files. They can be in a user's home directory (`/.ssh/`), or they can be lying on some file share, some notes, etc.
* Go for <mark style="color:orange;">**command histories**</mark>. They may have records of previous commands that contain user credentials.
* In a realistic scenario, a user may leave their credentials in a text file lying on the Desktop, or in a note app, in an excel file, etc.&#x20;
* System administrators also often store credentials in the <mark style="color:orange;">**environmental variables**</mark> for easier access.
* Look for Password Manager Database files, e.g., `.kdbx` for KeePass.&#x20;
* For Windows, credentials may be stored within <mark style="color:orange;">**registry**</mark> entries, unattended installation files, etc. There may even be system backups of the SAM and SYSTEM hive that allow you to dump all credentials of the Windows machine.
  {% endtab %}
  {% endtabs %}

{% tabs %}
{% tab title="Active Directory" %}
For AD environments, we can enumerate sensitive information in many ways, for example:

* Extract valid usernames via <mark style="color:orange;">**anonymous LDAP dumping**</mark>,  <mark style="color:orange;">**SMB RID cycling**</mark> and running Kerberos pre-auth brute-forcing (with [Kerbrute](https://github.com/ropnop/kerbrute)).
* Go through all the readable file shares and databases.
* Dump domain-level credentials with local administrator privileges.
  * Once you escalated your privilege on a domain machine as the local administrator, you will mostly discover new credentials of other domain users, either via dumping them with tools like `mimikatz` & `impacket-secretsdump`, or finding them in registry, config files, or any other locations that are previously inaccessible.
    {% endtab %}
    {% endtabs %}

### Using Information

{% tabs %}
{% tab title="Brute-forcing" %}
Suppose you only found potential usernames. We can always run a quick brute-force login attack to check if this is the intended path.

* Always start out with <mark style="color:orange;">**default & common credentials**</mark>. It also doesn't hurt to try username, service name, or box name as passwords&#x20;
* As for the password wordlist, `rockyou.txt` will do the job within 10-20 minutes if brute-forcing is the intended attack path.

Note that you can also brute-force for usernames if you have a valid password, or if the service itself is vulnerable to username enumeration.

* For example, some mail services like POP3 and SMTP may be misconfigured to allow username enumeration (See the [example](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html#username-bruteforce-enumeration) here at HackTricks)
* Some web applications may also be vulnerable to username enumeration due to improper error messages (e.g., `Username does not exist!`)
* As mentioned above, we can also brute-force domain usernames from Kerberos running on Port 88 with [Kerbrute](https://github.com/ropnop/kerbrute).
* I usually use `/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt` from [SecLists](https://github.com/danielmiessler/SecLists).  You can run `sudo apt install seclists` to install SecLists on Kali.
  {% endtab %}

{% tab title="Password Spraying" %}
Suppose you have a few different potential usernames and passwords, the best approach is to <mark style="color:orange;">**spray all passwords**</mark> to all identified usernames <mark style="color:orange;">**in all combinations**</mark>.

* For example, if you have found the following user list: `peter, john, mary`, with the following passwords, `P@ss123!, Letme1n#`, then you will have 6 possible combinations in total. However, you should also include <mark style="color:orange;">**default usernames**</mark> such as administrator in to the user list, making it 8 possible combinations in total.
  * Just put all the usernames in a `user.txt`, and the passwords in a `pass.txt`, and supply the files as arguments when running tools like `Hydra` and `NetExec`.
* Always remember to spray them on <mark style="color:orange;">**ALL services**</mark>, such as webpages, SQL, SMB, FTP, SSH, and anything with a login function.
  {% endtab %}

{% tab title="Other Usages" %}
This is a general section on all other information that can be classified as sensitive, but are not credentials, such as hidden directories, config files, etc.

* Generally, these types of information provide you with hints to continue on the attack path, where you may either discover misconfigurations or version info that can be exploited, or actual credentials hidden in a deeper layer of the attack path.&#x20;
* All you have to do is to follow the lead and rerun the enumeration cycle on the three attack vectors, until you discover information that can help escalate your current privileges.
  {% endtab %}
  {% endtabs %}

{% tabs %}
{% tab title="Active Directory" %}
Here are some specific tips for brute-forcing & password spraying in Active Directory:

* [NetExec](https://www.netexec.wiki/) has all the functionality you need for spraying passwords on different services.&#x20;
  * I always run NetExec with the possible credential combinations on ALL available services: `SMB, LDAP, MSSQL, WinRM, WMI, RDP, SSH, FTP`, etc.
  * When the `-d` flag (domain) is not specified, NetExec will by default authenticate the user with the domain provided by the target machine.
  * Remember to add `--local-auth` at the end of the command for a second round of spraying. While the credential pairs may not be valid in the domain, it is always possible that it is a local account (I have success with this in actual engagements).
* Always check the <mark style="color:orange;">**password policies**</mark> to see if there is account lockout. If that is the case, it means that brute-forcing AD authentication is likely not the intended path.
  * You can do that with `nxc smb <ip> -u <user> -p <pass> --pass-pol`.
    {% endtab %}
    {% endtabs %}

## Conclusion

***

If you read till the end, I sincerely thank you for having the patience to go through my two cents on how to approach the OSCP exam. This is definitely not an exhaustive list, and it may also come across as a bit too exam-oriented. While I understand that real-life hacking involves way more techniques and depths, I truly hope this guide can be a good start to build one's methodology from scratch.

Hopefully what I have learnt along the way had provide some value to your journey, and I am always open to constructive feedbacks for improvements.