Offensive Security Certified Professional (OSCP)

Course Fee

FREE

daily
Instructor: Dr. Brian Vasquez

About this Course

Foundational Reconnaissance and Enumeration

Learners will gain mastery in systematically gathering information about target systems and networks, essential for identifying potential attack vectors and understanding the target's attack surface.

Passive Information Gathering

  • Conducting Open-Source Intelligence (OSINT) to collect publicly available information without directly interacting with the target, including domain registration details, historical website data, and employee information from public profiles.
  • Utilizing specialized search engines and databases like Shodan to discover internet-connected devices and services, identifying their versions, open ports, and potential vulnerabilities from publicly available banners.

Active Network Enumeration

  • Performing comprehensive port scanning using tools like Nmap to identify active hosts, open ports, and the services running on them, including version detection and operating system fingerprinting.
  • Enumerating common network services such as SMB/CIFS, NFS, SMTP, and DNS to extract valuable information like shared folders, user lists, and domain configurations, often revealing misconfigurations or exploitable settings.
  • Understanding and applying various DNS enumeration techniques to map out domain structures, identify subdomains, and gather mail exchange (MX) and name server (NS) records, critical for understanding network topology.

Vulnerability Identification and Analysis

This section focuses on the deep understanding and practical application of identifying known vulnerabilities and misconfigurations that can be leveraged for unauthorized access.

Systematic Vulnerability Scanning

  • Identifying common software vulnerabilities by cross-referencing enumerated service versions with public vulnerability databases and security advisories (e.g., CVE, Exploit-DB).
  • Analyzing configuration files and system settings on target hosts to uncover misconfigurations that lead to weak permissions, exposed credentials, or unnecessary open services.

Manual Vulnerability Assessment

  • Developing the ability to manually inspect and analyze target system behaviors for signs of vulnerabilities, rather than relying solely on automated scanners. This includes interpreting error messages, network traffic, and application responses.
  • Understanding how to identify and validate exploitable conditions such as outdated software, insecure protocols, and default credentials that might be present on various network services.

System Exploitation Techniques

Learners will master various techniques to gain initial access to target systems through known vulnerabilities and carefully crafted exploits.

Buffer Overflow Exploitation

  • Understanding the stack frame, EIP/RIP control, and crafting malicious payloads to achieve arbitrary code execution on vulnerable applications. This includes identifying buffer overflow conditions through fuzzing, locating precise offsets, handling bad characters, and generating shellcode using tools like Metasploit's MSFvenom.
  • Applying techniques for both Windows and Linux environments, focusing on overcoming basic protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) through understanding their mechanisms.

Exploiting Network Services

  • Leveraging publicly available exploits for various network services (e.g., FTP, SSH, web servers, database services) after proper enumeration and vulnerability identification.
  • Modifying existing exploit code written in languages like Python or Ruby to suit specific target environments, ensuring successful payload delivery and execution.
  • Utilizing the Metasploit Framework for rapid prototyping and deployment of exploits against identified vulnerabilities, including understanding its modules (auxiliary, exploit, payload, post).

Web Application Exploitation

This section delves into the specific vulnerabilities prevalent in web applications and methods to exploit them to gain access or extract sensitive information.

Common Web Vulnerabilities

  • Mastering SQL Injection (SQLi) techniques, including error-based, union-based, and blind SQLi, to extract data from databases or gain command execution on underlying systems.
  • Understanding and exploiting Cross-Site Scripting (XSS) vulnerabilities (reflected, stored, DOM-based) to inject malicious client-side scripts into web pages viewed by other users.
  • Identifying and exploiting Local File Inclusion (LFI) and Remote File Inclusion (RFI) vulnerabilities to read sensitive files or execute arbitrary code on the server.
  • Exploiting command injection flaws, where user-supplied input is executed as system commands, often leading to full system compromise.
  • Identifying and exploiting insecure file upload functionalities to upload malicious scripts (e.g., web shells) that grant remote code execution.

Authentication and Authorization Bypass

  • Applying techniques to bypass authentication mechanisms, such as manipulating cookies, session tokens, or exploiting weak login logic.
  • Discovering and leveraging insecure direct object references (IDOR) to access unauthorized resources by manipulating parameters pointing to objects.

Client-Side and Password Attacks

Learners will understand how to target user-facing applications and common credential-based weaknesses.

Client-Side Exploitation

  • Crafting malicious files (e.g., Office macros, PDF exploits) to gain access when a target user interacts with them, often used in conjunction with social engineering tactics.
  • Understanding how to set up and deliver client-side exploits that leverage browser vulnerabilities or common software flaws on user workstations.

Password and Credential Attacks

  • Performing brute-force and dictionary attacks against various services (e.g., SSH, FTP, web logins) to guess valid credentials.
  • Executing password spraying attacks to test a small number of common passwords against a large list of usernames.
  • Cracking password hashes obtained from compromised systems using tools like John the Ripper or Hashcat, leveraging wordlists and rulesets.

Post-Exploitation and Privilege Escalation

After gaining initial access, learners will master techniques to maintain presence, move laterally, and elevate privileges to gain full control over a system.

Linux Privilege Escalation

  • Identifying misconfigurations such as insecure SUID/SGID binaries, weak file permissions, and vulnerable kernel versions that allow for local privilege escalation.
  • Exploiting PATH variable vulnerabilities, cron jobs, and insecure service configurations to elevate privileges to root.
  • Discovering and leveraging credentials stored in configuration files or memory on the compromised system.

Windows Privilege Escalation

  • Exploiting common Windows misconfigurations including unquoted service paths, weak service permissions, and insecure registry settings.
  • Leveraging kernel exploits, missing patches, and DLL hijacking vulnerabilities to escalate privileges to System or Administrator.
  • Identifying and utilizing credentials found in memory, registry, or configuration files, including techniques like token impersonation.

Advanced Network Pivoting and Persistence

This section focuses on establishing a foothold, moving through segmented networks, and ensuring continued access to compromised environments.

Lateral Movement and Pivoting

  • Utilizing techniques like SSH tunneling, port forwarding, and tools such as ProxyChains, Chisel, or Ligolo to establish network connectivity to otherwise unreachable internal networks from a compromised host.
  • Enumerating internal network segments and identifying new targets after gaining a foothold, understanding network segmentation and trust boundaries.
  • Applying techniques like NTLM relay attacks and understanding how to leverage credentials for Pass-the-Hash or Pass-the-Ticket scenarios to move between systems within a domain.

Maintaining Persistence

  • Establishing persistent access to compromised systems by creating hidden accounts, modifying startup scripts, or scheduling malicious tasks.
  • Deploying various backdoors and covert channels to ensure continued access even after system reboots or user logouts.

Exploit Development and Scripting

Learners will develop the ability to understand, modify, and create custom scripts and exploits to adapt to unique scenarios.

Custom Scripting for Penetration Testing

  • Developing proficiency in scripting languages such as Python, Bash, and PowerShell to automate reconnaissance, exploit delivery, and post-exploitation tasks.
  • Writing custom scripts to parse data, interact with APIs, or automate repetitive manual processes during a penetration test.

Exploit Adaptation and Debugging

  • Understanding the structure of existing exploit code and modifying it to bypass specific protections or fit unique target environments.
  • Utilizing debuggers and analysis tools to understand program behavior, identify vulnerabilities, and craft reliable exploits.

Course Features

Expert Instructor

Get live study sessions from experts

Honorary Certification

Receive a certificate before completing the course.

Pricing Plans


Self-Study

$0.0/day

Access the course and get certified.


Fast Track

$18.5/day

Claim a certificate before completing the course


Live Expertise

$93.0/day

Learn live with a skilled professional.


Masterclass

$111.5/day

Everything you need to excel.


Frequently Asked Questions

For detailed information about our Offensive Security Certified Professional (OSCP) course, including what you’ll learn and course objectives, please visit the "About This Course" section on this page.

The course is online, but you can select Networking Events at enrollment to meet people in person. This feature may not always be available.

We don’t have a physical office because the course is fully online. However, we partner with training providers worldwide to offer in-person sessions. You can arrange this by contacting us first and selecting features like Networking Events or Expert Instructors when enrolling.

Contact us to arrange one.

This course is accredited by Govur University, and we also offer accreditation to organizations and businesses through Govur Accreditation. For more information, visit our Accreditation Page.

Dr. Brian Vasquez is the official representative for the Offensive Security Certified Professional (OSCP) course and is responsible for reviewing and scoring exam submissions. If you'd like guidance from a live instructor, you can select that option during enrollment.

The course doesn't have a fixed duration. It has 22 questions, and each question takes about 5 to 30 minutes to answer. You’ll receive your certificate once you’ve successfully answered most of the questions. Learn more here.

The course is always available, so you can start at any time that works for you!

We partner with various organizations to curate and select the best networking events, webinars, and instructor Q&A sessions throughout the year. You’ll receive more information about these opportunities when you enroll. This feature may not always be available.

You will receive a Certificate of Excellence when you score 75% or higher in the course, showing that you have learned the course material.

An Honorary Certificate allows you to receive a Certificate of Commitment right after enrolling, even if you haven’t finished the course. It’s ideal for busy professionals who need certification quickly but plan to complete the course later.

The price is based on your enrollment duration and selected features. Discounts increase with more days and features. You can also choose from plans for bundled options.

Choose a duration that fits your schedule. You can enroll for up to 180 days at a time.

No, you won't. Once you earn your certificate, you retain access to it and the completed exercises for life, even after your subscription expires. However, to take new exercises, you'll need to re-enroll if your subscription has run out.

To verify a certificate, visit the Verify Certificate page on our website and enter the 12-digit certificate ID. You can then confirm the authenticity of the certificate and review details such as the enrollment date, completed exercises, and their corresponding levels and scores.



How to Get Certified

Enroll in the Course


Click the Enroll button to view the pricing plans.
There, you can choose a plan or customize your enrollment by selecting your preferred features, duration, and applying any coupon codes.
Once selected, complete your payment to access the course.

Complete the Course


Begin the course by selecting your experience level in the course content section:
  • Beginner: Master the material with interactive questions and enough time.
  • Intermediate: Get certified faster with hints and balanced questions.
  • Advanced: Challenge yourself with more questions and less time.

Earn Your Certificate


To download and share your certificate, you must achieve a combined score of at least 75% on all questions answered.