Passing the Offensive Security Certified Professional Exam is not like passing any other exam, this isn’t a multiple choice “what runs on port 22?” Security+ style brain dump exam. This is a 24 hour hands on, prove you have what it takes exam.

If you think your up to the challenge we have created a guide for passing this exam, the tools, tips, tricks and techniques are provided by people who have passed this exam.

Phase 1:

You will be provided a list of 5 IP addresses that you will be trying to compromise,one of them will have an exploitable application and an exploit for it that needs to be modified in order to successfully compromise the machine. The vulnerable application will be propriety so don’t bother google’n for a PoC to exploit it.

In the first phase of your exam you will want to gather as much information about the hosts you are attacking as possible, we will do this with nmap.

I like to start with a command like:

nmap -sS -vv -O -sV 10.10.10.10 -p1-65000

(stealth scan, verbose, identify OS, grab port service information and scan ports 1 – 65000)

followed by:

nmap -sU -vv -sV 10.10.10.10 -p1-65000

***** NOTE THIS WILL TAKE A VERY LONG TIME AS WE ARE SCANNING ALL PORTS! ******

it is also fine to scan common ports, I have only once seen something exploitable outside the common port range.

Your first scan should leave you with something like:

PORT      STATE SERVICE            REASON          VERSION
21/tcp    open  ftp?               syn-ack ttl 128
23/tcp    open  telnet             syn-ack ttl 128 Microsoft Windows XP telnetd
53/tcp    open  domain             syn-ack ttl 128 Microsoft DNS 6.1.7600
111/tcp   open  rpcbind            syn-ack ttl 128 2-4 (RPC #100000)
135/tcp   open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack ttl 128 Microsoft Windows 98 netbios-ssn
445/tcp   open  microsoft-ds       syn-ack ttl 128 Microsoft Windows Server 2008 R2 microsoft-ds
1039/tcp  open  status             syn-ack ttl 128 1 (RPC #100024)
1047/tcp  open  nlockmgr           syn-ack ttl 128 1-4 (RPC #100021)
1048/tcp  open  mountd             syn-ack ttl 128 1-3 (RPC #100005)
2049/tcp  open  nfs                syn-ack ttl 128 2-3 (RPC #100003)
3389/tcp  open  ssl/ms-wbt-server? syn-ack ttl 128
8080/tcp  open  http               syn-ack ttl 128 Microsoft IIS httpd 7.5
49152/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49153/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49154/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC
49155/tcp open  msrpc              syn-ack ttl 128 Microsoft Windows RPC

And hopefully your UDP scan:

PORT      STATE SERVICE    REASON               VERSION
53/udp    open  domain     udp-response         Microsoft DNS 6.1.7600 (1DB04228)
111/udp   open  rpcbind    udp-response ttl 128 2-4 (RPC #100000)
123/udp   open  ntp        udp-response ttl 128 NTP v3
137/udp   open  netbios-ns udp-response ttl 128 Microsoft Windows XP netbios-ssn
1039/udp  open  status     udp-response         1 (RPC #100024)
1047/udp  open  nlockmgr   udp-response         1-4 (RPC #100021)
1048/udp  open  mountd     udp-response         1-3 (RPC #100005)
1434/udp  open  ms-sql-m   udp-response         Microsoft SQL Server 10.50.6000.34 (ServerName: LOOKAROUNDYOU)
2049/udp  open  nfs        udp-response ttl 128 2-3 (RPC #100003)
52225/udp open  domain     udp-response ttl 128 Zoom X5 ADSL modem DNS
52503/udp open  domain     udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
53006/udp open  domain     udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
53037/udp open  domain     udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
53571/udp open  domain     udp-response         Zoom X5 ADSL modem DNS
54281/udp open  domain     udp-response ttl 128 Microsoft DNS 6.1.7600 (1DB04228)
54321/udp open  domain     udp-response         Microsoft DNS 6.1.7600 (1DB04228)

After you have scanned all the host in your target lists keep a list of all the services running and versions because if we can’t get on the machine through other means we will attempt to find vulnerable applications and exploit those.

If you want to scan anonymously you can use TOR and Proxychains like so:

apt-get install tor

Then downloaded and ran Tor bundle:

tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-en-US.tar.gz cd tor-browser_en-US ./start-tor-browser

Follow the prompts and voi-la. Works like a charm, way too easy. Then I asked myself, how do I use other programs over the Tor network, such as iceweasel? The answer (so far) is using proxychains.

“locate proxychains” in /usr/bin/proxychains

located the proxychains.conf file. I edit it using vi and added “socks5 127.0.0.1 9050”, so it uses Tor’s socks5.

Check your IP address proxychains iceweasel www.whatismyipaddress.com

proxychains nmap -sS 192.168.0.1

If you have errors do the following  (ERROR: ld.so: object ‘libproxychains.so.3′ from LD_PRELOAD cannot be preloaded: ignored), so I decided to update it proxychains-ng by doing the following:

apt-get remove proxychains (remove old proxychains)
git clone https://github.com/rofl0r/proxychains-ng (download proxychains4)
cd proxychains-ng ./configure –prefix=/usr –sysconfdir=/etc
sudo make
sudo make install
sudo make install-config (install configuration file)

Ensure it works:

proxychains4 iceweasel