A few months ago, I didn’t know what Bash was, who that root guy people were scared of was, and I had definitely never heard of SSH tunneling. I also didn’t like the idea of paying for PWK lab time without using it, so I went through a number of resources until I felt ready to start the course.
Warning: Don’t expect to be spoon-fed if you’re doing OSCP. You’ll need to spend a lot of time researching; neither the admins nor the other students will give you answers easily.
1. PWK Syllabus
- Linux and Bash
- Basic tools
- Passive Recon
- Active Recon
- Buffer Overflow
- Using public exploits
- File Transfer
- Privilege Escalation
- Client Side Attacks
- Web Application Attacks
- Password Attacks
- Port Redirection/Tunneling
- Metasploit Framework
- Antivirus Bypassing
2. Wargames
- Over The Wire: Bandit
- Over The Wire: Natas
- Root-me.org
3. Vulnerable Machines
1. PWK Syllabus:
Simply the most important reference in the list: it shows the course modules in detail. My entire preparation was based on it. It can be found here.
Linux and Bash:
You don’t need to use Kali Linux right away; Ubuntu is a good alternative until you get comfortable with Linux.
- Linux Journey
- Bash for Beginners: Best Bash reference IMO.
- OverTheWire: Bandit: A great start for people who aren’t used to a terminal or aren’t familiar with Bash or *nix in general. Each challenge gives hints on which commands you can use; you need to research them yourself.
- Explainshell: Does NOT replace the man pages, but breaks commands down in a way that is easy for newcomers.
Basic tools:
You will use these tools a lot. Make sure you understand what they do and how you can make use of them.
- Netcat: The most important tool in the entire course. Understand what it does, what options it has, and the difference between a reverse shell (the target connects out to your listener) and a bind shell (the target listens and you connect in). Experiment a lot with it.
- Ncat: Netcat’s more mature sibling; supports SSL. Part of the Nmap project.
- Wireshark: Network analysis tool. Play with it while browsing the internet or connecting to FTP, and practise reading and writing PCAP files.
- TCPdump: Not all machines have that cute GUI; you could be stuck with a terminal.
Passive Recon:
Read about the following tools/techniques and experiment as much as possible.
- Google dorks
- Whois
- Netcraft
- Recon-ng: Make sure you check the usage guide to learn how it works.
Active Recon:
- Understand what DNS is, how it works, how to perform forward and reverse lookups, what zone transfers are and how to perform them. A great resource is here.
- Nmap: One of the most used tools during the course (if not the most). I’d recommend starting with the man page, then understanding the different scanning techniques and its other capabilities (NSE scripts, OS detection, service/version detection, ...).
- Services enumeration: SMTP, SNMP, SMB and many others. Don’t just enumerate them; understand what they’re used for and how they work. A great list of enumeration steps and tools is here.
Buffer Overflow:
The most fun part, in my opinion. There are countless resources on how to get started; I’d recommend Corelan’s series. You probably only need the first part for PWK.
Using public exploits:
Occasionally, you’ll need to use a public exploit, and maybe modify the shellcode or other parts of it. Go to Exploit-DB and pick one of the older, more reliable exploits (FTP ones, for example). The vulnerable version is usually bundled with the exploit code. Read the exploit before you run it: check what the shellcode does and which address and port it calls back to, then replace them with your own.
File Transfer:
Not every machine has netcat installed; you’ll need to find another way to upload exploits or other tools you need. A great post on this is here.
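The most common workaround when netcat is missing is to serve your tools directory over HTTP from the attacking machine and pull the file with whatever the target already has. The following is an added example, not code from the original post or the post it links to: the attacker side is what `python3 -m http.server` does, the target side fetches with Python’s standard library (on a real box `wget`, `curl`, `certutil.exe` or a bash `/dev/tcp` redirect play the same role), and the download is hash-checked so a truncated transfer is caught before you run it. The file name and contents are a constructed stand-in, not a real tool.

```python
import functools
import hashlib
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.request

# Added example (not from the original post): the "no netcat on the target" case.
# Attacker side: serve a directory over HTTP, the same thing
# `python3 -m http.server 8000` does when run from a tools directory.
# Target side: fetch the file and compare hashes before executing it.


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def serve_directory(directory):
    """Attacker: serve `directory` on an ephemeral 127.0.0.1 port.
    Returns (server, port); call server.shutdown() to stop it."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(url, dest):
    """Target: download url to dest with only the standard library, return its SHA-256."""
    with urllib.request.urlopen(url) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return sha256_file(dest)


def transfer_demo():
    """Serve a constructed sample tool, fetch it, return True if the hashes match."""
    with tempfile.TemporaryDirectory() as tools, tempfile.TemporaryDirectory() as target:
        src = os.path.join(tools, "linpeas.sh")  # constructed stand-in for a real tool
        with open(src, "wb") as f:
            f.write(b"#!/bin/sh\necho 'constructed sample, not the real script'\n")
        server, port = serve_directory(tools)
        try:
            got = fetch(f"http://127.0.0.1:{port}/linpeas.sh",
                        os.path.join(target, "linpeas.sh"))
        finally:
            server.shutdown()
            server.server_close()
        return got == sha256_file(src)


if __name__ == "__main__":
    print("transfer ok:", transfer_demo())
```

On an engagement the server binds to the interface facing the target (for PWK, the VPN address) rather than 127.0.0.1, and you compute the hash on the attacking side once so you can compare it on every box you push the tool to.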
Privilege Escalation:
A never-ending topic; there are many techniques, ranging from finding an admin password lying around to kernel exploits. A great way to practice is with Vulnhub VMs. Check my OSCP-like VMs list here.
Client Side Attacks:
Try out the techniques in Metasploit Unleashed, or an IE client-side exploit.
Web Application Attacks:
Another lengthy subject. Understand what XSS, SQL injection, LFI, RFI and directory traversal are, and how to use a proxy like Burp Suite. Solve as much as you can of OverTheWire: Natas; it has great examples of code injection, session hijacking and other web vulnerabilities.
The key is to research until you feel comfortable.
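Of the web issues listed above, SQL injection is the one you will meet most in the labs, and the whole bug fits in a few lines. The following is an added example, not code from the original post or from Natas: a login query built by string concatenation next to the parameterised version, plus the three things a tester does against it (probe with a quote, bypass the password, extract other rows with `UNION`). The table, rows and payloads are constructed sample data; SQLite is used only because it ships with Python.

```python
import sqlite3

# Added example (not from the original post): a login query that splices user
# input into SQL, the parameterised fix, and the classic payloads against it.
# The users table is constructed sample data.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "S3cret!"), ("bob", "hunter2")])
    return db


def vulnerable_lookup(db, username, password):
    """User input becomes part of the SQL text. Returns the matching usernames."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in db.execute(query).fetchall()]


def login_vulnerable(db, username, password):
    rows = vulnerable_lookup(db, username, password)
    return rows[0] if rows else None


def login_safe(db, username, password):
    """Same query with bound parameters: the input is data, never SQL."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def probe_for_injection(db):
    """First test: a lone quote breaks the statement. An error means the input
    reaches the SQL parser, which is the signal to start building payloads."""
    try:
        login_vulnerable(db, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


def bypass_login(db):
    """Comment out the password check: WHERE username = 'admin' -- ' AND ..."""
    return login_vulnerable(db, "admin' -- ", "wrong")


def dump_passwords_via_union(db):
    """Make the username column carry data from another column via UNION."""
    return vulnerable_lookup(db, "' UNION SELECT password FROM users -- ", "x")


if __name__ == "__main__":
    db = make_db()
    print("injectable:", probe_for_injection(db))
    print("bypass as:", bypass_login(db))
    print("dumped:", dump_passwords_via_union(db))
    print("safe with payload:", login_safe(db, "admin' -- ", "wrong"))
```

Every payload above is harmless against `login_safe` because the driver never lets the quote or the `--` reach the parser as syntax; that is the whole fix, and it is what you should look for in source when you get it.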
Password Attacks:
Understand the basics of password attacks and the difference between online attacks (guessing against a live service, which is slow and easy to detect) and offline attacks (cracking a hash you already have). Learn how to use Hydra, JTR and Medusa, what rainbow tables are, and so on. An excellent post on this topic is here.
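The online/offline split and the point of salts are easier to remember once you have watched both attacks run. The following is an added example, not code from the original post or from Hydra or JtR: a small wordlist with JtR-style mangling rules, an offline attack against an MD5 hash, the same guesses thrown at a constructed login service that locks the account after five failures, and a precomputed hash table that works on the unsalted hash and fails on the salted one. The wordlist, service, account and salt are all constructed for the demo; a real rainbow table compresses the table with reduction chains, which is left out here.

```python
import hashlib

# Added example (not from the original post): online vs offline guessing, and
# why a salt defeats precomputed tables. Wordlist, service and accounts are
# constructed for the demo.

WORDLIST = ["123456", "password", "letmein", "summer", "welcome", "dragon"]


def mangle(word):
    """A few JtR/hashcat-style rules: case variants, a '!' and digit/year suffixes."""
    out = []
    for base in (word, word.capitalize(), word.upper()):
        out.append(base)
        out.append(base + "!")
        for suffix in ("1", "123", "2017", "2018"):
            out.append(base + suffix)
    return list(dict.fromkeys(out))  # de-duplicate, keep order


def candidates():
    for word in WORDLIST:
        yield from mangle(word)


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def crack_offline(target_hash, salt=""):
    """Offline: we hold the hash, so the guess rate is bounded only by our CPU/GPU.
    A known salt does not stop this; it only stops precomputation.
    Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in candidates():
        guesses += 1
        if md5_hex(salt + cand) == target_hash:
            return cand, guesses
    return None, guesses


class LockingService:
    """Constructed stand-in for a login service that locks after max_failures."""

    def __init__(self, username, password, max_failures=5):
        self.username, self.password = username, password
        self.max_failures, self.failures, self.locked = max_failures, 0, False

    def login(self, username, password):
        if self.locked:
            raise PermissionError("account locked")
        if username == self.username and password == self.password:
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False


def crack_online(service, username):
    """Online (Hydra/Medusa style): one guess per request, each one logged by the
    target, and a lockout ends the run long before the wordlist does."""
    guesses = 0
    for cand in candidates():
        guesses += 1
        try:
            if service.login(username, cand):
                return cand, guesses
        except PermissionError:
            return None, guesses
    return None, guesses


def build_lookup_table():
    """hash -> password, computed once and reused against every unsalted hash
    (the idea behind rainbow tables, without the chain compression)."""
    return {md5_hex(c): c for c in candidates()}


def lookup(table, target_hash):
    return table.get(target_hash)


if __name__ == "__main__":
    print("offline:", crack_offline(md5_hex("Summer2018")))
    print("online: ", crack_online(LockingService("bob", "Summer2018"), "bob"))
    table = build_lookup_table()
    print("table, unsalted:", lookup(table, md5_hex("Summer2018")))
    print("table, salted:  ", lookup(table, md5_hex("s4lt" + "Summer2018")))
```

The practical rule that falls out of this: grab hashes whenever you can (SAM, `/etc/shadow`, database dumps) and crack them offline, and save online guessing for services with no lockout and a very short, targeted list.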
Port redirection/tunneling:
Not all machines are directly accessible; some are dual-homed, with a second interface on an internal network that you can only reach through the box you already own. You’ll use these techniques a lot in non-public networks. This post does a great job of explaining it.
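What every tunneling tool does underneath is accept a connection on one address and splice it to another. The following is an added example, not code from the original post or the post it links to: a TCP port redirector doing the job of `ssh -L 8080:127.0.0.1:80 user@pivot`, `rinetd` or `socat TCP-LISTEN:8080,fork TCP:127.0.0.1:80`, with a constructed "internal" service bound to 127.0.0.1 so that, as on a dual-homed box, it is only reachable from the pivot. Ports are ephemeral and the service, its banner and the message are assumptions made for the demo.

```python
import socket
import threading

# Added example (not from the original post): a TCP port redirector, the
# building block behind ssh -L / rinetd / socat forwarding. The "internal
# service" is a constructed stand-in bound to 127.0.0.1.


def _pipe(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_host, listen_port, target_host, target_port):
    """Listen on listen_host:listen_port and splice each new connection to
    target_host:target_port. Returns the listening socket; close it to stop."""
    lst = socket.socket()
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((listen_host, listen_port))
    lst.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:  # listener closed
                return
            upstream = socket.create_connection((target_host, target_port))
            # one thread per direction, like ssh/socat's bidirectional copy
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst


def start_internal_service():
    """Constructed stand-in for a service only the pivot can reach:
    sends a banner, upper-cases one message, closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"INTERNAL-SERVICE\n")
                conn.sendall(conn.recv(4096).upper())

    threading.Thread(target=loop, daemon=True).start()
    return srv


def talk(port, message):
    """Attacker-side client: connect to the relay port and read until EOF."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(message)
        data = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                return data
            data += chunk


def relay_demo():
    """Reach the internal service only through the relay's port."""
    svc = start_internal_service()
    relay = start_relay("127.0.0.1", 0, "127.0.0.1", svc.getsockname()[1])
    try:
        return talk(relay.getsockname()[1], b"hello through the pivot")
    finally:
        relay.close()
        svc.close()


if __name__ == "__main__":
    print(relay_demo().decode())
```

On a real pivot the relay listens on the interface facing you (or you run it on your own machine over an SSH session with `-L`); the `-R` and `-D` variants are the same copy loop with the listening and connecting sides arranged differently. Bind the listener to a specific address, as here: a relay on 0.0.0.0 exposes the internal service to everyone who can reach the pivot.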
Metasploit Framework:
I decided to skip this part, but if you still want to study it, check out the Metasploit Unleashed course.
Antivirus Bypassing:
I skipped this part too; it’s pretty basic in OSCP.
2. Wargames
Consider these preparation for the vulnerable machines.
OverTheWire: Bandit
Great start for people who aren’t familiar with Linux or Bash. Check my walkthroughs here.
Over The Wire: Natas
Focused on web application, many challenges aren’t required for OSCP, but it helps for sure. Check my walkthroughs here.
Root-me.org
Has great challenges on privilege escalation, SQL injection, JavaScript obfuscation, password cracking and analysing PCAP files.
3. Vulnerable Machines
Boot-to-root VMs are excellent pentesting practice: you import a VM, run it and start enumerating from your attacking machine. Most of them end with getting root access. Check my post on which machines are closest to OSCP. Rooting VMs is as important as studying the material; you can’t depend on theoretical knowledge alone, but you still need that knowledge to tackle the harder machines.
If you still have questions, feel free to comment below or ask on our NetSecFocus slack!
- Abatchy