How to prepare for PWK/OSCP, a noob-friendly guide
 Saturday, March 4, 2017
/////////////////////////////////////////////////////////////////////////////////////////// 
Found at: https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob

Few months ago, I didnt know what Bash is, who that root guy people were scared of, and definitely never heard of SSH tunneling. I also didnt like paying for the PWK lab time without using it, so I went through a number of resources till I felt ready for starting the course.

Warning: Dont expect to be spoon-fed if youre doing OSCP, youll need to spend a lot of time researching, neither the admins or the other students will give you answers easily.
/////////////////////////////////////////////////
1. PWK Syllabus

    Linux and Bash
    Basic tools
    Passive Recon
    Active Recon
    Buffer Overflow
    Using public exploits
    File Transfer
    Privilege Escalation
    Client Side Attacks
    Web Application Attacks
    Password Attacks
    Port Redirection/Tunneling
    Metasploit Framework
    Antivirus Bypassing

2. Wargames

    Over The Wire: Bandit
    Over The Wire: Natas
    Root-me.org

3. Vulnerable VMs

/////////////////////////////////////////////////
1. PWK Syllabus:

Simply the most important reference in the list, it shows the course modules in a detailed way. Entire preparation I did was based on it. Can be found here.[https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf]
-------------------------
Linux and Bash:

You dont need to use Kali Linux right away, a good alternative is Ubuntu till you get comfortable with Linux.

    Linux Journey [https://linuxjourney.com/]
    Bash for Beginners: Best Bash reference IMO. [http://www.tldp.org/LDP/Bash-Beginners-Guide/html/]
    OverTheWire: Bandit: Great start for people who arent used to using a terminal, arent familiar with Bash or other *nix in general. Each challenge gives you hints on which commands you can use, you need to research them. [http://overthewire.org/wargames/bandit/]
    Explainshell: Does NOT replace man pages, but breaks down commands easily for new comers. [http://www.explainshell.com/]
-------------------------
Basic tools:

You will use these tools a lot. Make sure you understand what they do and how you can utilize them.

    Netcat: Most important tool in the entire course. Understand what it does, what options you have, difference between a reverse shell and a bind shell. Experiment a lot with it.
    Ncat: Netcats mature brother, supports SSL. Part of Nmap.
    Wireshark: Network analysis tool, play with it while browsing the internet, connecting to FTP, read/write PCAP files.
    TCPdump: Not all machines have that cute GUI, you could be stuck with a terminal.
-------------------------
Passive Recon:

Read about the following tools/techniques, experiment as much as possible.

    Google dorks [http://whatis.techtarget.com/definition/Google-dork-query]
    Whois [https://whois.icann.org/en/about-whois]
    Netcraft [https://searchdns.netcraft.com/]
    Recon-ng: Make sure you check the Usage guide to know how it works. [https://bitbucket.org/LaNMaSteR53/recon-ng] [https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Usage%20Guide]
-------------------------
Active Recon:

    Understand what DNS is, how it works, how to perform forward and reverse lookup, what zone transfers are and how to perform them. Great resource here. [http://resources.infosecinstitute.com/dns-hacking/#gref]
    Nmap: One of the most used tools during the course (if not the most). Id recommend to start by reading the man pages[https://nmap.org/book/man.html], understand different scanning techniques and other capabilities it has (scripts, OS detection, Service detection, )
    Services enumeration: SMTP, SNMP, SMB, and a lot others. Dont just enumerate them, understand what theyre used for and how they work.
    Great list for enumeration and tools. [http://0daysecurity.com/penetration-testing/enumeration.html]
-------------------------
Buffer Overflow:

Most fun part in my opinion. There are countless resources on how to get started, Id recommend Corelans series. You probably need the first part only for PWK. [https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/]
-------------------------
Using public exploits:

Occasionally, youll need to use a public exploit, maybe even modify the shellcode or other parts. Just go to Exploit-db and pick one of the older more reliable exploits (FTP ones for example). The vulnerable version is usually present with the exploit code.
-------------------------
File Transfer:

Not every machine has netcat installed, youll need to find a way around it to upload exploits or other tools you need. Great post on this is here. [https://blog.ropnop.com/transferring-files-from-kali-to-windows/]
-------------------------
Privilege Escalation:

A never ending topic, there are a lot of techniques, ranging from having an admin password to kernel exploits. Great way to practice this is by using Vulnhub VMs for practice. Check my OSCP-like VMs list here. [https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html]

Windows:Elevating privileges by exploiting weak folder permissions [http://www.greyhathacker.net/?p=738]
Windows: Privilege Escalation Fundamentals [http://www.fuzzysecurity.com/tutorials/16.html]
Windows: Windows-Exploit-Suggester [https://github.com/GDSSecurity/Windows-Exploit-Suggester]
Windows: Privilege Escalation Commands [http://pwnwiki.io/#!privesc/windows/index.md]
Linux: Basic Linux Privilege Escalation [https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/]
Linux: linuxprivchecker.py [http://www.securitysift.com/download/linuxprivchecker.py]
Linux: LinEnum [https://github.com/rebootuser/LinEnum]
Practical Windows Privilege Escalation [https://www.youtube.com/watch?v=PC_iMqiuIRQ]
MySQL Root to System Root with UDF [https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/]
-------------------------
Client Side Attacks:

Try out the techniques provided in Metasploit Unleashed or an IE client side exploit. [https://www.offensive-security.com/metasploit-unleashed/client-side-attacks/]
-------------------------
Web Application Attacks 

Another lengthy subject, understand what XSS is, SQL injection[https://www.exploit-db.com/papers/13045/], LFI[https://www.exploit-db.com/docs/40992.pdf], RFI, directory traversal, how to use a proxy like Burp Suite. Solve as much as you can from OverTheWire: Natas[http://overthewire.org/wargames/natas/]. It has great examples on Code Injection, Session hijacking and other web vulnerabilities.

Key is research till you feel comfortable.
-------------------------
Password Attacks:

Understand the basics of password attacks, difference between online and offline attacks. How to use Hydra[http://sectools.org/tool/hydra/], JTR[https://github.com/magnumripper/JohnTheRipper], Medusa[https://en.kali.tools/?p=200], what rainbow tables are, the list goes on. Excellent post on this topic here.[https://alexandreborgesbrazil.files.wordpress.com/2013/08/introduction_to_password_cracking_part_1.pdf]
-------------------------
Port redirection/tunneling:

Not all machines are directly accessible, some are dual homed, connected to an internal network. Youll use such techniques a lot in non-public networks. This post [https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/] did a great job explaining it.
-------------------------
Metasploit Framework:

Decided to skip this part, but if you still want to study it, check out Metasploit Unleashed course. [https://www.offensive-security.com/metasploit-unleashed/]
-------------------------
Antivirus Bypassing

Skipped this part too. Pretty basic in OSCP.

/////////////////////////////////////////////////
2. Wargames

Consider these a prep for vulnerable machines.
-------------------------
OverTheWire: Bandit

Great start for people who arent familiar with Linux or Bash. Check my walkthroughs here. [http://localhost:4000/tag/bandit/]
-------------------------
Over The Wire: Natas

Focused on web application, many challenges arent required for OSCP, but it helps for sure. Check my walkthroughs here. [http://localhost:4000/tag/natas/]
-------------------------
Root-me.org

Has great challenges on privilege escalation, SQL injection, Javascript obfuscation, password cracking and analyzing PCAP files

/////////////////////////////////////////////////
3. Vulnerable Machines

Boot-to-root VMs are excellent for pentesting, you import a VM, run it and start enumerating from your attacking machine. Most of them result in getting root access. Check my post [https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html] on which machines are the closest to OSCP. Rooting VMs is as important as studying the material. You cant depend on theoretical knowledge only, yet you still need this knowledge to help you tackle harder machines.

If you still have questions, feel free to comment below or ask on our NetSecFocus slack! [https://netsecfocus.herokuapp.com/]

- Abatchy

/////////////////////////////////////////////////////////////////////////////////////////// 
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ 