OSCP
OSCP
OSCP
OSCP
All About OSCP
OSCP- One Page Repository
About the Author
Basic Linux & Windows Commands
Recon (Scanning & Enumeration)
Active Info Gathering
My Network Recon Checklist
My Web Recon Checklist
Network Enumeration
Port Scanning
Common Ports and Services
DNS Zone Transfer Attack
SNMP Enumeration
SMB Enumeration
Web Application Directory bruteforcing / fingerprinting
Port & Services Scanning
Web Application
Brute Force
Shells
Transferring files
Priv Escalation
Post Exploitation
Pivoting
Buffer Overflow
Main Tools
MISC
CheatSheet (Short)
OSCP/ Vulnhub Practice learning
Powered by GitBook

Network Enumeration

NMAP
# Alive hosts
nmap -sn 10.0.0.0/24	
# scan the 1024 most common ports, run OS detection, run default nmap scripts
nmap -A -oA nmap <targetip>	
# Scan more deeply, scan all 65535 ports on $targetip with a full connect scan
nmap -v -sT <targetip> -p- 
# more options
nmap -sV -sC -v -A <targetip> -p- 
nmap -sT -sV -A -O -v -p 1–65535 <targetip> 
# my preference
nmap -sV -sC -v -oA output <targetip>
nmap -p- -v <targetip>
------------------------
SMB
Port 139 and 445- SMB/Samba shares
Samba is a service that enables the user to share files with other machines
works the same as a command line FTP client, may browse files without even having credentials
# Share List:
smbclient --list <targetip>
smbclient -L <targetip>
# Check SMB vulnerabilities:
nmap --script=smb-check-vulns.nse <targetip> -p445
# basic nmap scripts to enumerate shares and OS discovery
nmap -p 139,445 192.168.1.1/24 --script smb-enum-shares.nse smb-os-discovery.nse
# Connect using Username
root@kali:~# smbclient -L <targetip> -U username -p 445
# Connect to Shares
smbclient \\\\<targetip>\\ShareName
smbclient \\\\<targetip>\\ShareName -U john
# enumarete with smb-shares, -a “do everything” option
enum4linux -a 192.168.1.120
# learn the machine name and then enumerate with smbclient
nmblookup -A 192.168.1.102
smbclient -L <server_name> -I 192.168.1.105
# rpcclient - Connect with a null-session (only works for older windows servers)
rpcclient -U james 10.10.10.52
rpcclient -U "" 192.168.1.105
(press enter if asks for a password)
rpcclient $> srvinfo
rpcclient $> enumdomusers
rpcclient $> enumalsgroups domain
rpcclient $> lookupnames administrators
rpcclient> querydominfo
rpcclient> enumdomusers
rpcclient> queryuser john
# scan for vulnerabilities with nmap
nmap --script "vuln" <targetip> -p139,445
------------------------
SMTP
# telnet or netcat connection
nc <targetip> 25
VRFY root
# Check for commands
nmap -script smtp-commands.nse <targetip>
------------------------
Port 111 - RPC
Rpcbind can help us look for NFS-shares. So look out for nfs. Obtain list of services running with RPC:
rpcbind -p <targetip>
rpcinfo –p x.x.x.x
# using nmap, see which port NFS is listening
locate *rpc*.nse
nmap --script rpcinfo.nse <targetip> -p 111
-------------------------
NFS
# to find the public share
locate *nfs*.nse
nmap --script nfs-showmount.nse <targetip>
# mount the share to a folder under /tmp
mkdir /tmp/nfs
/sbin/mount.nfs <targetip>:/home/box /tmp/nfs
Previous
My Web Recon Checklist
Next
Port Scanning
Last updated 1 year ago