Enumeration (정보 수집 및 열거)

All you need to know about basic host-based enumeration for OSCP

Network Discovery

Common Nmap Scan

nmap -sV -sT -sC -T5 -v -A $targetip
  • -sV (Version detection)

  • -sT (TCP connect scan)

  • -sC (Performs a script scan using the default set of scripts)

  • -T5 (Insane mode)

  • -v (Increase verbosity level)

  • -A (OS Detection)

All TCP port scan

nmap -p- -sT -v $targetip

All UDP Port Scan (With Service and Script Scan)

nmap -p- -sV -sU -sC $targetip

100 most common ports

nmap $targetip -F 100

Nmap Script Scan

Find the nse scripts

locate *.nse | grep <script.nse>

For example, the below command will find smb scripts.

locate *.nse | grep smb

Scan using a specific NSE script

nmap -sV -p 443 --script=ssl-heartbleed.nse $targetip

For example, below command will find any smb scripts running on port 139 & 445.

nmap -p 139,445 --script=smb-* $targetip

All smb scripts:

nmap --script smb-vuln* -p 139,445 [ip] 

SMB share paths enumeration:

nmap --script smb-enum-shares -p 139,445 [ip]

Using Metasploit portscan

use auxiliary/scanner/portscan/

Service Discovery

Port 80 & 443 - Web Discovery

Find SSL Heartbleed Vulnerablity

sslscan $targetip:443
nmap -sV --script=ssl-heartbleed

Scan Web Servers

Nikto -h $targethost -p $targetport

Dictionary Attacks for finding hidden web objects

gobuster dir –url http://$targetip -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x aspx,php

You can also use the common web_content list.


For cgi-bin,

gobuster dir –url http://$targetip/cgi-bin/ -w /usr/share/seclists/Discovery/Web_Content/cgis.txt -x aspx,php

Or for faster scan

ffuf -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -u 

ffuf Github link: https://github.com/ffuf/ffuf

Port 445 - SMB Discovery

To discover “All” of SMB

enum4linux -a $targetip

To discover the userlist

enum4linux -U $targetip

You can create a username list with awk.

cat user.txt | awk -F'[][]' '{print $2}' >> users.txt

Bruteforce the share names

enum4linux -s file

To find Password Policy

enum4linux -p $targetip

Alternative samba enumeration using smbmap

smbmap -H $targetip -d $domain -R

You can download file by smbmap directly from the victim host

smbmap -H -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 --download "Users\SVC_TGS\Desktop\user.txt"

SMBCLIENT copying whole directory

mount -t cifs //IPADDESS/SHARE /mnt -o "user=SMBUSER,password=SMBPASS"

Check the list of shares via SMB null session

smbclient –list //$targetip/ -U ‘’ -N

Connect to a spefic share path you found

smbclient \\$targetip\\$share

smbclient to list out share paths with sambaNTPasswrod

smbclient -U alice1978%0B186E661BBDBDCF6047784DE8B9FD8B --pw-nt-hash -L //ypuffy.htb/

Useful SMB commands

  • get $file to extract file to your host.

  • put $file to inject file to the victim.

Port 135 - RPC Discovery

rpcclient -U "" $targetip

Then use the below commands for more information

  • srvinfo

  • enumdomusers

  • getdompwinfo

  • querydominfo

  • netshareenum

  • netshareenumall

rpcbind -p

Port 389 & 636 for SSL - LDAP Discovery

ldapsearch -h -p 389 -x -b "dc=mywebsite,dc=com"

or using nmap

nmap -p 389 --script ldap-search ypuffy.htb

Port 21 - FTP Discovery

ftp $targetip
nc $targetip 21

FTP Commands List: https://www.serv-u.com/features/file-transfer-protocol-server-linux/commands

Port 3306 - MySQL

mysql --host=$targetip -u root -p
telnet 3306

ERROR 1130 (HY000): Host '' is not allowed to connect to this MySQL server means only localhost can log in as root.

MYSQL Commands List : http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html

SQL Password Storage

You can check the web server configuration php file if it contains any credentials.


Port 3389 - RDP

RDP to Windows

rdesktop -u $username -p $password <IP>

Ruby winrm package from

gem install -r winrm
ruby winrm_shell.rb 

Bruteforce RDP

ncrack -vv --user Administrator -P /root/passwords.txt rdp://

Port 21 - FTP

ftp $targetip
nc $targetip 21

Port 22 - SSH

Information Gathering using nc

nc -nv 22

The target OS is "Ubuntu", using "OpenSSH v6.6" (and package is 2ubuntu2)

Login with SSH key

ssh -i id_rsa alice1978@ypuffy.htb


/usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgencyB4ckd00r -I root .ssh/id_rsa

Bruteforce SSH Credential with hydra

hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip ssh -t 5

Port 161 UDP - SNMP

snmpwalk -c public -v 1

To check if snmp port is opened

nc -nv -u -z -w 1 160-162

Port 88 - Kerberos

Bruteforce the username list with nmap script.

nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='HTB',userdb=/root/oscp/forest/users.txt

Port 1433 -SQL

Command Injection using nmap

nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=poiuytrewq,mssql.database=bankdb,ms-sql-xp-cmdshell.cmd="whoami"

Telnet - 25

telnet $targetip 25

Finding known exploits from Exploit-DB

To update to latest Exploit-DB

searchsploit -u 

To find a exploit

searchsploit $item

To copy the file to your current directory.

searchsploit -m $item 

To find item wihtout DOS attack

searchsploit apache 2.x | grep -v '/dos/'

Local File inclusions

Simple test if the target is vulnerable to LFI


Simple test if you can run a local script against the target


Last updated