OSCP notes dump: #RECON
This is my first post covering my notes taken during the OSCP preparation. Before continuing my journey of cyber security certifications, I want to store most of my CherryTree notes in several blog posts. Please don't consider my notes to be a complete resource for the exam.
This is my first blog post about commands of the reconnaissance attack phase.
SNMP
# scanning for snmp
onesixtyone -c <community_strings> -i <iplist>
# enumerating the entire MIB tree (-v1 selects SNMP version 1, -t 10 sets a 10 second timeout)
snmpwalk -c <community_string> -v1 -t 10 10.11.1.14
# enumerating the entire MIB tree (alternative tool)
snmp-check <IP>
# enumerating windows users
snmpwalk -c public -v1 10.11.1.14 1.3.6.1.4.1.77.1.2.25
# enumerating running windows processes
snmpwalk -c public -v1 10.11.1.73 1.3.6.1.2.1.25.4.2.1.2
# enumerating open tcp ports
snmpwalk -c public -v1 10.11.1.14 1.3.6.1.2.1.6.13.1.3
# enumerating installed software
snmpwalk -c public -v1 10.11.1.50 1.3.6.1.2.1.25.6.3.1.2
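Added helper, not part of the original notes: the raw snmpwalk output for the user and tcp-port OIDs above is noisy, so this script reduces it to clean lists. The sample lines are constructed, not captured from a real host; the tcpConnTable index layout (localAddr.localPort.remoteAddr.remotePort) is what makes the listener filter work.

```shell
#!/bin/sh
# Added helper (not part of the original notes): turn raw snmpwalk output for the
# OIDs above into clean lists. Sample lines are constructed, not captured output.

# Constructed sample: snmpwalk ... 1.3.6.1.4.1.77.1.2.25 (Windows user names)
sample_users() {
  printf '%s\n' \
    'iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"' \
    'iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"'
}

# Constructed sample: snmpwalk ... 1.3.6.1.2.1.6.13.1.3 (tcpConnTable local ports).
# The OID suffix encodes localAddr.localPort.remoteAddr.remotePort.
sample_tcp() {
  printf '%s\n' \
    'iso.3.6.1.2.1.6.13.1.3.0.0.0.0.135.0.0.0.0.0 = INTEGER: 135' \
    'iso.3.6.1.2.1.6.13.1.3.0.0.0.0.445.0.0.0.0.0 = INTEGER: 445' \
    'iso.3.6.1.2.1.6.13.1.3.10.11.1.14.139.10.11.1.5.49160 = INTEGER: 139'
}

# Strip the OID and type prefix from STRING: rows, leaving only the quoted value
snmp_strings() {
  sed -n 's/.*= STRING: "\(.*\)"$/\1/p'
}

# From the tcpConnTable rows, keep only sockets bound to 0.0.0.0 (listeners);
# rows with a real remote peer are established connections, not open ports.
# Splitting on "." and " " puts the local address in fields 11-14 and the port in 15.
snmp_listening_ports() {
  awk -F'[ .]' '/= INTEGER:/ && $11 == 0 && $12 == 0 && $13 == 0 && $14 == 0 { print $15 }' |
    sort -n -u
}

# Stand-alone demo
sample_users | snmp_strings
sample_tcp | snmp_listening_ports
```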
NFS/RPC
# list all rpc services
nmap -sV -p 111 --script=rpcinfo <IP>
# running all NFS related scripts from nmap
nmap -p 111 --script "nfs*" <IP>
DNS
# generic check
dnsenum <domain>
# zone transfer
host -l <domain> <dns-server>
dnsrecon -d <domain name> -t axfr
# hostname brute force
dnsrecon -d <domain> -D list.txt -t brt
# nslookup (interactive): send the following queries to the target DNS server
> server TARGETIP
# domain enum with fierce
fierce --domain example.com
# nmap dns hostnames Lookup
nmap -F --dns-server <dns server ip> <target ip range>
# Host Lookup
host -t ns example.com
# reverse Lookup Brute Force - find domains in the same range
for ip in $(seq 155 190); do host 50.7.67.$ip; done | grep -v "not found"
# perform dns ip lookup
dig a domain-name-here.com @nameserver
# perform mx record lookup
dig mx domain-name-here.com @nameserver
# perform zone transfer with dig
dig axfr domain-name-here.com @nameserver
# dns zone transfers under Windows
nslookup -> set type=any -> ls -d blah.com
# linux dns zone transfer
dig axfr blah.com @ns1.blah.com
# dnsrecon DNS Brute Force
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml
# dnsrecon dns list of megacorp
dnsrecon -d megacorpone.com -t axfr
# dnsenum
dnsenum zonetransfer.me
SMB
# the following tools are recommended:
# nmap with smb related scripts, enum4linux, nbtscan
# smb os discovery
nmap $ip --script smb-os-discovery.nse
# netbios information scanning
nbtscan -r $ip/24
# enum4linux basic usage
enum4linux -a $ip
# nfs discovery
rpcinfo 127.0.0.1
showmount -e 127.0.0.1
mount -o nolock -t nfs source dst
# list available shares from target with SMB
# -L = list the shares available on the host
# -N = no password prompt (try a null session)
smbclient -L 192.168.192.62 -N
# connect via smb client to smb server
smbclient //192.168.192.62/IPC$ -N
# nmap port scan
nmap -v -p 139,445 -oG smb.txt $ip-254
# nmap find exposed Netbios servers
nmap -sU --script nbstat.nse -p 137 $ip
# nmap all SMB scripts scan
nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
# nmap all SMB scripts authenticated scan
nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb*) and not (brute or broadcast or dos or external or fuzzer)' --script-args=unsafe=1 $ip
# smb enumeration tools
nmblookup -A $ip
smbclient //MOUNT/share -I $ip -N
rpcclient -U "" $ip
enum4linux $ip
enum4linux -a $ip
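Added helper, not part of the original notes: the `-oG smb.txt` scan above produces grepable output, and these functions pull the hosts with 139/445 open out of it so they can be fed to enum4linux or smbclient. The sample file is constructed; the field layout (tab separated, port entries as port/state/proto/owner/service/rpc/version) is nmap's documented grepable format.

```shell
#!/bin/sh
# Added helper (not from the original notes): pull targets out of the grepable
# nmap output written by "-oG smb.txt" above. Sample output is constructed.

# Constructed sample of an -oG file; fields are tab separated, port entries are
# port/state/proto/owner/service/rpc/version separated by ", "
sample_og() {
  printf '# Nmap scan initiated as: nmap -v -p 139,445 -oG smb.txt 192.168.192.1-254\n'
  printf 'Host: 192.168.192.62 ()\tStatus: Up\n'
  printf 'Host: 192.168.192.62 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
  printf 'Host: 192.168.192.70 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (0)\n'
  printf 'Host: 192.168.192.75 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n'
  printf '# Nmap done -- 254 IP addresses (3 hosts up) scanned\n'
}

# Hosts with the given port open, one per line (input: -oG file on stdin).
# The leading "[ ,]" keeps e.g. 1445 from matching a search for 445.
hosts_with_open_port() {
  awk -v p="$1" '/Ports:/ && $0 ~ ("[ ,]" p "/open/") { print $2 }' | sort -u
}

# Open port/proto pairs for one host (input: -oG file on stdin)
open_ports_for_host() {
  awk -v h="$1" '$2 == h && /Ports:/ {
    sub(/.*Ports: /, ""); sub(/\tIgnored State:.*/, "")
    n = split($0, entry, /, /)
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open") printf "%s/%s\n", f[1], f[3]
    }
  }'
}

# Stand-alone demo
sample_og | hosts_with_open_port 445
sample_og | open_ports_for_host 192.168.192.62
```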
SMTP
# connect to the SMTP server using telnet
telnet smtp.example.com 25
# identify yourself as the sender of the email
HELO sender.example.com
# specify the recipient of the email
MAIL FROM: sender@example.com
RCPT TO: recipient@example.com
# start the email message
DATA
# type the subject and body of the email message
Subject: Example email
Hello, this is an example email message.
# end the email message with a period on a new line
.
# close the connection to the SMTP server
QUIT
IMAP
openssl s_client -connect 127.0.0.1:993
01 LOGIN admin@example.com password
02 LIST "" *
03 SELECT INBOX
04 STATUS INBOX (MESSAGES)
05 FETCH 1 ALL
06 LOGOUT
# fetch the entire message (BODY.PEEK reads it without setting the \Seen flag)
A FETCH 1 BODY.PEEK[]
POP3
telnet $ip 110
+OK beta POP3 server (BILLIES POP3 Server 1.2.23 ready
USER SILLY
+OK
PASS password
+OK Welcome silly
list
+OK 2 1807
1 786
2 1021
retr 1
+OK Message follows
From: silly@example.com
Dear Silly,
Here is your login for remote desktop ... try not to forget it this time!
username: silly
password: password
HTTP(S)
# enumerate all wordpress plugins (did not work here: a WPScan API token is required)
wpscan --url http://10.10.10.88/webservices/wp -e ap --log wpscan.out
# wp vuln scan including all installed plugins
ruby vane.rb --url http://10.10.10.88/webservices/wp --enumerate p
# default directory scan
gobuster dir -u http://10.10.10.88/webservices -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
# scan for directories and common file extensions
gobuster dir -u http://10.10.10.88/webservices -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
# nikto vuln scan
nikto -h https://10.10.10.88
GENERIC NMAP
# script dir
/usr/share/nmap/scripts
nmap --script=<scriptname>
# show the documentation of a script
nmap --script-help=<scriptname>
# providing args
nmap --script=<scriptname> --script-args=unsafe=1
# netcat port Scanning
nc -nvv -w 1 -z $ip 3388-3390
# discover active IPs using ARP on the network:
arp-scan $ip/24
# discover who else is on the network
netdiscover
# discover ip mac and mac vendors from arp
netdiscover -r $ip/24
# nmap stealth scan using SYN
nmap -sS $ip
# nmap stealth scan using FIN
nmap -sF $ip
# nmap banner grabbing
nmap -sV -sT $ip
# nmap os fingerprinting
nmap -O $ip
# nmap Regular Scan:
nmap $ip/24
# enumeration Scan
nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt
# enumeration Scan All Ports TCP / UDP and output to a txt file
nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip
# nmap output to a file:
nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24
# quick Scan:
nmap -T4 -F $ip/24
# quick Scan +:
nmap -sV -T4 -O -F --version-light $ip/24
# quick traceroute
nmap -sn --traceroute $ip
# all tcp and udp ports
nmap -v -sU -sS -p- -A -T4 $ip
# intense scan
nmap -T4 -A -v $ip
# intense scan + udp
nmap -sS -sU -T4 -A -v $ip/24
# intense scan tcp all ports
nmap -p 1-65535 -T4 -A -v $ip/24
# intense Scan - without Ping
nmap -T4 -A -v -Pn $ip/24
# ping scan
nmap -sn $ip/24
# slow comprehensive scan
nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" $ip/24
# scan with active connect
nmap -p1-65535 -A -T5 -sT $ip