
ffuf

# Directory brute-force with ffuf: -c colours output, -w is the wordlist, and the
# literal FUZZ in -u marks where each wordlist entry is substituted.
wordlist=/usr/share/wordlists/dirb/big.txt
target_url='http://10.11.1.39'
ffuf -c -w "$wordlist" -u "${target_url}/FUZZ"

Opendoor

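# opendoor directory scans, one call per (scheme, host, port).
# The original repeated an unchecked "cd /opendoor" before every run and re-assigned
# IP between runs, so the 443 scan silently targeted a different host than the 80
# scan; each invocation below names its own target and reports root explicitly.

#######################################
# Run opendoor's directory scan against one host:port.
# Arguments:
#   $1 - scheme (http or https)
#   $2 - host (IP or name)
#   $3 - port
#   $4 - reports root; reports go to $4/<host>/web_<port>
# Returns: 1 if /opendoor is missing, else opendoor's exit status
#######################################
opendoor_dirs() {
  local scheme=$1 host=$2 port=$3 reports_root=$4
  local out_dir="${reports_root}/${host}/web_${port}"
  # opendoor is run from its checkout, as in the original notes; the cd is checked
  # so a missing checkout does not start the scan from whatever $PWD happens to be.
  cd /opendoor || return 1
  # -p is passed for every run; the original omitted it for https, where 443 is
  # the default port anyway, so the target is unchanged.
  opendoor --host "${scheme}://${host}" -p "${port}" --scan=directories -t 50 \
    --reports json,html,txt --reports-dir="${out_dir}"
}

## 80
opendoor_dirs http 10.11.1.128 80 /root/labs/boxes
## 443
opendoor_dirs https 10.11.1.8 443 /root/labs/boxes
## 4167
opendoor_dirs http 10.11.1.128 4167 /home/kali/labs/boxes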

amap

Application mapping

[root@kali:~/labs/boxes/10.11.1.227/scans]# amap -bqv 10.11.1.227 139

Protocol on 10.11.1.227:139/tcp matches netbios-session - banner:

amap v5.4 finished at 2020-04-25 21:40:29

nmap

image

Quick Scan

Scan all ports with the default set of scripts, using a SYN scan for faster run time

# Quick scan: every TCP port (0-65535), default NSE scripts (-sC), SYN scan (-sS,
# requires root). -oA writes normal, grepable and XML output under the basename "sandbox".
target=sandbox.local
nmap -sC -sS -p0-65535 "$target" -oA sandbox

Identify Services

# Service identification: default scripts plus version detection. -Pn skips host
# discovery (the host is treated as up) and --disable-arp-ping avoids ARP probes.
target=10.1.11.17
out_base="./${target}/scans/${target}.quick"
nmap -sC -sV -Pn --disable-arp-ping "$target" -oA "$out_base"

Identify OS

# Aggressive scan (-A: OS detection, version detection, default scripts, traceroute).
# <ip> is a placeholder to substitute, not a literal argument.
nmap -A <ip>
# OS discovery over SMB on 139/445. NOTE(review): unsafe=1 is the SMB library's switch
# for checks that may crash the target service; smb-os-discovery does not appear to
# use it, so it is likely harmless here — confirm before running against production hosts.
nmap -p 139,445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.11.1.227

Favorite scans

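# Favourite per-host nmap recipe: one target, one output directory, every run
# written with -oA (.nmap/.gnmap/.xml under the same basename).
# Fixes over the original notes: mkdir -p (a re-run no longer fails on an existing
# directory), a single -oA per run, the duplicated vuln-script line removed, and no
# mid-recipe re-assignment of IP (that pointed the UDP scans at a different host
# whose ./<ip>_scan directory had never been created, so -oA could not write).
IP=10.11.1.11
out_dir="./${IP}_scan"
mkdir -p -- "$out_dir"

# Quick scan to identify OS and some applications
nmap -A -oA "${out_dir}/${IP}_versions" "$IP"

# Top 1000 ports (nmap's default port set), default scripts + version detection.
# The original passed -oA twice ("-oA tcp" and the per-host path); only one is kept.
nmap -sC -sV -vv -oA "${out_dir}/${IP}_top1000" "$IP"

# All ports, identify service versions, run all vuln scripts.
# -T5 is the most aggressive timing template and can drop results on slow links.
# -oA already produces the normal-format file, so the extra "-oN nmap-versions"
# (a duplicate normal-output file) is not needed.
nmap -T5 -n -sC -sV -p- --script='*vuln*' -oA "${out_dir}/${IP}_vuln" "$IP"

# Top 20 / top 100 UDP ports
nmap -sU -vvv --top-ports 20 -oA "${out_dir}/${IP}_udp_top_20" "$IP"
nmap -sU -vvv --top-ports 100 -oA "${out_dir}/${IP}_udp_top_100" "$IP"

# UDP scan of nmap's default port set (without -p- this is not "all UDP ports";
# the basename is kept for compatibility with the original notes).
nmap -sU -oA "${out_dir}/${IP}-udp-fast" "$IP"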

All Ports TCP and UDP

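# All TCP and UDP ports for one host, output under ./<ip>_scan.
IP="10.11.1.146"
out_dir="./${IP}_scan"
mkdir -p -- "$out_dir"

# TCP: SYN scan of ports 0-65535 with default scripts (-sS requires root).
nmap -sC -sS -p0-65535 -oA "${out_dir}/${IP}_tcp-all-ports" "$IP"

# UDP: all ports, light version probing (--version-intensity 0). The original line
# was missing -oA in front of the output path (nmap would have read it as a target
# name) and combined -p- with -F, which contradict each other (-F restricts the scan
# to the 100 most common ports); -F is dropped so -p- takes effect.
nmap -sUV -p- -T4 --version-intensity 0 -oA "${out_dir}/${IP}_udp-all-ports" "$IP"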

Parse nmap grepable (-oG/.gnmap) output

I use the ultimate nmap parser for this https://raw.githubusercontent.com/shifty0g/ultimate-nmap-parser/master/ultimate-nmap-parser.sh

# gparse is provided by ultimate-nmap-parser; with --tcp it reads the .gnmap file
# and (judging by the next line) leaves the open TCP ports in ports_tcp.txt.
gnmap_file=10.11.1.227.gnmap
gparse "$gnmap_file" --tcp
cat ports_tcp.txt

Scan for SMB

# nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
# grep "netbios-ssn/" smb.txt  | grep "open" | awk '{ print $2 }' | sort | uniq > smb-ips.txt


# nmap -p 139,445 --script=smb-vuln* --script-args=unsafe=1 -iL smb-ips.txt -oG smb_scan.txt

# nmap -p 139,445 --script=smb-vuln* --script-args=unsafe=1 -oA 10.1.1.227_smb 10.1.1.227

[root@kali:~/labs/boxes/10.11.1.227/scans]# nmap -p 139,445 -T4 -n -sC -sV -oN nmap-versions --script='smb-vuln*' 10.11.1.227
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-25 21:38 EDT
Nmap scan report for 10.11.1.227
Host is up (0.039s latency).

PORT    STATE SERVICE      VERSION
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows 2000 microsoft-ds
Service Info: OSs: Windows, Windows 2000; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_2000

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|

Identify SMB Version manually

See screenshot image

List SMB Shares

# Anonymous share listing (-N: no password prompt). Unquoted, bash turns \\\\host into
# \\host before smbclient sees it; the single-quoted variable below yields the same argv.
smb_host='\\10.11.1.31'
smbclient -N -L "$smb_host"
# Same listing with the dialect pinned to SMB3 (-m). NOTE(review): -L normally takes
# a host only; the \wwwroot suffix is kept exactly as in the original notes — confirm
# it is intended rather than a leftover from a share-connection command.
smbclient -N -L "${smb_host}"'\wwwroot' -m SMB3

Mount SMB Share

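# Mount the wwwroot share at /mnt/10.11.1.31 (needs root). The original used
# "mkdir dir && mount ...": once the mount point exists from an earlier session,
# mkdir fails and the && skips the mount entirely. mkdir -p keeps the chain working
# on re-runs; the duplicated bare mount line is folded into the single mount below.
share='//10.11.1.31/wwwroot'
mount_point='/mnt/10.11.1.31'
mkdir -p -- "$mount_point" && mount -v -t cifs "$share" "$mount_point"

# Detach the share when finished
umount -- "$mount_point"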

masscan

top 100 ports entire subnet - TCP

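# masscan of the top-100 TCP ports across the /24, results captured to a file.
# The original had the "> file" redirect on its own line, which creates an empty
# file and lets the scan output go to the terminal; it belongs on the command line.
ports='7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157'
raw_out=masscan_top100_entire_subnet.txt
final_out=final_lab_open_ports.txt

masscan -p"$ports" 10.11.1.0/24 --rate=1000 -e tun0 --router-ip 10.11.0.1 > "$raw_out"

# Strip masscan's "Discovered open port " prefix in place so each line becomes
# "<port>/<proto> on <ip>"; then emit "<ip> <port>/<proto>" ordered by the last
# two octets of the address.
sed -i 's|Discovered open port ||g' "$raw_out"
awk '{ print $3 , $1}' "$raw_out" | sort -t . -k 3,3n -k 4,4n > "$final_out"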

Top 100 ports entire subnet - TCP/UDP

# masscan of the top-100 TCP ports plus the top UDP ports (U: prefix) across the /24.
ports='7,9,13,21-23,25-26,37,53,79-81,88,106,110-111,113,119,135,139,143-144,179,199,389,427,443-445,465,513-515,543-544,548,554,587,631,646,873,990,993,995,1025-1029,1110,1433,1720,1723,1755,1900,2000-2001,2049,2121,2717,3000,3128,3306,3389,3986,4899,5000,5009,5051,5060,5101,5190,5357,5432,5631,5666,5800,5900,6000-6001,6646,7070,8000,8008-8009,8080-8081,8443,8888,9100,9999-10000,32768,49152-49157,U:2-3,U:7,U:9,U:13,U:17,U:19-23,U:37-38,U:42,U:49,U:53,U:67-69,U:80,U:88,U:111-113,U:120,U:123,U:135-139,U:158,U:161-162,U:177,U:192,U:199,U:207,U:217,U:363,U:389,U:402,U:407,U:427,U:434,U:443,U:445,U:464,U:497,U:500,U:502,U:512-515,U:517-518,U:520,U:539,U:559,U:593,U:623,U:626,U:631,U:639,U:643,U:657,U:664,U:682-689,U:764,U:767,U:772-776,U:780-782,U:786,U:789,U:800,U:814,U:826,U:829,U:838,U:902-903,U:944,U:959,U:965,U:983,U:989-990,U:996-1001,U:1007-1008,U:1012-1014,U:1019-1051,U:1053-1060,U:1064-1070,U:1072,U:1080-1081,U:1087-1088,U:1090,U:1100-1101,U:1105,U:1124,U:1200,U:1214,U:1234,U:1346,U:1419,U:1433-1434,U:1455,U:1457,U:1484-1485,U:1524,U:1645-1646,U:1701,U:1718-1719,U:1761,U:1782,U:1804,U:1812-1813,U:1885-1886,U:1900-1901,U:1993,U:2000,U:2002,U:2048-2049,U:2051,U:2148,U:2160-2161,U:2222-2223,U:2343,U:2345,U:2362,U:2967,U:3052,U:3130,U:3283,U:3296,U:3343,U:3389,U:3401,U:3456-3457,U:3659,U:3664,U:3702-3703,U:4000,U:4008,U:4045,U:4444,U:4500,U:4666,U:4672,U:5000-5003,U:5010,U:5050,U:5060,U:5093,U:5351,U:5353,U:5355,U:5500,U:5555,U:5632,U:6000-6002,U:6004,U:6050,U:6346-6347,U:6970-6971,U:7000,U:7938,U:8000-8001,U:8010,U:8181,U:8193,U:8900,U:9000-9001,U:9020,U:9103,U:9199-9200,U:9370,U:9876-9877,U:9950'
raw_out=masscan_top100_entire_subnet_tcp_udp.txt
final_out=final_lab_open_ports_tcp_udp.txt

masscan -p"$ports" 10.11.1.0/24 --rate=1000 -e tun0 --router-ip 10.11.0.1 > "$raw_out"

# Drop the "Discovered open port " prefix in place, then write "<ip> <port>/<proto>"
# ordered by the last two octets, and finally the distinct addresses on their own.
sed -i 's|Discovered open port ||g' "$raw_out"
awk '{ print $3 , $1}' "$raw_out" | sort -t . -k 3,3n -k 4,4n > "$final_out"
awk '{ print $1 }' "$final_out" | sort -u  > unique_ips.txt

whatweb

[root@kali:~/labs/boxes/10.11.1.227/scans]# whatweb yahoo.com
http://yahoo.com [301 Moved Permanently] Content-Language[en], Country[UNITED STATES][US], HTTPServer[ATS], IP[98.137.246.8], RedirectLocation[https://yahoo.com/], X-Frame-Options[SAMEORIGIN]
https://yahoo.com/ [301 Moved Permanently] Content-Language[en], Country[UNITED STATES][US], HTTPServer[ATS], IP[72.30.35.9], RedirectLocation[https://www.yahoo.com/], Strict-Transport-Security[max-age=31536000], UncommonHeaders[expect-ct,referrer-policy,x-content-type-options], X-Frame-Options[SAMEORIGIN], X-XSS-Protection[1; mode=block]
https://www.yahoo.com/ [200 OK] Cookies[autorf], Country[UNITED STATES][US], HTML5, HTTPServer[ATS], IP[98.138.219.231], Open-Graph-Protocol[458584288257241], OpenSearch[https://search.yahoo.com/opensearch.xml], Script[application/json,application/json>,text/javascript,text/javascript>,text/x-safeframe], Strict-Transport-Security[max-age=31536000], Title[Yahoo], UncommonHeaders[accept-ch,accept-ch-lifetime,x-content-type-options,referrer-policy,content-security-policy,expect-ct], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge], X-XSS-Protection[1; mode=block]