Cheat sheet for OSCP
Reconnaissance
Nmap commands for port scan
The two nmap scans below find the TCP ports open on the server. The SYN scan (-sS, needs root) is faster; the connect scan (-sT) is a little slower but works without privileges. Keep a space between -T4 and --min-rate: in the connect-scan output below the missing space made nmap accept "-T4--min-rate" as the timing option and scan "10000" as a second target.
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.58 (faster)
nmap -sT -p- -Pn -T4 --min-rate 10000 -oN alltcp1.txt 10.10.10.58 (little slower)
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.58 1 ⨯
[sudnmap -sT -p- -Pn -T4--min-rate 10000 -oN alltcp1.txt 10.10.10.58o] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:43 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.10% done; ETC: 19:43 (0:00:09 remaining)
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds
┌──(rocky㉿kali)-[~/hckbox]
└─$ nmap -sT -p- -Pn -T4--min-rate 10000 -oN alltcp1.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:43 EDT
Stats: 0:01:01 elapsed; 0 hosts completed (2 up), 2 undergoing Connect Scan
Connect Scan Timing: About 28.70% done; ETC: 19:47 (0:02:32 remaining)
Nmap scan report for 10000 (0.0.39.16)
Host is up.
All 65535 scanned ports on 10000 (0.0.39.16) are filtered
Nmap scan report for 10.10.10.58
Host is up (0.045s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp
Nmap done: 2 IP addresses (2 hosts up) scanned in 163.89 seconds
For UDP ports use this command. A UDP port that never answers is reported as open|filtered, so a result like the one below (all 65535 ports open|filtered) means the scan learned nothing about the host.
sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.58
$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.58 1 ⨯
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:57 EDT
Nmap scan report for 10.10.10.58
Host is up.
All 65535 scanned ports on 10.10.10.58 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 13.90 seconds
Nmap vulnerability scan
Run the nmap default scripts and version detection (-sC -sV) only against the ports identified above; this is much faster than running them against all ports from the start.
nmap -Pn -p 22,3000 -sC -sV -oN details.txt 10.10.10.58
nmap -Pn -p 22,3000 -sC -sV -oN details.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 20:04 EDT
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info:
|_ Logs: /login
| hadoop-tasktracker-info:
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.37 seconds
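The two stages above (full-port scan, then -sC -sV only on the ports found) can be chained so the second stage reads its port list from the first stage's -oN file. The script below is an added example and is not part of the original cheat sheet; the target, the output file names and the two embedded sample scan outputs are constructed, and the parser treats only STATE "open" as a hit, so an all-open|filtered UDP result like the one shown earlier yields an empty list instead of 65535 ports.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: chain the full-port scan
# with a targeted -sC -sV scan and parse open ports out of an nmap -oN file.
# Target, file names and the sample scan text below are constructed placeholders.

# Constructed sample of an -oN file, shaped like the all-TCP scan output above.
SAMPLE_TCP='# Nmap 7.91 scan initiated (constructed sample)
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
3000/tcp open  ppp
Nmap done: 1 IP address (1 host up) scanned in 13.50 seconds'

# Constructed sample of a UDP scan where nothing answered: every port is
# "open|filtered", which is a non-result rather than a list of open ports.
SAMPLE_UDP='Nmap scan report for 10.10.10.58
Host is up.
All 65535 scanned ports on 10.10.10.58 are open|filtered
Nmap done: 1 IP address (1 host up) scanned in 13.90 seconds'

# open_ports FILE: print the ports whose STATE is exactly "open", comma-separated
# (e.g. "22,3000"). "open|filtered" lines are deliberately skipped.
open_ports() {
  awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
         split($1, f, "/"); printf "%s%s", sep, f[1]; sep = ","
       }
       END { print "" }' "$1"
}

# recon TARGET: stage 1 full TCP port scan, stage 2 scripts/version on hits only.
# Note the space before --min-rate: "-T4--min-rate" is accepted as -T4 and the
# rate value then becomes an extra target (see the connect-scan output above).
recon() {
  target=$1
  # SYN scan needs raw sockets (root); fall back to a connect scan otherwise.
  if [ "$(id -u)" -eq 0 ]; then scan=-sS; else scan=-sT; fi
  nmap "$scan" -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt "$target" || return 1
  ports=$(open_ports alltcp.txt)
  if [ -z "$ports" ]; then
    echo "no open TCP ports in alltcp.txt; nothing to enumerate" >&2
    return 1
  fi
  nmap -Pn -p "$ports" -sC -sV -oN details.txt "$target"
}

# Usage: sh recon.sh 10.10.10.58 (runs nmap). With no argument only the
# functions are defined, so open_ports can be exercised on the samples.
if [ "$#" -gt 0 ]; then
  recon "$1"
fi
```

Running it with a target argument performs both nmap stages; sourcing it without arguments leaves only the functions defined, which is how the parser can be checked against saved -oN files before pointing it at a live host.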
Directory scan
Gobuster scan with the output written to a file (useful when many directories are found)
gobuster dir -u http://10.10.10.58:3000/ -w /usr/share/wordlists/dirb/common.txt -o directory.txt
Look for files with specific extensions
gobuster dir -u http://10.10.10.10 -w /usr/share/directorywordlist -x php,css,html,sh,py,js,cgi,txt
To show only specific status codes use the -s flag (in gobuster 3.1 and later -s conflicts with the default 404 blacklist, so also pass -b "")
gobuster dir -u http://10.10.10.81 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -s "200,204,301,302,307,401,403" -b ""
To hide the banner and the status column use -q and -n