OSCP Cheatsheet

Basic Scans

Nmap

Do the following

  1. Ping sweep first

sudo nmap <IP Address>/<Subnet> -oN network.nmap

  2. Scan top 100 TCP ports

nmap -sV -sC -sT -T4 -A --top-ports=100 --open -Pn -oN target.tcp <Target IP Address>

  3. Scan all ports

nmap -sV -sC -sT -T4 -A -p- --open -Pn -oN target.fullnmap <Target IP Address>

  4. Scan top 100 UDP ports (UDP scans need raw sockets, hence sudo)

sudo nmap -sV -sC -sU -T4 --top-ports=100 --open -Pn -oN target.udp <Target IP Address>

Network Scan

The following command scans the entire network and saves normal output to network.nmap

sudo nmap <IP Address>/<Subnet> -oN network.nmap

Port Scan

The following command scans the top 100 ports of a specific IP address

sudo nmap --top-ports=100 <IP Address> -Pn -oN target.openmap

The following command scans all 65535 TCP ports of a specific IP address, showing only open ports

sudo nmap -p- --open <IP Address> -Pn -oN target.nmap

The following command scans the top 100 ports of a specific IP address aggressively and writes the open ports to target.fullmap. It does OS detection, version detection, script scanning and traceroute (-A).

sudo nmap -sT -T4 -A --top-ports=100 --open <IP Address> -Pn -oN target.fullmap

The following command scans all ports of a specific IP address aggressively and writes the open ports to target.fullmap. It does OS detection, version detection, script scanning and traceroute (-A).

sudo nmap -sT -T4 -A -p- --open <IP Address> -Pn -oN target.fullmap

The following command scans all ports of a specific IP address aggressively using a SYN (half-open, -sS) scan instead of a full TCP connect, with very verbose output, showing only open ports

sudo nmap -sS -vv -T4 -A -p- --open <IP Address> -Pn -oN nmap.fullmap

Vulnerability Scan

The following command identifies the services and versions running on the given ports, then runs the NSE scripts in the "vuln" category against them

sudo nmap -sV -p <Ports> --script "vuln" <IP Address>

UDP Scan

The following command scans the top 100 UDP ports of a specific IP address and writes the output to target.udp

sudo nmap -sU --top-ports=100 -vvv <IP Address> -oN target.udp

S1REN Scan

The following performs the S1REN scan on a specific IP address (default scripts and version detection on all ports, no DNS resolution, no host discovery, at least 2000 packets per second) and writes the output to target.s1ren

sudo nmap -sC -sV -p- -n -Pn --open --min-rate 2000 <IP Address> -oN target.s1ren
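The scans above are usually run in two phases: a fast all-ports sweep first, then the slow -sV -sC scripts only against the ports that turned out to be open. The following POSIX sh script chains those phases together; it is an added example, not part of the original cheatsheet. It parses nmap's grepable output (-oG, a real nmap output format not used on the page) from the all-ports scan, extracts the open ports as the comma-separated list that -p expects, and builds the follow-up service scan command. The function names, the target address 10.10.10.5 and the sample grepable output are constructed for the example, so it runs offline without nmap.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): turn the all-ports scan
# into a targeted service scan by parsing nmap grepable (-oG) output.
# The all-ports scan would be run as:
#   sudo nmap -p- --open -Pn -oG target.gnmap <IP Address>
# Everything below is offline: the grepable output is constructed inline.

# Print the open port numbers in an -oG file as a comma-separated list,
# which is the form nmap's -p option expects. Only "open" is kept;
# "filtered" and "open|filtered" entries are dropped. Each port entry in
# a grepable "Ports:" field looks like port/state/proto/owner/service/rpc/version/
open_ports() {
    gnmap="$1"
    grep '^Host:' "$gnmap" | grep 'Ports:' \
        | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
        | tr ',' '\n' \
        | awk -F/ '$2 == "open" { print $1 }' \
        | tr -d ' ' \
        | sort -n -u \
        | paste -s -d ',' -
}

# Build the follow-up scan command (default scripts + version detection,
# no host discovery, normal output to <ip>.services) for the open ports.
# Returns 1 when the file shows no open ports, so a caller can stop early.
service_scan_cmd() {
    target="$1"
    ports=$(open_ports "$2")
    [ -n "$ports" ] || return 1
    printf 'nmap -sV -sC -p %s -Pn -oN %s.services %s\n' "$ports" "$target" "$target"
}

# Constructed sample: what "nmap -p- --open -oG target.gnmap 10.10.10.5"
# would write for a host with SSH, HTTP and SMB open and 8080 filtered.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
printf 'Host: 10.10.10.5 ()\tStatus: Up\n' > "$SAMPLE"
printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)\n' >> "$SAMPLE"

# Prints: nmap -sV -sC -p 22,80,445 -Pn -oN 10.10.10.5.services 10.10.10.5
service_scan_cmd 10.10.10.5 "$SAMPLE"
```

In practice the printed command is what you paste (or eval) as the next step; keeping the port list to confirmed "open" entries avoids spending script-scan time on filtered ports, and the non-zero return when nothing is open stops a wrapper loop from launching an empty -p scan.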