OSCP Cheatsheet

TCP: HTTP(S) - 80 / 443

NOTE: Remember to add the target to /etc/hosts if the site redirects to a hostname (for example a virtual host) that does not resolve; otherwise browsers and scanners follow the redirect to nothing

NOTE: While waiting for the scans to complete, work through the site manually

  • Attempt weak or default credentials on any login feature found

  • Look for user input fields (candidates for injection)

  • Look for file upload fields

  • Review the HTML source of every page (comments, hidden fields, JavaScript includes, version strings)

Interesting Files

Request these at the web root first; they list paths the owner chose to publish or to hide from crawlers, which are exactly the ones worth visiting

robots.txt

sitemap.xml
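Both files are only useful if their entries are fed back into the scans that follow. The script below is an added example, not part of the original cheatsheet: it parses a robots.txt and a sitemap.xml into a deduplicated seed wordlist for gobuster or ffuf, keeping commented-out Disallow lines (often retired but still-deployed content) and expanding every parent directory. The robots.txt, sitemap.xml and the host 10.10.10.10 are constructed sample data, not real target output.

```python
"""Added example (not from the original cheatsheet): turn robots.txt and
sitemap.xml into a seed wordlist for gobuster/ffuf.
ROBOTS_TXT, SITEMAP_XML and the host 10.10.10.10 are constructed samples."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed robots.txt: Disallow lines are the interesting ones, since
# admins list exactly the paths they do not want indexed.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql.bak
Allow: /public/
Sitemap: http://10.10.10.10/sitemap.xml
# Disallow: /old-cms/
"""

# Constructed sitemap.xml in the sitemaps.org namespace.
SITEMAP_XML = """\
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://10.10.10.10/</loc></url>
  <url><loc>http://10.10.10.10/login.php</loc></url>
  <url><loc>http://10.10.10.10/uploads/report.pdf</loc></url>
  <url><loc>http://10.10.10.10/admin/</loc></url>
</urlset>
"""


def parse_robots(text):
    """Return (paths, sitemaps) from robots.txt.

    Allow and Disallow entries are both kept: either way the path exists.
    Commented-out directives are kept too, because they often point at
    retired but still-deployed content. Wildcards (* and $) are stripped
    so each result is usable as a literal path."""
    paths, sitemaps = [], []
    for line in text.splitlines():
        line = line.lstrip("# ").strip()  # un-comment commented directives
        m = re.match(r"(?i)^(allow|disallow|sitemap)\s*:\s*(\S+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "sitemap":
            sitemaps.append(value)
        else:
            paths.append(re.sub(r"[*$]", "", value))
    return paths, sitemaps


def parse_sitemap(xml_text):
    """Return the URL paths listed in a sitemap.xml (url/loc elements)."""
    ns = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}
    root = ET.fromstring(xml_text)
    return [urlsplit(loc.text.strip()).path for loc in root.findall(".//sm:loc", ns)]


def seed_wordlist(robots_txt, sitemap_xml):
    """Merge both sources into unique entries without leading/trailing slashes,
    the form gobuster and ffuf expect (they prepend their own '/').
    Every parent directory is included, so /backup/db.sql.bak also yields 'backup'."""
    paths, _ = parse_robots(robots_txt)
    paths += parse_sitemap(sitemap_xml)
    words = set()
    for p in paths:
        parts = [s for s in p.split("/") if s]
        for i in range(1, len(parts) + 1):
            words.add("/".join(parts[:i]))
    return sorted(words)


if __name__ == "__main__":
    # Save this output to seeds.txt and pass it with: gobuster dir -w seeds.txt ...
    for w in seed_wordlist(ROBOTS_TXT, SITEMAP_XML):
        print(w)
```

Run the seed list before the large generic wordlists: it is small, target-specific, and turns up directories (here admin, backup, old-cms, uploads) that generic lists may not contain.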

Directory Enumeration

GoBuster

  • HTTP - Port 80

The following command brute forces web directories and files against a target IP. -b 400,401,404 hides those status codes, -t 42 sets the thread count, -f appends a trailing slash to every request and -o writes the results to a file

gobuster dir -u http://<IP Address>/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 42 -b 400,401,404 -f -o <>.gobuster

The following command does the same but also tries each word with the listed file extensions (-x). Note that -f appends a slash to every request, so extension probes become word.php/ and can be missed; consider dropping -f when using -x

gobuster dir -u http://<IP Address>/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster

The following command runs a more thorough brute force using the much larger directory-list-2.3-medium wordlist, again appending common web file extensions

gobuster dir -u http://<IP Address>/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster
  • HTTPS - Port 443

The following commands brute force directories and files over HTTPS, trying multiple file extensions; -k skips TLS certificate verification, which is needed for the self-signed certificates common on lab targets. The second command uses the larger directory-list-2.3-big wordlist

gobuster dir -u https://<IP Address>/ -k -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster
gobuster dir -u https://<IP Address>/ -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,xml,asp,aspx -t 42 -b 400,401,404 -f -o <>.gobuster

Dirb

dirb is a simpler CLI alternative to GoBuster (not to be confused with OWASP DirBuster, the Java GUI tool). With no wordlist argument it uses its bundled /usr/share/dirb/wordlists/common.txt

dirb http://<IP Address>/

Fuzz Faster U Fool (FFUF)

The following command brute forces directories and files at the web root using FFUF. FUZZ marks where each wordlist entry is substituted and -c colourises the output. Add -e .php,.txt to test extensions (the equivalent of gobuster's -x), and -fc / -mc to filter or match on status codes when the defaults let junk through

ffuf -c -u http://<IP Address>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
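Several of the commands above write gobuster results to separate .gobuster files (one per wordlist or port), and the next job is to merge and triage them. The script below is an added example, not part of the original cheatsheet: it parses gobuster's plain-text -o output, unions several runs by path, groups hits by status code, and flags the failure mode that wastes the most time, a catch-all page that returns 200 with the same body size for every unknown name (a "soft 404"), which is what gobuster's --exclude-length option exists for. The two result sets and the host 10.10.10.10 are constructed samples in gobuster v3 output format, not real scan output.

```python
"""Added example (not from the original cheatsheet): merge and triage the
plain-text result files written by gobuster's -o option.
SCAN_BIG and SCAN_MEDIUM are constructed samples in gobuster v3 format."""
import re
from collections import Counter, defaultdict

# Constructed: results of a big.txt run and a directory-list run against the same host.
SCAN_BIG = """\
/images               (Status: 301) [Size: 315] [--> http://10.10.10.10/images/]
/index.php            (Status: 200) [Size: 10701]
/server-status        (Status: 403) [Size: 278]
/products.php         (Status: 200) [Size: 512]
/about.php            (Status: 200) [Size: 512]
"""
SCAN_MEDIUM = """\
/images               (Status: 301) [Size: 315] [--> http://10.10.10.10/images/]
/uploads              (Status: 301) [Size: 316] [--> http://10.10.10.10/uploads/]
/backup.php           (Status: 200) [Size: 512]
/admin                (Status: 401) [Size: 460]
/team.php             (Status: 200) [Size: 512]
"""

# One gobuster result line: path, status, size and an optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<redirect>\S+)\])?"
)


def parse_gobuster(text):
    """Yield (path, status, size, redirect) per result line; progress and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["path"], int(m["status"]), int(m["size"]), m["redirect"]


def merge_results(*outputs):
    """Union several gobuster output files, keyed by path so duplicates collapse."""
    merged = {}
    for text in outputs:
        for path, status, size, redirect in parse_gobuster(text):
            merged[path] = (status, size, redirect)
    return merged


def triage(merged, soft404_threshold=3):
    """Group findings by HTTP status and flag a likely catch-all page.

    If several 200 responses share one body size, the server is probably
    serving the same page for unknown names (a soft 404); re-run gobuster
    with --exclude-length <size> for each flagged size."""
    by_status = defaultdict(list)
    for path, (status, _, _) in sorted(merged.items()):
        by_status[status].append(path)
    sizes = Counter(size for status, size, _ in merged.values() if status == 200)
    suspect_sizes = sorted(s for s, n in sizes.items() if n >= soft404_threshold)
    return dict(by_status), suspect_sizes


if __name__ == "__main__":
    grouped, suspect = triage(merge_results(SCAN_BIG, SCAN_MEDIUM))
    for status in sorted(grouped):  # 401/403 hits are auth or bypass candidates, look at them first
        print(status, grouped[status])
    if suspect:
        print("possible catch-all page; re-run with --exclude-length", ",".join(map(str, suspect)))
```

On the sample data four different .php names all return 200 with 512 bytes, which is the signature of a catch-all handler; the 401 on /admin and the 403 on /server-status are the real leads.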

Vulnerability Scanning

Nmap

The following command scans port 80 and retrieves the HTTP response headers from the web server (server banner, cookies, security headers)

nmap -p80 --script http-headers <IP Address>

The following command scans port 80 and extracts the title of the web page from the HTML response.

nmap -p80 --script http-title <IP Address>

The following command scans port 80, detects the service version (-sV) and looks up known CVEs for the detected software with the vulners NSE script. The script matches on the CPE that -sV produces, so it returns nothing without -sV, and it queries the vulners.com API, so the scanning host needs internet access

nmap -p80 -sV --script vulners <IP Address>

nikto

The following command scans the target web server with Nikto for common vulnerabilities, misconfigurations, outdated software and dangerous files. Nikto is loud and prone to false positives, so confirm its findings manually

nikto -host http://<IP Address>/

wpscan (WordPress Sites)

NOTE: Confirm the target is a WordPress site before running wpscan

  • URL paths include "wp-admin", "wp-content", "wp-login.php" or "wp-includes"
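Those path fragments can be checked from the page source already fetched during the scans above. The script below is an added example, not part of the original cheatsheet: it counts WordPress-specific path fragments in the HTML, requires at least two distinct indicators before calling the site WordPress (one stray "wp-content" string in a non-WordPress page should not trigger a full wpscan run), pulls a version from the generator meta tag or from the ?ver= query strings on wp-includes assets, and lists plugin slugs from /wp-content/plugins/ URLs. The HTML and the host 10.10.10.10 are constructed sample data.

```python
"""Added example (not from the original cheatsheet): decide whether fetched
HTML is a WordPress site and extract a version and plugin slugs before
running wpscan. SAMPLE_HTML and the host 10.10.10.10 are constructed."""
import re
from collections import Counter

SAMPLE_HTML = """\
<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="http://10.10.10.10/wp-content/themes/twentytwentyone/style.css?ver=1.9" />
<link rel="stylesheet" href="http://10.10.10.10/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="http://10.10.10.10/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="http://10.10.10.10/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
<script src="/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.8"></script>
</head><body>
<a href="http://10.10.10.10/wp-login.php">Log in</a>
<img src="/wp-content/uploads/2023/11/logo.png">
</body></html>
"""

# Path fragments that only WordPress installs expose.
WP_PATHS = ("wp-content", "wp-includes", "wp-admin", "wp-login.php", "xmlrpc.php")


def wp_indicators(html):
    """Count occurrences of each WordPress-specific path fragment in the markup."""
    return Counter(p for p in WP_PATHS for _ in re.finditer(re.escape(p), html))


def is_wordpress(html, min_hits=2):
    """Require at least min_hits distinct indicators to avoid a false positive
    from a single stray mention of wp-content in an unrelated page."""
    return len(wp_indicators(html)) >= min_hits


def wp_version(html):
    """Best-effort core version: the generator meta tag if present, otherwise the
    most common ?ver= value on wp-includes assets. Only wp-includes URLs are used
    because theme and plugin assets carry their own version numbers."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html, re.I)
    if m:
        return m.group(1)
    vers = Counter(re.findall(r"/wp-includes/[^\"'\s]*?\?ver=([\d.]+)", html))
    return vers.most_common(1)[0][0] if vers else None


def plugin_slugs(html):
    """Plugin slugs appear in asset URLs as /wp-content/plugins/<slug>/ ."""
    return sorted(set(re.findall(r"/wp-content/plugins/([^/\"'?]+)/", html)))


if __name__ == "__main__":
    if is_wordpress(SAMPLE_HTML):
        print("WordPress", wp_version(SAMPLE_HTML), "indicators:", dict(wp_indicators(SAMPLE_HTML)))
        print("plugins seen in source:", plugin_slugs(SAMPLE_HTML))
        print("next: wpscan --url http://10.10.10.10 --enumerate ap u")
    else:
        print("no WordPress indicators, skip wpscan")
```

The passive plugin list only shows plugins referenced on the fetched page; wpscan's aggressive detection (below) requests plugin directories directly and finds the rest.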

The following command enumerates all plugins (ap) and users (u) on the WordPress site. Without --api-token <token> from wpscan.com, wpscan lists plugins and versions but does not report their known vulnerabilities

wpscan --url http://<IP Address> --enumerate ap u

The following command enumerates popular plugins (p) using aggressive detection, which requests each plugin's directory directly instead of relying only on references found in the page source

wpscan --url http://<IP Address> --enumerate p --plugins-detection aggressive