Hacking the OSCP: Recon
As I start moving my notes from Notion to Obsidian in order to reduce the chance of losing access to them on exam day, I thought I’d share the initial recon process I’ve been using to work through boxes in the lab. If you’re like me, you occasionally find yourself hitting a wall; falling back on a repeatable process will usually uncover the foothold(s) you need to climb over it.
That said - as I stated in my original “Hacking the OSCP” blog post: there is no substitute for practice. Or doing the exercises. Or spending some time reading through chapters on content you’re less familiar with. The notes shared in this post represent the most useful and repeatable steps within my process - but are by no means comprehensive. Doing the work is the only way to truly build the habits and confidence you need in order to be successful.
Please note that in a real-world setting you’ll want to use rate limiting and timeouts judiciously, whereas such things are mostly absent in my scripts below. You wouldn’t want to accidentally consume all of an application’s resources by hitting it with a fire hose on a real pentest 😅
Enumerate the Network
On my first day in the labs I decided it would be good to take stock of how boxes in the public network responded to the tools I like to use for network scanning - masscan and nmap. I figure that I will need to do this immediately after starting the exam, so getting into the habit of enumerating the network for “signs of life” comes first. You can do this with one of a handful of commands:
masscan against specific ports:
sudo masscan -p<port1>,<port2> <ip address/range>
masscan against a range of ports:
sudo masscan -p<port1>-<portN> <ip address/range>
nmap to find which IPs are responding:
nmap -v -sn <firstip-range> -oG output.txt && grep output.txt | cut -d " " -f 2
nmap against specific ports:
nmap -p port1,port2 -oX output.xml <firstip-range>
nmap against a range of ports:
nmap -p 1-65535 -oX output.xml <firstip-range>
nmap against top ports:
nmap --top-ports=<Top-N ports> -oX output.xml <firstip-range>
There are of course other flags you can use with both masscan and nmap to add rate limiting, specify interface and router IP addresses, change the output format, specify the protocol, modify the TCP handshake, and set the timeout. Picking up a copy of the Red Team Field Manual and adding some tabs for quick reference would be worthwhile if you want to have these details at-hand.
Enumerating an individual IP
Once I’ve identified targets that are responding on the network, I usually dive into performing a more thorough nmap scan, along with running several of the nmap scripting engine scripts based on what the thorough scan finds. More on that later. Anyway, my go-to nmap one-liner for scanning a single IP usually involves aliasing IP to the target address and then running:
nmap -vvv -p- -sV --reason --open -oX tcp-version-detection.xml $IPsudo nmap -vvv -p- -sU -sS -oX udp-version-detection.xml $IP
Note that you may need to add the -Pn flag if the box is unresponsive with the above commands. After the first command completes I then usuallyx run the following two lines in order to open the output in a nice, readable table that I can screenshot and add to my Mind Map:
xsltproc tcp-version-detection.xml -o tcp-version-detection.htmlchromium tcp-version-detection.html
Once complete, I usually have a good sense of the services running on the box. At this point I can begin identifying several attack vectors, and will further enumerate a few key services before I start actively searching for exploits.
How to support this content: If you find this post useful, enjoyable, or influential (and have the coin to spare) - you can support the content I create via Patreon.️ Thank you to those who already support this blog! 😊 And now, back to that content you were enjoying! 🎉
Enumerating FTP (21 / 69)
When I see FTP (or TFTP) open on a box, I usually perform a couple of quick checks and make quick notes in my mind map if they are successful. FTP alone isn’t usually enough to get a foothold on a box - but knowing that I can upload files might allow me to place executables or scripts that allow me to gain access. Likewise, if I can download files I might be able to gain additional intel that leads to exploitation.
Checking if FTP is reachable:
ftp $IP
Default credentials:
anonymous / anonymous
If login is successful, what system am I running on?
system
What current directory am I in?
pwd
Can I upload files?
put FILENAME_FROM_MY_CURRENT_DIR.ext
Can I download files?
get FILENAME.ext
If it’s TFTP, can nmap find anything interesting?
sudo nmap -n -Pn -sU -oN tftp.txt -p 69 -sV --script tftp-enum $IP
Enumerating SMB (139 / 445)
Seeing SMB open is usually a reason to celebrate, as it can reveal quite a lot about the system you are attempting to hack into (if it’s not secured). I usually start by running a few scripts from the nmap scripting engine to kick things off and determine if there are any “easy wins” available to me. The 3 commands I run are usually:
OS Discovery
nmap -vvv -p 139,445 -oG smb-os.txt --script=smb-os-discovery $IP
SMB Enumeration
nmap -vvv -p 139,445 -oG smb-enum.txt --script=smb-enum* $IP
and Vulnerability Discovery
nmap -vvv -p 139,445 -oG smb-vulns.txt --script=smb-vuln* $IP
After that I usually try to enumerate SMB shares by using the following command:
smbclient -L $IP -U <user>- Default credentials are guest / guest or sometimes guest / -blank-
Then I try connecting to the SMB share:
smbclient //<ip-addr>/ShareName -U <user>
Or mount the SMB share(s) locally:
sudo mkdir /mnt/share_namesudo mount -t cifs -o port=445 //$IP/<share> -o username=<username,password=<password> /mnt/share_name
Enumerating port 111
While less commonly something I look for, port 111 can sometimes uncover highly valuable information - whether from Network File Shares (NFS), Linux OS information, or other vulnerable services - such as RPC. One of the first things I try is the trusty nmap scripting engine.
Scanning for rpcinfo:
nmap -sV -p 111 --script=rpcinfo $IP
You can also try mounting the NFS locally
sudo mount -o nolock <ip addr>:/home ~/path/to/dirsudo mount -o nolock <ip addr>:/home ${PWD}
If successful, try reading file ownership in the directory
ls -laR
From here you can get really clever and try spoofing a username with permissions to read the files in the mounted directory. It doesn’t always work - but when it does you can usually find interesting things from the directory’s contents, which can lead to further opportunities for exploitation and gaining a foothold later.
How to support this content: If you find this post useful, enjoyable, or influential (and have the coin to spare) - you can support the content I create via Patreon.️ Thank you to those who already support this blog! 😊 And now, back to that content you were enjoying! 🎉
Enumerating Web Apps (80 / 443)
Probably my favorite - and most extensive - enumeration process involves web applications. When my initial scan report shows a web application is available on my target, I kick-off at least three command line tools before browsing through the page. The command line tools I run are as follows:
Nikto
nikto -host=https://<web-address> -maxtime=60m -o <filename>
Dirb
dirb http://<site-address> -z 10 -o filename
Gobuster (via my own bash script concoction from bug bounty hunting)
gobustr http://$IP:$PORT
FFuF
ffuf -c -w wordlist.txt -u http://<$IP>/FUZZ -recursion -recursion-depth 2
While these three commands run in a screen session on one monitor, on a second monitor I manually walk the website using Firefox to capture interesting information in Burp Suite Sometimes you’ll find useful information directly on the page itself - like version information, login portals, of even file types and how the URI is written. I will also periodically check my command line tools for interesting directories and files they’ve identified, then manually browse to those as well.
I will likely write a follow-up post on my web application hacking process at a future date, as there’s a lot more additional work that goes into determining areas for exploitation like file inclusion, SQL Injection, admin portals, Wordpress or Drupal pages, etc.
Identifying Exploits
When it comes to searching for exploits, I keep it simple and usually resort to using searchsploit. That said, there are a couple of commands worth keeping in your back pocket to make this process easier:
Filtering out DoS results:
searchsploit $App $Version | grep -vE '/dos/'
Including exploit-db links
searchsploit -w $App $Version
Copying the exploit to your current directory
searchsploit -m $Vulnerability_Number_from_Search
Beyond that, I will usually move on to search engines like Google where I will look for something along the lines of “Exploiting $App $Version” and discover either HackTheBox guides that walk through exploiting similar systems, or find vulnerability information from esoteric forum and messaging board posts.
Mind Map Everything
Finally - and most importantly - I am mind mapping all of the information I’m gathering throughout this process. I usually lean on a snapshot tool called Flameshot to capture the table of open ports, interesting website information, and a list of possible exploits. I then drop this information into XMind nodes associated with the current target I’m working on.
Once I’ve gathered details about my target, I then move on to prioritizing which exploit paths are most likely to gain a successful foothold - but I’ll share more about that in a future blog post 😉
As always, thanks again for stopping by to read my pseudo-random musing 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or go back and read my original “Hacking the OSCP” blog post for life lessons that the OSCP can’t teach you.
Until next time, remember to git commit && stay classy!
Cheers,
Keith // securingdev
If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!