Hacking the OSCP: Recon

As I start moving my notes from Notion to Obsidian in order to reduce the chance of losing access to them on exam day, I thought I’d share the initial recon process I’ve been using to work through boxes in the lab. If you’re like me, you occasionally find yourself hitting a wall; falling back on a repeatable process will usually uncover the foothold(s) you need to climb over it.

That said - as I stated in my original “Hacking the OSCP” blog post: there is no substitute for practice. Or doing the exercises. Or spending some time reading through chapters on content you’re less familiar with. The notes shared in this post represent the most useful and repeatable steps within my process - but are by no means comprehensive. Doing the work is the only way to truly build the habits and confidence you need in order to be successful.

Please note that in a real-world setting you’ll want to use rate limiting and timeouts judiciously, whereas such things are mostly absent in my scripts below. You wouldn’t want to accidentally consume all of an application’s resources by hitting it with a fire hose on a real pentest 😅

Enumerate the Network

On my first day in the labs I decided it would be good to take stock of how boxes in the public network responded to the tools I like to use for network scanning - masscan and nmap. I figure that I will need to do this immediately after starting the exam, so getting into the habit of enumerating the network for “signs of life” comes first. You can do this with one of a handful of commands:

masscan against specific ports:

  • sudo masscan -p<port1>,<port2> <ip address/range>

masscan against a range of ports:

  • sudo masscan -p<port1>-<portN> <ip address/range>

nmap to find which IPs are responding:

  • nmap -v -sn <firstip-range> -oG output.txt && grep output.txt | cut -d " " -f 2

nmap against specific ports:

  • nmap -p port1,port2 -oX output.xml <firstip-range>

nmap against a range of ports:

  • nmap -p 1-65535 -oX output.xml <firstip-range>

nmap against top ports:

  • nmap --top-ports=<Top-N ports> -oX output.xml <firstip-range>

There are of course other flags you can use with both masscan and nmap to add rate limiting, specify interface and router IP addresses, change the output format, specify the protocol, modify the TCP handshake, and set the timeout. Picking up a copy of the Red Team Field Manual and adding some tabs for quick reference would be worthwhile if you want to have these details at-hand.

Enumerating an individual IP

Once I’ve identified targets that are responding on the network, I usually dive into performing a more thorough nmap scan, along with running several of the nmap scripting engine scripts based on what the thorough scan finds. More on that later. Anyway, my go-to nmap one-liner for scanning a single IP usually involves aliasing IP to the target address and then running:

  • nmap -vvv -p- -sV --reason --open -oX tcp-version-detection.xml $IP
  • sudo nmap -vvv -p- -sU -sS -oX udp-version-detection.xml $IP

Note that you may need to add the -Pn flag if the box is unresponsive with the above commands. After the first command completes I then usuallyx run the following two lines in order to open the output in a nice, readable table that I can screenshot and add to my Mind Map:

  • xsltproc tcp-version-detection.xml -o tcp-version-detection.html
  • chromium tcp-version-detection.html

Once complete, I usually have a good sense of the services running on the box. At this point I can begin identifying several attack vectors, and will further enumerate a few key services before I start actively searching for exploits.

How to support this content: If you find this post useful, enjoyable, or influential (and have the coin to spare) - you can support the content I create via Patreon.️ Thank you to those who already support this blog! 😊 And now, back to that content you were enjoying! 🎉

Enumerating FTP (21 / 69)

When I see FTP (or TFTP) open on a box, I usually perform a couple of quick checks and make quick notes in my mind map if they are successful. FTP alone isn’t usually enough to get a foothold on a box - but knowing that I can upload files might allow me to place executables or scripts that allow me to gain access. Likewise, if I can download files I might be able to gain additional intel that leads to exploitation.

Checking if FTP is reachable:

  • ftp $IP

Default credentials:

  • anonymous / anonymous

If login is successful, what system am I running on?

  • system

What current directory am I in?

  • pwd

Can I upload files?


Can I download files?

  • get FILENAME.ext

If it’s TFTP, can nmap find anything interesting?

  • sudo nmap -n -Pn -sU -oN tftp.txt -p 69 -sV --script tftp-enum $IP

Enumerating SMB (139 / 445)

Seeing SMB open is usually a reason to celebrate, as it can reveal quite a lot about the system you are attempting to hack into (if it’s not secured). I usually start by running a few scripts from the nmap scripting engine to kick things off and determine if there are any “easy wins” available to me. The 3 commands I run are usually:

OS Discovery

  • nmap -vvv -p 139,445 -oG smb-os.txt --script=smb-os-discovery $IP

SMB Enumeration

  • nmap -vvv -p 139,445 -oG smb-enum.txt --script=smb-enum* $IP

and Vulnerability Discovery

  • nmap -vvv -p 139,445 -oG smb-vulns.txt --script=smb-vuln* $IP

After that I usually try to enumerate SMB shares by using the following command:

  • smbclient -L $IP -U <user>
  • Default credentials are guest / guest or sometimes guest / -blank-

Then I try connecting to the SMB share:

  • smbclient //<ip-addr>/ShareName -U <user>

Or mount the SMB share(s) locally:

  • sudo mkdir /mnt/share_name
  • sudo mount -t cifs -o port=445 //$IP/<share> -o username=<username,password=<password> /mnt/share_name

Enumerating port 111

While less commonly something I look for, port 111 can sometimes uncover highly valuable information - whether from Network File Shares (NFS), Linux OS information, or other vulnerable services - such as RPC. One of the first things I try is the trusty nmap scripting engine.

Scanning for rpcinfo:

  • nmap -sV -p 111 --script=rpcinfo $IP

You can also try mounting the NFS locally

  • sudo mount -o nolock <ip addr>:/home ~/path/to/dir
  • sudo mount -o nolock <ip addr>:/home ${PWD}

If successful, try reading file ownership in the directory

  • ls -laR

From here you can get really clever and try spoofing a username with permissions to read the files in the mounted directory. It doesn’t always work - but when it does you can usually find interesting things from the directory’s contents, which can lead to further opportunities for exploitation and gaining a foothold later.

How to support this content: If you find this post useful, enjoyable, or influential (and have the coin to spare) - you can support the content I create via Patreon.️ Thank you to those who already support this blog! 😊 And now, back to that content you were enjoying! 🎉

Enumerating Web Apps (80 / 443)

Probably my favorite - and most extensive - enumeration process involves web applications. When my initial scan report shows a web application is available on my target, I kick-off at least three command line tools before browsing through the page. The command line tools I run are as follows:


  • nikto -host=https://<web-address> -maxtime=60m -o <filename>


  • dirb http://<site-address> -z 10 -o filename

Gobuster (via my own bash script concoction from bug bounty hunting)

  • gobustr http://$IP:$PORT


  • ffuf -c -w wordlist.txt -u http://<$IP>/FUZZ -recursion -recursion-depth 2

While these three commands run in a screen session on one monitor, on a second monitor I manually walk the website using Firefox to capture interesting information in Burp Suite Sometimes you’ll find useful information directly on the page itself - like version information, login portals, of even file types and how the URI is written. I will also periodically check my command line tools for interesting directories and files they’ve identified, then manually browse to those as well.

I will likely write a follow-up post on my web application hacking process at a future date, as there’s a lot more additional work that goes into determining areas for exploitation like file inclusion, SQL Injection, admin portals, Wordpress or Drupal pages, etc.

Identifying Exploits

When it comes to searching for exploits, I keep it simple and usually resort to using searchsploit. That said, there are a couple of commands worth keeping in your back pocket to make this process easier:

Filtering out DoS results:

  • searchsploit $App $Version | grep -vE '/dos/'

Including exploit-db links

  • searchsploit -w $App $Version

Copying the exploit to your current directory

  • searchsploit -m $Vulnerability_Number_from_Search

Beyond that, I will usually move on to search engines like Google where I will look for something along the lines of “Exploiting $App $Version” and discover either HackTheBox guides that walk through exploiting similar systems, or find vulnerability information from esoteric forum and messaging board posts.

Mind Map Everything

Finally - and most importantly - I am mind mapping all of the information I’m gathering throughout this process. I usually lean on a snapshot tool called Flameshot to capture the table of open ports, interesting website information, and a list of possible exploits. I then drop this information into XMind nodes associated with the current target I’m working on.

Once I’ve gathered details about my target, I then move on to prioritizing which exploit paths are most likely to gain a successful foothold - but I’ll share more about that in a future blog post 😉

As always, thanks again for stopping by to read my pseudo-random musing 😊 While I draft my next blog post, you can git checkout other (usually off-topic) content I’m reading over at Instapaper - or go back and read my original “Hacking the OSCP” blog post for life lessons that the OSCP can’t teach you.

Until next time, remember to git commit && stay classy!


Keith // securingdev

If you found this post useful or interesting, I invite you to support my content through Patreon 😊 and thanks once again to those who already support this content!

This post is licensed under CC BY 4.0 by the author.