Cheat Sheet How to pass the OSCP Offensive Security Certified Professional Exam Step-by-Step Guide- ENUMERATING SERVICES – PART 2

By | March 20, 2017



Enumerating services is the vital next step: it helps us identify users, host information, protocol weaknesses and vulnerabilities that we can use to our advantage.

nmap -vv -Pn -A -sC -sS -T 4 -p-
Web Enumeration:

dirb /usr/share/wordlists/dirb/common.txt

nikto --host
SMB\RPC Enumeration:


smb4k (graphical interface – lists shares)

metasploit auxiliary scanner

./msfconsole
use auxiliary/scanner/smb/smb_version
show options


Enumerate Usernames (SNMP/SMTP/SMB[NETBIOS]/Add others here)

nmap -sT -p 445 -oG smb_results.txt (then grep open sessions) (on my machine /root/offsec) ./ (results from above)


nmap --script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse
Mysql Enumeration:

nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 -p 3306
SMTP Enumeration:

nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25
SNMP Enumeration:

snmpwalk -c public -v1 1 | grep hrSWRunName | cut -d" " -f

snmpwalk -c public -v1

snmpenum -t (displays all SNMP information for that server)

nmap -sT -p 161 -oG snmp_results.txt (then grep)
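The two -oG commands above (SMB on 445, SNMP on 161) both end with "then grep". As an added example that is not part of the original cheat sheet, here is a small Python parser for nmap's grepable output that does that step without guesswork: it reads the Ports: field of each Host: line and reports which hosts had a given port open. The scan output embedded in it is constructed for the example and is not a real result.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap "grepable" (-oG) output; these are not real scan results.
SAMPLE_GNMAP = (
    "# Nmap 7.40 scan initiated Mon Mar 20 10:00:00 2017 as: nmap -sT -p 139,445 -oG smb_results.txt 10.0.0.0/29\n"
    "Host: 10.0.0.5 (srv1.lab.example)\tStatus: Up\n"
    "Host: 10.0.0.5 (srv1.lab.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\n"
    "Host: 10.0.0.6 ()\tStatus: Up\n"
    "Host: 10.0.0.6 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///\n"
    "Host: 10.0.0.7 ()\tStatus: Down\n"
    "# Nmap done at Mon Mar 20 10:00:05 2017 -- 8 IP addresses (2 hosts up) scanned in 5.01 seconds\n"
)

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)")

PortEntry = Tuple[int, str, str, str]  # (port, protocol, state, service)


def parse_gnmap(text: str) -> Dict[str, List[PortEntry]]:
    """Parse -oG output into {ip: [(port, proto, state, service), ...]}.

    Each "Ports:" field holds comma-separated entries of the form
    port/state/protocol/owner/service/rpc-info/version/ ; the fields after
    the service name stay empty unless -sV was used.
    """
    results: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and the trailing "Nmap done" summary
        ip = match.group("ip")
        entries = results.setdefault(ip, [])  # a "Status: Down" host ends up with an empty list
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for raw in field[len("Ports:"):].split(","):
                parts = raw.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                entries.append((int(port), proto, state, service))
    return results


def hosts_with_open_port(text: str, port: int, proto: str = "tcp") -> List[str]:
    """Return the IPs on which port/proto was reported open (the "then grep" step)."""
    return sorted(
        ip
        for ip, entries in parse_gnmap(text).items()
        if any(p == port and pr == proto and st == "open" for p, pr, st, _ in entries)
    )


if __name__ == "__main__":
    for ip, entries in parse_gnmap(SAMPLE_GNMAP).items():
        print(ip, entries)
    print("SMB reachable on:", hosts_with_open_port(SAMPLE_GNMAP, 445))
```

Feed it the file written by -oG (open("smb_results.txt").read()) in place of SAMPLE_GNMAP; filtered and closed ports are kept in the parsed structure so a reviewer can also see where a firewall is in the way.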

– snmpwalk -c public -v1 1 | grep | cut -d" " -f4

For SMTP – (/pentest/enumeration/vrfy)


samrdump.py – (/pentest/python/impacket-examples/)

– ./ SNMP server

nc -v 25
FTP Enumeration:

nmap --script=ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21



The types of enumeration that DNSRecon performs include the following:

  • Zone Transfer
  • Reverse Lookup
  • Domain and Host Brute-Force
  • Standard Record Enumeration (wildcard,SOA,MX,A,TXT etc.)
  • Cache Snooping
  • Zone Walking
  • Google Lookup

Standard Record Enumeration

In order to perform standard DNS enumeration with DNSRecon, the command to use is ./ -d <domain>. So let's try that command against the domain to see what kind of information we can retrieve.

Zone Transfer

The security problem with DNS zone transfer is that it can be used to map out the topology of a company's network. Specifically, when a user performs a zone transfer, a DNS query is sent that lists all DNS information: name servers, host names, MX and CNAME records, the zone serial number, Time to Live values and so on. Because of the amount of information that can be obtained, servers that allow zone transfers are rarely found nowadays. DNSRecon nevertheless provides the ability to perform zone transfers with the commands

./ -d <domain> -a or

./ -d <domain> -t axfr

Reverse Lookup

According to Wikipedia, reverse DNS lookup is the determination of the domain name associated with an IP address. DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration the command

./ -r <startIP-endIP>

must be used. Reverse lookup can also be performed against all ranges found in SPF records with the command ./ -d <domain> -s. The next image shows the output that a reverse lookup over a range of IP addresses produces.
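To make the reverse-lookup mechanics concrete, the following Python is an added example (not DNSRecon's own code) that derives the PTR query names a reverse lookup would send for a startIP-endIP range, the form the -r option takes, and for every ip4:/ip6: range found in an SPF record, the work behind the -s option. It uses only the standard library ipaddress module. The SPF record is constructed from documentation address ranges; include: mechanisms are deliberately left unexpanded, and a limit caps how many names a large prefix expands to.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed SPF record for illustration; the addresses are documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/30 ip4:198.51.100.9 ip6:2001:db8::/126 include:_spf.example.net -all"


def spf_networks(record: str) -> List[Network]:
    """Extract the ip4:/ip6: mechanisms of an SPF TXT record as network objects.

    A bare address such as ip4:198.51.100.9 is treated as a /32, as SPF does.
    include:, a, mx and redirect= need further DNS lookups and are skipped here.
    """
    nets: List[Network] = []
    for term in record.split():
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def ptr_names(net: Network, limit: int = 256) -> List[str]:
    """PTR query names (w.z.y.x.in-addr.arpa / nibbles.ip6.arpa) for every address in net.

    limit caps the expansion so a large prefix cannot produce millions of names.
    """
    names: List[str] = []
    for addr in net:
        if len(names) >= limit:
            break
        names.append(addr.reverse_pointer)
    return names


def range_ptr_names(ip_range: str, limit: int = 256) -> List[str]:
    """PTR names for a "startIP-endIP" range, the form DNSRecon's -r option takes."""
    start, end = (ipaddress.ip_address(p.strip()) for p in ip_range.split("-", 1))
    names: List[str] = []
    for net in ipaddress.summarize_address_range(start, end):
        names.extend(ptr_names(net, limit - len(names)))
        if len(names) >= limit:
            break
    return names


def spf_ptr_names(record: str, limit: int = 256) -> List[str]:
    """Everything a reverse lookup over all SPF ranges (-s) would have to query."""
    names: List[str] = []
    for net in spf_networks(record):
        names.extend(ptr_names(net, limit - len(names)))
    return names


if __name__ == "__main__":
    for name in spf_ptr_names(SAMPLE_SPF):
        print(name)
    print(range_ptr_names("203.0.113.1-203.0.113.3"))
```

The list this produces is also what a defender should expect to see in resolver logs when someone walks the organisation's SPF ranges: a burst of PTR queries for consecutive addresses under one in-addr.arpa or ip6.arpa zone.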

Domain Brute-Force

To perform this technique all we have to do is supply a name list; DNSRecon will then try to resolve the A, AAAA and CNAME records against the domain by trying each entry one by one. In order to run the Domain Name Brute-Force we need to type:

./ -d <domain> -D <namelist> -t brt

Cache Snooping

DNS cache snooping occurs when the DNS server has a specific DNS record cached; that cached record will often reveal plenty of information. However, DNS cache snooping is not very often possible. The command that can be used in order to perform cache snooping is the following:

./ -t snoop -n <server> -D <Dict>

Zone Walking

This technique may unveil internal records if the zone is not configured properly. The information obtained can help us map network hosts by enumerating the contents of a zone. In order to perform zone walking we need to type the command:

./ -d <host> -t zonewalk

SMB\RPC Enumeration:

nmap --script=smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse,smbv2-enabled.nse
You can also use:
nmap --script=smb* -p 139,445
[–]ok_bye_now_[S] 1 point 2 months ago
If you run all of them it’ll take forever because of the brute force NSE scripts. That’s why I chose to list all of them minus the bruters.
[–]ak_z 6 points 2 months ago*
nicie, but I’ve seen better
[–]m_ros101 2 points 2 months ago
Great work mate. Thanks for this.
[–]ok_bye_now_[S] 1 point 2 months ago
Enumerating snmp strings is also something I should add to that list. It’s fairly easy to overlook but you sometimes find really useful information in there.
[–]qasimchadhar 1 point 2 months ago
Thanks. One thing to note, these cheat sheets will come handy in your professional career too. And as you learn something new, be sure to add to your favorite cheat sheet.
nmap -PN

rpcclient $>

Now type in enumdomusers; this will dump a list of the user accounts present on the server, like so:

rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]

Yes, enumerating user accounts through an open Samba or SMB service really is that simple. There are many more options that can be used with this program; if you type help at the rpcclient prompt you will see all of them. These are the commands I used to create the log file for this tutorial.

****Append Log File****
root@bt:~# rpcclient -U ""
Enter 's password:

rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]
rpcclient $> netshareenum
netname: test
path: C:\media\Gh0$7\test
rpcclient $> netshareenumall
netname: IPC$
remark: IPC Service (gh0s7-serverhome server (Samba, Ubuntu))
path: C:\tmp
netname: test
path: C:\media\Gh0$7\test
netname: print$
remark: Printer Drivers
path: C:\var\lib\samba\printers

rpcclient $> querydominfo
Domain: MSHOME
Comment: gh0s7-serverhome server (Samba, Ubuntu)
Total Users: 2
Total Groups: 0
Total Aliases: 0
Sequence No: 1321411072
Force Logoff: -1
Domain Server State: 0x1
Unknown 3: 0x1
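The session above was opened with an empty username, and the fact that such a null session returns an account list and share paths is the finding a defender cares about. The following Python is an added example, not from the original tutorial, that turns an rpcclient transcript into structured data: account names with their RIDs decoded from hex and labelled by the well-known RID values (500 is the built-in Administrator, 501 the built-in Guest, accounts created later start at 1000), plus the shares and paths printed by netshareenumall. The transcript string is the page's own output, copied in so the parser runs offline.

```python
import re
from typing import Dict, List

# The page's own rpcclient output, embedded as a string so it can be parsed offline.
SAMPLE_SESSION = """\
rpcclient $> enumdomusers
user:[nobody] rid:[0x1f5]
user:[gh0s7] rid:[0x3e8]
rpcclient $> netshareenumall
netname: IPC$
remark: IPC Service (gh0s7-serverhome server (Samba, Ubuntu))
path: C:\\tmp
netname: test
path: C:\\media\\Gh0$7\\test
netname: print$
remark: Printer Drivers
path: C:\\var\\lib\\samba\\printers
"""

USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Well-known relative identifiers, identical on Windows and Samba.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}


def parse_users(transcript: str) -> Dict[str, int]:
    """Map each account name printed by enumdomusers to its RID as an integer."""
    return {m.group("name"): int(m.group("rid"), 16) for m in USER_RE.finditer(transcript)}


def describe_users(transcript: str) -> Dict[str, str]:
    """Label each enumerated account by what its RID says about it."""
    labels: Dict[str, str] = {}
    for name, rid in parse_users(transcript).items():
        # Samba and Windows hand out RIDs from 1000 upward for accounts created on the host.
        default = "local account" if rid >= 1000 else "other built-in"
        labels[name] = WELL_KNOWN_RIDS.get(rid, default)
    return labels


def parse_shares(transcript: str) -> List[Dict[str, str]]:
    """Collect the netname/remark/path groups printed by netshareenum or netshareenumall."""
    shares: List[Dict[str, str]] = []
    for line in transcript.splitlines():
        key, _, value = line.partition(":")  # only the first colon matters (paths contain "C:")
        key, value = key.strip(), value.strip()
        if key == "netname":
            shares.append({"netname": value})
        elif key in ("remark", "path") and shares:
            shares[-1][key] = value
    return shares


if __name__ == "__main__":
    for name, label in describe_users(SAMPLE_SESSION).items():
        print(f"{name}: {label}")
    for share in parse_shares(SAMPLE_SESSION):
        print(share)
```

Seeing "nobody" at RID 501 tells you the Guest account is what the null session mapped to; on a host you administer, the remedy is to disable guest/anonymous access (restrict anonymous = 2 in smb.conf on Samba) and re-run the check to confirm the list comes back empty.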

Mounting unprotected (guest) network folders

First, let’s create the mount directory. You will need a separate directory for each mount.

sudo mkdir /media/windowsshare

Then edit your /etc/fstab file (with root privileges) to add this line:

//servername/sharename  /media/windowsshare  cifs  guest,uid=1000,iocharset=utf8  0  0


guest indicates you don’t need a password to access the share,

uid=1000 makes the Linux user specified by the id the owner of the mounted share, allowing them to rename files,

iocharset=utf8 allows access to files with names in non-English languages. This doesn't work with shares on devices like the Buffalo TeraStation, or Windows machines that export their shares using ISO8859-15.

If there is any space in the server path, you need to replace it by \040, for example //servername/My\040Documents

After you add the entry to /etc/fstab type:

sudo mount -a

This will (re)mount all entries listed in /etc/fstab.

Mount password protected network folders

The quickest way to auto-mount a password-protected share is to edit /etc/fstab (with root privileges) and add this line:
//servername/sharename  /media/windowsshare  cifs  username=msusername,password=mspassword,iocharset=utf8,sec=ntlm  0  0
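The fstab line above puts the username and password straight into /etc/fstab, which every local user can read, and sec=ntlm selects NTLMv1. The following Python is an added example, not part of the original article, that parses an fstab excerpt and reports those conditions for each cifs entry, then shows how the same entry looks once the credentials are moved into a root-only file referenced through mount.cifs's credentials= option (the path /root/.smbcredentials is an assumption; any path with mode 0600 works) and sec=ntlmssp replaces sec=ntlm. The fstab excerpt is constructed for the example.

```python
from typing import Dict, List

# Constructed /etc/fstab excerpt for illustration; servername, share names and
# credentials are placeholders, not a real system.
SAMPLE_FSTAB = """\
UUID=00000000-0000-0000-0000-000000000000  /  ext4  errors=remount-ro  0  1
//servername/sharename  /media/windowsshare  cifs  username=msusername,password=mspassword,iocharset=utf8,sec=ntlm  0  0
//servername/public     /media/public        cifs  guest,uid=1000,iocharset=utf8  0  0
//servername/secure     /media/secure        cifs  credentials=/root/.smbcredentials,uid=1000,iocharset=utf8,sec=ntlmv2  0  0
"""

# Assumed location for the credentials file; install it owned by root with mode 0600.
CREDENTIALS_FILE = "/root/.smbcredentials"


def parse_fstab(text: str) -> List[Dict[str, object]]:
    """Split fstab lines into source, mount point, fs type and an options dict."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        options: Dict[str, str] = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")  # flag options such as "guest" get an empty value
            options[key] = value
        entries.append({"source": fields[0], "target": fields[1], "fstype": fields[2], "options": options})
    return entries


def audit_cifs(text: str) -> Dict[str, List[str]]:
    """Report credential-handling weaknesses per cifs entry (an empty list means nothing found)."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_fstab(text):
        if entry["fstype"] != "cifs":
            continue
        opts = entry["options"]
        issues: List[str] = []
        if "password" in opts:
            issues.append("password stored inline in world-readable /etc/fstab")
        if opts.get("sec") == "ntlm":
            issues.append("sec=ntlm selects legacy NTLMv1 authentication")
        if "guest" in opts:
            issues.append("guest (unauthenticated) access")
        findings[str(entry["source"])] = issues
    return findings


def hardened_options(options: Dict[str, str]) -> str:
    """Rewrite an option string: move username/password/domain into a credentials file, drop NTLMv1."""
    kept = {k: v for k, v in options.items() if k not in ("username", "password", "domain")}
    if "username" in options or "password" in options:
        kept["credentials"] = CREDENTIALS_FILE
    if kept.get("sec") == "ntlm":
        kept["sec"] = "ntlmssp"
    return ",".join(k if v == "" else f"{k}={v}" for k, v in kept.items())


def credentials_file_contents(options: Dict[str, str]) -> str:
    """Body of the file named by credentials=, in the username=/password=/domain= form mount.cifs reads."""
    lines = [f"{k}={options[k]}" for k in ("username", "password", "domain") if k in options]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for source, issues in audit_cifs(SAMPLE_FSTAB).items():
        print(source, "->", issues or "ok")
    weak = parse_fstab(SAMPLE_FSTAB)[1]["options"]
    print("hardened options:", hardened_options(weak))
    print("credentials file:\n" + credentials_file_contents(weak), end="")
```

Run it against the real file with open("/etc/fstab").read(); the hardened line keeps the share, mount point and uid/iocharset settings exactly as the article gives them and only changes where the secret lives and which authentication flavour is negotiated.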

To see which shares are available on a given host, run:

/usr/bin/smbclient -L host

where 'host' is the name of the machine that you wish to view. This will return a list of 'service' names, that is, names of drives or printers that it can share with you. Unless the SMB server has no security configured, it will ask you for a password. Give it the password for the 'guest' account or for your personal account on that machine.

For example:

smbclient -L zimmerman

The output of this command should look something like this:

Server time is Sat Aug 10 15:58:27 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]

Server=[ZIMMERMAN] User=[] Workgroup=[WORKGROUP] Domain=[]

Sharename      Type      Comment
---------      ----      -------
ADMIN$         Disk      Remote Admin
public         Disk      Public
C$             Disk      Default share
IPC$           IPC       Remote IPC
OReilly        Printer   OReilly
print$         Disk      Printer Drivers
