OSCP Commands Cheat Sheet

Information Gathering

1. Network Scanning

• Nmap:

  // Stealth scanning
  sudo nmap -sS <target>

  // Full TCP connection is made
  nmap -sT <target>

  // UDP scan
  nmap -sU <target>

  // Network sweeping
  nmap -sn 192.168.100.1-253 -oG sweep.txt
  grep Up sweep.txt | cut d " " -f 2
  
  nmap -p 80 -sn 192.168.100.1-253 -oG web-sweep.txt
  grep open web-sweep.txt | cut d " " -f 2

  // OS scan
  nmap -O <target> --osscan-guess

  // Scan with NSE script
  nmap --script http-headers <target>
  nmap --script-help http-headers

• On Windows:

  // Port scan
  Test-NetConnection -Port 445 <target>

  // Port sweeping
  foreach ($port in 1..1024) {if (($a=Test-Connection <target&rt; -Port $port -WarningAction SilentlyCongiue).tcp TestSucceeded -eq $true){"TCP port $port is open"}}

2. Enumeration

• DNS Enumeration:

  host <target-domain>
  host -t <query type> <target-domain>

  Common query types:
  A → IPv4 address
  AAAA → IPv6 address
  CNAME → Canonical name (alias)
  MX → Mail exchange servers
  NS → Name servers
  PTR → Reverse lookup (IP to domain)
  SOA → Start of Authority (DNS zone nformation)
  TXT → Text records (e.g., SPF, DKIM, etc.)
  SRV → Service records
  CAA → Certification Authority Authorization
  

  // list.txt contains a candidate list of subdomains
  for ip in $(cat list.txt); do host $ip.example.com; done
                      
  // Search by IP addr
  for ip in $(seq 200 245); do host 52.10.10.$ip; done | grep -v "not found"

  dnsrecon -d <target-domain> -t std
  dnsrecon -d <target-domain> -D ~/list.txt -t brt

  dnsenum <target-domain>

• Enum4linux:

  enum4linux -a <target>

• SMB Client Listing:

  smbclient -L <target> -U username

3. Vulnerability Scanning

• Nmap Vuln Scanning with NSE:

  // NSE script with "vuln"
  sudo nmap -sV -p 443 --script "vuln" 192.168.100.2

  Using specific CVE NSE Script
  1. Search for the CVE NSE script on internet
  2. Download the script and save it on /usr/share/nmap/scripts
  3. Update the NSE DB:
     sudo nmap --script-updatedb
  4. Give the CVE NSE file as an argument:
     sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.100.2

Exploitation

1. Exploitation on Web Application

• Nmap

  sudo nmap -p 80 -sV <target>
  sudo nmap -p 80 --script=http-enum <target>

• GoBuster

  gobuster dir -u <target> -w /usr/share/wordlists/dirb/common.txt -t <# of threads>

• BurpSuite (Repeater/Intruder)
  • HTTP Packet inspection
  • Brute force attacks
• Web Enum

Post-Exploitation

• Privilege Escalation Enumeration:

  ./linpeas.sh

• Search for SUID Files:

  find / -perm -4000 2>/dev/null

• Check Active Network Connections:

  netstat -tulpn