A Comprehensive Guide to Finding Every Attack Surface
Network scanning and enumeration are the foundation of penetration testing. In the OSCP exam, missing a single port or service can cost you the entire machine. This guide covers proven techniques to ensure you don't overlook anything.
Phase 1: Host Discovery (Finding Live Hosts)
Before attacking, identify which hosts are alive in the target network.
1. Ping Sweep (Basic Detection)
# one ping per address, backgrounded so the sweep runs in parallel; -W 1 gives
# dead hosts a one-second timeout and wait collects the results before the
# prompt returns. Prints the IP of every host that answered.
for ip in $(seq 1 254); do
  ping -c 1 -W 1 192.168.1.$ip | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done
wait
- Alternative: nmap -sn 192.168.1.0/24 (ICMP ping sweep; on a directly attached subnet nmap uses ARP requests instead, so it still works when ICMP is filtered).
- If ICMP is blocked: use -Pn (treat all hosts as live and skip host discovery).
2. ARP Scanning (Local Networks)
sudo arp-scan -l
- Works even if ICMP is disabled (ARP only reaches hosts on the same layer-2 segment).
- Alternative: netdiscover -i eth0 -r 192.168.1.0/24
3. Masscan (Ultra-Fast Scanning)
sudo masscan -p1-65535 192.168.1.0/24 --rate=1000 -e eth0
- Best for large networks: the scan speed is set by --rate (packets per second); higher rates finish faster but are noisier and can drop results on a congested link.
Phase 2: Port Scanning (Finding Open Services)
Once hosts are found, identify open ports & services.
1. Basic Nmap Scan
nmap -sV -sC -oA initial_scan 192.168.1.100
- -sV: service/version detection.
- -sC: default Nmap scripts.
- -oA: saves output in 3 formats (normal .nmap, XML .xml, grepable .gnmap).
2. Aggressive Scan (OS & Version Detection)
nmap -A -T4 -p- 192.168.1.100
- -A: enables OS detection, version detection, script scanning and traceroute.
- -p-: scans all 65,535 TCP ports.
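As an added example that is not part of the original guide: a small POSIX shell script that parses the grepable (.gnmap) file written by -oA, lists the open ports per host, and then compares the initial scan against the full -p- scan so that any port the first scan did not show is called out for re-enumeration. The two scan records are constructed stand-ins embedded in the script (the file names initial_scan.gnmap and full_scan.gnmap, and the ports and banners, are assumed); against real output, pipe the file into open_ports instead of the sample text.

```shell
#!/bin/sh
# Added example, not from the original guide: parse nmap grepable output and
# diff an initial scan against a full-port scan.

# gnmap_line HOST PORTS CLOSED_COUNT: build one tab-separated "Host:" record in
# nmap's grepable format. Used only to construct sample data below.
gnmap_line() {
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (%s)\n' "$1" "$2" "$3"
}

# Constructed stand-in for initial_scan.gnmap (nmap -sV -sC -oA initial_scan):
# the version scan saw 22 and 80 open and 445 filtered.
INITIAL_GNMAP=$(
    printf '# Nmap scan initiated as: nmap -sV -sC -oA initial_scan 192.168.1.100\n'
    printf 'Host: 192.168.1.100 ()\tStatus: Up\n'
    gnmap_line 192.168.1.100 \
        '22/open/tcp//ssh//OpenSSH 8.2p1//, 80/open/tcp//http//Apache httpd 2.4.41//, 445/filtered/tcp//microsoft-ds///' \
        997
)

# Constructed stand-in for full_scan.gnmap (nmap -A -p- -oA full_scan): the
# all-port scan also found 8080 and 50000, which the top-1000 scan missed.
FULL_GNMAP=$(
    gnmap_line 192.168.1.100 \
        '22/open/tcp//ssh//OpenSSH 8.2p1//, 80/open/tcp//http//Apache httpd 2.4.41//, 8080/open/tcp//http-proxy//Apache Tomcat//, 50000/open/tcp//ibm-db2///' \
        65531
)

# open_ports: read gnmap text on stdin and print "HOST PORT/PROTO SERVICE" for
# every port whose state is "open". Fields in a Host: record are tab-separated;
# each entry in the Ports: field is PORT/STATE/PROTO//SERVICE//VERSION//.
open_ports() {
    awk -F'\t' '
        /^Host: / {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                ports = $i; sub(/^Ports: /, "", ports)
                n = split(ports, p, ", ")
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
                    if (f[2] == "open") print host, f[1] "/" f[3], f[5]
                }
            }
        }'
}

# missed_ports INITIAL_TEXT FULL_TEXT: print the open ports that appear in the
# full scan but not in the initial one, keyed on host and port/proto only so a
# changed service label does not hide or fake a difference.
missed_ports() {
    known=$(mktemp)
    printf '%s\n' "$1" | open_ports | awk '{ print $1, $2 }' > "$known"
    printf '%s\n' "$2" | open_ports | awk -v known="$known" '
        BEGIN { while ((getline line < known) > 0) seen[line] = 1 }
        !(($1 " " $2) in seen)'
    rm -f "$known"
}

printf 'Open ports in the initial scan:\n'
printf '%s\n' "$INITIAL_GNMAP" | open_ports
printf 'Open ports the initial scan did not show (re-enumerate these):\n'
missed_ports "$INITIAL_GNMAP" "$FULL_GNMAP"
```

On a real engagement the same two functions run as `open_ports < initial_scan.gnmap` and `missed_ports "$(cat initial_scan.gnmap)" "$(cat full_scan.gnmap)"`; the point of keying on host and port rather than the whole line is that -sV and -A can label the same port differently.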
3. UDP Scanning (Often Missed!)
sudo nmap -sU -p 53,67,68,69,123,161 192.168.1.100
- Key UDP ports: 53 (DNS), 161 (SNMP), 69 (TFTP).
4. Stealthy Scanning (Avoiding Detection)
sudo nmap -sS -Pn -n --disable-arp-ping -T2 192.168.1.100
- -sS: SYN scan (half-open, stealthier).
- -T2: slower timing (less likely to trigger alarms).
Phase 3: Service Enumeration (Deep Dive)
Now, extract maximum info from each open port.
1. SMB (Windows Shares)
smbclient -L //192.168.1.100 -N
enum4linux -a 192.168.1.100
- Check for:
  - Guest access (-N tries a null session).
  - Sensitive files (*.txt, backup.zip).
2. HTTP/HTTPS (Web Apps)
gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
nikto -h http://192.168.1.100
- Check for:
  - Hidden directories (/admin, /backup).
  - Default creds (admin:admin).
3. FTP (File Transfer)
ftp 192.168.1.100
- Try anonymous login (username: anonymous).
- Check for: passwords.txt, config.php.
4. SSH (Secure Shell)
nmap -sV -p 22 --script=ssh-auth-methods 192.168.1.100
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100
- Brute-force only if allowed (OSCP rules).
5. SNMP (Network Devices)
snmpwalk -c public -v1 192.168.1.100
- Look for:
  - Running processes (hrSWRunTable).
  - Usernames (hrSWRunPerfTable).
6. RDP (Remote Desktop)
nmap -p 3389 --script=rdp-enum-encryption 192.168.1.100
xfreerdp /u:admin /v:192.168.1.100
- Check for weak credentials.
Bonus: Automated Enumeration Tools
1. AutoRecon (OSCP Favorite)
autorecon 192.168.1.100
- Runs multiple scans (TCP, UDP, web, SMB, etc.) automatically.
2. Recon-ng (Web Recon)
recon-ng
marketplace install all
workspaces add oscp_target
- Gathers WHOIS, subdomains, emails.
3. Metasploit (For Quick Checks)
msfconsole
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.1.100
run
- Useful for quick service checks.
OSCP Exam Tips
- Document everything (even failed attempts).
- Prioritize high-value ports (80, 443, 445, 22, 3389).
- If stuck, re-enumerate (missed ports = missed shells).
- Use -Pn if the host seems dead (firewalls block ICMP).
Final Checklist Before Exploitation
- All TCP/UDP ports scanned?
- Web directories brute-forced?
- SMB/NFS checked for anonymous access?
- SNMP/SMTP queried for info leaks?
- SSH/RDP tested for weak creds?
Key Takeaway
Enumeration is 80% of hacking. The more you dig, the more you find.
Now go own those boxes.