enumeration and methodology

Ok, I understand your point of view. I use -oA because it’s in the nmap manual so I never try something else… In an other way I like the HTML format, i found that more readable even for a unique machine scan.

some nmap stuff I like:
nmap -n -Pn -sV --version-all --open -sC -oA [target] --stats-every 120
(for IDS evasion use -sT)
(timing parameters:)

  • max-retries
  • min/max parallelism
  • min/max hosts
  • min-hostgroup
  • min/max-rate
  • initial/max-rtt-timeout

somebody should just try nmap -sS -T5 -A -f -v IP Address.It will bring up the best of infos from nmap try it

As a beginner, It is nice to see UDP examples:

nmap -sU -F --min-rate 1000 -n -Pn --max-retries 2 -oA UDPFast
fun things to build on when gather firewall info:
94 open|filtered ports

Here are a few things that I do…

For initial scanning:
nmap -T4 -sV -sC -Pn [box ip] -oA [box_name]_initial_scan

then I usually go for a full portscan depending on the results from that.

nmap -T4 -sV -sC -Pn -p- [box ip] -oA [box_name]_fullscan

I start doing UDP scans when all ports are filtered/ports don’t respond at all.

I run masscan/zmap if a scan says it will take >20 minutes, then I only scan the ports masscan/zmap detects as open with nmap.

This thread is pure gold!

For what it’s worth, here are my thoughts on the subject.

I put -v for nmap so that it prints out it’s findings during the scan before it is finished, but otherwise the same as others here. If necessary, split the port range to run several nmap scans.

Something like this script for gobustering the host. Not the most pretty or the most efficient possible, but I find this wordlist scanning quite boring. Luckily not all the machines require that.

After the initial scan there is usually something to work with. HTTP proxy is usually quite handy and it seems that on HTB you must be very careful to notice all sorts of delicate tips at this point. More than once I have missed something essential on my initial enumeration and spent hours looking elsewhere without finding anything useful.

As there are intentional rabbit holes that lead to nowhere, I often have more than one lead on a machine that could potentially lead to somewhere. I keep notes.txt file for each machine about what I find and what I have tried out to keep track of progress. I wouldn’t remember otherwise, but I should put more effort into this. Writing clear notes helps my brains to think more logically since they have to rearrange the stuff.

I’m new here. Sparta is really good for the initial flypast. Listen to lokori. Take notes.

@cdf123 said:
script is also a lifesaver. It works like it’s own shell, but writes all output to a script file. This is great for logging a reverse shell locally. It doesn’t just save text output, formatting is also preserved. To make it easier I have this in my .bashrc:

logme () { export SCRIPTFILE="$(date +%s)-${$}" echo "Starting tty logging to ~/scripts/${SCRIPTFILE}..." script -c /bin/bash -q "~/scripts/${SCRIPTFILE}" } scriptfile () { echo "${SCRIPTFILE}"; }

I loved this idea but using TMUX didn’t want to have to enable logging every time I opened a new window so I added a bit more functionality to it. I will probably do a bit more tweaking but wanted to share what I’ve got.

– Trying to paste code here using markdown but I can’t get codeblocks working only single line… I made a post on my blog about it.

http://www.bulbafett.com/index.php/2018/07/07/oscp-and-logging/

small script to question targets in bulk mode) https://raw.githubusercontent.com/charlesrocket/CTFx00/master/yo.sh