Passing Offensive Security’s OSCP was quite a challenge. In this post I’m going to list the tools that assisted me throughout my journey when studying for the OSCP.

Enumeration

Enumeration is a broad term when it comes to pentesting and ethical hacking. You can choose to use cloud services, local tools on a virtual machine, and even hardware for Wi-Fi sniffing. The enumeration tools listed below are installed in Kali Linux by default.

Nmap

This is the go-to tool that I used for network enumeration. A thing to note is that Nmap has been around for a while and has tons of advanced features that not many people learn about. The most important thing about Nmap is the high degree of customization you can apply when doing network enumeration. One final thing: Nmap has tons of other uses, such as brute forcing, vulnerability scanning, and more.

Nmap Syntax Example:

nmap -Pn -sV 192.168.1.1 -vv

Above is an example of a basic Nmap scan that scans Nmap's default top 1000 ports, performs a service version scan (-sV) based on the type of response each port returns, and skips the ping (host discovery) step (-Pn).

nmap -Pn -sT --data-length 25 -vv 192.168.1.1

This second Nmap scan is a more tailored network scan: it runs with no ping attempt (-Pn), uses a full TCP connect scan (-sT), changes the default data length of the probe packets that Nmap sends (--data-length 25), and adds more verbosity to the output (-vv). The important factor here is replacing the default SYN scan with a full TCP connect scan while also changing the default data length in the probe. This scan is more tailored to bypassing a firewall or some sort of explicit deny rule.
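As an added example that is not part of the original post, here is a small Python parser for Nmap's grepable output (the format you get by adding -oG to either scan above), turning each port entry into a record so you can build an inventory of what is exposed; the scan data embedded below is constructed, not real scan output.

```python
from collections import namedtuple

# Constructed sample of nmap grepable (-oG) output from a scan such as
# "nmap -Pn -sV -oG out.gnmap 192.168.1.0/24". Hosts and versions are made up.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -Pn -sV -oG out.gnmap 192.168.1.1-2
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/filtered/tcp//https///\tIgnored State: closed (997)
Host: 192.168.1.2 ()\tStatus: Up
Host: 192.168.1.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/\tIgnored State: closed (999)
# Nmap done at Mon Jan  1 12:00:05 2024 -- 2 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

Service = namedtuple("Service", "host port proto state name version")


def parse_gnmap(text):
    """Return one Service record per port entry in grepable nmap output."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and footer lines
        # Fields on a Host line are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            # Each entry is port/state/proto/owner/service/rpc-info/version/
            # (nmap replaces any "/" inside the version string with "|").
            port, state, proto, _owner, name, _rpc, version = entry.split("/")[:7]
            services.append(Service(host, int(port), proto, state, name, version))
    return services


def open_services(text):
    """Only the ports nmap reported as open: the exposed-service inventory."""
    return [s for s in parse_gnmap(text) if s.state == "open"]


if __name__ == "__main__":
    for s in open_services(SAMPLE_GNMAP):
        print(f"{s.host}:{s.port}/{s.proto}  {s.name:<6} {s.version}")
```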

DNSRecon

I like to use DNSRecon to quickly get some information on the mail servers of a domain. This tool is useful when trying to obtain detailed information including TXT records, NS records, SOA records, A records and more. You can also use this tool to attempt DNS zone transfers and to do DNS brute-force enumeration with a wordlist.

dnsrecon -d customerdomainname.com -a -n Dns.Server.To.Use

The syntax shown above attempts a DNS zone transfer with a specified DNS server.

dnsrecon -d dc.mailman.com -n 192.168.183.149

The syntax shown above runs the default dnsrecon scan, which attempts to enumerate the various name server records using the specified DNS server.