OSCP Notes

OSCP Enumeration Strategy and Methodology

A structured approach to enumeration for OSCP-style assessments, covering initial reconnaissance through privilege escalation.

Tags: OSCP, Enumeration, Methodology, Checklist

A systematic enumeration approach is crucial for successful penetration tests. This post outlines a structured methodology.

Phase 1: Initial Reconnaissance

Port Scanning

Start with a default-port scan that includes default scripts and version detection, saving output in all formats:

nmap -sC -sV -oA initial_scan target_ip

Follow up with a full port scan:

nmap -p- -oA full_scan target_ip

Service Enumeration

For each discovered service, run service-specific enumeration:

SMB:

smbclient -L //target_ip
enum4linux -a target_ip

HTTP/HTTPS:

nikto -h http://target_ip
dirb http://target_ip /usr/share/wordlists/dirb/common.txt

SSH:

ssh-audit target_ip
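The "for each discovered service" step is easier to track if the scan output is parsed rather than read by eye. The script below is an added example, not part of the original post: it reads the greppable .gnmap file that -oA writes, emits one line per open port, and maps each service to the checklist command above. The scan line is constructed sample data, and the field layout assumed is nmap's tab-separated "Host: ... Ports: ..." format with port/state/proto/owner/service/rpc/version fields.

```shell
#!/bin/sh
# Added example (not from the original post): turn an nmap greppable file
# (the .gnmap written by -oA) into one "ip port service version" line per
# open port, then map each service to the follow-up enumeration command
# from the checklist. The scan line below is constructed sample data.

parse_gnmap() {
    # Reads .gnmap on stdin. Assumes nmap's tab-separated "Host: ... Ports: ..."
    # layout and the port/state/proto/owner/service/rpc/version/ field order.
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); ip = h[2]
            sub(/^Ports: /, "", $2)
            n = split($2, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open")          # skip closed/filtered ports
                    printf "%s %s %s %s\n", ip, f[1], f[5], f[7]
            }
        }'
}

suggest_enum() {
    # $1 = target ip, $2 = service name, $3 = version; prints the checklist follow-up
    case "$2" in
        ssh)           echo "ssh-audit $1" ;;
        http|http-alt) echo "nikto -h http://$1; dirb http://$1 /usr/share/wordlists/dirb/common.txt" ;;
        https)         echo "nikto -h https://$1" ;;
        microsoft-ds|netbios-ssn)
                       echo "smbclient -L //$1; enum4linux -a $1" ;;
        *)             echo "searchsploit \"$2 $3\"" ;;   # fall back to version lookup
    esac
}

sample_gnmap() {
    # Constructed scan output: one host with three open ports and one filtered port
    printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Samba smbd 4.6.2/\tIgnored State: closed (996)\n'
    printf '# Nmap done: 1 IP address (1 host up) scanned\n'
}

enum_plan() {
    # One follow-up command per open service found in the sample scan
    sample_gnmap | parse_gnmap | while read -r ip port svc ver; do
        printf '%s:%s (%s %s) -> %s\n' "$ip" "$port" "$svc" "$ver" "$(suggest_enum "$ip" "$svc" "$ver")"
    done
}

enum_plan
```

Replace sample_gnmap with `cat initial_scan.gnmap` to run it against a real scan; filtered ports are dropped on purpose so the plan only lists services that actually answered.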

Phase 2: Vulnerability Identification

Version Detection

Compare discovered versions against known vulnerabilities:

searchsploit "service name version"

Manual Testing

Don't rely solely on automated tools. Manual testing often reveals issues scanners miss.

Phase 3: Exploitation

Proof of Concept

Always test exploits in a safe environment first. Document the exact steps taken.

Initial Access

Once initial access is gained, immediately:

  1. Stabilize the shell
  2. Upgrade to a full TTY
  3. Document the access method

Phase 4: Post-Exploitation

Enumeration Scripts

Run automated enumeration scripts:

Linux:

./linpeas.sh

Windows:

.\winpeas.exe

Manual Checks

Automated scripts are helpful, but manual checks are essential:

  • Check for world-writable files
  • Review cron jobs and scheduled tasks
  • Examine environment variables
  • Look for credentials in configuration files

Phase 5: Privilege Escalation

Common Vectors

  • SUID/SGID binaries
  • Misconfigured sudo permissions
  • Kernel exploits
  • Scheduled tasks with weak permissions
  • Service misconfigurations

Documentation

Document every step:

  • Commands run
  • Outputs received
  • Screenshots of important findings
  • Time spent on each phase

Time Management

Allocate time wisely:

  • Initial enumeration: 30-40%
  • Exploitation: 30-40%
  • Privilege escalation: 20-30%

Tools Checklist

  • Nmap
  • Enumeration scripts (LinPEAS, WinPEAS)
  • Exploit frameworks
  • Note-taking tools
  • Screenshot utilities

Disclaimer

This content is for educational and ethical hacking purposes only. Only use these techniques on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal.