Service Enumeration Priority
Based on discovered services, follow this priority order:
Critical Services (Immediate Focus)
Active Directory Services
Database Services
Remote Access Services
- RDP (3389) - Remote desktop (Windows)
- VNC (5900+) - Remote desktop
Other Common Services
Initial Setup & Information Gathering
Host Information
Target IP:
Operating System:
Domain/Hostname:
Difficulty:
Start Time:
Environment Variables / Setup
export IP=
export DOMAIN=
mkdir -p "$IP" && cd "$IP"
mkdir -p {nmap,web,smb,ftp,exploit,loot}
Phase 1: Port Discovery
AutoRecon
autorecon $IP --only-scans-dir
cat results/$IP/scans/_full_tcp_nmap.txt
Manual Scanning
Fast Port Discovery
nmap --min-rate 4500 --max-rtt-timeout 1500ms -p- -Pn $IP -oG nmap/all_ports.gnmap
Extract open ports:
TCP_PORTS=$(grep -oP '\d+/open' nmap/all_ports.gnmap | cut -d/ -f1 | paste -sd, -)
echo "Open TCP ports: $TCP_PORTS"
Service Detection & Scripts
nmap -sC -sV -T4 -Pn -p$TCP_PORTS $IP -oA nmap/full_tcp
UDP Top Ports
nmap -sU --top-ports 100 -T4 -Pn $IP -oA nmap/top_udp
# If time permits, scan more UDP ports
nmap -sU --top-ports 1000 -T4 -Pn $IP -oA nmap/extended_udp
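The `grep -oP '\d+/open'` one-liner above works for a single-host TCP scan, but it also matches the `open|filtered` state that UDP scans report, and it merges ports across hosts. The following parser for nmap's grepable (`-oG`) format is an added example, not part of the original notes; the scan output it reads is constructed inline and the port-line layout (`port/state/proto/owner/service/`) follows nmap's documented gnmap format.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (not from a real scan): one TCP host,
# one UDP host, including a filtered port and an open|filtered UDP port.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -p- -oG all_ports.gnmap 10.10.10.10
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65531)
Host: 10.10.10.11 ()\tPorts: 53/open|filtered/udp//domain///, 161/open/udp//snmp///\tIgnored State: closed (98)
# Nmap done -- 2 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

# port/state/proto/owner/service/ ... (version info, if any, follows)
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/[^/]*/([^/]*)/")

def parse_gnmap(text, states=("open",)):
    """Return {host: {proto: [(port, service), ...]}} for ports whose state is in `states`.

    The state is compared as a whole field, so 'open|filtered' (typical for UDP)
    is only included when the caller asks for it explicitly.
    """
    result = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:          # e.g. the 'Status: Up' line
            continue
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state in states:
                result[host][proto].append((int(port), service))
    return {h: dict(p) for h, p in result.items()}

def port_list(parsed, host, proto="tcp"):
    """Comma-separated, sorted port string usable with nmap -p, e.g. '22,80,445'."""
    return ",".join(str(p) for p, _ in sorted(parsed.get(host, {}).get(proto, [])))

if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host in parsed:
        print(host, "tcp:", port_list(parsed, host), "udp:", port_list(parsed, host, "udp"))
```

Pass `states=("open", "open|filtered")` when triaging UDP results, where nmap cannot distinguish a silent open port from a filtered one.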