OSCP Playbook
Comment on page


Nmap command

nmap -sC -sV -p53 $ip/24

Find the IP and authoritative servers.

nslookup $ip

Dig deeper

dig axfr cronos.htb @

Find name servers

host -t ns $ip

Find txt records

host -t txt $ip

Fierce – Domain DNS scanner

fierce -dns $domain

Find email servers

host -t mx $ip

Subdomain bruteforcing using common hostname

for ip in $(cat list.txt); do host $ip.website.com; done

Reverse dns lookup bruteforcing

for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"
The ip is based on subdomain bruteforcing result

Zone transfer request

host -l $ip ns1.$ip
host -l $ip ns2.$ip
# Simple Zone Transfer Bash Script
# $1 is the first argument given after the bash script
# Check if argument was given, if not, print usage
if [ -z "$1" ]; then
echo "[*] Simple Zone transfer script"
echo "[*] Usage : $0 <domain name> "
exit 0
# if argument was given, identify the DNS servers for the domain
for server in $(host -t ns $1 | cut -d " " -f4); do
# For each of these servers, attempt a zone transfer
host -l $1 $server |grep "has address"
Bash script for zone transfer

DNS enumeration script

dnsrecon -d $ip -t axfr

Bruteforce using wordlist

dnsrecon -d $ip -D ~/list.txt -t brt

Finds nameservers for a given domain

host -t ns $ip| cut -d " " -f 4
dnsenum $ip

Nmap zone transfer scan

nmap $ip --script=dns-zone-transfer -p 53

Finds the domain names for a host.

whois $ip

Finds miss configure DNS entries.

host -t ns $ip

TheHarvester finds subdomains in google, bing, etc

python theHarvester.py -l 500 -b all -d $ip

Find DNS (A) records by trying a list of common sub-domains from a wordlist.

nmap -p 80 --script dns-brute.nse domain.com
python dnscan.py -d domain.com -w ./subdomains-10000.txt


  • Gather version numbers
  • Searchsploit
  • Default Creds
  • Creds previously gathered
  • Download the software