We covered enumerating Windows and Linux during the post-exploitation phase of a penetration test. Post-exploitation enumeration can serve many objectives, including credential harvesting, privilege escalation, persistence and data exfiltration. It involves gathering information about users, groups, installed applications and updates, the OS and kernel version, the privileges of the current user, services, running processes, scheduled tasks, network connections, etc. This was part of the TryHackMe Enumeration room in the Red Team track.

Challenge Description

This room is an introduction to enumeration when approaching an unknown corporate environment.

Video Highlights

Enumeration in the post-exploitation phase assumes that we have successfully gained some form of access to a system. Moreover, we may have carried out privilege escalation; in other words, we might have administrator or root privileges on the target system. Some of the techniques and tools discussed in this room would still provide helpful output even with an unprivileged account, i.e., not root or administrator.

Our purpose is to collect more information that will aid us in gaining more access to the target network. For example, we might find the login credentials to grant access to another system. We focus on tools commonly available on standard systems to collect more information about the target. Being part of the system, such tools look innocuous and cause the least amount of “noise”.

We assume you have access to a command-line interface on the target, such as bash on a Linux system or cmd.exe on an MS Windows system. Starting with one type of shell on a Linux system, it is usually easy to switch to another one. Similarly, starting from cmd.exe, you can switch to PowerShell if available.

When you gain a “shell” on the target system, you usually have very basic knowledge of the system. If it is a server, you already know which service you have exploited; however, you don’t necessarily know other details, such as usernames or network shares. Consequently, the shell will look like a “dark room” where you have an incomplete and vague knowledge of what’s around you. In this sense, enumeration helps you build a more complete and accurate picture.

The purpose behind post-exploitation enumeration is to gather as much information as possible about the system and its network. The exploited system might be a company desktop/laptop or a server. We aim to collect the information that would allow us to pivot to other systems on the network or to loot the current system. The information we are interested in gathering includes:

  • Users and groups
  • Hostnames
  • Routing tables
  • Network shares
  • Network services
  • Applications and banners
  • Firewall configurations
  • Service settings and audit configurations
  • SNMP and DNS details
  • Hunting for credentials (saved on web browsers or client applications)

There is no way to list everything we might stumble upon. For instance, we might find SSH keys that grant access to other systems. In SSH key-based authentication, we generate an SSH key pair (public and private keys) and install the public key on a server; the server then trusts any client that can prove possession of the matching private key. A private key found on a compromised host is therefore worth trying against every other host we can reach.

Furthermore, we might stumble upon sensitive data saved in the user’s documents or desktop directories. Consider that someone might keep a passwords.txt or passwords.xlsx instead of using a proper password manager. Source code might also contain keys and passwords left lurking around, especially if the source code was never intended to be made public.
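The checklist above, together with the SSH-key and credential-file hunting just described, can be scripted with nothing but the tools a stock Linux host already has. The following is an added example written for this page, not code from the TryHackMe room or from any tool it mentions. Each parser reads a tool's output on stdin, so it works on live output and on output captured from a target and copied back; the SAMPLE_* strings are constructed test data, not output from the room's VM, and the directories in the `--live` branch are just reasonable starting points.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): Linux post-exploitation
# enumeration helpers built on awk, grep, find and ss/netstat only, so they
# blend in with normal activity on the host. SAMPLE_* below is constructed data.

# Accounts that can actually log in (real shell, not nologin/false).
# Input: /etc/passwd on stdin. Output: "user uid home".
interactive_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1, $3, $6 }'
}

# Listening TCP sockets from `ss -tlnp`, `netstat -tlnp` (Linux) or
# `netstat -ano` (Windows). Output: "port program" (or "port pid=N" for
# Windows, where `tasklist /FI "PID eq N"` maps the PID to a program),
# one line per port, ascending, with IPv4/IPv6 duplicates merged.
listening_tcp() {
    awk '
        function proc(line,    s, i, j) {
            i = index(line, "users:((\"")           # ss -p: users:(("sshd",pid=812,fd=3))
            if (i) { s = substr(line, i + 9); j = index(s, "\""); return substr(s, 1, j - 1) }
            if (match(line, /[0-9]+\/[^ ]+$/)) {    # netstat -p: 812/sshd
                s = substr(line, RSTART, RLENGTH); sub(/^[0-9]+\//, "", s); return s
            }
            return "?"                              # owner hidden from an unprivileged user
        }
        $1 == "LISTEN"                    { addr = $4; who = proc($0) }
        $1 ~ /^tcp6?$/ && $6 == "LISTEN"  { addr = $4; who = proc($0) }
        $1 == "TCP" && $4 == "LISTENING"  { addr = $2; who = "pid=" $5 }
        addr != "" {
            n = split(addr, a, ":")       # 0.0.0.0:22, [::]:22 and *:22 all end in the port
            print a[n] + 0, who
            addr = ""
        }' | sort -n | uniq
}
highest_listening_tcp() { listening_tcp | tail -n 1; }
lowest_listening_tcp()  { listening_tcp | head -n 1; }

# SSH private keys readable by the current user under the given directories;
# any of them may be trusted by another host (key-based authentication).
find_private_keys() {
    grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$@" 2>/dev/null
}

# Files that tend to hold credentials: passwords.txt/.xlsx, key stores,
# and config or source files that assign a password.
find_credential_files() {
    find "$@" -type f \( -iname '*passw*' -o -iname '*.kdbx' -o -iname '*.pem' -o -iname 'id_*' \) 2>/dev/null
    find "$@" -type f \( -name '*.conf' -o -name '*.ini' -o -name '.env' -o -name '*.php' -o -name '*.py' \) \
        -exec grep -liE 'passw(or)?d[[:space:]]*[:=]' {} + 2>/dev/null
}

# Constructed sample data (not from the room's VM) so the parsers can be run offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
thm:x:1000:1000:THM User:/home/thm:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1040,fd=21))
LISTEN 0      4096   *:8000              *:*               users:(("python3",pid=2211,fd=4))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

SAMPLE_NETSTAT_WIN='  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1220
  TCP    [::]:135               [::]:0                 LISTENING       900'

if [ "${1:-}" = "--live" ]; then
    # Run on the compromised host: ./enum.sh --live
    echo "== accounts with a shell";  interactive_users < /etc/passwd
    echo "== recent logins";          last -n 5 2>/dev/null || lastlog 2>/dev/null
    echo "== listening TCP";          { ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null; } | listening_tcp
    echo "== private keys";           find_private_keys /home /root /etc/ssh
    echo "== credential files";       find_credential_files /home /root /var/www /opt
else
    echo "sample accounts:";                 printf '%s\n' "$SAMPLE_PASSWD" | interactive_users
    echo "sample highest TCP port:";         printf '%s\n' "$SAMPLE_SS" | highest_listening_tcp
    echo "sample lowest Windows TCP port:";  printf '%s\n' "$SAMPLE_NETSTAT_WIN" | lowest_listening_tcp
fi
```

Run it with `--live` on the target to answer the Linux questions of the room (last login, highest listening port and its program) in one pass; without arguments it exercises the parsers on the embedded samples. The Windows branch of `listening_tcp` only yields a PID because `netstat -ano` does not print program names; resolve it with `tasklist /FI "PID eq N"` on the server.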

Room Answers

In SSH key-based authentication, which key does the client need?

What is the name of the Linux distribution used in the VM?

What is its version number?

What is the name of the user who last logged in to the system?

What is the highest listening TCP port number?

What is the program name of the service listening on it?

There is a script running in the background. Its name starts with THM. What is the name of the script?

What is the full OS Name?

What is the OS Version?

How many hotfixes are installed on this MS Windows Server?

What is the lowest TCP port number listening on the system?

What is the name of the program listening on that port?

Knowing that the domain name on the MS Windows Server of IP MACHINE_IP is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?

What is the name of the share available over SMB protocol and starts with THM?

Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP MACHINE_IP. What is the location specified?

What utility from Sysinternals Suite shows the logged-in users?
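The three network-service checks the Windows questions above call for (a DNS zone transfer with dig, an SMB share listing, and an SNMP query) are run from the attacker's Linux box rather than on the target. The following is an added example written for this page, not the room's own material: it wraps `dig`, `smbclient` and net-snmp's `snmpget`/`snmpwalk` (the room uses snmpcheck for the SNMP step; the sysLocation value it reports is the same object queried here) and parses their output for the items asked about. MACHINE_IP, the domain and the community string are passed as arguments; the SAMPLE_* strings are constructed test data, not output from the room's server, and the hostnames and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): enumerating a Windows server's
# DNS, SMB and SNMP services from the attacker's Linux box and extracting the
# interesting records. SAMPLE_* below is constructed data.

# Keep the useful records from a `dig axfr` zone transfer: A/AAAA/CNAME give
# the host list for pivoting; TXT is where flags and stray secrets sit.
# Output: "type name rdata".
axfr_records() {
    awk '$3 == "IN" && $4 ~ /^(A|AAAA|CNAME|TXT)$/ {
        rdata = $5; for (i = 6; i <= NF; i++) rdata = rdata " " $i
        print $4, $1, rdata
    }'
}

# Share names from `smbclient -L` (header and separator lines are dropped
# because their second field is not a share type). Output: "name type".
smb_shares() {
    awk '$2 == "Disk" || $2 == "IPC" || $2 == "Printer" { print $1, $2 }'
}

# Value of an snmpget/snmpwalk line, with or without MIBs installed:
#   SNMPv2-MIB::sysLocation.0 = STRING: Server Room
#   iso.3.6.1.2.1.1.6.0 = STRING: "Server Room"
snmp_value() {
    sed -n 's/^.* = [A-Za-z0-9-]*: *//p' | sed 's/^"//; s/"$//'
}

# Constructed sample output (placeholder names/addresses, not the room's server).
SAMPLE_AXFR='; <<>> DiG 9.18.12 <<>> axfr redteam.thm @MACHINE_IP
;; global options: +cmd
redteam.thm.        3600 IN SOA   dc.redteam.thm. hostmaster.redteam.thm. 1 900 600 86400 3600
redteam.thm.        3600 IN NS    dc.redteam.thm.
dc.redteam.thm.     3600 IN A     10.10.0.5
files.redteam.thm.  3600 IN CNAME dc.redteam.thm.
flag.redteam.thm.   3600 IN TXT   "constructed sample record, not the real flag"
redteam.thm.        3600 IN SOA   dc.redteam.thm. hostmaster.redteam.thm. 1 900 600 86400 3600
;; Query time: 2 msec'

SAMPLE_SMB='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        THMsample       Disk      constructed sample share
SMB1 disabled -- no workgroup available'

SAMPLE_SNMP='iso.3.6.1.2.1.1.6.0 = STRING: "constructed sample location"'

if [ "${1:-}" = "--live" ]; then
    # Usage: ./netenum.sh --live MACHINE_IP [domain] [community]
    target=${2:?usage: $0 --live MACHINE_IP [domain] [community]}
    domain=${3:-redteam.thm}
    community=${4:-public}
    echo "== zone transfer of $domain";  dig axfr "$domain" "@$target" | axfr_records
    echo "== SMB shares (null session)"; smbclient -L "//$target" -N 2>/dev/null | smb_shares
    echo "== SNMP sysLocation";          snmpget -v2c -c "$community" "$target" 1.3.6.1.2.1.1.6.0 | snmp_value
    echo "== SNMP system group";         snmpwalk -v2c -c "$community" "$target" 1.3.6.1.2.1.1 | snmp_value
else
    echo "sample zone records:";   printf '%s\n' "$SAMPLE_AXFR" | axfr_records
    echo "sample THM* shares:";    printf '%s\n' "$SAMPLE_SMB" | smb_shares | awk '$1 ~ /^THM/'
    echo "sample SNMP location:";  printf '%s\n' "$SAMPLE_SNMP" | snmp_value
fi
```

A zone transfer that succeeds for an arbitrary client, an SMB share list available over a null session, and SNMP answering to the default `public` community are each findings in their own right, not just sources of answers: note them for the report as well as using what they reveal.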

Video Walkthrough

About the Author

Cybersecurity trainer. MS in Cybersecurity. Expertise in the healthcare and finance industries. Penetration tester and compliance auditor.
