We covered enumerating Windows and Linux during the post-exploitation phase of a penetration test. Post-exploitation enumeration can have many objectives, including credential harvesting, privilege escalation, persistence and/or data exfiltration. Enumeration includes gathering information about users, groups, installed applications, installed updates, OS and kernel version, privileges of the current user, services, running processes, scheduled tasks, network connections, etc. This was part of the TryHackMe Enumeration room in the Red Team track.

Challenge Description

This room is an introduction to enumeration when approaching an unknown corporate environment.

Why Enumerate After Gaining Access?

Once I’ve got my foot in the door, my objectives typically evolve to:

  • Credential Harvesting: This involves dumping credentials of high-privilege users like root or system.
  • Data Exfiltration: I’m looking to find and transfer any sensitive information from the compromised system.
  • Privilege Escalation: My aim is to gain higher levels of access—moving from a low-privilege user to root or system.
  • Persistence: I want to maintain my access to the system, often by setting up backdoors or startup scripts.

To achieve any of these goals, further detailed enumeration is absolutely necessary.

What to Enumerate Post-Exploitation

The video highlighted several key areas I should always investigate on a compromised system:

  1. Users and Groups: I need to identify existing users and their group memberships. This helps me understand the privilege landscape and pinpoint potential targets for escalation. Often, initial access is as a low-privileged account, like www-data for web servers or mysql for databases, or just a regular local user.
  2. Installed Applications and Versions: Discovering installed software and their versions can reveal vulnerabilities. Exploiting these can lead to privilege escalation—either horizontally (to another user with similar but different privileges) or vertically (to a higher-privileged user like root).
  3. Operating System (OS) Name and Kernel Version: Outdated OS or kernel versions are often susceptible to known kernel exploits. A successful kernel exploit can frequently lead directly to root access. I always check for uninstalled updates or patches (hotfixes in Windows).
  4. Configuration Files: These files are a goldmine! They can contain hardcoded usernames, passwords, API keys, and other sensitive data. Finding credentials in config files is a very common way to harvest credentials or escalate privileges.
  5. Running Processes and Services: I identify running programs and the users running them. If a process’s binary has improper permissions (e.g., it’s writable by my current user, or has the SUID bit set), I might be able to modify it or hijack the process to run commands as the user who owns that process. Services can also be exploited, for example, through “unquoted service paths” in Windows.
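As an added example (not part of the room or this write-up), the following POSIX shell script turns item 5 into a repeatable check: it lists files under a given directory that are SUID, SGID, or writable by group or others, and, on Linux, reports running processes whose executable the current user could overwrite. The directories audited at the bottom are just an assumption about where custom binaries tend to live; pass whatever paths matter on the host you are reviewing.

```shell
#!/bin/sh
# Added example: script the "improper permissions on process binaries" check.
# Not from the TryHackMe room or this write-up; audit paths are caller-supplied.

# Print "mode path" for each regular file under the given directory that is SUID,
# SGID, or writable by group or others. A hit on a binary that runs as another
# user (a service, a cron job, a SUID helper) is what needs reviewing first.
# Note: paths containing spaces are printed by their last token only.
risky_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 -o -perm -0020 -o -perm -0002 \) \
       -exec ls -l {} + | awk '{ print $1, $NF }'
}

# List running processes whose executable the current user can overwrite (Linux only).
# /proc/PID/exe of other users' processes is normally unreadable, so those are skipped,
# which is fine: a binary we cannot even resolve is not one we can tamper with.
writable_running_binaries() {
  for p in /proc/[0-9]*; do
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    if [ -n "$exe" ] && [ -w "$exe" ]; then
      printf '%s %s\n' "${p#/proc/}" "$exe"
    fi
  done
}

# Usage: audit the usual spots for custom binaries (assumed locations), then the live processes.
for d in /usr/local/bin /opt; do
  if [ -d "$d" ]; then
    risky_files "$d"
  fi
done
writable_running_binaries
```

The `find` predicates use octal masks (`-4000` SUID, `-2000` SGID, `-0020` group-writable, `-0002` world-writable) because those are portable across GNU and BSD `find`; on Windows the equivalent check is the ACL on the service binary and on each directory of an unquoted service path.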

Practical Demonstration

The video below demonstrated these enumeration techniques on two virtual machines from a TryHackMe room: one Linux (Ubuntu) and one Windows (Windows Server 2019).

  • Linux Enumeration: I showed how to identify the current user and OS details, list logged-in and last logged-in users, check network connections and listening ports, find running processes and scripts (and their permissions), examine command history for sensitive information, and look for configuration files.
  • Windows Enumeration: I demonstrated getting system information (OS name, version, hotfixes), identifying the current user, their groups, and privileges, listing installed software, and checking network connections and listening ports, as well as identifying the processes using them.
  • Network Protocol Enumeration (DNS & SMB/SNMP): I covered using dig for DNS zone transfers to uncover DNS records, potentially revealing subdomains. I also used net share to list available SMB shares that might contain accessible sensitive files. Finally, I showed how to use tools like snmp-check to query SNMP services for information about network devices.

Technical Commands I Used:

Here are the commands I typed or discussed in the video:

Linux Commands:

  • whoami: Shows the current user.
  • uname -a: Displays system information (kernel name, hostname, kernel release, kernel version, machine hardware name, processor type, operating system).
  • cat /etc/lsb-release: Shows Linux Standard Base and distribution-specific information (on Ubuntu/Debian).
  • cat /etc/*-release: A more generic way to display OS release information across different Linux distributions.
  • who: Shows who is logged on.
  • w: Shows who is logged on and what they are doing.
  • last: Shows a listing of last logged in users.
  • netstat -tl: Lists listening TCP ports.
  • netstat -tulnp: Lists TCP and UDP listening ports numerically with program names/PIDs.
  • sudo netstat -lpt: Lists listening TCP ports with program names/PIDs, using sudo for more details.
  • sudo netstat -lptn: Lists listening TCP ports numerically with program names/PIDs.
  • ps aux: Lists all running processes in BSD format.
  • ps aux | grep THM: Filters ps aux output for lines containing “THM”.
  • ls -la /home/Renda/: Lists files in detail in Renda’s home directory.
  • history: Shows command history.
  • cat /var/log/auth.log: Displays authentication logs.
  • cat .bash_history: Displays bash command history.
  • cat /var/log/auth.log | grep sudo: Filters authentication logs for sudo commands.

Windows Commands (CMD/PowerShell):

  • cmd.exe: Switches to the command prompt from PowerShell.
  • powershell: Switches back to PowerShell from CMD.
  • systeminfo: Displays detailed configuration information about a computer and its operating system.
  • whoami /groups: Displays the groups to which the current user belongs.
  • whoami /priv: Displays the security privileges of the current user.
  • wmic product get name, version, vendor: Gets a list of installed software with their name, version, and vendor.
  • netstat -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • netstat -b: Displays the executable involved in creating each connection or listening port.
  • netstat -n: Displays addresses and port numbers in numerical form.
  • netstat -o: Displays the owning process ID associated with each connection.
  • netstat -an: Displays all connections and listening ports in numerical form.
  • netstat -an | findstr "LISTENING": Filters netstat -an output to show only listening connections.
  • netstat -anb: Displays all connections and listening ports numerically, showing the executable.
  • netstat -ano: Displays all connections and listening ports numerically, showing the process ID.
  • tasklist: Displays a list of currently running processes.
  • tasklist | findstr "1068": Filters tasklist output for the process with PID 1068.
  • net share: Displays information about all resources that are shared on the local computer.
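The netstat commands in both the Linux and Windows lists above are usually read by eye in the video, but the room's "highest/lowest listening TCP port and its program" questions are easy to answer mechanically. This added POSIX shell script (mine, not from the video or the room) parses constructed samples of `netstat -tulnp`, `netstat -ano` and `tasklist` output; the sample ports, PIDs and program names are invented for the example and are not the values from the THM machines.

```shell
#!/bin/sh
# Added example: pick out listening TCP ports and their owning programs from netstat output.
# All three samples below are constructed for this example, not captured from the TryHackMe VMs.

# Linux: `netstat -tulnp` style output (program names need root or socket ownership).
LINUX_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      904/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1311/python3
tcp6       0      0 :::80                   :::*                    LISTEN      1002/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# Windows: `netstat -ano` and `tasklist` output (CRLF line endings are stripped when parsing).
WIN_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1068
  TCP    10.10.1.5:49700        10.10.1.9:445          ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1520'

WIN_TASKLIST='Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        148 K
svchost.exe                    888 Services                   0      9,512 K
svchost.exe                   1068 Services                   0     24,004 K
snmp.exe                      1520 Services                   0      6,120 K'

# Emit "port program" for every LISTEN TCP socket in Linux netstat output read from stdin.
# The port is the last ":"-separated field of the local address, which also handles ":::80".
linux_listening_tcp() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         n = split($4, addr, ":"); split($7, prog, "/")
         print addr[n], prog[2] }'
}

# Emit "port pid" for every LISTENING TCP socket in Windows `netstat -ano` output read from stdin.
windows_listening_tcp() {
  tr -d '\r' | awk '$1 == "TCP" && $4 == "LISTENING" {
         n = split($2, addr, ":"); print addr[n], $5 }'
}

# Map a PID to its image name using the tasklist sample.
pid_to_image() {
  printf '%s\n' "$WIN_TASKLIST" | tr -d '\r' | awk -v pid="$1" '$2 == pid { print $1 }'
}

# Highest listening TCP port on the Linux host and the program bound to it.
linux_highest_tcp() {
  printf '%s\n' "$LINUX_NETSTAT" | linux_listening_tcp | sort -n | tail -n 1
}

# Lowest listening TCP port on the Windows host and the program bound to it.
windows_lowest_tcp() {
  set -- $(printf '%s\n' "$WIN_NETSTAT" | windows_listening_tcp | sort -n | head -n 1)
  printf '%s %s\n' "$1" "$(pid_to_image "$2")"
}

linux_highest_tcp    # 8080 python3
windows_lowest_tcp   # 135 svchost.exe
```

The Windows path goes through `-o` plus `tasklist` rather than `-b` because `netstat -b` needs an elevated prompt, while the PID-to-image lookup works from an unprivileged shell; on the defensive side, the same parser run against a known-good baseline is a cheap way to flag a newly listening port.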

Cross-Platform/Tool Commands (from attacker machine):

  • dig axfr @<server_ip> <domain_name>: Attempts a DNS zone transfer from the specified server for the given domain.
  • snmp-check -c public <target_ip>: Uses the snmp-check tool with community string “public” against the target IP.
  • ruby /opt/snmpcheck/snmpcheck.rb -c public <target_ip>: Specific execution of the snmp-check Ruby script.

Room Answers

  • In SSH key-based authentication, which key does the client need?
  • What is the name of the Linux distribution used in the VM?
  • What is its version number?
  • What is the name of the user who last logged in to the system?
  • What is the highest listening TCP port number?
  • What is the program name of the service listening on it?
  • There is a script running in the background. Its name starts with THM. What is the name of the script?
  • What is the full OS Name?
  • What is the OS Version?
  • How many hotfixes are installed on this MS Windows Server?
  • What is the lowest TCP port number listening on the system?
  • What is the name of the program listening on that port?
  • Knowing that the domain name on the MS Windows Server of IP MACHINE_IP is redteam.thm, use dig to carry out a domain transfer. What is the flag that you get in the records?
  • What is the name of the share available over SMB protocol and starts with THM?
  • Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP MACHINE_IP. What is the location specified?
  • What utility from Sysinternals Suite shows the logged-in users?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.