Intro
The tutorial systematically breaks down the enumeration process, which is a critical first step in identifying and exploiting vulnerabilities to gain higher levels of system access.
Identifying the Current User
- Windows:
whoami: Displays the current username.net user <username>: Provides detailed information about the specified user account.
- Linux:
whoami: Shows the current username.id: Offers detailed user information, including UID (User ID), GID (Group ID), and group memberships.
Enumerating Users on the System
- Windows:
net user: Lists all user accounts present on the system.
- Linux:
cat /etc/passwd: Displays the contents of the passwd file, which contains user account information (requires appropriate read permissions).
Determining the Hostname
- The
hostnamecommand is used on both Windows and Linux to display the system’s hostname.
Identifying the Operating System and Architecture
- Knowing the OS version and system architecture is vital for finding relevant kernel exploits.
- Linux:
uname -a: Provides detailed kernel information, including its version and architecture.cat /etc/issueorcat /etc/*release*: Show distribution-specific OS information.
- Windows:
systeminfo: Outputs extensive system details, including the OS version and build.
Enumerating Running Processes and Services
- The aim here is to find processes or services with weak file permissions that are running under privileged accounts.
- Windows:
tasklist /svc: Lists running processes and their associated services. However, identifying processes run by privileged users can be challenging with this command alone.
- Linux:
ps aux: Displays all running processes along with detailed information, including the user running each process, making it easier to spot those running with root or other high privileges.
Enumerating Network Information
- Network details can reveal potential pivot points and attack vectors.
- Windows:
ipconfig /all: Shows detailed network adapter configurations.route print: Displays the system’s routing table.netstat -ano: Lists active network connections, listening ports, and the process IDs (PIDs) associated with them.
- Linux:
ifconfigorip a: Display network interface information.routeornetstat -rn: Show the routing table.ss -antup: Lists active network connections, listening ports, and associated process information.
Enumerating Firewall Rules
- Understanding firewall configurations is useful for local exploitation or when using the compromised machine as a pivot.
- Windows:
netsh advfirewall show currentprofile: Displays the active firewall profile.netsh advfirewall show rule name=all: Shows all configured firewall rules.
- Linux:
- Firewall rules are commonly managed by
iptables. Inspecting these rules typically requires root privileges.
- Firewall rules are commonly managed by
Enumerating Scheduled Tasks
- Misconfigured scheduled tasks that run with high privileges can be exploited.
- Windows:
schtasks /query /fo list /v: Lists all scheduled tasks with detailed information, including the task name, next run time, and the user account under which the task executes.
- Linux:
- Scheduled tasks are managed by cron.
ls -lah /etc/cron*: Shows cron job directories.crontab -l: Lists cron jobs for the current user (the video also mentionscat /etc/crontabfor system-wide cron jobs).- System administrators might also place tasks in
/etc/cron.d/.
Enumerating Installed Applications and Patch Levels
- Identifying outdated or vulnerable software versions can open doors for privilege escalation through application-specific exploits.
- Windows:
wmic product get name,version,vendor: Uses Windows Management Instrumentation (WMI) to list installed applications, their versions, and vendors (note: this typically only shows applications installed via the Windows Installer).
- Linux:
- Package managers are used for this.
dpkg -l(Debian-based systems): Lists installed packages with their versions and descriptions.rpm -qa(Red Hat-based systems): Lists installed packages (this command was mentioned as an alternative but not demonstrated).
Enumerating Readable and Writable Files and Directories:
Discovering files or directories with weak permissions (e.g., writable by “Everyone” or “Authenticated Users”) can allow unauthorized modification and potential code execution. –
Windows: – accesschk.exe (Sysinternals tool): Can be used to find files and directories with specific permissions.
For example, to find locations writable by the “Everyone” group.
– PowerShell:
Get-ChildItem "C:\Path\To\Check" -Recurse | Get-Acl | Where-Object {$_.AccessToString -like "*Everyone*Modify*"}– Linux:
find / -writable -type f -o -writable -type d 2>/dev/nullSearches the entire filesystem for writable files and directories, redirecting errors to /dev/null.
Enumerating Device Drivers and Kernel Modules
– Vulnerabilities in device drivers or kernel modules can be exploited for system-level access.
– Linux:
– lsmod: Lists currently loaded kernel modules.
– modinfo <module_name>: Provides detailed information about a specific kernel module, including its version.
Looking for Binaries with SUID/GUID Bits Set (Linux specific)
– On Linux, binaries with the SUID (Set User ID) or GUID (Set Group ID) bit set run with the permissions of the file’s owner or group, respectively.
If a SUID binary owned by root is misconfigured or vulnerable, it can be exploited to gain root privileges.
– Linux:
– find / -perm -4000 -type f 2>/dev/null: Finds all files with the SUID bit set.
– find / -perm -2000 -type f 2>/dev/null: Finds all files with the GUID bit set.
While manual enumeration can be lengthy, it’s indispensable when automated tools fall short. I advise using automated tools for initial scans and then delving into manual techniques for a more thorough investigation, believing that most systems harbor some form of exploitable vulnerability.
Video Walkthrough
This video offers a comprehensive guide to privilege escalation techniques, covering both Windows and Linux environments. The instructor highlights that the core concepts are similar for both operating systems, with the primary distinctions found in the specific commands used.
