Intro
When an attacker has managed to gain shell access to the victim's machine, the first thing to establish is which permissions that shell actually has.
In other words, the account the attacker obtained on the victim may not be "root" (or Administrator) and therefore may not be allowed to do everything on that system.
It is also very important to discover any vulnerabilities in this area, since with maximum permissions an attacker will be able to do whatever he wants. Exploiting such a vulnerability to gain access to otherwise unavailable functions is called "privilege escalation".
"Privilege escalation" does not only mean becoming the administrator user: it also covers becoming another non-root user with privileges different from the initial user's, or simply remaining the same user but being able to execute some commands with "root" privileges.
Just to be clear, the "root" user, on Unix-like systems, is the system administrator account, the one with maximum control over the local system. It can do anything.
Manual enumeration
The following commands show how to enumerate the most important information on a victim system.
Network basic enumeration
On a Linux machine:
hostname
ifconfig -a
cat /etc/network/interfaces
netstat -tulpn
netstat -ano
iptables -L
arp -e
route
cat /etc/resolv.conf
On a Windows machine:
ipconfig /all
route print
arp -A
netstat
System basic enumeration
On a Linux machine:
ls -al /home
ls -al /root
cat /etc/passwd
cat /etc/shadow
sudo -l
cat /etc/sudoers
cat /etc/issue
cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
ls -al /etc/ssh
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
uname -a
env
lpstat -a
whoami
ls -al /var/log
mount
cat /etc/fstab
echo $PATH
On a Windows machine:
systeminfo
net users
net user "user"
net localgroup
net group /domain
Service basic enumeration
On a Linux machine:
ps aux
ps aux | grep root
cat /etc/services
cat /etc/syslog.conf
ls -al /usr/bin/
ls -al /sbin/
dpkg -l
rpm -qa
To see if there are cron jobs (on a Linux machine):
crontab -l
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/crontab
cat /etc/anacrontab
On a Windows machine:
net start
tasklist
From PowerShell:
get-process
To list the Windows services, as a starting point for checking whether any of them have write permissions granted to Everyone:
wmic service
Find SUID/SGID files (on Linux)
SUID
find / -perm -u=s -type f 2>/dev/null
SGID (often written "GUID" in these cheat sheets)
find / -perm -g=s -type f 2>/dev/null
Find folder permissions in Windows
icacls "C:\directory\directory"
Search password in Windows registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Find unquoted service paths in Windows
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
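The findstr pipeline above only excludes lines that contain a double quote; it does not check whether the unquoted part that names the executable actually contains a space, which is the condition that makes such a path a problem. The following added audit script (not part of the original page, and not real wmic output) implements that check over constructed sample service records with the same fields the wmic query asks for, and prints the quoted ImagePath an administrator should set to fix each finding:

```python
"""Audit Windows service image paths for the unquoted-path-with-spaces condition."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample records: (service name, pathname, startmode).
# These are made up for the example; they are not output captured from wmic.
SAMPLE_SERVICES: List[Tuple[str, str, str]] = [
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\good.exe" -service', "Auto"),
    ("BadSvc", "C:\\Program Files\\Bad Vendor\\bad service.exe -k net", "Auto"),
    ("ManualSvc", "C:\\Program Files\\Other\\other.exe", "Manual"),
    ("NoSpaceSvc", "C:\\Tools\\agent.exe --daemon", "Auto"),
    ("SysSvc", "C:\\Windows\\System32\\svchost.exe -k netsvcs", "Auto"),
]


def executable_part(pathname: str) -> str:
    """Return the path up to and including the first '.exe' (or the whole string)."""
    idx = pathname.lower().find(".exe")
    return pathname if idx == -1 else pathname[: idx + 4]


def is_unquoted_with_spaces(pathname: str) -> bool:
    """True when the path is not quoted and the executable path itself contains a space."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)


def find_unquoted_auto_services(records: Iterable[Tuple[str, str, str]],
                                skip_windows_dir: bool = True) -> Dict[str, str]:
    """Map each auto-start service with an unquoted, spaced path to its quoted fix.

    skip_windows_dir mirrors the page's findstr filter that drops C:\\Windows\\ paths.
    """
    findings: Dict[str, str] = {}
    for name, pathname, startmode in records:
        if startmode.lower() != "auto":
            continue
        p = pathname.strip()
        if skip_windows_dir and p.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(p):
            exe = executable_part(p)
            findings[name] = f'"{exe}"{p[len(exe):]}'  # quote only the executable path
    return findings


if __name__ == "__main__":
    for svc, fixed in find_unquoted_auto_services(SAMPLE_SERVICES).items():
        print(f"{svc}: set ImagePath to {fixed}")
```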
Automated enumeration tools
Linenum
On Linux systems, instead of manually enumerating everything, there is an automated tool that does it for you.
Just run this tool on the victim machine to get a complete enumeration.
This tool is "linenum". It can be downloaded here. Just run:
./linenum.sh
For other useful options of this command see here.
Unix-privesc-check
Another useful script for Unix systems (for example Solaris, FreeBSD) is this.
Windows-Privesc-Check
For a Windows victim machine, a useful automated enumeration tool can be found here.
There are also various useful PowerShell scripts: for example, see here and here.