How to enumerate for privilege escalation


Once an attacker has gained shell access to the victim’s machine, the first thing to establish is which user that shell runs as and what that user is allowed to do.

In other words, the account the attacker landed with may not be “root” (or Administrator) and therefore may not have permission to do everything on the victim’s system.

It is equally important to look for weaknesses that allow those privileges to be increased, since with maximum privileges an attacker can do whatever he wants. Exploiting such a weakness to reach functions that were otherwise unavailable is called “privilege escalation”.

“Privilege escalation” does not only mean becoming the administrator: it also covers becoming another non-root user with privileges different from the first one, or simply remaining the same user but being able to execute some commands with “root” privileges (for example through sudo or a setuid binary).

Just to be clear, on Unix-like systems the “root” user is the system administrator account, the one with maximum control over the local system. It can do anything.

Manual enumeration

The following commands show how to enumerate the most important aspects of a victim system. Many of the files listed are readable only by root on a correctly configured machine, so a “permission denied” tells you something too: it means the check has to wait until you have more privileges, while an unexpected success is a finding in itself.

Network basic enumeration

In linux machine:

ifconfig -a
ip a
cat /etc/network/interfaces
netstat -tulpn
netstat -ano
ss -tulpn
iptables -L
arp -e
cat /etc/resolv.conf

(ifconfig, netstat and arp are often missing on recent distributions; ip a, ip route, ip neigh and ss -tulpn give the same information.) Services bound only to 127.0.0.1 deserve attention: they are invisible from the outside and frequently run as root.

In Windows machine:

ipconfig /all
route print
arp -a
netstat -ano

System basic enumeration

In linux machine:

id
ls -al /home
ls -al /root
cat /etc/passwd
cat /etc/shadow
sudo -l
cat /etc/sudoers
cat /etc/issue
ls -al ~/.ssh/
cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa
ls -al /etc/ssh
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key
uname -a
lpstat -a
ls -al /var/log
cat /etc/fstab
echo $PATH

On a sane system /etc/shadow, /etc/sudoers and the SSH host keys are readable only by root, so if any of them opens you already have a finding. In the sudo -l output look for entries runnable as root without a password (NOPASSWD) and for commands that can spawn a shell or write files. A writable directory early in $PATH lets you shadow commands that other users or root jobs run by name.
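
The account-level checks behind cat /etc/passwd and cat /etc/shadow, as an added example that is not part of the original post. The functions take a file path, so they run on the live /etc files as well as on copies pulled off the target; the sample passwd and shadow content at the bottom is constructed for the demo, not taken from a real system.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: triage passwd- and shadow-format
# files for the account findings that matter for privilege escalation.
# Every function takes a file path so it runs on the live /etc files or on a
# copy pulled off the target.

# Accounts with UID 0. Anything besides "root" is a backdoor or a
# misconfiguration and is already an escalation path.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that can log in interactively (shell is not nologin/false/sync...).
# These are the horizontal-escalation targets worth hunting credentials for.
login_accounts() {
  awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# passwd entries whose second field is not the "x" or "*" placeholder: either
# a real hash sitting in a world-readable file (crack it offline) or an empty
# field, i.e. an account with no password at all.
hash_or_empty_in_passwd() {
  awk -F: '$2 != "x" && $2 != "*" { print $1 }' "$1"
}

# Accounts in a shadow-format file whose password field is empty. Only
# checkable when /etc/shadow turned out to be readable.
empty_shadow_passwords() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Report read/write access of the current user to each file given. A writable
# /etc/passwd means you can simply append a UID 0 account.
file_access_report() {
  local f
  for f in "$@"; do
    printf '%s: ' "$f"
    if [ -r "$f" ]; then printf 'readable '; else printf 'not-readable '; fi
    if [ -w "$f" ]; then printf 'WRITABLE\n'; else printf 'not-writable\n'; fi
  done
}

# Demo on constructed sample files (not real system data).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
backup:x:0:34:backup:/var/backups:/bin/sh
legacy:$1$abc$zzz:1002:1002::/home/legacy:/bin/bash
guest::1003:1003::/home/guest:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
alice:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
echo "UID 0 accounts:";                   uid0_accounts "$demo/passwd"
echo "Accounts with a login shell:";      login_accounts "$demo/passwd"
echo "Hash or empty password in passwd:"; hash_or_empty_in_passwd "$demo/passwd"
echo "Empty password in shadow:";         empty_shadow_passwords "$demo/shadow"
file_access_report "$demo/passwd" "$demo/shadow"
rm -rf "$demo"
```

Against the sample, uid0_accounts reports backup as a second UID 0 account, hash_or_empty_in_passwd reports legacy (hash in passwd) and guest (no password), and file_access_report shows at a glance whether the real files are writable.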

In Windows machine:

whoami /all
net user
net user "user"
net localgroup
net localgroup Administrators
net group /domain
systeminfo

whoami /all lists the current user’s groups and privileges (SeImpersonatePrivilege, SeBackupPrivilege and similar are classic escalation starting points); systeminfo gives the OS version and installed hotfixes, which decide whether a kernel exploit is an option.

Service basic enumeration

In linux machine:

ps aux
ps aux | grep root
cat /etc/services
cat /etc/syslog.conf
ls -al /usr/bin/
ls -al /sbin/
dpkg -l
rpm -qa

To see if there are cronjobs (in linux machine):

crontab -l
ls -la /etc/cron*
cat /etc/crontab
cat /etc/cron.d/*
cat /etc/anacrontab
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny

Look for a job that runs as root and executes a script you can write to (or that lives in a directory you can write to), and for jobs whose command is given without an absolute path while the PATH set in the crontab includes a writable directory. Other users’ crontabs in /var/spool/cron are normally readable only by root.
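
The writable-root-job check described above, as an added example that is not part of the original post. It parses a system crontab (the /etc/crontab and /etc/cron.d format with a user field), assumes GNU find for the permission test, and only follows absolute command paths; the crontab and scripts in the demo are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scan a system crontab
# (/etc/crontab or /etc/cron.d/* format, i.e. with a user field) for jobs that
# run as root but execute something a low-privileged user can change.
# Assumes GNU find for the permission test and checks only absolute command
# paths; lines such as "root sh /tmp/x.sh" still need a manual look.

# Print "user command" for every job, skipping comments, blank lines and
# VAR=value settings, and handling @reboot/@daily style schedules.
cron_jobs() {
  awk '
    /^[ \t]*(#|$)/              { next }                 # comment or blank
    /^[A-Za-z_][A-Za-z0-9_]*=/  { next }                 # SHELL=, PATH=, MAILTO=
    $1 ~ /^@/                   { print $2, $3; next }   # @reboot user command
    NF >= 7                     { print $6, $7 }         # m h dom mon dow user command
  ' "$1"
}

# True when the path is writable by "other" (world-writable).
world_writable() {
  [ -n "$(find "$1" -maxdepth 0 -perm -o+w 2>/dev/null)" ]
}

# Root jobs whose command file, or the directory it lives in, is
# world-writable. Either one lets an attacker decide what root executes.
writable_root_cronjobs() {
  cron_jobs "$1" | while read -r user cmd; do
    [ "$user" = root ] || continue
    case "$cmd" in /*) ;; *) continue ;; esac    # only absolute paths
    if world_writable "$cmd"; then
      printf 'WRITABLE SCRIPT: %s\n' "$cmd"
    elif world_writable "$(dirname "$cmd")"; then
      printf 'WRITABLE DIR: %s (job runs %s)\n' "$(dirname "$cmd")" "$cmd"
    fi
  done
}

# Demo on a constructed crontab and scripts (not a real system).
demo=$(mktemp -d)
mkdir "$demo/dropbox"; chmod 777 "$demo/dropbox"
printf '#!/bin/sh\necho backup\n' > "$demo/dropbox/backup.sh"; chmod 644 "$demo/dropbox/backup.sh"
printf '#!/bin/sh\necho clean\n'  > "$demo/clean.sh";          chmod 755 "$demo/clean.sh"
printf '#!/bin/sh\necho loose\n'  > "$demo/loose.sh";          chmod 777 "$demo/loose.sh"
cat > "$demo/crontab" <<EOF
# constructed /etc/crontab
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
17 *   * * *   root      $demo/clean.sh
25 6   * * *   root      $demo/loose.sh --full
@reboot        root      $demo/dropbox/backup.sh
*/5 *  * * *   www-data  $demo/loose.sh
EOF
writable_root_cronjobs "$demo/crontab"
rm -rf "$demo"
```

The demo flags loose.sh (world-writable script run as root) and backup.sh (not writable itself, but sitting in a world-writable directory, so it can be replaced); the clean.sh job and the www-data job are ignored. Run it as the low-privileged user against /etc/crontab and each file in /etc/cron.d.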

In Windows machine:

net start
sc query
wmic service get name,displayname,pathname,startmode

From PowerShell:

Get-Service
Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode, StartName

Note that listing services does not tell you who is allowed to reconfigure them: wmic service on its own only enumerates them. To find services whose configuration can be changed by low-privileged users (Everyone, Authenticated Users, your own account), use Sysinternals accesschk, and check the service binary and its directory with icacls:

accesschk.exe -uwcqv "Authenticated Users" *
icacls "C:\path\to\service.exe"

Find SUID/SGID files (in Linux)

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Or both in one pass:

find / -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null

A setuid binary runs with the privileges of its owner, a setgid one with those of its group, regardless of who executes it. Compare the result against the small set every distribution ships (su, sudo, passwd, mount, ping and a few others): anything else, especially a custom program, an interpreter or a copy of a shell owned by root, deserves a close look.
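
The find commands above return everything; the added example below (not part of the original post) wraps them so the result can be compared against a baseline of names that are expected to be setuid. The baseline list is an illustrative assumption for the example, not an authoritative one, and the demo runs on a constructed directory so it does not depend on the host.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: list setuid/setgid files under a
# directory and separate the ones every distribution ships from the unusual
# ones. Assumes GNU find. The baseline below is an illustrative list for the
# example, not an authoritative one: confirm anything it hides with
# dpkg -S / rpm -qf and check the owner with ls -l.

# Regular files with the setuid (4000) or setgid (2000) bit, sorted.
find_setid_files() {
  local root="${1:-/}"
  find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Basenames that are expected to carry a setuid/setgid bit on a typical
# Linux install (constructed baseline; extend it for the target's distro).
EXPECTED_SETID='su sudo passwd chsh chfn gpasswd newgrp mount umount ping fusermount pkexec'

# Setid files whose basename is not in the baseline. A custom binary, an
# interpreter or a copy of a shell here is the classic escalation finding.
unusual_setid_files() {
  local f name
  find_setid_files "$1" | while IFS= read -r f; do
    name=$(basename "$f")
    case " $EXPECTED_SETID " in
      *" $name "*) ;;                     # known name, skip
      *) printf '%s\n' "$f" ;;
    esac
  done
}

# Mode and owner of every finding: setuid root and setgid to a privileged
# group (shadow, disk, docker) are the ones worth the time.
describe_setid_files() {
  find_setid_files "$1" | while IFS= read -r f; do
    ls -ld "$f"
  done
}

# Demo on a constructed directory, so it does not depend on the host.
demo=$(mktemp -d)
touch "$demo/passwd" "$demo/backdoor" "$demo/plain" "$demo/sgidtool"
chmod 4755 "$demo/passwd" "$demo/backdoor"   # setuid
chmod 2755 "$demo/sgidtool"                  # setgid
chmod 0755 "$demo/plain"                     # neither
echo "All setid files:";        find_setid_files "$demo"
echo "Unexpected setid files:"; unusual_setid_files "$demo"
describe_setid_files "$demo"
rm -rf "$demo"
```

A known name in the list is not proof of innocence (anything can be renamed passwd), so finish with describe_setid_files and the package manager check before discarding a hit.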

Find folder permissions in Windows

icacls "C:\directory\directory"

In the output, look for (F) full, (M) modify or (W) write granted to Everyone, BUILTIN\Users, Authenticated Users or your own account; (OI) and (CI) mean the right is inherited by files and subfolders. A writable directory that holds a binary executed by a service or scheduled task running as SYSTEM is an escalation path.

Search password in Windows registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Two locations worth querying directly are the autologon credentials and saved PuTTY sessions:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

Find unquoted service paths in Windows

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

This lists auto-start services outside C:\Windows whose binary path is not enclosed in quotes. When such a path contains spaces, Windows resolves it by trying each space-separated prefix in turn (C:\Program.exe, then C:\Program Files\Some.exe, and so on) before reaching the real binary, so if any of those directories is writable to you, a file placed there with the right name is executed with the service’s privileges on the next start. Check each candidate directory with icacls.
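
The same filter as the wmic | findstr one-liner, plus the list of locations Windows tries for an unquoted path, as an added example that is not part of the original post. It works offline on a service list exported with wmic service get name,pathname,startmode /format:csv, assumes the columns Node,Name,PathName,StartMode with no commas inside PathName, and the CSV in the demo is constructed rather than captured from a host.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: offline triage of a service list
# exported from a Windows host with
#   wmic service get name,pathname,startmode /format:csv > services.csv
# Assumes the columns Node,Name,PathName,StartMode and no commas inside
# PathName. The sample data below is constructed, not captured from a host.

# "Name<TAB>PathName" for auto-start services whose path is unquoted,
# contains a space and is outside C:\Windows: the same filter as the
# wmic | findstr one-liner, applied to an exported file.
unquoted_service_paths() {
  tr -d '\r' < "$1" | awk -F, '
    $0 == "" || $2 == "Name"        { next }   # blank line or header
    tolower($4) != "auto"           { next }   # only auto-start services
    $3 ~ /^"/                       { next }   # already quoted
    $3 !~ / /                       { next }   # no space, nothing to hijack
    tolower($3) ~ /^c:\\windows\\/  { next }   # skip the OS directory
    { print $2 "\t" $3 }
  '
}

# Every executable Windows tries, in order, when it starts a service from an
# unquoted path with spaces: it splits at each space and appends .exe until
# something runs; the real binary is printed last. If one of the earlier
# locations is writable, a binary planted there runs as the service account
# (usually SYSTEM) on the next start.
hijack_candidates() {
  local cmdline="$1" prefix="" word
  set -f                       # no globbing while splitting on spaces
  # shellcheck disable=SC2086
  set -- $cmdline
  set +f
  for word in "$@"; do
    if [ -z "$prefix" ]; then prefix="$word"; else prefix="$prefix $word"; fi
    case "$prefix" in
      *.exe|*.EXE) printf '%s\n' "$prefix"; return ;;   # the real binary
      *)           printf '%s.exe\n' "$prefix" ;;
    esac
  done
}

# Demo on a constructed export.
demo=$(mktemp)
cat > "$demo" <<'EOF'

Node,Name,PathName,StartMode
WS01,Spooler,C:\Windows\System32\spoolsv.exe,Auto
WS01,GoodSvc,"C:\Program Files\Good Vendor\good.exe" -service,Auto
WS01,LegacyAgent,C:\Program Files\Legacy Agent\agent.exe -run,Auto
WS01,ManualThing,C:\Program Files\Manual Thing\mt.exe,Manual
WS01,NoSpaceSvc,C:\Tools\svc.exe,Auto
EOF
tab="$(printf '\t')"
unquoted_service_paths "$demo" | while IFS="$tab" read -r name path; do
  echo "== $name: $path"
  hijack_candidates "$path" | sed 's/^/   try: /'
done
rm -f "$demo"
```

Only LegacyAgent survives the filter, and for it the candidates are C:\Program.exe, C:\Program Files\Legacy.exe and finally the real agent.exe; the first two are the directories to test with icacls.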

Automated enumeration tools


On Linux systems, instead of enumerating everything by hand, there are scripts that do it for you.

Just copy the script to the victim machine and run it to get a complete enumeration.

One such tool is LinEnum. It can be downloaded from its GitHub repository (rebootuser/LinEnum). Just run:

./LinEnum.sh

For the other options (keyword search, thorough mode, exporting a report) run ./LinEnum.sh -h or see the project’s README.

Another useful script exists for other Unix systems (for example Solaris or FreeBSD), where the Linux-specific checks of LinEnum do not apply.

For a Windows victim machine automated enumeration tools exist as well, and there are also various useful PowerShell scripts for the same purpose.

Keep in mind that these scripts are noisy: they read hundreds of files and spawn many processes, so on a monitored target they are easily noticed by endpoint protection. When stealth matters, run the manual commands above selectively instead.
