How to enumerate for privilege escalation

Intro

When the attacker has managed to gain shell access to the victim’s machine, it is important to immediately understand what permissions he has.

In other words, the user with whom the attacker accessed the victim may not be “root” (or administrator) and therefore may not have permission to do everything on that victim’s system.

It is also very important to discover any vulnerabilities in this regard, since with maximum permissions an attacker will be able to do whatever he wants. This exploitation of a vulnerability to gain access to otherwise unavailable functions is called “privilege escalation”.

But “privilege escalation” does not only mean becoming an administrator user, but also becoming another non “root” user with other privileges than the first user or simply remaining the same user but being able to execute some commands with “root” privileges.

Just to be clear, the “root” user, in unix-like systems, is the system administrator user, the one who has maximum control over the local system. He can do anything.

Manual enumeration

The following commands, indicate how to enumerate the most important features on a victim system.

Network basic enumeration

In linux machine:

hostname
ifconfig -a
cat /etc/network/interfaces
netstat -tulpn
netstat -ano
iptables -L
arp -e
route
cat /etc/resolv.conf

In Windows machine:

ipconfig /all
route print
arp -A
netstat

System basic enumeration

In linux machine:

ls -al /home
ls -al /root
cat /etc/passwd
cat /etc/shadow
sudo -l
cat /etc/sudoers
cat /etc/issue
cat ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
ls -al /etc/ssh
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
uname -a
env
lpstat -a
whoami
ls -al /var/log
mount
cat /etc/fstab
echo $PATH

In Windows machine:

systeminfo
net users

net user "user"
net localgroup
net group /domain

Service basic enumeration

In linux machine:

ps aux
ps aux | grep root
cat /etc/services
cat /etc/syslog.conf
ls -al /usr/bin/
ls -al /sbin/
dpkg -l
rpm -qa

To see if there are cronjobs (in linux machine):

crontab -l
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/crontab
cat /etc/anacrontab

In Windows machine:

net start
tasklist

From Powershell:

get-process

To see if there are services that have write permissions set to everyone in Windows:

wmic service

Find SUID/GUID files (in Linux)

SUID

find / -perm -u=s -type f 2>/dev/null

GUID

find / -perm -g=s -type f 2>/dev/null

Find folder permissions in Windows

icacls "C:\directory\directory"

Search password in Windows registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Find unquoted service paths in Windows

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Automated enumeration tools

Linenum

In Linux systems, instead of manually enumerating everything, there is an automatic tool that do everything for you.

Just run this tool on the victim machine to get a complete enumeration.

This tool is “linenum“. It can be downloaded here. Just run:

./linenum.sh

For other useful options of this command see here.

Unix-privesc-check

Another useful script for Unix systems (for example Solaris, FreeBSD) is this.

Windows-Privesc-Check

For Windows victim machine a useful automated enumeration tool can be found here.

There are also various useful scripts for Powershell: for example, see here and here.

5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments