Open WDavid404 opened 11 months ago
user@TryHackMe$ ls /etc/*-release
/etc/centos-release /etc/os-release /etc/redhat-release /etc/system-release
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
[...]
hostname
cat /etc/passwd
cat /etc/group
cat /etc/shadow
//check mail directories
ls -lh /var/mail/
//To find the installed applications you can consider listing the files in /usr/bin/ and /sbin/:
ls -lh /usr/bin/
ls -lh /sbin/
//On an RPM-based Linux system, you can get a list of all installed packages using rpm -qa.
//The -qa indicates that we want to query all packages.
rpm -qa
//On a Debian-based Linux system (Ubuntu), you can get the list of installed packages using dpkg -l
dpkg -l
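Added example (not part of the original notes): a small POSIX sh + awk script that reviews what `cat /etc/passwd` and `cat /etc/shadow` reveal, the way a defender auditing a host would read them. It flags UID 0 accounts, accounts with an interactive shell, accounts whose shadow password field is empty, and locked accounts. The passwd and shadow files are constructed samples written to a temp directory, and the hash values are placeholders, so it runs offline without touching the real system files.

```shell
#!/bin/sh
# Account review over passwd/shadow-format files.
# All input below is constructed sample data, not taken from a real host.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed /etc/passwd sample (name:x:uid:gid:gecos:home:shell).
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
jane:x:1000:1000:Jane:/home/jane:/bin/bash
peter:x:1001:1001:Peter:/home/peter:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
EOF

# Constructed /etc/shadow sample; real hashes replaced by a placeholder.
cat > "$WORK/shadow" <<'EOF'
root:$6$PLACEHOLDERHASH:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
sshd:!!:19500:0:99999:7:::
jane:$6$PLACEHOLDERHASH:19500:0:99999:7:::
peter::19500:0:99999:7:::
backup:$6$PLACEHOLDERHASH:19500:0:99999:7:::
EOF

# Every UID 0 account is root-equivalent; any name other than "root"
# needs an explanation.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shell is not nologin/false can log in interactively.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# An empty shadow password field means login with no password at all.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# A password field starting with "!" or "*" means password login is locked.
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

account_report() {
    echo "UID 0 accounts:";        uid0_accounts "$WORK/passwd"
    echo "Interactive shells:";    login_shell_accounts "$WORK/passwd"
    echo "Passwordless accounts:"; passwordless_accounts "$WORK/shadow"
    echo "Locked accounts:";       locked_accounts "$WORK/shadow"
}

account_report
```

On the sample data the report shows `backup` as a second UID 0 account and `peter` as an account with no password, which are exactly the two findings that matter when reviewing a host.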
who
//shows who is logged in and what they are doing.
w
user@TryHackMe$ w
07:18:43 up 18:05, 3 users, load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE    JCPU   PCPU  WHAT
root     tty1                      Wed13    17:52m  0.00s  0.00s less -s
jane     pts/0    10.20.30.105     07:17    3.00s   0.01s  0.00s w
peter    pts/1    10.20.30.113     07:13    5:23    0.00s  0.00s vi notes.txt
//To print the real and effective user and group IDs
id
// Displays a listing of the last logged-in users; it also shows who logged out and how long they stayed connected.
user@TryHackMe$ last
jane pts/0 10.20.30.105 Thu May 19 07:17 still logged in
peter pts/1 10.20.30.113 Thu May 19 07:13 still logged in
michael pts/0 10.20.30.1 Thu May 19 05:12 - 05:17 (00:04)
randa pts/1 10.20.30.107 Wed May 18 14:18 - 07:08 (16:49)
root tty1 Wed May 18 13:24 still logged in
[...]
//To list the allowed commands for the invoking user on the current system.
sudo -l
//show IP info
ip address show (or 'ip a s', 'ifconfig -a')
//The DNS servers can be found in the /etc/resolv.conf
cat /etc/resolv.conf
//netstat -plt lists the programs listening on TCP sockets.
netstat -plt
//netstat -atupn shows all TCP and UDP listening and established connections, with program names, addresses and ports in numeric format.
netstat -atupn
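Added example (not from the original notes): a POSIX sh + awk parser for `netstat -atupn` output that picks out the two things a defender reads it for: services listening on all interfaces (bound to 0.0.0.0 or ::) rather than loopback only, and the remote peers of established connections. The netstat output is a constructed sample embedded in the script; it handles the real format's quirks, namely that UDP rows have no State column and program names may contain spaces.

```shell
#!/bin/sh
# Review netstat -atupn output for exposed listeners and remote peers.
# The sample below is constructed, not captured from a real host.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1043/master
tcp        0      0 10.20.30.5:22           10.20.30.105:50412      ESTABLISHED 2216/sshd: jane
tcp6       0      0 :::80                   :::*                    LISTEN      1301/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           705/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           650/chronyd
EOF

# Listeners bound to every interface: "proto local-address pid/program".
# UDP rows carry no State column, so the program name is field 6 there.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }              # skip headers
        {
            if ($1 ~ /^tcp/) { state = $6; prog = $7 }
            else             { state = "LISTEN"; prog = $6 }   # bound UDP socket
            if (state != "LISTEN") next
            if ($4 ~ /^(0\.0\.0\.0:|:::)/) print $1, $4, prog
        }' "$1"
}

# Remote IPs of established TCP connections, port stripped, deduplicated.
remote_peers() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            peer = $5; sub(/:[0-9]+$/, "", peer); print peer
        }' "$1" | sort -u
}

echo "Listening on all interfaces:"; exposed_listeners "$WORK/netstat.txt"
echo "Established peers:";           remote_peers "$WORK/netstat.txt"
```

The loopback-only listeners (postfix on 127.0.0.1:25, chronyd on 127.0.0.1:323) are deliberately left out of the first list, since they are not reachable from the network; the second list is what you would cross-check against `w` and `last` to see whether a connection is a known login session.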
// To display only Internet and network connections
// lsof stands for List Open Files
sudo lsof -i
//lsof -i :25, to limit the output to those related to port 25
lsof -i :25
ps -ef or ps -el
ps aux
ps axjf : to print a process tree.
PS C:\Users\dave> systeminfo
//check installed updates
wmic qfe get Caption,Description
//check the installed and started Windows services
net start
// If only interested in installed apps
wmic product get name,version,vendor
C:\Users\dave>whoami
C:\Users\dave> whoami /groups
C:\Users\dave> whoami /priv
C:\Users\dave> net user ## list all users
C:\Users\dave> net group
C:\Users\dave> net localgroup
PS C:\Users\dave> Get-LocalUser
PS C:\Users\dave> Get-LocalGroup
PS C:\Users\dave> Get-LocalGroupMember adminteam
PS C:\Users\dave> Get-LocalGroupMember Administrators
//list the users that belong to the local administrators’ group
net localgroup administrators
//see the local settings on a machine
net accounts
// see if the machine belongs to a domain
net accounts /domain
ipconfig
netstat -abno
netstat -abno -p TCP : only show TCP (-p selects the protocol)
PS C:\Users\dave> ipconfig /all
PS C:\Users\dave> route print
PS C:\Users\dave> netstat -ano
//shows the current ARP entries, i.e., the physical addresses of the systems on the same LAN that communicated with your system.
arp -a
PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
## Besides, we should always check the 32-bit and 64-bit Program Files directories located in **C:\**. Additionally, we should review the contents of the **Downloads** directory of our user to find more potential programs.
PS C:\Users\dave> Get-Process
Tools: Sysinternals Suite, Process Hacker, GhostPack Seatbelt
dig -t AXFR DOMAIN_NAME @DNS_SERVER
The -t AXFR indicates that we are requesting a zone transfer, while @ precedes the DNS_SERVER that we want to query regarding the records related to the specified DOMAIN_NAME.
Case: Knowing that the domain name on the MS Windows Server of IP 10.10.64.128 is redteam.thm, use dig to carry out a domain transfer.
dig -t AXFR redteam.thm @10.10.64.128
Simple Network Management Protocol (SNMP) was designed to help collect information about different devices on the network.
Tool: snmpcheck
/opt/snmpcheck/snmpcheck.rb 10.10.64.128 -c COMMUNITY_STRING
Case: Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.64.128
./snmpcheck.rb 10.10.64.128 -c public|more
Tool: Enum4linux. Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB.
The syntax of Enum4Linux is nice and simple: "enum4linux [options] ip"
| Tag | Function |
| --- | --- |
| -U | get userlist |
| -M | get machine list |
| -N | get namelist dump (different from -U and -M) |
| -S | get sharelist |
| -P | get password policy information |
| -G | get group and member list |
| -a | all of the above (full basic enumeration) |
Server Message Block (SMB) is a communication protocol that provides shared access to files and printers. We can check shared folders using net share.
user@TryHackMe$ net share
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Internal     C:\Internal Files               Internal Documents
Users        C:\Users
The command completed successfully.
We can see that C:\Internal Files is shared under the name Internal.
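Added example (not from the original notes): a POSIX sh + awk parser for `net share` output that separates the hidden administrative shares (names ending in `$`, such as `C$`, `ADMIN$`, `IPC$`) from shares someone added by hand, which are the ones worth reviewing for what they expose. Because the Resource column can contain spaces (`C:\Internal Files`), it locates the columns from the header line instead of splitting on whitespace. The input is a constructed copy of the listing shown above, so it runs offline on any Unix shell.

```shell
#!/bin/sh
# Find non-administrative shares in `net share` output.
# The listing below is a constructed sample matching the notes above.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/netshare.txt" <<'EOF'

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Internal     C:\Internal Files               Internal Documents
Users        C:\Users
The command completed successfully.
EOF

# Prints "name|path" for every share whose name does not end in "$".
# Column offsets come from the "Share name   Resource   Remark" header,
# so paths containing spaces are preserved intact.
non_default_shares() {
    awk '
        /^Share name/ { r = index($0, "Resource"); k = index($0, "Remark"); next }
        r == 0 || /^-+$/ || /^$/ || /^The command/ { next }   # before header, rules, footer
        {
            name = $1
            path = substr($0, r, k - r); sub(/ +$/, "", path)
            if (name !~ /\$$/) print name "|" path
        }' "$1"
}

echo "Shares added beyond the defaults:"
non_default_shares "$WORK/netshare.txt"
```

On the sample this reports `Internal|C:\Internal Files` and `Users|C:\Users`; sharing all of `C:\Users` is the kind of finding that should prompt a permissions review on the host.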
kali@kali:~$ sudo nbtscan -r 192.168.50.0/24
Doing NBT name scan for addresses from 192.168.50.0/24
IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.50.124   SAMBA            <server>  SAMBA            00:00:00:00:00:00
192.168.50.134   SAMBAWEB         <server>  SAMBAWEB         00:00:00:00:00:00
...
Nmap also offers many useful NSE scripts that we can use to discover and enumerate SMB services. We'll find these scripts in the /usr/share/nmap/scripts directory.
kali@kali:~$ ls -1 /usr/share/nmap/scripts/smb*
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
...
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152
Running 'net view' to list remote shares
C:\Users\student>net view \\dc01 /all
Shared resources at \\dc01
Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
NETLOGON    Disk           Logon server share
SYSVOL      Disk           Logon server share
The command completed successfully.
post-exploitation enumeration