WDavid404 / Note_tryhackme


Enumeration #9

Open WDavid404 opened 11 months ago

WDavid404 commented 11 months ago

post-exploitation enumeration

WDavid404 commented 11 months ago

Linux enumeration

System

user@TryHackMe$ ls /etc/*-release
/etc/centos-release  /etc/os-release  /etc/redhat-release  /etc/system-release
$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
[...]
hostname
cat /etc/passwd
cat /etc/group
cat /etc/shadow

//check mail directories
ls -lh /var/mail/

//To find the installed applications you can consider listing the files in /usr/bin/ and /sbin/:
ls -lh /usr/bin/
ls -lh /sbin/

//On an RPM-based Linux system, you can get a list of all installed packages using rpm -qa. 
//The -qa indicates that we want to query all packages.
rpm -qa

//On a Debian-based Linux system (Ubuntu), you can get the list of installed packages using dpkg -l
dpkg -l

who

//shows who is logged in and what they are doing. 
w

user@TryHackMe$ w
 07:18:43 up 18:05,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      Wed13   17:52m  0.00s  0.00s less -s
jane     pts/0    10.20.30.105     07:17    3.00s  0.01s  0.00s w
peter    pts/1    10.20.30.113     07:13    5:23   0.00s  0.00s vi notes.txt

//To print the real and effective user and group IDs
id

// Displays a listing of the last logged-in users; moreover, we can see who logged out and how long they stayed connected.
user@TryHackMe$ last
jane     pts/0        10.20.30.105     Thu May 19 07:17   still logged in   
peter    pts/1        10.20.30.113     Thu May 19 07:13   still logged in   
michael  pts/0        10.20.30.1       Thu May 19 05:12 - 05:17  (00:04)    
randa    pts/1        10.20.30.107     Wed May 18 14:18 - 07:08  (16:49)    
root     tty1                          Wed May 18 13:24   still logged in
[...]

//To list the allowed commands for the invoking user on the current system.
sudo -l

Network

//show IP info
ip address show    (or 'ip a s', 'ifconfig -a')

//The DNS servers can be found in the /etc/resolv.conf
cat /etc/resolv.conf

//netstat -plt will return Programs Listening on TCP sockets. 
netstat -plt 

//netstat -atupn will show All TCP and UDP listening and established connections and the program names with addresses and ports in numeric format.
netstat -atupn

// To display only Internet and network connections
// lsof stands for List Open Files
sudo lsof -i

//lsof -i :25,  to limit the output to those related to port 25
lsof -i :25

Running Services

ps -ef  or  ps -el
ps aux
ps axjf  :  to print a process tree.
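An added check, not part of the original notes, for what to look for in the `cat /etc/passwd` output listed above: parse the file and flag extra UID-0 accounts, accounts with an empty password field, and the accounts that can log in interactively. The passwd content and the no-login shell list are constructed assumptions.

```python
# Constructed /etc/passwd sample (not from the page): a normal host plus two
# findings a reviewer must catch, a second UID 0 account and an account with
# an empty password field (no password required to log in).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
jane:x:1000:1000:Jane:/home/jane:/bin/bash
peter:x:1001:1001:Peter:/home/peter:/bin/zsh
svc-backup::1002:1002:Backup service:/var/backup:/bin/sh
toor:x:0:0:Second root:/root:/bin/bash
"""

# Shells that cannot be used to log in interactively (assumed list; extend as needed).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed lines are skipped rather than crashing the audit."""
    users = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        if not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users

def audit_passwd(text):
    """Checks a defender runs after `cat /etc/passwd`: extra UID-0 accounts,
    accounts with an empty password field, and which accounts can log in."""
    users = parse_passwd(text)
    return {
        "extra_uid0": [u["name"] for u in users if u["uid"] == 0 and u["name"] != "root"],
        "empty_password": [u["name"] for u in users if u["pw"] == ""],
        "interactive": [u["name"] for u in users if u["shell"] not in NOLOGIN_SHELLS],
    }
```

On a live host, pass `open("/etc/passwd").read()` to `audit_passwd` and compare the `interactive` list against the accounts you expect; anything in `extra_uid0` or `empty_password` needs an explanation.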
WDavid404 commented 11 months ago

Windows Enumeration

System info

PS C:\Users\dave> systeminfo

//check installed updates
wmic qfe get Caption,Description

//check the installed and started Windows services 
net start

// If only interested in installed apps
wmic product get name,version,vendor

User

C:\Users\dave>whoami
C:\Users\dave> whoami /groups
C:\Users\dave> whoami /priv

C:\Users\dave> net user    ## list all users
C:\Users\dave> net group
C:\Users\dave>  net localgroup
PS C:\Users\dave> Get-LocalUser
PS C:\Users\dave> Get-LocalGroup
PS C:\Users\dave> Get-LocalGroupMember adminteam
PS C:\Users\dave> Get-LocalGroupMember Administrators

//list the users that belong to the local administrators’ group
net localgroup administrators

//see the local settings on a machine
net accounts

// see if the machine belongs to a domain
net accounts /domain

Networking

ipconfig
netstat -abno
netstat -abno -p TCP :  only show TCP (-p selects the protocol)
PS C:\Users\dave> ipconfig /all
PS C:\Users\dave> route print
PS C:\Users\dave> netstat -ano

//shows the current ARP entries, i.e., the physical addresses of the systems on the same LAN that communicated with your system.
arp -a

Installed program

PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname 
PS C:\Users\dave> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
## Besides, we should always check the 32-bit and 64-bit Program Files directories located in **C:\**. Additionally, we should review the contents of the **Downloads directory** of our user to find more potential programs.

Running process

PS C:\Users\dave> Get-Process

More Tools for Windows

Sysinternals Suite, Process Hacker, GhostPack Seatbelt

WDavid404 commented 11 months ago

DNS, SMB, and SNMP.

DNS

dig -t AXFR DOMAIN_NAME @DNS_SERVER

The -t AXFR indicates that we are requesting a zone transfer, while @ precedes the DNS_SERVER that we want to query regarding the records related to the specified DOMAIN_NAME.

Case: Knowing that the domain name on the MS Windows Server of IP 10.10.64.128 is redteam.thm, use dig to carry out a domain transfer.

dig -t AXFR redteam.thm @10.10.64.128

SNMP

Simple Network Management Protocol (SNMP) was designed to help collect information about different devices on the network.

Tool: snmpcheck

/opt/snmpcheck/snmpcheck.rb 10.10.64.128 -c COMMUNITY_STRING

Case: Knowing that the community string used by the SNMP service is public, use snmpcheck to collect information about the MS Windows Server of IP 10.10.64.128

./snmpcheck.rb 10.10.64.128 -c public|more

WDavid404 commented 11 months ago

Enumerate SMB

Tool: Enum4linux

Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB.

The syntax of Enum4Linux is nice and simple: "enum4linux [options] ip"

TAG   FUNCTION
-U    get userlist
-M    get machine list
-N    get namelist dump (different from -U and -M)
-S    get sharelist
-P    get password policy information
-G    get group and member list
-a    all of the above (full basic enumeration)

WDavid404 commented 9 months ago

SMB

Server Message Block (SMB) is a communication protocol that provides shared access to files and printers. We can check shared folders using net share.

user@TryHackMe$ net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Internal     C:\Internal Files               Internal Documents
Users        C:\Users
The command completed successfully.

We can see that C:\Internal Files is shared under the name Internal.

NetBIOS information

kali@kali:~$ sudo nbtscan -r 192.168.50.0/24
Doing NBT name scan for addresses from 192.168.50.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.50.124   SAMBA            <server>  SAMBA            00:00:00:00:00:00
192.168.50.134   SAMBAWEB         <server>  SAMBAWEB         00:00:00:00:00:00
...

SMB with nmap

Nmap also offers many useful NSE scripts that we can use to discover and enumerate SMB services. We'll find these scripts in the /usr/share/nmap/scripts directory.

kali@kali:~$ ls -1 /usr/share/nmap/scripts/smb*
/usr/share/nmap/scripts/smb2-capabilities.nse
/usr/share/nmap/scripts/smb2-security-mode.nse
/usr/share/nmap/scripts/smb2-time.nse
/usr/share/nmap/scripts/smb2-vuln-uptime.nse
/usr/share/nmap/scripts/smb-brute.nse
/usr/share/nmap/scripts/smb-double-pulsar-backdoor.nse
/usr/share/nmap/scripts/smb-enum-domains.nse
/usr/share/nmap/scripts/smb-enum-groups.nse
/usr/share/nmap/scripts/smb-enum-processes.nse
/usr/share/nmap/scripts/smb-enum-sessions.nse
/usr/share/nmap/scripts/smb-enum-shares.nse
/usr/share/nmap/scripts/smb-enum-users.nse
/usr/share/nmap/scripts/smb-os-discovery.nse
...

nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

List remote shares with the "net view" command

Running 'net view' to list remote shares

C:\Users\student>net view \\dc01 /all
Shared resources at \\dc01

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
NETLOGON    Disk           Logon server share
SYSVOL      Disk           Logon server share
The command completed successfully.
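An added helper, not part of the original notes, that parses the `net share` and `net view` tables shown above by taking column boundaries from the header line, and reports the shares beyond the built-in administrative ones (Internal and Users in the first listing), which is the list a defender reviews for over-exposed data. The two listings are constructed samples in the page's layout, and the set of default share names is an assumption to adapt per host role.

```python
import re
# Shares Windows creates itself (NETLOGON/SYSVOL only on DCs); assumed set, adjust per environment.
DEFAULT_SHARES = {"C$", "IPC$", "ADMIN$", "NETLOGON", "SYSVOL"}
FIELD = re.compile(r"\S+(?: \S+)*")  # words separated by single spaces form one field

# Constructed sample in the layout of `net share` on a file server.
NET_SHARE_OUTPUT = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
Internal     C:\Internal Files               Internal Documents
Users        C:\Users
The command completed successfully.
"""

# Constructed sample in the layout of `net view \\host /all` against a domain controller.
NET_VIEW_OUTPUT = r"""
Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
ADMIN$      Disk           Remote Admin
C$          Disk           Default share
IPC$        IPC            Remote IPC
NETLOGON    Disk           Logon server share
SYSVOL      Disk           Logon server share
The command completed successfully.
"""

def parse_share_listing(text):
    """Parse the fixed-width table of `net share` / `net view`: column names and
    offsets come from the 'Share name' header, each field goes to the nearest column."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    cols = [(m.group(0).lower(), m.start()) for m in FIELD.finditer(header)]
    rows = []
    for line in lines[lines.index(header) + 1:]:
        if line.startswith("The command completed"):
            break
        if not line.strip() or line.startswith("-"):
            continue  # blank separator or the dashed rule
        row = {name: "" for name, _ in cols}
        for m in FIELD.finditer(line):
            row[min(cols, key=lambda c: abs(c[1] - m.start()))[0]] = m.group(0)
        rows.append(row)
    return rows

def non_default_shares(text, defaults=DEFAULT_SHARES):
    """Rows whose share name is not an expected administrative share."""
    return [r for r in parse_share_listing(text) if r["share name"] not in defaults]
```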