Post-Exploitation Enumeration

  • Every environment is unique, but the techniques are still the same
  • Search for:
    • misconfigured services
    • insufficient file permission restrictions on binaries or services
    • direct kernel vulnerabilities
    • vulnerable software running with high privileges
    • sensitive information stored on local files
    • registry settings that always elevate privileges before executing a binary
    • installation scripts that may contain hard coded credentials
    • etc.

Windows

Don’t forget to set the Execution Policy! Set-ExecutionPolicy Bypass -Scope process -Force

Automated

Manual

  • PayloadsAllTheThings
  • pentest-everything
  • Check what privileges you have: whoami /priv
  • Get current username: echo %USERNAME%
  • Get OS version: ver
  • More OS info: systeminfo
  • Get environment variables: set
  • Show processes & services:
    • tasklist /svc
    • tasklist /v
    • cmd /c sc query state= all
    • Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
  • Show all scheduled tasks: schtasks /query /fo LIST /v
    • Copy the output to your kali instance and search through it with cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
  • List drives (must be admin): fsutil fsinfo drives
  • Directory listing of C: tree /F /A c:\ > tree.txt
  • Hosts in current domain: net view /domain
  • All users in current domain: net user /domain
  • Get more info about the specified user: net user <username>
  • List domain groups: net group /domain
  • List local Admins: net localgroup "Administrators"
  • List users in Domain Admins: net group "Domain Admins" /domain
  • List DCs for current domain: net group "Domain Controllers" /domain
  • Current SMB shares: net share
  • Active SMB sessions: net session | find "\\"
  • IP configuration: ipconfig /all
  • Local DNS cache: ipconfig /displaydns
  • Get network routes: route print
  • Open connections: netstat -ano
  • Firewall settings:
    • netsh advfirewall show all
    • netsh advfirewall show currentprofile
  • Online nmap scan: iwr https://nivenly.com/client
  • List all services: wmic service get displayname,pathname
    • Check for entries where the PathName contains a space character and the path isn't surrounded by double quotation marks ""
    • E.g.: C:\Program Files\My Program\My service\service.exe
    • Windows resolves an unquoted path left to right, so before reaching service.exe it will try C:\Program.exe, C:\Program Files\My.exe and C:\Program Files\My Program\My.exe. In the example above we could therefore check whether we have permission to place a file called My.exe under C:\Program Files\My Program\ (or under C:\Program Files\); the service then runs our binary with its own privileges the next time it starts
  • Installed Applications and Patch Levels
    • applications: wmic product get name, version, vendor (only lists software installed through Windows Installer, i.e. MSI packages)
    • patch levels: wmic qfe get Caption, Description, HotFixID, InstalledOn
  • Readable/Writable Files and Directories:
    • accesschk.exe -uws "Everyone" "C:\Program Files"
    • Get-ChildItem "C:\Program Files" -Recurse | %{Get-ACL $_.FullName} | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
  • Mounted Disks: mountvol
  • Device Drivers and Kernel Modules
    • get all loaded drivers: driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
    • get the version of the VMware drivers (change this depending on what you’re trying to search for): Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
  • Binaries That AutoElevate
    • Check if AlwaysInstallElevated is enabled: the value must be 1 (0x1) in BOTH of the keys below; if it is, any Windows Installer package (.msi) is installed with SYSTEM privileges, so a malicious .msi run with msiexec gives a SYSTEM shell
      • reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
      • reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
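Added example (not part of the original notes): the two checks above are easiest to work through offline once the wmic and reg query output has been copied to the Kali box, so this POSIX shell script parses that output. The service list and the registry dumps are constructed samples; the service names, paths and the hive values are made up for the example.

```shell
#!/bin/sh
# Triage of enumeration output copied from a Windows host (added example).

# Constructed 'wmic service get displayname,pathname' output (made-up services).
SAMPLE_WMIC='DisplayName                 PathName
Windows Update              C:\Windows\system32\svchost.exe -k netsvcs
My Program Service          C:\Program Files\My Program\My service\service.exe
Quoted Service              "C:\Program Files\Vendor App\app.exe" -service
Backup Agent                C:\Backup Agent\agent.exe /daemon'

# Print the executable path of every service whose PathName is unquoted AND
# contains a space: those are the unquoted-service-path candidates.
unquoted_service_paths() {
    awk 'NR == 1 { col = index($0, "PathName"); next }
         NF == 0 { next }
         { p = substr($0, col); sub(/^[ \t]+/, "", p); sub(/[ \t\r]+$/, "", p); print p }' |
    while IFS= read -r raw; do
        case "$raw" in \"*) continue ;; esac        # quoted path: safe
        exe=$(printf '%s\n' "$raw" | sed -E 's/\.[Ee][Xx][Ee].*$/.exe/')   # drop arguments
        case "$exe" in *" "*) printf '%s\n' "$exe" ;; esac
    done
}

# For one unquoted path, print the files Windows tries before the real binary:
# every space splits off a candidate "<prefix>.exe".
hijack_candidates() {
    rest="$1" prefix=""
    while [ "${rest#* }" != "$rest" ]; do        # at least one space left
        word="${rest%% *}"
        rest="${rest#* }"
        if [ -z "$prefix" ]; then prefix="$word"; else prefix="$prefix $word"; fi
        printf '%s.exe\n' "$prefix"
    done
}

# Constructed 'reg query ...\Installer' output for both hives (made-up values).
REG_HKCU='HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1'
REG_HKLM='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1'
REG_HKLM_OFF='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x0'

# True only when BOTH hives set AlwaysInstallElevated to 1; one hive alone does
# not make msiexec install packages as SYSTEM.
always_install_elevated() {
    for out in "$1" "$2"; do
        printf '%s\n' "$out" | tr -d '\r' |
            grep -qiE 'AlwaysInstallElevated[[:space:]]+REG_DWORD[[:space:]]+0x1$' || return 1
    done
    return 0
}

# Usage: run over the constructed samples.
printf '%s\n' "$SAMPLE_WMIC" | unquoted_service_paths | while IFS= read -r exe; do
    printf '[*] unquoted service path: %s\n' "$exe"
    hijack_candidates "$exe" | sed 's/^/    try to create: /'
done
if always_install_elevated "$REG_HKCU" "$REG_HKLM"; then
    echo '[*] AlwaysInstallElevated is 1 in both hives'
fi
```

On a real engagement replace the SAMPLE_WMIC string with the copied wmic output (cat services.txt | unquoted_service_paths) and then verify write access to each candidate directory with accesschk or icacls on the target before building the payload; a candidate path is only useful if the directory is writable and the service can be restarted or the host rebooted.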

Linux

Automated

Manual

  • pentest-everything
  • PayloadsAllTheThings
  • g0tmi1k
  • Check what, if any, sudo privileges you have: sudo -l (then escape to a shell from whatever binary is allowed)
    • nmap: nmap --interactive, then !sh (interactive mode exists only in older nmap versions)
    • vi: :!bash OR :set shell=/bin/bash followed by :shell
    • python: python -c 'import pty; pty.spawn("/bin/sh")' OR python -c 'import os; os.system("/bin/bash")'
    • bash/sh: /bin/sh -i
    • perl: perl -e 'exec "/bin/sh";' OR, from a perl prompt: exec "/bin/sh";
    • ruby: ruby -e 'exec "/bin/sh"'
    • lua: lua -e 'os.execute("/bin/sh")'
  • Current username: id
  • Current directory: pwd
  • Logged on users: w
  • Last users logged on: last -a
  • Process listing (top): ps aux
  • Network services: netstat -antup or ss -anp
  • IP configuration: ip a or ifconfig
  • Network routes: /sbin/route or routel
  • Firewall settings:
    • grep -Hs iptables /etc/*
    • iptables -S (root needed)
  • Disk usage (free): df -h
  • Mounted file Systems:
    • all mounted file systems: mount
    • all drives mounted at boot time: cat /etc/fstab
    • all available disks and their partitions: /bin/lsblk
  • Show list of users: getent passwd or cat /etc/passwd
  • Get the password hashes (root needed): cat /etc/shadow
  • Get an overview of personal files: ls -lahR /home
  • Show list of groups: cat /etc/group
  • Show OS info: cat /etc/issue
  • Show OS version info: cat /etc/*release*
  • Show kernel info: cat /proc/version
  • Kernel version/CPU info: uname -a
  • Installed pkgs (Red Hat): rpm -qa (short for rpm --query --all)
  • Install RPM (-e=remove): rpm -ivh *.rpm
  • Installed pkgs (Ubuntu/Debian): dpkg -l
  • Install DEB (-r=remove): dpkg -i *.deb
  • Installed pkgs (Solaris): pkginfo
  • Online nmap scan: curl https://nivenly.com/client
  • Cron Jobs:
    • ls -lah /etc/cron*
    • cat /etc/crontab
  • Readable/Writable Files and Directories: find / -writable -type d 2>/dev/null
  • Device Drivers and Kernel Modules
    • get all loaded kernel modules: lsmod
    • get more information about the libata module: `/sbin/
  • Find Root SUID files: find / -perm -u=s -type f 2>/dev/null

Relevant Note(s): Penetration Testing Anti-Virus Evasion Techniques