# Enumeration - Post exploitation pt2

## Networking

The IP addresses can be shown using ip address show (which can be shortened to ip a s) or with the older command ifconfig -a (its package is no longer maintained). The terminal output below shows the network interface ens33 with the IP address 10.20.30.129 and subnet mask 255.255.255.0, i.e. a /24 prefix.

```
user@TryHackMe$ ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:a2:0e:7e brd ff:ff:ff:ff:ff:ff
    inet 10.20.30.129/24 brd 10.20.30.255 scope global noprefixroute dynamic ens33
       valid_lft 1580sec preferred_lft 1580sec
    inet6 fe80::761a:b360:78:26cd/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

The DNS servers can be found in /etc/resolv.conf. Consider the following terminal output for a system that uses DHCP for its network configuration. The DNS server, i.e. the nameserver, is set to 10.20.30.2.

```
user@TryHackMe$ cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain thm
nameserver 10.20.30.2
```

netstat is a useful command for learning about network connections, routing tables, and interface statistics. You can use any combination of options that suits your needs. For instance, netstat -plt will return Programs Listening on TCP sockets. As we can see in the terminal output below, sshd is listening on the SSH port, while master is listening on the SMTP port on both IPv4 and IPv6 addresses. Note that to get all PIDs (process IDs) and program names, you need to run netstat as root or use sudo netstat.

```
user@TryHackMe$ sudo netstat -plt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      978/sshd
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      1141/master
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      978/sshd
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      1141/master
```

One might think that using nmap before gaining access to the target machine would have provided a comparable result. However, this is not entirely true. Nmap needs to generate a relatively large number of packets to check for open ports, which can trigger intrusion detection and prevention systems. Furthermore, firewalls along the route can drop certain packets and hinder the scan, resulting in incomplete Nmap results.

lsof stands for List Open Files. If we want to display only Internet and network connections, we can use lsof -i. The terminal output below shows IPv4 and IPv6 listening services and ongoing connections. The user peter is connected to the server rpm-red-enum.thm on the ssh port. Note that to get the complete list of matching programs, you need to run lsof as root or use sudo lsof.

```
user@TryHackMe$ sudo lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd   640 chrony    5u  IPv4  16945      0t0  UDP localhost:323
chronyd   640 chrony    6u  IPv6  16946      0t0  UDP localhost:323
sshd      978   root    3u  IPv4  20035      0t0  TCP *:ssh (LISTEN)
sshd      978   root    4u  IPv6  20058      0t0  TCP *:ssh (LISTEN)
master   1141   root   13u  IPv4  20665      0t0  TCP localhost:smtp (LISTEN)
master   1141   root   14u  IPv6  20666      0t0  TCP localhost:smtp (LISTEN)
dhclient 5638   root    6u  IPv4  47458      0t0  UDP *:bootpc
sshd     5693  peter    3u  IPv4  47594      0t0  TCP rpm-red-enum.thm:ssh->10.20.30.113:38822 (ESTABLISHED)
[...]
```

Because the list can get quite lengthy, you can further filter the output by specifying the ports you are interested in, such as SMTP port 25. By running lsof -i :25, we limit the output to the entries related to port 25, as shown in the terminal output below. The server is listening on port 25 on both IPv4 and IPv6 addresses.

```
user@TryHackMe$ sudo lsof -i :25
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  1141 root   13u  IPv4  20665      0t0  TCP localhost:smtp (LISTEN)
master  1141 root   14u  IPv6  20666      0t0  TCP localhost:smtp (LISTEN)
```

## Running Services

Getting a snapshot of the running processes can provide many insights. ps lets you discover the running processes and plenty of information about them.
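The socket listings in the Networking section and the process view that ps gives both come straight from /proc. As an added example (not part of the room or of any tool it uses), the POSIX shell script below decodes /proc/net/tcp the way netstat and ss do, and resolves a socket inode to its PID the way netstat -p and lsof do, which is also why those need root; the sample table and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the room): decode /proc/net/tcp the way netstat/ss
# do, then map a socket inode to its PID the way netstat -p and lsof do.
# /proc/net/tcp holds hex ADDR:PORT pairs in host byte order, so on
# little-endian hosts (x86, most ARM) 0100007F:0019 is 127.0.0.1:25.
# State column: 0A = LISTEN, 01 = ESTABLISHED (kernel enum tcp_states).

# tcp_sockets [STATE_HEX] < /proc/net/tcp   (default: 0A, listening sockets)
tcp_sockets() {
    awk -v want="${1:-0A}" '
    function hex2dec(h,   i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return n
    }
    function addr(hexpair,   a, h) {   # "811E140A:0016" -> "10.20.30.129:22"
        split(hexpair, a, ":"); h = a[1]
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2)) ":" hex2dec(a[2])
    }
    NR > 1 && $4 == want { print addr($2) " -> " addr($3) " uid=" $8 " inode=" $10 }'
}

# inode_to_pids INODE: which processes hold that socket. Other users
# /proc/<pid>/fd entries are unreadable without root, which is why
# netstat -p and lsof need sudo to fill in the PID/Program column.
inode_to_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] && printf '%s\n' "$fd" | cut -d/ -f3
    done | sort -u
}

# Constructed sample in /proc/net/tcp layout, mirroring the hosts and ports
# seen in the netstat/lsof output above (inodes match the lsof DEVICE column).
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20035 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20665 1 0000000000000000 100 0 0 10 0
   2: 811E140A:0016 711E140A:97A6 01 00000000:00000000 02:0003A9B4 00000000  1000        0 47594 2 0000000000000000 20 4 28 10 -1'

printf '%s\n' "$SAMPLE_PROC_NET_TCP" | tcp_sockets      # listeners (0A)
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | tcp_sockets 01   # established
# On a live host: tcp_sockets < /proc/net/tcp, then inode_to_pids <inode> as root
```

Running it on the constructed sample prints the two listeners (0.0.0.0:22 and 127.0.0.1:25) and, with state 01, the established session from 10.20.30.113:38822, matching what netstat and lsof showed above.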