# Enumeration - Post exploitation

* Purpose of enumeration
* Linux enumeration with commonly-installed tools
* MS Windows enumeration with built-in tools
* Example of additional tools: Seatbelt

## Purpose

The purpose behind post-exploitation enumeration is to gather as much information as possible about the system and its network. We aim to collect the information that would allow us to pivot to other systems on the network or to loot the current system. Some of the information we are interested in gathering includes:

* Users and groups
* Hostnames
* Routing tables
* Network shares
* Network services
* Applications and banners
* Firewall configurations
* Service settings and audit configurations
* SNMP and DNS details
* Hunting for credentials

## Linux Enumeration

* System
* Users
* Networking
* Running services

### System

On a Linux system, we can get more information about the distro and release version by searching **/etc/** for files or links whose names end with **-release**, i.e. by running **ls /etc/\*-release**:

```
user@TryHackMe$ ls /etc/*-release
/etc/centos-release  /etc/os-release  /etc/redhat-release  /etc/system-release
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
[...]
```

We can find the system's name using the command hostname.

```
user@TryHackMe$ hostname
rpm-red-enum.thm
```

Various files on a system can provide plenty of useful information. In particular, consider /etc/passwd, /etc/group, and /etc/shadow. Any user can read the passwd and group files. However, the shadow password file requires root privileges, as it contains the hashed passwords. If you manage to break the hashes, you will know the user's original password.

```
user@TryHackMe$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
michael:x:1001:1001::/home/michael:/bin/bash
peter:x:1002:1002::/home/peter:/bin/bash
jane:x:1003:1003::/home/jane:/bin/bash
randa:x:1004:1004::/home/randa:/bin/bash
$ cat /etc/group
root:x:0:
[...]
michael:x:1001:
peter:x:1002:
jane:x:1003:
randa:x:1004:
$ sudo cat /etc/shadow
root:$6$pZlRFi09$qqgNBS.00qtcUF9x0yHetjJbXsw0PAwQabpCilmAB47ye3OzmmJVfV6DxBYyUoWBHtTXPU0kQEVUQfPtZPO3C.:19131:0:99999:7:::
[...]
michael:$6$GADCGz6m$g.ROJGcSX/910DEipiPjU6clo6Z6/uBZ9Fvg3IaqsVnMA.UZtebTgGHpRU4NZFXTffjKPvOAgPKbtb2nQrVU70:19130:0:99999:7:::
peter:$6$RN4fdNxf$wvgzdlrIVYBJjKe3s2eqlIQhvMrtwAWBsjuxL5xMVaIw4nL9pCshJlrMu2iyj/NAryBmItFbhYAVznqRcFWIz1:19130:0:99999:7:::
jane:$6$Ees6f7QM$TL8D8yFXVXtIOY9sKjMqJ7BoHK1EHEeqM5dojTaqO52V6CPiGq2W6XjljOGx/08rSo4QXsBtLUC3PmewpeZ/Q0:19130:0:99999:7:::
randa:$6$dYsVoPyy$WR43vaETwoWooZvR03AZGPPKxjrGQ4jTb0uAHDy2GqGEOZyXvrQNH10tGlLIHac7EZGV8hSIfuXP0SnwVmnZn0:19130:0:99999:7:::
```

To find the installed applications, you can consider listing the files in /usr/bin/ and /sbin/:

```
ls -lh /usr/bin/
ls -lh /sbin/
```

On an RPM-based Linux system, you can get a list of all installed packages using rpm -qa. The -qa indicates that we want to query all packages. On a Debian-based Linux system, you can get the list of installed packages using dpkg -l. The output below is obtained from an Ubuntu server.

```
user@TryHackMe$ dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                  Version                            Architecture Description
+++-=====================================-==================================-============-===============================================================================
ii  accountsservice                       0.6.55-0ubuntu12~20.04.5           amd64        query and manipulate user account information
ii  adduser                               3.118ubuntu2                       all          add and remove users and groups
ii  alsa-topology-conf                    1.2.2-1                            all          ALSA topology configuration files
ii  alsa-ucm-conf                         1.2.2-1ubuntu0.13                  all          ALSA Use Case Manager configuration files
ii  amd64-microcode                       3.20191218.1ubuntu1                amd64        Processor microcode firmware for AMD CPUs
[...]
ii  zlib1g-dev:amd64                      1:1.2.11.dfsg-2ubuntu1.3           amd64        compression library - development
```

### Users

Files such as /etc/passwd reveal the usernames; however, various commands can provide more information and insights about other users on the system and their whereabouts.

You can show who is logged in using who.

```
user@TryHackMe$ who
root     tty1         2022-05-18 13:24
jane     pts/0        2022-05-19 07:17 (10.20.30.105)
peter    pts/1        2022-05-19 07:13 (10.20.30.113)
```

To take things to the next level, you can use w, which shows who is logged in and what they are doing. Based on the terminal output below, peter is editing notes.txt and jane is the one running w in this example.

```
user@TryHackMe$ w
 07:18:43 up 18:05,  3 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                      Wed13   17:52m  0.00s  0.00s less -s
jane     pts/0    10.20.30.105     07:17    3.00s  0.01s  0.00s w
peter    pts/1    10.20.30.113     07:13    5:23   0.00s  0.00s vi notes.txt
```

To print the real and effective user and group IDs, you can issue the command id (for ID).

```
user@TryHackMe$ id
uid=1003(jane) gid=1003(jane) groups=1003(jane) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Do you want to know who has been using the system recently? last displays a listing of the last logged-in users; moreover, we can see who logged out and how long they stayed connected. In the output below, the user randa remained logged in for almost 17 hours, while the user michael logged out after four minutes.
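The /etc/os-release and dpkg -l listings shown under System are exactly the inputs an inventory or patch-level check consumes, so it is worth being able to parse them reliably rather than eyeballing them. The following is an added example, not code from the original page or from TryHackMe: it parses both formats from constructed sample input embedded in the script (the function names, the TEST_ESCAPE key and the "rc" row are assumptions made for the example). On a real host you would read /etc/os-release or feed in captured dpkg -l output instead.

```python
"""Parsers for two listings shown above: /etc/os-release and `dpkg -l`.

Added example, not code from the original page. Sample inputs are constructed
inline (the dpkg rows mirror the Ubuntu listing above, plus one constructed
"rc" row) so the script runs offline; on a real host you would read
/etc/os-release or capture `dpkg -l` output instead.
"""
import re

# Constructed sample: the CentOS 7 fields shown above plus a constructed
# TEST_ESCAPE key that exercises the double-quote escape rules.
OS_RELEASE_SAMPLE = """\
# comment lines and blank lines are ignored
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
TEST_ESCAPE="say \\"hi\\" \\$HOME"
"""

# Constructed `dpkg -l` sample: header, rows from the listing above, one
# constructed "rc" row and the "[...]" marker, all of which must be handled.
DPKG_SAMPLE = """\
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                   Version                    Architecture Description
+++-======================-==========================-============-===============
ii  accountsservice        0.6.55-0ubuntu12~20.04.5   amd64        query and manipulate user account information
ii  adduser                3.118ubuntu2               all          add and remove users and groups
ii  alsa-topology-conf     1.2.2-1                    all          ALSA topology configuration files
rc  example-removed        1.0-1                      all          constructed: removed, config files remain
[...]
ii  zlib1g-dev:amd64       1:1.2.11.dfsg-2ubuntu1.3   amd64        compression library - development
"""

def parse_os_release(text):
    """Parse os-release KEY=VALUE lines into a dict.

    Values may be bare or wrapped in single or double quotes. Inside double
    quotes the backslash escapes for backslash, double quote, dollar and
    backtick are unescaped (what os-release(5) allows); single-quoted values
    are taken literally. Comments and blank lines are skipped.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            inner = value[1:-1]
            if value[0] == '"':
                inner = re.sub(r'\\([\\"$`])', r'\1', inner)
            value = inner
        result[key] = value
    return result

def parse_dpkg_list(text):
    """Return the installed packages from `dpkg -l` output.

    Package rows start after the "+++-" ruler. Only rows whose status begins
    with "ii" (desired=install, status=installed) are kept; "rc" rows, the
    "[...]" marker and blank lines are dropped. An architecture qualifier
    such as zlib1g-dev:amd64 is split off so the bare name can be matched
    against advisories.
    """
    packages, in_table = [], False
    for line in text.splitlines():
        if line.startswith("+++-"):
            in_table = True
            continue
        fields = line.split(None, 4)
        if not in_table or len(fields) < 4 or not fields[0].startswith("ii"):
            continue
        name, _, qualifier = fields[1].partition(":")
        packages.append({"name": name, "qualifier": qualifier,
                         "version": fields[2], "arch": fields[3],
                         "description": fields[4] if len(fields) == 5 else ""})
    return packages

def version_of(packages, name):
    """Installed version of a bare package name, or None if it is not installed."""
    for pkg in packages:
        if pkg["name"] == name:
            return pkg["version"]
    return None

if __name__ == "__main__":
    info = parse_os_release(OS_RELEASE_SAMPLE)
    print(f"{info['PRETTY_NAME']} (ID={info['ID']}, VERSION_ID={info['VERSION_ID']})")
    for pkg in parse_dpkg_list(DPKG_SAMPLE):
        print(f"{pkg['name']:<22} {pkg['version']:<28} {pkg['arch']}")
```

The "rc" row is the case that trips up naive `grep`-based inventories: the package shows up in dpkg -l although it is no longer installed, so a version check that ignores the status column reports a vulnerable package that is not actually present.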
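The /etc/passwd, /etc/group and /etc/shadow files discussed under System are also what a defender reviews when checking a host for account weaknesses. Here is an added example, not from the original page or from TryHackMe, that parses the three files into a small audit: extra UID-0 accounts, which accounts can log in interactively, each user's primary and supplementary groups, and the state of every shadow password field (empty, locked, or which crypt scheme is in use). The sample file contents, the sysadm and nobody accounts, the wheel group and the placeholder hashes are constructed for the example; the function names are assumptions too.

```python
"""Account audit from /etc/passwd, /etc/group and /etc/shadow.

Added example, not code from the original page. It parses the three files
listed above and reports extra UID-0 accounts, which accounts can log in
interactively, each user's primary and supplementary groups, and the state
of every shadow password field. Sample contents are constructed inline
(the shadow hashes are placeholders, not real hashes) so it runs offline.
"""
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# crypt(3) scheme identifiers, read from the "$id$" prefix of the hash field
HASH_SCHEMES = {"1": "md5crypt", "2b": "bcrypt", "2y": "bcrypt",
                "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}

# Constructed sample: the accounts from the listing above, plus a service
# account and a second UID-0 account that the audit should flag.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
michael:x:1001:1001::/home/michael:/bin/bash
peter:x:1002:1002::/home/peter:/bin/bash
jane:x:1003:1003::/home/jane:/bin/bash
randa:x:1004:1004::/home/randa:/bin/bash
sysadm:x:0:0:constructed second uid-0 account:/root:/bin/bash
"""
GROUP_SAMPLE = """\
root:x:0:
wheel:x:10:jane,peter
michael:x:1001:
peter:x:1002:
jane:x:1003:
randa:x:1004:
"""
# Placeholder hashes: the "$id$salt$hash" shape is kept, the digests are fake.
SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERNOTAREALHASH:19131:0:99999:7:::
nobody:*:19130:0:99999:7:::
michael:$6$saltsalt$PLACEHOLDERNOTAREALHASH:19130:0:99999:7:::
peter:!!:19130:0:99999:7:::
jane:$y$j9T$saltsalt$PLACEHOLDERNOTAREALHASH:19130:0:99999:7:::
randa::19130:0:99999:7:::
sysadm:$1$saltsalt$PLACEHOLDERNOTAREALHASH:19130:0:99999:7:::
"""

def parse_colon_file(text, nfields):
    """Yield the fields of each well-formed line; skip comments and junk."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) == nfields:
                yield fields

def parse_passwd(text):
    return {name: {"uid": int(uid), "gid": int(gid), "shell": shell}
            for name, _pw, uid, gid, _gecos, _home, shell in parse_colon_file(text, 7)}

def parse_group(text):
    return {name: {"gid": int(gid), "members": [m for m in members.split(",") if m]}
            for name, _pw, gid, members in parse_colon_file(text, 4)}

def password_state(field):
    """Classify one shadow password field."""
    if field == "":
        return "EMPTY"            # no password needed at all: a finding
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        scheme = field.split("$")[1]
        return HASH_SCHEMES.get(scheme, f"unknown ${scheme}$")
    return "legacy DES crypt"    # 13-char traditional crypt: weak

def parse_shadow(text):
    return {fields[0]: password_state(fields[1]) for fields in parse_colon_file(text, 9)}

def memberships(users, groups):
    """Primary group (by GID) plus every group listing the user as a member."""
    gid_to_name = {g["gid"]: name for name, g in groups.items()}
    result = {}
    for user, info in users.items():
        names = {gname for gname, g in groups.items() if user in g["members"]}
        if info["gid"] in gid_to_name:
            names.add(gid_to_name[info["gid"]])
        result[user] = sorted(names)
    return result

def audit(passwd_text, group_text, shadow_text):
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return {
        "uid0_accounts": sorted(n for n, u in users.items() if u["uid"] == 0),
        "interactive_users": sorted(n for n, u in users.items()
                                    if u["shell"] not in NOLOGIN_SHELLS),
        "memberships": memberships(users, groups),
        "password_state": parse_shadow(shadow_text),
    }

if __name__ == "__main__":
    for key, value in audit(PASSWD_SAMPLE, GROUP_SAMPLE, SHADOW_SAMPLE).items():
        print(f"{key}: {value}")
```

Two details matter in practice: a user's primary group comes from the GID in passwd and is usually not listed in the members column of group, so membership has to be assembled from both files; and the shadow password field carries three distinct states (empty, locked with "!" or "*", hashed) that should be reported separately, since an empty field, unlike a locked one, means the account needs no password at all.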