2-3: System Recon
- Basic enumeration of info / access (system level info, user, groups, write access, files on the system)
- Enumerating privilege escalation vectors specifically
- Use of tools for automating checks (Lin/WinPEAS, LSE, Seatbelt, etc.).
At this stage the assumption is that some level of access to a server, workstation, or other device has been achieved. Ideally this would be full shell or RDP access, but many of the steps can be accomplished from more limited access points (e.g., command injection).
In this initial version, the goal is to cover the baseline methodology for both Windows and Linux system recon. Enumeration paths for each will be fleshed out in more detail later, as Windows needs additional work to cover Active Directory (among other things). With that said, there are some universals to consider first.
System Information
Learn as much as possible about the specifics of the machine and its software at this stage. The headlining items are the operating system and kernel version, but here is a rough checklist of information to find:
- Operating System version: for Windows also note the patches and hotfixes installed on the system, which can be listed with `wmic qfe list`.
- Kernel version: this decides whether any kernel-specific exploits apply. Pair the exact version with the distribution's patch level, since distributions backport fixes and a version string alone can mislead.
- Drives and file shares: note what drives are mounted and whether any network shares are present.
- Networking info: list the network interfaces, and which services/processes are listening on which ports. Note services bound to localhost only, as these are now reachable from your foothold.
- Users and groups: identify what users are present on the system, what groups they are members of, and what level of privileges those users and groups have.
- Environment variables: check both for sensitive credentials and for variables that hint at installed software or vulnerabilities. Also note important configuration these reveal, such as the PATH variable (a writable or relative PATH entry is an escalation vector in its own right).
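The Linux side of this checklist as one script, added here as an example and not taken from the original notes. It assumes bash on Linux with coreutils and awk, uses `ip`/`ss` where present and falls back to `ifconfig`/`netstat`, and does not cover the Windows commands (`wmic qfe list`, `systeminfo`, `whoami`). The `login_users` and `path_hijack_candidates` functions take an optional file or PATH string so they can be run against a copied passwd file or a service's PATH rather than only the live system.

```bash
#!/usr/bin/env bash
# Baseline Linux system-information sweep (added example, not from the notes).
# Assumes bash on Linux with coreutils/awk; ip/ss preferred, ifconfig/netstat as fallback.

# OS release plus kernel version and architecture. Needed before looking at
# any kernel exploit; distro backports mean the version alone is not proof.
os_kernel_info() {
    [ -r /etc/os-release ] && grep -E '^(PRETTY_NAME|VERSION_ID)=' /etc/os-release
    uname -srm
}

# Interfaces and listening sockets with owning process where permitted.
# Anything bound to 127.0.0.1 is reachable now that you are on the box.
network_info() {
    { ip -brief addr || ifconfig -a; } 2>/dev/null || echo "no ip/ifconfig available"
    { ss -tulpn || netstat -tulpn; } 2>/dev/null || echo "no ss/netstat available"
    return 0
}

# Mounted filesystems, with NFS/CIFS mounts flagged as network shares.
mounts_and_shares() {
    mount | awk '{ print $1, "on", $3, "type", $5 }'
    mount | awk '$5 ~ /^(nfs|nfs4|cifs|smb3)$/ { print "SHARE:", $1, $3 }'
}

# Accounts that can actually log in: shell is neither nologin nor false.
# $1: passwd-format file (defaults to /etc/passwd; a copied file works too).
login_users() {
    local passwd="${1:-/etc/passwd}"
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$passwd"
}

# Current user's identity plus membership in groups that commonly escalate.
group_check() {
    id
    id -Gn | tr ' ' '\n' | grep -Ex 'sudo|wheel|admin|docker|lxd|disk|adm|shadow' || true
}

# PATH entries that allow binary hijacking: empty or relative entries (resolved
# against the cwd of whoever runs the command) and directories the current
# user can write to. Caveat: as root, -w is true for every existing directory.
# $1: PATH string to inspect (defaults to $PATH). Output: kind:entry per line.
path_hijack_candidates() {
    local path="${1:-$PATH}:" entry
    while [ -n "$path" ]; do
        entry="${path%%:*}"
        path="${path#*:}"
        case "$entry" in
            /*) [ -d "$entry" ] && [ -w "$entry" ] && echo "writable:$entry" ;;
            "") echo "relative:<empty>" ;;
            *)  echo "relative:$entry" ;;
        esac
    done
    return 0
}

# Environment variables whose names or values look like credentials.
env_secrets() {
    env | grep -Ei '(pass|pwd|secret|token|key|api)' || true
}

# Run everything: bash sysinfo.sh all
if [ "${1:-}" = "all" ]; then
    for fn in os_kernel_info network_info mounts_and_shares login_users group_check \
              path_hijack_candidates env_secrets; do
        echo "== $fn =="; "$fn"
    done
fi
```

The PATH check is the part worth keeping even when a tool like LinPEAS is available: an empty entry (`::` or a trailing colon) or a `.` entry in a root-run script's PATH is easy to miss in raw `env` output but is a direct hijack point.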
File system enumeration
Spending time digging into whatever files and folders you can read on the system is well worth it. Two points to bear in mind while doing this:
- Run permission checks as you enumerate the file system. The contents matter, but noting what you can read, and especially what you can write to, is crucial. In Linux `ls -ali` is your friend.
- Look for any sensitive information that can be read with your current account: configuration files with credentials, private keys, backups, and shell histories are the usual finds.
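A file-system sweep covering both points, added here as an example and not part of the original notes. It assumes bash on Linux with GNU findutils (`-readable`, `-writable`, `-printf`) and GNU grep; each function takes the directory to sweep as its first argument. The caveat a practitioner should keep in mind: run as root, `-writable` and `-readable` match almost everything, so these checks only say something useful from an unprivileged foothold.

```bash
#!/usr/bin/env bash
# File-system permission sweep (added example, not from the notes).
# Assumes bash on Linux with GNU findutils and GNU grep. $1 = directory to sweep.

# World-writable directories without the sticky bit. /tmp-style sticky dirs are
# expected; a non-sticky one on a PATH, or one a root cron job or service
# writes into, is a hijack point.
world_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | LC_ALL=C sort
}

# Files the current user can write but does not own: root-owned scripts,
# configs or unit files here are direct escalation paths.
writable_foreign_files() {
    find "${1:-/}" -xdev -type f -writable ! -user "$(id -un)" -printf '%u %p\n' 2>/dev/null \
        | LC_ALL=C sort
}

# Readable files whose names suggest keys or credentials.
readable_secret_candidates() {
    find "${1:-/}" -xdev -type f -readable \
        \( -name id_rsa -o -name id_ed25519 -o -name '*.pem' -o -name '*.key' \
           -o -name .env -o -name '*.kdbx' -o -name .htpasswd -o -name '*_history' \
           -o -name wp-config.php -o -name .git-credentials \) 2>/dev/null | LC_ALL=C sort
}

# Readable text files containing password-style assignments (password=..., pwd: ...).
password_strings() {
    grep -rIEil 'passw(or)?d[[:space:]]*[=:]' "${1:-/etc}" 2>/dev/null | LC_ALL=C sort
    return 0
}

# Run everything: bash fs_enum.sh all [root_dir]
if [ "${1:-}" = "all" ]; then
    root="${2:-/}"
    for fn in world_writable_dirs writable_foreign_files readable_secret_candidates password_strings; do
        echo "== $fn $root =="; "$fn" "$root"
    done
fi
```

Start `password_strings` on `/etc`, web roots and home directories rather than `/`; a full-disk grep is slow and noisy, and the name-based `readable_secret_candidates` sweep is the cheaper first pass.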
Configuration Enumeration
Strictly speaking, configuration covers a lot of ground, but there are a few main areas beyond what has already been covered above:
- Services & processes: check which account runs each one and, where possible, what commands and files they invoke.
- Scheduled tasks / cron jobs: see whether any regular tasks are scheduled that can be modified, either directly or indirectly. In labs these typically need to run frequently, or be something your user can trigger, to be worth pursuing.
- Admin access controls: in Linux this means `sudo` rules and SUID/SGID binaries. In Windows the closest analog is the user's privileges, listed with `whoami /priv`, unless UAC is weakly configured for the application in question.
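The three Linux checks above in one script, added here as an example and not part of the original notes. It assumes bash on Linux with procps (`ps`), GNU findutils and `sudo`. The cron check goes further than listing jobs: it parses system-crontab-format files (`/etc/crontab`, `/etc/cron.d/*`, including `@reboot` lines) and reports every absolute path in a scheduled command that you can write to, or that sits in a directory you can write to, which is the "modify it directly or indirectly" test from the bullet. As with the previous example, `-w` is true for everything when you are already root.

```bash
#!/usr/bin/env bash
# Configuration enumeration: process owners, tamperable cron targets, sudo/SUID.
# Added example, not from the notes. Assumes bash on Linux with procps,
# GNU findutils and sudo.

# Processes running as any user other than yourself, with full command lines
# so invoked scripts and config paths are visible.
privileged_processes() {
    ps -eo user:20,pid,ppid,cmd --no-headers 2>/dev/null | awk -v me="$(id -un)" '$1 != me'
    return 0
}

# Parse a system-crontab-format file (m h dom mon dow user command, or
# @reboot user command) and report each absolute path in a command that is
# writable, missing from a writable directory (so it can be created), or
# replaceable because its directory is writable.
# $1: crontab file (defaults to /etc/crontab). Output: user status path.
cron_writable_targets() {
    local file="${1:-/etc/crontab}"
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }           # SHELL=, PATH=, MAILTO=
        /^@/ && NF >= 3 { u = $2; s = 3 }             # @reboot user command...
        /^[0-9*]/ && NF >= 7 { u = $6; s = 7 }        # m h dom mon dow user command...
        u != "" { for (i = s; i <= NF; i++) if ($i ~ /^\//) print u, $i; u = "" }
    ' "$file" | while read -r user path; do
        if [ -e "$path" ] && [ -w "$path" ]; then
            echo "$user writable $path"
        elif [ ! -e "$path" ] && [ -w "$(dirname "$path")" ]; then
            echo "$user missing-in-writable-dir $path"
        elif [ -w "$(dirname "$path")" ]; then
            echo "$user replaceable-in-writable-dir $path"
        fi
    done
    return 0
}

# SUID/SGID binaries with mode and owner; the root-owned ones are the
# interesting set. $1: directory to sweep (defaults to /).
suid_sgid_binaries() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%M %u %p\n' 2>/dev/null \
        | LC_ALL=C sort -k3
}

# sudo rules for the current user, without hanging on a password prompt.
sudo_rules() {
    sudo -n -l 2>/dev/null || echo "sudo -l needs a password, or sudo is not installed"
}

# Run everything: bash config_enum.sh all
if [ "${1:-}" = "all" ]; then
    for fn in privileged_processes cron_writable_targets suid_sgid_binaries sudo_rules; do
        echo "== $fn =="; "$fn"
    done
fi
```

Per-user crontabs (`crontab -l`, `/var/spool/cron/*`) have no user field and are not parsed by `cron_writable_targets`; they are normally unreadable from another account anyway. A "missing-in-writable-dir" hit is often the best kind: the job fails silently today and starts running your file the moment you create it.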
Enumeration Tools
In most cases it makes sense not only to do manual checks, but also to use specific tools for the enumeration, both to cover ground more quickly and to reveal any quick wins. Knowing how to gather the information manually is still essential, as there will be times when the tools can't be used or don't work to their full capacity (e.g., in a limited shell, or where uploading a binary is not an option).
Note that the below list isn't exhaustive.