CyberNotes
Exploitation/Linux

Enumeration

Finding the goods

Document the Server

  • Display CPU information:
cat /proc/cpuinfo
  • Display memory information:
cat /proc/meminfo
free -h
  • Kernel version information:
cat /proc/version
  • Display partition information:
cat /proc/partitions
df -h
  • Display IP address information:
ip addr
  • Display the status of the SSH service:
systemctl status sshd
  • Passwords / keys left in shell history files:
cat ~/.*history | less
  • More OS Information:
cat /etc/issue

ps

  • Show processes for the current shell:
ps
The output of ps (Process Status) shows the following columns:
• PID: The process ID (unique to the process)
• TTY: The terminal the process is attached to
• TIME: Amount of CPU time used by the process (NOT the wall-clock time the process has been running)
• CMD: The command or executable running (does NOT display command line parameters)

The ps command provides several useful options:

• ps -A: View all running processes
• ps axjf: View the process tree (parent/child relationships shown in "forest" format)
• ps aux: Show processes for all users (a), 
  display the user that launched each process (u), 
  and include processes that are not attached to a terminal (x).

Looking at the ps aux output gives a better understanding of the system and its potential vulnerabilities (which services run, as which user, and with which arguments).

env

  • Show environment variables:
env

The PATH variable may reveal a compiler or a scripting language interpreter (e.g. Python) that could be used to run code on the target system or leveraged for privilege escalation.

netstat

The netstat command can be used with several different options to gather information on existing connections.

  • netstat -a: Shows all listening ports and established connections.
  • netstat -at or netstat -au: Lists only TCP or only UDP sockets respectively.
  • netstat -l: Lists ports in "listening" mode. These ports are open and ready to accept incoming connections. Combine with -t to list only ports listening on TCP.
  • netstat -s: Lists network usage statistics by protocol. Combine with -t or -u to limit the output to a specific protocol.
  • netstat -tp: Lists connections with the service name and PID information. Combine with -l to list listening ports instead.
  • netstat -i: Shows interface statistics.
  • A commonly used combination is netstat -ano:
  • -a: Display all sockets
  • -n: Do not resolve names
  • -o: Display timers

Search Sockets

Running ss -tulpn lists the sockets in use on the host together with the process owning each one:

Argument   Description
-t         Display TCP sockets
-u         Display UDP sockets
-l         Display only listening sockets
-p         Show the process using the socket
-n         Do not resolve service names

agent47@gamezone:~$ ss -lpnut
Netid State      Recv-Q Send-Q Local Address:Port               Peer Address:Port              
udp   UNCONN     0      0       *:10000               *:*                  
udp   UNCONN     0      0       *:68                  *:*                  
tcp   LISTEN     0      80     127.0.0.1:3306                *:*                  
tcp   LISTEN     0      128     *:10000               *:*                  
tcp   LISTEN     0      128     *:22                  *:*                  
tcp   LISTEN     0      128    :::80                 :::*                  
tcp   LISTEN     0      128    :::22                 :::*   

We can see that a service on port 10000 is listening on every interface, yet it is not reachable from outside, so it is blocked by a firewall rule. Using an SSH tunnel (local port forwarding), we can expose the port on our own machine:

ssh -L 10000:localhost:10000 agent47@10.10.0.32
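As an added example (not part of the original notes), the following Python script parses the ss output above, separates loopback-only services from those bound on every interface, and compares the latter against a constructed list of ports an external scan could reach; that is how you confirm port 10000 is filtered by a firewall rather than simply closed. The sample output and the externally reachable port list are constructed for the example.

```python
# Constructed sample: the `ss -lpnut` output shown above, embedded so this runs offline.
SAMPLE_SS_OUTPUT = """\
Netid State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
udp   UNCONN     0      0       *:10000               *:*
udp   UNCONN     0      0       *:68                  *:*
tcp   LISTEN     0      80     127.0.0.1:3306                *:*
tcp   LISTEN     0      128     *:10000               *:*
tcp   LISTEN     0      128     *:22                  *:*
tcp   LISTEN     0      128    :::80                 :::*
tcp   LISTEN     0      128    :::22                 :::*
"""

# Bind addresses that mean "reachable from this host only".
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_ss(output):
    """Parse `ss -lpnut` output into (proto, bind_address, port) tuples.
    Skips the header; splits Local Address:Port (field 5) on its last colon
    so the IPv6 wildcard ':::80' parses as address '::' and port 80."""
    sockets = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        sockets.append((fields[0], addr, int(port)))
    return sockets

def classify(sockets):
    """Group sockets as loopback-only vs bound on every interface, keyed by (proto, port)."""
    groups = {"loopback": set(), "all_interfaces": set()}
    for proto, addr, port in sockets:
        scope = "loopback" if addr in LOOPBACK else "all_interfaces"
        groups[scope].add((proto, port))
    return groups

def firewalled_tcp_ports(sockets, externally_reachable):
    """TCP ports bound on every interface that an external scan did not reach.
    Such services depend on a firewall rule for protection, which is the
    situation of port 10000 in the output above."""
    exposed = {port for proto, addr, port in sockets
               if proto == "tcp" and addr not in LOOPBACK}
    return sorted(exposed - set(externally_reachable))

# Constructed: ports an external scan of the same host reported as open.
EXTERNALLY_REACHABLE = {22, 80}

if __name__ == "__main__":
    socks = parse_ss(SAMPLE_SS_OUTPUT)
    print("loopback only:", sorted(classify(socks)["loopback"]))
    print("listening but unreachable:", firewalled_tcp_ports(socks, EXTERNALLY_REACHABLE))
```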

SNMP

$ git clone https://gitlab.com/kalilinux/packages/snmpcheck.git 
$ cd snmpcheck/ 
$ gem install snmp
$ chmod +x snmpcheck-1.9.rb

The syntax is quite simple:

$ /opt/snmpcheck/snmpcheck.rb 10.10.175.250 -c COMMUNITY_STRING
