Host Scan Methodologies¶

The initial access to a compromised host often occurs through a low-access user or service account. Attackers typically conduct host scanning, also called enumeration, to identify weaknesses that could facilitate privilege escalation.

Host enumeration needs to be tailored for each scan; It wouldn't make sense to search for files with sudo privileges on a Windows machine or to query the registry on a BSD system.

UNIX¶

For Unix hosts, a recommended starting point is to check for the following artifacts:¶

Kernel and distribution release details
System Information:
- Hostname
- Networking details:
  - Current IP
  - Default route details
  - DNS server information
User Information:
- Current user details
- Last logged-on users
- Show users logged onto the host
- List all users, including uid/gid information, IPv4 header
- List root accounts
- Extract password policies and hash storage method information
- Check umask value
- Check if password hashes are stored in /etc/passwd
- Extract full details for 'default' uids such as 0, 1000, 1001, etc
- Attempt to read restricted files, i.e.,/etc/shadow
- List current users' history files (i.e., .bash_history, .nano_history, etc.)
- Basic SSH checks
Privileged access:
- Which users have recently used sudo
- Determine if /etc/sudoers is accessible
- Determine if the current user has Sudo access without a password
- Are known 'good' breakout binaries available via Sudo (i.e., Nmap, vim, etc.)
- Is the root's home directory accessible
- List permissions for /home/
Environmental:
- Display current $PATH
- Display environmental information
Jobs/Tasks:
- List all cron jobs
- Locate all world-writable cron jobs
- Locate cron jobs owned by other users of the system
- List the active and inactive systemd timers
Services:
- List network connections (TCP & UDP)
- List running processes
- Lookup and list process binaries and associated permissions
- List inetd.conf/xined.conf contents and associated binary file permissions
- List init.d binary permissions
Version Information (of the following):
- Sudo
- MYSQL
- Postgres
- Apache
  - Checks user config
  - Shows enabled modules
  - Checks for htpasswd files
  - View www directories
Default/Weak Credentials:
- Check for default/weak Postgres accounts
- Check for default/weak MYSQL accounts
Search:
- Locate all SUID/GUID files
- Locate all world-writable SUID/GUID files
- Locate all SUID/GUID files owned by root
- Locate 'interesting' SUID/GUID files (i.e., Nmap, vim, etc)
- Locate files with POSIX capabilities
- List all world-writable files
- Find/list all accessible *.plan files and display contents
- Find/list all accessible *.rhosts files and display contents
- Show NFS server details
- Locate *.conf and *.log files containing keywords supplied at script runtime
- List all *.conf files located in /etc
- .bak file search
- Locate mail
Platform/software-specific tests:
- Check to determine if in a Docker container
- Check to see if the host has Docker installed
- Check to determine if in an LXC container`

Windows¶

For Windows hosts, a recommended starting point is to check for the following artifacts:¶

System Information:
- Windows Version
- Architecture
- Hostname
- Current User
- Current Time\Date
User Information:
- Username
- Groups
- Stored Credentials
- Checking for AutoAdminLogon
Network Information:
- ip configs
- ARP cache
- Netstat
- Windows firewall
- Hosts File Contents
Services:
- Processes
- Scheduled Tasks
- Services
- Installed Programs
- Installed Patches
- Program Folders
File System Information
- Files with Full Control and Modify Access
- Folders with Full Control and Modify Access
- Mapped Drives
- Unquoted Service Paths
- Recent Documents
- Potentially Interesting Files in the Users Directory
- 10 Last Modified Files in C:\User
- MUICache Files
- System Files with Passwords
- AlwaysInstalledElevated Registry Key`