Local Reconnaissance
A list of useful local reconnaissance techniques
Linux
Network
Enumerate all responding IP addresses on the local network using only native Bash.
Windows
Network
Get all responding IP addresses using a native Windows command:
DNS / ARP / Routing Table / WiFi
Path to the Windows hosts file: C:\Windows\System32\drivers\etc\hosts
System
Enumerate users
Get directory/file perms
Get services permissions
Download the Sysinternals AccessChk tool and upload it to the host.
Gist: https://gist.github.com/cube0x0/1cdef7a90473443f72f28df085241175
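An added audit script, not part of the original cheat sheet and not Sysinternals code, that performs the service-permission check above with built-in PowerShell cmdlets instead of AccessChk: it reports services whose executable is writable by Everyone, Users, Authenticated Users or Interactive, which is what a hardening review should flag and fix. It assumes an elevated prompt on the host being audited.

```powershell
# Added example (not from the original page): report Windows services whose
# executable is writable by low-privilege principals. A writable service
# binary runs as the service account, so each hit is a hardening finding.
# Run from an elevated PowerShell prompt on the host being audited.

# Well-known SIDs that should never hold write rights on a service binary.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)
# Any of these rights lets the principal change the file's contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and carry arguments; keep the .exe only.
    # Unquoted paths containing spaces are not resolved here and are skipped.
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(\S+?\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-WeakServiceBinaryAcl {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                # Compare by SID so the check works on localized systems.
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable identity, skip it
            if ($lowPrivSids -notcontains $sid) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WeakServiceBinaryAcl | Format-Table -AutoSize
```

Each row names a service binary that a non-administrator could replace; the fix is to restrict the file (and its directory) so only Administrators and SYSTEM can write it.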
Connect to an SMB server
Using Meterpreter
arp_scanner : The arp_scanner post module will perform an ARP scan for a given range through a compromised host.
run post/windows/gather/arp_scanner
credential_collector : The credential_collector module harvests password hashes and tokens on the compromised host.
run post/windows/gather/credentials/credential_collector
dumplinks : The dumplinks module parses the .lnk files in a user's Recent Documents folder, which can be useful for further information gathering. Note that, as shown below, the session must first be migrated into a user process before running the module.
run post/windows/manage/migrate (optional: migrate to a user PID first)
run post/windows/gather/dumplinks
enum_applications : The enum_applications module enumerates the applications that are installed on the compromised host.
run post/windows/gather/enum_applications
enum_logged_on_users : The enum_logged_on_users post module returns a listing of current and recently logged on users along with their SIDs.
enum_shares : The enum_shares post module returns a listing of both configured and recently used shares on the compromised system.
run post/windows/gather/enum_shares
enum_snmp : The enum_snmp module will enumerate the SNMP service configuration on the target, if present, including the community strings.
run post/windows/gather/enum_snmp
hashdump : The hashdump post module will dump the local user accounts on the compromised host using the registry.
run post/windows/gather/hashdump
local_exploit_suggester : The local_exploit_suggester, or 'Lester' for short, scans a system for local vulnerabilities for which Metasploit has a module. It then makes suggestions based on the results and displays each exploit's location for quicker access.
use post/multi/recon/local_exploit_suggester