mirror of
https://github.com/calebstewart/pwncat.git
synced 2024-11-27 19:04:15 +01:00
102 lines
4.8 KiB
ReStructuredText
102 lines
4.8 KiB
ReStructuredText
Enum
|
|
====
|
|
|
|
The ``enum`` command is used to enumerated facts on the victim host. These facts could be
|
|
system properties, installed packages, SUID binaries, various file permissions, etc. In
|
|
general, they are system properties which may be useful for privilege escalation.
|
|
|
|
``pwncat`` enumeration modules are based on a variety of Linux enumeration methodologies
|
|
and other fabulous enumeration scripts such as LinPEAS or LinEnum. ``pwncat`` takes these
|
|
methodologies and implements the enumeration in such a way that the raw information is
|
|
available to both the automated ``pwncat`` modules and to the user in a formatted and
|
|
readable way.
|
|
|
|
In this way, ``pwncat`` may automatically perform some enumeration while attempting to
|
|
escalate privieleges, but these enumerated facts will not be lost if the escalation
|
|
fails. For example, the ``privesc`` module always searches for SUID binaries. Even if a
|
|
path to the root user is not identified, ``pwncat`` utilizes the ``enumerate`` module
|
|
to track enumerated facts like SUID binaries. This speeds up future privilege escalation
|
|
as well as allows the user to give the enumerated data a human review.
|
|
|
|
Facts
|
|
-----
|
|
|
|
``pwncat`` uses the term "fact" to describe any individual piece of data which is
|
|
enumerated by the ``enumerate`` module. Each fact will have a type, a source and some
|
|
abstract data. All data must implement the ``__str__`` operator which is used for the
|
|
short form of the enumeration output. Further, data objects may implement a ``description``
|
|
property which contains a longer form description of the data suitable for more in-depth
|
|
inspection.
|
|
|
|
Different types of facts have different data types. If you request a "suid" fact type,
|
|
then each item is expected to have data objects of the class ``pwncat.enumerate.suid.Binary``
|
|
This generic interface allows the ``enum`` command to intelligently build reports while
|
|
not knowing the underlying data type. Further, if the underlying data type is known,
|
|
``pwncat`` can interact with the raw data (such as the SUID binaries path or owner UID).
|
|
|
|
Viewing Facts
|
|
-------------
|
|
|
|
The ``--show/-s`` argument to the ``enum`` command provides a way to view facts about
|
|
the victim host. If a specific fact type is requested, ``pwncat`` will first look for
|
|
facts of this type in the fact table of the database. Next, ``pwncat`` will check for
|
|
enumerator modules which provide the given type and run any which are available.
|
|
|
|
The default type of data is ``all``. This can take some time as ``pwncat`` has multiple
|
|
types of enumerator modules implemented. There is also a ``--quick`` option which will
|
|
only select a few useful and fast enumeration types which may be useful. Further, you
|
|
can pass the ``--type/-t`` parameter with the name of an enumeration type you would
|
|
like. Enumeration types are dynamic, but a known set of types at runtime can be found
|
|
by tab-completing the ``--type`` argument.
|
|
|
|
.. code-block:: bash
|
|
:caption: Requesting quick enumeration facts
|
|
|
|
$ pwncat -C data/pwncatrc -c -H 1.1.1.1 -p 4444
|
|
[+] connection to 1.1.1.1:4444 established
|
|
[+] setting terminal prompt
|
|
[+] running in /bin/sh
|
|
[+] terminal state synchronized
|
|
[+] pwncat is ready 🐈
|
|
|
|
(remote) bob@pwncat-centos-testing:/root$
|
|
[+] local terminal restored
|
|
(local) pwncat$ enum --show --quick
|
|
SYSTEM.HOSTNAME Facts by pwncat.enumerate.system
|
|
pwncat-centos-testing
|
|
SYSTEM.ARCH Facts by pwncat.enumerate.system
|
|
Running on a x86_64 processor
|
|
SYSTEM.DISTRO Facts by pwncat.enumerate.system
|
|
Running CentOS Linux 8 (Core) (centos), Version 8, Build ID None.
|
|
SYSTEM.KERNEL.VERSION Facts by pwncat.enumerate.system
|
|
Running Linux Kernel 4.18.0-147.3.1.el8_1.x86_64
|
|
SYSTEM.NETWORK.HOSTS Facts by pwncat.enumerate.system
|
|
127.0.0.1 -> ['pwncat-centos-testing', 'pwncat-centos-testing']
|
|
::1 -> ['pwncat-centos-testing', 'pwncat-centos-testing']
|
|
10.0.0.5 -> ['internal_testing.company.com']
|
|
SYSTEM.NETWORK Facts by pwncat.enumerate.system
|
|
Interface lo w/ address 127.0.0.1/8
|
|
Interface lo w/ address ::1/128
|
|
Interface eth0 w/ address 134.122.23.33/20
|
|
Interface eth0 w/ address 10.10.0.6/16
|
|
Interface eth0 w/ address fe80::d877:e2ff:fe42:3169/64
|
|
WRITABLE_PATH Facts by pwncat.enumerate.writable_path
|
|
/home/bob/.local/bin
|
|
/home/bob/bin
|
|
(local) pwncat$
|
|
|
|
Generating a Host Report
|
|
------------------------
|
|
|
|
The ``enum`` command is capable of generating a human-readable report in the form of
|
|
a Markdown document. Specifying the ``--report/-r`` argument enables this mode. When
|
|
generating a report, you can select specific fact types. ``pwncat`` will enumerate
|
|
all information for the remote host and output a comprehensive organized markdown
|
|
report to the specified file.
|
|
|
|
.. code-block:: bash
|
|
:caption: Generating the Report
|
|
|
|
(local) pwncat$ enum --report ./report.md
|
|
[+] enumeration report written to ./report.md
|
|
(local) pwncat$ |