Manual Enumeration Fundamentals

Systematic enumeration is the foundation of successful privilege escalation: it surfaces misconfigurations, vulnerable software, and exposed credentials. Begin with basic system information: kernel version (uname -a), distribution details (cat /etc/*release), and architecture (uname -m). Old, unpatched kernels frequently have public privilege escalation exploits, but treat kernel exploits as a last resort: a failed attempt can panic the host and cost you the foothold you already have.

User and group enumeration reveals privilege relationships and potential lateral movement opportunities. The current user context (id, whoami) establishes your starting privileges. The user listing (cat /etc/passwd) identifies other accounts worth pivoting to, particularly those with a valid login shell. Group memberships sometimes grant privileges that are not obvious from the username: members of the docker group can start a container with the host's root filesystem mounted, which is equivalent to root on the host; the disk group grants raw read and write access to block devices, and with it every file on them, including /etc/shadow; the video group can read the framebuffer and thus capture screen contents. Recognising these implicit privileges turns seemingly limited access into a path to root.

Process enumeration uncovers running services, scheduled tasks, and potential attack vectors. Process listings (ps aux) reveal services running as root, interesting applications, and credentials passed on the command line, which are visible to every local user. Listening sockets (netstat -antup, ss -antup) identify services bound only to 127.0.0.1 or ::1, which are unreachable from the network but become reachable once you have a shell on the host. Such internal-only services are often less hardened than externally exposed ones and may be exploitable for escalation.

File system enumeration discovers sensitive files, credentials, and misconfigurations. Search for configuration files containing passwords, private keys, or connection strings; common locations include web application configs, database files, and user home directories. Hidden files (.bash_history, .mysql_history) often contain credentials typed on the command line or reveal how the system is used. Backup files (*.bak, *~) may contain outdated but still valid credentials, and are frequently left world-readable even when the live copy is not.
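The four enumeration steps above, worked into one small script. This is an added example, not code from the original page: each check is a function that takes its input as an argument or on stdin, so the constructed sample `id` and `ss` output embedded below (not captured from a real host) exercises the parsers offline, and `--live` runs the same checks against the current machine. The list of privileged group names is an assumption based on common Debian and Ubuntu defaults; adjust it for the target distribution.

```bash
#!/usr/bin/env bash
# Added enumeration helper (not from the original page). Each parser takes its
# input as an argument or on stdin so the constructed samples below run offline;
# `./enum.sh --live` runs the real commands on this host.

# Assumption: group names as found on Debian/Ubuntu; other distributions differ.
PRIVILEGED_GROUPS="root sudo wheel adm shadow disk docker lxd video"

# Constructed sample inputs (not captured from a real host) for the offline demo.
SAMPLE_ID='uid=1000(bob) gid=1000(bob) groups=1000(bob),999(docker),6(disk),100(users)'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*     users:(("mysqld",pid=812,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=640,fd=3))
tcp   LISTEN 0      128    [::1]:8080        [::]:*        users:(("java",pid=1201,fd=44))
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=512,fd=6))'

# privileged_groups "$(id)" -> space-separated privileged groups the user is in
privileged_groups() {
    local id_output="$1" found="" g name p
    # Take the groups=... field of `id`, split on ',', keep the name in parentheses.
    for g in $(printf '%s\n' "$id_output" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' | tr ',' ' '); do
        name=${g#*(}
        name=${name%)}
        for p in $PRIVILEGED_GROUPS; do
            [ "$name" = "$p" ] && found="$found $name"
        done
    done
    printf '%s\n' "${found# }"
}

# ss -tulnp | localhost_listeners -> "port process" for sockets bound only to
# loopback: invisible from the network, reachable once you have a shell.
localhost_listeners() {
    awk '$5 ~ /^(127\.[0-9.]+|\[::1\]):[0-9]+$/ {
            n = split($5, a, ":"); port = a[n]; proc = "?"
            # ss prints users:(("name",pid=N,fd=M)); keep just the name
            if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
            print port, proc
        }'
}

# sensitive_files DIR -> history/backup files under DIR, plus any file whose
# content looks like a password assignment or a PEM private key
sensitive_files() {
    local root="$1"
    {
        find "$root" -type f \( -name '*.bak' -o -name '*~' -o -name '.*_history' \) 2>/dev/null
        grep -rIlE 'passw(or)?d[[:space:]]*[=:]|BEGIN [A-Z ]*PRIVATE KEY' "$root" 2>/dev/null
    } | sort -u
}

# run_live: the same checks against the current host
run_live() {
    echo "[*] kernel/distro:"; uname -a; cat /etc/*release 2>/dev/null | head -n 3
    echo "[*] privileged groups for $(whoami): $(privileged_groups "$(id)")"
    echo "[*] loopback-only listeners (port process):"
    ss -tulnp 2>/dev/null | localhost_listeners
    echo "[*] candidate credential files under $HOME:"
    sensitive_files "$HOME"
}

if [ "${1:-}" = "--live" ]; then
    run_live
else
    echo "sample groups:    $(privileged_groups "$SAMPLE_ID")"
    echo "sample listeners: $(printf '%s\n' "$SAMPLE_SS" | localhost_listeners | tr '\n' ';')"
fi
```

Run it without arguments to see the parsers work on the constructed samples (docker and disk are flagged; the MySQL and Java listeners on loopback are reported, sshd on 0.0.0.0 is not), then with `--live` on a target. Treat the output as leads, not conclusions: a docker-group member still needs a usable socket, and a loopback service still needs a known weakness before either becomes a root path.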