Manual Enumeration
We can use the id command to gather user context information.
test@debian:~$ id
uid=1000(test) gid=1000(test) groups=1000(test),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),112(bluetooth),116(lpadmin),117(scanner)
To enumerate all users, we can simply read the contents of the /etc/passwd file.
joe@debian-privesc:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
...
dnsmasq:x:106:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:108:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
...
Debian-gdm:x:117:124:Gnome Display Manager:/var/lib/gdm3:/bin/false
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
eve:x:1001:1001:,,,:/home/eve:/bin/bash
Login Name: “joe” - Indicates the username used for login.
Encrypted Password: “x” - This field typically contains the hashed version of the user’s password. In this case, the value x means that the entire password hash is contained in the /etc/shadow file (more on that shortly).
UID: “1000” - Aside from the root user, which always has a UID of 0, Linux starts counting regular user IDs from 1000. This value is also called the real user ID.
GID: “1000” - Represents the user’s specific Group ID.
Comment: “joe,,,” - This field generally contains a description about the user, often simply repeating username information.
Home Folder: “/home/joe” - The user’s home directory, which becomes the working directory upon login.
Login Shell: “/bin/bash” - Indicates the default interactive shell, if one exists.
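As an added example (not part of the original notes), a POSIX shell function that applies the field meanings above to passwd-format input and flags the entries an auditor wants to look at first: extra UID 0 accounts, empty password fields, hashes stored in passwd rather than shadow, and accounts with an interactive shell. The sample lines are constructed, not a real system's file.

```shell
#!/bin/sh
# Constructed passwd(5) sample, not a real system's /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
eve:x:1001:1001:,,,:/home/eve:/bin/bash
backup2:x:0:0:legacy backup:/root:/bin/sh
svc::1002:1002:service account:/var/svc:/bin/sh
old:$1$legacyhash:1003:1003:old account:/home/old:/usr/sbin/nologin'

# audit_passwd: reads passwd-format lines on stdin, prints "<tag> <login>" per finding.
#   UID0     - a second account with uid 0, i.e. full root privileges under another name
#   NOPASS   - empty password field: no password is required at all
#   HASHHERE - field is neither "x" nor a locked marker (* or !), so the hash sits
#              in the world-readable passwd file instead of /etc/shadow
#   SHELL    - interactive login shell; cross-check against the expected user list
audit_passwd() {
    awk -F: '
        NF < 7 { next }                                        # skip malformed lines
        $3 == 0 && $1 != "root"                { print "UID0 " $1 }
        $2 == ""                               { print "NOPASS " $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "HASHHERE " $1 }
        $7 !~ /(nologin|false)$/               { print "SHELL " $1 }
    '
}

# count_findings TAG: number of findings with that tag in the constructed sample
count_findings() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd | grep -c "^$1 " || true
}

# Stand-alone run: list every finding for the sample.
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On a live system the same function reads the real file with `audit_passwd < /etc/passwd`.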
hostname
┌──(kali㉿kali)-[~]
└─$ hostname
kali
/etc/issue, /etc/*-release And uname -a
┌──(kali㉿kali)-[~]
└─$ cat /etc/issue
Kali GNU/Linux Rolling \n \l
┌──(kali㉿kali)-[~]
└─$ cat /etc/os-release
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
VERSION="2023.1"
VERSION_ID="2023.1"
VERSION_CODENAME="kali-rolling"
ID=kali
ID_LIKE=debian
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
ANSI_COLOR="1;31"
┌──(kali㉿kali)-[~]
└─$ uname -a
Linux kali 6.1.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.12-1kali2 (2023-02-23) x86_64 GNU/Linux
ps
Use the a and x flags to list all processes, with or without a controlling tty, and the u flag to display them in a user-oriented format.
┌──(kali㉿kali)-[~]
└─$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 169116 13448 ? Ss Jul21 0:03 /sbin/init splash
root 2 0.0 0.0 0 0 ? S Jul21 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< Jul21 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< Jul21 0:00 [rcu_par_gp]
root 5 0.0 0.0 0 0 ? I< Jul21 0:00 [slub_flushwq]
root 6 0.0 0.0 0 0 ? I< Jul21 0:00 [netns]
root 10 0.0 0.0 0 0 ? I< Jul21 0:00 [mm_percpu_wq]
root 11 0.0 0.0 0 0 ? I Jul21 0:00 [rcu_tasks_kthread]
root 12 0.0 0.0 0 0 ? I Jul21 0:00 [rcu_tasks_rude_kthread]
root 13 0.0 0.0 0 0 ? I Jul21 0:00 [rcu_tasks_trace_kthread]
root 14 0.0 0.0 0 0 ? S Jul21 0:02 [ksoftirqd/0]
root 15 0.0 0.0 0 0 ? I Jul21 0:16 [rcu_preempt]
root 16 0.0 0.0 0 0 ? S Jul21 0:00 [migration/0]
root 18 0.0 0.0 0 0 ? S Jul21 0:00 [cpuhp/0]
root 19 0.0 0.0 0 0 ? S Jul21 0:00 [cpuhp/1]
root 20 0.0 0.0 0 0 ? S Jul21 0:00 [migration/1]
ps -auwwx | grep vnc
ifconfig or ip
┌──(kali㉿kali)-[~]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:98:02:ed brd ff:ff:ff:ff:ff:ff
inet 192.168.10.13/24 brd 192.168.10.255 scope global dynamic noprefixroute eth0
valid_lft 68983sec preferred_lft 68983sec
inet6 fe80::c3d1:f112:b9dc:3dcc/64 scope link noprefixroute
valid_lft forever preferred_lft forever
12: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.14.3/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::1001/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::c716:e1e2:ee4:3a9c/64 scope link stable-privacy
valid_lft forever preferred_lft forever
┌──(kali㉿kali)-[~]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.10.13 netmask 255.255.255.0 broadcast 192.168.10.255
inet6 fe80::c3d1:f112:b9dc:3dcc prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:98:02:ed txqueuelen 1000 (Ethernet)
RX packets 7182316 bytes 5145023073 (4.7 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7825314 bytes 1591825947 (1.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 20146 bytes 11233526 (10.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20146 bytes 11233526 (10.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.14.3 netmask 255.255.254.0 destination 10.10.14.3
inet6 fe80::c716:e1e2:ee4:3a9c prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::1001 prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 65 bytes 10280 (10.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
route And routel
┌──(kali㉿kali)-[~]
└─$ routel
Dst Gateway Prefsrc Protocol Scope Dev Table
default 192.168.10.1 192.168.10.13 dhcp eth0
10.10.10.0/23 10.10.14.1 tun0
10.10.14.0/23 10.10.14.3 kernel link tun0
10.129.0.0/16 10.10.14.1 tun0
192.168.10.0/24 192.168.10.13 kernel link eth0
10.10.14.3 10.10.14.3 kernel host tun0 local
10.10.15.255 10.10.14.3 kernel link tun0 local
127.0.0.0/8 127.0.0.1 kernel host lo local
127.0.0.1 127.0.0.1 kernel host lo local
127.255.255.255 127.0.0.1 kernel link lo local
192.168.10.13 192.168.10.13 kernel host eth0 local
192.168.10.255 192.168.10.13 kernel link eth0 local
┌──(kali㉿kali)-[~]
└─$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default RTK_GW 0.0.0.0 UG 100 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
192.168.10.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
netstat or ss
charix@Poison:/ % netstat -an -p tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 10.10.10.84.22 10.10.14.10.46082 ESTABLISHED
tcp4 0 0 127.0.0.1.25 *.* LISTEN
tcp4 0 0 *.80 *.* LISTEN
tcp6 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.5801 *.* LISTEN
tcp4 0 0 127.0.0.1.5901 *.* LISTEN
┌──(kali㉿kali)-[~]
└─$ netstat -anp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:37601 0.0.0.0:* LISTEN 453743/chrome --rem
tcp 0 0 127.0.0.1:33507 0.0.0.0:* LISTEN 5601/Code --standar
tcp 0 0 192.168.10.13:59336 18.200.157.25:443 ESTABLISHED 3398/firefox-esr
tcp 0 0 127.0.0.1:37601 127.0.0.1:41184 ESTABLISHED 453743/chrome --rem
tcp 0 0 192.168.10.13:39204 35.201.103.21:443 ESTABLISHED 3398/firefox-esr
tcp 0 0 192.168.10.13:56782 142.250.77.170:443 ESTABLISHED 3398/firefox-esr
tcp 0 0 192.168.10.13:56528 34.160.144.191:443 ESTABLISHED 3398/firefox-esr
tcp 0 0 10.10.14.5:49550 10.10.10.58:22 ESTABLISHED 732460/ssh
tcp 0 0 192.168.10.13:56780 142.250.77.170:443 ESTABLISHED 3398/firefox-esr
tcp 0 0 192.168.10.13:60228 34.117.65.55:443 ESTABLISHED 3398/firefox-esr
tcp 0 0 192.168.10.13:59962 34.98.75.36:443 ESTABLISHED 3398/firefox-esr
tcp6 0 0 127.0.0.1:8080 :::* LISTEN 453531/java
tcp6 0 0 127.0.0.1:44385 :::* LISTEN 453531/java
tcp6 0 0 127.0.0.1:41184 127.0.0.1:37601 ESTABLISHED 453531/java
udp 0 0 192.168.10.13:68 192.168.10.1:67 ESTABLISHED -
udp 0 0 0.0.0.0:57542 0.0.0.0:* -
udp 0 0 224.0.0.251:5353 0.0.0.0:* 453743/chrome --rem
udp 0 0 224.0.0.251:5353 0.0.0.0:* 453743/chrome --rem
raw6 0 0 :::58 :::* 7 -
/etc/iptables
james@privesc:~$ cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Thu Aug 18 12:53:22 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 1999 -j ACCEPT
COMMIT
# Completed on Thu Aug 18 12:53:22 2022
ls -lah /etc/cron*
┌──(kali㉿kali)-[~]
└─$ ls -lah /etc/cron*
-rw-r--r-- 1 root root 1.1K Jan 11 2023 /etc/crontab
/etc/cron.d:
total 40K
drwxr-xr-x 2 root root 4.0K Mar 10 08:50 .
drwxr-xr-x 179 root root 12K Jul 14 12:45 ..
-rw-r--r-- 1 root root 201 Feb 2 00:38 e2scrub_all
-rw-r--r-- 1 root root 607 Nov 9 2022 john
-rw-r--r-- 1 root root 140 Jan 16 2023 ntpsec
-rw-r--r-- 1 root root 712 Jul 13 2022 php
-rw-r--r-- 1 root root 102 Jan 11 2023 .placeholder
-rw-r--r-- 1 root root 396 Dec 4 2022 sysstat
/etc/cron.daily:
total 56K
drwxr-xr-x 2 root root 4.0K Jul 9 02:45 .
drwxr-xr-x 179 root root 12K Jul 14 12:45 ..
-rwxr-xr-x 1 root root 539 Jun 9 2022 apache2
-rwxr-xr-x 1 root root 1.5K Feb 8 11:07 apt-compat
-rwxr-xr-x 1 root root 157 Dec 13 2017 debtags
-rwxr-xr-x 1 root root 123 Feb 14 21:58 dpkg
-rwxr-xr-x 1 root root 377 Dec 14 2022 logrotate
-rwxr-xr-x 1 root root 1.4K Jan 8 2023 man-db
-rw-r--r-- 1 root root 102 Jan 11 2023 .placeholder
-rwxr-xr-x 1 root root 652 Dec 7 2020 plocate
-rwxr-xr-x 1 root root 383 Jan 28 16:40 samba
-rwxr-xr-x 1 root root 518 Dec 4 2022 sysstat
/etc/cron.hourly:
total 20K
drwxr-xr-x 2 root root 4.0K Mar 10 08:43 .
drwxr-xr-x 179 root root 12K Jul 14 12:45 ..
-rw-r--r-- 1 root root 102 Jan 11 2023 .placeholder
/etc/cron.monthly:
total 24K
drwxr-xr-x 2 root root 4.0K Mar 10 08:50 .
drwxr-xr-x 179 root root 12K Jul 14 12:45 ..
-rw-r--r-- 1 root root 102 Jan 11 2023 .placeholder
-rwxr-xr-x 1 root root 144 Jun 5 2013 rwhod
/etc/cron.weekly:
total 24K
drwxr-xr-x 2 root root 4.0K Mar 10 08:44 .
drwxr-xr-x 179 root root 12K Jul 14 12:45 ..
-rwxr-xr-x 1 root root 1.1K Jan 8 2023 man-db
-rw-r--r-- 1 root root 102 Jan 11 2023 .placeholder
/etc/crontab, crontab -l and sudo crontab -l
┌──(kali㉿kali)-[~]
└─$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.daily; }
47 6 * * 7 root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.weekly; }
52 6 1 * * root test -x /usr/sbin/anacron || { cd / && run-parts --report /etc/cron.monthly; }
#
joe@debian-privesc:~$ crontab -l
joe@debian-privesc:~$ sudo crontab -l
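The cron listings above are only useful once each job's command is checked against who can modify it. As an added example (not from the original notes), a POSIX shell audit that reads a system-format crontab, takes the first absolute path from each job and reports it when that file or its parent directory is world-writable, the classic root-cron misconfiguration. The crontab and scripts are constructed in a temp dir so the check runs offline.

```shell
#!/bin/sh
# setup_fixture: constructed crontab plus two job scripts, one deliberately 777.
setup_fixture() {
    FIXTURE=$(mktemp -d)
    mkdir -p "$FIXTURE/opt/backup" "$FIXTURE/opt/shared" "$FIXTURE/etc/cron.hourly"
    printf '#!/bin/sh\necho backup\n'  > "$FIXTURE/opt/backup/run.sh"
    printf '#!/bin/sh\necho cleanup\n' > "$FIXTURE/opt/shared/cleanup.sh"
    chmod 755 "$FIXTURE/opt" "$FIXTURE/opt/backup" "$FIXTURE/opt/shared" \
              "$FIXTURE/etc" "$FIXTURE/etc/cron.hourly" "$FIXTURE/opt/backup/run.sh"
    chmod 777 "$FIXTURE/opt/shared/cleanup.sh"   # the finding: anyone can edit a root job
    cat > "$FIXTURE/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report $FIXTURE/etc/cron.hourly
*/5 * * * * root $FIXTURE/opt/backup/run.sh >/dev/null 2>&1
0 3 * * * root $FIXTURE/opt/shared/cleanup.sh
EOF
}

# other_writable PATH: true when the "other" write bit is set (column 9 of ls -l)
other_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# audit_cron_file CRONTAB: prints "WRITABLE <user> <job path> <writable path>" for every
# job whose first absolute path, or that path's parent directory, is world-writable.
audit_cron_file() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/   { next }          # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }          # SHELL=, PATH=, MAILTO= settings
        NF >= 7 {
            for (i = 7; i <= NF; i++)                # fields 1-5 schedule, 6 user, 7+ command
                if ($i ~ /^\/./) { print $6, $i; break }
        }' "$1" |
    while read -r user path; do
        for p in "$path" "$(dirname "$path")"; do
            if [ -e "$p" ] && other_writable "$p"; then
                echo "WRITABLE $user $path $p"
            fi
        done
    done
}

# count_findings: build the fixture, audit it, clean up, and return the number of hits
count_findings() {
    setup_fixture
    n=$(audit_cron_file "$FIXTURE/crontab" | grep -c '^WRITABLE' || true)
    rm -rf "$FIXTURE"
    echo "$n"
}

# Stand-alone run against the constructed crontab.
setup_fixture
audit_cron_file "$FIXTURE/crontab"
rm -rf "$FIXTURE"
```

Against a real host, point it at /etc/crontab and the files under /etc/cron.d, which share the user-field format.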
dpkg -l
john@privesc:~$ dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================-============================================-============-===============================================================================
ii accountsservice 0.6.45-2 amd64 query and manipulate user account information
ii acl 2.2.53-4 amd64 access control list - utilities
ii adduser 3.118 all add and remove users and groups
ii adwaita-icon-theme 3.30.1-1 all default icon theme of GNOME
ii aisleriot 1:3.22.7-2 amd64 GNOME solitaire card game collection
ii alsa-utils 1.1.8-2 amd64 Utilities for configuring and using ALSA
ii anacron 2.3-28 amd64 cron-like program that doesn't go by time
ii analog 2:6.0-22 amd64 web server log analyzer
ii apache2 2.4.38-3+deb10u7 amd64 Apache HTTP Server
ii apache2-bin 2.4.38-3+deb10u7 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.38-3+deb10u7 all Apache HTTP Server (common files)
ii apache2-doc 2.4.38-3+deb10u7 all Apache HTTP Server (on-site documentation)
ii apache2-utils 2.4.38-3+deb10u7 amd64 Apache HTTP Server (utility programs for web servers)
find / -writable -type d 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ find / -writable -type d 2>/dev/null # directories
/var/lib/php/sessions
/var/tmp
/run/user/1000
/run/user/1000/speech-dispatcher
/run/user/1000/speech-dispatcher/log
/run/user/1000/speech-dispatcher/log/debug
/run/user/1000/speech-dispatcher/pid
/h
find / -writable -type f 2>/dev/null # files
mount And /etc/fstab
┌──(kali㉿kali)-[~]
└─$ cat /etc/fstab
UUID=488e8ee1-1415-4b2f-935a-3393af6926e2 / ext4 defaults,errors=remount-ro 0 1
/swapfile none swap defaults 0 0
┌──(kali㉿kali)-[~]
└─$ mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=4023872k,nr_inodes=1005968,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=812888k,mode=755,inode64)
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k,inode64)
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=29,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=15944)
tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime,pagesize=2M)
fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
ramfs on /run/credentials/systemd-sysusers.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,relatime,user_id=0,group_id=0,default_permissions,allow_other)
ramfs on /run/credentials/systemd-sysctl.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
ramfs on /run/credentials/systemd-tmpfiles-setup-dev.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
/var/lib/snapd/snaps/snapd_18357.snap on /snap/snapd/18357 type squashfs (ro,nodev,relatime,errors=continue,x-gdu.hide,x-gvfs-hide)
/var/lib/snapd/snaps/core20_1828.snap on /snap/core20/1828 type squashfs (ro,nodev,relatime,errors=continue,x-gdu.hide,x-gvfs-hide)
/var/lib/snapd/snaps/sublime-text_118.snap on /snap/sublime-text/118 type squashfs (ro,nodev,relatime,errors=continue,x-gdu.hide,x-gvfs-hide)
ramfs on /run/credentials/systemd-tmpfiles-setup.service type ramfs (ro,nosuid,nodev,noexec,relatime,mode=700)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
sunrpc on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=812884k,nr_inodes=203221,mode=700,uid=1000,gid=1000,inode64)
gvfsd-fuse on /run/user/1000/gvfs type fuse.gvfsd-fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
portal on /run/user/1000/doc type fuse.portal (rw,nosuid,nodev,relatime,user_id=1000,group_id=1000)
lsblk to view all available disks
┌──(kali㉿kali)-[~]
└─$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 63.3M 1 loop /snap/core20/1828
loop1 7:1 0 49.8M 1 loop /snap/snapd/18357
loop2 7:2 0 65.1M 1 loop /snap/sublime-text/118
sda 8:0 0 80.1G 0 disk
└─sda1 8:1 0 80.1G 0 part /
sr0 11:0 1 1024M 0 rom
We can enumerate the loaded kernel modules using lsmod.
┌──(kali㉿kali)-[~]
└─$ lsmod
Module Size Used by
mptcp_diag 16384 0
vsock_diag 16384 0
tcp_diag 16384 0
udp_diag 16384 0
raw_diag 16384 0
inet_diag 24576 4 tcp_diag,mptcp_diag,raw_diag,udp_diag
unix_diag 16384 0
af_packet_diag 16384 0
netlink_diag 16384 0
cfg80211 1134592 0
tls 126976 0
tun 61440 2
qrtr 49152 4
btusb 65536 0
btrtl 28672 1 btusb
btbcm 24576 1 btusb
snd_ens1371 32768 4
snd_ac97_codec 176128 1 snd_ens1371
vsock_loopback 16384 0
btintel 45056 1 btusb
vmw_vsock_virtio_transport_common 49152 1 vsock_loopback
intel_rapl_msr 20480 0
ac97_bus 16384 1 snd_ac97_codec
intel_rapl_common 32768 1 intel_rapl_msr
btmtk 16384 1 btusb
gameport 24576 1 snd_ens1371
bluetooth 950272 6 btrtl,btmtk,btintel,btbcm,btusb
jitterentropy_rng 16384 1
drbg 45056 1
snd_rawmidi 53248 1 snd_ens1371
intel_pmc_core 53248 0
vmw_vsock_vmci_transport 36864 2
ansi_cprng 16384 0
snd_seq_device 16384 1 snd_rawmidi
ecdh_generic 16384 1 bluetooth
rfkill 36864 4 bluetooth,cfg80211
snd_pcm 159744 3 snd_ac97_codec,snd_ens1371
vsock 53248 8 vmw_vsock_virtio_transport_common,vsock_loopback,vsock_diag,vmw_vsock_vmci_transport
snd_timer 49152 2 snd_pcm
rapl 20480 0
ecc 40960 1 ecdh_generic
snd 126976 12 snd_seq_device,snd_timer,snd_ac97_codec,snd_pcm,snd_rawmidi,snd_ens1371
ppdev 24576 0
soundcore 16384 1 snd
vmw_balloon 24576 0
parport_pc 40960 0
vmw_vmci 98304 2 vmw_balloon,vmw_vsock_vmci_transport
parport 73728 2 parport_pc,ppdev
sg 40960 0
joydev 28672 0
evdev 28672 8
ac 20480 0
pcspkr 16384 0
serio_raw 20480 0
sunrpc 692224 1
binfmt_misc 24576 1
squashfs 73728 3
loop 32768 6
efi_pstore 16384 0
configfs 57344 1
fuse 176128 9
ip_tables 36864 0
x_tables 61440 1 ip_tables
autofs4 53248 2
ext4 983040 1
crc16 16384 2 bluetooth,ext4
mbcache 16384 1 ext4
jbd2 167936 1 ext4
crc32c_generic 16384 0
hid_generic 16384 0
usbhid 65536 0
hid 155648 2 usbhid,hid_generic
sd_mod 65536 1
t10_pi 16384 1 sd_mod
crc64_rocksoft_generic 16384 1
crc64_rocksoft 20480 1 t10_pi
crc_t10dif 20480 1 t10_pi
crct10dif_generic 16384 0
crc64 20480 2 crc64_rocksoft,crc64_rocksoft_generic
crct10dif_pclmul 16384 1
crct10dif_common 16384 3 crct10dif_generic,crc_t10dif,crct10dif_pclmul
crc32_pclmul 16384 0
crc32c_intel 24576 2
ghash_clmulni_intel 16384 0
sr_mod 28672 0
cdrom 81920 1 sr_mod
sha512_ssse3 49152 1
sha512_generic 16384 1 sha512_ssse3
ata_generic 16384 0
vmwgfx 405504 5
drm_ttm_helper 16384 1 vmwgfx
uhci_hcd 57344 0
ttm 94208 2 vmwgfx,drm_ttm_helper
ata_piix 45056 0
ehci_pci 20480 0
drm_kms_helper 229376 1 vmwgfx
aesni_intel 393216 0
crypto_simd 16384 1 aesni_intel
libata 401408 2 ata_piix,ata_generic
cryptd 28672 2 crypto_simd,ghash_clmulni_intel
mptspi 28672 1
mptscsih 36864 1 mptspi
mptbase 81920 2 mptspi,mptscsih
ehci_hcd 102400 1 ehci_pci
scsi_transport_spi 40960 1 mptspi
drm 663552 9 vmwgfx,drm_kms_helper,drm_ttm_helper,ttm
psmouse 184320 0
usbcore 344064 5 ehci_pci,usbhid,ehci_hcd,btusb,uhci_hcd
e1000 163840 0
usb_common 16384 3 usbcore,ehci_hcd,uhci_hcd
scsi_mod 282624 7 mptspi,sd_mod,scsi_transport_spi,mptscsih,libata,sg,sr_mod
i2c_piix4 28672 0
scsi_common 16384 5 scsi_mod,mptscsih,libata,sg,sr_mod
floppy 86016 0
button 24576 0
Once we’ve collected the list of loaded modules and identified those we want more information about, such as libata in the above example, we can use modinfo to find out more about the specific module.
┌──(kali㉿kali)-[~]
└─$ /sbin/modinfo libata
filename: /lib/modules/6.1.0-kali5-amd64/kernel/drivers/ata/libata.ko
version: 3.00
license: GPL
description: Library module for ATA devices
author: Jeff Garzik
srcversion: 0E34B319B4C12FC4494244B
depends: scsi_mod,scsi_common
retpoline: Y
intree: Y
name: libata
vermagic: 6.1.0-kali5-amd64 SMP preempt mod_unload modversions
parm: zpodd_poweroff_delay:Poweroff delay for ZPODD in seconds (int)
parm: acpi_gtf_filter:filter mask for ACPI _GTF commands, set to filter out (0x1=set xfermode, 0x2=lock/freeze lock, 0x4=DIPM, 0x8=FPDMA non-zero offset, 0x10=FPDMA DMA Setup FIS auto-activate) (int)
parm: force:Force ATA configurations including cable type, link speed and transfer mode (see Documentation/admin-guide/kernel-parameters.rst for details) (string)
parm: atapi_enabled:Enable discovery of ATAPI devices (0=off, 1=on [default]) (int)
parm: atapi_dmadir:Enable ATAPI DMADIR bridge support (0=off [default], 1=on) (int)
parm: atapi_passthru16:Enable ATA_16 passthru for ATAPI devices (0=off, 1=on [default]) (int)
parm: fua:FUA support (0=off [default], 1=on) (int)
parm: ignore_hpa:Ignore HPA limit (0=keep BIOS limits, 1=ignore limits, using full disk) (int)
parm: dma:DMA enable/disable (0x1==ATA, 0x2==ATAPI, 0x4==CF) (int)
parm: ata_probe_timeout:Set ATA probing timeout (seconds) (int)
parm: noacpi:Disable the use of ACPI in probe/suspend/resume (0=off [default], 1=on) (int)
parm: allow_tpm:Permit the use of TPM commands (0=off [default], 1=on) (int)
parm: atapi_an:Enable ATAPI AN media presence notification (0=0ff [default], 1=on) (int)
We can use find to search for SUID-marked binaries.
┌──(kali㉿kali)-[~]
└─$ find / -perm -u=s -type f 2>/dev/null
/snap/core20/1828/usr/bin/chfn
/snap/core20/1828/usr/bin/chsh
/snap/core20/1828/usr/bin/gpasswd
/snap/core20/1828/usr/bin/mount
/snap/core20/1828/usr/bin/newgrp
/snap/core20/1828/usr/bin/passwd
/snap/core20/1828/usr/bin/su
/snap/core20/1828/usr/bin/sudo
/snap/core20/1828/usr/bin/umount
/snap/core20/1828/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1828/usr/lib/openssh/ssh-keysign
/snap/snapd/18357/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/usr/lib/xorg/Xorg.wrap
Automated Enumeration
┌──(kali㉿kali)-[~]
└─$ unix-privesc-check standard > output.txt