28 July 2021

Enumerating Internal Network Processes Using net-enum-listeners

After gaining an initial foothold on a machine, one area to focus on is enumerating ports that are only reachable internally. Each listening port belongs to a process, and the processes of most interest are those running as SYSTEM or as another privileged user, since they can be used to escalate privileges. Identifying which user a given process runs as, however, requires admin privileges. What can be done without them is identifying which process (and which corresponding services) is listening on an internal port. Whereas the netstat command's -b flag needs admin rights to show this information, net-enum-listeners.ps1 obtains it without admin privileges. This context helps when judging whether a specific process may be running as a privileged user, and it gives a starting point for gathering further information about that process. More information on how to run the script, along with some examples, can be found on GitHub.
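The same port-to-process mapping done with built-in cmdlets, as an added example that is not the net-enum-listeners.ps1 script from the post. It assumes Windows 8 / Server 2012 or later (the NetTCPIP module provides Get-NetTCPConnection and Get-NetUDPEndpoint), runs as a standard user, and the function name Get-ListeningProcessMap is hypothetical.

```powershell
# Added example, not the net-enum-listeners.ps1 script itself: map every
# listening TCP/UDP port to its owning process and to any Windows services
# hosted in that process, using only cmdlets a standard user can run.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP module present).
function Get-ListeningProcessMap {
    [CmdletBinding()]
    param(
        # Restrict output to loopback-bound listeners, i.e. the "internal"
        # ports that are not visible from the network.
        [switch]$LoopbackOnly
    )

    # Service name(s) per PID, so shared hosts such as svchost.exe are explained.
    $servicesByPid = @{}
    Get-CimInstance -ClassName Win32_Service -Filter "ProcessId <> 0" |
        ForEach-Object {
            $svcPid = [int]$_.ProcessId
            if (-not $servicesByPid.ContainsKey($svcPid)) { $servicesByPid[$svcPid] = @() }
            $servicesByPid[$svcPid] += $_.Name
        }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    foreach ($ep in (@($tcp) + @($udp))) {
        if ($LoopbackOnly -and $ep.LocalAddress -notin '127.0.0.1', '::1') { continue }

        $ownerPid = [int]$ep.OwningProcess
        # The process name is readable for any PID; the image path is not
        # exposed for processes we cannot open (typically SYSTEM), which is
        # itself a hint that the listener is privileged.
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $path = $null
        if ($proc) { try { $path = $proc.Path } catch { $path = $null } }

        [PSCustomObject]@{
            Proto        = $ep.Proto
            LocalAddress = $ep.LocalAddress
            LocalPort    = $ep.LocalPort
            PID          = $ownerPid
            Process      = if ($proc) { $proc.ProcessName } else { '<exited/unknown>' }
            Path         = if ($path) { $path } else { '<not readable>' }
            Services     = if ($servicesByPid.ContainsKey($ownerPid)) { $servicesByPid[$ownerPid] -join ',' } else { '' }
        }
    }
}

Get-ListeningProcessMap -LoopbackOnly | Sort-Object Proto, LocalPort | Format-Table -AutoSize
```

Drop -LoopbackOnly to inventory every listener on the host; the Services column is what explains a generic svchost.exe owner.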

tags: networking oscp penetration testing powershell