Situational Awareness

After gaining access to a system, situational awareness helps you understand your position, identify opportunities, and plan next steps. This reconnaissance phase is critical for effective post-exploitation.

Essential Questions

Every compromise requires answering: Who am I (user, privileges)? Where am I (system, network)? What is here (data, software)? Who else is here (users, admins)? Where can I go (other systems)?

Linux Situational Awareness

User and Privilege Information

Check current user with whoami and id, sudo permissions with sudo -l, users on system with /etc/passwd.

System Information

System details with uname -a and /etc/os-release, hostname, hardware with lscpu, free, df.

Network Position

Network configuration with ip a, netstat, ss. Routing and neighbors with ip route and arp.

Interesting Files

Configuration files in /etc/crontab and cron directories, /etc/hosts. User files in /home directories.

Windows Situational Awareness

User and Privilege Information

Current user with whoami, privileges with whoami /priv, groups with whoami /groups. Local users with net user, administrators with net localgroup administrators.

System Information

System details with systeminfo and hostname. Environment with set.

Network Position

Network configuration with ipconfig /all, netstat -ano, arp -a. Active connections with net session and net use.

Automated Enumeration

Use scripts for comprehensive checks: linpeas.sh and LinEnum.sh for Linux, winPEAS.exe and Seatbelt.exe for Windows.

Documenting Findings

Record everything: access obtained (user, time), system information, network position, interesting findings, credentials found, next steps identified.

Good situational awareness enables every subsequent post-exploitation step.