common listing
id            # uid, gid and supplementary groups of the current user
whoami        # effective user name
pwd           # current working directory
ls -la        # long listing of the current directory, dotfiles included
ls -l /home   # home directories present on the host
quick distribution enum
hostname                   # host name as configured
hostname -A                # all FQDNs of the host (not supported by every hostname implementation)
uname -a                   # kernel name, release, version and architecture
uname -mrs                 # kernel name, release and machine type only
rpm -q kernel              # installed kernel packages (RPM-based distributions only)
dmesg | grep Linux         # kernel banner from the ring buffer; dmesg can be limited to root via kernel.dmesg_restrict
ls /boot | grep vmlinuz-   # kernel images present under /boot
quick version enum
cat /proc/version     # running kernel version and the compiler it was built with
cat /etc/issue        # pre-login banner, usually names the distribution
cat /etc/os-release   # standard distribution identification file
cat /etc/*-release    # every *-release file (the glob also matches os-release, so expect repeated output)
hardware
lscpu   # CPU architecture, model, core/thread counts
lspci   # PCI devices
free    # RAM and swap usage (add -h for human-readable units)
ctl commands
# systemd front-ends; run without arguments each one prints a status or list view.
systemctl # introspect and control the state of the systemd system and service manager
hostnamectl # query and change the system hostname and related settings
networkctl # introspect and configure the state of the network links
journalctl # query the contents of the systemd journal
timedatectl # query and change the system clock and its settings
loginctl # introspect and control the state of the systemd login manager
busctl # introspect and monitor the D-Bus bus
networkctl # query the status of network links (same command as listed above)
localectl # query and change the system locale and keyboard layout settings
process and services
ps -A # view all running processes
ps axjf # view the process tree (BSD syntax, job format, forest view)
ps aux # show processes of all users with owner, CPU and memory columns
ps -ef # show all processes in full format (UNIX syntax)
ps aux | grep root # lines mentioning root; also matches the grep process itself and any command line containing "root"
ps -ef | grep root # same filter on the full-format listing
top # real-time process view
kill <pid> # stop a process (sends SIGTERM, which the process may handle); <pid> is a placeholder
kill -9 <pid> # force kill (SIGKILL, no cleanup); use only after SIGTERM has failed
cat /etc/services # static service-name to port mapping; it does not show what is actually running
system variables
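env               # exported environment variables
set               # all shell variables and functions, exported or not
# Quote the expansions so values containing spaces or glob characters print unchanged.
echo "$PATH"      # command search path; writable or relative entries deserve attention
echo "$TERM"      # terminal type
echo "$SHELL"     # login shell of the current user
cat /etc/profile      # system-wide login-shell startup file
cat /etc/bashrc       # system-wide bash startup file (this path is not present on every distribution)
cat ~/.bash_profile   # per-user login-shell startup file
cat ~/.bashrc         # per-user interactive-shell startup file
cat ~/.bash_logout    # commands run when a login shell exits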
security listing
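sudo -l -l # list the commands the current user may run through sudo (long format)
sudo --version # sudo version, to compare against vendor advisories
cat /etc/passwd # local accounts, home directories and login shells
cat /etc/group # local groups and their members
cat /etc/shadow # password hashes; root-only by default, so being readable as a normal user is itself a finding
ls -alh /var/mail/ # local mail spools
id # uid, gid and groups of the current user
who # users currently logged in
last # login history
cat /etc/sudoers # sudo policy; normally readable by root only
# backup copies of the password hash file
locate shadow | grep bak # relies on the locate database, which may be stale or absent
# The pattern is quoted so the shell cannot expand it against the current
# directory before find sees it.
find / -type f -name '*.bak' 2>/dev/null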
network config
ifconfig # network interfaces (net-tools; may not be installed on current distributions)
ip route # network routes
route # route table (net-tools)
cat /etc/network/interfaces # interface configuration on Debian-style systems
cat /etc/sysconfig/network # network settings on Red Hat-style systems
cat /etc/resolv.conf # DNS resolvers and search domains
cat /etc/sysconfig/network # same file as two lines above
cat /etc/networks # network-name to address mapping
iptables -L # firewall rules of the filter table; needs root
dnsdomainname # DNS domain part of the host's FQDN
network ports
# Flags: -t TCP, -u UDP, -n numeric addresses, -l listening sockets only, -p owning process.
# Without root the process column is filled in only for the current user's sockets.
netstat -tunlp # check open and listening ports (net-tools)
ss -tunlp # check open and listening ports (iproute2)
find commands
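# Patterns passed to -name are quoted so the shell cannot expand them against
# the current directory before find sees them.

# find "flag" text files in the current directory
find . -name '*flag*.txt' -type f 2>/dev/null
# find "flag" text files under /home
find /home -name '*flag*.txt' -type f 2>/dev/null
# find the directory named "config"
# (a trailing -type f next to -type d can never match, so only -type d is kept)
find / -type d -name config 2>/dev/null
# find files whose mode is exactly 777 (world-writable and world-executable)
find / -type f -perm 0777 2>/dev/null
# find root-owned files with the SUID bit set; compare the result against the
# package manager's baseline to spot unexpected entries
find / -user root -perm -4000 -type f 2>/dev/null
# find executable files: /a=x matches when any execute bit is set, whereas
# a=x without the slash matches only a mode of exactly 0111
find / -perm /a=x -type f 2>/dev/null
# find files of user "frank" under home
find /home -user frank -type f 2>/dev/null
# find files modified within the last 10 days
# (-10 means "less than 10 days ago"; a bare 10 means "exactly 10 days ago")
find / -mtime -10 -type f 2>/dev/null
# find files accessed within the last 10 days
find / -atime -10 -type f 2>/dev/null
# find files whose inode (owner, mode, content) changed within the last 10 days
find / -ctime -10 -type f 2>/dev/null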
mount
mount            # currently mounted filesystems and their options (nosuid, noexec, nodev, ...)
df -h            # disk usage per mounted filesystem, human-readable
cat /etc/fstab   # filesystems configured to be mounted at boot
printer
lpstat -a   # print queues and whether they are accepting jobs (CUPS)
password fingerprinting
# Files that can hold credentials in clear text or as hashes. Application
# config and database files should not be readable by unprivileged users, and
# history files record anything typed on a command line, passwords included.
cat /var/apache2/config.inc          # web application include file (location varies per install)
cat /var/lib/mysql/mysql/user.MYD    # MySQL account table on MyISAM-based installs
cat /root/anaconda-ks.cfg            # installer kickstart file left behind on Red Hat-style systems
cat ~/.bash_history                  # shell command history
cat ~/.nano_history                  # nano search/replace history
cat ~/.atftp_history                 # atftp client history
cat ~/.mysql_history                 # mysql client statement history
cat ~/.php_history                   # interactive php history
installed and running applications
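ls -alh /usr/bin/                  # user binaries
ls -alh /sbin/                     # system binaries
dpkg -l                            # installed packages (Debian-based)
rpm -qa                            # installed packages (RPM-based)
ls -alh /var/cache/apt/archives/   # downloaded .deb packages (the stray trailing "O" in the path was a typo)
ls -alh /var/cache/yum/            # yum package cache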
misconfigured service settings
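# Service configuration files to review for weak or unintended settings.
# Paths differ between distributions; a missing file only means the service
# is absent or keeps its configuration elsewhere.
cat /etc/syslog.conf
cat /etc/chttp.conf                # NOTE(review): path kept as given on the page; confirm it exists on the target distribution
cat /etc/lighttpd.conf             # NOTE(review): many packages install this under /etc/lighttpd/ instead
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf                    # MySQL/MariaDB configuration (the file is my.cnf, not my.conf)
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
# Recursive listing of /etc filtered to entries whose mode field contains an
# "r". The awk program needs its closing quote or the shell keeps waiting for
# more input. Nearly every entry matches, so the output is long.
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'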
- https://github.com/rebootuser/LinEnum
- https://github.com/carlospolop/PEASS-ng
- https://github.com/mzet-/linux-exploit-suggester
- https://github.com/linted/linuxprivchecker
- https://github.com/diego-treitos/linux-smart-enumeration
- http://pentestmonkey.net/tools/audit/unix-privesc-check
look for scheduled tasks that run with root privileges
crontab -l         # cron jobs of the current user only
cat /etc/crontab   # system-wide cron table; the sixth field names the user each job runs as
# For a job that runs as root, the script it calls and every directory on its
# path should be writable by root alone.