killchain-compendium/post exploitation/docs/linux.md

# Linux Enumeration

## First Checks

```sh
cat /etc/*-release 
cat /proc/version
```

```sh
hostname or cat /etc/hostname
cat /etc/hosts
```

```sh
cat /etc/resolve.conf
cat /etc/systemd/resolved.conf
uname -a
cat /etc/issue
ps wuax  or ps ajxf or ps -A
printenv or env
cat /etc/timezone or timedatectl
```

## Users

```sh
sudo -l
id
whoami
groups and getent group or cat /etc/group
cat /etc/passwd | column -t -s :
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
history
cat /var/mail
```


## Network Info

* The output of information will be different, depending on permissions of the user
```sh
ip a or ifconfig
ip route
cat /etc/network/interfaces
netstat -natup or ss -natup
netstat -tupln or ss -tulpn
netstat -s and netstat -i
lsof -i :<port>
```

## Login Info

```sh
last -f /var/log/wtmp
last -f /var/log/btmp
last
w
who
```

## Syslog

```sh
journalctl -xe
less /var/log/syslog
```

## Auth Logs

```sh
cat /var/log/auth.log | less
cat /var/log/access.log | less
```

## Find Files

* Find SUID permissions on files and dirs
* `find / -perm /6000 -ls 2>/dev/null`

* Find writeables dirs
* `find / -writable -type d 2>/dev/null` or `find / -perm -o w -type d 2>/dev/null`
* `find / -perm -o x -type d 2>/dev/null`

* Find writeable subdirs
`find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u`

* `cat ~/.viminfo`

## Services

```sh
ls -al /etc/systemd/system && ls -la /var/lib/systemd/system || ls -la /etc/init.d 
```

```sh
cat /etc/crontab
crontab -l
cat /etc/bash.bashrc ; cat /etc/profile
```

## Packet Managers

* pacman, apt, dpkg, dnf etc.
enumeration 2022-08-16 23:58:30 +02:00			`# Linux Enumeration`

			`## First Checks`

			```sh
			`cat /etc/*-release`
			`cat /proc/version`
			```

			```sh
			`hostname or cat /etc/hostname`
			`cat /etc/hosts`
			```

			```sh
			`cat /etc/resolve.conf`
			`cat /etc/systemd/resolved.conf`
			`uname -a`
			`cat /etc/issue`
			`ps wuax or ps ajxf or ps -A`
			`printenv or env`
			`cat /etc/timezone or timedatectl`
			```

			`## Users`

			```sh
			`sudo -l`
			`id`
			`whoami`
			`groups and getent group or cat /etc/group`
			`cat /etc/passwd \| column -t -s :`
			`cat /etc/shadow`
			`cat /etc/group`
			`cat /etc/sudoers`
			`history`
			`cat /var/mail`
			```


			`## Network Info`

			`* The output of information will be different, depending on permissions of the user`
			```sh
			`ip a or ifconfig`
			`ip route`
			`cat /etc/network/interfaces`
			`netstat -natup or ss -natup`
			`netstat -tupln or ss -tulpn`
			`netstat -s and netstat -i`
			`lsof -i :<port>`
			```

bump 2022-05-31 21:08:28 +02:00			`## Login Info`
enumeration 2022-08-16 23:58:30 +02:00
bump 2022-05-31 21:08:28 +02:00			```sh
			`last -f /var/log/wtmp`
			`last -f /var/log/btmp`
			`last`
			`w`
			`who`
			```
bump 2021-10-23 02:03:06 +02:00
bump 2022-05-31 21:08:28 +02:00			`## Syslog`

			```sh
			`journalctl -xe`
			`less /var/log/syslog`
			```

			`## Auth Logs`
enumeration 2022-08-16 23:58:30 +02:00
bump 2022-05-31 21:08:28 +02:00			```sh
			`cat /var/log/auth.log \| less`
			`cat /var/log/access.log \| less`
			```

			`## Find Files`
enumeration 2022-08-16 23:58:30 +02:00
bump 2021-10-23 02:03:06 +02:00			`* Find SUID permissions on files and dirs`
			* `find / -perm /6000 -ls 2>/dev/null`

			`* Find writeables dirs`
			* `find / -writable -type d 2>/dev/null` or `find / -perm -o w -type d 2>/dev/null`
			* `find / -perm -o x -type d 2>/dev/null`

			`* Find writeable subdirs`
			`find / -writable 2>/dev/null \| cut -d "/" -f 2,3 \| grep -v proc \| sort -u`
bump 2022-05-31 21:08:28 +02:00
			* `cat ~/.viminfo`

			`## Services`

			```sh
			`ls -al /etc/systemd/system && ls -la /var/lib/systemd/system \|\| ls -la /etc/init.d`
			```
enumeration 2022-08-16 23:58:30 +02:00
bump 2022-05-31 21:08:28 +02:00			```sh
			`cat /etc/crontab`
			`crontab -l`
			`cat /etc/bash.bashrc ; cat /etc/profile`
			```
enumeration 2022-08-16 23:58:30 +02:00
			`## Packet Managers`

			`* pacman, apt, dpkg, dnf etc.`