killchain-compendium/Post Exploitation/Enum on Target.md

112 lines
1.6 KiB
Markdown

# Linux Enumeration
## First Checks
```sh
cat /etc/*-release
cat /proc/version
```
```sh
hostname or cat /etc/hostname
cat /etc/hosts
```
```sh
cat /etc/resolve.conf
cat /etc/systemd/resolved.conf
uname -a
cat /etc/issue
ps wuax or ps ajxf or ps -A
printenv or env
cat /etc/timezone or timedatectl
```
## Users
```sh
sudo -l
id
whoami
groups and getent group or cat /etc/group
cat /etc/passwd | column -t -s :
cat /etc/shadow
cat /etc/group
cat /etc/sudoers
history
cat /var/mail
```
## Network Info
* The output of information will be different, depending on permissions of the user
```sh
ip a or ifconfig
ip route
cat /etc/network/interfaces
netstat -natup or ss -natup
netstat -tupln or ss -tulpn
netstat -s and netstat -i
lsof -i :<port>
```
## Login Info
```sh
last -f /var/log/wtmp
last -f /var/log/btmp
last
w
who
```
## Syslog
```sh
journalctl -xe
less /var/log/syslog
```
## Auth Logs
```sh
cat /var/log/auth.log | less
cat /var/log/access.log | less
```
## Find Files
* User files
```sh
find / -user $USER 2>/dev/null | grep -vE "run|proc|var"
```
* Find SUID permissions on files and dirs
* `find / -perm /6000 -ls 2>/dev/null`
* Find writeables dirs
* `find / -writable -type d 2>/dev/null` or `find / -perm -o w -type d 2>/dev/null`
* `find / -perm -o x -type d 2>/dev/null`
* Find writeable subdirs
`find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u`
* `cat ~/.viminfo`
## Services
```sh
ls -al /etc/systemd/system && ls -la /var/lib/systemd/system || ls -la /etc/init.d
```
```sh
cat /etc/crontab
crontab -l
cat /etc/bash.bashrc ; cat /etc/profile
```
## Packet Managers
* pacman, apt, dpkg, dnf etc.