hostname
whoami
id
ifconfig
uname -a
uname -m
# Check version using
searchsploit -w distrib
searchsploit -w kernel_version
# Test trivials login combinaison# check /etc/passwd# then su login=password# Look for known machines
arp -a
# Get network configuration
/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/sysconfig/network; cat /etc/networks; iptables -L; hostname; dnsdomainname
# Find Linux distribution and version
cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;# Get environment variables
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env;set# Look for files and getting filename, path, user, group, mode as columns
find /home -printf -type f "%f\t%p\t%u\t%g\%m\n" 2>/dev/null | column -t
Running Services
netstat -lantp
lsof -i
sockstat -l
ss -lantp
# Find printers
lpstat -a
# Network# TCP ports, UDP ports, numerical adresses, only listening ports, PID of process
netstat -tunlp
Checking Different Things
# Check sudo rights
sudo -l
# User bash history
cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
# Look for writable configuration files
find /etc/ -writable -type f 2>/dev/null
# Checks web config files or databases config files# If one of them is here, exploits can be compiled on the target machine
which gcc g++ cc
# Look for SUID or GUID binaries
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {}\; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# ARP cache can get you new IP
cat /proc/net/arp
Pspy
# pspy is a command line tool designed to snoop on processes without need # for root permissions. It allows you to see commands run by other # users, cron jobs, etc. as they execute.
https://github.com/DominicBreuker/pspy
Usefull scripts
https://github.com/pentestmonkey/unix-privesc-check
https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
# Check for root cron jobs
https://github.com/codingo/OSCP-2/blob/master/BASH/CronJobChecker.sh
# LinuxPrivCheck
https://github.com/codingo/OSCP-2/blob/master/BASH/LinuxPrivCheck.sh
# Clear and efficient
https://github.com/diego-treitos/linux-smart-enumeration
Swap Digger
https://github.com/sevagas/swap_digger
# swap_digger is a bash script used to automate Linux swap analysis for post-exploitation # or forensics purpose. It automates swap extraction and searches for Linux user credentials,# Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.
./swap_digger.sh [ OPTIONS ]
Options :
-x, --extended Run Extended tests on the target swap to retrieve other interesting data
(web passwords, emails, wifi creds, most accessed urls, etc)
-g, --guessing Try to guess potential passwords based on observations and stats
Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
-h, --help Display this help.
-v, --verbose Verbose mode.
-l, --log Log all outputs in a log file (protected inside the generated working directory).
-c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
-r PATH, --root-path=PATH Location of the target file-system root (default value is /)
Change this value for forensic analysis when target is a mounted file system.
This option has to be used along the -s option to indicate path to swap device.
-s PATH, --swap-path=PATH Location of swap device or swap dump to analyse
Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
This option should be used with the -r option where at least /<root-path>/etc/shadow exists.
-S, --swap-search Search for all available swap devices (use for forensics).