Recon and Enumeration


# Tmux shortcuts


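uname -a
uname -m

# Check the distribution and kernel version against the local exploit index
# (replace distrib / kernel_version with the values printed above)
searchsploit -w distrib
searchsploit -w kernel_version

# Test trivial login combinations
# check /etc/passwd
# then su login=password

# Look for known machines (hosts already in the ARP cache)
arp -a

# Get network configuration
# iptables -L needs root; everything else here is readable by any user.
# (the duplicate cat of /etc/sysconfig/network was dropped)
/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/networks; iptables -L; hostname; dnsdomainname

# Find Linux distribution and version
cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release

# Get environment variables
# set also prints every shell variable and function, so expect long output
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set

# List files under /home with filename, path, user, group and mode as columns.
# find requires tests (-type) before actions (-printf): the original order
# made find take "-type" as the printf format and fail; "\%m" was also a
# missing tab separator before the mode column.
find /home -type f -printf "%f\t%p\t%u\t%g\t%m\n" 2>/dev/null | column -t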

Running Services

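# Listening sockets and their owning processes. netstat (net-tools) is often
# not installed on current distributions and ss replaces it; sockstat is the
# BSD equivalent. Each tool is run only when present so that a missing one
# does not abort the rest of the listing.
if command -v netstat >/dev/null; then netstat -lantp; fi
if command -v lsof >/dev/null; then lsof -i; fi
if command -v sockstat >/dev/null; then sockstat -l; fi
if command -v ss >/dev/null; then ss -lantp; fi

# Find printers
if command -v lpstat >/dev/null; then lpstat -a; fi

# Network
# TCP ports, UDP ports, numeric addresses, listening ports only, PID of process
if command -v netstat >/dev/null; then netstat -tunlp; fi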

Checking Different Things

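# Check sudo rights
sudo -l

# User shell and tool history files
cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history

# Look for writable configuration files
find /etc/ -writable -type f 2>/dev/null

# Check web config files or database config files

# If one of them is here, exploits can be compiled on the target machine
# (command -v is the portable replacement for which)
command -v gcc g++ cc

# Look for SUID or SGID binaries.
# The two -perm tests must be grouped: without the parentheses the -o bound
# only the SUID test to -exec, so SGID matches were found but never printed.
# -maxdepth is a global option and has to come before the tests; "+" batches
# the matches into few ls invocations instead of one per file.
find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} + 2>/dev/null
# Directories with the sticky bit set (typically shared writable dirs such as /tmp)
find / -perm -1000 -type d 2>/dev/null
# All SGID regular files, without the depth limit used above
find / -perm -g=s -type f 2>/dev/null

# The ARP cache can reveal additional hosts
cat /proc/net/arp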


# pspy is a command-line tool designed to snoop on processes without needing
# root permissions. It lets you see commands run by other users, cron jobs,
# etc. as they execute.

Useful scripts

# Check for root cron jobs

# LinuxPrivCheck

# Clear and efficient