Recon and Enumeration

Resources

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

# Tmux shortcuts
https://gist.github.com/MohamedAlaa/2961058


Basics

hostname
whoami
id
ifconfig
uname -a
uname -m

# Look up public exploits for the distribution release and kernel version found above
# (the two arguments are placeholders for the values you just collected)
searchsploit -w distrib
searchsploit -w kernel_version

# Test trivial login combinations:
# check /etc/passwd for user names,
# then try su with the user name as the password

# Look for known machines
arp -a

# Get network configuration
/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/networks; iptables -L; hostname; dnsdomainname

# Find Linux distribution and version
cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;

# Get environment variables
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set

# List files under /home with filename, path, user, group and mode as columns
# (-printf must be followed directly by its format string; %m is the mode)
find /home -type f -printf "%f\t%p\t%u\t%g\t%m\n" 2>/dev/null | column -t


Running Services

netstat -lantp
lsof -i
sockstat -l
ss -lantp

# Find printers
lpstat -a

# Network
# TCP ports, UDP ports, numerical addresses, only listening ports, PID of process
netstat -tunlp


Checking Different Things

# Check sudo rights
sudo -l

# User bash history
cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history

# Look for writable configuration files
find /etc/ -writable -type f 2>/dev/null

# Check web application and database configuration files

# If any of these is present, exploits can be compiled on the target machine
which gcc g++ cc

# Look for SUID or SGID binaries (the two -perm tests are grouped so that
# -exec applies to both; -maxdepth goes before the tests)
find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
# Directories with the sticky bit set (e.g. /tmp)
find / -perm -1000 -type d 2>/dev/null
# SGID files only
find / -perm -g=s -type f 2>/dev/null
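The set-id search above is also the basis of a simple audit: record the SUID/SGID files once, then diff later runs against that baseline so any newly appeared set-id binary stands out. The script below is an added example, not part of the original cheat sheet; it assumes GNU find (for -printf) and comm, and the function and file names are its own.

```shell
#!/bin/sh
# Baseline-and-diff audit of SUID/SGID files (added example, not from the
# original cheat sheet). Assumes GNU find (-printf) and comm.

# Print "octal-mode path" for every SUID or SGID regular file under $1
# (default /), sorted so the output can be compared with comm.
# -xdev stays on one filesystem so /proc, /sys and network mounts are skipped.
list_setid() {
    root="${1:-/}"
    find "$root" -xdev \( -perm -4000 -o -perm -2000 \) -type f \
        -printf '%m %p\n' 2>/dev/null | sort
}

# Save the current list for tree $1 into baseline file $2.
save_baseline() {
    list_setid "$1" > "$2"
}

# Print set-id files present under $1 now but absent from baseline $2.
# Exit status 0 when nothing is new, 1 when at least one new entry was found.
new_setid_since() {
    current=$(mktemp)
    list_setid "$1" > "$current"
    # comm -13: lines only in the second (current) file
    comm -13 "$2" "$current"
    n=$(comm -13 "$2" "$current" | wc -l | tr -d ' ')
    rm -f "$current"
    [ "$n" -eq 0 ]
}
```

Run `save_baseline / /var/lib/setid.baseline` on a known-good system, then `new_setid_since / /var/lib/setid.baseline` from a periodic job; a non-zero exit lists the binaries that need explaining.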

# The ARP cache can reveal other hosts on the network
cat /proc/net/arp


Pspy

# pspy is a command line tool designed to snoop on processes without needing
# root permissions. It lets you see commands run by other users, cron jobs,
# etc. as they execute.
https://github.com/DominicBreuker/pspy


Useful scripts

https://github.com/pentestmonkey/unix-privesc-check
https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py

https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

# Check for root cron jobs
https://github.com/codingo/OSCP-2/blob/master/BASH/CronJobChecker.sh

# LinuxPrivCheck
https://github.com/codingo/OSCP-2/blob/master/BASH/LinuxPrivCheck.sh

# Clear and efficient
https://github.com/diego-treitos/linux-smart-enumeration