Skip to main content

Enumerating Linux


Linux Privilege Escalation Checklist

  • Service Exploits (ex. MySQL User Defined Functions (UDFs) exploit)
  • Weak FIle Permissions (ex. Readable /etc/shadow - Crack hash)
  • Weak FIle Permissions (ex. Writable /etc/shadow - Replace hash with your own)
  • Weak FIle Permissions (ex. Writable /etc/passwd - Replace X with your hash)
  • Sudo - Shell Escape Sequences (sudo -l)
  • Sudo - Environment Variables (ex. env_keep)
  • Cron Jobs - File Permissions
  • Cron Jobs - PATH Environment Variable
  • Cron Jobs - Wildcards
  • SUID/SGID Executables - Known Exploits
  • SUID/SGID Executables - Shared Object Injection
  • SUID/SGID Executables - Environment Variables
  • SUID/SGID Executables - Abusing Shell Features
  • Passwords & Keys - History Files
  • Passwords & Keys - Config Files
  • Passwords & Keys - SSH Keys
  • NFS
  • Kernel Exploits

Manual Enumeration

Enumerating Users

  • Get username the shell is running as

whoami

  • Get more information about the username

id <username>

  • Getting information about the users on Linux

cat /etc/passwd


Enumerating the Hostname

  • Get hostname

hostname


Enumerating the Operating System Version and Architecture

  • Getting the version and architecture of the running operating system

cat /etc/issue

cat /etc/*-release

uname -a


Enumerating Running Processes and Services
  • Getting a list of running processes on the operating system and matching services
ps axu


Enumerating Networking Information
  • Listing the full TCP/IP configuration
ip a
  • Printing the routes
route
  • Listing all active network connections
ss -anp

Enumerating Firewall Status and Rules

  • List firewall rules
iptables
  • Firewall config files
/etc/iptables #search

Enumerating Scheduled Tasks

  • Listing all cron jobs
ls -lah /etc/cron*
  • Check scheduled tasks
cat /etc/crontab

cat /var/log/cron.log

Enumerating Installed Applications and Patch Levels

  • Listing all installed packages on a Debian Linux operating system
dpkg -l

Enumerating Readable/Writable Files and Directories

  • Listing all world writable directories on Linux
find / -writable -type d 2>/dev/null

Enumerating Unmounted Disks

  • Listing content of /etc/fstab and all mounted drives on Linux
cat /etc/fstab

mount
  • Listing all available drives
lsblk

Enumerating Device Drivers and Kernel Modules

  • Listing loaded drivers on Linux
lsmod
  • Listing additional information about a module on Linux
/sbin/modinfo $DRIVER

Enumerating Binaries That AutoElevate

  • List all files with SUID
find / -perm -u=s -type f 2>/dev/null

Automated Enumeration

Tools
unix-privesc-check standard
./unix-privesc-check standard

linpeas.sh
./linpeas.sh