Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Normally, running lsattr on a directory lists the attributes of the files inside that directory. To get the attributes of the directory itself, use the -d option, which makes lsattr treat the directory as a file:
lsattr -d /home/user
Change attributes of a file
chattr <mode> $file   # <mode> is a symbolic mode in the format described below
The format of a symbolic mode is +-=[aAcCdDeijsStTu]
The operator '+' causes the selected attributes to be added to the existing attributes of the files; '-' causes them to be removed; and '=' causes them to be the only attributes that the files have.
The letters 'aAcCdDeijsStTu' select the new attributes for the files: append only (a), no atime updates (A), compressed (c), no copy-on-write (C), no dump (d), synchronous directory updates (D), extent format (e), immutable (i), data journalling (j), secure deletion (s), synchronous updates (S), no tail-merging (t), top of directory hierarchy (T), and undeletable (u).
The following attributes are read-only and may be listed by lsattr but not modified by chattr: compression error (E), huge file (h), indexed directory (I), inline data (N), compression raw access (X), and compressed dirty file (Z).
Not all flags are supported or utilized by all filesystems; refer to filesystem-specific man pages such as btrfs, ext4, and xfs for more filesystem-specific details.
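The immutable (i) and append-only (a) attributes are the two worth hunting for during enumeration: an immutable /etc/passwd or a locked-down cron file explains why a write "as root" still fails, and an attacker-set +i on a dropped binary is a persistence tell. The following is an added example, not code from the original page: a small parser for lsattr output that reports only those two attributes. The function name and the sample lsattr lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): parse lsattr output and report
# files carrying the immutable (i) or append-only (a) attribute. Live usage:
#   lsattr -R / 2>/dev/null | flagged_attrs
flagged_attrs() {
    # lsattr prints "<flags> <path>"; -R also prints "<dir>:" headers and blank
    # lines, which the first-field pattern filters out. The path is everything
    # after the first space, so names with spaces survive. Matching is
    # case-sensitive: 'i' is immutable, 'I' is merely "indexed directory".
    awk 'NF >= 2 && $1 ~ /^[-A-Za-z]+$/ {
        flags = $1
        path  = substr($0, length(flags) + 2)
        if (index(flags, "i"))      print "immutable   " path
        else if (index(flags, "a")) print "append-only " path
    }'
}

# Constructed sample of "lsattr -R" output for the demo (not captured from a real host)
SAMPLE_LSATTR='--------------e------- /etc/hostname
----i---------e------- /etc/passwd
-----a--------e------- /var/log/audit/audit.log

/etc/cron.d:
--------------e------- /etc/cron.d/job'

printf '%s\n' "$SAMPLE_LSATTR" | flagged_attrs
```

Removing +i needs CAP_LINUX_IMMUTABLE, so even a root shell has to `chattr -i` before editing; the same flag is why `rm -rf` as root can fail on a single file.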
Process Enumeration
ps
# To list every process on the system:
ps aux
# To list a process tree:
ps axjf
# To list every process owned by $user:
ps -au $user
# To list every process with a user-defined format:
ps -eo pid,user,command
# List the processes being run by a particular set of usernames:
ps -f -u username1,username2,....,usernameN
# Display a list of processes with a particular parent ID (5589)
# Note that when a process is launched it may spawn several other sub processes which all share a common parent process ID
ps -f --ppid 5589
# List processes with given PIDs:
ps -f -p 25001,4567,789
# Display all processes owned by the current user:
ps -U $USER
# Sort processes based on CPU and memory usage (useful for finding memory leaks):
ps aux --sort pmem
You can run pspy --help to learn about the flags and their meaning. The summary is as follows:
-p: enables printing commands to stdout (enabled by default)
-f: enables printing file system events to stdout (disabled by default)
-r: list of directories to watch with Inotify. pspy will watch all subdirectories recursively (by default, watches /usr, /tmp, /etc, /home, /var, and /opt).
-d: list of directories to watch with Inotify. pspy will watch these directories only, not the subdirectories (empty by default).
-i: interval in milliseconds between procfs scans. pspy scans regularly for new processes regardless of Inotify events, just in case some events are not received.
-c: print commands in different colors. File system events are not colored anymore, commands have different colors based on process UID.
--debug: prints verbose error messages which are otherwise hidden.
The default settings should be fine for most applications. Watching files inside /usr is most important since many tools will access libraries inside it.
Some more complex examples:
# print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000
# place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir
# disable printing discovered commands but enable file system events
./pspy64 -p=false -f
/proc
Information about running processes can also be read straight from procfs: /proc/self/status describes the process that reads it (your shell), while /proc/<pid>/status and /proc/<pid>/cmdline describe any other process you are allowed to read.
ps -U root -u root ux   # View all processes started by a certain user (root in this case)
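When ps is missing, or is a binary you do not trust on a compromised host, the same listing can be rebuilt from /proc. The following is an added example, not code from the original page: it walks <pid>/status and <pid>/cmdline and prints pid, real UID, name and command line, with a second function that keeps only root-owned processes. The procfs root is a parameter so the code can be exercised against a constructed tree; the function names and the fake process entries are my own.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate processes straight from
# procfs. Live usage:  enum_proc /proc    or    enum_root_proc /proc
enum_proc() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/status" ] || continue
        pid=${d##*/}
        # Name: and Uid: come from <pid>/status; the first Uid value is the real UID
        name=$(awk '/^Name:/ { print $2 }' "$d/status")
        uid=$(awk '/^Uid:/  { print $2 }' "$d/status")
        # <pid>/cmdline is NUL-separated and empty for kernel threads (shown as [name])
        cmd=
        [ -r "$d/cmdline" ] && cmd=$(tr '\0' ' ' < "$d/cmdline" | sed 's/ *$//')
        printf '%s\t%s\t%s\t%s\n' "$pid" "$uid" "$name" "${cmd:-[$name]}"
    done
    return 0
}

# Only processes running as root: their binaries, config files and arguments
# are the ones worth a closer look
enum_root_proc() {
    enum_proc "$1" | awk -F'\t' '$2 == 0'
}

# Constructed procfs tree for the demo (three fake processes, not a real /proc)
make_sample_proc() {
    p=$(mktemp -d)
    mkdir "$p/2" "$p/42" "$p/1337"
    printf 'Name:\tkthreadd\nPid:\t2\nUid:\t0\t0\t0\t0\n' > "$p/2/status"
    : > "$p/2/cmdline"
    printf 'Name:\tsshd\nPid:\t42\nUid:\t0\t0\t0\t0\n' > "$p/42/status"
    printf 'sshd\0-D\0' > "$p/42/cmdline"
    printf 'Name:\tbash\nPid:\t1337\nUid:\t1000\t1000\t1000\t1000\n' > "$p/1337/status"
    printf 'bash\0' > "$p/1337/cmdline"
    printf '%s\n' "$p"
}

enum_proc "$(make_sample_proc)"
```

On a hardened host /proc may be mounted with hidepid=2, in which case only your own processes appear; an empty listing from an unprivileged shell is itself a finding.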
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1   # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l
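The UID 0 check above is the one everybody runs; two others are just as cheap and catch accounts the first one misses. The following is an added example, not code from the original page: the passwd checks as functions that take the file path, so they run against a constructed sample here and against /etc/passwd on a target. The function names and the sample entries are my own.

```shell
#!/bin/sh
# Added example (not from the original page): passwd audit functions.
# Live usage:  uid0_accounts /etc/passwd   etc.

# UID 0 accounts: anything besides root is a backdoor or a misconfiguration
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts with a real login shell (not nologin/false), i.e. the ones that can be used
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Empty password field: login with no password at all
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# A hash stored in passwd itself (world-readable) instead of "x" pointing to shadow
hash_in_passwd_accounts() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Constructed sample passwd file for the demo (not from a real host)
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:backup:/root:/bin/sh
svc:$6$saltsalt$hashhashhash:1001:1001::/home/svc:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
EOF

echo "uid 0:";          uid0_accounts "$SAMPLE_PASSWD"
echo "login shell:";    login_accounts "$SAMPLE_PASSWD"
echo "empty password:"; empty_password_accounts "$SAMPLE_PASSWD"
echo "hash in passwd:"; hash_in_passwd_accounts "$SAMPLE_PASSWD"
```

A hash sitting in /etc/passwd goes straight to an offline cracker; an empty field means `su <user>` with no prompt on most systems.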
What sensitive files can be read?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
# bsd
cat /etc/master.passwd   # is where password hashes are stored in BSD, not /etc/shadow
Anything "interesting" in the home directory(s), if they can be accessed?
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Check the default paths and locations for passwords.
What has the user been doing? Are there any passwords in plain text? What have they been editing?
ls -la ~
cat ~/.bash_history   # check for other shells as well (zsh, etc.)
cat ~/.nano_history   # check for other editors as well (vim, etc.)
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
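Reading each history file by eye works on one box; across many home directories a filter for credential-bearing lines is faster. The following is an added example, not code from the original page: it scans the history files named above (plus a few common extras) for passwords passed on the command line, `-u user:pass` style arguments and `PASSWORD=` assignments. The function name, the regex and the sample history lines are my own.

```shell
#!/bin/sh
# Added example (not from the original page): grep history files for
# credentials. Live usage:  scan_history "$HOME"   or   for h in /root /home/*; do scan_history "$h"; done
scan_history() {
    home=${1:-$HOME}
    for f in .bash_history .zsh_history .sh_history .nano_history .viminfo \
             .atftp_history .mysql_history .php_history .python_history; do
        [ -r "$home/$f" ] || continue
        # password/passwd/pwd tokens, mysql -p<pass>, curl/wget -u user:pass,
        # sshpass, and VAR=... assignments of passwords, tokens, secrets or keys.
        grep -n -i -E \
            'passw(or)?d|pwd[=: ]|mysql .*-p[^ ]|(curl|wget) .*-u +[^ ]+:[^ ]|sshpass|(pass|token|secret|key)[a-z_]*=' \
            "$home/$f" | sed "s|^|$f:|"
    done
    return 0
}

# Constructed sample home directory for the demo (not real history)
make_sample_home() {
    h=$(mktemp -d)
    cat > "$h/.bash_history" <<'EOF'
cd /var/www
mysql -u app -pSup3rS3cret app_db
ls -la
curl -u admin:letmein http://10.0.0.5/api/status
export DB_PASSWORD=hunter2
git status
EOF
    printf 'select * from users;\nset password for app@localhost = password("changeme");\n' > "$h/.mysql_history"
    printf '%s\n' "$h"
}

scan_history "$(make_sample_home)"
```

Expect false positives (anything with "key" before an "=" sign); the point is a short list to read, not an oracle. .viminfo and .mysql_history also hold command history, which is why they are in the list.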
What user information can be found?
cat ~/.bashrc   # check for other shells as well (zsh, etc.)
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings/files related to web server? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
Is there anything in the log file(s) (Could help with "Local File Includes"!)
What "Advanced Linux File Permissions" are used? "Sticky bit", SUID, SGID
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null   # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null   # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID. The parentheses matter: without them -type f binds only to the SUID half and SGID directories are listed too.
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
# -maxdepth is a global option and goes before the tests (find warns otherwise); the -o pair needs parentheses so that "! -type l" applies to both halves
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
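The `-o` precedence trap is easy to state and easy to get wrong, so here it is demonstrated on a tree where the two forms give different answers. The following is an added example, not code from the original page: the ungrouped find beside the grouped one, run against a constructed directory holding one SUID file, one SGID file, a plain file and an SGID directory. Function names and the sample tree are my own.

```shell
#!/bin/sh
# Added example (not from the original page). find binds the implicit -a tighter
# than -o, so "-perm -g=s -o -perm -u=s -type f" parses as
# "SGID anything  OR  (SUID AND regular file)": SGID directories leak in.
# Live usage:  find_special /
find_special_naive() {
    find "$1" -perm -g=s -o -perm -u=s -type f 2>/dev/null | sort
}

# Grouped form: (SUID OR SGID) AND regular file. -type f already excludes symlinks.
find_special() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# Constructed tree: one SUID file, one SGID file, one plain file and one SGID
# directory (the false positive). Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir "$t/sgid_dir"
    touch "$t/suid_bin" "$t/sgid_bin" "$t/plain"
    chmod 4755 "$t/suid_bin"
    chmod 2755 "$t/sgid_bin"
    chmod 2755 "$t/sgid_dir"
    chmod 0755 "$t/plain"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "without parentheses:"; find_special_naive "$tree"
echo "grouped:";             find_special "$tree"
```

On a real filesystem the difference is every setgid directory under /var, /usr/local and shared project trees, which pads the list with noise and hides the one odd binary you are looking for.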
Where can be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm (check the mount options too: a noexec mount can be written to but not executed from directly)