Linux Post Enumeration
Introduction
In this blog post we will discuss manual Linux post-exploitation enumeration approaches used to learn about the compromised host and its services.
After successful exploitation we have to gather information about the system in order to escalate privileges and exfiltrate valuable data from the target system.
The very first command to execute is ‘id’, to learn about the current user.
id
To get kernel information about the system, in order to search for any exploit available for that particular kernel version
uname -a
To see known hostnames to the target system
cat /etc/hosts
To know about the current operating system and its version
cat /etc/issue
To check IP interface information
ifconfig
To check running processes on the target system
ps auxw
ps -ef
To check network routes in order to use this information to pivot
route -n
To check current TCP and UDP network connections
netstat -auntp
watch ss -twurp
netstat -antu
To learn the DNS server, in order to get information about Active Directory accounts, zone transfers, etc.
cat /etc/resolv.conf
To see which other machines this host has recently communicated with (the ARP cache)
arp -a
To find the files owned by our current user
find / -user <username>
To check the last logged-on users
last -a
To check who is logged on and what they are doing
w
To check UID and GID information of all users
cat /etc/passwd
To check how many accounts have UID 0 (root privileges) on the system
awk -F: '$3 == 0 {print $1}' /etc/passwd
To check groups
cat /etc/group
To find all SUID executables
find / -perm -4000 -type f 2>/dev/null
To read configuration files for sensitive information such as passwords
grep "password" /etc/*.conf 2> /dev/null
To check the current user’s sudo access
sudo -l
If we are allowed to read the shadow file
cat /etc/shadow
To find world-writable directories
find / -perm -0002 -type d 2>/dev/null
To list all cron jobs
crontab -l
To check permissions of files in the /root directory
ls -als /root/*
Search for the strings “user” and “pass” in the Apache/nginx access log
grep -Ei "user|pass" /var/log/apache/access.log
To get cron job information
ls -als /etc/cron.*
To find cron job files that are world-writable
find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
To check for any LDAP, local or NIS accounts
getent passwd
To dump Samba user database information
pdbedit -L -w
pdbedit -L -v
To check the software installed on the system
dpkg -l
To find services in /etc/init.d not owned by root and list their permissions
find /etc/init.d/ ! -uid 0 -type f 2>/dev/null |xargs ls -la
To list running services
service --status-all
To check syslog configuration
cat /etc/syslog.conf
To find all config files
find / -name "*.conf" 2> /dev/null
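As an added, defender-side example that is not part of the original post: a small audit script that checks a host for the same conditions the commands above look for (extra UID 0 accounts, world-writable cron files, non-root SUID binaries), so that an administrator can find and fix them first. The function names, the staging directory and the sample passwd lines are constructed for this example.

```shell
#!/bin/sh
# Audit helpers for conditions a post-exploitation enumeration would find.
# Each function takes a path so it can be run against a copy of the files
# or a staging directory rather than only the live system.

# Print every account name whose UID (third field of passwd) is 0.
# Matching the field exactly avoids the false positives of grep "0:0",
# which would also match a line such as "svc:x:100:0:...".
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Print regular files under a cron directory that are writable by "other".
world_writable_cron() {
    find "${1:-/etc/cron.d}" -type f -perm -o+w 2>/dev/null
}

# Print SUID executables under a directory that are not owned by root;
# these are the most suspicious entries among the "find / -perm -4000" results.
nonroot_suid() {
    find "${1:-/}" -type f -perm -4000 ! -uid 0 2>/dev/null
}

# Demonstration on a constructed staging area so the script runs offline.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'svc:x:100:0:svc:/home/svc:/bin/sh\n' >> "$tmp/passwd"
    printf 'backdoor:x:0:1000:bd:/home/bd:/bin/sh\n' >> "$tmp/passwd"
    mkdir "$tmp/cron.d"
    printf '* * * * * root /usr/local/bin/job\n' > "$tmp/cron.d/job"
    chmod 666 "$tmp/cron.d/job"   # constructed misconfiguration
    echo "UID 0 accounts:";          uid0_accounts "$tmp/passwd"
    echo "World-writable cron files:"; world_writable_cron "$tmp/cron.d"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see the report on the constructed staging directory, or call the functions directly against the live paths.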
Conclusion
I have listed some commands and techniques, but there may be more, depending on the configuration and specification of the target system.