Linux Post Enumeration

Introduction

In this blog post we walk through manual Linux post-exploitation enumeration: the commands used to learn about a compromised host, its users, its network position and its services.

After successful exploitation the next step is to gather information about the system, both to escalate privileges and to locate data worth exfiltrating. Most of the commands below run as an unprivileged user; where one needs root, that is noted.

The very first command to run is id, which shows the current UID, primary GID and supplementary groups. Membership in a group such as sudo, wheel, docker, disk or adm is often a privilege-escalation path in itself.

id

To get the kernel version and architecture, in order to search for public exploits against that particular kernel (check the architecture before picking one)

uname -a

To see hostnames statically mapped on the target, often internal hosts that do not resolve from outside

cat /etc/hosts

To identify the operating system and its version (/etc/issue is the pre-login banner, so it may have been customised or blanked; on modern distributions /etc/os-release is the authoritative source)

cat /etc/issue

To list network interfaces and their addresses (ifconfig belongs to the deprecated net-tools package and is missing on many current distributions, where ip addr replaces it)

ifconfig

To list running processes, in BSD and System V syntax respectively; note which processes run as root and which belong to the web or database service

ps auxw
ps -ef

To view the routing table; any additional networks reachable from this host are candidates for pivoting (route is also part of net-tools, ip route is the modern equivalent)

route -n

To list current TCP and UDP sockets, both listening and established. The process column (-p) is populated only for your own sockets unless you are root; the watch variant refreshes every two seconds and catches short-lived connections.

netstat -auntp
watch ss -twurp
netstat -antu
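A service bound only to loopback is invisible from the network, so it is frequently less hardened than the exposed ones and is a natural target once you have a shell on the box. The script below, an added example rather than code from the original post, classifies sockets from ss output into loopback-only and exposed. SAMPLE_SS is constructed; on a live host feed the function with ss -tulpn instead.

```shell
# Added example (not from the original post): classify listening sockets from
# `ss -tulpn` output. SAMPLE_SS is constructed sample output; on a live host run
#   ss -tulpn 2>/dev/null | listeners
# (the Process column is filled in only for your own sockets unless you are root).

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=12))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=600,fd=3))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=777,fd=6))
tcp   LISTEN 0      100    [::1]:6379         [::]:*            users:(("redis-server",pid=820,fd=7))'

# Read ss output on stdin, print one "proto port scope process" line per socket.
listeners() {
  awk 'NR > 1 {
    addr = $5
    n = split(addr, parts, ":")                 # the port is after the last colon
    port = parts[n]
    host = substr(addr, 1, length(addr) - length(port) - 1)
    scope = "exposed"                           # 0.0.0.0, *, or a real interface address
    if (host ~ /^127\./ || host == "[::1]" || host ~ /%lo$/) scope = "local"
    proc = "-"
    if (match($0, /users:\(\("[^"]+"/))          # users:(("name",pid=...
      proc = substr($0, RSTART + 9, RLENGTH - 10)
    print $1, port, scope, proc
  }'
}

# Only the loopback-bound services, as "process proto/port".
local_only_services() {
  listeners | awk '$3 == "local" { print $4 " " $1 "/" $2 }'
}

# Number of sockets reachable from the network.
exposed_count() {
  listeners | awk '$3 == "exposed" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_SS" | listeners
```

In the sample, MySQL, Redis and the stub resolver are reachable only from the host itself, which is exactly the kind of service that tends to have no authentication or a default password.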

To find the DNS servers and search domains the host uses; on a Windows-integrated network these usually point at Active Directory domain controllers, which become targets for zone transfer attempts and account enumeration

cat /etc/resolv.conf

To dump the ARP cache: the hosts this machine has recently talked to on its local segment, learned without sending any traffic of your own

arp -a

To list every file owned by a given user (start with your own, since that is what you can already modify)

find / -user <username> 2>/dev/null

To see the login history (user, terminal, source host and time)

last -a

To see who is currently logged in and what they are running

w

To list the UID and GID of all local accounts

cat /etc/passwd

To list every account with UID 0 (any such account is root, whatever it is called). Match the UID field exactly rather than grepping for the substring 0:0, which also matches, for example, UID 1000 in group 0.

awk -F: '$3 == 0 {print $1}' /etc/passwd
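The passwd file answers more than "how many root accounts": accounts whose primary group is root, and accounts that still have a usable login shell, both narrow down where to look next. The following is an added example, not code from the original post; SAMPLE_PASSWD is a constructed file, and each function takes a path so it can be pointed at /etc/passwd, or read getent passwd from stdin with "-".

```shell
# Added example (not from the original post): parse a passwd-format file with
# awk instead of grepping for the substring "0:0". SAMPLE_PASSWD is constructed;
# on a real host pass /etc/passwd, or pipe `getent passwd` in and use "-".

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
web:x:1000:0:deploy user in group root:/home/web:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
svc:x:10:0:service account:/var/lib/svc:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/zsh'

PASSWD_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_FILE"

# Accounts with UID 0: every one of these is root, regardless of its name.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Accounts whose primary group is root (GID 0) but that are not UID 0: they can
# write anything that is group-writable by root, which deserves a closer look.
gid0_nonroot_accounts() {
  awk -F: '$4 == 0 && $3 != 0 { print $1 }' "${1:-/etc/passwd}"
}

# Accounts with a usable login shell (candidates for password reuse, su and ssh).
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false|sync)$/ { print $1 }' "${1:-/etc/passwd}"
}

# The substring approach, kept for comparison: "0:0" also matches "web:1000:0"
# and "svc:10:0", so it over-reports root accounts.
naive_uid0_accounts() {
  cut -d: -f1,3,4 "${1:-/etc/passwd}" | grep '0:0' | cut -d: -f1
}

echo "UID 0:           $(uid0_accounts "$PASSWD_FILE" | paste -sd ' ' -)"
echo "GID 0, not root: $(gid0_nonroot_accounts "$PASSWD_FILE" | paste -sd ' ' -)"
echo "login shells:    $(interactive_accounts "$PASSWD_FILE" | paste -sd ' ' -)"
echo "substring match: $(naive_uid0_accounts "$PASSWD_FILE" | paste -sd ' ' -)"
```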

To list groups and their members (look for your own account in sudo, wheel, docker, lxd, disk or adm)

cat /etc/group

To find all SUID executables; compare the list against what a stock install ships, since an unusual SUID binary is a prime escalation candidate

find / -perm -4000 -type f 2>/dev/null

To read configuration files looking for sensitive information such as passwords

grep -i "password" /etc/*.conf 2>/dev/null

To check the current user's sudo rights; entries with NOPASSWD, wildcards, or binaries that can spawn a shell are what to look for

sudo -l

If the current user can read the shadow file (normally only root and the shadow group), dump the password hashes for offline cracking

cat /etc/shadow

To find world-writable directories (swap -type d for -type f to find files); /tmp and /var/tmp are expected and are safe only because of the sticky bit

find / -perm -0002 -type d 2>/dev/null

To list the current user's cron jobs (crontab -l shows only your own; root's and other users' crontabs live under /var/spool/cron)

crontab -l

To check permissions on files in the /root directory; readable root dotfiles such as shell history or SSH keys are the prize

ls -als /root/*

Search for user and pass strings in the Apache or nginx access log, where credentials submitted in query strings end up. Every line starts with the client address, so the pattern must not be anchored to the start of the line. The path varies by distribution: /var/log/apache2/access.log on Debian, /var/log/httpd/access_log on RHEL, /var/log/nginx/access.log for nginx.

grep -iE "user|pass" /var/log/apache2/access.log
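The two credential hunts above, in configuration files and in the access log, are combined in the following added example (not code from the original post). The configuration files and log lines are constructed in a temporary directory; on a live host point creds_in_configs at /etc and creds_in_access_log at the distribution's access log path.

```shell
# Added example (not from the original post): hunt for credentials in config
# files and in a web server access log. Everything below is constructed in a
# temporary directory; on a live host use /etc and the real access log path.

CRED_ROOT=$(mktemp -d)
mkdir -p "$CRED_ROOT/etc" "$CRED_ROOT/var/log"

cat > "$CRED_ROOT/etc/app.conf" <<'EOF'
[database]
host = 127.0.0.1
db_password = Sup3rS3cret
# password = changeme-before-deploy
EOF

cat > "$CRED_ROOT/etc/mail.ini" <<'EOF'
smtp_user = mailer
smtp_passwd: M4ilP4ss
EOF

cat > "$CRED_ROOT/var/log/access.log" <<'EOF'
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login?user=admin&pass=Winter2023 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "POST /api/auth HTTP/1.1" 401 12 "-" "python-requests/2.31"
10.0.0.5 - - [10/Oct/2023:13:58:40 +0000] "GET /reset?username=bob&password=Spring%21 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
EOF

# Lines that assign a credential-looking key in *.conf/*.ini/*.env/*.yml files
# under DIR, printed as file:line:text. The extra /dev/null argument makes grep
# print file names even when only one file matches; the trailing grep drops
# commented-out lines so the default report stays short.
creds_in_configs() {
  find "$1" -type f \( -name '*.conf' -o -name '*.ini' -o -name '*.env' -o -name '*.yml' \) \
    -exec grep -niE '(passw(or)?d|secret|api[_-]?key|token)[[:space:]]*[=:]' /dev/null {} + 2>/dev/null \
    | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' | sort
}

# Credentials sent in a query string are logged verbatim. The line starts with
# the client address, so an anchored ^user|^pass pattern never matches; look
# for the parameters anywhere in the request instead. Values are still
# URL-encoded (%21 is "!").
creds_in_access_log() {
  grep -oE '(user(name)?|pass(word|wd)?)=[^& "]+' "$1" || true
}

# The anchored version, for comparison: it reports 0 on any real access log.
naive_access_log_count() {
  grep -cE '^user|^pass' "$1" || true
}

creds_in_configs "$CRED_ROOT/etc"
creds_in_access_log "$CRED_ROOT/var/log/access.log"
```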

To list the system-wide cron job definitions

ls -als /etc/cron.*

To find cron definition files writable by any user; a writable job that runs as root is a straightforward escalation

find /etc/cron* -type f -perm -o+w -exec ls -l {} \;
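The SUID, world-writable and writable-cron checks from this section are combined below into one added example (not code from the original post), run against a constructed directory tree so it can be tried safely. It adds the refinements a practitioner usually wants: SGID alongside SUID, a stock-install baseline so that only unexpected setuid binaries are reported, and world-writable directories that lack the sticky bit. The BASELINE_SETUID list is an assumption, a short list of binaries that are setuid on most installs; extend it for the target's distribution. Pass "/" instead of AUDIT_ROOT on a live host.

```shell
# Added example (not from the original post): permission audit over a constructed
# tree. Pass "/" on a live host; run as root or expect 2>/dev/null to hide a lot.

AUDIT_ROOT=$(mktemp -d)
mkdir -p "$AUDIT_ROOT/usr/bin" "$AUDIT_ROOT/etc/cron.d" "$AUDIT_ROOT/tmp" "$AUDIT_ROOT/srv/upload"
for f in passwd find wall ls; do : > "$AUDIT_ROOT/usr/bin/$f"; done
chmod 4755 "$AUDIT_ROOT/usr/bin/passwd"   # setuid, expected on a stock install
chmod 4755 "$AUDIT_ROOT/usr/bin/find"     # setuid find: runs -exec as root
chmod 2755 "$AUDIT_ROOT/usr/bin/wall"     # setgid
chmod 0755 "$AUDIT_ROOT/usr/bin/ls"
: > "$AUDIT_ROOT/etc/cron.d/backup";    chmod 0666 "$AUDIT_ROOT/etc/cron.d/backup"    # anyone can edit the job
: > "$AUDIT_ROOT/etc/cron.d/logrotate"; chmod 0644 "$AUDIT_ROOT/etc/cron.d/logrotate"
chmod 1777 "$AUDIT_ROOT/tmp"          # world-writable with sticky bit: normal
chmod 0777 "$AUDIT_ROOT/srv/upload"   # world-writable, no sticky bit: anyone can replace files

# Strip the audit root so output reads like real paths (no-op when root is "/").
relpath() {
  case "$1" in
    /) cat ;;
    *) sed "s#^$1##" ;;
  esac
}

# setuid or setgid regular files, sorted.
setuid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | relpath "$1" | sort
}

# Assumed baseline: binaries that are setuid on most stock installs. Everything
# else with the bit set is reported.
BASELINE_SETUID="passwd su sudo mount umount chsh chfn newgrp gpasswd"
unexpected_setuid() {
  setuid_files "$1" | while read -r path; do
    name=${path##*/}
    case " $BASELINE_SETUID " in
      *" $name "*) ;;
      *) printf '%s\n' "$path" ;;
    esac
  done
}

# World-writable directories without the sticky bit.
world_writable_dirs_no_sticky() {
  find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | relpath "$1" | sort
}

# Cron definition files writable by everyone.
writable_cron_files() {
  find "$1"/etc/cron* -type f -perm -0002 2>/dev/null | relpath "$1" | sort
}

echo "unexpected setuid/setgid:"; unexpected_setuid "$AUDIT_ROOT"
echo "world-writable dirs without sticky bit:"; world_writable_dirs_no_sticky "$AUDIT_ROOT"
echo "writable cron files:"; writable_cron_files "$AUDIT_ROOT"
```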

To list all accounts known through NSS, including LDAP and NIS accounts that do not appear in /etc/passwd

getent passwd

To dump the Samba user database (needs root; -w prints entries in smbpasswd format including the NT hashes, -v prints the full verbose records)

pdbedit -L -w
pdbedit -L -v

To list installed packages on Debian-based systems (rpm -qa on RHEL-based systems); look for old versions with known vulnerabilities

dpkg -l

Find service scripts in /etc/init.d not owned by root and list their permissions; a script you can write to will run as root at the next service restart

find /etc/init.d/ ! -uid 0 -type f 2>/dev/null |xargs ls -la

To list services and their status (SysV init; on systemd hosts systemctl list-units is the equivalent)

service --status-all

To check the syslog configuration, which shows where logs are written and whether they are forwarded to a remote collector (on modern systems the file is /etc/rsyslog.conf)

cat /etc/syslog.conf

To find all config files (quote the pattern, otherwise the shell expands it against the current directory before find sees it)

find / -name "*.conf" 2>/dev/null

Conclusion

I have listed some commands and techniques, but there are more, depending on the configuration and role of the target system.