Linux
Enumeration
OS Version
Kernel Version
Running Services
$ ps aux | grep root
Installed Packages and Versions
Logged in users
$ ps au # processes with a controlling terminal; w or who gives the direct answer
User Home Directories
$ ls /home
$ ls -la /home/stacey.jenkins/
SSH Directory Contents
$ ls -l ~/.ssh
Bash history
$ history
Sudo Privileges
$ sudo -l
Configuration Files
Search for usernames and passwords in *.conf and *.config files
Readable Shadow File
Password hashes in /etc/passwd
$ cat /etc/passwd
Cron Jobs
$ ls -la /etc/cron.daily/
Unmounted File systems and Additional Drives
$ lsblk
SETUID and SETGID Permissions
Writable Directories
$ find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null
Writable Files
$ find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
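The SUID/SGID, writable-directory and writable-file checks above, plus a walk over $PATH, as reusable shell functions. This is an added example, not code from the original notes; the function names and the RELATIVE/MISSING/WRITABLE labels are assumptions made here. Each function takes its search roots or PATH string as an argument so it can be run against the live host or a constructed directory tree.

```sh
#!/bin/sh
# Added example (not part of the original cheat sheet): SUID/SGID,
# world-writable and PATH hijack checks as functions that take their
# roots / PATH string as arguments.

# SUID/SGID binaries under the given roots, skipping /proc.
# Output is "ls -l" style so the owner is visible next to the mode bits.
suid_sgid_files() {
  find "$@" -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) \
       -exec ls -l {} + 2>/dev/null
}

# World-writable files and directories under the given roots.
# Sticky-bit directories (drwxrwxrwt, e.g. /tmp) are expected; anything
# else is a candidate for planting or replacing content.
world_writable() {
  find "$@" -path /proc -prune -o \( -type f -o -type d \) -perm -0002 \
       -exec ls -ld {} + 2>/dev/null
}

# Walk a PATH string entry by entry. Any of these lets an attacker drop a
# binary that a later relative command (a cron job or sudo rule calling
# "service" instead of /usr/sbin/service) will pick up:
#   RELATIVE - empty, "." or a relative entry resolves against the cwd
#   MISSING  - the directory does not exist, so whoever can create it wins
#   WRITABLE - the directory exists and the current user can write to it
#              (run as the low-privileged user: root sees everything as writable)
path_hijack_candidates() {
  rest="$1:"
  while [ -n "$rest" ]; do
    entry=${rest%%:*}
    rest=${rest#*:}
    case "$entry" in
      "")            echo "RELATIVE (empty entry)" ;;
      .|..|./*|../*) echo "RELATIVE $entry" ;;
      /*)
        if [ ! -d "$entry" ]; then
          echo "MISSING $entry"
        elif [ -w "$entry" ]; then
          echo "WRITABLE $entry"
        fi
        ;;
      *)             echo "RELATIVE $entry" ;;
    esac
  done
}

# Run everything against the live host:  sh enum.sh --run
if [ "${1:-}" = "--run" ]; then
  echo "== PATH =="; path_hijack_candidates "$PATH"
  echo "== SUID/SGID =="; suid_sgid_files /
  echo "== world-writable =="; world_writable /
fi
```

An empty PATH entry (a leading, trailing or doubled colon) is easy to miss by eye, which is why the walk reports it explicitly rather than relying on `echo $PATH`.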
Environment Enumeration
What user are we running
$ whoami
What groups does our user belong to
$ id
What is the server named? Can we gather anything from the naming convention?
$ hostname
What subnet did we land in, does the host have additional NICs in other subnets?
$ ifconfig # or ip a
What's the CPU type/version
$ lscpu
Can our user run anything with sudo (as another user or as root) without needing a password?
$ sudo -l
What OS and version is the machine
$ cat /etc/os-release
$ cat /proc/version # or uname -a
Is the $PATH misconfigured? Can we leverage anything in the $PATH?
$ echo $PATH
Are there any stored credentials in the ENV?
$ env
What login shells exist on the server?
$ cat /etc/shells
Are there any hard disks, USB drives or optical drives?
$ lsblk
Are there any active or queued print jobs from which we could gain sensitive info?
$ lpstat
Can we mount an unmounted drive?
$ cat /etc/fstab
Mounted file systems?
$ df -h
Unmounted file systems?
$ cat /etc/fstab | grep -v "#" | column -t
Which other networks are reachable, and via which interface?
$ route # or netstat -rn
What other hosts has the target been communicating with?
$ arp -a
Other users?
$ cat /etc/passwd
$ cat /etc/passwd | cut -f1 -d: # create a users.txt dictionary
Users with login shells?
$ grep "sh$" /etc/passwd # not "*sh$": a leading * in a basic regex is a literal asterisk
Existing groups?
$ cat /etc/group
List members of a group
$ getent group sudo
All hidden files?
$ find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep htb-student
All hidden folders?
$ find / -type d -name ".*" -ls 2>/dev/null
Temporary Files?
$ ls -l /tmp /var/tmp /dev/shm
Find a file containing a string?
$ find / -name "*.sh" 2>/dev/null | xargs cat | grep STRING # quote the glob so the shell does not expand it first
Find config files?
$ find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
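The user questions above (other users, login shells, UID 0 accounts, hashes left in /etc/passwd, home directories) answered from a passwd file in one pass, using awk field matching instead of the asterisk grep. This is an added example, not code from the original notes; the function names are assumptions, and the passwd lines used in testing are constructed, not taken from any real host.

```sh
#!/bin/sh
# Added example (not part of the original notes): user enumeration from a
# passwd file. Every function takes the file as an argument, so it runs
# against /etc/passwd or a copied/constructed one.

# Accounts whose shell ends in "sh" (bash, sh, zsh, dash, fish, ...).
# /usr/sbin/nologin, /bin/false and /bin/sync drop out.
login_shell_users() {
  awk -F: '$7 ~ /sh$/ { print $1 }' "$1"
}

# Every account with UID 0. Anything besides root is a backdoor or a
# mistake, and sudo/su checks should be repeated for each of them.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1"
}

# Entries whose second field holds a hash rather than the "x" shadow
# placeholder or a lock marker. /etc/passwd is world-readable, so such a
# hash can be fed straight to hashcat or john.
passwd_hash_entries() {
  awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" { print $1 ":" $2 }' "$1"
}

# Home directories that actually exist on disk: targets for .ssh,
# .bash_history and config hunting.
existing_homes() {
  awk -F: '$6 != "" { print $6 }' "$1" | while IFS= read -r home; do
    if [ -d "$home" ]; then echo "$home"; fi
  done
}

# Username wordlist for password spraying / sudo / ssh checks.
user_wordlist() {
  cut -d: -f1 "$1"
}

# Run against the live host:  sh users.sh --run
if [ "${1:-}" = "--run" ]; then
  echo "== login shells =="; login_shell_users /etc/passwd
  echo "== UID 0 =="; uid0_accounts /etc/passwd
  echo "== hashes in passwd =="; passwd_hash_entries /etc/passwd
  echo "== existing homes =="; existing_homes /etc/passwd
  user_wordlist /etc/passwd > users.txt
fi
```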
Internals Enumeration
Network interfaces
$ ip a
Hosts
$ cat /etc/hosts
User's last login
$ lastlog
Logged in users
$ w # or who or finger
Command history
$ history
Finding history files
$ find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
Cron
$ ls -la /etc/cron.daily/
Proc
$ find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
Services Enumeration
Installed Packages
$ apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
Sudo Version
$ sudo -V
Binaries
$ ls -l /bin /usr/bin/ /usr/sbin/
GTFObins
$ for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
Trace System Calls
strace is a diagnostic tool for Linux that traces the system calls a process makes and the signals it receives, which shows the files, sockets and child processes a binary touches at runtime.
$ strace ping -c1 10.129.112.20
Configuration Files
$ find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
Scripts
$ find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
Running Services by User
$ ps aux | grep root
Credential Hunting
In wp-config.php
$ cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'
*config files
$ find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
SSH Keys
$ ls ~/.ssh
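Credential hunting as two functions: a case-insensitive pattern sweep over config-like files under a directory, and an extractor for the DB_* constants in a WordPress wp-config.php. This is an added example, not code from the original notes; CRED_PATTERN, the file-type list and the function names are assumptions chosen here, and the wp-config.php used in testing is constructed.

```sh
#!/bin/sh
# Added example (not part of the original notes): credential hunting over a
# directory tree plus a wp-config.php extractor. Both take a path argument
# so they can be aimed at / on a target or at a constructed test tree.

# Keys that commonly hold secrets, followed by an optional quote and an
# assignment/separator character, so both "password = x" and
# define('DB_PASSWORD', 'x') are caught. Assumed pattern; extend per target.
CRED_PATTERN="(passw(or)?d|secret|api[_-]?key|token)['\"]?[[:space:]]*[=:,]"

# hunt_credentials DIR -> file:line:content for every hit in config-like
# files. Pseudo filesystems are skipped; -I skips binaries.
hunt_credentials() {
  grep -rIinE \
       --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
       --include='*.conf' --include='*.config' --include='*.cfg' \
       --include='*.ini' --include='*.php' --include='*.env' --include='.env' \
       --include='*.yml' --include='*.yaml' --include='*.xml' --include='*.json' \
       "$CRED_PATTERN" "$1" 2>/dev/null
}

# wp_db_creds FILE -> NAME=value for the DB_* constants of a wp-config.php,
# ready to paste into mysql -h HOST -u USER -p.
wp_db_creds() {
  sed -nE "s/^[[:space:]]*define\( *['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"], *['\"]([^'\"]*)['\"].*/\1=\2/p" "$1"
}

# Run against the live host:  sh creds.sh --run
if [ "${1:-}" = "--run" ]; then
  hunt_credentials /
  for f in /var/www/*/wp-config.php /var/www/html/wp-config.php; do
    if [ -r "$f" ]; then echo "== $f =="; wp_db_creds "$f"; fi
  done
fi
```

The generic sweep is deliberately noisy (any "token:" or "secret=" line shows up); the extractor is the kind of per-application parser worth writing once a specific product is identified.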
Linux Hardening
Updates and patching
Use the unattended-upgrades package (Debian/Ubuntu) or dnf-automatic (RHEL/Fedora) so security updates are applied without manual intervention.
Configuration management
Audit writable files and directories and any binaries set with the SUID bit.
Ensure that any cron jobs and sudo privileges specify any binaries using the absolute path.
Do not store credentials in cleartext in world-readable files.
Clean up home directories and bash history.
Ensure that low-privileged users cannot modify any custom libraries called by programs.
Remove any unnecessary packages and services that potentially increase the attack surface.
Consider implementing SELinux, which provides additional access controls on the system.
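An audit of sudoers and system crontab entries for the weaknesses the list above calls out: commands given without an absolute path, wildcards in sudo command specs, NOPASSWD rules, blanket ALL grants, and cron targets writable by the current user. This is an added example, not code from the original notes; the finding labels and function names are assumptions, and the sudoers/crontab samples used in testing are constructed. It also serves the "sudo -l" checks earlier on the page, since the same rules are what sudo -l prints for the current user.

```sh
#!/bin/sh
# Added example (not part of the original notes): sudoers and crontab audit.
# Findings are printed one per line as "<KIND> <user> <command>". Both
# functions take a file path, so they run on /etc/sudoers, /etc/sudoers.d/*,
# /etc/crontab, /etc/cron.d/* or on a constructed copy.

# Strip leading and trailing whitespace.
trim() {
  _t=$1
  _t=${_t#"${_t%%[![:space:]]*}"}
  _t=${_t%"${_t##*[![:space:]]}"}
  printf '%s' "$_t"
}

# audit_sudoers FILE
#   ALL      - the rule grants every command (a root shell in practice)
#   NOPASSWD - no password needed: any shell as that user escalates instantly
#   WILDCARD - a '*' in the command spec, which sudo matches with glob()
#   RELATIVE - command without an absolute path
# Aliases, Defaults and @include lines are skipped; #include is a comment here.
audit_sudoers() (
  file=$1
  while IFS= read -r line; do
    line=$(trim "${line%%#*}")
    case "$line" in
      ""|Defaults*|*_Alias*) continue ;;
      *=*) ;;
      *) continue ;;
    esac
    user=${line%%[[:space:]]*}
    spec=${line#*=}
    case "$spec" in *\)*) spec=${spec#*\)} ;; esac   # drop the "(runas)" part
    nopass=0
    case "$spec" in *NOPASSWD:*) nopass=1 ;; esac
    spec=$(printf '%s' "$spec" | sed -E 's/(NO)?(PASSWD|SETENV|EXEC|MAIL|FOLLOW|INTERCEPT|LOG_INPUT|LOG_OUTPUT)://g')
    spec=$(trim "$spec")
    if [ "$nopass" -eq 1 ]; then echo "NOPASSWD $user $spec"; fi
    rest="$spec,"
    while [ -n "$rest" ]; do
      cmd=$(trim "${rest%%,*}")
      rest=${rest#*,}
      [ -n "$cmd" ] || continue
      case "$cmd" in
        ALL)  echo "ALL $user $cmd" ;;
        *\**) echo "WILDCARD $user $cmd" ;;
        /*)   ;;
        *)    echo "RELATIVE $user $cmd" ;;
      esac
    done
  done < "$file"
)

# audit_crontab FILE   (system format: min hour dom mon dow user command)
#   RELATIVE - the program is not given by absolute path
#   WRITABLE - the program file is writable by the current user
#              (root sees every file as writable: run as the low-privileged
#              user whose reach you are measuring)
audit_crontab() (
  file=$1
  set -f                      # no globbing: cron fields are full of '*'
  while IFS= read -r line; do
    line=$(trim "${line%%#*}")
    case "$line" in
      ""|[A-Za-z_]*=*) continue ;;   # blank, or SHELL=/PATH=/MAILTO= assignments
    esac
    set -- $line
    case "$1" in
      @*) [ $# -ge 3 ] || continue; user=$2; shift 2 ;;   # @reboot, @daily, ...
      *)  [ $# -ge 7 ] || continue; user=$6; shift 6 ;;
    esac
    target=$1
    case "$target" in
      /*) if [ -w "$target" ]; then echo "WRITABLE $user $target"; fi ;;
      *)  echo "RELATIVE $user $target" ;;
    esac
  done < "$file"
)

# Run against the live host:  sh audit.sh --run  (sudoers needs root to read;
# as a low-privileged user, compare with the output of sudo -l instead)
if [ "${1:-}" = "--run" ]; then
  for f in /etc/sudoers /etc/sudoers.d/*; do
    if [ -r "$f" ]; then audit_sudoers "$f"; fi
  done
  for f in /etc/crontab /etc/cron.d/*; do
    if [ -r "$f" ]; then audit_crontab "$f"; fi
  done
fi
```

A RELATIVE finding is only exploitable together with a writable or missing PATH entry, which is why the PATH walk earlier on the page and this audit belong in the same pass.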
User management
We should limit the number of user accounts and admin accounts on each system, and ensure that logon attempts (valid and invalid) are logged and monitored. It is also a good idea to enforce a strong password policy, rotate passwords periodically, and prevent users from reusing old passwords with the pam_pwhistory module (or the remember= option of pam_unix), which keeps previous hashes in /etc/security/opasswd. We should check that users are not placed into groups that give them rights beyond what their day-to-day tasks need, and limit sudo rights based on the principle of least privilege.
Templates exist for configuration management tools such as Puppet and SaltStack, and for monitoring systems such as Zabbix and Nagios, to automate such checks; they can push alerts to a Slack channel or mailbox as well as via other methods. Remote commands (Zabbix) and remediation actions (Nagios) can be used to find and auto-correct these issues across a fleet of nodes. Zabbix also offers checksum verification, which serves both as version control and as a way to confirm that sensitive binaries have not been tampered with, for example via the vfs.file.cksum item.
Audit
One useful tool for auditing Unix-based systems (Linux, macOS, BSD, etc.) is Lynis.