Linux

Enumeration

• OS Version

• Kernel Version

• Running Services

  • $ ps aux | grep root

• Installed Packages and Versions

• Logged in users

  • $ ps au

• User Home Directories

  • $ ls /home

  • $ ls -la /home/stacey.jenkins/

  • SSH Directory Contents

    • $ ls -l ~/.ssh

  • Bash history

    • $ history

• Sudo Privileges

  • $ sudo -l

• Configuration Files

  • search usernames and passwords in *.conf and *.config

• Readable Shadow File

• Password hashes in /etc/passwd

  • $ cat /etc/passwd

• Cron Jobs

  • $ ls -la /etc/cron.daily/

• Unmounted File systems and Additional Drives

  • $ lsblk

• SETUID and SETGID Permissions

• Writable Directories

  • $ find / -path /proc -prune -o -type d -perm -o+w 2>/dev/null

• Writable Files

  • $ find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

Environment Enumeration

• What user are we running

  • $ whoami

• What groups does our user belong to

  • $ id

• What is the server named. can we gather anything from the naming convention?

  • $ hostname 

• What subnet did we land in, does the host have additional NICs in other subnets?

  • $ ifconfig # or ip -a

• What's the CPU type/version

  • $ lscpu

• Can our user run anything with sudo (as another user as root) without needing a password?

  • $ sudo -l 

• What OS and version is the machine

  • $ cat /etc/os-release
    $ cat /proc/version # or uname -a

• Is the $PATH misconfigured? Can we leverage anything in the $PATH?

  • $ echo $PATH

• Are there any stored credentials in the ENV?

  • $ env

• What login shells exists on the server

  • $ cat /etc/shells

• Are there any harddisks, usb drives, optical drives?

  • $ lsblk

• Are there any active/queued print jobs that can we gain access to some sensitive info?

  • $ lpstat

• Can we mount an unmounted drive?

  • $ cat /etc/fstab

• Mounted file systems?

  • $ df -h

• Unmounted file systems?

  • $ cat /etc/fstab | grep -v "#" | column -t

• Any interesting other networks are available via which interface.

  • $ route # or netstat -rn

• What other hosts does the target has been communicating

  • $ arp -a

• Other users?

  • $ cat /etc/passwd
    $ cat /etc/passwd | cut -f1 -d: # create a users.txt dictionary

• Users with login shells?

  • $ grep "*sh$" /etc/passwd

• Existing groups?

  • $ cat /etc/group

• List members of a group

  • $ getent group sudo

• All hidden files?

  • $ find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep htb-student

• All hidden folders?

  • $ find / -type d -name ".*" -ls 2>/dev/null

• Temporary Files?

  • $ ls -l /tmp /var/tmp /dev/shm

• Find a file containing a string?

  • $ find / -name *.sh 2>/dev/null | xargs cat | grep STRING

• Find config files?

  • $ find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

We should also check to see if any defenses are in place and we can enumerate any information about them. Some things to look for include:

• Exec Shield

• iptables

• AppArmor

• SELinux

• Fail2ban

• Snort

• Uncomplicated Firewall (ufw)

Often we will not have the privileges to enumerate the configurations of these protections but knowing what, if any, are in place, can help us not to waste time on certain tasks.

---

Internals Enumeration

• Network interfaces

  • $ ip a

• Hosts

  • $ cat /etc/hosts

• User's last login

  • $ lastlog

• Logged in users

  • $ w # or who or finger

• Command history

  • $ history

  • Finding history files

    • $ find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null

• Cron

  • $ ls -la /etc/cron.daily/

• Proc

  • $ find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"

---

Services Enumeration

• Installed Packages

  • $ apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list

• Sudo Version

  • $ sudo -V

• Binaries

  • $ ls -l /bin /usr/bin/ /usr/sbin/

• GTFObins

  • $ for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done

• Trace System Calls

  • diagnostic tool on Linux-based operating systems to track and analyze system calls and signal processing.

  • $ strace ping -c1 10.129.112.20

• Configuration Files

  • $ find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null

• Scripts

  • $ find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"

• Running Services by User

  • $ ps aux | grep root

---

Credential Hunting

These may be found in configuration files (.conf, .config, .xml, etc.), shell scripts, a user's bash history file, backup (.bak) files, within database files or even in text files.

• In wpconfig.php

  • $ cat wp-config.php | grep 'DB_USER\|DB_PASSWORD'

• *config files

  • $  find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null

• SSH Keys

  • $  ls ~/.ssh

---

Linux Hardening

• Updates and patching

  • Use the unattended-upgrades package installed in linux

• Configuration management

  • Audit writable files and directories and any binaries set with the SUID bit.

  • Ensure that any cron jobs and sudo privileges specify any binaries using the absolute path.

  • Do not store credentials in cleartext in world-readable files.

  • Clean up home directories and bash history.

  • Ensure that low-privileged users cannot modify any custom libraries called by programs.

  • Remove any unnecessary packages and services that potentially increase the attack surface.

  • Consider implementing SELinux, which provides additional access controls on the system.

• User management

  • We should limit the number of user accounts and admin accounts on each system, ensure that logon attempts (valid/invalid) are logged and monitored. It is also a good idea to enforce a strong password policy, rotate passwords periodically, and restrict users from reusing old passwords by using the /etc/security/opasswd file with the PAM module. We should check that users are not placed into groups that give them excessive rights not needed for their day-to-day tasks and limit sudo rights based on the principle of least privilege.

  • Templates exist for configuration management automation tools such as Puppet, SaltStack, Zabbix and Nagios to automate such checks and can be used to push messages to a Slack channel or email box as well as via other methods. Remote actions (Zabbix) and Remediation Actions (Nagios) can be used to find and auto correct these issues over a fleet of nodes. Tools such as Zabbix also feature functions such as checksum verification, which can be used for both version control and to confirm sensitive binaries have not been tampered with. For example, via the vfs.file.cksum file.

• Audit

  • One useful tool for auditing Unix-based systems (Linux, macOS, BDS, etc.) is Lynis.