'Nix manual enumeration

Assorted commands for Linux/'Nix manual enum

#Spawning a shell

# On victim
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-z

# On attacker
echo $TERM # note down
stty -a # note down rows and cols
stty raw -echo # this may be enough
fg

# On victim
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 38 columns 116

#Alternatives:
echo os.system('/bin/bash')
/bin/sh -i
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')

#SUID files

find / -perm -1000 -type d 2>/dev/null   # Sticky bit
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (the parentheses are needed: -o binds weaker than the implicit -a, so without them -type f only applies to the SUID branch)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

#Bash trick
for i in $(locate -r "bin$"); do find "$i" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done

#Blind Files

#Things to pull when all you can do is blindly read files (LFI/dir traversal)

/etc/resolv.conf  #Contains the current name servers (DNS) for the system.

/etc/issue #current version of distro

/etc/passwd #List of local users

cat /etc/passwd | grep bash #variant       

/etc/shadow #long shot but worth a try

~/.bash_history  #Will give you some directory context

#System

uname -a  #Prints the kernel version, arch, sometimes distro

ps aux  #List all running processes

top -b -n 1   #Print processes once (-n is the number of iterations, not lines)

id    #Your current username, groups

arch, uname -m #Kernel processor architecture

w    #who is connected, uptime and load avg

who -a  #uptime, runlevel, tty, processes etc.

gcc -v #Returns the version of GCC (for exploit compiling) 

mysql --version #Returns the version of MySQL.      

perl -v  #Returns the version of Perl.       

ruby -v  #Ruby     

python --version #Python / also python3

java -version #java

df -k #mounted fs, size, % use, dev and mount point

mount #mounted fs           
    
last -a  #Last users logged on

lastcomm 

lastlog

getenforce  # Get the status of SELinux (Enforcing, Permissive or Disabled); not present on every system

dmesg #Informations from the last system boot  

lspci #prints all PCI buses and devices

lsusb #prints all USB buses and devices

lscpu  #prints CPU information  

lshw  #list hardware information 

cat /proc/cpuinfo

cat /proc/meminfo

# The two /proc files above give the same information as lscpu and lshw

which nmap #locate a command (ie nmap or nc)  

locate bin/nmap

locate bin/nc

#Files modified in the last 5 mins
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null

#Networking

hostname -f

ip addr show

ip ro show

ifconfig -a

route -n

cat /etc/network/interfaces

iptables -L -n -v                       #root

iptables -t nat -L -n -v                #root

ip6tables -L -n -v                      #root

iptables-save                           #root

netstat -anop

netstat -r

netstat -nltupw                         #root with raw sockets 

arp -a

lsof -nPi

cat /proc/net/*    #more discreet: everything the commands above report can be read from the files under /proc/net, and reading them is less likely to trigger monitoring

#User accounts

cat /etc/passwd    #local accounts    

cat /etc/shadow #password hashes on Linux          

cd /etc/security/   #then ls to find password related files,most are root secured

/etc/security/passwd  #password hashes on AIX

cat /etc/group   #groups(or /etc/gshadow)

getent passwd     #should dump all local, LDAP, NIS, whatever the system is using

getent group     #same for groups  

pdbedit -L -w     #Samba’s own database SAMBA HAS TO BE INSTALLED ON MACHINE TO WORK

pdbedit -L -v

cat /etc/aliases   #mail aliases 

find /etc -name aliases   #needs root privileges

getent aliases        

ypcat passwd      #displays NIS password file

#Obtain user's information

ls -alh /home/*/

ls -alh /home/*/.ssh/

cat /home/*/.ssh/authorized_keys

cat /home/*/.ssh/known_hosts

cat /home/*/.hist

find /home/*/.vnc /home/*/.subversion -type f

grep ^ssh /home/*/.hist

grep ^telnet /home/*/.hist

grep ^mysql /home/*/.hist

cat /home/*/.viminfo

sudo -l     #sudoers

crontab -l

cat /home/*/.mysql_history

sudo -p (allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts)

#Configs

ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null   # world-writable entries under /etc

cat /etc/issue{,.net}

cat /etc/master.passwd

cat /etc/group

cat /etc/hosts

cat /etc/crontab

cat /etc/sysctl.conf

# (Lists all crons)
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done 

cat /etc/resolv.conf

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /opt/lampp/etc/httpd.conf

cat /etc/samba/smb.conf

cat /etc/openldap/ldap.conf

cat /etc/ldap/ldap.conf

cat /etc/exports

cat /etc/auto.master

cat /etc/auto_master

cat /etc/fstab

find /etc/sysconfig/ -type f -exec cat {} \;

#Determine Distro

uname -a

lsb_release -d  # Generic command for all LSB distros

/etc/os-release   #Generic for distros using “systemd”

/etc/issue 

cat /etc/*release

/etc/SUSE-release  #Novell SUSE

/etc/redhat-release, /etc/redhat_version  #Red Hat

/etc/fedora-release  #Fedora

 /etc/slackware-release, /etc/slackware-version  #Slackware

/etc/debian_release, /etc/debian_version #Debian

/etc/mandrake-release  #Mandrake

/etc/sun-release  #Sun JDS

/etc/release  #Solaris/Sparc

/etc/gentoo-release #Gentoo   

/etc/arch-release  #Arch Linux (file will be empty)

arch

#Installed packages

dpkg -l  #list installed packages (-i would install a package, not list them)

rpm -qa --last | head

yum list | grep installed

dpkg -l  #Debian

dpkg -l | grep -i "linux-image"

dpkg --get-selections

pkginfo  #Solaris

cd /var/db/pkg/ && ls -d */ #Gentoo

pacman -Q #Arch

#Package sources

cat /etc/apt/sources.list

ls -l /etc/yum.repos.d/

cat /etc/yum.conf

#Locating important files

ls -dlR */

ls -alR | grep ^d

find /var -type d

ls -dl `find /var -type d`

ls -dl `find /var -type d` | grep -v root

find /var ! -user root -type d -ls

find /var/log -type f -exec ls -la {} \;

find / -user r3dcl1ff -type f -exec ls -al {} \; 2>/dev/null #(find exec files for given user)

find / -perm -4000  #find all suid files

ls -alhtr /mnt

ls -alhtr /media

ls -alhtr /tmp

ls -alhtr /home

cd /home/; tree /home/*/.ssh/   # or ls -alh /home/*/.ssh/ if tree is not installed

find /home -type f -iname '.*history'

ls -lart /etc/rc.d/

locate tar | grep [.]tar$   #Remember to updatedb before running locate

locate tgz | grep [.]tgz$

locate sql | grep [.]sql$

locate settings | grep [.]php$

locate config.inc | grep [.]php$

ls /home/*/id*

locate .properties | grep [.]properties  # java config files

locate .xml | grep [.]xml  # java/.net config files

find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm /6000 -ls # find suid/sgid files (the unquoted substitution is intentional: each PATH entry becomes a separate argument)

locate rhosts
