'Nix manual enumeration

Assorted commands for Linux/'Nix manual enum

#Spawning a shell

# On victim
python -c 'import pty;pty.spawn("/bin/bash")'
Ctrl-z

# On attacker
echo $TERM # note down
stty -a # note down rows and cols
stty raw -echo # this may be enough
fg

# On victim
reset
export SHELL=bash
export TERM=xterm256-color
stty rows 38 columns 116

#Alternatives:
echo os.system('/bin/bash')
/bin/sh -i
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
lua: os.execute('/bin/sh')

#SUID files

find / -perm -1000 -type d 2>/dev/null   # Sticky bit
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null  
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files  
find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

#Bash trick
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done

#Blind Files

#Things to pull when all you can do is blindly read files (LFI/dir traversal)

/etc/resolv.conf  #Contains the current name servers (DNS) for the system.

/etc/issue #current version of distro

/etc/passwd #List of local users

cat /etc/passwd | grep bash #variant       

/etc/shadow #long shot but worth a try

/.bash_history  #Will give you some directory context

#System

uname -a  #Prints the kernel version, arch, sometimes distro

ps aux  #List all running processes

top -n 1 -d   #Print process, 1 is a number of lines

id    #Your current username, groups

arch, uname -m #Kernel processor architecture

w    #who is connected, uptime and load avg

who -a  #uptime, runlevel, tty, processes etc.

gcc -v #Returns the version of GCC (for exploit compiling) 

mysql --version #Returns the version of MySQL.      

perl -v  #Returns the version of Perl.       

ruby -v  #Ruby     

python --version #Python / also python3

java -version #java

df -k #mounted fs, size, % use, dev and mount point

mount #mounted fs           
    
last -a  #Last users logged on

lastcomm 

lastlog

getenforce  # Get the status of SELinux (Enforcing, Permissive or Disabled)      
              (Command 'getenforce' not found, but can be installed)

dmesg #Informations from the last system boot  

lspci #prints all PCI buses and devices

lsusb #prints all USB buses and devices

lscpu  #prints CPU information  

lshw  #list hardware information 

cat /proc/cpuinfo

cat /proc/meminfo

(ABOVE COMMANDS HAVE THE SAME USAGE AS LSCPU AND LSHW )

which nmap #locate a command (ie nmap or nc)  

locate bin/nmap

locate bin/nc

#Files modified in the last 5 mins
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null

#Networking

hostname -f

ip addr show

ip ro show

ifconfig -a

route -n

cat /etc/network/interfaces

iptables -L -n -v                       #root

iptables -t nat -L -n -v                #root

ip6tables -L -n -v                      #root

iptables-save                           #root

netstat -anop

netstat -r

netstat -nltupw                         #root with raw sockets 

arp -a

lsof -nPi

cat /proc/net/*    #more discreet, all the information given by the above commands can be found by looking into the files under /proc/net,and this approach is less likely to trigger monitoring or other stuff

#User accounts

cat /etc/passwd    #local accounts    

cat /etc/shadow #password hashes on Linux          

cd /etc/security/   #then ls to find password related files,most are root secured

/etc/security/passwd  #password hashes on AIX

cat /etc/group   #groups(or /etc/gshadow)

getent passwd     #should dump all local, LDAP, NIS, whatever the system is using

getent group     #same for groups  

pdbedit -L -w     #Samba’s own database SAMBA HAS TO BE INSTALLED ON MACHINE TO WORK

pdbedit -L -v

cat /etc/aliases   #mail aliases 

find /etc -name aliases   #needs root privileges

getent aliases        

ypcat passwd      #displays NIS password filr

#Obtain user's information

ls -alh /home/*/

ls -alh /home/*/.ssh/

cat /home/*/.ssh/authorized_keys

cat /home/*/.ssh/known_hosts

cat /home/*/.hist

find /home/*/.vnc /home/*/.subversion -type f

grep ^ssh /home/*/.hist

grep ^telnet /home/*/.hist

grep ^mysql /home/*/.hist

cat /home/*/.viminfo

sudo -l     #sudoers

crontab -l

cat /home/*/.mysql_history

sudo -p (allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts)

#Configs

ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/null

cat /etc/issue{,.net}

cat /etc/master.passwd

cat /etc/group

cat /etc/hosts

cat /etc/crontab

cat /etc/sysctl.conf

# (Lists all crons)
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done 

cat /etc/resolv.conf

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.confcda

cat /etc/inetd.conf

cat /opt/lampp/etc/httpd.conf

cat /etc/samba/smb.conf

cat /etc/openldap/ldap.conf

cat /etc/ldap/ldap.conf

cat /etc/exports

cat /etc/auto.master

cat /etc/auto_master

cat /etc/fstab

find /etc/sysconfig/ -type f -exec cat {} ;

#Determine Distro

uname -a

lsb_release -d  # Generic command for all LSB distros

/etc/os-release   #Generic for distros using “systemd”

/etc/issue 

cat /etc/*release

/etc/SUSE-release  #Novell SUSE

/etc/redhat-release, /etc/redhat_version  #Red Hat

/etc/fedora-release  #Fedora

 /etc/slackware-release, /etc/slackware-version  #Slackware

/etc/debian_release, /etc/debian_version #Debian

/etc/mandrake-release  #Mandrake

/etc/sun-release  #Sun JDS

/etc/release  #Solaris/Sparc

/etc/gentoo-release #Gentoo   

/etc/arch-release  #Arch Linux (file will be empty)

arch

#Installed packages

dpkg -i

rpm -qa --last | head

yum list | grep installed

dpkg -l  #Debian

dpkg -l | grep -i “linux-image”

dpkg --get-selections

pkginfo  #Solaris

cd /var/db/pkg/ && ls -d / #Gentoo

pacman -Q #Arch

#Package sources

cat /etc/apt/sources.list

ls -l /etc/yum.repos.d/

cat /etc/yum.conf

#Locating important files

ls -dlR */

ls -alR | grep ^d

find /var -type d

ls -dl `find /var -type d`

ls -dl `find /var -type d` | grep -v root

find /var ! -user root -type d -ls

find /var/log -type f -exec ls -la {} ;

find / -user r3dcl1ff -type f -exec ls -al {} \; 2>/dev/null #(find exec files for given user)

find / -perm -4000  #find all suid files

ls -alhtr /mnt

ls -alhtr /media

ls -alhtr /tmp

ls -alhtr /home

cd /home/; treels /home//.ssh/

find /home -type f -iname '.*history'

ls -lart /etc/rc.d/

locate tar | grep [.]tar$   #Remember to updatedb before running locate

locate tgz | grep [.]tgz$

locate sql | grep [.]sql$

locate settings | grep [.]php$

locate config.inc | grep [.]php$

ls /home/*/id*

.properties | grep [.]properties  # java config files

locate .xml | grep [.]xml  # java/.net config files

find /sbin /usr/sbin /opt /lib `echo $PATH | ‘sed s/:/ /g’` -perm /6000  -ls # find suids

locate rhosts

PreviousNFS no_root_squash/no_all_squash NextFile transfers

Last updated 2 years ago