
Linux Enumeration

Linux Enumeration for Privilege Escalation

In this article I will share some techniques for enumerating a Linux system.

Table of contents:

- System and User Enumeration
- Files Enumeration
- Network Enumeration
- Password Enumeration
- Automation Tools 

System and User Enumeration

System and user enumeration involves gathering information about the operating system, users, groups, and privileges to identify potential weaknesses for privilege escalation.

  • uname: The uname command, when used with the -a option, displays detailed information about the Linux kernel:

uname -a

  • cat /etc/os-release: This command displays information about the target system's distribution and version:

cat /etc/os-release

  • cat /proc/version: This command displays more detailed information about the Linux kernel, including the compiler used to build it:

cat /proc/version

Current User and Group:

whoami
id
groups

Logged-in Users:

w
last

System Users:

cat /etc/passwd
awk -F: '$3 < 1000 {print $1}' /etc/passwd

Sudo Permissions:

sudo -l

Environment Variables:

env

Processes Owned by Other Users:

ps aux

Hidden Users (Check for unusual configurations):

ls -la /home/

Files with SUID/SGID Bit:

find / -perm /6000 -type f 2>/dev/null
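As an added example (not part of the original post), the POSIX shell functions below wrap the passwd and SUID checks from this section so they take a path argument instead of always reading the live system. That lets an auditor run them against a mounted image or, as here, against a constructed sample and compare the result with what the host is expected to have. The function names (login_accounts, service_accounts_with_shell, setuid_files) and the sample passwd entries are my own assumptions.

```shell
#!/bin/sh
# Added example: account and setuid audit helpers that accept a path,
# exercised against a constructed sample rather than the live host.

# Login-capable accounts from a passwd-format file: UID 0 or UID >= 1000
# with a real shell (not nologin/false). Fields: name:x:uid:gid:gecos:home:shell
login_accounts() {
    awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ {print $1 ":" $3 ":" $7}' "$1"
}

# System/service accounts (0 < UID < 1000) that still have an interactive shell;
# on a hardened host these deserve a second look.
service_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ {print $1 ":" $3 ":" $7}' "$1"
}

# Regular files under a directory with the setuid bit set (-perm -4000 is POSIX,
# unlike the GNU-only /4000 form used above).
setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Build a constructed sample (not real host data) and run the checks against it.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-ci:x:1001:1001::/var/lib/ci:/usr/sbin/nologin
EOF
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/helper"
    chmod 4755 "$tmp/bin/helper"      # constructed setuid file
    printf '#!/bin/sh\n' > "$tmp/bin/normal"
    chmod 0755 "$tmp/bin/normal"

    echo "== login-capable accounts"; login_accounts "$tmp/passwd"
    echo "== service accounts with a shell"; service_accounts_with_shell "$tmp/passwd"
    echo "== setuid files"; setuid_files "$tmp/bin"
    rm -rf "$tmp"
}

demo
```

On a real host you would call `login_accounts /etc/passwd` and `setuid_files /usr`; the value of the audit comes from diffing the output against a known-good list for that build, not from the raw listing alone.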

Files Enumeration

File enumeration involves searching for sensitive files, misconfigurations, or improper permissions that can be exploited to escalate privileges or gain unauthorized access.

Search for World-Writable Files:

find / -type f -perm -o+w 2>/dev/null

Search for World-Writable Directories:

find / -type d -perm -o+w 2>/dev/null

Search for Files Owned by Root:

find / -uid 0 -type f 2>/dev/null

Search for Files with SUID Bit:

find / -perm /4000 -type f 2>/dev/null

Search for Files with SGID Bit:

find / -perm /2000 -type f 2>/dev/null

Search for Configuration Files Containing Credentials:

grep -Ri "password" /etc/* 2>/dev/null
grep -Ri "passwd" /home/* 2>/dev/null

Identify Writable Files in System Directories:

find /etc -writable 2>/dev/null

Look for Backup Files:

find / -name "*.bak" -o -name "*.backup" 2>/dev/null

Search for SSH Keys:

find / -name "id_rsa" -o -name "id_dsa" 2>/dev/null

Search for Sensitive Application Configuration Files:

Apache:

cat /etc/httpd/conf/httpd.conf

MySQL:

cat /etc/mysql/my.cnf

Find Recently Modified or Created Files:

find / -type f -mtime -5 2>/dev/null

Find Hidden Files:

find / -name ".*" 2>/dev/null

Identify Files Owned by Current User:

find / -user $(whoami) 2>/dev/null

Check for Backup/Temp Files in Home Directories:

ls -laR /home/ | grep "~"
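The world-writable checks above are most useful as a baseline rather than a one-off listing: record what is world-writable on a freshly built host, then report only what has appeared since. The following shell functions are an added example (not from the original post) that do exactly that for a directory tree, treating sticky-bit directories such as /tmp as expected and everything else as a finding; the function names and the constructed sample tree are my own assumptions.

```shell
#!/bin/sh
# Added example: baseline comparison for world-writable files and directories.

# World-writable regular files under a directory (-perm -002 is POSIX).
world_writable_files() {
    find "$1" -type f -perm -002 2>/dev/null | sort
}

# World-writable directories without the sticky bit. /tmp-style 1777 directories
# are expected and excluded; a 777 directory without the sticky bit is a finding.
world_writable_dirs_no_sticky() {
    find "$1" -type d -perm -002 ! -perm -1000 2>/dev/null | sort
}

# Combined snapshot of both lists, one path per line, written to the file named in $2.
snapshot_writable() {
    { world_writable_files "$1"; world_writable_dirs_no_sticky "$1"; } | sort > "$2"
}

# Paths present in a fresh scan of $1 but absent from the baseline file $2.
# Both lists are sorted, so comm can do the set difference.
new_since_baseline() {
    current=$(mktemp)
    snapshot_writable "$1" "$current"
    comm -13 "$2" "$current"
    rm -f "$current"
}

# Constructed sample tree (not real host data): one expected sticky /tmp, one
# world-writable data directory, one world-writable config file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/tmp" "$tmp/opt/data"
    chmod 1777 "$tmp/tmp"
    chmod 0777 "$tmp/opt/data"
    : > "$tmp/etc/app.conf";  chmod 0666 "$tmp/etc/app.conf"
    : > "$tmp/etc/hosts";     chmod 0644 "$tmp/etc/hosts"

    echo "== baseline"; snapshot_writable "$tmp" "$tmp/baseline.txt"; cat "$tmp/baseline.txt"

    # A later change: a new world-writable file appears under etc.
    : > "$tmp/etc/cron.job"; chmod 0666 "$tmp/etc/cron.job"
    echo "== new since baseline"; new_since_baseline "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

demo
```

Against a live host you would run `snapshot_writable / /var/lib/audit/ww-baseline.txt` once after provisioning and `new_since_baseline / /var/lib/audit/ww-baseline.txt` from a scheduled job; an empty result is the expected state.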

Network Enumeration

Network enumeration involves discovering network configurations, active connections, and accessible services to identify potential attack vectors for privilege escalation or lateral movement.

Show Network Interfaces:

ip a
ifconfig

Routing Table:

ip route
route -n

View Active Network Connections:

netstat -tuln
ss -tuln

DNS Configuration:

cat /etc/resolv.conf

ARP Table:

arp -a
ip neigh

Ping to Test Connectivity:

ping -c 4 <target-ip>

Traceroute to Map Network Path:

traceroute <target-ip>

Identify Listening Ports:

netstat -tulnp
lsof -i

Scan Open Ports on Target:

nmap -sS -p- <target-ip>
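The listening-socket output from `ss -tuln` is easier to act on once it is split into services bound to every interface versus loopback only, and then compared with the ports the host is supposed to expose. The functions below are an added example (not from the original post) that do that with awk; the `ss` sample is constructed to mirror the real column layout rather than captured from a host, and the function names and the allowlist are my own assumptions.

```shell
#!/bin/sh
# Added example: classify `ss -tuln` listeners by bind address and flag ports
# outside an allowlist. Replace listener_sample with `ss -tuln` on a live host.

# Constructed sample of `ss -tuln` output (same columns as the real tool).
listener_sample() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
tcp   LISTEN 0      4096            [::]:22           [::]:*
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128  [::ffff:127.0.0.1]:8080        *:*
EOF
}

# From ss output on stdin, print "netid port address" for sockets bound to every
# interface (0.0.0.0, *, [::], ::). The port is the text after the last colon,
# so bracketed IPv6 addresses are split correctly.
exposed_listeners() {
    awk 'NR > 1 {
        n = split($5, part, ":")
        port = part[n]
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            print $1, port, addr
    }'
}

# Same input; sockets bound only to loopback, which are not reachable remotely.
loopback_listeners() {
    awk 'NR > 1 && $5 ~ /^(127\.|\[::1\]|\[::ffff:127\.)/ { print $1, $5 }'
}

# Filter exposed_listeners output, keeping only ports absent from the
# space-separated allowlist in $1; anything printed is an unexpected exposure.
unexpected_exposed() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

echo "== bound to all interfaces";   listener_sample | exposed_listeners
echo "== loopback only";             listener_sample | loopback_listeners
echo "== exposed but not allowed (allowlist: 22 80)"
listener_sample | exposed_listeners | unexpected_exposed "22 80"
```

With the sample above the last stage reports only the UDP/68 listener, which is the kind of result that should be traced back to a service and either justified or bound to a narrower address.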

Password Enumeration

Password hunting involves searching for stored credentials, configuration files, or weakly protected secrets that can be used to gain unauthorized access or escalate privileges.

  1. Some applications and services store sensitive information, including credentials, in configuration files.

Common Locations:

find / -name "*.conf" 2>/dev/null
find / -name "*.yml" 2>/dev/null
find / -name "*.ini" 2>/dev/null

Look in directories like /etc/, /var/, /opt/, and /home/. Examples of Files to Check:

/etc/passwd
/etc/shadow (requires root or elevated privileges)
/etc/ssh/sshd_config

  2. Check History Files. Users often type sensitive commands that get stored in shell history files.

cat ~/.bash_history
cat ~/.zsh_history

Look for commands like ssh, sudo, mysql, or any with plaintext passwords.

  3. Search for Files Containing the Word "Password". Look for plaintext credentials in files.

grep -ri "password" / 2>/dev/null

Include variations like "passwd", "pass", or "pwd".

  4. Search for SSH Keys. SSH private keys can be used to log into other systems.

find / -name "id_rsa" 2>/dev/null

Check default paths like ~/.ssh/.

  5. Look for Database Credentials. Applications often store database credentials in config files.

grep -ri "DB_USER" / 2>/dev/null
grep -ri "DB_PASS" / 2>/dev/null

Files to check: wp-config.php (WordPress), .env (Laravel or other modern apps), settings.py (Django).

  6. Dump Memory for Passwords. Sometimes passwords can be found in running memory.

strings /dev/mem | grep -i "password"

Reading /dev/mem requires root, and most modern kernels restrict it (CONFIG_STRICT_DEVMEM), so this often fails even as root. Alternatively, check running processes:

ps aux | grep -i "password"

  7. Check for Backup Files. Old backups may contain sensitive data.

find / -name "*.bak" 2>/dev/null
find / -name "*.old" 2>/dev/null
find / -name "*.backup" 2>/dev/null

  8. Identify Exposed Credentials in the Environment and Process List. Applications exposing credentials via environment variables or command-line arguments can be a goldmine.

env | grep -i "pass"

Check processes:

ps aux | grep -E "password|username|key"

  9. Look for Git or Repository Secrets. Repositories often accidentally include credentials.

find / -name ".git" 2>/dev/null
grep -r "password" .git 2>/dev/null

  10. Dump Browser Credentials. Browsers often save login information.

Firefox:

cat ~/.mozilla/firefox/*.default-release/logins.json

Chrome: credentials are stored in ~/.config/google-chrome/Default/Login Data (encrypted).

  11. Enumerate Credentials in Docker or Kubernetes.

Docker:

docker inspect <container_id>

Kubernetes:

kubectl get secrets

  12. Extract Passwords from Files Using Tools. Tools like strings, binwalk, or exiftool can help extract data from binary files.

strings <file> | grep -i "password"

  13. Enumerate Web Credentials. Search web server files for hardcoded credentials:

grep -ri "auth" /var/www/html/

  14. Advanced: Check for Password Reuse. If you find a password or hash, try it across other accounts/services.

su <username>

su prompts for the password; note that the -c option of su takes a command to run, not a password.
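The grep-based searches in this section (steps 3, 5, 9 and 13) all look for credential-looking keys in text files; run on a real tree they also copy every secret they find into the terminal and shell history. The script below is an added example (not from the original post) of the same search written as a remediation-oriented scan: it reports the file, line and key of each credential assignment with the value redacted, skips binary files and .git metadata, and separately lists files whose names alone mark them as sensitive (the names are the ones this section mentions). The pattern, function names and the constructed sample tree are my own assumptions.

```shell
#!/bin/sh
# Added example: redacting credential scan for a directory tree.

# Keys worth flagging when followed by = or : (matched case-insensitively).
SECRET_PATTERN='(password|passwd|pass|pwd|secret|token|api[_-]?key|DB_PASS)[[:space:]]*[=:]'

# Print "file:line:key=<redacted>" for every matching line under $1.
# -I skips binary files; --exclude-dir keeps .git internals out of the report.
scan_secrets() {
    grep -rIinE --exclude-dir=.git "$SECRET_PATTERN" "$1" 2>/dev/null \
      | sed -E 's/^([^:]+:[0-9]+:)[[:space:]]*([^=:]*[=:])[[:space:]]*.*/\1\2<redacted>/' \
      | sort
}

# Files whose name marks them as likely credential carriers.
sensitive_files() {
    find "$1" -type f \( -name '.env' -o -name 'wp-config.php' -o -name 'settings.py' \
        -o -name 'id_rsa' -o -name '*.bak' -o -name '*.old' -o -name '*.backup' \) \
        2>/dev/null | sort
}

# Constructed sample tree (not real data) covering the cases the scan must handle:
# a real hit, a prose mention that is not an assignment, a .git file, a binary blob.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/.git" "$tmp/app/backup"
    printf 'DB_USER=app\nDB_PASS=hunter2\n' > "$tmp/app/.env"
    printf '[db]\nhost=localhost\npassword = s3cret\n' > "$tmp/app/config.ini"
    printf 'Set the password via the environment.\n' > "$tmp/app/README.md"
    printf 'password=leaked-in-git\n' > "$tmp/app/.git/config"
    printf 'password=\000binary\000' > "$tmp/app/blob.bin"
    : > "$tmp/app/backup/db.sql.bak"

    echo "== credential assignments (values redacted)"; scan_secrets "$tmp"
    echo "== sensitive file names"; sensitive_files "$tmp"
    rm -rf "$tmp"
}

demo
```

The report names the .env and config.ini lines but never prints hunter2 or s3cret, so it can be attached to a ticket or fed into a baseline without itself becoming a credential leak; the README mention is correctly ignored because no value is assigned.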

Automation tools

Automation tools help streamline the process of enumeration, vulnerability discovery, and privilege escalation by automating repetitive tasks and identifying potential weaknesses efficiently. In my opinion, mastering the process manually is preferable.

  1. LinPEAS

LinPEAS (Linux Privilege Escalation Awesome Script) is a powerful script designed to enumerate a Linux system for privilege escalation vectors and misconfigurations.

  • Download source: LinPEAS GitHub repository

  2. Linux Exploit Suggester

This tool identifies potential privilege escalation vulnerabilities based on the system's kernel version and configuration.

  • Download source: Linux Exploit Suggester GitHub repository

  3. LinEnum

LinEnum is a lightweight script that performs comprehensive enumeration of a Linux system, including user details, file permissions, and potential privilege escalation paths.

  • Download source: LinEnum GitHub repository

  4. Pspy

Pspy is a process monitoring tool that allows you to watch processes executed on a Linux system without needing elevated privileges.

  • Download source: pspy GitHub repository

Conclusion

In this article, I've shared key aspects of enumeration to help us master privilege escalation, from system and user insights to files, networks, and passwords. While tools can assist, I believe manual expertise is crucial. Thanks for reading, and happy learning!
