Linux OS Information Gathering

OS Information Gathering

OS enumeration happens at different stages of the engagement. You can get some OS information from the initial Information Gathering phase with nmap or other finger printing tools. Getting command execution affords another opportunity to get even more information. Escalating privileges can provide even greater information about the system and its users.

This part of the engagement is designed to help make the Privilege Escalation phase easier. Much of the information here is the same as the Privilege Escalation Methodology page. However, these are all things no matter what should be looked at on all Linux systems. The other checklist may have things you may consider checking.

Limited User

As a limited, or non-root, user, the amount of information that can be gathered will be limited. Much of these will need to be reassessed for each new user to include the root user. This is because each user may have more or less visibility than another. This could reveal a connection to another service or system on the network you previously did not know about. It may also reveal a previously unknown vulnerable application or provide you with access to files or folders you were not able to access before..

Quick checklist of items you want to look for:

OS Information

cat /etc/*-release
uname -i
uname -r
uname -a
lsb_release # Debian based OS
env
hostname

User Information

whoami
id

Users

cat /etc/passwd
grep -vE "nologin|false" /etc/passwd
ls -al /home/

SUID & GUID executables

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Running services

ps aux | sort

Why are there brackets around some of executable names?

https://unix.stackexchange.com/a/22141

The ps(1) man page on FreeBSD explains why this typically happens to system processes and kernel threads:

If the arguments cannot be located (usually because it has not been set, as is the case of system processes and/or kernel threads) the command name is printed within square brackets. The ps(1) man page on Linux states: Sometimes the process args will be unavailable; when this happens, ps will instead print the executable name in brackets.

Executables ran by root

ps aux 2>/dev/null | awk '$1 ~ /^root/ {print $1 "," $11}' | awk '!x[$0]++' 2>/dev/null | sort | column -t -s ','

Executables sorted by user

ps aux 2>/dev/null | awk '{print $1 "," $11}' | awk '!x[$0]++' 2>/dev/null | sort | column -t -s ','

Executables' permissions

ps aux 2>/dev/null | awk '{print $11}' | xargs -r ls -l 2>/dev/null | sort -u

Network Interface

ip a show || ifconfig

Open Ports

netstat -paunt
ss -antulp
sudo lsof -nP -iTCP -sTCP:LISTEN

Installed programs

Debian:

dpkg -l | awk '{ print $2 "," $3 }' | column -s , -t

CentOS:

rpm -qa

ls -al /var/
ls -al /opt/
ls -al /user/local/src
ls -al /usr/src/

Cron Jobs

crontab -l
cat /etc/crontab
cat /etc/anacrontab
ls -alh /var/spool/cron/crontabs/
crontab -l
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /var/spool/cron/crontabs/root

List all available shells

cat /etc/shells

Shell Versions

/bin/bash --version

Mountable and Mounted files systems

mount
cat /etc/fstab

Plain Text Passwords

find . -name "*.config" -print0 2>/dev/null | xargs -0 grep -i -n "password" 2>/dev/null

Root User

You will need to do much of the same as above such as the cron jobs, processes network connections.

Harvest password hashes

cat /etc/shadow

Look into config files that were previously no accessible for passwords

PreviousTips & Tricks NextLinux PrivEsc

Last updated 4 years ago

Was this helpful?