Linux Local Enumeration

Enumerating System Information

  • After gaining initial access to a target system, it is always important to learn more about the system, such as which OS is running and its version. This information is very useful as it gives us an idea of what we can do and what type of exploits we can run.

  • What are we looking for?

    • Hostname

    • Distribution & distribution release version

    • Kernel version & architecture

    • CPU information

    • Disk information & mounted drives

    • Installed packages/software

MSFconsole Commands:

  • sessions -u 1 – Upgrade the shell in session 1 to a Meterpreter shell.

Meterpreter Command:

  • sysinfo – Display system information for the compromised machine.

Linux Commands:

  • /bin/bash -i – Start an interactive bash shell.

  • hostname – Display the name of the host (computer) on which the command is executed.

  • cat /etc/issue – Show the operating system and version information.

  • cat /etc/*release – Display distribution-specific release information.

  • uname -a – Show detailed system information.

  • uname -r – Display the kernel release information.

  • env – Display environment variables.

  • lscpu – Display information about the CPU architecture.

  • free -h – Show memory usage in human-readable format.

  • df -h – Display disk space usage for all mounted filesystems.

  • df -ht ext4 – Show disk space usage only for ext4 filesystems.

  • lsblk | grep sd – List block devices (drives) and filter for those containing "sd".

  • dpkg -l – List installed packages on a Debian-based system.

Enumerating Users & Groups

  • After gaining initial access to a target system, it is always important to learn more about the system, such as which user account you have access to and which other user accounts exist on the system.

  • What are we looking for?

    • Current user & privileges

    • Other users on the system

    • Groups

Meterpreter Command:

  • getuid – Retrieve the current user's ID and privilege level.

Linux Commands:

  • whoami – Display the name of the currently logged-in user.

  • sudo -l – List available commands that the current user can run with sudo privileges.

  • groups <user> – Show group memberships of a specific user.

  • cat /etc/passwd | grep -v /nologin – Display user accounts excluding those with "/nologin" shell.

  • w – Display currently logged-in users with detailed information.

  • who – Display currently logged-in users.

  • last – Show listing of last logged-in users and logouts.

  • lastlog – Display information about last logged-in users.
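
For account reviews on the defensive side, `grep -v /nologin` still lists accounts whose shell is `/bin/false` or is not a valid login shell at all, so parsing the fields gives a more reliable picture. This is an added example, not part of the original notes; the function names, the sample data and the `svc_backup` account are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original notes): account review for defenders.

# Constructed sample in /etc/passwd format; not taken from a real host.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
svc_backup:x:0:0:backup job:/var/backups:/bin/sh
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:
EOF
}

# login_accounts [SHELLS_FILE] < passwd
# Prints name:uid:shell for accounts whose shell is listed in SHELLS_FILE
# (default /etc/shells) and is not a nologin/false stub.
login_accounts() {
    awk -F: '
        FNR == NR {                      # first file: list of valid shells
            if ($0 != "" && $0 !~ /^#/) valid[$0] = 1
            next
        }
        NF != 7 { next }                 # skip malformed passwd lines
        {
            shell = ($7 == "") ? "/bin/sh" : $7   # empty field means /bin/sh
            if (shell ~ /\/(nologin|false)$/) next
            if (shell in valid) print $1 ":" $3 ":" shell
        }' "${1:-/etc/shells}" -
}

# extra_uid0 < passwd
# Prints every UID 0 account other than root; each is a second superuser.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}
```

On a live host the same functions read the real file, for example `login_accounts < /etc/passwd` and `extra_uid0 < /etc/passwd`.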

Enumerating Network Information

What are we looking for?

  • Current IP address & network adapter

  • Internal networks

  • TCP/UDP services running and their respective ports

  • Other hosts on the network

Meterpreter Commands:

  • ifconfig – Display network interface configuration.

  • netstat – Show network statistics and active connections.

  • route – Display the routing table.

  • arp – Show the ARP (Address Resolution Protocol) cache.

Linux Commands:

  • ifconfig – Display network interface configuration.

  • ip a s – Show IP address information for all interfaces.

  • cat /etc/networks – Display network configuration information.

  • cat /etc/hostname – Show the hostname of the system.

  • cat /etc/hosts – Display the hosts file, mapping hostnames to IP addresses.

  • cat /etc/resolv.conf – Show DNS resolver configuration.

  • arp -a – Display the ARP cache of the system.

Enumerating Processes & Cron Jobs

  • After gaining initial access to a target system, it is always important to learn more about the system, such as which processes, services and scheduled tasks are currently running.

  • What are we looking for?

    • Running services

    • Cron Jobs

Meterpreter Command:

  • ps – List running processes on the target system.

Linux Commands:

  • ps – Display running processes.

  • ps aux – List all running processes with detailed information.

  • top – Display dynamic real-time information about system processes.

  • crontab -l – List the cron jobs for the current user.

  • ls -al /etc/cron* – List cron-related files and directories in the /etc/ directory.

  • cat /etc/cron* – Display the content of cron-related files in the /etc/ directory.

Automating Linux Local Enumeration

  • In addition to performing local enumeration manually, we can also automate the process with the help of a few scripts and MSF modules.

  • While local enumeration techniques/commands are important to know, as a penetration tester you will need to be time efficient. As a result, you will need to learn how to use various automated enumeration scripts.

  • In addition to automating the enumeration of system information, users & groups etc., these scripts also provide additional information about the target system, such as privilege escalation vulnerabilities and locally stored passwords.

Linux Local Enum Scripts

MSFconsole Post-exploitation Modules for Linux:

  • /post/linux/gather/enum_configs – Gather configuration information on a Linux system.

  • /post/linux/gather/enum_network – Enumerate network-related information on the target Linux system.

  • /post/linux/gather/enum_system – Enumerate general system information on a Linux system.

  • /post/linux/gather/checkvm – Check if the target Linux system is a virtual machine.

Getting LinEnum Script on Target System:

  1. Visit the GitHub repository of LinEnum Script and copy the script from the RAW tab.

  2. Paste the copied script on the attacking machine.

  3. Use a Meterpreter shell to upload the script to the victim's temporary folder using the "upload <file_path>" command.

  4. Give executable permissions to the script using "chmod +x <script_name>".

  5. Run the script using the command "./linenum".
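
The manual commands in these notes, and scripts such as LinEnum that run many of them back to back, leave a recognizable pattern in process-execution logs. The following added example (not from the original notes or from LinEnum) flags a session that runs several distinct enumeration commands within a short window; the one-event-per-line log format, the session IDs and the thresholds are assumptions.

```sh
#!/bin/sh
# Added example (not from the original notes): flag enumeration bursts.

# Constructed sample of normalized exec events: "<epoch> <session> <command>".
sample_exec_log() {
cat <<'EOF'
1700000000 s1 ls -la
1700000300 s1 whoami
1700000900 s1 df -h
1700001000 s2 whoami
1700001002 s2 uname -a
1700001003 s2 cat /etc/issue
1700001005 s2 cat /etc/passwd
1700001007 s2 sudo -l
1700001009 s2 crontab -l
1700001011 s2 ps aux
1700001500 s3 uname -a
1700001501 s3 uname -a
EOF
}

# detect_enum_burst [WINDOW_SECONDS] [MIN_DISTINCT] < log
# Prints "session epoch count" the first time a session has run MIN_DISTINCT
# different enumeration commands within WINDOW_SECONDS.
detect_enum_burst() {
    awk -v win="${1:-60}" -v min="${2:-5}" '
    BEGIN {
        # Commands taken from the lists on this page, one regex per command.
        list = "whoami;hostname;uname -[ar];cat /etc/issue;cat /etc/[^ ]*release"
        list = list ";cat /etc/passwd;sudo -l;crontab -l;ps aux;ip a[^ ]*"
        list = list ";ifconfig;arp -a;lscpu;dpkg -l;lastlog"
        n = split(list, pat, ";")
    }
    {
        t = $1; s = $2
        cmd = $0; sub(/^[^ ]+ [^ ]+ /, "", cmd)
        for (i = 1; i <= n; i++)
            if (cmd ~ ("^(" pat[i] ")( |$)")) { seen[s, i] = t; break }
        if (i > n) next                  # not an enumeration command
        c = 0                            # distinct commands inside the window
        for (j = 1; j <= n; j++)
            if ((s, j) in seen && t - seen[s, j] <= win) c++
        if (c >= min && !(s in alerted)) { alerted[s] = 1; print s, t, c }
    }'
}
```

In the sample, only session `s2` is reported; a single `whoami` or a repeated `uname -a` stays below the threshold.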




Hacker's Mantra: In a world of zeros and ones, hackers are the ones who see the bigger picture.

Last updated 10 months ago

- LinEnum is a simple bash script that automates common Linux local enumeration checks in addition to identifying privilege escalation vulnerabilities.
