Manual Linux Enumerations

Linux Enumerations

  • What’s the distribution type? What version?
    • cat /etc/issue
    • cat /etc/*-release
    • cat /etc/lsb-release      # Debian based
    • cat /etc/redhat-release   # Redhat based
  • What’s the kernel version? Is it 64-bit?
    • cat /proc/version
    • uname -a
    • uname -mrs
    • rpm -q kernel
    • dmesg | grep Linux
    • ls /boot | grep vmlinuz-
  • What can be learnt from the environment variables?
    • cat /etc/profile
    • cat /etc/bashrc
    • cat ~/.bash_profile
    • cat ~/.bashrc
    • cat ~/.bash_logout
    • env
    • set
  • Is there a printer?
    • lpstat -a
  • Applications & Services
    • What services are running? Which service has which user privilege?
      • ps aux
      • ps -ef
      • top
      • cat /etc/services
  • Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
    • ps aux | grep root
    • ps -ef | grep root
  • What applications are installed? What version are they? Are they currently running?
    • rpm -qa | grep 'httpd\|xinetd\|cups\|cron\|klog\|udev\|ssh\|kpsmouse\|vmtools\|dkaudit'
    • ls -alh /usr/bin/
    • ls -alh /sbin/
    • ls -alh /usr/local/sbin
    • dpkg -l
    • rpm -qa
    • ls -alh /var/cache/apt/archives
    • ls -alh /var/cache/yum/
  • Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
    • cat /etc/syslog.conf
    • cat /etc/chttp.conf
    • cat /etc/lighttpd.conf
    • cat /etc/cups/cupsd.conf
    • cat /etc/inetd.conf
    • cat /etc/apache2/apache2.conf
    • cat /etc/my.conf
    • cat /etc/httpd/conf/httpd.conf
    • cat /opt/lampp/etc/httpd.conf
    • ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null   # entries with any read bit set
  • What jobs are scheduled?
    • crontab -l
    • ls -alh /var/spool/cron
    • ls -al /etc/ | grep cron
    • ls -al /etc/cron*
    • cat /etc/cron*
    • cat /etc/at.allow
    • cat /etc/at.deny
    • cat /etc/cron.allow
    • cat /etc/cron.deny
    • cat /etc/crontab
    • cat /etc/anacrontab
    • cat /var/spool/cron/crontabs/root
  • Any plain text usernames and/or passwords?
    • grep -i user [filename]
    • grep -i pass [filename]
    • grep -C 5 "password" [filename]
    • find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla (single quotes keep $password literal)
  • Communications & Networking
    • What NIC(s) does the system have? Is it connected to another network?
      • /sbin/ifconfig -a
      • cat /etc/network/interfaces
      • cat /etc/sysconfig/network
  • What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
    • cat /etc/resolv.conf
    • cat /etc/sysconfig/network
    • cat /etc/networks
    • iptables -L
    • hostname
    • dnsdomainname
  • What other users & hosts are communicating with the system?
    • lsof -i
    • lsof -i :80
    • grep 80 /etc/services
    • netstat -antup
    • netstat -antpx
    • netstat -tulpn
    • chkconfig --list
    • chkconfig --list | grep 3:on
    • last
    • w
  • What's cached? IP and/or MAC addresses
    • arp -e
    • route
    • /sbin/route -nee
  • Is packet sniffing possible? What can be seen? Listen to live traffic
    • tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.5.5.252 and dst port 21))'
    • Note: tcpdump 'tcp and dst host [ip] and dst port [port]'   # combine several destinations with "or"
  • Have you got a shell? Can you interact with the system?
  • Is port forwarding possible? Redirect and interact with traffic from another view
    • FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
  • SSH
    • Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
      • ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
      • ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port
  • Netcat
    • Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
    • mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe    # Port Relay
    • mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
    • mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)
  • Is tunnelling possible? Send commands locally, remotely
    • SSH Dynamic
      • ssh -D 127.0.0.1:9050 -N [username]@[ip]
    • proxychains ifconfig
  • Confidential Information & Users
  • Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
    • last
    • cat /etc/passwd | cut -d: -f1    # List of users
    • grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'   # List of super users
    • awk -F: '($3 == "0") { print }' /etc/passwd   # List of super users
    • cat /etc/sudoers
    • sudo -l
  • What sensitive files can be found?
    • cat /etc/passwd
    • cat /etc/group
    • cat /etc/shadow
    • ls -alh /var/mail/
  • Anything "interesting" in the home directory(ies)? If it's possible to access them
    • ls -ahlR /root/
    • ls -ahlR /home/
  • Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords:
    • cat /var/apache2/config.inc
    • cat /var/lib/mysql/mysql/user.MYD
    • cat /root/anaconda-ks.cfg
  • What has the user been doing? Is there any password in plain text? What have they been editing?
    • cat ~/.bash_history
    • cat ~/.nano_history
    • cat ~/.atftp_history
    • cat ~/.mysql_history
    • cat ~/.php_history
  • What user information can be found?
    • cat ~/.bashrc
    • cat ~/.profile
    • cat /var/mail/root
    • cat /var/spool/mail/root
  • Can private-key information be found?
    • cat ~/.ssh/authorized_keys
    • cat ~/.ssh/identity.pub
    • cat ~/.ssh/identity
    • cat ~/.ssh/id_rsa.pub
    • cat ~/.ssh/id_rsa
    • cat ~/.ssh/id_dsa.pub
    • cat ~/.ssh/id_dsa
    • cat /etc/ssh/ssh_config
    • cat /etc/ssh/sshd_config
    • cat /etc/ssh/ssh_host_dsa_key.pub
    • cat /etc/ssh/ssh_host_dsa_key
    • cat /etc/ssh/ssh_host_rsa_key.pub
    • cat /etc/ssh/ssh_host_rsa_key
    • cat /etc/ssh/ssh_host_key.pub
    • cat /etc/ssh/ssh_host_key
  • File Systems
    • Which configuration files can be written in /etc/? Able to reconfigure a service?
      • ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone (any write bit set)
      • ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null       # Owner
      • ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
      • ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null        # Other
      • find /etc/ -readable -type f 2>/dev/null               # Readable by the current user
      • find /etc/ -maxdepth 1 -readable -type f 2>/dev/null   # Readable by the current user, top level only
  • What can be found in /var/ ?
    • ls -alh /var/log
    • ls -alh /var/mail
    • ls -alh /var/spool
    • ls -alh /var/spool/lpd
    • ls -alh /var/lib/pgsql
    • ls -alh /var/lib/mysql
    • cat /var/lib/dhcp3/dhclient.leases
  • Any settings/files (hidden) on website? Any settings file with database information?
    • ls -alhR /var/www/
    • ls -alhR /srv/www/htdocs/
    • ls -alhR /usr/local/www/apache22/data/
    • ls -alhR /opt/lampp/htdocs/
    • ls -alhR /var/www/html/
  • Is there anything in the log file(s) (Could help with “Local File Includes”!)
    • cat /etc/httpd/logs/access_log
    • cat /etc/httpd/logs/access.log
    • cat /etc/httpd/logs/error_log
    • cat /etc/httpd/logs/error.log
    • cat /var/log/apache2/access_log
    • cat /var/log/apache2/access.log
    • cat /var/log/apache2/error_log
    • cat /var/log/apache2/error.log
    • cat /var/log/apache/access_log
    • cat /var/log/apache/access.log
    • cat /var/log/auth.log
    • cat /var/log/chttp.log
    • cat /var/log/cups/error_log
    • cat /var/log/dpkg.log
    • cat /var/log/faillog
    • cat /var/log/httpd/access_log
    • cat /var/log/httpd/access.log
    • cat /var/log/httpd/error_log
    • cat /var/log/httpd/error.log
    • cat /var/log/lastlog
    • cat /var/log/lighttpd/access.log
    • cat /var/log/lighttpd/error.log
    • cat /var/log/lighttpd/lighttpd.access.log
    • cat /var/log/lighttpd/lighttpd.error.log
    • cat /var/log/messages
    • cat /var/log/secure
    • cat /var/log/syslog
    • cat /var/log/wtmp
    • cat /var/log/xferlog
    • cat /var/log/yum.log
    • cat /var/run/utmp
    • cat /var/webmin/miniserv.log
    • cat /var/www/logs/access_log
    • cat /var/www/logs/access.log
    • ls -alh /var/lib/dhcp3/
    • ls -alh /var/log/postgresql/
    • ls -alh /var/log/proftpd/
    • ls -alh /var/log/samba/
  • If commands are limited, can you break out of the "jail" shell?
    • python -c 'import pty; pty.spawn("/bin/bash")'
    • echo os.system('/bin/bash')
    • /bin/sh -i
  • How are file-systems mounted?
    • mount
    • df -h
  • Are there any unmounted file-systems?
    • cat /etc/fstab
  • What "Advanced Linux File Permissions" are used? Sticky bits, SUID & SGID
    • find / -perm -1000 -type d 2>/dev/null   # Sticky bit: only the owner of the directory or the owner of a file can delete or rename here.
    • find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000): runs as the group, not the user who started it.
    • find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000): runs as the owner, not the user who started it.
    • find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (parentheses keep -type f applying to both)
    • for i in $(locate -r "bin$"); do find "$i" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
    • # find starting at root (/), SGID or SUID, not symbolic links, limited to 10 folders deep, list with more detail and hide any errors (e.g. permission denied)
      • find / -maxdepth 10 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
  • Where can files be written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm
    • find / -writable -type d 2>/dev/null      # folders writable by the current user
    • find / -perm -222 -type d 2>/dev/null     # world-writeable folders
    • find / -perm -o=w -type d 2>/dev/null     # world-writeable folders
    • find / -perm -o=x -type d 2>/dev/null     # world-executable folders
    • find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writeable & executable folders
  • Any "problem" files? World-writeable, "nobody" files
    • find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null   # world-writeable folders without the sticky bit
    • find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null   # files with no owner or no group
  • Preparation & Finding Exploit Code
    • What development tools/languages are installed/supported?
      • find / -name 'perl*' 2>/dev/null
      • find / -name 'python*' 2>/dev/null
      • find / -name 'gcc*' 2>/dev/null
      • find / -name cc 2>/dev/null
  • How can files be uploaded?
    • find / -name wget 2>/dev/null
    • find / -name 'nc*' 2>/dev/null
    • find / -name 'netcat*' 2>/dev/null
    • find / -name 'tftp*' 2>/dev/null
    • find / -name ftp 2>/dev/null
  • Finding exploit code

Techniques

  • World writable scripts invoked as root
    • If you find a script that is owned by root but is writable by anyone, you can add your own code to that script, and it will escalate your privileges when the script is run as root. It might be part of a cron job or otherwise automated, or it might be run by hand by a sysadmin. Also check any scripts that are called by these scripts.
      • # find starting at root (/), SGID or SUID, not symbolic links, limited to 10 folders deep, list with more detail and hide any errors (e.g. permission denied)
        • find / -maxdepth 10 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
      • # World writable files and directories
        • find / -writable -type d 2>/dev/null     # writable by the current user
        • find / -perm -222 -type d 2>/dev/null
        • find / -perm -o=w -type d 2>/dev/null
      • # World executable folders
        • find / -perm -o=x -type d 2>/dev/null
      • # World writable and executable folders
        • find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null
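A defender's audit that ties the checks above together, added here as an example (not the page's or any project's code): it reads a crontab, follows each job's script path, and flags the two cases the bullet describes, a world-writable script and a script sitting in a world-writable directory without the sticky bit. The file layout and crontab contents are constructed sample data.

```shell
#!/bin/sh
# Audit a crontab-style file: flag jobs whose script is world-writable or sits in a
# world-writable directory without the sticky bit (so the file can be swapped out).
# Run by root, such a job is the escalation path described above. Added example with
# constructed sample data, not the page's own commands.
# Exit 0 when the file or directory $1 has the other-write bit set.
is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -perm -o=w 2>/dev/null)" ]
}

# Print "<reason> <path>" for each risky job in crontab file $1. Works for system
# crontabs (m h dom mon dow user command) and user crontabs (no user field) by
# taking the first absolute-path token from field 6 onward.
audit_crontab() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    awk '{ for (i = 6; i <= NF; i++) if (substr($i, 1, 1) == "/") { print $i; break } }' | sort -u |
    while read -r cmd; do
        if [ ! -e "$cmd" ]; then echo "missing $cmd"; continue; fi
        if is_world_writable "$cmd"; then echo "world-writable-script $cmd"; fi
        parent=$(dirname "$cmd")
        if is_world_writable "$parent" &&
           [ -z "$(find "$parent" -maxdepth 0 -perm -1000)" ]; then
            echo "writable-dir-no-sticky $cmd"
        fi
    done
}

# Build a constructed sample tree under $1: a world-writable script, a script in a
# world-writable non-sticky directory, a safe one, and a crontab referencing them.
make_sample() {
    mkdir -p "$1/usr/local/bin" "$1/opt" "$1/etc"
    chmod 755 "$1/usr/local/bin"
    chmod 777 "$1/opt"                          # anyone can replace files in here
    for f in usr/local/bin/backup.sh usr/local/bin/rotate.sh opt/cleanup.sh; do
        printf '#!/bin/sh\necho job\n' > "$1/$f"; chmod 755 "$1/$f"
    done
    chmod 777 "$1/usr/local/bin/backup.sh"      # the world-writable script
    cat > "$1/etc/crontab" <<EOF
# m h dom mon dow user command
0 2 * * * root $1/usr/local/bin/backup.sh --full
*/5 * * * * root $1/opt/cleanup.sh
30 3 * * 0 root $1/usr/local/bin/rotate.sh
EOF
}
root=$(mktemp -d)
make_sample "$root"
audit_crontab "$root/etc/crontab"   # reports backup.sh and cleanup.sh, not rotate.sh
rm -rf "$root"
```

On a real host, point audit_crontab at /etc/crontab, the files under /etc/cron.d and /var/spool/cron to get the list the find commands above only hint at.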
  • Insecure PATH Permissions
    • https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
    • Only DOT
      • https://hackmag.com/security/reach-the-root/
      • Is the current directory in PATH (.:/bin:/usr/sbin ...)? Usually it is put there by users who do not want to type two more characters, so that they can run a command as $ program instead of $ ./program. Adding '.' to PATH makes scripts and files in the working directory runnable by bare name. It is done like this:
        • PATH=.:${PATH}
        • export PATH
    • SUID Escape Shells
      • Shell Escape Sequences:
        • http://www.dankalia.com/tutor/01005/0100501004.htm
        • Many programs offer escape sequences to display a shell to the user, programs such as
          • emacs: by entering alt+!
          • vi: by entering :![command name]
          • man: by entering ![command name], replacing [command name] with the program you wish to run.
          • Old Linux games that incorporate a TBIC (the boss is coming) feature to escape to a shell
          • nc
      • IFS Exploit:
        • Check which programs the bash login scripts execute
        • Check which programs cron executes
        • http://www.dankalia.com/tutor/01005/0100501004.htm
        • Explanation 
          • Lines 1, 2, 3: the attacker creates a simple bash script that runs /bin/sh when executed.
          • Lines 4 and 5: the attacker checks the permissions of the SUID program that calls /bin/date.
          • Lines 6 and 7: adds '/home/nick' to his PATH (where the 'bin' program he wrote earlier is).
          • Lines 8 and 9: he sets IFS to '/'. This means that '/' is used as the word separator instead of a space, so the program, instead of calling '/bin/date', calls 'bin date'. Because he has placed a program called 'bin' in his home directory (which is now in the PATH), when /usr/local/date is executed it runs /home/nick/bin with the permissions of /usr/local/date, which means the attacker gets a root shell.
          • Lines 11, 12: the attacker runs 'whoami' to verify that he is root; line 12 confirms this.
      • LD Pre-load
      • Symlinks
      • RHOSTS
      • Other Simple Examples
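An added example (not from the page or the linked articles) that turns the PATH and IFS points above into a check and a fix: path_risks audits a PATH string for '.', empty and relative entries and for world-writable directories, and harden_lookup is the reset a privileged script should perform before calling any tool. The sample PATH string is constructed, and the directory list pinned by harden_lookup is an assumed default.

```shell
#!/bin/sh
# Defensive side of the PATH/IFS issues above. path_risks reports PATH entries
# that let the current directory or a writable directory win command lookup;
# harden_lookup is the reset a privileged script (cron job, sudo target, SUID
# wrapper) should do before calling tools. Added example, constructed input.

# Print "<reason> '<entry>'" for each risky entry of the colon-separated PATH $1.
path_risks() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r entry; do
        case $entry in
            ''|.)  echo "cwd-lookup '$entry'" ;;               # empty or "." means cwd
            /*)    if [ -d "$entry" ] &&
                      [ -n "$(find "$entry" -maxdepth 0 -perm -o=w 2>/dev/null)" ]; then
                       echo "world-writable '$entry'"          # anyone can drop a binary here
                   fi ;;
            *)     echo "relative '$entry'" ;;                 # resolved against cwd
        esac
    done
}

# Pin PATH to system directories, restore the default IFS (space, tab, newline)
# and a sane umask, so an inherited PATH=".:..." or IFS="/" cannot change which
# binary a bare command name resolves to.
harden_lookup() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    IFS=$(printf ' \n\t')      # tab last: $(...) strips trailing newlines only
    umask 022
}

# Absolute path a tool name resolves to under the pinned PATH.
resolve_tool() {
    command -v "$1"
}

path_risks "$PATH"   # audit the calling shell's own PATH
```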
  • Exploit Suggesters / Priv Esc Helpers
    • /var/www/tmp/linux-exploit-suggester.sh