Enumeration
Automation
Tools such as LinPEAS automate enumeration for privilege escalation; the commands below are the manual methods for enumerating the system.
System Information
uname -a # Kernel version & system info
cat /etc/os-release # OS version
id # Current user info
whoami # Username
hostname # System hostname
User & Group Enumeration
who # Logged-in users
w # Active sessions
last # Login history
groups # Current user's groups
cat /etc/passwd # List system users
cat /etc/group # List system groups
Sudo & SUID Checks
sudo -l # Check sudo permissions
find / -perm -4000 -type f 2>/dev/null # Find SUID binaries
find / -perm -2000 -type f 2>/dev/null # Find SGID binaries
cat /etc/sudoers # Sudo configuration (normally readable by root only)
Environment & Path
env # List environment variables
printenv # Another way to list environment variables
echo $PATH # Path variable (check for writable dirs)
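The "check for writable dirs" note on `echo $PATH`, as an added example that is not part of the original page: a POSIX sh helper that splits a PATH string and reports empty, relative, missing, world-writable and user-writable entries. The function name `audit_path` and the finding labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_path [PATH-string]: print one "KIND entry" line per risky PATH entry.
# Defaults to the caller's $PATH. Runs in a subshell so no variables leak.
audit_path() (
    rest="${1-$PATH}:"            # trailing ':' so the last entry is consumed too
    my_uid=$(id -u)
    while [ -n "$rest" ]; do
        entry=${rest%%:*}         # text before the first ':'
        rest=${rest#*:}           # drop that entry and its ':'
        case $entry in
            '') echo "EMPTY (resolves to the current directory)"; continue ;;
            /*) ;;                # absolute path: keep checking below
            *)  printf '%s %s\n' RELATIVE "$entry"; continue ;;
        esac
        if [ ! -d "$entry" ]; then
            # A missing directory can be created later by whoever can write its parent
            printf '%s %s\n' MISSING "$entry"
            continue
        fi
        # Column 9 of the ls mode string is the "other" write bit; -L follows symlinks
        case $(ls -ldL "$entry" 2>/dev/null) in
            ????????w*) printf '%s %s\n' WORLD-WRITABLE "$entry"; continue ;;
        esac
        # root passes every -w test, so report this only for unprivileged callers
        if [ "$my_uid" -ne 0 ] && [ -w "$entry" ]; then
            printf '%s %s\n' WRITABLE-BY-CURRENT-USER "$entry"
        fi
    done
)

# Audit the PATH given as the first argument, or the current $PATH
audit_path "${1-$PATH}"
```

Run it as the account being audited, since the user-writable check depends on the caller's UID.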
Network Information
ip a # Show network interfaces
ifconfig # Show network interfaces (legacy net-tools)
netstat -tulnp # List listening TCP/UDP ports with owning process
ss -tulnp # Same listing via ss (iproute2)
iptables -L -v -n # Check firewall rules
cat /etc/hosts # Show local hostname resolution
Process & Service Enumeration
ps aux # Running processes
ps -ef | grep root # Processes running as root
systemctl list-units --type=service # List system services
Scheduled Tasks & Cron Jobs
crontab -l # Current user's cron jobs
cat /etc/crontab # System-wide cron jobs
ls -la /etc/cron* # Scheduled cron jobs
File System & Writable Directories
find / -type f -writable 2>/dev/null # Find writable files
find / -type d -writable 2>/dev/null # Find writable directories
find / -name ".*" 2>/dev/null # Find hidden files and directories
df -h # Check disk usage
mount # Mounted filesystems
Temporary Directories
ls -la /tmp # List /tmp directory
ls -la /var/tmp # List /var/tmp directory
ls -la /dev/shm # List /dev/shm directory
SSH & Credentials
cat ~/.ssh/id_rsa # Check for SSH keys
cat /etc/ssh/sshd_config # SSH configuration
Logs & Interesting Files
cat /var/log/auth.log # Authentication logs
cat /var/log/syslog # System logs
cat ~/.bash_history # Bash command history
cat ~/.zsh_history # Zsh command history
find / -type f \( -name "*_hist" -o -name "*_history" \) -ls 2>/dev/null # Find history files
Installed Packages & Binaries
dpkg -l # List installed packages (Debian-based)
rpm -qa # List installed packages (RedHat-based)
sudo --version # Check sudo version
ls -la /bin /usr/bin /usr/sbin # List installed binaries
Kernel & Exploit Checks
uname -r # Kernel version
lsmod # Loaded kernel modules
cat /proc/version # Kernel and OS details
searchsploit "$(uname -r)" # Search for kernel exploits (requires exploitdb)