Local Enumeration (Linux/Debian)
Local Users and Groups
Users
cat /etc/passwdLocal Groups
cat /etc/groupCurrent User Group Membership
groupsidList All UIDs and Respective Memberships
for i in $(cat /etc/passwd 2>/dev/null | cut -d ":" -f 1); do id $i; doneCurrently Logged On Users
who -awho -qfingerpinkyusersLast Logged on Users
lastlastlogWhat is Currently Logged On User Doing
wUser Hashes
cat /etc/shadowCurrent User Environment Variables
envPath Information
echo $PATHCurrent User Command History
historycat ~/*historyDisplay All System Variables
cat /etc/profilesAvailable Shells
cat /etc/shellsUser Privileges (Sudo)
Sudo Permissions
sudo -lSudoers Group Members (Privileged Command)
cat /etc/sudoersSudo Version
sudo -VSystem
Hostname
hostnameKernel Information
cat /etc/issuecat /etc/*-releaseuname -aArchitecture
archuname -rNetwork
Local Interfaces
ifconfigip aDNS Servers
cat /etc/resolv.confActive Connections
netstat -aonss -anpListening Ports
ss -ntpluService/Port Mappings (For Refference Lookup)
cat /etc/servicesApplications
Check Var or Opt Directories
ls /varls /optInstalled Applications
dpkg -lrpm -qaRecently Installed Applications
grep install /var/log/dpkg.loggrep install /var/log/dpkg.log /var/log/dpkg.log.1Apache Version
httpd -vapache2 -vLoaded Apache Modules
apache2ctl -Mapachectl -MSites Enabled (VHOST)
ls -la /etc/apache2/sites-available/cat /etc/apache2/sites-enabled/*Which Account is Apache Running As
ps aux | egrep '(apache|httpd)' | grep -v ^root | head -n1 | awk '{print $1}'MYSQL Version
mysql --versionPostgres Version
psql -VPerl Version
perl -vJava Version
java --versionPython Version
python --versionpython3 --versionRuby Version
ruby -vAvailable Compilers
dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/nullyum list installed ‘gcc*’ 2>/dev/null| grep gcc 2>/dev/nullProcesses
List All Processes
ps auxProcesses Running as Root
ps aux | grep -i rootGathering Information on a Specific Process
ps u -C <command_run>Query `inetd` Information
cat /etc/inetd.confcat /etc/xinetd.confEnumerating Full Information on Specific Process
cat /proc/<PID>/statusInspecting the UID for Specific Process
grep UID /proc/1932/statusInspecting the Processes with Watch
watch -n 1 "ps -aux | grep -i -E 'pass|pwd|user|-u|-p|cred'"Scheduled Tasks
Current Jobs
tophtopListing All Cronjobs Directories
ls -lah /etc/cron*List Default Crontab
cat /etc/crontabList Current User Cronjobs
crontab -lListing Root User Cronjobs
sudo crontab -lReading the Cronjob Log File
grep -i "cron" /var/log/syslogjournalctl | grep -i "cron"File/Directory && Permissions
Writable Directories for Current User
find / -writable -type d 2>/dev/nullWritable Directories for Specific User
find / -writable -user john -type d 2>/dev/nullSUID Binaries
find / -perm -u=s -type f 2>/dev/nullGUID Binaries
find / -perm -g=s -type f 2>/dev/nullPassword/SSH Key Hunting
Rough Search for `pass` in Home Directory
for i in $(find /home -type f \( -name "*.txt" -o -name "*.log" -o -name "*.csv" -o -name "*.ini" -o -name "*.log" \) 2>/dev/null);do grep -i pass $i 2>/dev/null; doneSearch for SSH Files
find / -type f \( -name "*.pub" -o -name "id_dsa" -o -name "id_rsa" -o -name "*keys*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys"\) 2>/dev/nullls -la ~/.ssh/Check Log Files for Phrase: `pass`
grep -l -i pass /var/log/*.log 2>/dev/nullFind Configuration Files
find /etc/ -name *.conf -type fList Open Files (Omitting Current User)
lsof | grep -v $(whoami)Verify Access to Root’s Mail File
head /var/mail/rootFind `.plan` Files
find /home -iname *.plan 2>/dev/nullFind Rhosts File
find /home -name *.rhosts -type f 2>/dev/nullCapabilities
Recursive Search for Binaries with Capabilities
/usr/sbin/getcap -r / 2>/dev/nullFirewall
List Firewall Rules
iptables -Lf