Greetings, fellow hackers and red team enthusiasts! As we all know, the initial enumeration stage is critical to any successful penetration test or red team operation. A deep understanding of a target’s Linux system is essential in identifying vulnerabilities, misconfigurations, and potential attack vectors. In this introductory article, I will guide you through the best practices and techniques for gathering information about a Linux system during the initial enumeration process. We will explore numerous command-line tools, examine real-world examples, and delve into code samples to ensure you’re well-equipped for your next Linux-based engagement. So, without further ado, let’s dive into the fascinating world of Linux enumeration!

Getting Started with Linux Enumeration

The first step in successful Linux enumeration is understanding the essential tools and techniques available. This section will discuss fundamental methods for gathering information about a Linux system, including examining running processes, user accounts, and file permissions.

Running Processes

To begin your enumeration journey, it’s essential to determine what processes are running on the target system. This information can help you identify potential vulnerabilities and misconfigurations. The following commands are necessary for obtaining an overview of the running processes:

  • ps: The ps command allows you to view the current processes on a Linux system. To see all processes, use the ps aux command:
$ ps aux
  • top/htop: The top and htop commands provide a dynamic, real-time view of the processes running on a Linux system. The htop command is more user-friendly and offers additional features:
$ top
$ htop

User Accounts and Groups

Understanding a Linux system’s user accounts and groups is crucial to determining the attack surface. The following commands can help you enumerate user accounts and groups:

  • cat /etc/passwd: This command displays the contents of the /etc/passwd file, which contains information about user accounts:
$ cat /etc/passwd
  • cat /etc/group: This command displays the contents of the /etc/group file, which contains information about groups and their members:
$ cat /etc/group

File Permissions and Ownership

In Linux, file permissions and ownership are vital security mechanisms. Enumerating these permissions and ownership details can help you identify misconfigurations and potential privilege escalation vectors. The following commands can assist you in this process:

  • ls: The ls command, when used with the -la option, displays detailed information about files and directories, including permissions and ownership:
$ ls -la /path/to/directory
  • find: The find command can help you search for files with specific permissions or ownership settings. For example, to find all files owned by the user “root” and writable by the group “users,” you can use the following command:
$ find / -user root -group users -perm /g+w 2>/dev/null

Advanced Enumeration Techniques

Now that we have covered some basic enumeration techniques let’s delve into more advanced methods to gather more valuable information from a Linux system.

Network Enumeration

Enumerating network information is crucial in understanding how the target system communicates with other devices and networks. The following commands can help you gather network-related information:

  • ifconfig/ip: These commands display information about network interfaces and their configurations. The ip command is more modern and versatile:
$ ifconfig
$ ip addr show
  • route/ip route: These commands display the routing table of the target system, which can help you understand how traffic is routed within the network:
$ route
$ ip route
  • netstat/ss: The netstat and ss commands display information about network connections, listening ports, and routing tables. The ss command is more modern and powerful:
$ netstat -tulpn
$ ss -tulpn
  • lsof: The lsof command lists open files, including network connections. To list all open network connections, use the following command:
$ lsof -i

Service Enumeration

Gathering information about running services is crucial in identifying potential attack vectors. The following commands can help you enumerate services on a Linux system:

  • systemctl: The systemctl command manages systemd services. To list all active services, use the following command:
$ systemctl list-units --type=service --state=active
  • initctl: The initctl command manages Upstart services. To list all services and their states, use the following command:
$ initctl list
  • service: The service command manages SysV init services. To list all services and their states, use the following command:
$ service --status-all

Cron Jobs and Scheduled Tasks

Cron jobs and scheduled tasks can provide valuable information about the target system’s operations and potential vulnerabilities. The following commands can help you enumerate cron jobs and scheduled tasks:

  • cat /etc/crontab: This command displays the contents of the /etc/crontab file, which contains system-wide cron jobs:
$ cat /etc/crontab
  • ls /etc/cron.d: This command lists the files in the /etc/cron.d directory, which contains additional system-wide cron jobs:
$ ls /etc/cron.d
  • for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -l -u $user; done: This command loops through all user accounts and displays each user’s personal cron jobs:
$ for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -l -u $user; done

Kernel and System Information

Gathering information about the Linux kernel and system can help you identify vulnerabilities and potential exploit opportunities. The following commands can help you enumerate kernel and system information:

  • uname: The uname command, when used with the -a option, displays detailed information about the Linux kernel:
$ uname -a
  • cat /etc/os-release: This command displays information about the target system’s distribution and version:
$ cat /etc/os-release
  • cat /proc/version: This command displays more detailed information about the Linux kernel, including the compiler used to build it:
$ cat /proc/version

Automated Enumeration Tools

Manual enumeration can be time-consuming and may only sometimes provide comprehensive results. This section will explore some popular automated enumeration tools that can help you gather information more efficiently.

LinEnum

LinEnum is a widely used enumeration script that automates gathering information about a Linux system. It checks for misconfigurations, vulnerable services, and other potential attack vectors. To use LinEnum, download the script and execute it on the target system:

$ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
$ chmod +x LinEnum.sh
$ ./LinEnum.sh

Linux Smart Enumeration (lse)

Linux Smart Enumeration (lse) is another powerful enumeration script that provides detailed information about a Linux system. It categorizes its findings into different levels, making prioritizing your focus on specific areas easier. To use lse, download the script and execute it on the target system:

$ wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
$ chmod +x lse.sh
$ ./lse.sh

LinPEAS

LinPEAS is a versatile enumeration script that focuses on potential privilege escalation vectors. It checks for misconfigurations, vulnerable services, and other potential attack vectors. To use LinPEAS, download the script and execute it on the target system:

$ wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
$ chmod +x linpeas.sh
$ ./linpeas.sh

Privilege Escalation and GTFOBins

In this section, we will discuss privilege escalation techniques and the use of GTFOBins to exploit misconfigurations or vulnerable binaries for escalating privileges.

Privilege Escalation Techniques

Privilege escalation is obtaining higher-level privileges on a system, typically from a low-privileged user to root or administrator. There are two primary types of privilege escalation: vertical and horizontal. Vertical privilege escalation involves gaining higher-level privileges, while horizontal privilege escalation involves gaining access to another user’s account with similar privileges. Some standard privilege escalation techniques include:

  • Exploiting vulnerable software: Exploiting known vulnerabilities in installed software to gain elevated privileges.
  • Abusing misconfigurations: This involves taking advantage of system misconfigurations, such as weak file permissions or improperly configured services.
  • Leveraging weak credentials: This involves exploiting weak or reused passwords to access other user accounts or services.

GTFOBins

GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions or perform privilege escalation. These binaries typically have special functionality or can be abused to execute arbitrary code or commands. GTFOBins can be found on the project’s GitHub repository (https://github.com/GTFOBins/GTFOBins.github.io) or by visiting their website (https://gtfobins.github.io/).

To use GTFOBins effectively, follow these steps:

  1. Identify potentially exploitable binaries on the target system. You can use the find command to search for setuid or setgid binaries, as these may allow for privilege escalation:
$ find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
  1. Cross-reference the identified binaries with GTFOBins to determine if any of them are known to be exploitable. For example, if you find a setuid binary called example_binary, search for it on the GTFOBins website.
  2. Follow the instructions provided by GTFOBins to exploit the binary and escalate your privileges. Be sure to thoroughly read and understand the provided examples, as some binaries may require specific conditions or arguments to be exploitable.

In conclusion, understanding privilege escalation techniques and leveraging GTFOBins can significantly enhance your Linux enumeration and exploitation capabilities. Always consider privilege escalation opportunities when conducting a penetration test or red team operation, and use GTFOBins as a valuable resource for identifying and exploiting vulnerable or misconfigured binaries.

Real-World Examples

This section will examine some real-world examples of Linux enumeration and how the techniques and tools discussed in this article were used to gather valuable information.

Example 1: Linux Server Compromise

In this example, a red team was tasked with compromising a Linux server hosting a web application. The red team began by manually enumerating the system using the commands discussed in Sections 1 and 2. They discovered the server was running an outdated Apache web server with a known vulnerability (CVE-2020-11984). The red team then leveraged this vulnerability to gain an initial foothold on the server.

After gaining access, the red team used LinEnum to automate the enumeration process. LinEnum revealed that the server was running a misconfigured cron job that allowed them to escalate their privileges to root. The red team successfully compromised the server and completed their mission using this information.

Example 2: Internal Network Penetration Test

In this example, a penetration tester was tasked with assessing the security of an internal Linux-based network. The tester began using network enumeration techniques, such as the ip, route, and netstat commands, to map out the network topology and identify potential targets.

The tester then used lse to enumerate each target system. One of the systems was found to have a vulnerable version of the Samba file-sharing service (CVE-2017-7494). The tester exploited this vulnerability to access the target system and used LinPEAS to search for privilege escalation vectors. LinPEAS identified a vulnerable version of the sudo utility (CVE-2021-3156), which allowed the tester to escalate their privileges to root and compromise the system.

Conclusion

Initial Linux enumeration is vital to any successful penetration test or red team operation. By mastering the techniques and tools discussed in this article, you will be well-equipped to gather valuable information about a Linux system and identify potential attack vectors. Remember, enumeration is an iterative process – as you gain more information and access, continue to enumerate and adapt your approach. Now, go forth and conquer the Linux landscape with your newfound knowledge!