🧠 Linux Enumeration - General

What is it?

  • Concept: Which commands should you run on a machine you have just gained access to, in order to gather as much information as possible?

Exploitation

1. System & OS Enumeration

Goal: Understand the operating system, kernel version, and architecture to identify potential kernel exploits or system specifics.

  • Hostname:
## Common tools
hostname
 
## Native alternatives:
cat /etc/hostname
cat /proc/sys/kernel/hostname
  • Kernel Version & Architecture
## Common tool
uname -a
 
## Native alternatives
cat /proc/version
  • OS release & Distribution
## Common tools
lsb_release -a
 
## Native alternatives
cat /etc/os-release

2. Installed Packages Enumeration

Goal: Find out what packages or tools are installed on the system; this enables living off the land, pivoting to deeper machines, or finding vulnerable binaries that can be exploited.

  • Debian / Ubuntu-based (APT)
## Common tools
dpkg -l
apt list --installed
 
## Native alternatives
cat /var/lib/dpkg/status
  • RedHat / CentOS / Fedora-based (RPM)
## Common tools
rpm -qa
dnf list installed
yum list installed # older systems
 
## Native alternatives (checking common installation directories)
ls -la /usr/bin
ls -la /sbin
ls -la /opt
  • Arch Linux-based (Pacman)
## Common tools
pacman -Q
 
## Native Alternatives
ls -la /var/lib/pacman/local/

3. Shell Capabilities Enumeration

Goal: Identify Linux capabilities assigned to the current shell or process to find privilege escalation vectors.

## Common tools
capsh --print
 
## Native Alternative
grep Cap /proc/$$/status

Note: If you only have the hex output from the native method, you can decode it later on your own machine using capsh --decode=<hex_value>.

4. User & Group Enumeration

Goal: Identify who you are, what groups you belong to, and who else has access to the machine.

  • Current User & Group ID:
## Common tools
id
whoami
 
## Native Alternative
echo $USER
env
  • Currently Logged-In Users:
## Common tools
w
who
last
 
## Native Alternative
ls -la /home          # see active directories 
ps -ef | grep pts     # see active terminal processes
  • All System Users & Groups:
## Common tools
getent passwd
getent group
 
## Native Alternative
cat /etc/passwd
cat /etc/group

5. Privilege Enumeration

Goal: Discover what elevated actions the current user can perform.

  • Sudo Privileges:
## Common tools
sudo -l
 
## Native Alternative
grep sudo ~/.bash_history
cat /etc/sudoers        # if readable
cat /etc/sudoers.d/*    # if readable
  • SUID/SGID Binaries (Files executing as the owner/group):
## Common tools
find / -perm -4000 -type f 2>/dev/null # SUID
find / -perm -2000 -type f 2>/dev/null # SGID

6. Network Enumeration

Goal: Map out the internal network, open ports, and active connections.

  • Network Interfaces & IP Addresses:
## Common tool
ip a
ifconfig
 
## Native Alternative
cat /proc/net/fib_trie  # routing info that reveals local IPs
ls /sys/class/net       # list interface names
  • Open Ports & Active Connections:
## Common tools
ss -tulnp
netstat -tulnp
 
## Native Alternatives
cat /proc/net/udp
cat /proc/net/tcp
  • ARP Cache & Routing Table:
## Common tools
arp -a
ip route
 
## Native alternatives
cat /proc/net/arp
cat /proc/net/route
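The native /proc/net/tcp output lists addresses and ports as hex, which is awkward to read by hand. The following is an added example (not from any tool on this page) that decodes each line into a readable socket pair and state; it assumes a little-endian host (x86, ARM), where the kernel writes IPv4 addresses as reversed-byte hex and ports as plain big-endian hex.

```shell
#!/usr/bin/env bash
# Added example: decode /proc/net/tcp without ss/netstat. Not from any tool on
# this page. Assumes a little-endian host (x86, ARM), where the kernel writes
# IPv4 addresses as reversed-byte hex and ports as plain big-endian hex.

hex2ip() {                       # "0100007F" -> "127.0.0.1"
  printf '%d.%d.%d.%d' \
    "0x$(printf '%s' "$1" | cut -c7-8)" "0x$(printf '%s' "$1" | cut -c5-6)" \
    "0x$(printf '%s' "$1" | cut -c3-4)" "0x$(printf '%s' "$1" | cut -c1-2)"
}

tcp_state() {                    # kernel socket state code -> name
  case $1 in
    01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
    04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
    07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
    0A) echo LISTEN ;;      0B) echo CLOSING ;;    0C) echo NEW_SYN_RECV ;;
    *)  echo "UNKNOWN($1)" ;;
  esac
}

# decode_tcp_line "<one data line of /proc/net/tcp>"
# prints: <local ip:port> <remote ip:port> <STATE> uid=<owner uid>
decode_tcp_line() {
  set -- $1                      # split fields: $2=local $3=remote $4=st $8=uid
  printf '%s:%d %s:%d %s uid=%s\n' \
    "$(hex2ip "${2%%:*}")" "0x${2##*:}" "$(hex2ip "${3%%:*}")" "0x${3##*:}" \
    "$(tcp_state "$4")" "$8"
}

# decode_proc_net_tcp < /proc/net/tcp   (skips the header line)
decode_proc_net_tcp() {
  IFS= read -r _header
  while IFS= read -r line; do decode_tcp_line "$line"; done
}

# Constructed sample so the script runs offline: a listener on 127.0.0.1:631
# owned by root and an outbound HTTPS connection from 10.0.2.15 owned by uid 1000.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:B7C4 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1'
printf '%s\n' "$SAMPLE" | decode_proc_net_tcp
```

On a live system run `decode_proc_net_tcp < /proc/net/tcp`; the same layout applies to /proc/net/udp (there the state column is less meaningful).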

7. Process & Service Enumeration

Goal: Identify what is running in the background, which might include vulnerable software or hidden tasks.

  • Running Processes:
## Common tools
ps aux
top
 
## Native alternative
ls -l /proc                 # Every running process has a directory named after its Process ID
cat /proc/<PID>/cmdline     # See the exact command used to start the process
  • Scheduled Tasks (Cron Jobs):
## Common tools
crontab -l
 
## Native alternative
cat /etc/crontab
ls -la /etc/cron.*
cat /var/spool/cron/crontabs/<username> # requires root/sudo

8. Interesting & Sensitive Files

Goal: Hunt for hardcoded credentials, SSH keys, or configuration files.

  • Bash History & Profiles:
cat ~/.bash_history
cat ~/.bashrc
cat ~/.profile
  • SSH Keys:
ls -la ~/.ssh # Look for `id_rsa`, `id_ed25519`, `authorized_keys`
  • Configuration Files & Passwords:
## Common tools
grep -i -r "password" /etc/ 2>/dev/null
 
## Native alternatives
cat /var/www/html/wp-config.php # example web app config; also check /etc and other application files

9. Docker Container or Kubernetes Pod?

  1. Docker Container

Goal: First, confirm you are actually inside a containerized environment; if any of these signs appears, consider pivoting to (incomplete) Linux Enumeration - Docker Container

  • The Docker Environment File:
    • Command: ls -la /.dockerenv
    • Indicator: If this file exists at the root directory, you are almost certainly inside a Docker container (or a container spun up by a runtime that mimics this for compatibility).
  • Control Groups (cgroups) Inspection:
    • Command: cat /proc/1/cgroup
    • Indicator: Look at the output strings. If you see paths containing /docker/, /lxc/, or /containerd/, you are in a container. Note: If the host uses cgroups v2, this file might just show 0::/, in which case you should check mounts instead.
  • Mount Points:
    • Command: mount or cat /proc/mounts
    • Indicator: Look for overlay file systems mounted on /, or host paths mounted into the container (often visible as /dev/sda1 mounted somewhere unusual, or tmpfs mounts).
  2. Kubernetes Pod

Goal: Look for artifacts specific to Kubernetes orchestration; if any of these signs appears, consider pivoting to (incomplete) Linux Enumeration - Kubernetes Pod

If you know you are in a container, Kubernetes leaves very loud fingerprints compared to a vanilla Docker run.

  • The Kubernetes Service Account Token (The Holy Grail):
    • Command: ls -la /var/run/secrets/kubernetes.io/serviceaccount/
    • Indicator: If this directory exists and contains ca.crt, namespace, and token, you are in a Kubernetes Pod. K8s mounts this by default into almost every pod so the container can talk to the Kubernetes API.
  • Kubernetes Environment Variables:
    • Command: env | grep -i kube
    • Indicator: Kubernetes injects service discovery variables into pods. If you see variables like KUBERNETES_SERVICE_HOST, KUBERNETES_PORT, or similar KUBERNETES_* entries, you are in a Pod. Standalone Docker does not do this unless a user explicitly passed them.
  • Cgroup Naming Conventions:
    • Command: cat /proc/1/cgroup
    • Indicator: If the cgroup string contains /kubepods/, you are running under Kubernetes.
  • DNS Configuration:
    • Command: cat /etc/resolv.conf
    • Indicator: Kubernetes uses internal DNS. Look for search domains ending in svc.cluster.local. If you see that, you are in a K8s environment.
  • Hostname Convention:
    • Command: hostname
    • Indicator: While not foolproof, standalone Docker often assigns a random 12-character hex string as the hostname (e.g., 7a3b4c9d2e1f). Kubernetes pods usually inherit the name of the Deployment/ReplicaSet, followed by hashes (e.g., frontend-webapp-7b9c9f8d-4j2kl).
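The indicators in both parts of this section can be combined into a single check. The following is an added example (not from any tool on this page); the optional ROOT argument points at a fixture directory so the checks can be exercised offline, and with no argument it inspects the live system.

```shell
#!/usr/bin/env bash
# Added example: combine the container/Kubernetes indicators from this section
# into one check. Not from any tool on this page. The optional ROOT argument
# points at a fixture directory so the checks can be exercised offline; with no
# argument it inspects the live system.

# detect_runtime [ROOT]  -> prints "kubernetes", "container" or "host"
detect_runtime() {
  root=${1:-}; ctr=0; k8s=0
  cgroup="$root/proc/1/cgroup"

  # Docker env file at the filesystem root
  [ -f "$root/.dockerenv" ] && ctr=1

  # cgroups v1 paths name the runtime; on cgroups v2 this may show only "0::/"
  if [ -r "$cgroup" ]; then
    grep -qE '/(docker|lxc|containerd)' "$cgroup" && ctr=1
    grep -q '/kubepods' "$cgroup" && k8s=1
  fi

  # overlay filesystem mounted on / is typical of container images
  [ -r "$root/proc/mounts" ] && grep -q '^overlay / ' "$root/proc/mounts" && ctr=1

  # Kubernetes-only artifacts: service account mount, cluster DNS search domain,
  # and (on the live system only) the injected service discovery variables
  [ -f "$root/var/run/secrets/kubernetes.io/serviceaccount/token" ] && k8s=1
  [ -r "$root/etc/resolv.conf" ] && grep -q 'svc\.cluster\.local' "$root/etc/resolv.conf" && k8s=1
  [ -z "$root" ] && [ -n "${KUBERNETES_SERVICE_HOST:-}" ] && k8s=1

  if [ "$k8s" -eq 1 ]; then echo kubernetes
  elif [ "$ctr" -eq 1 ]; then echo container
  else echo host
  fi
}

detect_runtime "$@"
```

A result of "host" only means none of these fingerprints is present; runtimes that hide them (or a hardened pod without a mounted token) will not be detected this way.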