Linux Enumeration Cheat Sheet
After gaining shell access to a Linux system, you may want to perform some common tasks to better understand the system, its installed software, its users, and their files. This is referred to as enumeration.
Note that different commands will work on different Linux distributions, so experimentation (and learning!) is needed.
Operating System
What distribution and version is used?
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-releaseWhat is the Kernel version? Is it 64-bit?
$ cat /proc/version
$ uname -a
$ uname -mrs
$ rpm -q kernel
$ dmesg | grep LinuxWhat can be learned from the environmental variables?
$ env
$ set
$ cat /etc/profile
$ cat /etc/bashrc
$ cat ~/.bash_profile
$ cat ~/.bashrc
$ cat ~/.bash_logout
$ cat ~/.zshrcApplications and Services
What services are running? And what users are they running as?
$ ps aux
$ ps -elf
$ top
$ cat /etc/serviceWhich service(s) are running as root? Of these services, which are vulnerable?
$ ps aux | grep root
$ ps -elf | grep rootWhat applications are installed? What version are they? Are they currently running?
$ dpkg -l
$ dpkg -l PACKAGE-NAME
$ rpm -qaWhat jobs are scheduled?
$ crontab -l
$ cat /etc/cron*
$ cat /etc/cron.d/*
$ cat /etc/cron.daily/*
$ cat /etc/cron.hourly/*
$ cat /etc/cron.monthly/*
$ cat /etc/crontab
$ cat /etc/at.allow
$ cat /etc/at.deny
$ cat /etc/anacrontabCommunications and Networking
What NIC(s) does the system have? Is it connected to another network?
$ ifconfig
$ ip link
$ ip addr
$ /sbin/ifconfig -a
$ cat /etc/network/interfaces
$ cat /etc/sysconfig/networkWhat are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? Firewall rules?
$ cat /etc/resolv.conf
$ cat /etc/sysconfig/network
$ cat /etc/networks
$ iptables -L
$ hostname
$ dnsdomainnameWhat other users & hosts are communicating with this system?
$ lsof -i
$ lsof -i :80
$ netstat -antup
$ netstat -antpx
$ netstat -tulpn
$ chkconfig --list
$ chkconfig --list | grep 3:on
$ last
$ wConfidential Information and Users
Who are you? Who is logged in now? Who has been logged in previously? Who else is there? Who can do what?
$ id
$ who
$ w
$ last
$ cat /etc/passwd # List of users
$ cat /etc/sudoers
$ sudo -lWhat sensitive files can be found?
$ cat /etc/passwd # User accounts
$ cat /etc/group # Groups
$ cat /etc/shadow # Password hashesIs anything "interesting" in the home directories? Do you have access?
$ ls -ahlR /root/
$ ls -ahlR /home/Are there any passwords in scripts, databases, configuration files or log files? The specific files to search will depend on the installed programs determined previously...
$ cat /var/apache2/config.inc
$ cat /var/lib/mysql/mysql/user.MYD
$ cat /root/anaconda-ks.cfgWhat has the user being doing? Are there any password in plain text? What have they been editing?
$ cat ~/.bash_history
$ cat ~/.zsh_history
$ cat ~/.nano_history
$ cat ~/.atftp_history
$ cat ~/.mysql_history
$ cat ~/.php_historyAre there any private keys accessible?
cat ~/.ssh/*
# Check other user directories too!File Systems
How are file-systems mounted?
$ mount
$ df -hAre there any unmounted file-systems?
$ cat /etc/fstabFind world writable folders and files:
$ find / -xdev -type d -perm -0002 -ls 2> /dev/null
$ find / -xdev -type f -perm -0002 -ls 2> /dev/nullFind SUIDs (files & programs that have the permission of their owner -- usually root. Useful for privilege escalation)
$ find / -perm -4000 -user root -exec ls -ld {} \; 2> /dev/nullNext Steps
What development tools/languages are installed/supported?
$ which perl
$ which python
$ which python3
$ which gcc
# Can look for binaries not in search path
# find / -name perl*
# find / -name python*
# find / -name gcc*
# find / -name ccHow can files be downloaded to this system?
$ which wget
$ which nc
$ which netcat
# Can look for binaries not in search path
# find / -name wget
# find / -name nc*
# find / -name netcat*