Automated Scripts

-e Enter export location
-t Include thorough (lengthy) tests
-r Enter report name
-k interesting_keywords

Network Enumeration

netstat -tnlp 
netstat -an | grep LIST

#Connected Devices
nmcli dev show
ip a
arp -a
cat /etc/resolv.conf
cat /etc/hosts

#Firewall rules
firewall-cmd --list-all-zones
firewall-cmd --list-ports
firewall-cmd --list-services

#Ping sweep
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done

#Port scan
for i in {1..65535}; do (echo > /dev/tcp/$i) >/dev/null 2>&1 && echo $i is open; done

System Enumeration


cat /etc/*-release
cat /etc/issue
uname -a
cat /lsb/release
cat /proc/version
cat /etc/issue


Process Enumeration

#Privileged services
ps aux | grep "^root"

#Monitor cron jobs in real-time

ps aux | grep james

#Cron jobs
crontab -l

#Effective ID of current process
cat /proc/$$/status | grep "[UG]id"

Sensitive Files

  • Search for passwords/keys

#Environment variables

find /etc -writable -type f
find /var -readable -type f

#Directories which can be written
find / -executable -writable -type d 2> /dev/null

#Aliases in .bashrc
find /home -name .bashrc -exec grep export {} \;

find /home -name .bash_history
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null

#Search in current directory
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;

#SSH Keys
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
#SUID/SGID files
find / -perm -u=s -type f 2> /dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null

Domain Enumeration

#Check if Domain Joined. This file will contain Machine A/c details.
For Samba v3, machine A/c password will be present in clear-text. 
For v4, Hex value can be decoded to reveal Machine's NTLM hash. [https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9]
tdbdump /var/lib/samba/private/secrets.tdb

#Request TGT.
kinit <comp@domain.com> <password>

#Active Kerberos tickets

#Identify DC
cat /etc/krb5.conf

Last updated