netstat -tnlp
netstat -an | grep LIST
#Connected Devices
nmcli dev show
ifconfig
ip a
route
arp -a
cat /etc/resolv.conf
cat /etc/hosts
#Firewall rules
firewall-cmd --list-all-zones
firewall-cmd --list-ports
firewall-cmd --list-services
#Ping sweep
for i in {1..255}; do (ping -c 1 192.168.1.${i} | grep "bytes from" &); done
#Port scan
for i in {1..65535}; do (echo > /dev/tcp/192.168.1.1/$i) >/dev/null 2>&1 && echo $i is open; done
#Privileged services
ps aux | grep "^root"
#Monitor cron jobs in real-time
pspy64
ps aux | grep james
#Cron jobs
crontab -l
#Effective ID of current process
cat /proc/$$/status | grep "[UG]id"
Sensitive Files
Search for passwords/keys
#Environment variables
export
find /etc -writable -type f
find /var -readable -type f
#Directories which can be written
find / -executable -writable -type d 2> /dev/null
#Aliases in .bashrc
find /home -name .bashrc -exec grep export {} \;
find /home -name .bash_history
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
#Search in current directory
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
#SSH Keys
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
#SUID/SGID files
find / -perm -u=s -type f 2> /dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
Crucial to set up time:proxychains net time difference should not be more than 5min
export KRB5CCNAME=pathtoticket
#Check if Domain Joined. This file will contain Machine A/c details.
For Samba v3, machine A/c password will be present in clear-text.
For v4, Hex value can be decoded to reveal Machine's NTLM hash. [https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9]
tdbdump /var/lib/samba/private/secrets.tdb
#Request TGT.
kinit <comp@domain.com> <password>
#Active Kerberos tickets
klist
#Identify DC
cat /etc/krb5.conf