Enumeration is a massive topic. In this post I will go over some basic enumeration techniques when attacking nix machines.

Remote Enumeration

When enumerating a host you would like to gain access to, you should usually start with some kind of remote enumeration.
Start by scanning for available services, here are some common services to scan for (The specified ports associated with each service are the default ports these services use. Keep in mind services can be hosted on ports that are not their defaults. Also keep in mind some of these services can use UDP or TCP).

  1. TCP - Transport Control Protocol
    • HTTP - Port 80
    • HTTPS - Port 443
    • SSH - Port 22
    • FTP - Port 21
    • Squid HTTP Proxy - Port 3128/8080
    • MySQL - Port 3306
  2. UDP - User Datagram Protocol
    • SNMP - 161/162
    • DNS - Port 53

These tools are a great place to start when beginning service enumeration. Nmap, snmp-check, Nikto, dnsmap, enum4linux, ncat.

Local Enumeration

Once you have gained entry to a host to understand the environment you are in you need to enumerate locally. I will usually start with checking out my environment. Some useful commands for this are:

  • uname -a; - Outputs Kernel / System information
  • env; - Outputs environmental variable information
  • sudo -l; - Outputs sudo information for the current user
  • pwd; - Outputs the present working directory
  • ls -al; - Lists all the files and their permissions in the current directory
  • find / -perm /6000 2>/dev/null; - To list all SUID and SGID files
  • cat /etc/passwd; - List users on the system
  • cat /etc/group; - List groups on the system
  • cat /etc/shadow; - List users and user's password hashes
  • id; - Outputs user's current user and group ID's
  • whoami; - Outputs the name of current user

There's tons of helpful commands for enumerating your surroundings in a nix environment but it is usually faster to use an enumeration script!

Links to some enumeration scripts you can try out, my personal favorite is LinEnum.

  1. LinEnum
  2. unix-privesc-check
  3. linuxprivchecker