Linux information collection

Host discovery

nmap -sn <target ip/range>     # ping scan only (host discovery), no port scan

OS identification

nmap -O <target ip>

Port scan

Full scan

nmap -T4 -A -v -p- <target ip>

-A enables aggressive scanning: OS detection, version detection, default script scanning and traceroute;

-T4 sets the timing template used during the scan. There are six levels (0-5). The higher the level, the faster the scan, but the easier it is to be detected and blocked by a firewall or IDS. T4 is recommended when the network connection is in good condition;

-v enables verbose output, so scan details are printed while the scan runs and the user can follow its current state.

-p- scans all 65535 TCP ports instead of the default top 1000.

Find login authorization page

nmap -p 80 --script http-auth-finder <target ip>

SSH brute force

nmap -p22 --script ssh-brute <target ip>

DNS zone transfer (AXFR) vulnerability

nmap -p 53 --script dns-zone-transfer.nse -v <target ip>

masscan quick scan

masscan -p443 <target range>                                        # Single port scan
masscan --top-ports 100 --rate 100000 <target range>                # Fast scan
masscan --top-ports 100 --excludefile exclude.txt <target range>    # Exclude the targets listed in exclude.txt
masscan -p20,21,22,23,80,161,443,873,2181,3389,6379,7001,8000,8009,8080,9000,9009,9090,9200,9300,10000,50070 <target range> > results.txt

Kernel version

uname -a
uname -mrs                  # Machine hardware, kernel release and kernel name
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

Once you know the kernel version, you can search for matching privilege escalation vulnerabilities, such as Dirty COW.


The find syntax accepted differs between Linux distributions. Try the variants one by one:

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

-perm matches on permission bits
4000, 2000 and 1000 represent the SUID, SGID and sticky bit respectively
-user root restricts the search to files owned by root, i.e. SUID files that run with root privileges
2>/dev/null sends error messages (e.g. permission denied) to the "black hole"
-perm -u=s means the setuid bit is set for the file owner; combined with -user root this yields root-owned SUID binaries
-type selects the type of file we are looking for
f stands for regular files, not directories or special files

After finding these binaries, look up the privilege escalation method that applies to each one.
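As an added example, not from the original post, a small POSIX shell audit that applies the same find expression from the defender's side: it lists setuid/setgid regular files under a directory and reports any that are absent from a known-good baseline (the baseline format, one absolute path per line, and the function names are assumptions).

```shell
#!/bin/sh
# Added example (not part of the original post). Audits setuid/setgid files
# against a baseline so that a newly planted SUID binary stands out.
# Assumed baseline format: one absolute path per line, nothing else.

# find_special_bits DIR
#   Prints every regular file under DIR that has the setuid (4000) or
#   setgid (2000) bit set, one path per line. Errors such as
#   "permission denied" go to the black hole, as in the commands above.
find_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_suid DIR BASELINE
#   Prints "UNEXPECTED <path>" for each setuid/setgid file under DIR that
#   is not listed in BASELINE. Prints nothing when everything matches.
audit_suid() {
    dir=$1
    baseline=$2
    find_special_bits "$dir" | while read -r path; do
        # -x: whole-line match, -F: literal string, -q: no output
        if ! grep -qxF "$path" "$baseline"; then
            echo "UNEXPECTED $path"
        fi
    done
}

# Typical use on a live host (root is required to see every file):
#   find_special_bits / > /var/lib/suid-baseline.txt   # taken when the host is known-good
#   audit_suid / /var/lib/suid-baseline.txt            # run later, e.g. from cron
```

Snapshot the baseline while the host is known-good and keep it off the host; any line the audit prints is a binary that gained special bits after the snapshot and should be explained.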

SUDOER configuration

sudo's configuration file is the sudoers file, which lets system administrators centrally manage which users may run which commands on which hosts. It is stored in /etc/sudoers by default and its permissions must be 0440.

See which sudo commands the current user may run, and which of them need no password

cat /etc/sudoers
sudo -l

Similarly, after finding these binaries, look up the privilege escalation method that applies to each one.

View the commands available to the current user

compgen -c


cat /etc/passwd             # Local user accounts and shells

Password hashes in /etc/shadow can be cracked offline with unshadow (John the Ripper) or hashcat

Boot item

chkconfig                   # View startup services
ls /etc/init.d              # View boot scripts
cat /etc/rc.local           # View rc startup file
crontab -l                  # View the current user's crontab
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Process list

ps -aux                     # List all processes and related information
ps -ef
top                         # Live overview of system load and processes; press q or Ctrl+C to exit

Installed software / commands

ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/

Service configuration files

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'    # Recursively list /etc entries whose mode field contains an r (readable)


~/.bash_history             Command history of the current user
last                        Show all users who have logged in to the system and their source IPs
lastlog                     Show the most recent login of every user
/var/log/messages           Messages and errors logged after system boot; one of the most used logs on Red Hat Linux
/var/log/secure             Security related log (authentication, sudo, sshd)
/var/log/maillog            Mail related log
/var/log/cron               Scheduled task (cron) log
/var/log/spooler            UUCP and news device related log
/var/log/boot.log           Daemon start and stop messages
/var/log/wtmp               Permanent record of every user's login, logout, system startup and shutdown events
/var/log/nginx/access.log   Nginx access log
/var/log/apache2/access_log Apache access log

Sensitive file

cat /var/apache2/
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

Critical infrastructure

Routing, gateway, DNS

ip route        # Show core routing table
ip neigh        # Show neighbor table
cat /etc/resolv.conf  # View DNS
arp -e


ls -alh /var/mail/

Tags: Intranet Penetration

Posted on Tue, 30 Nov 2021 21:18:19 -0500 by EcLip$e