Enumeration Commands
| Enumeration Commands | Description |
| --- | --- |
| id | print real and effective user and group IDs |
| whoami | print the current user name |
| hostname | show or set the system's host name |
| uname | print system information |
| ps -ef | report a snapshot of the current processes |
| echo $PATH | print the PATH environment variable |
| ifconfig | configure a network interface (run without arguments it shows the interface addresses) |
| cat /etc/passwd | show the contents of the passwd file |
| sudo -l | list the commands the current user is allowed to run with sudo |
| find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null | find all SUID and SGID files |
The previous table shows the basic commands for enumeration; the list below gives a more detailed set of commands:
hostname - lists the name of the host
uname -a - prints kernel information
cat /proc/version - prints almost the same info as the command above, plus the compiler (gcc) version used to build the kernel
cat /etc/issue - shows the exact OS version
ps - lists the processes that are running
ps -A - all running processes
ps axjf - process tree
ps aux - displays processes with the users as well
Ex: ps aux | grep mysql --> This greps for mysql; for example, if root is running MySQL, we can find an exploit
env - shows all the environment variables
sudo -l - lists the commands the current user may run with sudo, including any allowed without a password
groups - lists the groups that current user is in
id - prints the user ID and group IDs of the current user
cat /etc/passwd - displays all users
cat /etc/passwd | cut -d ":" -f 1 - strips the other fields and only displays the usernames
ls /home - displays users
history - previously ran commands which might have some sensitive info
ifconfig (or) ip a (or) ip route - network related information
netstat - prints network connections and sockets
netstat -a - all listening and established connections
netstat -at - tcp connections
netstat -au - udp connections
netstat -l - listening connections
netstat -s - network statistics
netstat -tp - TCP connections with the service name and PID; add "l" (netstat -tlp) to show only listening ports
netstat -i - interface related information
netstat -ano - all sockets (-a), with numeric addresses (-n) and socket timers (-o)
The find command helps us locate a lot of useful things.
Syntax: find <path> <options> <regex/name>
find . -name flag1.txt : find the file named "flag1.txt" in the current directory
find /home -name flag1.txt : find the file named "flag1.txt" in the /home directory
find / -type d -name config : find the directory named config under "/"
find / -type f -perm 0777 : find files with the 777 permissions (files readable, writable, and executable by all users)
find / -perm /a=x : find executable files (any execute bit set)
find /home -user frank : find all files for user "frank" under "/home"
find / -mtime -10 : find files that were modified in the last 10 days
find / -atime -10 : find files that were accessed in the last 10 days
find / -cmin -60 : find files changed within the last hour (60 minutes)
find / -amin -60 : find files accessed within the last hour (60 minutes)
find / -size 50M : find files with a 50 MB size
find / -writable -type d 2>/dev/null : Find world-writable folders
find / -perm -222 -type d 2>/dev/null : Find folders writable by owner, group and others (all three write bits set)
find / -perm -o=w -type d 2>/dev/null : Find world-writable folders (others have write permission)
find / -perm -o=x -type d 2>/dev/null : Find world-executable folders
We can also find installed programming languages and compilers: find / -name "perl*", find / -name "python*", find / -name "gcc*" ...etc
find / -perm -u=s -type f 2>/dev/null : Find files with the SUID bit set, which makes the file run with its owner's privileges (often root) rather than the current user's. This is important!
We can even make use of "grep", "locate", "sort"...etc
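To verify how each of these -perm forms actually behaves before trusting its output in an audit, here is an added example (not part of the original cheat sheet) that builds a constructed sample tree with mktemp, runs the page's find(1) permission checks over it using GNU find's symbolic-mode syntax, and counts what each one matches. The helper names make_sandbox, count, world_writable_dirs, all_writable_dirs, executable_files and suid_files are assumptions of this example.

```shell
#!/bin/sh
# Added example: run the cheat sheet's find(1) permission checks against a
# constructed sample tree so the difference between the -perm forms is visible.
# Assumes GNU find (symbolic modes such as -o=w and /a=x) and a writable /tmp.
set -u

make_sandbox() {
  # Constructed sample tree; nothing here comes from a real host.
  d=$(mktemp -d)
  mkdir "$d/world_rw" "$d/owner_only" "$d/all_write"
  chmod 0757 "$d/world_rw"     # others can write, group cannot
  chmod 0700 "$d/owner_only"   # private to the owner
  chmod 0777 "$d/all_write"    # owner, group and others can all write
  : > "$d/suid_bin";  chmod 4755 "$d/suid_bin"   # setuid bit set
  : > "$d/plain_bin"; chmod 0755 "$d/plain_bin"  # executable, no setuid
  : > "$d/data.txt";  chmod 0644 "$d/data.txt"   # not executable
  printf '%s\n' "$d"
}

# count <root> <find expression...>: number of matches, with errors
# suppressed exactly as the cheat sheet does with 2>/dev/null
count() {
  root=$1; shift
  find "$root" "$@" 2>/dev/null | wc -l | tr -d ' '
}

# -perm -o=w: the "others" write bit is set (world-writable), whatever u/g have
world_writable_dirs() { count "$1" -type d -perm -o=w; }
# -perm -222: ALL three write bits must be set, so a 0757 directory is missed
all_writable_dirs()   { count "$1" -type d -perm -222; }
# -perm /a=x: ANY execute bit set (a plain -perm a=x would need exactly 0111)
executable_files()    { count "$1" -type f -perm /a=x; }
# -perm -u=s: the setuid bit is set
suid_files()          { count "$1" -type f -perm -u=s; }

demo() {
  box=$(make_sandbox)
  echo "world-writable dirs (-o=w): $(world_writable_dirs "$box")"  # 2
  echo "all-writable dirs (-222):   $(all_writable_dirs "$box")"    # 1
  echo "executable files (/a=x):    $(executable_files "$box")"     # 2
  echo "setuid files (-u=s):        $(suid_files "$box")"           # 1
  rm -rf "$box"
}

demo
```

Running the same four checks against a real host and comparing the SUID and world-writable lists with a known-good baseline is the quickest way to spot an unexpected change.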