Linux Enumeration Fundamentals

Beginner · 25 min · Writeup

Essential commands and techniques for system enumeration

Learning Objectives

  • Enumerate system information
  • Find installed software
  • Identify running services
  • Locate interesting files

You've got a shell on a Linux box - now what? Before exploiting anything, you need to understand the system. Enumeration is the systematic process of gathering information that reveals privilege escalation paths.

Think of it like being a burglar who got into a house. Before looking for valuables, you need to know: Where are the rooms? Who lives here? What's locked? What's not? The more you know, the better your choices.

Enumeration is 80% of the Work

In CTFs and real engagements, most of your time should be spent enumerating. A thorough enumeration often reveals easy wins that brute-force or complex exploits never would.

System Information

bash
# Kernel and OS version (needed when researching kernel exploits)
uname -a                 # Kernel version and architecture
cat /etc/os-release      # Distribution and release
cat /etc/issue           # Distribution (older method)
hostnamectl              # systemd systems

# Architecture
uname -m                 # x86_64, aarch64 or i686
arch                     # Same info

# Hostname and domain
hostname
cat /etc/hostname
dnsdomainname            # Non-empty if the host has a DNS domain configured

# Example output (abbreviated):
# Linux victim 5.4.0-42-generic #46-Ubuntu SMP x86_64 GNU/Linux
# → Kernel 5.4.0-42-generic, 64-bit, Ubuntu

Kernel Version Matters

Write down the exact kernel version. Later you'll search for kernel exploits that hit specific versions, such as DirtyCow (CVE-2016-5195, kernels before the October 2016 fixes) or DirtyPipe (CVE-2022-0847, 5.8 up to the fixes in 5.10.102, 5.15.25 and 5.16.11). The 5.4.0-42 kernel in the example above falls in neither range. Two caveats: distributions backport fixes without changing the version string, so confirm against the distro's changelog before trusting a match, and kernel exploits can panic the box, so they are the last thing to try, not the first.

Users and Groups

bash
# Current user info
id                       # Current user, groups, UID/GID
whoami                   # Just the username
groups                   # Groups for the current user

# All users
cat /etc/passwd          # Local accounts
getent passwd            # Same, but also resolves NIS/LDAP accounts

# Parse interesting users (UID >= 1000 are usually humans)
# Drop accounts with a non-login shell first, then keep name and UID
# (cutting before grepping would discard the shell field being matched):
grep -v "nologin\|false" /etc/passwd | cut -d: -f1,3
awk -F: '$3 >= 1000 {print $1}' /etc/passwd

# All groups
cat /etc/group
getent group
groups admin             # Check another user's groups

# Interesting groups to look for:
# - sudo/wheel: can run sudo
# - docker: can escalate by mounting the host filesystem into a container
# - lxd/lxc: can escalate via a privileged container
# - disk: raw access to block devices (read /etc/shadow straight off the disk)
# - shadow: can read /etc/shadow
# - adm: can read logs in /var/log
# - video: may access the framebuffer (screen contents)

Password Information

bash
# Password hashes (normally only root and group shadow can read them)
cat /etc/shadow          # Typically permission denied
ls -la /etc/shadow       # Check the permissions anyway

# Last logins
last                     # Login history
lastlog                  # Last login per user
w                        # Currently logged in

# Password policies
chage -l username        # Password aging info (own account works; other users need root)

Sudo Permissions

bash
# CRITICAL: first thing to check!
sudo -l                  # What can I run through sudo?

# Example outputs:

# "User may run the following commands on victim:"
# (ALL) NOPASSWD: /usr/bin/vim
# → vim without a password = instant root via :!sh from inside vim

# (root) /usr/bin/less /var/log/*
# → Constrained, but less spawns a shell with !sh, so still escapable

# If sudo asks for a password you don't know, sudo -l tells you nothing:
# the user may have no sudo rights at all, or may simply need a password

# Sudoers files (normally need root to read)
cat /etc/sudoers
ls -la /etc/sudoers.d/   # Additional sudoers configs

Sudo -l is Essential

ALWAYS run "sudo -l" early in enumeration. It's the most common easy win in CTFs and real systems. Many admins misconfigure sudo.

Files and Permissions

bash
# SUID binaries (run as the file owner, usually root)
find / -perm -4000 -type f 2>/dev/null

# SGID binaries (run as the file's group)
find / -perm -2000 -type f 2>/dev/null

# Both SUID and SGID set
find / -perm -6000 -type f 2>/dev/null

# Files writable by YOUR user (-writable checks your own access, not the o+w bit)
find / -writable -type f -not -path "/proc/*" 2>/dev/null
# World-writable files (o+w bit set, regardless of who you are)
find / -perm -2 -type f -not -path "/proc/*" 2>/dev/null

# Directories writable by your user
find / -writable -type d -not -path "/proc/*" 2>/dev/null

# Files owned by the current user
find / -user $(whoami) 2>/dev/null

# Recently touched files (a cron job or admin may have just written them)
find / -mmin -10 -type f 2>/dev/null   # Content modified in the last 10 min
find / -cmin -10 -type f 2>/dev/null   # Inode status (content, perms or owner) changed in the last 10 min
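Every Debian/Ubuntu install ships a dozen or so SUID binaries, so the raw find listing is mostly noise. The following is an added example, not code from the original page: a shell function that filters the listing against a constructed baseline of stock SUID paths. The baseline, the sample listing and the function names are my own assumptions; the baseline is deliberately short rather than authoritative.

```shell
#!/bin/sh
# Added example: separate the SUID binaries every Debian/Ubuntu box ships from
# the ones somebody added. STOCK_SUID is a constructed baseline of the usual
# suspects, not a complete or authoritative list, and "stock" does not mean
# "safe": sudo and pkexec are on it and both had local-root CVEs.
STOCK_SUID="
/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount
/usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/pkexec
/usr/bin/fusermount /usr/bin/fusermount3 /usr/bin/ping /usr/bin/at
/usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1 /usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/bin/passwd /bin/su /bin/mount /bin/umount /bin/ping /bin/fusermount
"

# unusual_suid: reads one absolute path per line on stdin and prints the
# ones that are not in the baseline
unusual_suid() {
    stock=" $(printf '%s' "$STOCK_SUID" | tr '\n' ' ') "
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        case "$stock" in
            *" $path "*) ;;                 # stock binary, skip it
            *) printf '%s\n' "$path" ;;     # not in the baseline: look at it
        esac
    done
}

# Constructed sample listing, shaped like "find / -perm -4000 -type f" output
SAMPLE_LISTING="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/pkexec
/usr/lib/openssh/ssh-keysign
/usr/bin/find
/opt/backup/reader"

# demo: runs the filter over the sample; prints /usr/bin/find and /opt/backup/reader
demo() { printf '%s\n' "$SAMPLE_LISTING" | unusual_suid; }

# Live use on a target:
#   find / -perm -4000 -type f 2>/dev/null | unusual_suid
```

Anything the filter prints gets examined by hand: what the binary does, who owns it, and whether it is a known escape. The stock entries are not automatically safe either; the sudo and pkexec CVEs listed later on this page are the reason to version-check those even though they pass the filter.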

Sensitive Files

bash
# Config files with potential credentials
cat /etc/passwd
cat /etc/shadow          # If readable = gold mine!
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/fstab           # Mount info, NFS shares (CIFS entries sometimes embed credentials)

# User files
ls -la ~/
cat ~/.bashrc
cat ~/.bash_history      # Command history: passwords typed on the command line end up here
cat ~/.ssh/id_rsa        # Private keys!
cat ~/.ssh/authorized_keys
ls -la /home/*/          # Other users' homes

# Web config (often has DB passwords)
cat /var/www/html/config.php
cat /var/www/html/wp-config.php
find /var/www -name "*.php" -exec grep -il "password" {} \;

Network Information

bash
# Network interfaces and IPs
ip a                     # Modern
ifconfig                 # Legacy
hostname -I              # Quick IP list

# Routing
ip route                 # Modern
route -n                 # Legacy
cat /etc/resolv.conf     # DNS servers

# Open ports and connections
ss -tulpn                # Listening TCP/UDP sockets (process names for other users' sockets need root)
netstat -tulpn           # Legacy
ss -anp                  # All sockets, including established connections
lsof -i                  # Process/socket association

# Firewall rules
iptables -L -n           # Usually needs root
cat /etc/iptables/*      # Persisted rules, sometimes readable without root

# ARP table (other hosts on the network)
arp -a
ip neigh

Processes and Services

bash
# Running processes
ps aux                   # All processes
ps aux | grep "^root"    # Processes running as root (potential targets)
ps -ef --forest          # Process tree (who spawned what)

# Full, unwrapped command lines (look for passwords passed as arguments)
ps auxwww

# Services
systemctl list-units --type=service
systemctl status <service>
service --status-all     # SysV init

# Interesting to look for:
# - Services running as root with world-writable configs, scripts or binaries
# - Services bound to localhost only (unreachable from outside, reachable now that you're on the box)
# - Custom services or scripts not installed by the package manager

Installed Software

bash
# Package managers
dpkg -l                  # Debian/Ubuntu
rpm -qa                  # RHEL/CentOS
pacman -Q                # Arch

# Specific software versions
python --version
python3 --version
perl --version
gcc --version
mysql --version
sudo --version           # Check for sudo CVEs!

# Find installed compilers and interpreters (for exploit compilation)
which gcc cc clang
which python python3 perl

# Common vulnerable software to check
# sudo 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1 (CVE-2021-3156 Baron Samedit)
# pkexec before the January 2022 fix (CVE-2021-4034 PwnKit)
# screen 4.5.0 (CVE-2017-5618, local root)
pkexec --version

Version Numbers are Gold

Write down version numbers of common software; specific versions have known CVEs. A box reporting sudo 1.8.31 is inside the Baron Samedit range, but distributions backport fixes without bumping the upstream version string, so treat a version match as a lead to confirm (distro changelog, or the advisory's own test) rather than as proof.
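Both notes above (the kernel version, and software versions such as sudo) come down to comparing a version string against a published affected range. As an added example, not from the original page, the script below does that for DirtyPipe (CVE-2022-0847) and Baron Samedit (CVE-2021-3156) using sort -V. The function names and the sample inputs are my own; the ranges are the ones published with each advisory (DirtyPipe: 5.8 up to the fixes in 5.10.102, 5.15.25 and 5.16.11; Baron Samedit: 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1).

```shell
#!/bin/sh
# Added example: compare version strings against published affected ranges.
# Ranges used (inclusive lower bound, exclusive upper bound):
#   DirtyPipe, CVE-2022-0847: kernels 5.8 up to the fixes in 5.10.102, 5.15.25, 5.16.11
#   Baron Samedit, CVE-2021-3156: sudo 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1
# Distributions backport fixes without bumping the upstream version, so a hit
# here is a lead to verify, not proof.

# version_ge A B: true if A >= B (sort -V does the dotted-numeric comparison)
version_ge() {
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# in_ranges VERSION "LO HI" ...: true if LO <= VERSION < HI for any pair
in_ranges() {
    v=$1; shift
    for r in "$@"; do
        lo=${r% *}; hi=${r#* }
        if version_ge "$v" "$lo" && ! version_ge "$v" "$hi"; then
            return 0
        fi
    done
    return 1
}

# kernel_dirtypipe "5.8.0-63-generic": strips the distro suffix, checks the
# three affected series (5.11-5.14 never received a fix)
kernel_dirtypipe() {
    in_ranges "${1%%-*}" "5.8 5.10.102" "5.11 5.15.25" "5.16 5.16.11"
}

# sudo_baron_samedit "1.8.31p2": the "p" patch level becomes a fourth
# component so that 1.8.31 < 1.8.31p1 < 1.8.31p2 < 1.8.32 compare correctly
sudo_baron_samedit() {
    case "$1" in
        *p*) sv=$(printf '%s' "$1" | sed 's/p/./') ;;
        *)   sv="$1.0" ;;
    esac
    in_ranges "$sv" "1.8.2.0 1.8.31.3" "1.9.0.0 1.9.5.2"
}

# report: runs both checks against the live box
# (sudo --version prints "Sudo version X.Y.Z" on its first line)
report() {
    k=$(uname -r)
    if kernel_dirtypipe "$k"; then
        echo "kernel $k: inside the DirtyPipe range, verify against the distro changelog"
    else
        echo "kernel $k: not in the DirtyPipe range"
    fi
    if command -v sudo >/dev/null 2>&1; then
        s=$(sudo --version | head -n 1 | awk '{print $3}')
        if sudo_baron_samedit "$s"; then
            echo "sudo $s: inside the Baron Samedit range, confirm with the advisory test"
        else
            echo "sudo $s: not in the Baron Samedit range"
        fi
    fi
}
```

A hit is a lead, not proof: Ubuntu's patched sudo package still reports 1.8.31. For Baron Samedit the advisory's own test settles it: run `sudoedit -s /` as an unprivileged user; a vulnerable build answers with an error starting `sudoedit:`, a patched one with `usage:`. Calling `report` runs both checks on the current box.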

Scheduled Tasks

bash
# System cron jobs
cat /etc/crontab         # Note the PATH= line: a writable directory in it lets you hijack relative commands
ls -la /etc/cron.*
cat /etc/cron.d/*

# User cron jobs
crontab -l               # Current user
crontab -l -u username   # Specific user (needs root)

# Cron directories
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/

# Systemd timers (modern cron alternative)
systemctl list-timers --all

# Look for:
# - Scripts running as root
# - Scripts (or their parent directories) that you can write to
# - Bare wildcards (tar czf backup.tgz *), which let crafted filenames become arguments
# - Relative paths in scripts, resolved through the cron PATH
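The four things the checklist says to look for can be scripted. The function below is an added example, not from the original page: it reads /etc/crontab-style lines and flags root jobs whose command is resolved through PATH, lives in a world-writable location, or uses a bare wildcard. The sample crontab is constructed, and the heuristics and function names are mine.

```shell
#!/bin/sh
# Added example: triage /etc/crontab-style lines (m h dom mon dow user command,
# or @reboot user command) for the weaknesses the checklist names.
# Only root jobs are reported. These are heuristics, not proof: each hit still
# needs a look at the script and at the permissions of its directory.

# cron_flags: reads crontab text on stdin, prints "reason: original line"
cron_flags() {
    awk '
        /^[ \t]*(#|$)/             { next }   # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }   # SHELL=, PATH=, MAILTO=
        {
            if ($1 ~ /^@/) { user = $2; first = 3 }   # @reboot, @daily, ...
            else           { user = $6; first = 7 }   # five time fields, then user
            if (user != "root") next
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
            body = cmd
            sub(/^cd[ \t]+[^&;]*(&&|;)[ \t]*/, "", body)   # skip a leading "cd DIR &&"
            split(body, w, " ")
            exe = w[1]
            if (exe !~ /\//)
                print "PATH lookup: " $0          # resolved through the crontab PATH
            else if (exe ~ /^\/(tmp|var\/tmp|dev\/shm|home)\//)
                print "writable location: " $0
            if (cmd ~ /[ \t]\*([ \t]|$)/)
                print "bare wildcard: " $0        # filenames in the cwd become arguments
        }'
}

# Constructed sample, not taken from a real system
SAMPLE_CRONTAB=$(cat <<'EOF'
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/5 *  * * *  root   /usr/local/bin/backup.sh
*  *   * * *  root   cd /home/www/uploads && tar czf /var/backups/www.tgz *
0  2   * * *  root   /tmp/cleanup.sh
30 3   * * *  backup /opt/backup/run.sh
*/10 * * * *  root   rotate-logs.sh
@reboot       root   /dev/shm/.x
EOF
)

# demo: runs the triage over the sample; prints five flagged lines
demo() { printf '%s\n' "$SAMPLE_CRONTAB" | cron_flags; }

# Live use on a target:
#   cat /etc/crontab /etc/cron.d/* 2>/dev/null | cron_flags
```

Each hit still needs a manual look: a PATH-resolved command only matters if a directory earlier in the crontab's PATH is writable by you, and a script under /home is only useful if you can write to it or to its directory. Non-root jobs are skipped here but deserve a glance too, since a job running as another user is a lateral step.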

Enumeration Methodology

Systematic Enumeration

1. Quick Wins: sudo -l, SUID binaries, bash history
2. System Info: kernel version, OS, architecture
3. Users: who's on the system, interesting groups
4. Files: sensitive files, writable locations
5. Network: internal services, other hosts
6. Processes: what's running as root
7. Scheduled: cron jobs, systemd timers
8. Software: versions for known CVEs

Knowledge Check

Quick Quiz

What command should you always run first during enumeration? (The page's answer, from the takeaways below: sudo -l.)

Challenges

Complete System Enumeration

Challenge (beginner)

On a practice Linux machine, perform systematic enumeration and document: kernel version, all SUID binaries, sudo permissions, and any interesting files in user home directories.


Key Takeaways

  • Always run "sudo -l" first - it's often the easy win
  • SUID binaries run as owner - find them with find -perm -4000
  • Check ~/.bash_history for leaked credentials
  • Note kernel and software versions for CVE lookup
  • World-writable files and directories are potential targets
  • Systematic enumeration beats random exploitation attempts