HacktheboxGithub

Linux Penetration Testing

Methodology

  • Kernel and distribution release details

  • System Information:

  • Hostname

  • Networking details:

  • Current IP

  • Default route details

  • DNS server information

  • User Information:

  • Current user details

  • Last logged on users

  • Shows users logged onto the host

  • List all users including uid/gid information

  • List root accounts

  • Extracts password policies and hash storage method information

  • Checks umask value

  • Checks if password hashes are stored in /etc/passwd

  • Extract full details for 'default' uid's such as 0, 1000, 1001 etc

  • Attempt to read restricted files i.e. /etc/shadow

  • List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.)

  • Basic SSH checks

  • Privileged access:

  • Which users have recently used sudo

  • Determine if /etc/sudoers is accessible

  • Determine if the current user has Sudo access without a password

  • Are known 'good' breakout binaries available via Sudo (i.e. nmap, vim etc.)

  • Is root's home directory accessible

  • List permissions for /home/

  • Environmental:

  • Display current $PATH

  • Displays env information

  • Jobs/Tasks:

  • List all cron jobs

  • Locate all world-writable cron jobs

  • Locate cron jobs owned by other users of the system

  • List the active and inactive systemd timers

  • Services:

  • List network connections (TCP & UDP)

  • List running processes

  • Lookup and list process binaries and associated permissions

  • List inetd.conf/xined.conf contents and associated binary file permissions

  • List init.d binary permissions

  • Version Information (of the following):

  • Sudo

  • MYSQL

  • Postgres

  • Apache

    • Checks user config

    • Shows enabled modules

    • Checks for htpasswd files

    • View www directories

  • Default/Weak Credentials:

  • Checks for default/weak Postgres accounts

  • Checks for default/weak MYSQL accounts

  • Searches:

  • Locate all SUID/GUID files

  • Locate all world-writable SUID/GUID files

  • Locate all SUID/GUID files owned by root

  • Locate 'interesting' SUID/GUID files (i.e. nmap, vim etc)

  • Locate files with POSIX capabilities

  • List all world-writable files

  • Find/list all accessible *.plan files and display contents

  • Find/list all accessible *.rhosts files and display contents

  • Show NFS server details

  • Locate .conf and .log files containing keyword supplied at script runtime

  • List all *.conf files located in /etc

  • Locate mail

  • Platform/software specific tests:

  • Checks to determine if we're in a Docker container

  • Checks to see if the host has Docker installed

  • Checks to determine if we're in an LXC container

PreviousMicrosoft Exchange and OfficeNextLinux Active directory

Last updated