Linux Basic CML
Kernel, Operating System & Device Information:

| Command | Result |
| --- | --- |
| `uname -a` | Print all available system information |
| `uname -r` | Kernel release |
| `uname -n` | System hostname |
| `hostname` | As above |
| `uname -m` | Linux kernel architecture (32 or 64 bit) |
| `cat /proc/version` | Kernel information |
| `cat /etc/*-release` | Distribution information |
| `cat /etc/issue` | As above |
| `cat /proc/cpuinfo` | CPU information |
| `df -a` | File system information |

Users & Groups:

| Command | Result |
| --- | --- |
| `cat /etc/passwd` | List all users on the system |
| `cat /etc/group` | List all groups on the system |
| `cat /etc/shadow` | Show user hashes – Privileged command |
| `grep -v -E "^#" /etc/passwd \| awk -F: '$3 == 0 { print $1}'` | List all super user accounts |
| `finger` | Users currently logged in |
| `pinky` | As above |
| `users` | As above |
| `who -a` | As above |
| `w` | Who is currently logged in and what they’re doing |
| `last` | Listing of last logged on users |
| `lastlog` | Information on when all users last logged in |
| `lastlog -u %username%` | Information on when the specified user last logged in |

User & Privilege Information:

| Command | Result |
| --- | --- |
| `whoami` | Current username |
| `id` | Current user information |
| `cat /etc/sudoers` | Who’s allowed to do what as root – Privileged command |
| `sudo -l` | Can the current user perform anything as root |

Environmental Information:

| Command | Result |
| --- | --- |
| `env` | Display environmental variables |
| `set` | As above |
| `echo $PATH` | Path information |
| `history` | Displays command history of current user |
| `pwd` | Print working directory, i.e. ‘where am I’ |
| `cat /etc/profile` | Display default system variables |

Interesting Files:

| Command | Result |
| --- | --- |
| `find / -perm -4000 -type f 2>/dev/null` | Find SUID files |
| `find / -uid 0 -perm -4000 -type f 2>/dev/null` | Find SUID files owned by root |
| `find / -perm -2000 -type f 2>/dev/null` | Find files with the SGID bit set |
| `find / -perm -2 -type f 2>/dev/null` | Find world-writable files |
| `find / -perm -2 -type d 2>/dev/null` | Find world-writable directories |
| `find /home -name '*.rhosts' -print 2>/dev/null` | Find rhost config files |
| `ls -ahlR /root/` | See if you can access other user directories to find interesting files – Privileged command |
| `cat ~/.bash_history` | Show the current user’s command history |
| `ls -la ~/.*_history` | Show the current user’s various history files |
| `ls -la ~/.ssh/` | Check for interesting ssh files in the current user’s directory |
| `ls -la /usr/sbin/in.*` | Check configuration of inetd services |
| `grep -l -i pass /var/log/*.log 2>/dev/null` | Check log files for keywords (‘pass’ in this example) and show positive matches |
| `find /var/log -type f -exec ls -la {} \; 2>/dev/null` | List files in specified directory (/var/log) |
| `find /var/log -name '*.log' -type f -exec ls -la {} \; 2>/dev/null` | List .log files in specified directory (/var/log) |
| `find /etc/ -maxdepth 1 -name '*.conf' -type f -exec ls -la {} \; 2>/dev/null` | List .conf files in /etc (recursive 1 level) |
| `ls -la /etc/*.conf` | As above |
| `find / -maxdepth 4 -name '*.conf' -type f -exec grep -Hn password {} \; 2>/dev/null` | Find .conf files (recursive 4 levels) and output line number where the word password is located |
| `lsof -i -n` | List open files (output will depend on account privileges) |

Service Information:

| Command | Result |
| --- | --- |
| `ps aux \| grep root` | View services running as root |
| `cat /etc/inetd.conf` | List services managed by inetd |
| `cat /etc/xinetd.conf` | As above for xinetd |

Jobs/Tasks:

| Command | Result |
| --- | --- |
| `crontab -l -u %username%` | Display scheduled jobs for the specified user – Privileged command |
| `ls -la /etc/cron*` | Scheduled jobs overview (hourly, daily, monthly etc) |
| `ls -aRl /etc/cron* 2>/dev/null \| awk '$1 ~ /w.$/'` | What can ‘others’ write in /etc/cron* directories |
| `top` | List of current tasks |

Networking, Routing & Communications:

| Command | Result |
| --- | --- |
| `/sbin/ifconfig -a` | List all network interfaces |
| `cat /etc/network/interfaces` | As above |
| `arp -a` | Display ARP communications |
| `route` | Display route information |
| `cat /etc/resolv.conf` | Show configured DNS server addresses |
| `netstat -antp` | List all TCP sockets and related PIDs (-p Privileged command) |
| `netstat -anup` | List all UDP sockets and related PIDs (-p Privileged command) |
| `iptables -L` | List rules – Privileged command |
| `cat /etc/services` | View port numbers/services mappings |

Programs Installed:

| Command | Result |
| --- | --- |
| `dpkg -l` | Installed packages (Debian) |
| `rpm -qa` | Installed packages (Red Hat) |
| `sudo -V` | Sudo version – does an exploit exist? |
| `httpd -v` | Apache version |
| `apache2 -v` | As above |
| `apache2ctl -M` (or `apachectl -M`) | List loaded Apache modules |
| `mysql --version` | Installed MySQL version details |
| `perl -v` | Installed Perl version details |
| `java -version` | Installed Java version details |
| `python --version` | Installed Python version details |
| `ruby -v` | Installed Ruby version details |
| `find / -name %program_name% 2>/dev/null` (e.g. nc, netcat, wget, nmap etc) | Locate ‘useful’ programs (netcat, wget etc) |
| `which %program_name%` (e.g. nc, netcat, wget, nmap etc) | As above |

Common Shell Escape Sequences:

| Command | Program(s) |
| --- | --- |
| `:!bash` | vi, vim |
| `:set shell=/bin/bash` then `:shell` | vi, vim |
| `!bash` | man, more, less |
| `find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;` | find |
| `awk 'BEGIN {system("/bin/bash")}'` | awk |
| `--interactive` | nmap |
| `perl -e 'exec "/bin/bash";'` | Perl |
| `'/bin/sh -i'` | |
