# Enumeration

Here we identify and check permissions, configurations, running processes and anything else that could later give us a path to privilege escalation, whether by gaining access as root, running commands with root's permissions, raising our own user's privileges, and so on.

List services running as root

```bash
ps aux | grep root
```

List services running as root, their permissions, and NFS exports

{% code overflow="wrap" %}

```bash
echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
```

{% endcode %}

List connections on the machine and listening services bound to ports

```bash
netstat -putona
```

Network configuration

{% code overflow="wrap" %}

```bash
/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/networks; iptables -L; hostname; dnsdomainname
```

{% endcode %}

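List programs with the SUID bit set (which run with root's permissions)

```bash
# SUID files owned by root
find / -user root -perm -4000 -print 2>/dev/null
# SUID files (any owner)
find / -perm -u=s -type f 2>/dev/null
# SGID or SUID entries (symlinks excluded), at most 6 levels deep
find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
# Directories with the sticky bit set
find / -perm -1000 -type d 2>/dev/null
# SGID files
find / -perm -g=s -type f 2>/dev/null
```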
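
A defensive counterpart to the listing above, as an added example that is not part of the original page: the function below inventories setuid/setgid files under a tree and reports drift against an approved baseline. The `suid_drift` name and the baseline file format (one absolute path per line, `#` comments allowed) are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original page): report drift between the
# setuid/setgid files found under a tree and an approved baseline.
# BASELINE format (an assumption of this example): one absolute path per
# line; blank lines and lines starting with '#' are ignored.

suid_drift() {  # usage: suid_drift ROOT BASELINE
    sd_root=$1
    sd_base=$2
    sd_tmp=$(mktemp -d) || return 2

    # Current inventory: regular files with the setuid (4000) or setgid (2000)
    # bit. -xdev stays on the filesystem ROOT lives on, so run the function
    # once per mounted filesystem to cover them all.
    find "$sd_root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | LC_ALL=C sort -u > "$sd_tmp/current"

    # Approved list with comments and blank lines stripped.
    grep -Ev '^[[:space:]]*(#|$)' "$sd_base" | LC_ALL=C sort -u > "$sd_tmp/approved"

    # comm needs both inputs sorted in the same collation, hence LC_ALL=C.
    # -13 keeps lines only in "current"; -23 keeps lines only in "approved".
    LC_ALL=C comm -13 "$sd_tmp/approved" "$sd_tmp/current" | sed 's/^/UNEXPECTED /'
    LC_ALL=C comm -23 "$sd_tmp/approved" "$sd_tmp/current" | sed 's/^/MISSING /'

    # A setuid/setgid file that group or others can modify is a finding
    # regardless of what the baseline says.
    find "$sd_root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | sed 's/^/WRITABLE /'

    rm -rf "$sd_tmp"
}

# Example invocation (the baseline path is hypothetical):
#   suid_drift / /etc/security/suid.baseline
```

`UNEXPECTED` lines are files that gained the bit since the baseline was approved, and `MISSING` lines are approved entries that no longer carry it or no longer exist.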

List scheduled tasks

{% code overflow="wrap" %}

```bash
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny
```

{% endcode %}

List environment variables

{% code overflow="wrap" %}

```
env
export
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
```

{% endcode %}

List printers

```
lpstat -a
```

List installed applications

```
ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archives; ls -alh /var/cache/yum/*
```

List writable configuration files (in the /etc/ directory)

```
find /etc/ -writable -type f 2>/dev/null
```

List misconfigured services

{% code overflow="wrap" %}

```
cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.cnf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.r./'
```

{% endcode %}

Search for hardcoded passwords/usernames

```
grep -i user [filename]
grep -i pass [filename]
# Single quotes stop the shell from expanding $password before grep sees it
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var \$password'
grep -C 5 "password" [filename]
```

Look for other users

{% code overflow="wrap" %}

```
id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l
```

{% endcode %}

List superusers

```
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
awk -F: '($3 == "0") {print}' /etc/passwd
```

List the /home/ directories of other users

```
ls -ahlR /root/; ls -ahlR /home/
```

Contents of the user's history files

{% code overflow="wrap" %}

```bash
cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
```

{% endcode %}

Contents of users' mail

```bash
cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root
```

Search for applications of interest (for later operations) (WGET, NC/NetCat, FTP)

{% code overflow="wrap" %}

```bash
find / -name wget; find / -name 'nc*'; find / -name 'netcat*'; find / -name 'tftp*'; find / -name ftp
```

{% endcode %}

List disk drives / file systems mounted on the machine

```bash
mount; df -h; cat /etc/fstab
```

List directories with global read, write and execute permissions

{% code overflow="wrap" %}

```bash
echo "world-writeable folders"; find / -writable -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -o+w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o+x -type d 2>/dev/null; echo "world-writeable & executable folders"; find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null
```

{% endcode %}

Files to check for SSH private keys

```
~/.ssh/authorized_keys
~/.ssh/identity.pub
~/.ssh/identity
~/.ssh/id_rsa.pub
~/.ssh/id_rsa
~/.ssh/id_dsa.pub
~/.ssh/id_dsa
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key
```

Logs of interest to search for information

```
~/.ssh/authorized_keys
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/auth.log
/var/log/chttp.log
/var/log/cups/error_log
/var/log/dpkg.log
/var/log/faillog
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/messages
/var/log/secure
/var/log/syslog
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/run/utmp
/var/webmin/miniserv.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/lib/dhcp3/
/var/log/postgresql/
/var/log/proftpd/
/var/log/samba/
```

