Enumeración

Aquí vamos a identificar y comprobar permisos, configuraciones, procesos corriendo... Cualquier cosa que pueda darnos una vía para posteriormente escalar privilegios, ya sea accediendo como root, ejecutando comandos con los permisos de éste, elevando los permisos de nuestro usuario, etc...

Listar servicios corriendo como root

ps aux | grep root

Listar servicios corriendo como root , permiso, y exports NFS

echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

Listar conexiones en la máquina y servicios a la escucha asignados a puertos

netstat -putona

Configuración de red

/sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/sysconfig/network; cat /etc/networks; iptables -L; hostname; dnsdomainname

Listar programas con el SUID activado (que se ejecuten con permisos de root)

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \\; 2>/dev/null
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

Listar tareas programados

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny

Listar variables de entorno

env
export
cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set

Listar impresoras

lpstat -a

Listar aplicaciones instaladas

ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archivesO; ls -alh /var/cache/yum/*;

Listar archivos de configuración con permisos de escritura (directorio /etc/)

/find /etc/ -writable -type f 2>/dev/null

Listar servicios mal configurados

cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.r./'

Buscar contraseñas/usuarios hardcodeados• grep -i user [filename]

grep -i pass [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
grep -C 5 "password" [filename]

Buscar otros usuarios

id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l

Listar superusuarios

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
awk -F: '($3 == "0") {print}' /etc/passwd

Listar directorios /home/ de otros usuarios

ls -ahlR /root/; ls -ahlR /home/

Contenido del histórico del usuario

cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history

Contenido de mails de usuarios

cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root

Búsqueda de aplicaciones de interés (para futuras operaciones) (WGET, NC/NetCat, FTP)

find / -name wget; find / -name nc*; find / -name netcat*; find / -name tftp*; find / -name ftp

Listar unidades de disco / sistemas de archivo montados en la máquina

mount; df -h; cat /etc/fstab

Listar carpetas con permisos de lectura, escritura y ejecución globales

echo "world-writeable folders"; find / -writable -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -o w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o x -type d 2>/dev/null; echo "world-writeable & executable folders"; find / \\( -perm -o w -perm -o x \\) -type d 2>/dev/null;

Ficheros donde buscar claves privadas de SSH

~/.ssh/authorized_keys
~/.ssh/identity.pub
~/.ssh/identity
~/.ssh/id_rsa.pub
~/.ssh/id_rsa
~/.ssh/id_dsa.pub
~/.ssh/id_dsa
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_key

Búsqueda de información en logs de interés

~/.ssh/authorized_keys
/etc/httpd/logs/access.log/
etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/auth.log
/var/log/chttp.log
/var/log/cups/error_log
/var/log/dpkg.log
/var/log/faillog
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/messages
/var/log/secure
/var/log/syslog
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/run/utmp
/var/webmin/miniserv.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/lib/dhcp3/
/var/log/postgresql/
/var/log/proftpd/
/var/log/samba/

PreviousLinux NextElevación de Privilegios

Last updated 1 year ago

Was this helpful?

echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

find / -user root -perm -4000 -print 2>/dev/null find / -perm -u=s -type f 2>/dev/null find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \\; 2>/dev/null find / -perm -1000 -type d 2>/dev/null find / -perm -g=s -type f 2>/dev/null

crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny

cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.r./'

echo "world-writeable folders"; find / -writable -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writeable folders"; find / -perm -o w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o x -type d 2>/dev/null; echo "world-writeable & executable folders"; find / \$ -perm -o w -perm -o x \$ -type d 2>/dev/null;

~/.ssh/authorized_keys ~/.ssh/identity.pub ~/.ssh/identity ~/.ssh/id_rsa.pub ~/.ssh/id_rsa ~/.ssh/id_dsa.pub ~/.ssh/id_dsa /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_key.pub /etc/ssh/ssh_host_key

~/.ssh/authorized_keys /etc/httpd/logs/access.log/ etc/httpd/logs/error_log /etc/httpd/logs/error.log /var/log/apache2/access_log /var/log/apache2/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/auth.log /var/log/chttp.log /var/log/cups/error_log /var/log/dpkg.log /var/log/faillog /var/log/httpd/access_log /var/log/httpd/access.log /var/log/httpd/error_log /var/log/httpd/error.log /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/messages /var/log/secure /var/log/syslog /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/run/utmp /var/webmin/miniserv.log /var/www/logs/access_log /var/www/logs/access.log /var/lib/dhcp3/ /var/log/postgresql/ /var/log/proftpd/ /var/log/samba/