Linux Enumeration


Once access is established, the next step is typically to enumerate the system: learn what is present, which resources are accessible and what the attack surface looks like.

This page details several of the most popular Linux scripts that automate this task. In CTF events these scripts can provide quick, useful information; in a real-world engagement, however, be aware that they create a lot of “noise.” Even so, they can serve as a foundation for building customized scripts.

Linux Smart Enumeration (LSE)

Linux enumeration tools for pentesting and CTFs

Project Page: https://github.com/diego-treitos/linux-smart-enumeration

The LSE project was inspired by https://github.com/rebootuser/LinEnum and uses many of its tests. Unlike LinEnum, lse tries to gradually expose the information depending on its importance from a privesc point of view.

Use: ./lse.sh [options]

 OPTIONS
  -c           Disable color
  -i           Non interactive mode
  -h           This help
  -l LEVEL     Output verbosity level
                 0: Show highly important results. (default)
                 1: Show interesting results.
                 2: Show all gathered information.
  -s SELECTION Comma separated list of sections or tests to run. Available
               sections:
                 usr: User related tests.
                 sud: Sudo related tests.
                 fst: File system related tests.
                 sys: System related tests.
                 sec: Security measures related tests.
                 ret: Recurren tasks (cron, timers) related tests.
                 net: Network related tests.
                 srv: Services related tests.
                 pro: Processes related tests.
                 sof: Software related tests.
                 ctn: Container (docker, lxc) related tests.
                 cve: CVE related tests.
               Specific tests can be used with their IDs (i.e.: usr020,sud)
  -e PATHS     Comma separated list of paths to exclude. This allows you
               to do faster scans at the cost of completeness
  -p SECONDS   Time that the process monitor will spend watching for
               processes. A value of 0 will disable any watch (default: 60)
  -S           Serve the lse.sh script in this host so it can be retrieved
               from a remote host.

Proof of concept on how to get LSE on a remote system:

RootHelper

Project Page: https://github.com/NullArray/RootHelper

RootHelper aids in the process of privilege escalation on a Linux system that has been compromised. The latest version totals eleven scripts, covering enumeration, exploit suggestion and exploit deployment; RootHelper ensures you have access to the best tools for the job.

SUID3NUM

Project Page: https://github.com/Anon-Exploiter/SUID3NUM

A standalone script, supporting both Python 2 and Python 3, that finds all SUID binaries on a machine or CTF box and does the following:

  • List all default SUID binaries (those which ship with Linux and aren’t exploitable)
  • List all custom binaries (those which don’t ship with packages or a vanilla installation)
  • List all custom binaries found in GTFOBins (this is where things get interesting)
  • Print the binaries and how they can be exploited (in case they create files on the machine)
  • Try to exploit the custom SUID binaries found, in ways that won’t impact the machine’s files
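The default-versus-custom split in the first two bullets, as an added example in Python (not SUID3NUM's own code): it walks a tree for regular files with the setuid bit and compares them against a baseline. `DEFAULT_SUID` is a constructed placeholder; a real audit would derive the baseline from the package manager or a golden image. `demo()` builds a throwaway tree under a temp directory so the example runs offline.

```python
"""Find setuid binaries under a directory tree and split them into
package-shipped ("default") and unexpected ("custom") ones against a baseline.

Added example for this page, not SUID3NUM's own code. DEFAULT_SUID is a
constructed placeholder baseline, not any distribution's real default set."""
import os
import stat
import sys
import tempfile

# Constructed baseline: SUID binaries expected to be present on this build.
DEFAULT_SUID = frozenset({
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh",
})


def find_suid(root):
    """Return sorted absolute paths of regular files under root with the setuid
    bit set. lstat is used so symlinks are not followed, and entries that cannot
    be stat'ed (permission denied, raced deletions) are skipped rather than
    aborting the walk."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def classify(paths, baseline=DEFAULT_SUID, strip_prefix=""):
    """Split paths into (default, custom) by membership in baseline.
    strip_prefix lets a scan of a mounted image or test tree be compared
    against baseline entries written relative to /."""
    default, custom = [], []
    for path in paths:
        logical = path[len(strip_prefix):] if strip_prefix and path.startswith(strip_prefix) else path
        (default if logical in baseline else custom).append(logical)
    return default, custom


def demo():
    """Build a constructed tree in a temp dir, mark some files setuid, and
    classify what the scan finds. Returns (default, custom)."""
    sample = {            # relative path -> setuid?  (constructed sample)
        "usr/bin/passwd": True, "usr/bin/sudo": True,
        "usr/bin/ls": False, "usr/local/bin/backup-helper": True,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, is_suid in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, 0o4755 if is_suid else 0o755)
        return classify(find_suid(root), strip_prefix=root)


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    known, unexpected = classify(find_suid(scan_root))
    print(f"{len(known)} baseline SUID binaries, {len(unexpected)} unexpected:")
    for path in unexpected:
        print("  ", path)
```

Run it as root against `/` (or against a mounted image with `strip_prefix` set to the mount point) and review the `custom` list; anything there that is not accounted for by an installed package deserves a closer look, which is exactly the list the third and fourth bullets above go on to examine.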

uptux

Project Page: https://github.com/initstring/uptux

Specialized privilege escalation checks for Linux systems.

Implemented so far:

  • Writable systemd paths, services, timers, and socket units
    • Disassembles systemd unit files looking for:
      • References to executables that are writable
      • References to broken symlinks pointing to writable directories
      • Relative path statements
      • Unix socket files that are writable (sneaky APIs)
  • Writable D-Bus paths
  • Overly permissive D-Bus service settings
  • HTTP APIs running as root and responding on file-bound Unix domain sockets
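The systemd unit-file checks in the list above, as an added example in Python that is not uptux's own code: it extracts the executable from each Exec* directive, flags relative paths, executables that non-root users can modify, and missing targets (such as a dangling symlink) whose directory is writable, and checks the unit file itself. The `writable_by_non_root` heuristic, the fake filesystem in `demo()` and every path, mode and owner in it are constructed for the example; the D-Bus and Unix-socket checks are not covered here.

```python
"""Audit systemd unit files for: a unit file non-root users can modify, Exec*
directives pointing at executables non-root users can modify, Exec* targets
that are missing (e.g. a dangling symlink) inside a writable directory, and
relative executable paths. Added example for this page, not uptux's own code.
Filesystem access goes through pluggable stat/realpath callables so demo()
runs against a constructed fake tree; __main__ runs on real unit files."""
import glob
import os
import shlex
import stat
from collections import namedtuple

EXEC_DIRECTIVES = {"ExecStart", "ExecStartPre", "ExecStartPost",
                   "ExecReload", "ExecStop", "ExecStopPost"}
EXEC_PREFIX_CHARS = "@-:+!"   # systemd modifiers allowed before the executable
FileInfo = namedtuple("FileInfo", "st_mode st_uid st_gid")   # minimal stat result

def exec_paths(unit_text):
    """Yield (directive, executable) for every non-empty Exec* line."""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in EXEC_DIRECTIVES or not value:   # "ExecStart=" resets
            continue
        argv = shlex.split(value)
        exe = argv[0].lstrip(EXEC_PREFIX_CHARS) if argv else ""
        if exe:
            yield key, exe

def writable_by_non_root(st):
    """Heuristic: world-writable, group-writable by a non-root group, or owned
    by a non-root user (who can always chmod and rewrite the file)."""
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return True
    return st.st_uid != 0

def _stat(stat_fn, path):
    """stat_fn(path), or None when the path is missing or unreadable."""
    try:
        return stat_fn(path)
    except OSError:
        return None

def audit_unit(unit_path, unit_text, stat_fn=os.stat, realpath_fn=os.path.realpath):
    """Return a list of (finding, detail) tuples for one unit file."""
    findings = []
    st = _stat(stat_fn, unit_path)
    if st is not None and writable_by_non_root(st):
        findings.append(("writable-unit", unit_path))
    for directive, exe in exec_paths(unit_text):
        if not exe.startswith("/"):
            # Resolved through a search path at runtime; whoever controls an
            # earlier directory in that path controls what runs.
            findings.append(("relative-path", f"{directive}={exe}"))
            continue
        target = realpath_fn(exe)        # a dangling symlink resolves to a missing path
        st = _stat(stat_fn, target)
        if st is None:                   # missing target: is its directory writable?
            parent = _stat(stat_fn, os.path.dirname(target) or "/")
            if parent is not None and writable_by_non_root(parent):
                findings.append(("missing-in-writable-dir", target))
        elif writable_by_non_root(st):
            findings.append(("writable-exec", target))
    return findings

def demo():
    """audit_unit over a constructed unit and fake filesystem (all paths,
    modes and owners here are invented for the example)."""
    fake_fs = {
        "/etc/systemd/system/backup.service": FileInfo(0o100664, 0, 0),  # root:root: fine
        "/usr/local/bin/backup.sh": FileInfo(0o100777, 0, 0),            # world-writable
        "/opt/app": FileInfo(0o040755, 1000, 1000),                      # owned by uid 1000
    }
    links = {"/usr/local/bin/agent": "/opt/app/agent"}   # dangling symlink into /opt/app

    def fake_stat(path):
        if path not in fake_fs:
            raise FileNotFoundError(path)
        return fake_fs[path]

    unit_text = ("[Service]\n"
                 "ExecStart=/usr/local/bin/backup.sh --daily\n"
                 "ExecStartPre=-/usr/local/bin/agent --check\n"
                 "ExecReload=systemctl kill -s HUP backup.service\n"
                 "ExecStop=\n")
    return audit_unit("/etc/systemd/system/backup.service", unit_text,
                      stat_fn=fake_stat, realpath_fn=lambda p: links.get(p, p))

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:] or sorted(glob.glob("/etc/systemd/system/*.service")):
        with open(path, errors="replace") as fh:
            for kind, detail in audit_unit(path, fh.read()):
                print(f"{path}: {kind}: {detail}")
```

`demo()` reports the world-writable `ExecStart` target, the dangling `ExecStartPre` link whose directory a non-root user owns, and the relative `ExecReload` command, while the root-owned unit file itself is left unflagged. Pass unit paths on the command line to run the same checks against a real host, and treat the heuristic as a triage aid: group membership and ACLs can widen or narrow what it reports.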