> For the complete documentation index, see [llms.txt](https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking-concepts/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking-concepts/privilege-escalation/linux/enumeration.md). # Enumeration ## Basic enumeration commands (Linux) 1. `hostname` 2. `uname -a` 3. Files to view with the `cat` command a) **/proc/version** b) **/etc/issue** c) **/etc/passwd** and **/etc/shadow** * Readable **/etc/shadow** file * Writable **/etc/passwd** and **/etc/shadow** ```bash # rx /etc/passwd $ ls -l /etc/passwd -rw-r--r-x 1 root shadow xxxx xxx xx xxxx /etc/passwd # rx /etc/shadow $ ls -l /etc/shadow -rw-r--r-x 1 root shadow xxxx xxx xx xxxx /etc/shadow ``` 4. `env` 5. `id` Suppose a user is in the ***adm*** group. This user will be able to read the log files present in the `/var/log` or other related folder: Practical example: ```bash $ id ... ...(adm) $ cd /var/log /var/log$ less syslog ``` 4. `history` 5. `sudo -l` > The target system may be configured to allow users to run some (or all) commands with root privileges. The `sudo -l` command can be used to list all commands your user can run using `sudo` 8. `find` a) Files with SUID bit: ```bash $ find / -perm -u=s -type f 2>/dev/null # SUID bit and writable by current user $ find / -perm -u=s -writable -user $(whoami) -type f 2>/dev/null # SUID bit and writable by others find / -perm -u=s -perm 002 -type f 2>/dev/null ``` b) Files with SGID bit: ```bash $ find / -perm -g=s-type f 2>/dev/null # SGID bit and the group is root $ find / -perm -g=s -group root -type f 2>/dev/null ``` c) Files with certain permission * `0777`: readable, writable and executable by all users * `003`: writable and executable by `others`. Ignoring permissions for `owner` and `group` * `/001`: atleast executable permissions for others

# both the commands below are the same
$ find / -perm 777 -type f 2>/dev/null
$ find / -perm 0777 -type f 2>/dev/null

# eg. files with write and execute (wx) permissions for "others"
$ find / -perm 003 -type f 2>/dev/null

# eg. similar to above, but with folders/dirs instead
$ find / -perm 003 -type d 2>/dev/null

# eg. atleast executable by others
$ find / -perm /001 -type f 2>/dev/null

**Find world-writable folders** ```bash $ find / -writable -type d 2>/dev/null $ find / -perm -222 -type d 2>/dev/null $ find / -perm -o x -type d 2>/dev/null ``` **Find world-executable folders** ```bash $ find / -executable -type d 2>/dev/null $ find / -perm -111 -type d 2>/dev/null $ find / -perm -o x -type d 2>/dev/null ``` #### Files to look out for 1. Writable `/etc/fstab` () 2. Writable `/etc/systemd/system` , `/lib/systemd/services`, `/usr/lib/systemd/system`, `/run/systemd/system` (systemd services) and other similar directories ### Automated tools * LinPeas: * LinEnum: * LES (Linux Exploit Suggester): * Linux Smart Enumeration: * Linux Priv Checker: {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jarrettgxz-sec.gitbook.io/penetration-testing-ethical-hacking-concepts/privilege-escalation/linux/enumeration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.