☝️Initial Enumeration
Understanding Your Target
During a penetration test or security audit, gaining a solid understanding of the target system is crucial. Initial enumeration involves collecting valuable information about the system, users, network, and potential vulnerabilities. Here are some beginner-friendly commands to assist you in this phase:
System Information
1. uname -a
uname -aDisplays system information, including the kernel version.
2. hostname
hostnameReveals the host or machine name.
3. cat /proc/version
cat /proc/versionShows detailed kernel and version information.
4. cat /etc/issue
cat /etc/issueProvides distribution-specific information.
5. lscpu
lscpuDisplays CPU information.
6. ps aux
ps auxLists all running processes, providing insights into active applications.
7. ss -lntp
7. ss -lntplist listening network sockets along with their associated processes on a Linux system.
User Enumeration
7. whoami
whoamiIdentifies the current user.
8. id
idProvides information about the user and group.
9. sudo -l
sudo -lLists the commands the current user can execute with sudo privileges.
10. cat /etc/passwd
cat /etc/passwdDisplays information about user accounts.
11. cat /etc/shadow
cat /etc/shadowShows encrypted password information.
12. cat /etc/group
cat /etc/groupLists information about groups.
13. history
historyDisplays command history, revealing recent activities.
Mindset Tip: Understand who you are on the system, the system's architecture, your sudo privileges, and review command history for insights.
Network Enumeration
14. ip a
ip aShows information about network interfaces.
15. ip route
ip routeDisplays the routing table.
16. ip neigh
ip neighLists ARP cache entries, revealing connected devices.
17. netstat -ano
netstat -anoProvides network statistics and active connections.
Password Hunting
18. grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/nullSearches for sensitive information like passwords.
19. locate password | more
locate password | moreLocates files containing the term "password."
20. locate pass | more
locate pass | moreLocates files containing the term "pass."
21. find / -name authorized_keys
find / -name authorized_keysSearches for SSH authorized keys.
22. find / -name id_rsa > /dev/null
find / -name id_rsa > /dev/nullSearches for private SSH keys.
Remember, initial enumeration sets the stage for deeper analysis and exploitation. Use these commands responsibly and ethically in alignment with your testing goals. Happy hunting! 🕵️♂️🔍
Last updated