2. Manual Enumeration

System awareness:

Enumerate user and groups:

id

Enumerate all users:

cat /etc/passwd

Which users exist can tell something about which services are available, such as user "www-data" for Apache, and "sshd" for SSH
System services users often have home folders as /usr/sbin/nologin to block any login for that account

Hostname:

hostname

System info:

uname -a

cat /etc/issue

cat /etc/os-release

Mountable drives:

#Drives mounted at boot (may not include user-created scripts):
cat /etc/fstab

#All mounted filesystems:
mount

#List all available disks:
lsblk

Running processes:

ps aux

TCP/IP configuration:

ip a

ifconfig

Network routing tables:

ip route

route

routel

Active network connections and listening ports:

ss -anp

netstat -anp

Listening ports:

netstat -tulnp

Installed applications:

Debian distros use dpkg and Redhat uses rpm

#Debian:
dpkg -l

Kernel modules:

#List loaded kernel modules:
lsmod

#Inspect specific module:
/sbin/modinfo <modulename>

AppArmor status:

aa-status

Firewall enumeration:

iptables requires root user
However, specific rule files under /etc/iptables are used to restore netfilter rules at boot, which often have weaker permissions
Also, files created by the iptables-save command can be searched

cat /etc/iptables/*

Cronjobs:

# Cronjobs for all users
ls -lah /etc/cron*

#User-created cronjobs for the current user
crontab -l

#Running cronjobs:
grep "CRON" /var/log/syslog
cat /var/log/cron.log

If let use sudo to list root cronjobs as well

Writable directories & files:

Writable directories:

find / -writable -type d 2>/dev/null

Writable files:

find / -writable -type f 2>/dev/null | grep -v proc | grep -v gnupg

SUID binaries:

SUID-marked binaries:

find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 2>/dev/null

Privilege escalation resources:

root         854  0.0  1.7 2528964 35092 ?       Ssl  18:44   0:00 java -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y /opt/stats/App.java