Enumeration

LINUX

LinEnum.sh

Linux Exploit Suggester

BeRoot

Linux Exploit Suggester 2

Bashark

RootHelper

LinPEAS



WINDOWS

JAWS

BeRoot

winprivesc

WinEnum

Windows Exploit Suggester



LINUX PRIVESC & ENUM

Packet Captures:

Capture packets that contain a password

tcpdump -s 0 -A -n -l | egrep -i "POST /|pwd=|passwd=|password=|Host:"


Capture HTTP Request Info

sudo tcpdump -nn -A -s1500 -l | egrep -i 'User-Agent:|Host:'


Capture POST Requests

sudo tcpdump -s 0 -A -vv 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'


Capture Visited URLs:

sudo tcpdump -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"


Capture Cookies:

sudo tcpdump -nn -A -s0 -l | egrep -i 'Set-Cookie|Host:|Cookie:'


Capture Emails:

sudo tcpdump -nn -l port 25 | grep -i 'MAIL FROM\|RCPT TO'


Capture SNMP: 

sudo tcpdump -n -s0  port 161 and udp


Capture FTP Creds:

sudo tcpdump -nn -v port ftp or ftp-data


Capture DNS:

sudo tcpdump -i <interface> -s0 port 53

REFERENCE: https://hackertarget.com/tcpdump-examples/



Get Capabilities:

/sbin/getcap -r / 2>/dev/null



Get SUID Binaries:

find / -perm -u=s -type f 2>/dev/null
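The two commands above (getcap and the SUID find) produce raw lists that still have to be judged by hand. The following script is an added example, not part of these notes or any listed tool: it parses both outputs and flags capabilities that amount to root and setuid binaries outside an assumed baseline (the baseline set and the sample output are constructed; derive the real baseline from the distribution's package manifest).

```python
#!/usr/bin/env python3
# Audit getcap / SUID enumeration output against a baseline of expected results.
import re
import subprocess

# Constructed sample output in both getcap formats:
# libcap <= 2.41 prints "path = cap_x+ep", newer libcap prints "path cap_x=ep".
SAMPLE_GETCAP = """/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 cap_setuid=ep
/usr/sbin/arping cap_net_raw,cap_net_admin=ep
"""
SAMPLE_SUID = """/usr/bin/sudo
/usr/bin/passwd
/usr/local/bin/backup_tool
"""
# Capabilities that amount to root when granted to an interpreter or a writable binary.
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module",
              "cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner"}
# Assumed baseline of expected setuid binaries (constructed); build the real one per host.
SUID_BASELINE = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount",
                 "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/gpasswd"}

def parse_getcap(text):
    """Map each path to the set of capability names getcap reported for it."""
    result = {}
    for line in text.splitlines():
        line = line.strip().replace(" = ", " ")
        if not line:
            continue
        path, capspec = line.split(None, 1)
        names = (re.split(r"[=+-]", clause)[0] for clause in capspec.split())  # strip flag suffixes
        result[path] = {c for n in names for c in n.split(",") if c}
    return result

def flag_capabilities(caps_by_path):
    """Return sorted (path, capability) pairs whose capability is in RISKY_CAPS."""
    return sorted((p, c) for p, caps in caps_by_path.items() for c in caps & RISKY_CAPS)

def flag_suid(text, baseline=SUID_BASELINE):
    """Return setuid binaries from `find` output that are not in the expected baseline."""
    return sorted(p for p in (l.strip() for l in text.splitlines()) if p and p not in baseline)

if __name__ == "__main__":  # live mode: run the two commands from the notes and audit this host
    getcap_out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    suid_out = subprocess.run(["find", "/", "-perm", "-u=s", "-type", "f"],
                              capture_output=True, text=True).stdout
    for path, cap in flag_capabilities(parse_getcap(getcap_out)):
        print(f"RISKY CAPABILITY  {path}: {cap}")
    for path in flag_suid(suid_out):
        print(f"UNEXPECTED SUID   {path}")
```

On the sample data the script reports cap_setuid on the Python interpreter and the unknown setuid binary under /usr/local/bin; a non-empty report is what a periodic audit should alert on.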



Check Sudo Configuration:

sudo -l

cat /etc/sudoers



Check Open Files On Linux:

fuser <filename>

lsof <filename>



Check For Unmounted Disks On Linux:

ls /dev



Bash Port Scan:

for p in {1..65535}; do
    # a successful open of /dev/tcp/<ip>/$p means the port accepts connections;
    # stderr is discarded so refused ports stay quiet, open ports are appended to the file "scan"
    (echo > /dev/tcp/<ip>/$p) 2>/dev/null && echo "port $p is open" >> scan
done



Using Gateway Finder To Detect Rogue Gateways:

arp-scan -l | tee arp.txt

python gateway-finder.py -f arp.txt -i <public ip>



Mount VMDK File:

modprobe nbd max_part=8

qemu-nbd -r -c /dev/nbd2 <name>.vmdk

mount /dev/nbd2p1 /mnt