As with Windows, there are many tools and local Linux commands you can use to enumerate information. For example, once you compromise a Linux machine in Metasploit, you can use the post/linux/enum_system module to get information about the system. Additional enumeration modules include:
- enum_configs
- enum_network
- enum_protections
- enum_users_history
You can also use nmap -O or -sV scans to fingerprint the operating system and interrogate its services. If the Linux host is running the Samba service, you can use nmap smb-* NSE scripts and rpcclient commands against the target. For example:
nmap -O 192.168.1.20
nmap -sV 192.168.1.20
nmap --script=smb-os-discovery 192.168.1.20
rpcclient -U "" 192.168.1.20
If you prefer to use built-in Bash commands, there is a very wide range to choose from. The following table lists just a few you can choose from. Some require root privilege. If you receive a "Permission denied" error, start the command with sudo and supply the root password when prompted.
Note: Commands may vary between Linux distributions.
Local Linux Bash Command | Result |
uname -a | Show all available system information. |
hostname | Show computer host name. |
route | Show route table. |
arp | Show ARP cache. |
ifconfig | Show interface configuration, including IP address. |
netstat -antp | Show TCP listening ports and socket status. |
netstat -anup | Show UDP listening ports and socket status. |
iptables -L | Display any firewall rules. |
mount | Show mounted storage devices or file systems. |
dpkg -l | List all packages installed on the system. |
apache2 -v | List information about Apache2 web server. |
mysql --version | List information about MySQL. |
df -a | Show disk information. |
cat /etc/*-release | Show distribution information. |
cat /proc/cpuinfo | Show information about the CPU. |
cat /etc/resolv.conf | List DNS servers host is using. |
cat /etc/network/interfaces | List interface IP configuration. |
cat /etc/passwd | List all users on the system. |
cat /etc/group | List all groups on the system. |
cat /etc/shadow | Show user hashes (privileged command). |
users | List currently logged in users. |
w | List currently logged in users and their processes. |
lastlog | Show when all users last logged in. |
whoami | Show current user name. |
id | Show current user information. |
sudo -l | List programs current user can run as root. |
find | head | Find all files in the current directory and sub-directories. |
find / -iname *.txt | Find all txt files (case insensitive) in /. |
find / -type f -exec grep -l "password" {} \; | List file names containing the word "password". |
find . -type f -name ".*" | Find all hidden files. |