System Info

Hostname

The hostname can give away a lot of information, such as whether the system is a web server, a database server or a domain controller.

hostname

OS Details

Next we gather information about the operating system and kernel version:

cat /etc/issue
cat /etc/*-release
uname -a

Networking Information

The next step is to identify the IP addresses assigned to the system and the applications listening on its ports. Even if you have already conducted a port scan from outside the system, many processes listen only on the loopback address (127.0.0.1), so they are visible only from the host itself.

ip a
/sbin/route
ss -anp
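Separating loopback-only listeners from services exposed on all interfaces is the useful part of reading `ss` output, both for an attacker and for an administrator checking what a host actually exposes. The following is an added example, not part of the original page: it parses `ss -tlnp`-style output (a constructed sample is embedded so it runs offline; the processes, PIDs and ports are invented) and classifies each listening socket by the scope of its bind address.

```shell
#!/bin/sh
# Constructed sample of `ss -tlnp` output (assumption: the iproute2 column
# layout; process names, PIDs and ports are invented for illustration).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=940,fd=6))
LISTEN 0      128    [::1]:6379          [::]:*            users:(("redis-server",pid=1010,fd=7))
LISTEN 0      4096   [::]:9090           [::]:*            users:(("prometheus",pid=1500,fd=9))'

# classify_listeners: reads `ss -tlnp` output on stdin and prints one line per
# listening socket as "<scope> <port> <process>", where scope is "loopback"
# (127.0.0.0/8 or ::1), "all" (0.0.0.0, * or ::) or "specific" (one address).
classify_listeners() {
    awk 'NR > 1 && $1 == "LISTEN" {
        addr = $4
        # the port is everything after the last colon; the rest is the host
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        gsub(/\[|\]/, "", host)
        if (host ~ /^127\./ || host == "::1") scope = "loopback"
        else if (host == "0.0.0.0" || host == "*" || host == "::") scope = "all"
        else scope = "specific"
        # first quoted string in the Process column is the program name
        proc = "-"
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        print scope, port, proc
    }'
}

# exposed_listeners: sockets reachable from other hosts (anything not loopback)
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback"'
}

# loopback_only: sockets an external port scan would never have shown
loopback_only() {
    classify_listeners | awk '$1 == "loopback"'
}

# Demo on the constructed sample; on a live system pipe `ss -tlnp` in instead.
printf '%s\n' "$SAMPLE_SS" | classify_listeners
```

On a real host, replace the sample with `ss -tlnp | classify_listeners` (add `-u` for UDP sockets). The "loopback" lines are the services that only a local user can reach, which is exactly the gap between an external port scan and the local view; the "all" lines are what a firewall review should be comparing against the rule set.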

Firewalls & Access Permissions

Firewall rules are a crucial part of privilege escalation: a service that is not reachable from a remote host because of the firewall rules may well be reachable locally. Knowing the rules also helps with tunnelling and port forwarding when furthering the attack within the network.

On Linux, listing the iptables rules requires root privileges, so an unprivileged user cannot read the rules directly. However, we may be able to piece information together from files and command history left around on the system, for example under the /etc directory.

cd /etc/iptables/

Look for firewall rule files that may have been left around with weak permissions.

history | grep "iptables-save"

If a user has run iptables-save with its output redirected to a file, the firewall rules will have been dumped into the file named in that command.
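The two checks above (rule files with weak permissions, and iptables-save dumps recorded in shell history) are just as useful as a hardening audit. The following is an added example, not part of the original page: it reports rule files readable by group or others and resolves the output path of every `iptables-save > file` command in a history file. It builds a throwaway directory with constructed files so it runs offline; the paths and history lines are invented for the demo, and "weak" is assumed to mean the group-read or other-read bit is set.

```shell
#!/bin/sh
# Hardening check for firewall rule dumps left readable by non-root users.
# Assumptions: rule files are written by iptables-save (or kept under
# /etc/iptables), and "weak" means mode bits g+r (040) or o+r (004) set.

# weak_rule_files DIR: print every regular file under DIR that is readable
# by group or other.
weak_rule_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# dump_targets HISTFILE: print the output paths of `iptables-save > path`
# (or >> path) commands recorded in a shell history file.
dump_targets() {
    grep -E 'iptables-save[^>]*>>?' "$1" 2>/dev/null |
        sed -E 's/.*iptables-save[^>]*>>?[[:space:]]*([^[:space:];&|]+).*/\1/' |
        sort -u
}

# audit_dumps HISTFILE: for every dump target found in the history, report
# "weak <path>", "ok <path>" or "missing <path>".
audit_dumps() {
    dump_targets "$1" | while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            echo "missing $path"
        elif [ -n "$(find "$path" -maxdepth 0 \( -perm -040 -o -perm -004 \))" ]; then
            echo "weak $path"
        else
            echo "ok $path"
        fi
    done
}

# --- constructed demo environment (temporary files, not real system files) ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/iptables"
: > "$DEMO/etc/iptables/rules.v4"; chmod 600 "$DEMO/etc/iptables/rules.v4"
: > "$DEMO/etc/iptables/rules.v6"; chmod 644 "$DEMO/etc/iptables/rules.v6"
: > "$DEMO/fw-backup.rules";       chmod 644 "$DEMO/fw-backup.rules"
printf '%s\n' \
    'sudo iptables -L -n' \
    "iptables-save > $DEMO/fw-backup.rules" \
    "iptables-save > $DEMO/not-there.rules; ls" \
    > "$DEMO/bash_history"

echo "Group/world-readable rule files under $DEMO/etc/iptables:"
weak_rule_files "$DEMO/etc/iptables"
echo "iptables-save targets recorded in history:"
audit_dumps "$DEMO/bash_history"
```

On a real host the calls would be `weak_rule_files /etc/iptables` and `audit_dumps ~/.bash_history` (or each user's history file, when auditing as root). Anything reported as "weak" should be restricted with `chmod 600`, since a readable rule dump tells a local user exactly which ports are only filtered, not closed.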

Device Drivers & Kernel Modules

Just as applications and services can be susceptible to exploits, device drivers and kernel modules can contain exploitable flaws.

lsmod

Once we have the list of loaded modules from the above command, we can gather more specific information about a module (version, source tree status, signer) with modinfo:

/sbin/modinfo libata
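Running modinfo on every loaded module by hand does not scale, and from a defender's side the interesting fields are `intree:` (whether the module comes from the kernel source tree) and `signer:` (whether it carries a module signature), since an unsigned out-of-tree module is the first thing to explain in a compromise investigation. The following is an added example, not part of the original page: it summarises modinfo output per module and flags the ones that are out-of-tree or unsigned. A constructed modinfo transcript is embedded so it runs offline (the kernel version, paths and the out-of-tree module are invented for the demo); the `live_module_report` function shows how to feed it real `lsmod`/`modinfo` output.

```shell
#!/bin/sh
# Constructed sample of `modinfo` output for three modules (assumption: the
# kmod field layout, one "field:  value" per line, a new module starting at
# each "filename:" line; paths, version and the out-of-tree module are invented).
SAMPLE_MODINFO='filename:       /lib/modules/6.1.0-demo/kernel/drivers/ata/libata.ko
license:        GPL
description:    Library module for ATA devices
intree:         Y
name:           libata
vermagic:       6.1.0-demo SMP mod_unload
signer:         Build time autogenerated kernel key
filename:       /lib/modules/6.1.0-demo/extra/vboxdrv.ko
license:        GPL
intree:         N
name:           vboxdrv
vermagic:       6.1.0-demo SMP mod_unload
filename:       /lib/modules/6.1.0-demo/kernel/net/netfilter/nf_tables.ko
license:        GPL
intree:         Y
name:           nf_tables
vermagic:       6.1.0-demo SMP mod_unload
signer:         Build time autogenerated kernel key'

# module_trust_summary: reads modinfo output on stdin and prints one line per
# module as "<name> <intree Y/N/?> <signed|unsigned>".
module_trust_summary() {
    awk '
        function flush() {
            if (name != "") print name, intree, (signer == "" ? "unsigned" : "signed")
        }
        $1 == "filename:" { flush(); name = ""; intree = "?"; signer = "" }
        $1 == "name:"     { name = $2 }
        $1 == "intree:"   { intree = $2 }
        $1 == "signer:"   { signer = $2 }
        END { flush() }
    '
}

# untrusted_modules: names of modules that are out-of-tree or unsigned
untrusted_modules() {
    module_trust_summary | awk '$2 != "Y" || $3 != "signed" { print $1 }'
}

# live_module_report: same summary for every currently loaded module.
# Not invoked here; run it on a real host to compare against an allow-list.
live_module_report() {
    lsmod | awk 'NR > 1 { print $1 }' | xargs /sbin/modinfo 2>/dev/null | module_trust_summary
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_MODINFO" | module_trust_summary
echo "Modules to review (out-of-tree or unsigned):"
printf '%s\n' "$SAMPLE_MODINFO" | untrusted_modules
```

An out-of-tree or unsigned module is not proof of anything by itself (DKMS-built drivers such as virtualisation or GPU modules are legitimately out-of-tree), so the output is meant to be diffed against a known-good baseline for the host; a module that appears in `lsmod` but has no file under /lib/modules at all is the case that warrants immediate attention.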
