什么用户，哪个用户登录，还有哪些用户，他们能做什么

• id
• who
• whoami
• w
• last
• cat /etc/passwd |cut -d: -f1 列出所有用户
• grep -v -e "^#" /etc/passwd | awk -F: '1}' 列出超级用户
• awk -F: '($3 == "0") {print}' /etc/passwd 列出超级用户
• cat /etc/sudoers
• sudo -l

能否找到一些敏感信息

• cat /etc/passwd
• cat /etc/group
• cat /etc/shadow
• ls -alh /var/mail/

查看家目录是否含有，有价值的信息

• ls -alhR /root/
• ls -alhR /home/

是否含有密码，脚本，数据库，配置文件，日志文件，默认路径，本地密码等信息

• cat /var/apache2/config.inc
• cat /var/lib/mysql/mysql/user.MYD
• cat /root/anaconda-ks.cfg

查看用户的操作历史文件信息

• cat ~/.bash_history
• cat ~/.nano_history
• cat ~/.atftp_history
• cat ~/.mysql_history
• cat ~/.php_history

根据用户信息查找

• cat ~/.bashrc
• cat ~/.profile
• cat /var/mail/root
• cat /var/spool/mail/root

查找私钥信息

• cat ~/.ssh/authorized_keys
• cat ~/.ssh/identity.pub
• cat ~/.ssh/identity
• cat ~/.ssh/id_rsa.pub
• cat ~/.ssh/id_rsa
• cat ~/.ssh/id_dsa.pub
• cat ~/.ssh/id_dsa
• cat /etc/ssh/ssh_config
• cat /etc/ssh/sshd_config
• cat /etc/ssh/ssh_host_dsa_key.pub
• cat /etc/ssh/ssh_host_dsa_key
• cat /etc/ssh/ssh_host_rsa_key.pub
• cat /etc/ssh/ssh_host_rsa_key
• cat /etc/ssh/ssh_host_key.pub
• cat /etc/ssh/ssh_host_key

哪些配置能写入etc目录并且能够重启服务

• ls -aRl /etc/ | awk '$1 ~ /^.w./' 2>/dev/null
• ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null
• ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null
• ls -aRl /etc/ | awk '/' 2>/dev/null
• find /etc/ -readable -type f 2>/dev/null
• find /etc/ -readable -type f -maxdepth 1 2>/dev/null

查看var目录有哪些信息

• ls -alh /var/log
• ls -alh /var/mail
• ls -alh /var/spool
• ls -alh /var/spool/lpd
• ls -alh /var/lib/pgsql
• ls -alh /var/lib/mysql
• cat /var/lib/dhcp3/dhclient.leases

所有web站点下是否含有隐藏文件

• ls -alhR /var/www/
• ls -alhR /srv/www/htdocs/
• ls -alhR /usr/local/www/apache22/data/
• ls -alhR /opt/lampp/htdocs/
• ls -alhR /var/www/html/

查看日志文件看是否有本地文件包含

cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
https://www.thegeekstuff.com/2011/08/linux-var-log-files/

当所在的shell被限制了可以跳出此限制

• python -c 'import pty;pty.spawn("/bin/bash")'
• echo os.system('/bin/bash') 这个是要输入到一个文件然后导入Python的os模块才可以使用

#!/usr/bin/python
import os
os.system('/bin/sh')

• /bin/sh -i

查看挂载了哪些文件系统

• mount
• df -h

查看哪些没有挂载的文件系统

• cat /etc/fstab

高级Linux文件系统权限使用SUID&SGID

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.

find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.

find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

确认在一些常见的目录(/tmp/,/var/tmp/,/dev/shm/)哪些有写入的权限

find / -writable -type d 2>/dev/null      # world-writeable folders

find / -perm -222 -type d 2>/dev/null     # world-writeable folders

find / -perm -o w -type d 2>/dev/null     # world-writeable folders

find / -perm -o x -type d 2>/dev/null     # world-executable folders

find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writeable & executable folders

确认哪些是存在缺陷可写的文件

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files

find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

查找可利用的漏洞代码所需要的开发工具

• find / -name perl*
• find / -name python*
• find / -name gcc*
• find / -name cc

查看是否有可上传的命令工具

• find / -name wget
• find / -name nc*
• find / -name netstat*
• find / -name tftp*
• find / -name ftp

查找exploit的代码网站

• http://www.securityfocus.com/
• http://www.exploit-db.com
• http://1337day.com
• http://www.securiteam.com
• http://www.exploitsearch.net
• http://metasploit.com/modules/
• http://securityreason.com
• http://seclists.org/fulldisclosure/
• https://www.cvedetails.com/
• https://packetstormsecurity.com/
• http://cve.mitre.org/

自动化脚本检查

• http://pentestmonkey.net/tools/audit/unix-privesc-check
• https://labs.portcullis.co.uk/tools/enum4linux/
• http://bastille-linux.sourceforge.net/

其他枚举系统信息方法

• http://www.0daysecurity.com/penetration-testing/enumeration.html
• https://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
• https://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html