# Manual Enumeration ## System Enumeration Enumerate kernel version: ```bash uname -a ``` Enumerate distribution: ```bash cat /proc/version ``` Enumerate CPU: ```bash lscpu ``` Enumerate running services: ```bash ps aux ``` Enumerate running services owned by root: ```bash ps aux | grep root ``` ## User Enumeration Enumerate current username: ```bash whoami ``` Enumerate current user ID: ```bash id ``` Enumerate active sessions: ```bash w ``` Enumerate sudo: ```bash sudo -l ``` Enumerate all users on the system: ```bash cat /etc/passwd ``` Show only usernames from `/etc/passwd`: ```bash cat /etc/passwd | cut -d : -f 1 ``` Enumerate user groups: ```bash cat /etc/group ``` Enumerate command history: ```bash history ``` ## Network Enumeration Enumearte network settings (older machines): ```bash ifconfig ``` Enumearte network settings (newer machines): ```bash ip a ``` Enumerate routing table (older machines): ```bash route ``` Enumerate routing table (newer machines): ```bash ip route ``` Enumerate ARP table (older machines): ```bash arp -e ``` Enumerate ARP table (newer machines): ```bash ip neigh ``` Enumerating active network connections: ```bash netstat -antup ``` ## Password Hunting Search for the keyword "password=" in all files: ```bash grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2>/dev/null ``` Search for the keyword "password" in filenames: ```bash locate password | more ``` Search for SSH keys: ```bash find / -name id_rsa 2>/dev/null ``` ## Applications and Services Enumerate running services owned by root: ```bash ps aux | grep root ``` Enumerate installed applications on Debian and derivatives: ```bash dpkg -l ``` Enumerate installed applications on Fedora-based distros, use: ```bash rpm -qa ``` Enumerate configuration files in the /etc directory: ```bash ls -la /etc/ | grep .conf ``` Search for web application configuration files: ```bash ls -la /var/www/html/ ``` ## File and Directory Enumeration World-writable directories: ```bash find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root ``` World-writable directories for root: ```bash find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root ``` World-writable files: ```bash find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null ```