# Manual Enumeration

## System Enumeration

Enumerate kernel version:

```bash
uname -a
```

Enumerate distribution:

```bash
cat /proc/version
```

Enumerate CPU:

```bash
lscpu
```

Enumerate running services:

```bash
ps aux
```

Enumerate running services owned by root:

```bash
ps aux | grep '^root'
```

## User Enumeration

Enumerate current username:

```bash
whoami
```

Enumerate current user ID:

```bash
id
```

Enumerate active sessions:

```bash
w
```

Enumerate sudo:

```bash
sudo -l
```

Enumerate all users on the system:

```bash
cat /etc/passwd
```

Show only usernames from `/etc/passwd`:

```bash
cat /etc/passwd | cut -d : -f 1
```

Enumerate user groups:

```bash
cat /etc/group
```

Enumerate command history:

```bash
history
```

## Network Enumeration

Enumerate network settings (older machines):

```bash
ifconfig
```

Enumerate network settings (newer machines):

```bash
ip a
```

Enumerate routing table (older machines):

```bash
route
```

Enumerate routing table (newer machines):

```bash
ip route
```

Enumerate ARP table (older machines):

```bash
arp -e
```

Enumerate ARP table (newer machines):

```bash
ip neigh
```

Enumerate active network connections:

```bash
netstat -antup
```

## Password Hunting

Search for the keyword "password=" in all files:

```bash
grep --color=always -rnw '/' -ie "PASSWORD=" 2>/dev/null
```

Search for the keyword "password" in filenames:

```bash
locate password | more
```

Search for SSH keys:

```bash
find / -name id_rsa 2>/dev/null
```

## Applications and Services

Enumerate running services owned by root:

```bash
ps aux | grep '^root'
```

Enumerate installed applications on Debian and derivatives:

```bash
dpkg -l
```

Enumerate installed applications on Fedora-based distros:

```bash
rpm -qa
```

Enumerate configuration files in the /etc directory:

```bash
ls -la /etc/ | grep '\.conf'
```

Search for web application configuration files:

```bash
ls -la /var/www/html/
```

## File and Directory Enumeration

World-writable directories:

```bash
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
```

World-writable directories for root:

```bash
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep root
```

World-writable files:

```bash
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
```
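
The `find` commands above list every world-writable path, including directories such as `/tmp` where the sticky bit makes that mode expected. The following added example (not from the original page) separates those from world-writable directories without the sticky bit and from world-writable files in a single traversal, so a hardening review can focus on the last two classes; the function names and the demo tree are constructed for illustration.

```bash
# Added example, not from the original page. Function names are hypothetical.

# audit_world_writable ROOT
# Prints "<class><TAB><path>" for each finding under ROOT:
#   DIR_NO_STICKY  world-writable directory without the sticky bit
#   DIR_STICKY     world-writable directory with the sticky bit (like /tmp)
#   FILE           world-writable regular file
audit_world_writable() {
    local root="${1:-/}"
    # -xdev keeps find on one filesystem, so /proc and /sys are skipped
    # when ROOT is /. Each -exec ... + returns true, so the -o chain
    # assigns every path to the first class it matches.
    find "$root" -xdev \
        \( -type d -perm -0002 ! -perm -1000 \
           -exec printf 'DIR_NO_STICKY\t%s\n' {} + \) -o \
        \( -type d -perm -0002 \
           -exec printf 'DIR_STICKY\t%s\n' {} + \) -o \
        \( -type f -perm -0002 \
           -exec printf 'FILE\t%s\n' {} + \) \
        2>/dev/null
    return 0
}

# count_findings ROOT CLASS
# Prints how many findings of CLASS exist under ROOT (0 if none).
count_findings() {
    audit_world_writable "$1" |
        awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# make_demo_tree
# Builds a constructed sample tree in a temp directory and prints its path,
# so the audit can be tried without scanning a real system.
make_demo_tree() {
    local d
    d="$(mktemp -d)"
    mkdir "$d/shared" "$d/dropbox" "$d/private"
    chmod 1777 "$d/shared"    # world-writable with sticky bit: expected
    chmod 0777 "$d/dropbox"   # world-writable, no sticky bit: finding
    chmod 0755 "$d/private"
    : > "$d/private/app.conf"; chmod 0666 "$d/private/app.conf"  # finding
    : > "$d/private/ok.conf";  chmod 0644 "$d/private/ok.conf"   # fine
    printf '%s\n' "$d"
}
```

Run `audit_world_writable /` as root for full coverage; unreadable directories are skipped silently when run as an unprivileged user.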

