From e7d731615e16fc65fb00909255ca95d34495f903 Mon Sep 17 00:00:00 2001 From: Jimmy Astle Date: Tue, 2 Jan 2018 16:03:14 -0500 Subject: [PATCH 1/3] Adding in a few more account discovery techniques --- Linux/Discovery/Account_Discovery.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/Linux/Discovery/Account_Discovery.md b/Linux/Discovery/Account_Discovery.md index 307df472..d9b12fca 100644 --- a/Linux/Discovery/Account_Discovery.md +++ b/Linux/Discovery/Account_Discovery.md @@ -6,6 +6,22 @@ List of all accounts: cat /etc/passwd +List local groups: + + cat /etc/group > /tmp/loot.txt + +View sudoers access (requires root): + + cat /etc/sudoers > /tmp/loot.txt + +View accounts with UID 0: + + grep 'x:0:' /etc/passwd > /tmp/loot.txt + +List opened files by user: + + username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username + Currently logged in: Local: @@ -15,3 +31,7 @@ Local: Remote: finger @ + +Show if a user account has ever logged in remotely: + + lastlog > /tmp/loot.txt From 7f78ad5ace81740809b3f520cdb3559947d45a36 Mon Sep 17 00:00:00 2001 From: Jimmy Astle Date: Tue, 2 Jan 2018 17:16:27 -0500 Subject: [PATCH 2/3] Adding in missing table link for Account Discovery --- Linux/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux/README.md b/Linux/README.md index ebb84ad4..cfad99c6 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -2,7 +2,7 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | Account Discovery | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port | +| .bash_profile and .bashrc | Exploitation of Vulnerability | Binary Padding | [Bash History](Credential_Access/Bash_History.md) | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | Command-Line Interface | Audio Capture | Automated Exfiltration | Commonly Used Port | | Bootkit | Setuid and Setgid | [Clear Command History](Defense_Evasion/Clear_Command_History.md) | Brute Force | File and Directory Discovery | Exploitation of Vulnerability | Graphical User Interface | Automated Collection | Data Compressed | Communication Through Removable Media | | [Cron Job](Persistence/Cron_Job.md) | Sudo | Disabling Security Tools | [Create Account](Credential_Access/Create_Account.md) | Permission Groups Discovery | Remote File Copy | Scripting | Clipboard Data | Data Encrypted | Connection Proxy | | Hidden Files and Directories | Valid Accounts | Exploitation of Vulnerability | Credentials in Files | Process Discovery | Remote Services | Source | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | From e36a8e337758a6338af656d9a67c145f2e671f4a Mon Sep 17 00:00:00 2001 From: Jimmy Astle Date: Tue, 2 Jan 2018 17:20:28 -0500 Subject: [PATCH 3/3] Removing the groups command as that should live in a seperate spot --- Linux/Discovery/Account_Discovery.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/Linux/Discovery/Account_Discovery.md b/Linux/Discovery/Account_Discovery.md index d9b12fca..4531bba5 100644 --- a/Linux/Discovery/Account_Discovery.md +++ b/Linux/Discovery/Account_Discovery.md @@ -6,10 +6,6 @@ List of all accounts: cat /etc/passwd -List local groups: - - cat /etc/group > /tmp/loot.txt - View sudoers access (requires root): cat /etc/sudoers > /tmp/loot.txt