LinEnum

LinEnum is a comprehensive Linux enumeration script that automatically scans for privilege escalation vectors and system misconfigurations.

Installation

# Download from GitHub
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
chmod +x LinEnum.sh

# Or clone repository
git clone https://github.com/rebootuser/LinEnum.git
cd LinEnum
chmod +x LinEnum.sh

Basic Usage

Command                       Description
./LinEnum.sh                  Run full enumeration
./LinEnum.sh -t               Thorough scan (slower)
./LinEnum.sh -k <keyword>     Perform search (grep-based)
./LinEnum.sh -r report.html   Generate HTML report
./LinEnum.sh -h               Display help

Enumeration Categories

System Information

# OS version and kernel details
uname -a
cat /etc/issue
cat /proc/version

# Hostname and network
hostname
ip a
ifconfig

Users and Groups

# Current user privileges
id
whoami
sudo -l

# All users on system
cat /etc/passwd
cat /etc/shadow  # if readable

# Groups
cat /etc/group
groups

SUID/SGID Binaries

# Find SUID binaries (run as owner)
find / -perm -4000 -type f 2>/dev/null

# Find SGID binaries (run with group privileges)
find / -perm -2000 -type f 2>/dev/null

# Check against GTFOBins for exploitability
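
On the defensive side, the same find predicates can drive a baseline audit that reports any setuid/setgid file not on an approved list. This is an added example, not part of the original page or of LinEnum; the function names and the baseline file format (one absolute path per line) are assumptions.

```shell
#!/bin/sh
# Added example: baseline-and-diff audit for setuid/setgid files.
# Assumption: the baseline is a text file with one approved absolute path per line.

# list_privileged DIR
# Print every regular file under DIR that has the setuid (4000) or
# setgid (2000) bit set, sorted so the result can be compared with comm.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        LC_ALL=C sort
}

# suid_drift DIR BASELINE
# Print privileged files that exist now but are missing from BASELINE.
# Empty output means nothing has been added since the baseline was approved.
suid_drift() {
    current=$(mktemp) || return 2
    approved=$(mktemp) || { rm -f "$current"; return 2; }
    list_privileged "$1" > "$current"
    LC_ALL=C sort -u "$2" > "$approved"
    # comm -23 keeps lines that appear only in the first file (the current scan)
    LC_ALL=C comm -23 "$current" "$approved"
    rm -f "$current" "$approved"
}

# Typical use (hypothetical paths):
#   list_privileged / > /var/lib/suid.baseline     # once, after review
#   suid_drift / /var/lib/suid.baseline            # from a scheduled job
```

Any path the second command prints is a privileged binary that appeared after the baseline was reviewed and should be explained or removed.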

Writable Locations

# World-writable directories
find / -perm -0002 -type d 2>/dev/null

# Writable system binaries
find /usr/bin /usr/local/bin -writable 2>/dev/null

# /tmp and /var/tmp accessibility
ls -ld /tmp /var/tmp

Cron Jobs

# System cron jobs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/

# User cron jobs
crontab -l
for user in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$user" 2>/dev/null; done

Network Services

# Listening ports and services
netstat -tulpn
ss -tulpn
lsof -i -P -n

# Running processes
ps aux
ps auxf

File Permissions

# Sensitive file permissions
ls -la /etc/passwd /etc/shadow /etc/sudoers

# World-readable sensitive files
find / -type f \( -name "*.pem" -o -name "*.key" -o -name "*.txt" \) -perm -0004 2>/dev/null

# Check home directories
ls -la ~/
ls -la /root/

Kernel Vulnerabilities

# Kernel version (check for known CVEs)
uname -r

# Common vulnerable kernels:
# - 2.6.x (DirtyCOW variants)
# - 4.x (Overlayfs, eBPF)
# - 5.x (specific CVE patches)

# Use with searchsploit for CVE matching

Installed Software

# Installed packages
dpkg -l          # Debian/Ubuntu
rpm -qa          # RedHat/CentOS
pacman -Q        # Arch

# Notable outdated software
# - Old versions of Apache, MySQL, PHP
# - Vulnerable libraries
# - Setuid wrappers

Environment Variables

# Display all env vars
env
printenv

# Search for sensitive data
env | grep -i "pass\|token\|key\|secret\|api"

Advanced Options

Thorough Scan

# More comprehensive checks (-t flag)
./LinEnum.sh -t

# Includes:
# - All writable locations
# - Extended file permission checks
# - Additional service enumeration
# - Deeper vulnerability scanning

Output to Report

# Generate HTML report
./LinEnum.sh -r report.html

# Open in browser
firefox report.html

# Includes color-coded findings
# Organized by category
# Searchable findings

Search Specific Strings

# Search for specific patterns
# (-k takes the keyword; -s is a different option that supplies a password for sudo checks)
./LinEnum.sh -k password
./LinEnum.sh -k config
./LinEnum.sh -k backup

# Searches across system files
# Looks for credentials, configs, backups

Key Findings to Investigate

Critical Indicators

  1. Kernel CVE - Direct privilege escalation vector
  2. SUID with GTFOBins match - Exploitable binary
  3. Sudo without password - Immediate escalation
  4. Writable /etc/passwd - Add new root user
  5. Cron jobs with writable scripts - Modify and execute as root
  6. World-writable important files - Modify system behavior

Important Findings

  • NFS shares with no_root_squash
  • Docker group membership (container escape)
  • Capabilities (cap_setuid, cap_net_admin)
  • Outdated installed software
  • Plaintext credentials in files/env
  • Weak file permissions on sensitive configs

Common Exploitation Patterns

SUID Binary Exploitation

# 1. Identify SUID binary
find / -perm -4000 -type f

# 2. Check GTFOBins
# https://gtfobins.github.io/

# 3. Find vulnerability
strings /usr/bin/suid_binary | grep -i exec

# 4. Exploit (example: exec without quotes)
/usr/bin/suid_binary "$(whoami)"

Cron Job Exploitation

# 1. Find cron job running as root
cat /etc/crontab | grep root

# 2. Check if script is writable
ls -la /path/to/script.sh

# 3. If writable, modify with payload
echo "/bin/bash -i" >> /path/to/script.sh

# 4. Wait for cron execution or trigger manually
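
The condition this pattern depends on, a root cron job whose script or containing directory is writable by other accounts, can be audited for directly. The script below is an added example, not part of the original page or of LinEnum; it assumes the system crontab layout (`min hour dom mon dow user command`) used by /etc/crontab and /etc/cron.d, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag root cron jobs that run a script which is missing,
# or which (or whose directory) is writable by group or other.

# loosely_writable PATH
# Succeed if group or other has write permission on PATH.
loosely_writable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;   # columns 6 and 9 of the mode string
    esac
    return 1
}

# audit_crontab FILE
# Print "REASON<TAB>PATH" for every risky root entry in a system crontab.
audit_crontab() {
    # Skip comments, blank lines and VAR=value lines. "@reboot"-style
    # entries have the user in field 2, ordinary entries in field 6.
    awk '/^[ \t]*(#|$)/ || $1 ~ /=/ { next }
         { if ($1 ~ /^@/) { u = $2; c = $3 } else { u = $6; c = $7 }
           if (u == "root") print c }' "$1" |
    while IFS= read -r cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac   # only absolute script paths
        if [ ! -e "$cmd" ]; then
            printf 'missing\t%s\n' "$cmd"
        elif loosely_writable "$cmd"; then
            printf 'writable-file\t%s\n' "$cmd"
        fi
        dir=$(dirname "$cmd")
        if loosely_writable "$dir"; then
            printf 'writable-dir\t%s\n' "$dir"
        fi
    done
}

# Typical use: audit_crontab /etc/crontab; for f in /etc/cron.d/*; do audit_crontab "$f"; done
```

Each reported path should be owned by root with mode 755 or stricter, in a directory that only root can write to.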

Kernel Exploit

# 1. Identify kernel version
uname -r

# 2. Search for exploit
searchsploit "Linux Kernel 5.10"

# 3. Download and compile
gcc exploit.c -o exploit

# 4. Run exploit
./exploit

# 5. Verify privilege escalation
id

Post-Enumeration Workflow

# 1. Run full enumeration
./LinEnum.sh > enum_output.txt

# 2. Review critical findings
grep -E "CRITICAL|SUID|SUDO|CVE" enum_output.txt

# 3. Validate findings manually
find / -perm -4000 -type f 2>/dev/null

# 4. Check GTFOBins for each SUID
# https://gtfobins.github.io/

# 5. Identify exploitation path
# - SUID → Binary exploitation
# - Cron → Script modification
# - Kernel → Exploit compilation

# 6. Execute privilege escalation

Tips and Tricks

  • Run LinEnum multiple times to catch scheduled tasks
  • Cross-reference with GTFOBins: https://gtfobins.github.io/
  • Use pspy to monitor real-time process execution
  • Check cron jobs with: for user in $(cut -f1 -d: /etc/passwd); do crontab -l -u $user 2>/dev/null; done
  • Monitor for new SUID binaries with: find / -newer timestamp -perm -4000 2>/dev/null
  • LinPEAS: More comprehensive PEASS-ng version
  • pspy: Process monitoring without root
  • GTFOBins: Exploit database for Unix binaries
  • SearchSploit: Offline exploit search
  • BeRoot: Linux privilege escalation checking

Last updated: March 2025