Skip to main content
Synced from an Obsidian vault

For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.

Linux Pentesting SOP (Authorized)

Authorized environments only. This SOP covers defensive assessment and configuration validation.

Table of Contents

  1. Engagement Setup
  2. Information Gathering (Read-Only)
  3. Configuration Review
  4. Privilege Escalation Vectors (Non-Destructive Checks)
  5. Logging & Monitoring Review
  6. Network Security
  7. Automated Enumeration Tools
  8. Common Misconfigurations Checklist
  9. Evidence Collection
  10. Reporting
  11. Safety & Legal
  12. Tools Reference
  13. Common Pitfalls
  14. Reference Resources

1. Engagement Setup

Pre-Engagement

  • Obtain written authorization (signed Rules of Engagement)
  • Define scope: hosts, subnets, services, user accounts
  • Set time windows and blackout periods
  • Establish emergency contacts and escalation path
  • Agree on change control procedures
  • Confirm backup/restore process exists

Objectives (Examples)

  • Identify misconfigurations enabling unauthorized access or privilege escalation
  • Validate hardening baseline compliance (CIS, STIG, etc.)
  • Test privilege separation and access controls
  • Evaluate logging/monitoring efficacy

2. Information Gathering (Read-Only)

System Identification

# OS version and kernel
uname -a
cat /etc/os-release
cat /etc/*-release
hostnamectl

# Kernel version (for known vuln research)
uname -r

User & Group Enumeration

# List all users
cat /etc/passwd
cut -d: -f1 /etc/passwd

# Users with login shells
grep -v "/nologin\|/false" /etc/passwd

# Check for UID 0 (root-equivalent) accounts
awk -F: '$3 == 0 {print $1}' /etc/passwd

# Group memberships
cat /etc/group
groups <username>

# Sudo access
sudo -l
cat /etc/sudoers
ls -la /etc/sudoers.d/

# Recently modified user accounts
ls -lat /home/

Running Services & Network

# Active services
systemctl list-units --type=service --state=running
ps aux

# Network listeners
ss -tulnp
netstat -tulnp

# Firewall status
sudo iptables -L -n -v
sudo ufw status verbose
sudo firewall-cmd --list-all

# Check for unusual binds (0.0.0.0 vs localhost)
ss -tulnp | grep "0.0.0.0"

Installed Packages

# Debian/Ubuntu
dpkg -l
apt list --installed

# RHEL/CentOS
rpm -qa
yum list installed

# Check for outdated packages
apt list --upgradable  # Debian/Ubuntu
yum check-update       # RHEL/CentOS

# Look for unnecessary packages (compilers, dev tools on prod)
dpkg -l | grep -E "gcc|g\+\+|build-essential|python-dev"

3. Configuration Review

File & Directory Permissions

Sensitive files to check:

# SSH configuration
ls -la /etc/ssh/sshd_config
cat /etc/ssh/sshd_config | grep -E "PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|PermitEmptyPasswords"

# Shadow file (should be 600 or 640)
ls -la /etc/shadow

# Sudoers (should be 440)
ls -la /etc/sudoers
ls -la /etc/sudoers.d/

# Cron files
ls -la /etc/cron*
ls -la /var/spool/cron/crontabs/

# World-writable files (dangerous)
find / -type f -perm -002 -ls 2>/dev/null

# World-writable directories
find / -type d -perm -002 -ls 2>/dev/null

# SUID/SGID binaries (privilege escalation vectors)
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null

# Files owned by users but writable by others
find / -type f -perm -o+w -ls 2>/dev/null

SSH Hardening Checks

# Check SSH config for weak settings
grep -E "^PermitRootLogin" /etc/ssh/sshd_config
# Expected: PermitRootLogin no

grep -E "^PasswordAuthentication" /etc/ssh/sshd_config
# Expected: PasswordAuthentication no (if using keys only)

grep -E "^PermitEmptyPasswords" /etc/ssh/sshd_config
# Expected: PermitEmptyPasswords no

grep -E "^Protocol" /etc/ssh/sshd_config
# Expected: Protocol 2

# Check for weak SSH keys
find /home -name "authorized_keys" -exec ls -la {} \;
find /home -name "authorized_keys" -exec cat {} \;

Sudo Policy Review

# Check sudoers for NOPASSWD (dangerous)
sudo grep NOPASSWD /etc/sudoers /etc/sudoers.d/*

# Check for overly permissive sudo (ALL=(ALL) ALL)
sudo grep "ALL=(ALL)" /etc/sudoers /etc/sudoers.d/*

# Users in sudo/wheel group
getent group sudo
getent group wheel

Service Configuration

# Apache/Nginx - check for directory listing, version disclosure
grep -r "Indexes" /etc/apache2/  # Should be disabled
grep -r "ServerTokens" /etc/apache2/  # Should be Prod
grep -r "server_tokens" /etc/nginx/  # Should be off

# Check running services on unexpected ports
ss -tulnp | grep -v "127.0.0.1"

# Check for default credentials in config files (passwords in plain text)
grep -r -i "password" /etc/ 2>/dev/null | grep -v "Binary"

4. Privilege Escalation Vectors (Non-Destructive Checks)

PATH Hijacking

# Check PATH for writable directories
echo $PATH | tr ':' '\n' | while read dir; do ls -ld "$dir" 2>/dev/null; done

# Check if current directory (.) is in PATH (dangerous)
echo $PATH | grep -E "^\.:|:\.:|\.$"

Writable Scripts/Binaries in Privileged Locations

# Check if user can write to system binaries
find /usr/bin /usr/sbin /bin /sbin -writable 2>/dev/null

# Check for writable scripts called by root cron
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/

Kernel Exploits (Version Check Only)

# Check kernel version against known CVEs
uname -r
# Manually research CVEs for this version (CVE-2021-4034, CVE-2022-0847, etc.)

# Check for installed kernel patches
dpkg -l | grep linux-image  # Debian/Ubuntu
rpm -qa | grep kernel       # RHEL/CentOS

Capabilities (Linux File Capabilities)

# List files with capabilities (can bypass permissions)
getcap -r / 2>/dev/null

# Common dangerous capabilities:
# cap_setuid, cap_setgid, cap_dac_override, cap_sys_admin

Docker/Container Escape (If Applicable)

# Check if user is in docker group (root-equivalent)
groups | grep docker
getent group docker

# Check for writable docker socket
ls -la /var/run/docker.sock

# Check for privileged containers
docker ps --filter "privileged=true" 2>/dev/null

NFS Shares (Privilege Escalation)

# Check for NFS exports
cat /etc/exports

# Look for no_root_squash (allows root escalation)
cat /etc/exports | grep no_root_squash

5. Logging & Monitoring Review

Check Logging Status

# Syslog/rsyslog status
systemctl status rsyslog
systemctl status syslog-ng

# Auth log (login attempts, sudo usage)
tail -100 /var/log/auth.log      # Debian/Ubuntu
tail -100 /var/log/secure         # RHEL/CentOS

# Check for log rotation
cat /etc/logrotate.conf
ls /etc/logrotate.d/

# Check log permissions (should not be world-readable)
ls -la /var/log/

Audit Daemon (auditd)

# Check if auditd is running
systemctl status auditd

# Review audit rules
auditctl -l

# Check for monitoring of sensitive files
auditctl -l | grep -E "/etc/passwd|/etc/shadow|/etc/sudoers"

Failed Login Attempts

# Check for brute force attempts
grep "Failed password" /var/log/auth.log | tail -50

# Count failed logins by IP
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn

6. Network Security

Firewall Configuration

# Check firewall status
sudo iptables -L -v -n
sudo ufw status verbose
sudo firewall-cmd --list-all

# Look for overly permissive rules (ACCEPT all, 0.0.0.0/0)
sudo iptables -L -v -n | grep "ACCEPT.*0.0.0.0/0"

Exposed Services

# Check what's listening externally (not just localhost)
ss -tulnp | grep -v "127.0.0.1"

# Scan from external perspective (if authorized)
nmap -sV -p- <target_ip>

7. Automated Enumeration Tools

LinPEAS (Linux Privilege Escalation Awesome Script)

# Download and run (in test/authorized environment only)
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

# Or run locally
./linpeas.sh

LinEnum

# Download and run
curl -L https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | sh

Linux Smart Enumeration (LSE)

curl -L https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh | sh

Note: Review tool output manually; automated tools may generate false positives.

8. Common Misconfigurations Checklist

  • Root login via SSH enabled (PermitRootLogin yes)
  • Password authentication enabled when keys should be used
  • Users in sudoers with NOPASSWD
  • World-writable files in system directories
  • SUID binaries with known exploits (GTFOBins)
  • Weak file permissions on /etc/shadow, /etc/sudoers
  • Firewall disabled or overly permissive
  • Unnecessary services running (FTP, Telnet, rsh)
  • Default credentials in config files
  • No logging or monitoring enabled
  • Kernel/packages severely out of date
  • User in docker group (root-equivalent)
  • NFS exports with no_root_squash
  • Writable cron jobs executed by root

9. Evidence Collection

For each finding, document:

  • Exact command used
  • Full output (sanitize sensitive data)
  • Timestamp (UTC)
  • Affected hosts/files
  • Screenshot if GUI-based

File structure:

/Evidence/{engagement_id}/Linux/
  ├── enumeration/
  │   ├── 20251005_uname_output.txt
  │   ├── 20251005_ps_aux.txt
  │   └── 20251005_netstat.txt
  ├── configs/
  │   ├── 20251005_sshd_config.txt
  │   ├── 20251005_sudoers.txt
  │   └── 20251005_iptables.txt
  ├── permissions/
  │   ├── 20251005_suid_binaries.txt
  │   └── 20251005_world_writable.txt
  └── screenshots/
      └── 20251005_linpeas_output.png

Hash all files:

sha256sum *.txt > evidence_hashes.txt

10. Reporting

Finding Format

Title: SSH Root Login Enabled
Severity: High
Affected Hosts: server01.example.com, server02.example.com
Description: SSH daemon permits direct root login (PermitRootLogin yes)
Impact: Attackers can brute-force or use leaked credentials to gain root access
Evidence: /etc/ssh/sshd_config line 32
Remediation:
  1. Edit /etc/ssh/sshd_config
  2. Set: PermitRootLogin no
  3. Restart SSH: systemctl restart sshd
  4. Test SSH access with non-root user + sudo
Verification: Re-check config and test login attempts as root (should fail)

Remediation Priorities

  1. Critical: Root SSH, SUID exploits, kernel vulnerabilities
  2. High: Sudo NOPASSWD, world-writable system files, exposed services
  3. Medium: Weak logging, outdated packages, firewall gaps
  4. Low: Informational findings, hardening recommendations

11. Safety & Legal

  • Read-only first: Prefer enumeration over exploitation
  • No destructive actions without explicit approval (e.g., kernel exploits, DoS)
  • Coordinate with sysadmins before running intensive scans
  • Stop immediately if you cause instability or user impact
  • Document everything for audit trail and legal defensibility
  • Respect scope: Do not pivot beyond authorized hosts

12. Tools Reference

ToolPurposeInstall/Link
linpeas.shAutomated privilege escalation enumerationPEASS-ng
LinEnum.shLinux enumeration scriptLinEnum
linux-smart-enumerationColor-coded enumerationLSE
pspyMonitor processes without rootpspy
lynisSecurity auditing toolapt install lynis
GTFOBinsSUID/sudo exploit databasegtfobins.github.io

13. Common Pitfalls

  • ❌ Running exploit code without understanding impact (can crash system)
  • ❌ Forgetting to sanitize sensitive data in reports (passwords, keys)
  • ❌ Not checking scope before scanning (out-of-scope hosts)
  • ❌ Relying only on automated tools (miss context-specific issues)
  • ❌ Not documenting commands/timestamps (breaks evidence chain)
  • ❌ Ignoring false positives from tools (verify manually)
  • ❌ Assuming all SUID binaries are exploitable (check GTFOBins first)

14. Reference Resources

Comprehensive Knowledge Bases

Enumeration & Scanning Tools

Hardening & Security Benchmarks

Exploit Databases

Kernel Exploitation Resources

  • Kernel Exploit Development - 0x00sec.org
    • Forum with kernel exploitation tutorials
  • Linux Kernel Security - kernsec.org/wiki
    • Kernel security subsystem documentation
  • Dirty COW (CVE-2016-5195) - dirtycow.ninja
    • Famous kernel exploit example and documentation

Docker & Container Security

SSH & Authentication Resources

Post-Exploitation & Persistence

Cheat Sheets & Quick References

Logging & Monitoring

Practice Platforms

Books & Courses

  • Linux Basics for Hackers by OccupyTheWeb
  • SANS SEC504: Hacker Tools, Techniques, and Incident Handling
  • Offensive Security PWK (OSCP)
  • HackerSploit Linux Privilege Escalation - youtube.com/hackersploit

Community & Forums

Analysis:

Pentesting & Security: