The who, what, when, where, and how of the Linux command line
In penetration testing, especially during privilege escalation, it is essential to gather as much information as possible about the system, the user context, permissions, and available services. The "Who, What, When, Where, How" methodology is a structured approach to this process. Here's a breakdown:
Who (ami?)
Identify who you are and understand your system context.
whoami – Displays the current user.
id – Displays the current user's UID, GID, and group memberships.
uname – Prints operating system details. Use uname -a to view the full kernel version and architecture. This information is useful for identifying potential kernel exploits.
What
Understand your privileges, file contents, permissions, and running processes.
Are you root?
sudo -l – Lists the commands the current user is allowed to execute with sudo. Useful for privilege escalation via misconfigured sudo rules.
id – If your UID is 0, you are root. Regular user IDs usually start at 1000.
What is in a file?
cat <filename> – Displays the content of a file.
strings <filename> – Extracts and displays printable character sequences from binary files or executables.
head <filename> – Displays the first 10 lines of a file.
tail <filename> – Displays the last 10 lines of a file.
What permissions do you have?
Linux permissions are divided into three groups:
Owner
Group
Others
Permission types:
r – read
w – write
x – execute
A directory will show d at the beginning.
Example:
drwxrwxrwx
This is a directory where the owner, group, and others all have full read, write, and execute permissions.
What is running?
ps aux
Lists all running processes from all users. Use this to identify running services, scheduled tasks, or processes with potential security issues.
When
Identify scheduled or automated executions that may be leveraged for privilege escalation.
crontab -l – Lists the current user's cron jobs (scheduled tasks); crontab -e would open them in an editor instead. These jobs may run scripts with elevated privileges and could be exploitable if misconfigured.
System-wide cron jobs are typically found in:
/etc/crontab
/etc/cron.d/
/etc/cron.daily/, /etc/cron.hourly/, etc.
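As an added example (not part of the original page), the following script checks a crontab-format file for the misconfiguration described above: a job whose command file is writable by "others", so that any local user could change what a privileged job runs. The crontab lines and script paths in demo() are constructed in a temporary directory; nothing on the real system is read.

```sh
#!/bin/sh
# Added example (not from the original page): flag cron jobs whose
# command file is writable by "others", so any local user could change
# what a privileged job runs. Input is a file in /etc/crontab format;
# the crontab lines and script paths in demo() are CONSTRUCTED.

# Print "<mode> <path>" for each job whose command file is world-writable.
# $1 = crontab-format file (min hour dom mon dow user command ...)
cron_world_writable() {
    # drop blank lines, comments and VAR=value assignments
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
    while IFS= read -r line; do
        # word-split the line with globbing off so "*/5" stays literal
        set -f; set -- $line; set +f
        # "@reboot user cmd" has 3 fields, "m h dom mon dow user cmd" has 7
        case "$1" in
            @*) [ $# -ge 3 ] || continue; shift 2 ;;
            *)  [ $# -ge 7 ] || continue; shift 6 ;;
        esac
        cmd=$1
        # only an existing absolute path can be checked
        case "$cmd" in /*) [ -e "$cmd" ] || continue ;; *) continue ;; esac
        mode=$(ls -ld "$cmd" | cut -c1-10)
        # character 9 of the mode string is the "others" write bit
        if [ "$(printf '%s' "$mode" | cut -c9)" = "w" ]; then
            echo "$mode $cmd"
        fi
    done
}

# Demo on constructed data: one 777 script (flagged twice) and one 755 script.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"; chmod 777 "$d/backup.sh"
    printf '#!/bin/sh\necho rotate\n' > "$d/rotate.sh"; chmod 755 "$d/rotate.sh"
    {
        printf 'SHELL=/bin/sh\n# constructed sample crontab\n'
        printf '*/5 * * * * root %s --full\n' "$d/backup.sh"
        printf '0 3 * * * root %s\n' "$d/rotate.sh"
        printf '@reboot root %s\n' "$d/backup.sh"
    } > "$d/crontab"
    cron_world_writable "$d/crontab"
    rm -rf "$d"
}

demo
```

Running it prints two lines, both for backup.sh (the 755 rotate.sh is not reported); pointing cron_world_writable at /etc/crontab or a file from /etc/cron.d/ applies the same check to a real host.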
Where
Locate files, directories, binaries, and keywords across the system.
ls -al – Lists the contents of the current directory in long format, including hidden files and permissions.
pwd – Displays the present working directory.
find / -name <filename> 2>/dev/null – Searches for files by name across the entire system while suppressing permission errors.
whereis <binary> – Locates the binary, source, and man pages for a command.
apropos <keyword> – Searches man page descriptions for the given keyword; useful when unsure of the exact command.
grep -rnw / -e '<keyword>' 2>/dev/null – Recursively searches for a keyword (e.g., password) across files. Useful for locating sensitive information.
How
Understanding how actions are performed is crucial for documentation and reporting.
All steps must be documented during penetration tests and OSCP-style assessments.
Gaining a shell or escalating privileges is often performed using manual command-line methods.
Ensure that every exploit, script, and configuration file is logged or noted for reporting and reproducibility.
Practical Enumeration Script Example
Here's a basic shell script to perform initial Linux enumeration:
#!/bin/bash
# Basic Linux enumeration: collects the Who/What/When/Where data described above.
echo "[+] Current User:"
whoami
echo "[+] UID and Group Info:"
id
echo "[+] Kernel and System Info:"
uname -a
echo "[+] Current Working Directory:"
pwd
echo "[+] Home Directory Contents:"
ls -al ~
echo "[+] Running Processes:"
ps aux
echo "[+] Scheduled Cron Jobs:"
# system-wide crontab plus the /etc/cron* directories; errors are silenced
cat /etc/crontab 2>/dev/null
ls -al /etc/cron* 2>/dev/null
echo "[+] Sudo Permissions:"
sudo -l 2>/dev/null
echo "[+] Searching for keywords like 'password':"
# skip the pseudo-filesystems, which are slow and noisy to search
grep -rnw / -e 'password' --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev 2>/dev/null
echo "[+] Searching for flag.txt:"
find / -name flag.txt 2>/dev/null
⚠️ Always run enumeration commands responsibly and only on systems you are authorized to test.