1. 內(nèi)核鳍怨，操作系統(tǒng)，設(shè)備信息

lsb_release -a  查看系統(tǒng)發(fā)行版本
uname -a    查看內(nèi)核版本
uname -r    內(nèi)核版本
uname -n    系統(tǒng)主機(jī)名
uname -m    查看系統(tǒng)內(nèi)核架構(gòu)（64位/32位）
hostname    系統(tǒng)主機(jī)名
cat /proc/version    內(nèi)核信息
cat /etc/*-release   發(fā)布信息
cat /etc/issue       分發(fā)信息
cat /proc/cpuinfo    CPU信息
cat /etc/lsb-release    # Debian 
cat /etc/redhat-release     # Redhat
ls /boot | grep vmlinuz-

2. 用戶和群組

cat /etc/passwd     列出系統(tǒng)上的所有用戶
cat /var/mail/root
cat /var/spool/mail/root
cat /etc/group      列出系統(tǒng)上的所有組
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'      列出所有的超級(jí)用戶賬戶
whoami              查看當(dāng)前用戶
w                   誰(shuí)目前已登錄由境，他們正在做什么
last                最后登錄用戶的列表
lastlog             所有用戶上次登錄的信息
lastlog –u %username%  有關(guān)指定用戶上次登錄的信息
lastlog |grep -v "Never"  以前登錄用戶的完

3. 用戶權(quán)限信息

whoami        當(dāng)前用戶名
id            當(dāng)前用戶信息
cat /etc/sudoers  誰(shuí)被允許以root身份執(zhí)行
sudo -l       當(dāng)前用戶可以以root身份執(zhí)行操作

4. 環(huán)境信息

env        顯示環(huán)境變量
set        現(xiàn)實(shí)環(huán)境變量
echo %PATH 路徑信息
history    顯示當(dāng)前用戶的歷史命令記錄
pwd        輸出工作目錄
cat /etc/profile   顯示默認(rèn)系統(tǒng)變量
cat /etc/shells    顯示可用的shellrc
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

5. 進(jìn)程和服務(wù)

ps aux
ps -ef
top
cat /etc/services
查看以root 運(yùn)行的進(jìn)程:
ps aux | grep root
ps -ef | grep root

6. 查看安裝的軟件

ls -alh /usr/bin/
ls -alh /sbin/
ls -alh /var/cache/yum/
dpkg -l

7. 服務(wù)/插件

檢查有沒有不安全的服務(wù)配置颖变，和一些有漏洞的插件:

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

8. 計(jì)劃任務(wù)

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

9. 有無(wú)明文存放用戶密碼

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find , -name "*.php" -print0 | xargs -0 grep -i -n "var $password"

10. 有無(wú)ssh 私鑰

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

11. 查看與當(dāng)前機(jī)器通信的其他用戶或者主機(jī)

lsof -i
lsof -i :80                 #查看端口為80相關(guān)文件
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

12. 日志文件

cat /var/log/boot.log
cat /var/log/cron
cat /var/log/syslog
cat /var/log/wtmp
cat /var/run/utmp
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

13. 交互式shell

python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

14. 可提權(quán)SUID && GUID

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
#常見的可用來(lái)提權(quán)的Linux 可執(zhí)行文件有：Nmap, Vim, find, bash, more, less, nano, cp

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

15. 查看可寫/執(zhí)行目錄

find / -writable -type d 2>/dev/null      # world-writeable folders
find / -perm -222 -type d 2>/dev/null     # world-writeable folders
find / -perm -o w -type d 2>/dev/null     # world-writeable folders
find / -perm -o x -type d 2>/dev/null     # world-executable folders
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writeable & executable folders

16. 查看安裝過(guò)的工具

find / -name perl*
find / -name python*
find / -name gcc*
...