
Investigation

Disks

Convert disk to RAW image

Bash
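# From VMWare: VMDK -> raw image (the raw file can then be loop-mounted read-only)
qemu-img convert -f vmdk -O raw disk.vmdk disk.img
# From VirtualBox: the native disk format is VDI. "ova" is not a qemu-img input
# format — an .ova is a tar archive holding the .ovf descriptor and the disk
# (usually .vmdk); extract it first and convert the disk it contains.
qemu-img convert -f vdi -O raw disk.vdi disk.img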

Unpack LVM

Bash
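# Map the partitions/volumes inside the dump as device-mapper devices.
# $DUMP is quoted so a path with spaces does not split into several arguments.
kpartx -a -v "$DUMP.lvm2"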

Docker containers

Bash
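# Open an interactive shell inside a running container; quote the name so an
# empty or odd value fails loudly instead of shifting the arguments.
docker exec -it "$CONTAINERNAME" /bin/bash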

Tracks

Other

Get hostname

Bash
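# Print the hostname file — a bare path would try to *execute* the file instead.
cat /etc/hostname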

Get timezone

Bash
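# Print the timezone file — a bare path would try to *execute* the file instead.
cat /etc/timezone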

Network

List interfaces

Bash
# ifupdown configuration (may be empty on hosts managed by netplan/NetworkManager)
cat </etc/network/interfaces

List active connections

Bash
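# All TCP and UDP sockets, numeric addresses, with owning PID/program.
# -p only shows processes for sockets you own unless run as root, so use sudo.
sudo netstat -natup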

List hardcoded DNS entries

Bash
# Static name -> address mappings consulted before DNS
cat </etc/hosts

Get DNS settings

Bash
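# resolv.conf is often a symlink (e.g. to a systemd-resolved stub file);
# show where it points before reading it so the real resolver config is not missed.
ls -l /etc/resolv.conf
cat /etc/resolv.conf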

User/Groups/Rights

List users from passwd

Bash
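# Align the colon-separated fields of passwd; redirect instead of piping through cat
column -t -s : </etc/passwd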

List sudoers

Bash
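# Main sudoers file plus the drop-in directory it usually includes (#includedir);
# a rogue drop-in grants privileges without touching /etc/sudoers itself.
sudo cat /etc/sudoers /etc/sudoers.d/*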

List groups

Bash
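cat /etc/group
# Find users from a group: double quotes so $GROUPNAME actually expands
# (single quotes searched for the literal text "$GROUPNAME"); anchor on the
# name field so a group name that is a substring of a member name does not match.
grep -- "^$GROUPNAME:" /etc/group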

Persistence

Startup

Bash
# Service scripts and login-time profile snippets
for startup_dir in /etc/init.d /etc/profile.d; do
  ls "$startup_dir"
done
# Per-user shell startup file
cat ~/.bashrc

Cron

List cron tasks

Bash
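crontab -l
# Root
less /etc/crontab
# From a user (quoted so an empty $USERNAME does not silently become "-l" of root)
sudo crontab -u "$USERNAME" -l
# All user crontabs at once (Debian path; /var/spool/cron on RHEL-like systems)
sudo ls -la /var/spool/cron/crontabs/
# Drop-in crontab fragments — often overlooked when only /etc/crontab is checked
ls -la /etc/cron.d/
# Hourly
ls -la /etc/cron.hourly/
# Daily
ls -la /etc/cron.daily/
# Weekly
ls -la /etc/cron.weekly/
# Monthly (the directory is spelled cron.monthly)
ls -la /etc/cron.monthly/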

Logs

Manipulate logs
Bash
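# -R passes through only ANSI colour escapes; -r would let arbitrary control
# sequences in an attacker-written log reach the terminal. Paths are quoted.
less -R -- "$LOGFILE"
tail -n "$LINES" -- "$LOGFILE"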

Auth

Last login

Bash
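# Successful logins
sudo last -f /var/log/wtmp
# Failed login attempts (brute-force traces live here, not in wtmp)
sudo lastb -f /var/log/btmp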

Auth

Bash
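# auth.log is root/adm-readable; -R instead of -r keeps raw terminal control
# sequences from an untrusted log out of the terminal.
sudo less -R /var/log/auth.log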

Bash history

Bash
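# NOTE: $USER is the *investigator's* login in a live shell; set it to the
# account under review first. -R avoids replaying raw escape sequences.
less -R -- "/home/$USER/.bash_history"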

SSH Key

Bash
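# Keys allowed to log in as this account — an unknown key here is a persistence
# mechanism. $USER must point at the account under review (see bash history note).
less -R -- "/home/$USER/.ssh/authorized_keys"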

Processes

Bash
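# Netcat detection: 'ps | grep "nc "' matches its own grep line and misses the
# ncat/netcat binaries; pgrep -x matches the exact process name, -a adds the command line.
pgrep -a -x 'nc|ncat|netcat'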

Sources