During a penetration test, there are many questions that you’ll need to ask yourself. Too often, blogs that I read discuss the commands that we need to run to collect information from our target, but too often don’t go far enough to explain the questions we should be asking as we’re collecting this data or running our scripts. I want to take this opportunity to discuss why we’re looking for certain information and types of questions we should be asking ourselves along the way.

The data we’re collecting here is from a combination of the following sources:

Operating System

Distribution / Version

When we use commands such as


cat /etc/issue
cat /etc/*-release

we’re getting information such as:


d3c3pt10n@ub16:~# cat /etc/issue
Ubuntu 16.04.3 LTS \n \l


d3c3pt10n@ub16:~# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

So with this information, what questions should we be asking ourselves? What should we be searching for?

  • Are there any well known vulnerabilities for this operating system version?
  • What is the codename, are any exploits using that name instead of the version number?
  • What format are package names in on this operating system? For example, if we need the version of libssl development libraries, should we be searching for libssl-dev (Debian style), openssl-devel (RHEL style) or something else?
  • If we are on a new OS, where can we potentially read about new bugs (e.g. Ubuntu’s launchpad bug tracker).

Kernel Information

Because of the importance of the kernel to our system, we need to know as much as we can about it. g0tm1lk suggests:


cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

With this, we can get information such as:


d3c3pt10n@ub16:~# cat /proc/version
Linux version 4.4.0-101-generic (buildd@lcy01-amd64-006) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) ) #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017


d3c3pt10n@ub16:~# uname -a
Linux ub16 4.4.0-101-generic #124-Ubuntu SMP Fri Nov 10 18:29:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


d3c3pt10n@ub16:~# ls /boot | grep vmlinuz-
vmlinuz-4.4.0-101-generic
vmlinuz-4.4.0-98-generic

From here we have a few very important things to take note of:

  • What architecture is the kernel? Is it i386 (32-bit) or x86_64 (64-bit)?
  • What version is the kernel? Are there any exploits that target this version and architecture?
  • Is our initial foothold leveraging the same architecture as the target? If not, can we acquire a new shell using the correct architecture?
  • What versions of vmlinuz exist? As vmlinuz is the actual kernel file, can we potentially leverage an older one that is on the system?
Kevin Kirsche

Author Kevin Kirsche

Kevin is a Principal Security Architect with Verizon. He holds the OSCP, OSWP, OSCE, and SLAE certifications. He is interested in learning more about building exploits and advanced penetration testing concepts.

More posts by Kevin Kirsche

Leave a Reply