LinEnum: The Single-Script Reconnaissance Tool That Every Penetration Tester Should Know

Hook

A 2,000-line bash script with nearly 8,000 GitHub stars has been silently living on compromised Linux systems worldwide, enumerating privilege escalation vectors faster than most security professionals can manually type the commands.

Context

When you compromise a low-privilege user account during a penetration test or CTF competition, you face a critical challenge: you need to escalate privileges to root, but you're working in an unfamiliar environment with limited visibility. Manually checking for SUID binaries, weak file permissions, sudo misconfigurations, vulnerable cron jobs, exposed credentials, and dozens of other privilege escalation vectors is time-consuming and error-prone. You might spend hours typing commands like find / -perm -4000 -type f 2>/dev/null, cat /etc/crontab, and ps aux | grep root while racing against the clock.

LinEnum emerged from this operational need in the penetration testing community. Created by rebootuser, it encapsulates the collective knowledge of Linux privilege escalation checks into a single bash script that can be uploaded to a target system and executed in minutes. Before tools like LinEnum, security professionals relied on mental checklists or personal note collections of commands to run during post-exploitation enumeration. LinEnum systematized this knowledge, transforming tribal expertise into a reproducible, comprehensive reconnaissance workflow. It represents the philosophy that enumeration should be exhaustive, fast, and transferable—getting security researchers past the tedious discovery phase and into the analysis and exploitation work that actually requires human expertise.

Technical Insight

[System architecture diagram, auto-generated. Flow: LinEnum script start; parse CLI arguments; set export flag; System Information (kernel/OS/version); User Enumeration (current user/groups/sudoers); Privilege Checks (SUID/SGID binaries); File System Analysis (world-writable/config files); Service Discovery (processes/cron/network). Each stage executes standard Linux utilities (find, ps, netstat, ss, ifconfig, systemctl). If the export flag is set, results are written to a text file; otherwise they go to STDOUT. Enumeration complete.]

At its core, LinEnum is an exercise in bash scripting patterns for system reconnaissance. The script operates through sequential execution of command blocks, each targeting a specific category of privilege escalation vectors. What makes it architecturally interesting is how it balances comprehensiveness with portability—every check relies only on standard Linux utilities that exist across distributions.

The script's structure follows a logical progression from basic system information to increasingly specific privilege escalation checks. It begins with kernel version detection (to identify public exploits), then moves through user enumeration, network configuration, running processes, and file system analysis. Each section uses command substitution and conditional execution to adapt its checks based on what utilities are available. For example, the network enumeration section checks for netstat, ss, and ip commands, using whichever tools exist on the target system:

# Network interface information
if [ "$export" ]; then
  /sbin/ifconfig 2>/dev/null | tee -a "$export" 2>/dev/null
  echo "" | tee -a "$export" 2>/dev/null
else
  /sbin/ifconfig 2>/dev/null
  echo ""
fi

# Active network connections: run each tool only if the target has it
if command -v netstat >/dev/null 2>&1; then
  netstat -anop 2>/dev/null | grep -v 'TIME_WAIT'
fi
if command -v ss >/dev/null 2>&1; then
  ss -anp 2>/dev/null | grep -v 'TIME_WAIT'
fi

One of LinEnum's most valuable patterns is its approach to SUID/SGID binary discovery. Rather than simply listing these files, it cross-references them against a curated list of "interesting" binaries known to be exploitable for privilege escalation when found with elevated permissions:

# Find SUID binaries and check against known exploitable list
find / -perm -4000 -type f 2>/dev/null | while IFS= read -r filename; do
  basename="$(basename "$filename")"
  # Exact-match the basename against the interesting list (-x prevents
  # partial hits such as findmnt matching "find")
  if echo "$basename" | grep -qxE "(nmap|vim|find|bash|more|less|nano|cp)"; then
    echo "[!] SUID binary may be exploitable: $filename"
  fi
done

This pattern-matching approach reduces cognitive load during analysis. Instead of reviewing hundreds of SUID binaries, you immediately see which ones have known exploitation techniques. The script applies similar filtering to writable files, checking specifically for writable directories in PATH, writable service files, and writable startup scripts—locations where modifications directly lead to privilege escalation.
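The same cross-reference written as a small audit script, added here as an example and not LinEnum's own code: it takes a constructed SUID listing, flags exact watch-list matches (so findmnt is not mistaken for find), and, for the defender, also reports anything absent from a recorded baseline. The watch-list contents, the baseline and the sample paths are assumptions.

```shell
# Watch-list of binaries whose SUID bit is known to be abusable, taken from
# the names in the snippet above. Extend it for your own environment.
INTERESTING_SUID='nmap vim find bash more less nano cp'

# Recorded baseline of SUID files expected on this host (constructed sample).
SUID_BASELINE='/usr/bin/passwd /usr/bin/findmnt /usr/bin/find /usr/bin/sudo'

# Constructed sample of `find / -perm -4000 -type f` output, not a live host.
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/findmnt
/usr/bin/find
/usr/bin/sudo
/usr/bin/newgrp
/usr/local/bin/bash'

# flag_interesting_suid LIST
# Prints paths whose basename is an exact member of the watch-list. Exact
# matching matters: a substring match would also flag findmnt as "find".
flag_interesting_suid() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    name=${path##*/}
    for wanted in $INTERESTING_SUID; do
      if [ "$name" = "$wanted" ]; then
        printf '%s\n' "$path"
        break
      fi
    done
  done
}

# suid_not_in_baseline LIST
# The defender's complement: prints paths absent from the recorded baseline,
# since a SUID binary that was not there yesterday deserves an alert whatever
# its name.
suid_not_in_baseline() {
  printf '%s\n' "$1" | while IFS= read -r path; do
    known=0
    for expected in $SUID_BASELINE; do
      if [ "$path" = "$expected" ]; then known=1; fi
    done
    if [ "$known" -eq 0 ]; then printf '%s\n' "$path"; fi
  done
}
```

Run both functions over the same listing and the outputs differ: the watch-list catches the abusable names, the baseline diff catches the unexpected additions.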

The export functionality demonstrates another architectural decision: optional output persistence. By using the -e flag with a file path, every command's output is piped through tee, simultaneously displaying results and writing them to disk. This dual-output pattern allows real-time monitoring during script execution while preserving complete results for later analysis:

if [ "$export" ]; then
  # Create the output directory if needed, then announce the destination
  mkdir -p "$(dirname "$export")" 2>/dev/null
  echo "[+] Results will be saved to: $export" | tee -a "$export"
fi

LinEnum also includes temporal checks that many manual enumerations miss. It examines recently modified files, analyzes cron jobs with timestamps, and checks for shells spawned by non-standard users—temporal anomalies that often indicate security misconfigurations or active attack vectors. The script uses find with time-based predicates to surface files modified in the last 10 minutes, which can reveal active administrative work or configuration changes you might exploit.

The controversial -s flag for sudo checking illustrates LinEnum's CTF-first design philosophy. This option prompts for the current user's password and tests sudo -l to enumerate sudo privileges. While operationally useful in CTFs where you've obtained credentials, it's insecure for real-world engagements because it requires plaintext password input and creates sudo authentication logs. This design choice reflects the tool's origins in competitive hacking scenarios where speed matters more than operational security.

Gotcha

LinEnum's most significant limitation is its output verbosity without intelligent prioritization. The script dumps thousands of lines of text output covering every check it performs, leaving you to manually sift through information to identify actual privilege escalation paths. There's no severity scoring, no color-coding in the base script, and no automated filtering of false positives. In a real engagement, you'll find yourself scrolling through extensive file listings, process tables, and configuration dumps trying to identify the signal in the noise. Modern alternatives like linPEAS have addressed this with colored output and severity levels—LinEnum shows its age by treating all findings equally.

The script is also inherently noisy from a defensive perspective. It spawns dozens of processes, reads hundreds of files, and generates significant disk I/O. Any decent EDR solution or system monitoring will detect LinEnum's execution pattern. The find commands that recursively search the entire filesystem are particularly conspicuous. There's no attempt at evasion or stealth—LinEnum assumes you're either in a CTF environment where detection doesn't matter or in a penetration test where your scope allows loud reconnaissance. Additionally, the lack of structured output formats (JSON, XML, CSV) makes it difficult to integrate LinEnum into automated security workflows or parse results programmatically. It's fundamentally a human-readable tool designed for manual analysis rather than automated security pipelines.
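One way to turn that conspicuous execution pattern into a detection, added here as an example (it is not from LinEnum or any EDR product): a sliding-window count of enumeration-style commands per session over constructed process-execution events. The event field layout, the command patterns and the thresholds are assumptions.

```shell
# Constructed sample of process-execution telemetry (the kind an auditd
# execve rule or an EDR would export), not real data. Events are assumed to
# be sorted by time. Fields: epoch_seconds  session_id  command line
SAMPLE_EVENTS='1700000000 s1 find / -perm -4000 -type f
1700000003 s1 cat /etc/crontab
1700000005 s1 netstat -anop
1700000006 s1 ss -anp
1700000008 s1 ps aux
1700000009 s1 find / -writable -type d
1700000400 s2 cat /etc/crontab
1700000950 s2 ps aux'

# Commands characteristic of the checks described above. Any one of them is
# routine admin work; several within a short window is the LinEnum pattern.
ENUM_PATTERNS='^find / -perm -4000|^find / -writable|^cat /etc/crontab|^netstat -anop|^ss -anp|^ps aux'

# detect_enum_bursts EVENTS WINDOW_SECONDS THRESHOLD
# Prints each session id (sorted) that ran at least THRESHOLD matching
# commands within some WINDOW_SECONDS span (sliding window per session).
detect_enum_bursts() {
  printf '%s\n' "$1" | awk -v pat="$ENUM_PATTERNS" -v win="$2" -v thr="$3" '
    {
      ts = $1; sid = $2; cmd = $3
      for (i = 4; i <= NF; i++) cmd = cmd " " $i
      if (cmd !~ pat) next
      n[sid]++
      t[sid, n[sid]] = ts                  # timestamp of the k-th match
      # compare this match with the one THRESHOLD-1 matches earlier
      if (n[sid] >= thr && ts - t[sid, n[sid] - thr + 1] <= win)
        flagged[sid] = 1
    }
    END { for (sid in flagged) print sid }' | sort
}
```

Session s1 runs six checks in nine seconds and trips a 4-in-60s rule; s2, two commands nine minutes apart, does not.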

Verdict

Use if: you're conducting penetration tests or playing CTF competitions where you need comprehensive Linux privilege escalation enumeration with minimal setup—just upload one bash script and run it. LinEnum excels in scenarios where you want exhaustive coverage of potential vectors and don't mind manually analyzing verbose output. It's particularly valuable for learning Linux privilege escalation patterns since reading through its checks teaches you what to look for. Also use it in environments where you can't install Python or other dependencies, since it runs on pure bash with standard utilities.

Skip if: you need automated exploit suggestions, require structured output for toolchain integration, need stealthy reconnaissance (this script is extremely noisy), or want prioritized findings rather than comprehensive dumps. Modern alternatives like linPEAS provide significantly better user experience with colored output and severity ratings. Skip it for professional engagements where clients expect polished reports, since you'll spend considerable time post-processing LinEnum's raw output into actionable findings. Also skip if you're looking for active exploitation capabilities—LinEnum only identifies vectors, never attempts to exploit them.