User Reconnaissance
Track users. Identify infiltrators. Audit access history.
CLASSIFIED SCENARIO
MAJESTIC-12 files were accessed from an unauthorized terminal at a black site. Security logs indicate an insider threat. Your mission: audit user accounts, trace login history, and identify the mole who accessed classified materials at 0347 hours.
Why User Reconnaissance Matters
Users leave trails. Every login, every session, every group membership tells a story. Understanding user context is essential for:
- Incident response - Who was logged in during the breach?
- Privilege assessment - What can this account access?
- Lateral movement tracking - How did the attacker spread?
- Insider threat detection - Who's accessing what they shouldn't?
What User Data Reveals
- Login times - Off-hours access is suspicious
- Source IPs - External IPs on internal accounts
- Group memberships - Unexpected privileges
- Failed logins - Brute force or password guessing
- Concurrent sessions - Account sharing or compromise
Core User Commands
whoami / id
Current user identity and group memberships. First step in situational awareness.
groups
Show group memberships. Critical for understanding access levels.
w / who
Currently logged-in users. Real-time session monitoring.
last
Login history from /var/log/wtmp. Track who logged in when.
lastlog
Last login time for all users. Find dormant or suspicious accounts.
Command Deep Dive
id - Full Identity
```
$ id
uid=1000(operator) gid=1000(operator) groups=1000(operator),27(sudo),999(docker)
```
[INTEL] User is in the sudo group - can run commands as root through sudo
[INTEL] User is in the docker group - effectively root-equivalent, since the root-owned Docker daemon will mount the host filesystem into any container this user starts
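The privilege assessment above can be scripted so it is repeatable across hosts. The following is an added example, not part of the original page: it parses an `id` line, compares each group against a list of groups that this example treats as root-equivalent (the list and the sample `id` output are assumptions; tune the list per distro), and prints one `[INTEL]` line per hit.

```shell
#!/bin/sh
# Added example: flag root-equivalent group memberships in `id` output.
# PRIVILEGED_GROUPS is an assumption for this example, not a fixed standard:
#   sudo/wheel/admin -> the sudo policy usually grants full root
#   docker/lxd       -> can start a container with the host filesystem mounted
#   disk             -> raw read/write access to block devices
#   adm              -> read access to most of /var/log (sensitive, not root)
PRIVILEGED_GROUPS="sudo wheel admin docker lxd disk adm"

# Constructed sample of `id` output (no real host behind it).
SAMPLE_ID='uid=1000(operator) gid=1000(operator) groups=1000(operator),27(sudo),999(docker)'

# group_names: print one group name per line from an `id` line.
# "groups=1000(operator),27(sudo),999(docker)" -> operator / sudo / docker
group_names() {
    printf '%s\n' "$1" \
      | sed -n 's/.*groups=//p' \
      | tr ',' '\n' \
      | sed -n 's/^[0-9]*(\([^)]*\))$/\1/p'
}

# privileged_memberships: the subset of the user's groups that appear in
# PRIVILEGED_GROUPS, space-separated on one line (empty if none).
privileged_memberships() {
    found=""
    for g in $(group_names "$1"); do
        for p in $PRIVILEGED_GROUPS; do
            if [ "$g" = "$p" ]; then
                found="${found:+$found }$g"
            fi
        done
    done
    printf '%s\n' "$found"
}

# audit_id: human-readable verdict, one [INTEL] line per privileged group.
audit_id() {
    hits=$(privileged_memberships "$1")
    if [ -z "$hits" ]; then
        echo "[OK] no root-equivalent groups"
        return 0
    fi
    for g in $hits; do
        echo "[INTEL] member of '$g' - treat as root-equivalent, confirm it is intended"
    done
    return 0
}

audit_id "$SAMPLE_ID"
# Against the live shell user instead: audit_id "$(id)"
```

Only the group names are compared, not the numeric GIDs, because GIDs for groups like `docker` differ between distributions while the names are stable.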
w - Real-Time Sessions
```
$ w
 03:47:12 up 47 days,  2:31,  3 users,  load average: 0.15, 0.21, 0.18
USER     TTY      FROM             LOGIN@   IDLE    WHAT
admin    pts/0    10.0.0.50        03:30    0.00s   -bash
analyst  pts/1    10.0.0.75        02:15    1:32m   vim report.txt
mole     pts/2    192.168.1.99     03:47    0.00s   cat /classified/MAJESTIC-12
```
[ALERT] Unknown user 'mole' accessing MAJESTIC files at 03:47!
[ALERT] Connection from unusual IP 192.168.1.99
last - Login History
```
$ last -n 10
mole     pts/2    192.168.1.99     Mon Jan 15 03:47   still logged in
analyst  pts/1    10.0.0.75        Mon Jan 15 02:15   still logged in
admin    pts/0    10.0.0.50        Mon Jan 15 03:30   still logged in
admin    pts/0    10.0.0.50        Sun Jan 14 22:00 - 23:15  (01:15)
mole     pts/3    192.168.1.99     Sun Jan 14 03:45 - 04:02  (00:17)
```
[PATTERN] 'mole' only logs in between 03:00-04:00 - off-hours access!
[INTEL] Same source IP each time: 192.168.1.99, on a different subnet from every other session
lastlog - Account Overview
```
$ lastlog
Username         Port     From             Latest
root             pts/0    10.0.0.1         Mon Jan  8 09:00:00 -0500 2024
admin            pts/0    10.0.0.50        Mon Jan 15 03:30:00 -0500 2024
analyst          pts/1    10.0.0.75        Mon Jan 15 02:15:00 -0500 2024
mole             pts/2    192.168.1.99     Mon Jan 15 03:47:00 -0500 2024
oldadmin                                   **Never logged in**
```
[INTEL] 'oldadmin' never logged in - dormant account, possible backdoor
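The three hunts above (off-hours sessions in `last`, a source address that does not belong, and never-used accounts in `lastlog`) can be run as one script over saved output. The following is an added example, not part of the original page. Its business-hours window (08:00-17:59), trusted source prefix (10.0.0.0/24) and the sample `last`/`lastlog` lines are all assumptions constructed from the scenario. It also goes one step beyond the page: every operator in the sample logged in off-hours, so the script correlates the off-hours and untrusted-source signals and only reports accounts that trigger both.

```shell
#!/bin/sh
# Added example: hunt for the patterns above in `last` and `lastlog` output.
# Assumptions for this example (not from the page): business hours are
# 08:00-17:59, and legitimate operators come from the 10.0.0.0/24 subnet.
BUSINESS_START=8
BUSINESS_END=18          # exclusive
TRUSTED_PREFIX="10.0.0."

# Constructed `last -n` style lines: user tty from dow mon day HH:MM ...
SAMPLE_LAST='mole pts/2 192.168.1.99 Mon Jan 15 03:47 still logged in
analyst pts/1 10.0.0.75 Mon Jan 15 02:15 still logged in
admin pts/0 10.0.0.50 Mon Jan 15 03:30 still logged in
admin pts/0 10.0.0.50 Sun Jan 14 22:00 - 23:15 (01:15)
mole pts/3 192.168.1.99 Sun Jan 14 03:45 - 04:02 (00:17)'

# Constructed `lastlog` style lines.
SAMPLE_LASTLOG='Username Port From Latest
root pts/0 10.0.0.1 Mon Jan 8 09:00:00 -0500 2024
admin pts/0 10.0.0.50 Mon Jan 15 03:30:00 -0500 2024
mole pts/2 192.168.1.99 Mon Jan 15 03:47:00 -0500 2024
oldadmin **Never logged in**'

# off_hours_logins: "user HH:MM from" for each session that started outside
# business hours. Reads `last` lines on stdin; skips reboot/wtmp lines.
off_hours_logins() {
    awk -v start="$BUSINESS_START" -v end="$BUSINESS_END" '
        $1 != "reboot" && $1 != "wtmp" && NF >= 7 &&
        $7 ~ /^[0-9][0-9]:[0-9][0-9]$/ {
            hour = substr($7, 1, 2) + 0
            if (hour < start || hour >= end) print $1, $7, $3
        }'
}

# untrusted_sources: "user from" for sessions whose IPv4 source is not on the
# trusted prefix; one line per distinct user/source pair. Reads stdin.
untrusted_sources() {
    awk -v prefix="$TRUSTED_PREFIX" '
        $1 != "reboot" && $1 != "wtmp" && NF >= 3 &&
        $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
        index($3, prefix) != 1 && !seen[$1 " " $3]++ { print $1, $3 }'
}

# never_logged_in: account names whose lastlog entry is "**Never logged in**".
never_logged_in() {
    awk '/\*\*Never logged in\*\*/ { print $1 }'
}

# suspicious_users: accounts that are BOTH off-hours AND from an untrusted
# source. Either signal alone is noisy (admin is off-hours too); together
# they isolate the account worth investigating. Takes `last` text as $1.
suspicious_users() {
    off=$(printf '%s\n' "$1" | off_hours_logins | awk '{print $1}' | sort -u)
    ext=$(printf '%s\n' "$1" | untrusted_sources | awk '{print $1}' | sort -u)
    for u in $off; do
        for e in $ext; do
            if [ "$u" = "$e" ]; then echo "$u"; fi
        done
    done
}

audit_logins() {
    echo "== off-hours sessions (outside ${BUSINESS_START}:00-${BUSINESS_END}:00) =="
    printf '%s\n' "$SAMPLE_LAST" | off_hours_logins
    echo "== sessions from outside ${TRUSTED_PREFIX}0/24 =="
    printf '%s\n' "$SAMPLE_LAST" | untrusted_sources
    echo "== off-hours AND untrusted source =="
    suspicious_users "$SAMPLE_LAST"
    echo "== accounts that never logged in =="
    printf '%s\n' "$SAMPLE_LASTLOG" | never_logged_in
}

audit_logins
# On a live host, feed real output instead: last -n 50 | off_hours_logins
```

Note that `last` prints hostnames rather than addresses when reverse DNS succeeds; the IPv4 match in `untrusted_sources` deliberately ignores those, so run `last -i` (numeric addresses) when using it on real data.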
Quick Reference
| Command | Purpose | Key Info |
|---|---|---|
| whoami | Current username | Simple identity check |
| id | UID, GID, groups | Full privilege context |
| groups | Group memberships | Access level assessment |
| w | Logged-in users | Real-time + what they're doing |
| who | Logged-in users | Simpler than w |
| last | Login history | Historical sessions |
| lastlog | Last login per user | Find dormant accounts |
Ready to Hunt the Mole?
Test your user tracking skills, then audit the black site logs.