Linux Commands
Recon
whois
$ whois [-h whois_server] name
nslookup
$ nslookup <target>
dig
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
$ dig [@server] <name> [type]
- Zone transfer
$ dig [@server] <domain> -t AXFR
- Incremental zone transfer
$ dig [@server] <domain> -t IXFR=<N>
BiLE.pl
$ ./BiLE <target> <result_file>
$ ./BiLE-weigh.pl <site_of_interest> <BiLE_output.mine>
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl
Scanning
tcpdump
Parameters
- -n -- use numbers
- -i <interface>
- -v -- be verbose
- -r <file>/-w <file> -- read from/write to file
- -x -- print hex
- -A -- print ASCII
- -X -- print hex and ASCII
- -s <snaplen> -- length to capture (-s0 for all data)
Filter string
- Protocol
- ether, ip, ip6, arp, rarp, tcp, udp
- Type
- host <host>
- net <network>
- port <portnum>
- portrange <start-end>
- Direction
- src
- dst
- Logic
- and
- or
- Show TCP against target 10.10.10.10 in ASCII
tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
- Show all UDP from 10.10.10.10
tcpdump [-i tap0] -n udp and src 10.10.10.10
- Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10
hping3
TCP Flags
- --syn, --fin, --rst, --push, --ack, --urg
Target selection
- --rand-dest
- --interface <int>
Source selection
- --spoof <hostname>
- --rand-source
Port selection
- --destport <port>
- --destport +<port> -- increment by one for each packet received
- --destport ++<port> -- increment by one for each packet sent
- --scan <portrange>
- --baseport <port>
- --keep -- don't increment the source port
Speed options
- --fast, --faster, --flood
- --interval <N> -- interval in seconds
- --interval u<N> -- interval in microseconds
Other options
- --count <N>
- --beep
- --file <filename>
- --data <N>
traceroute
Parameters
- -f <N> -- Initial TTL
- -g <hostlist> -- Loose source route
- -I -- use ICMP Echo instead of UDP
- -m <N> -- maximum number of hops (default 30)
- -n -- numeric
- -p <baseport> -- set the base UDP port
- -w <N> -- wait N seconds (default 5)
Layer Four Traceroute (lft)
http://pwhois.org/lft/index.who
Options
- -u -- use UDP
- -p -- use ICMP echo
- -d <port> -- destination port (default 80)
- -s <port> -- source port
- -L <N> -- length (including layer 3/4 header)
- -A -- look up AS number
- -P -- traceroute via tcp
nmap
Pinging
- -PN -- don't ping
- -PB -- default, ICMP Echo + TCP to port 80
- -PE -- ICMP Echo request
- -PS[portlist] -- TCP SYN
- -PP -- ICMP Timestamp request
- -PM -- ICMP Address Mask request
- -PR -- default on subnet, use ARP to identify hosts
Scanning
- -sT -- TCP Connect scan
- -sS -- SYN scan
- -sA -- ACK scan
- -sF -- FIN scan
- -sN -- Null scan
- -sX -- Xmas Tree scan
- -sM -- Maimon scan
- --scanflags -- specify your own flags
- -sU -- UDP scan
Fingerprinting
- -O -- OS fingerprint
- -sV -- Version scan
Scripts
- -sC -- run all scripts
- --script=<category,dir,src,etc>
- --script-trace
Timing
- --paranoid, --sneaky, --polite, --normal, --aggressive, --insane
- --host_timeout, --max_rtt_timeout, --min-rtt-timeout, --initial_rtt_timeout, --max-parallelism, --scan_delay
Other options
- -p<ports>
- -F -- fast (checks only ports in nmap-services)
- --packet-trace
- --traceroute
- --badsum
THC amap
Options
- -q -- quiet (omit closed ports)
- -v -- verbose
- -b -- print banners
Example:
amap -bqv 10.10.10.10 1-50
Enumerating users
Commands
$ cat /etc/passwd
$ finger
$ who
$ w
Remotely:
$ finger @<target>
netcat
Options
- -l -- listen mode
- -L -- listen harder (Windows only)
- -u -- UDP mode
- -p -- local port (in listen mode, the port to listen on)
- -e -- program to execute
- -n -- don't resolve names
- -z -- don't send any data
- -w<N> -- timeout for connects
- -v/-vv -- be verbose
Scanning
echo "" | nc -v -n -w1 <target> <port-range>
Exploitation
Finding SetUID/SetGID programs
find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in $(locate -r "bin$"); do find "$i" -type f \( -perm -4000 -o -perm -2000 \) -print; done
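The find expressions above list every setuid/setgid file once; on a system you administer, the useful follow-up is to keep that listing as a baseline and report only what has changed since. The script below is an added example, not from the original page: it wraps the same `-perm -4000 -o -perm -2000` test in reusable functions, saves a sorted baseline, and prints any privileged file that was not in it. The directory names, the baseline file path and the files created in the demonstration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original page): audit setuid/setgid files under
# the given directories and compare the result with a saved baseline so that a
# newly appeared privileged binary stands out. Paths used below are assumptions.

# List setuid/setgid regular files under the given roots, one path per line,
# sorted so the output is stable enough to compare with comm(1).
list_privileged_files() {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    # -xdev: stay on the starting filesystem (skip /proc, network mounts, etc.)
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Save a baseline listing for later comparison.
# Usage: save_baseline BASELINE_FILE DIR...
save_baseline() {
    baseline="$1"; shift
    list_privileged_files "$@" > "$baseline"
}

# Print privileged files present now but absent from the baseline.
# Usage: new_privileged_files BASELINE_FILE DIR...
# comm -13 suppresses lines unique to the baseline (file 1) and lines common
# to both, leaving only lines unique to the current listing (stdin).
new_privileged_files() {
    baseline="$1"; shift
    list_privileged_files "$@" | comm -13 "$baseline" -
}

# Constructed demonstration (no real system paths): build a scratch tree with
# one setuid and one setgid file, take a baseline, then add a second setuid
# file and show that only the new one is reported.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bin"
    : > "$tmp/bin/su_like"; chmod 4755 "$tmp/bin/su_like"   # setuid
    : > "$tmp/bin/sg_like"; chmod 2755 "$tmp/bin/sg_like"   # setgid
    : > "$tmp/bin/plain";   chmod 0755 "$tmp/bin/plain"     # ordinary file
    save_baseline "$tmp/baseline.txt" "$tmp/bin"
    : > "$tmp/bin/dropped"; chmod 4755 "$tmp/bin/dropped"   # appears after the baseline
    new_privileged_files "$tmp/baseline.txt" "$tmp/bin"      # prints only .../bin/dropped
    rm -rf "$tmp"
}
demo
```

For a real host, run `save_baseline /var/lib/suid-baseline /usr /bin /sbin` (or whatever roots match the find commands above) once from a known-good state, and schedule `new_privileged_files` against that baseline; any output is a file that gained a setuid/setgid bit since the baseline and deserves a look.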
Metasploit
Running an exploit
msf> show exploits
msf> use exploit/windows/smf/ms05_039_php
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit
Interacting with sessions
msf> sessions -l
msf> sessions -i <N>
Meterpreter
Filesystem commands
> cd
> lcd
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl <enable/disable> <keyboard/mouse>
Modules
> use <modulename>
> use priv
> hashdump
> timestomp