Below are some useful Linux commands for penetration testing, target reconnaissance and capability assessment. Use them for good, not for evil.
traceroute:
$ traceroute <target>
$ traceroute google.com
traceroute to google.com (213.157.177.157), 24 hops max, 52 byte packets
1 192-168-1-110.x.com (192.168.1.110) 9.403 ms 7.301 ms 3.264 ms
2 10.10.10.10 (10.10.10.10) 47.823 ms 3.649 ms 2.436 ms
... etc ...
whois:
$ whois [-h whois_server] <name>
$ whois google.com
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Aborting search 50 records found .....
GOOGLE.COM.ACKNOWLEDGES.NON-FREE.COM
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM.ANGRYPIRATES.COM
GOOGLE.COM.AR
... etc ...
nslookup:
$ nslookup <target>
$ nslookup google.com
Server: 192.168.1.110
Address: 192.168.1.110#53
Non-authoritative answer:
Name: google.com
Address: 213.157.177.157
Name: google.com
Address: 213.157.177.158
Name: google.com
Address: 213.157.177.162
... etc ...
dig:
$ dig [@server] <name> [record_type]
$ dig [@server] <domain> -t IXFR=<N>
$ dig google.com MX
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61593
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN MX
;; ANSWER SECTION:
google.com. 60 IN MX 20 alt1.aspmx.l.google.com.
google.com. 60 IN MX 30 alt2.aspmx.l.google.com.
google.com. 60 IN MX 40 alt3.aspmx.l.google.com.
google.com. 60 IN MX 50 alt4.aspmx.l.google.com.
google.com. 60 IN MX 10 aspmx.l.google.com.
... etc ...
Dump the ARP table of a SNMP server:
$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump
Show all TCP port 80 packets going to or from the specified IP:
$ tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10
Enumerate local users:
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
... etc ...
$ finger
Login Name Tty Idle Login Time Office Office Phone
root root *pts/0 March 19 11:13 (10.10.10.10)
$ who
root pts/0 2017-05-09 11:13 (10.10.10.10)
$ w
11:18:56 up 169 days, 11:18, 1 user, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 10.10.10.10 11:13 0.00s 0.02s 0.00s w
Enumerate remote users:
$ finger @<remote>
Scan the target’s specified port range:
$ echo "" | nc -v -n -w1 <target> <port-range>
Find SetUID or SetGID binaries:
$ find / -type f \( -perm -4000 -o -perm -2000 \) -print
Mounting a Samba drive:
$ smbmount //<target>/<share> <mountpoint> -o username=<username>
$ smbmount //10.10.10.10/c$ /mnt/target -o username=administrator
Find any open Samba shares:
$ nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24
Add a normal user:
$ useradd <name>
Add a root user:
$ useradd -o -u 0 <name>
Manual fingerprinting and banner grabbing:
$ nc -v 192.168.1.1 25
$ telnet 192.168.1.1 25
And while at it, grab the SSH server version too (if running):
$ nc -v 192.168.1.1 22
Connection to 192.168.1.1 port 22 [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
Fingerprint Samba version too:
$ smbclient -L //192.168.1.1
Quickly determine if a port is open or closed using just bash:
$ (: </dev/tcp/127.0.0.1/443) &>/dev/null && echo "OPEN" || echo "CLOSED"
Start a simple web server, depending on what is installed (python, python3, php or ruby):
$ python -m SimpleHTTPServer 80
$ python3 -m http.server
$ php -S 0.0.0.0:80
$ ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
Spawn a TTY shell from a limited shell in Linux using Python:
$ python -c 'import pty;pty.spawn("/bin/bash")'
Spawn a TTY shell from a limited shell in Linux using Perl:
$ perl ---e 'exec "/bin/sh";'
Download all documents and images from a web page address:
$ wget -A pdf,jpg,png,gif,bmp,doc,docx -m -r -np --convert-links --execute="robots = off" <address>
Encrypt a file using gpg:
$ gpg --encrypt --sign -r you@email <filename>
Decrypt a file using gpg:
$ gpg -d <filename>
Perform a request to a remote address every 5 seconds (download a file, whatever), until you press CTRL + C:
$ while true; do wget <address>; sleep 5; done
Dump all MySQL databases:
$ mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql
Use nikto to scan a host using a proxy server and output fingerprinted info to a file:
$ perl nikto.pl -host <ip_or_hostname> -useproxy <proxy_address> -output <filename>
Use wpscan to scan a Wordpress install and output fingerprinted into to a file:
$ ruby wpscan.rb --url <address> --enumerate 2> <filename>
Use sqlmap to grab the database banner, if possible:
$ ./sqlmap.py --url="<address>" --data="<post-data>" --banner
Grab the HTTP headers:
$ curl -LIN <address>
$ curl -LIN google.com
HTTP/1.1 200 OK
Date: Tue, 19 March 2017 13:12:48 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
... etc ...
Generate a MD5 hash of the specified string:
$ echo -n "This is the text" | openssl md5
(stdin)= 4da8333008320dd94d593f3211df63ab
Generate a SHA hash of the specified string:
$ echo -n "This is the text" | openssl sha
(stdin)= 0dc9696177e9786de95a1caee349a7a6da70a614