Table of Contents
Information
Blind Files
System
Networking
User accounts
Credentials
Configs
Determine Distro
Installed Packages
Package Sources
Finding Important Files
Covering Your Tracks
Avoiding history files
Obtain users’ information
Escalating
Looking for possible opened paths
Maintaining control
Reverse Shell
Fun if Windows is present and accessible
Stuff to be sorted
sudo -p
allows the user to define what the password prompt will be
Deleting and Destroying
Execute a remote script
Fork Bomb
Information
Blind Files
Things to pull when all you can do is blindly read files, e.g. through an LFI or directory traversal bug (don't forget %00: a trailing null byte truncates any extension the application appends).
File: contents and reason
* /etc/resolv.conf: current name servers (DNS) for the system. World-readable, and less likely to trigger IDS alerts than /etc/passwd.
* /etc/motd: message of the day.
* /etc/issue: distro name and version banner (Debian and most others); often customised.
* /etc/passwd: list of local users.
* /etc/shadow: users' password hashes (requires root).
* /home/xxx/.bash_history: gives you some directory and command context for that user.
System
Command: description and/or reason
* uname -a: kernel version, architecture, sometimes the distro
* ps aux: list all running processes
* top -b -n 1: one snapshot of the process list in batch mode (-n is the number of iterations, not lines; -d takes a delay in seconds and needs an argument)
* id: your current user, uid and groups
* arch, uname -m: processor architecture the kernel runs on
* w: who is logged in, uptime and load average
* who -a: uptime, runlevel, ttys, processes, etc.
* gcc -v: version of GCC (a compiler on the box means you can build exploits locally)
* mysql --version: version of MySQL
* perl -v: version of Perl
* ruby -v: version of Ruby
* python --version: version of Python
* df -k: mounted filesystems, size, % used, device and mount point
* mount: mounted filesystems and their mount options
* last -a: last users logged in (from wtmp)
* lastcomm: previously executed commands (only if process accounting is enabled)
* lastlog: most recent login of every user
* lastlogin: BSD equivalent of lastlog
* getenforce: status of SELinux (Enforcing, Permissive or Disabled)
* dmesg: kernel ring buffer, i.e. messages since the last boot
* lspci: all PCI buses and devices
* lsusb: all USB buses and devices
* lscpu: CPU information
* lshw: full hardware listing (may not be installed)
* cat /proc/cpuinfo: CPU details without lscpu
* cat /proc/meminfo: memory details
* du -h --max-depth=1 /: size of every top-level directory (note: can cause heavy disk I/O)
* which nmap: locate a command in $PATH (e.g. nmap or nc)
* locate bin/nmap, locate bin/nc: find the binary anywhere in the locate database
* jps -l: running Java processes with their main class or jar
* java -version: version of Java
Networking
* hostname -f
* ip addr show
* ip ro show
* ifconfig -a
* route -n
* cat /etc/network/interfaces
* iptables -L -n -v
* iptables -t nat -L -n -v
* ip6tables -L -n -v
* iptables-save
* netstat -anop
* netstat -r
* netstat -nltupw (-w adds raw sockets; -p only shows the owning PID of other users' sockets when run as root)
* arp -a
* lsof -nPi
The information returned by these commands can also be obtained by reading /proc/net/* directly (e.g. /proc/net/tcp, /proc/net/udp, /proc/net/route, /proc/net/arp). Reading files is less likely to trigger monitoring that watches for netstat, ss or ip being executed. The drawback is that the output is raw and hex-encoded, so it has to be decoded and analysed by hand.
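The decoding step for that raw /proc/net data, as an added example that is not part of the original cheat sheet. The function below takes a file in /proc/net/tcp layout (also valid for /proc/net/udp) and prints readable address, port and state columns; the sample table it is demonstrated on is constructed, not captured from a real host. It assumes IPv4 tables only: tcp6/udp6 use 32-hex-digit addresses that this code does not decode.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: decode the hex-encoded
# /proc/net/tcp (or /proc/net/udp) into "proto local remote state" lines,
# so reading /proc/net/* instead of running netstat/ss is practical.
# IPv4 only: tcp6/udp6 use 32-hex-digit addresses and are not handled here.

# decode_proc_net FILE [PROTO]
# FILE is a /proc/net/tcp-format file; PROTO is only a label for the output.
decode_proc_net() {
    awk -v proto="${2:-tcp}" '
    function hex2dec(h,    i, n) {
        n = 0
        for (i = 1; i <= length(h); i++)
            n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return n
    }
    # The kernel prints the IPv4 address little-endian: 0100007F is 127.0.0.1
    function hexip(h) {
        return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    BEGIN {
        # TCP state codes 01..0B as shown in the "st" column
        split("ESTABLISHED SYN_SENT SYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAIT CLOSE CLOSE_WAIT LAST_ACK LISTEN CLOSING", st, " ")
    }
    NR > 1 {
        split($2, l, ":"); split($3, r, ":")
        state = (hex2dec($4) in st) ? st[hex2dec($4)] : "UNKNOWN(" $4 ")"
        # $8 is the owning uid, $10 the socket inode (match it under /proc/*/fd to find the process)
        printf "%s %s:%d %s:%d %s uid=%s inode=%s\n", proto, hexip(l[1]), hex2dec(l[2]), hexip(r[1]), hex2dec(r[2]), state, $8, $10
    }' "$1"
}

# Constructed sample in the exact /proc/net/tcp layout (not from a real host):
# MySQL listening on localhost, sshd listening on all interfaces, one SSH session.
make_sample_proc_net_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 21019 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18455 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0202000A:C3B2 01 00000000:00000000 02:000A3B1C 00000000     0        0 24680 3 0000000000000000 20 4 31 10 -1
EOF
}

# Demo: decode the sample, then the live table if this host has one.
sample=$(mktemp) && make_sample_proc_net_tcp "$sample" && decode_proc_net "$sample"
rm -f "$sample"
if [ -r /proc/net/tcp ]; then decode_proc_net /proc/net/tcp tcp; fi
```

The first sample row decodes to `tcp 127.0.0.1:3306 0.0.0.0:0 LISTEN uid=112 inode=21019`. The inode column is what ties a socket back to a process without netstat -p: grep for `socket:[21019]` in the /proc/*/fd symlinks.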
User accounts
* local accounts: cat /etc/passwd
* password hashes in /etc/shadow on Linux
* password hashes in /etc/security/passwd on AIX
* groups in /etc/group (and/or /etc/gshadow on Linux)
* all accounts: getent passwd
* should dump local, LDAP, NIS, whatever the system is using
* same with getent group
* Samba’s own database: pdbedit -L -w or pdbedit -L -v
* privileged accounts: cat
* (above: cat ???)
* mail aliases: cat /etc/aliases; find /etc -name aliases; getent aliases
* NIS accounts: ypcat passwd - displays NIS password file
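A small triage of the passwd data gathered above (uid-0 accounts, accounts with a real shell, odd password fields), as an added example that is not part of the original cheat sheet. The functions take a file path so they work equally on /etc/passwd, on saved `getent passwd` output, or on a copy pulled through an LFI; the sample passwd file is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: triage a passwd-format
# file for the account questions above. Takes a file path so it works on
# /etc/passwd, on saved `getent passwd` output, or on a copy pulled via LFI.

# Every entry with uid 0 is root-equivalent, whatever it is called.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that can actually get a shell: skips the usual non-login shells.
# Prints name:uid:shell.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Password field oddities: empty (no password needed at all) or a hash kept
# in passwd itself instead of shadow (world-readable, crackable offline).
# "x" means shadowed; "*" and "!..." mean locked.
weak_passwd_fields() {
    awk -F: '
        $2 == ""                                          { print $1 ": empty password field" }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/  { print $1 ": hash stored in passwd" }
    ' "$1"
}

# Constructed sample (not from a real host) exercising each case.
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
toor:x:0:0:second root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup::1001:1001:backup service:/var/backups:/bin/sh
legacy:$1$salt$hashhashhashhashhashha:1002:1002:legacy app:/home/legacy:/bin/bash
EOF
}

# Print all three views for one passwd-format file.
passwd_report() {
    echo "uid 0:";       uid0_accounts "$1"
    echo "interactive:"; interactive_accounts "$1"
    echo "weak fields:"; weak_passwd_fields "$1"
}

# Demo on the constructed sample.
sample=$(mktemp) && make_sample_passwd "$sample" && passwd_report "$sample"
rm -f "$sample"
```

On the sample, `uid0_accounts` returns root and toor (the second uid-0 entry is the kind of thing a quick `grep root` misses), and `weak_passwd_fields` flags svc_backup (empty field) and legacy (hash in passwd). Run `passwd_report /etc/passwd` or feed it `getent passwd > /tmp/p` to cover LDAP and NIS users too.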
Credentials
* SSH keys, often passwordless: /home/*/.ssh/id*
* SSH agent: if SSH_AUTH_SOCK is set, the keys loaded into the agent can be used without ever touching the key files (ssh-add -l lists them; agent sockets live under /tmp/ssh-*/agent.*)
* Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
* PGP keys: /home/*/.gnupg/secring.gpg
Configs
* ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null # world-writable files under /etc, symlinks excluded
* cat /etc/issue{,.net}
* cat /etc/master.passwd # BSD
* cat /etc/group
* cat /etc/hosts
* cat /etc/crontab
* cat /etc/sysctl.conf
* for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
* cat /etc/resolv.conf
* cat /etc/syslog.conf
* cat /etc/chttp.conf
* cat /etc/lighttpd.conf
* cat /etc/cups/cupsd.conf
* cat /etc/inetd.conf
* cat /opt/lampp/etc/httpd.conf
* cat /etc/samba/smb.conf
* cat /etc/openldap/ldap.conf
* cat /etc/ldap/ldap.conf
* cat /etc/exports
* cat /etc/auto.master
* cat /etc/auto_master
* cat /etc/fstab
* find /etc/sysconfig/ -type f -exec cat {} \;
Determine Distro
* lsb_release -d # Generic command for all LSB distros
* /etc/os-release # Generic for distros using “systemd”
* /etc/issue # Generic but often modified
* cat /etc/*release
* /etc/SUSE-release # Novell SUSE
* /etc/redhat-release, /etc/redhat_version # Red Hat
* /etc/fedora-release # Fedora
* /etc/slackware-release, /etc/slackware-version # Slackware
* /etc/debian_release, /etc/debian_version # Debian
* /etc/mandrake-release # Mandrake
* /etc/sun-release # Sun JDS
* /etc/release # Solaris/Sparc
* /etc/gentoo-release # Gentoo
* /etc/arch-release # Arch Linux (file will be empty)
* arch # OpenBSD; sample: “OpenBSD.amd64”
* uname -a # often hints at it pretty well
Installed Packages
* RPM-based: rpm -qa --last | head
* yum list | grep installed
* Debian: dpkg -l
* dpkg -l | grep -i "linux-image" # installed kernels
* dpkg --get-selections
* {Free,Net}BSD: pkg_info
* Solaris: pkginfo
* Gentoo: equery # must be installed
* cd /var/db/pkg/ && ls -d */* # always works on Gentoo
* Arch Linux: pacman -Q
Package Sources
* cat /etc/apt/sources.list
* ls -l /etc/yum.repos.d/
* cat /etc/yum.conf
Finding Important Files
* ls -dlR */
* ls -alR | grep ^d
* find /var -type d
* ls -dl `find /var -type d`
* ls -dl `find /var -type d` | grep -v root
* find /var ! -user root -type d -ls
* find /var/log -type f -exec ls -la {} \;
* find / -perm -4000 # find all setuid files
* ls -alhtr /mnt
* ls -alhtr /media
* ls -alhtr /tmp
* ls -alhtr /home
* cd /home/; tree; ls /home/*/.ssh/*
* find /home -type f -iname '.*history'
* ls -lart /etc/rc.d/
* locate tar | grep [.]tar$ # Remember to updatedb before running locate
* locate tgz | grep [.]tgz$
* locate sql | grep [.]sql$
* locate settings | grep [.]php$
* locate config.inc | grep [.]php$
* ls /home/*/id*
* locate .properties | grep [.]properties # java config files
* locate .xml | grep [.]xml # java/.net config files
* find /sbin /usr/sbin /opt /lib $(echo "$PATH" | sed 's/:/ /g') -perm /6000 -ls # find setuid and setgid files (-perm -4000 above is setuid only)
* locate rhosts
Covering Your Tracks
Avoiding history files
* export HISTFILE=
or
* unset HISTFILE
This next one might not be a good idea: a lot of folks know to check for tampering with this file and will get suspicious if they notice it.
On the other hand, if you land on an account you did not previously have access to and its .bash_history is readable (ls -a ~), reading it can give you a good deal of information about the system and its most recent updates/changes.
Clear the history held in memory:
* history -c
* rm -rf ~/.bash_history && ln -s /dev/null ~/.bash_history (invasive)
* touch ~/.bash_history (invasive)
* <space> history -c (a leading space keeps the command itself out of history when HISTCONTROL contains ignorespace)
* zsh% unset HISTFILE HISTSIZE
* tcsh% set history=0
* bash$ set +o history
* ksh$ unset HISTFILE
* find / -type f -exec {} (incomplete as given: -exec needs a command and a terminating \; ; whatever you run over every file this way is a forensics nightmare)
Note that you're probably better off modifying or temporarily disabling history rather than deleting history files: it leaves far fewer traces and is less suspicious.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by killing the shell with kill -9 $$ so it never gets to write its history out. Sometimes the shell is configured to run history -w (or history -a) after every command, typically via PROMPT_COMMAND; get around this by overriding history with a no-op shell function. None of this helps if the shell is configured to log every command to syslog (bash can be built with that option), since the record then never passes through the history file at all.
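The checks implied by the paragraph above, as an added example that is not part of the original cheat sheet: before touching history, find out which of the described controls (read-only HISTFILE, a PROMPT_COMMAND that flushes history, a DEBUG trap, an already-replaced history command) are in place in the current shell, then apply the no-op-function workaround. It is written for POSIX sh/bash; the function and variable names are the author's own choices for this example.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet: before touching history,
# check which of the controls described above are in place in the current
# shell, then apply the described workaround. POSIX sh/bash only; zsh, tcsh
# and ksh use the variables listed above instead.

# HISTFILE (or HISTFILESIZE) marked read-only: `unset HISTFILE` will fail.
histfile_readonly() {
    readonly -p 2>/dev/null | grep -q HISTFILE
}

# PROMPT_COMMAND flushing history after every command (history -a / -w).
prompt_writes_history() {
    printf '%s\n' "${PROMPT_COMMAND:-}" | grep -qE 'history +-[aw]'
}

# `history` already replaced by a shell function: either a logging wrapper,
# or someone applied this same trick before you.
history_is_function() {
    command -V history 2>/dev/null | grep -q function
}

# A DEBUG trap (bash) is the other common per-command logging hook.
debug_trap_set() {
    trap 2>/dev/null | grep -q DEBUG
}

# Report every control as "name: yes/no" and a final "controls: N" line.
history_controls() {
    n=0
    for chk in histfile_readonly prompt_writes_history history_is_function debug_trap_set; do
        if "$chk"; then echo "$chk: yes"; n=$((n + 1)); else echo "$chk: no"; fi
    done
    echo "controls: $n"
}

# The workaround from the text: shadow `history` with a no-op so any
# PROMPT_COMMAND or DEBUG-trap flush does nothing, stop bash recording, and
# drop HISTFILE. Useless against a shell that logs every command to syslog.
disable_history_flush() {
    history() { :; }
    [ -n "${BASH_VERSION:-}" ] && set +o history   # bash only; other shells lack the option
    unset HISTFILE 2>/dev/null || :                 # silently fails if HISTFILE is read-only
}

# Demo: report on the current shell.
history_controls
```

Source the file into the interactive shell you are sitting in (`. ./histcheck.sh`, name assumed) rather than running it as a script: a child shell has its own history settings, so the report would describe the wrong shell. The `kill -9 $$` escape from the text is deliberately not wrapped in a function here, since it ends the session.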
Obtain users’ information
* ls -alh /home/*/
* ls -alh /home/*/.ssh/
* cat /home/*/.ssh/authorized_keys
* cat /home/*/.ssh/known_hosts
* cat /home/*/.*hist* # you can learn a lot from this
* find /home/*/.vnc /home/*/.subversion -type f
* grep ^ssh /home/*/.*hist*