This is a Linux penetration testing cheat sheet: commands for local enumeration checks during post-exploitation, or when exploiting issues such as command injection where you only have a limited foothold on the box.
Command | Description |
---|---|
netstat -tulpn | Show listening TCP/UDP ports together with the owning process ID (PID) on Linux. |
watch ss -stplu | Watch TCP and UDP listening sockets in real time (watch refreshes every 2 seconds). |
lsof -i | Show established network connections. |
macchanger -m MACADDR INTR | Change the MAC address of interface INTR on Kali Linux. |
ifconfig eth0 192.168.2.1/24 | Set an IP address in Linux. |
ifconfig eth0:1 192.168.2.3/24 | Add an IP address to an existing network interface in Linux. |
ifconfig eth0 hw ether MACADDR | Change the MAC address in Linux using ifconfig. |
ifconfig eth0 mtu 1500 | Change the MTU size with ifconfig, to 1500 in this example. |
dig -x 192.168.1.1 | Reverse lookup on an IP address. |
host 192.168.1.1 | Reverse lookup on an IP address, useful when dig is not installed. |
dig @192.168.2.2 domain.com -t AXFR | Perform a DNS zone transfer using dig. |
host -l domain.com nameserver | Perform a DNS zone transfer using host. |
nbtstat -A x.x.x.x | Get the NetBIOS name for an IP address (Windows tool; nmblookup -A x.x.x.x is the Linux equivalent). |
ip addr add 192.168.2.22/24 dev eth0 | Add an IP address that the net-tools ifconfig output does not list; ip addr show does list it. |
tcpkill -9 host google.com | Kill TCP connections to google.com from the host (tcpkill is part of dsniff). |
echo "1" > /proc/sys/net/ipv4/ip_forward | Enable IP forwarding, turning the Linux box into a router so traffic can be routed (and tampered with) through it. |
echo "nameserver 8.8.8.8" > /etc/resolv.conf | Use Google DNS (the nameserver keyword is required in resolv.conf). |
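The netstat and ss rows above list every listening socket; what a tester actually wants to know is which services are reachable from off the box. The following is an added example, not part of the original cheat sheet: a small POSIX sh/awk filter over `ss -tlpn` output that drops loopback-only listeners, collapses the IPv4/IPv6 duplicates, and prints port, process and bind address. The sample `ss` output is constructed for the example and assumes the modern iproute2 column layout (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port, Process).

```sh
#!/bin/sh
# Added example: triage `ss -tlpn` output for services reachable from off-box.
# Reads ss output on stdin and prints one line per unique listener that is not
# bound to loopback: "<port> <process> <bind address>".
exposed_listeners() {
    awk '
        $1 != "LISTEN" { next }                  # skip the header and non-listening rows
        {
            n = split($4, a, ":")                # text after the last ":" is the port
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not remotely reachable
            proc = "-"
            # process name sits inside users:(("name",pid=...,fd=...))
            if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
            if (!seen[port SUBSEP proc]++) print port, proc, addr   # collapse v4/v6 duplicates
        }'
}

# Constructed sample of `ss -tlpn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1204,fd=21))
LISTEN 0      511    *:80                *:*               users:(("nginx",pid=1450,fd=6))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      50     192.168.2.10:8009   0.0.0.0:*         users:(("java",pid=2001,fd=44))'

# Usage: no argument runs against the sample; --live inspects the current host.
if [ "${1:-}" = "--live" ]; then
    ss -tlpn | exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample this reports sshd on 22, nginx on 80 and the java listener on 8009 bound to 192.168.2.10, and stays silent about mysqld, which is only reachable locally (and therefore only matters once you already have a shell).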
System information commands
Useful for local enumeration checks.
Command | Description |
---|---|
whoami | Show the currently logged-in user on Linux. |
id | Show the current user's UID, GID and group memberships. |
last | Show recent logins. |
mount | Show mounted file systems. |
df -h | Show disk usage in human-readable form. |
echo "user:passwd" \| chpasswd | Reset a user's password in one line (requires root). |
getent passwd | List the users on Linux, including those from NSS sources such as LDAP. |
strings /usr/local/bin/blah | Print the printable strings inside a non-text file, such as a binary. |
uname -ar | Show the running kernel version and architecture. |
PATH=$PATH:/my/new-path | Append a directory to PATH, handy when working from an unusual location on the local file system. |
history | Show the current user's bash command history. |
Red Hat/CentOS/RPM-based distributions
Command | Description |
---|---|
cat /etc/redhat-release | Show the Red Hat or CentOS version. |
rpm -qa | List all installed RPM packages on an RPM-based Linux system. |
rpm -q --changelog openvpn | Check whether an installed RPM has been patched for a CVE; pipe through grep CVE- to filter the changelog. |
YUM commands
RPM-based systems use the yum package manager; these commands pull useful information about installed packages and other tools.
Command | Description |
---|---|
yum update | Update all RPM packages with yum; also shows what is out of date. |
yum update httpd | Update a single package, in this case httpd (Apache). |
yum install package | Install a package using yum. |
yum --exclude='kernel*' update | Update everything except packages matching a pattern, here the kernel. |
yum remove package | Remove a package using yum. |
yum erase package | Remove a package using yum (alias of remove). |
yum list package | List information about a yum package. |
yum provides httpd | Show which package provides a given file or capability, e.g., the Apache httpd server. |
yum info httpd | Show package information: architecture, version and so on. |
yum localinstall blah.rpm | Install a local RPM file with yum, resolving its dependencies from the repositories. |
yum deplist package | List a package's dependencies and the packages that provide them. |
yum list installed \| more | List all installed packages. |
yum grouplist \| more | Show all yum package groups. |
yum groupinstall 'Development Tools' | Install a yum package group. |
Debian/Ubuntu/.deb-based distributions
Command | Description |
---|---|
cat /etc/debian_version | Show the Debian version number. |
cat /etc/*-release | Show the Ubuntu version number. |
dpkg -l | List all installed packages on Debian/.deb-based Linux distributions. |
Linux user management
Command | Description |
---|---|
useradd new-user | Create a new Linux user. |
passwd username | Reset a Linux user's password; as root you just type the new password. |
deluser username | Delete a Linux user. |
Linux decompression commands
How to extract the various archive formats found on Linux (tar, zip, gzip, bzip2, etc.), plus tips for searching inside archives.
Command | Description |
---|---|
unzip archive.zip | Extract files from a zip archive on Linux. |
zipgrep *.txt archive.zip | Search inside a zip archive. |
tar xf archive.tar | Extract files from a tar archive on Linux. |
tar xvzf archive.tar.gz | Extract files from a tar.gz archive on Linux. |
tar xjf archive.tar.bz2 | Extract files from a tar.bz2 archive on Linux. |
tar ztvf file.tar.gz \| grep blah | Search the file listing of a tar.gz archive. |
gzip -d archive.gz | Extract a gzip archive on Linux. |
zcat archive.gz | Read a .gz file on Linux without decompressing it to disk. |
zless archive.gz | Page through a .gz file with less without decompressing it. |
zgrep 'blah' /var/log/maillog*.gz | Search inside .gz files on Linux, e.g., compressed log files. |
vim file.txt.gz | Use vim to read .txt.gz files (my personal favourite). |
upx -9 -o output.exe input.exe | Compress a .exe with UPX on Linux. |
Linux compression commands
Command | Description |
---|---|
zip -r file.zip /dir/* | Create a .zip file on Linux. |
tar cf archive.tar files | Create a tar archive on Linux. |
tar czf archive.tar.gz files | Create a tar.gz archive on Linux. |
tar cjf archive.tar.bz2 files | Create a tar.bz2 archive on Linux. |
gzip file | Create a .gz file on Linux. |
Linux file commands
Command | Description |
---|---|
df -h blah | Show usage of the file system that holds blah; use du -sh blah for the size of a file or directory. |
diff file1 file2 | Compare two files on Linux and show the differences. |
md5sum file | Generate an MD5 digest of a file on Linux. |
md5sum -c blah.iso.md5 | Verify a file against its MD5 digest on Linux, assuming the file and the .md5 are in the same directory. |
file blah | Identify the file type on Linux; for ELF binaries it also shows whether they are 32- or 64-bit. |
dos2unix | Convert Windows line endings (CRLF) to Unix/Linux line endings (LF). |
base64 < input-file > output-file | Base64-encode input-file and write the result to output-file. |
base64 -d < input-file > output-file | Base64-decode input-file and write the result to output-file. |
touch -r ref-file new-file | Create new-file with the timestamps copied from ref-file (timestomping); without -r, touch just creates the file or sets its timestamp to now. |
rm -rf | Delete files and directories recursively without a confirmation prompt. |
Samba commands
Connect to a Samba share from Linux.
$ smbmount //server/share /mnt/win -o user=username,password=password1
$ smbclient -U user \\\\server\\share
$ mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share
Passwords passed on the command line end up in shell history and are visible in the process list; smbclient -U user with no password prompts for it instead.
Breaking out of limited shells
Credit to G0tmi1k (or whoever he references).
Python tips:
python -c 'import pty; pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i
Misc commands
Command | Description |
---|---|
init 6 | Reboot Linux from the command line. |
gcc -o output input.c | Compile C code. |
gcc -m32 -o output input.c | Cross-compile C code to a 32-bit binary on 64-bit Linux. |
unset HISTFILE | Disable bash history logging for the current session. |
rdesktop X.X.X.X | Connect to an RDP server from Linux. |
kill -9 $$ | Kill the current shell session. |
chown user:group blah | Change the owner of a file or directory. |
chown -R user:group blah | Change the owner of a directory and everything beneath it (recursive chown). |
chmod 600 file | Change file permissions; see [Linux file system permissions](#linux-file-system-permissions). |
Clear bash history (run on the target, e.g., inside your SSH session):
$ cat /dev/null > ~/.bash_history
The running shell still writes its in-memory history to that file when it exits, so also run history -c or unset HISTFILE in the same session.
Linux file system permissions
Value | Meaning |
---|---|
777 | rwxrwxrwx: no restrictions; everyone can read, write and execute. |
755 | rwxr-xr-x: the owner has full access, everyone else can read and execute. |
700 | rwx------: full access for the owner, no access for anyone else. |
666 | rw-rw-rw-: everyone can read and write but not execute. |
644 | rw-r--r--: the owner can read and write, everyone else can only read. |
600 | rw-------: the owner can read and write, nobody else has access. |
Linux file system cheat sheet
Directory | Description |
---|---|
/ | The root of the file system, also called "slash" or root. |
/bin | Common programs shared by the system, administrators and users. |
/boot | Boot files: the boot loader (GRUB), the kernel (vmlinuz) and related files. |
/dev | Device files with special attributes, referencing the system's devices. |
/etc | Important system configuration files. |
/home | Home directories of the system's users. |
/lib | Library files for all kinds of programs needed by the system and its users. |
/lost+found | Files recovered by fsck after failed file operations are placed here. |
/mnt | Standard mount point for external file systems. |
/media | Mount point for removable media on some distributions. |
/net | Standard mount point for entire remote file systems over NFS (on some systems). |
/opt | Usually holds extra or third-party software. |
/proc | A virtual file system exposing information about system resources and running processes. |
/root | Home directory of the root user. |
/sbin | Programs used by the system and by system administrators. |
/tmp | Temporary space used by the system; normally cleared at reboot. |
/usr | Programs, libraries, documentation and so on for all user-related programs. |
/var | Variable and temporary files created by users and services: log files, mail queues, spoolers, web servers, databases and so on. |
Interesting files/directories in Linux
These are paths worth looking at when trying to escalate privileges or during post-exploitation.
Path | Description |
---|---|
/etc/passwd | Contains the local Linux users. |
/etc/shadow | Contains the hashed passwords of local accounts. |
/etc/group | Contains the local account groups. |
/etc/init.d/ | Contains service init scripts; worth checking to see exactly what is installed. |
/etc/hostname | The system hostname. |
/etc/network/interfaces | Network interface configuration. |
/etc/resolv.conf | The DNS servers used by the system. |
/etc/profile | System-wide environment variables. |
~/.ssh/ | SSH keys. |
~/.bash_history | The user's bash history log. |
/var/log/ | Where Linux log files are stored. |
/var/adm/ | Where log files are usually stored on traditional UNIX systems. |
/var/log/apache2/access.log, /var/log/httpd/access.log | Usual locations of the Apache access log. |
/etc/fstab | File systems to be mounted at boot. |
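The /etc/passwd and /etc/shadow entries above are the first two files to read, and the things to look for are always the same: a second UID-0 account, accounts that still have a login shell, accounts with no password at all, and weak hash algorithms. The following is an added example, not from the original cheat sheet or its author: two POSIX sh/awk functions that read those file formats on stdin and print only the noteworthy findings, so they work on a copy pulled off a target as well as on the live files. The sample passwd and shadow lines are constructed for the example, and the hash values in them are made up.

```sh
#!/bin/sh
# Added example: triage /etc/passwd and /etc/shadow content for the things a
# tester looks for first. Both functions read the file format on stdin.

# passwd_triage prints "uid0 <user>" for any UID-0 account that is not root
# (a classic backdoor) and "shell <user> <shell>" for every account that has
# an interactive login shell rather than nologin/false/sync/halt/shutdown.
passwd_triage() {
    awk -F: '
        NF < 7 { next }                          # skip blank or malformed lines
        $3 == 0 && $1 != "root" { print "uid0", $1 }
        $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print "shell", $1, $7 }
    '
}

# shadow_triage prints "empty <user>" for accounts with no password at all,
# "locked <user>" for disabled accounts (field starts with ! or *), and
# "hash <user> <alg>" with the crypt algorithm taken from the $id$ prefix, so
# weak md5crypt hashes stand out next to sha512crypt or yescrypt ones.
shadow_triage() {
    awk -F: '
        NF < 2 { next }                          # skip blank or malformed lines
        $2 == ""     { print "empty", $1; next }
        $2 ~ /^[!*]/ { print "locked", $1; next }
        {
            alg = "unknown"
            p = substr($2, 1, 3)
            if      (p == "$1$") alg = "md5crypt"
            else if (p == "$5$") alg = "sha256crypt"
            else if (p == "$6$") alg = "sha512crypt"
            else if (p == "$7$") alg = "scrypt"
            else if (p == "$y$") alg = "yescrypt"
            else if (substr($2, 1, 2) == "$2") alg = "bcrypt"   # $2a$, $2b$, $2y$
            print "hash", $1, alg
        }
    '
}

# Constructed sample files (not from a real host); the hashes are made up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:0:0:backup helper:/home/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc:x:1001:1001::/opt/svc:/bin/false'

SAMPLE_SHADOW='root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:$1$salty$0123456789abcdefghijklmn:19000:0:99999:7:::
svc:!:19000:0:99999:7:::'

# Usage: no argument runs against the samples; --live reads the real files
# (reading /etc/shadow needs root).
if [ "${1:-}" = "--live" ]; then
    passwd_triage < /etc/passwd
    shadow_triage < /etc/shadow
else
    printf '%s\n' "$SAMPLE_PASSWD" | passwd_triage
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_triage
fi
```

On the samples this flags backup twice (UID 0 and a bash shell) and then shows it has an empty password field, i.e. passwordless login, while alice's md5crypt hash is the obvious cracking target next to root's sha512crypt one.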