Merge pull request #22 from wireghoul/master

Updates to linux section for blind files

linux/blind.md

@@ -1,4 +1,3 @@
-
 # Linux Blind Files
 
 In some cases during exploitation you as an attacker gain the ability to read arbitrary files. As an attacker you need go-to files that cover as many different OS versions as possible in order to either confirm exploitation or gather intelligence on the exploited system. For this we use a "blind file".
@@ -8,8 +7,23 @@ The files below are things to pull when all you can do is to blindly read. Examp
 | File     | Description / Importance |
 | -------- | ------------------------ |
 | `/etc/issue` | A message or system identification to be printed before the login prompt. |
-| `/etc/motd` | Message of the day banner content. Can contain information about the system owners or use of the system. | 
-| `/etc/passwd` | List of account names, groups, home directory, and shell (should be globally readable). |
+| `/etc/motd` | Message of the day banner content. Can contain information about the system owners or use of the system. |
+| `/etc/passwd` | List of account names, groups, home directory, and shell (should be globally readable). May also contain password hashes. |
+| `/etc/group` | User groups. |
 | `/etc/resolv.conf` | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than `/etc/passwd`. |
-| `/etc/shadow` | List of all user's password hashes (requires root). |
-| `/home/[USERNAME]/.bash_history`<br>`~/.bash_history`<br>`/root/.bash_history` | Shell history for [USERNAME], the current user or root respectively. This file can contain passwords and other sensitive commands and content. |
+| `/etc/shadow` | List of all shadowed user's password hashes (usually requires root privileges). |
+| `/home/[USERNAME]/.bash_history`<br>`~/.bash_history`<br>`$USER/.bash_history`<br>`/root/.bash_history` | Shell (bash) history for [USERNAME], the current user or root respectively. This file can contain passwords and other sensitive commands and content. It's worth trying .profile instead of .bash_history in case the user doesn't use bash |
+
+# Information discovery through blind files
+
+When using blind files, it is often possible to mine known files for other paths or configuration. This can disclose what services are running, how they are configured and more. The following is some files that are worth looking at.
+
+| File     | Description / Importance |
+| -------- | ------------------------ |
+| `/etc/mtab` | Reveals mount points. |
+| `/etc/inetd.conf` | Configuration file for inetd based services, mostly deprecated these days. |
+| ... | ... |
+
+# More files
+It is worth automating the extraction of files, either using a dictionary attack or even bruteforce to discover unknown files.
+A list of file paths to try can be found  [here](pillage.lst).

linux/pillage.lst

@@ -0,0 +1,191 @@
+/apache/logs/access.log
+/apache/logs/error.log
+/bin/php.ini
+/etc/alias
+/etc/apache2/apache.conf
+/etc/apache2/conf/httpd.conf
+/etc/apache2/httpd.conf
+/etc/apache/conf/httpd.conf
+/etc/bash.bashrc
+/etc/chttp.conf
+/etc/crontab
+/etc/crypttab
+/etc/debian_version
+/etc/exports
+/etc/fedora-release
+/etc/fstab
+/etc/ftphosts
+/etc/ftpusers
+/etc/group
+/etc/group-
+/etc/hosts
+/etc/http/conf/httpd.conf
+/etc/httpd.conf
+/etc/httpd/conf/httpd.conf
+/etc/httpd/httpd.conf
+/etc/httpd/logs/acces_log
+/etc/httpd/logs/acces.log
+/etc/httpd/logs/access_log
+/etc/httpd/logs/access.log
+/etc/httpd/logs/error_log
+/etc/httpd/logs/error.log
+/etc/httpd/php.ini
+/etc/http/httpd.conf
+/etc/inetd.conf
+/etc/inittab
+/etc/issue
+/etc/issue.net
+/etc/lighttpd.conf
+/etc/login.defs
+/etc/mandrake-release
+/etc/motd
+/etc/mtab
+/etc/my.cnf
+/etc/mysql/my.cnf
+/etc/openldap/ldap.conf
+/etc/os-release
+/etc/pam.conf
+/etc/passwd
+/etc/passwd-
+/etc/password.master
+/etc/php4.4/fcgi/php.ini
+/etc/php4/apache2/php.ini
+/etc/php4/apache/php.ini
+/etc/php4/cgi/php.ini
+/etc/php5/apache2/php.ini
+/etc/php5/apache/php.ini
+/etc/php5/cgi/php.ini
+/etc/php/apache2/php.ini
+/etc/php/apache/php.ini
+/etc/php/cgi/php.ini
+/etc/php.ini
+/etc/php/php4/php.ini
+/etc/php/php.ini
+/etc/profile
+/etc/proftp.conf
+/etc/proftpd/modules.conf
+/etc/protpd/proftpd.conf
+/etc/pure-ftpd.conf
+/etc/pureftpd.passwd
+/etc/pureftpd.pdb
+/etc/pure-ftpd/pure-ftpd.conf
+/etc/pure-ftpd/pure-ftpd.pdb
+/etc/pure-ftpd/pureftpd.pdb
+/etc/redhat-release
+/etc/resolv.conf
+/etc/samba/smb.conf
+/etc/security/environ
+/etc/security/group
+/etc/security/limits
+/etc/security/passwd
+/etc/security/user
+/etc/shadow
+/etc/shadow-
+/etc/slackware-release
+/etc/sudoers
+/etc/SUSE-release
+/etc/sysctl.conf
+/etc/vhcs2/proftpd/proftpd.conf
+/etc/vsftpd.conf
+/etc/vsftpd/vsftpd.conf
+/etc/wu-ftpd/ftpaccess
+/etc/wu-ftpd/ftphosts
+/etc/wu-ftpd/ftpusers
+/logs/access.log
+/logs/error.log
+/opt/apache2/conf/httpd.conf
+/opt/apache/conf/httpd.conf
+/opt/xampp/etc/php.ini
+/php4\php.ini
+/php5\php.ini
+/php\php.ini
+/PHP\php.ini
+/private/etc/httpd/httpd.conf
+/private/etc/httpd/httpd.conf.default
+/root/.bash_history
+/root/.ssh/id_rsa
+/root/.ssh/id_rsa.pub
+/root/.ssh/known_hosts
+/tmp/access.log
+/usr/apache2/conf/httpd.conf
+/usr/apache/conf/httpd.conf
+/usr/etc/pure-ftpd.conf
+/usr/lib/php.ini
+/usr/lib/php/php.ini
+/usr/lib/security/mkuser.default
+/usr/local/apache2/conf/httpd.conf
+/usr/local/apache2/httpd.conf
+/usr/local/apache2/logs/access_log
+/usr/local/apache2/logs/access.log
+/usr/local/apache2/logs/error_log
+/usr/local/apache2/logs/error.log
+/usr/local/apache/conf/httpd.conf
+/usr/local/apache/conf/php.ini
+/usr/local/apache/httpd.conf
+/usr/local/apache/logs/access_log
+/usr/local/apache/logs/access.log
+/usr/local/apache/logs/error_log
+/usr/local/apache/logs/error.log
+/usr/local/apache/logs/error. og
+/usr/local/apps/apache2/conf/httpd.conf
+/usr/local/apps/apache/conf/httpd.conf
+/usr/local/etc/apache2/conf/httpd.conf
+/usr/local/etc/apache/conf/httpd.conf
+/usr/local/etc/apache/vhosts.conf
+/usr/local/etc/httpd/conf/httpd.conf
+/usr/local/etc/php.ini
+/usr/local/etc/pure-ftpd.conf
+/usr/local/etc/pureftpd.pdb
+/usr/local/httpd/conf/httpd.conf
+/usr/local/lib/php.ini
+/usr/local/php4/httpd.conf
+/usr/local/php4/httpd.conf.php
+/usr/local/php4/lib/php.ini
+/usr/local/php5/httpd.conf
+/usr/local/php5/httpd.conf.php
+/usr/local/php5/lib/php.ini
+/usr/local/php/httpd.conf
+/usr/local/php/httpd.conf.php
+/usr/local/php/lib/php.ini
+/usr/local/pureftpd/etc/pure-ftpd.conf
+/usr/local/pureftpd/etc/pureftpd.pdb
+/usr/local/pureftpd/sbin/pure-config.pl
+/usr/local/Zend/etc/php.ini
+/usr/pkgsrc/net/pureftpd/
+/usr/ports/contrib/pure-ftpd/
+/usr/ports/ftp/pure-ftpd/
+/usr/ports/net/pure-ftpd/
+/usr/sbin/pure-config.pl
+/var/cpanel/cpanel.config
+/var/lib/mysql/my.cnf
+/var/local/www/conf/php.ini
+/var/log/access_log
+/var/log/access.log
+/var/log/apache2/access_log
+/var/log/apache2/access.log
+/var/log/apache2/error_log
+/var/log/apache2/error.log
+/var/log/apache/access_log
+/var/log/apache/access.log
+/var/log/apache/error_log
+/var/log/apache/error.log
+/var/log/error_log
+/var/log/error.log
+/var/log/httpd/access_log
+/var/log/httpd/access.log
+/var/log/httpd/error_log
+/var/log/httpd/error.log
+/var/log/messages
+/var/log/messages.1
+/var/log/user.log
+/var/log/user.log.1
+/var/www/conf/httpd.conf
+/var/www/html/index.html
+/var/www/logs/access_log
+/var/www/logs/access.log
+/var/www/logs/error_log
+/var/www/logs/error.log
+/Volumes/webBackup/opt/apache2/conf/httpd.conf
+/Volumes/webBackup/private/etc/httpd/httpd.conf
+/Volumes/webBackup/private/etc/httpd/httpd.conf.default
+/web/conf/php.ini