Command Lists
General Commands
░█▀▀░█▀▀░█▀█░█▀▀░█▀▄░█▀█░█░░░░░█▀▀░█▀█░█▄█░█▄█░█▀█░█▀█░█▀▄░█▀▀
░█░█░█▀▀░█░█░█▀▀░█▀▄░█▀█░█░░░░░█░░░█░█░█░█░█░█░█▀█░█░█░█░█░▀▀█
░▀▀▀░▀▀▀░▀░▀░▀▀▀░▀░▀░▀░▀░▀▀▀░░░▀▀▀░▀▀▀░▀░▀░▀░▀░▀░▀░▀░▀░▀▀░░▀▀▀
Warning
Some of these commands may or may not work. It is a culmination of my notes over the years from various courses in the industry. I have ripped most of it from my Obsidian to make sure I only post public information. This page is ever growing and continuing to change as I progress through various other courses.
OpenVPN
SSH
ssh-keygen -t rsa -C "user" = creates a pub/priv key pair with an optional passphrase. -C adds a comment.
cat .ssh/id_rsa = the created private key
cat .ssh/id_rsa.pub = the created public key. Note the comment "user" at the end.
ssh user@10.50.x.x = will still default to asking for a password since no other method is set up yet
ssh-copy-id user@10.50.x.x = copies the key to 'user' on the remote host (need to authenticate to place it there)
ssh user@10.x.x.x = will now log straight in
cat .ssh/authorized_keys = shows the copied key. Look for the comment "user"
ssh root@10.x.x.x = will still ask for a password since we didn't add a key for root
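As an added example (not part of these notes), a Python parser for the authorized_keys file the steps above populate: it handles the optional options field (quoted values included), checks the key type embedded in the base64 blob against the type field, and flags keys with no from= restriction or no owner comment. The sample file content and the accepted key-type list are constructed assumptions.

```python
import base64
import re
# Assumed set of key types; a line whose first field is not one of these starts with options.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}
# Constructed sample: blobs are truncated but begin with the real wire-format header.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 user
from="10.50.0.0/16",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDAzMzMz backup@bastion
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0
"""
def _split_options(line):
    """Split at the first whitespace outside double quotes -> (options, rest)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_entry(line):
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _split_options(line)
    ktype, blob, *rest = line.split(None, 2)
    raw = base64.b64decode(blob, validate=True)
    name_len = int.from_bytes(raw[:4], "big")          # blob starts with a length-prefixed name
    blob_type = raw[4:4 + name_len].decode("ascii", "replace")
    return {"type": ktype, "comment": rest[0] if rest else "",
            "options": re.findall(r'(?:[^,"]|"[^"]*")+', options),  # split on unquoted commas
            "blob_type_matches": blob_type == ktype}

def audit(text):
    """Flag keys with no from= restriction, no owner comment, or a blob/type mismatch."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        e = parse_entry(line)
        if e is None:
            continue
        if not any(o.startswith("from=") for o in e["options"]):
            findings.append((n, "no from= source restriction"))
        if not e["comment"]:
            findings.append((n, "no comment identifying the key owner"))
        if not e["blob_type_matches"]:
            findings.append((n, "key type field does not match key blob"))
    return findings
```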
xFreeRDP Example
Linux Commands Basic
date = date & time. Are we on the right box? Knowing the date and time matters for possible persistence
whoami = double check who we are logged in as
id = uid, gid and group memberships (do we have root permissions?)
groups = see what groups we are a part of (are we in the sudoers?)
sudo -l = do we have any binaries that execute with higher privs
cat /etc/passwd (user information)
cat /etc/shadow (user password information) (need privileged access)
w = who is logged in, their terminal and what they are doing (tty are direct console logins; pts are remote sessions such as ssh or telnet, so possible info about other PCs)
last = information about users that have logged in (user habits) (might need to avoid those times)
uptime = how long has the machine been up (would this make for a good pivot?)
hostname = name of the machine (pay attention)
uname -a = kernel version and architecture (for exploits)
cat /etc/*rel* = release information
Networking Information
ifconfig -a = network information (verify you're on the right target so you don't go to jail, pimp) (dbo with the size 15 show)
cat /etc/hosts = static hostname or domain name to IP address mappings (could show the name of another box, which might point to a target of interest such as a Windows Server)
cat /etc/resolv.conf = configured DNS name servers
netstat -rn = routing table
netstat -antup = all TCP and UDP sockets, numeric, with the owning program (backdoors and rootkits do use magic packets and UDP) (rsyslog on port 514) programs on different ports we could exploit
arp -an = shows the ARP cache (entries only last for a few minutes): passive network enumeration. Maybe we could find out information about other machines on the network without scanning
Process Information
ps -auxf = (a) all users' processes, (u) user-oriented format, (x) include processes without a tty, (f) forest/tree view
ps -aux | grep syslog (just because it is running does not mean it is remotely sending logs)
lsof -p 886 = list of open files for PID 886 (files opened by the process) (root access can see everything the process is accessing)
lsof -i <4|6> = view network files using that IP version
ls -al /proc/886 = kernel view of PID 886
ls -al /proc/8/fd = file descriptors of the process (which is important; the last thing we want is our tools stolen)
service --status-all = show whether services are running or not
Logging
cat /etc/rsyslog.conf = check for remote logging (UDP port 514) (can get us caught)
/etc/rsyslog.d = directory where additional config files are kept; we want to check those also.
/var/log = auth logs, etc.
cat /var/log/auth.log | grep -i successful
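An added example, not from the original notes, that does the auth.log review above in Python over a constructed excerpt: it tallies failed sshd logins per source address, lists accepted logins and sudo commands, and flags an accepted login that follows repeated failures from the same address. The hostnames, PIDs and addresses in the sample are made up.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (hostnames, PIDs and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[1201]: Accepted publickey for user from 10.50.1.20 port 50122 ssh2: RSA SHA256:placeholder
Mar  3 10:01:12 web01 sshd[1201]: pam_unix(sshd:session): session opened for user user by (uid=0)
Mar  3 10:02:40 web01 sshd[1210]: Failed password for root from 10.50.1.77 port 41000 ssh2
Mar  3 10:02:41 web01 sshd[1210]: Failed password for root from 10.50.1.77 port 41002 ssh2
Mar  3 10:02:43 web01 sshd[1215]: Failed password for invalid user admin from 10.50.1.77 port 41004 ssh2
Mar  3 10:03:01 web01 sshd[1222]: Accepted password for root from 10.50.1.77 port 41010 ssh2
Mar  3 10:05:00 web01 sudo:     user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/crontab -l
"""

# sshd logs both outcomes in one shape; "invalid user" appears for unknown account names.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def summarize(log_text, fail_threshold=3):
    """Tally sshd failures per source, list accepted logins and sudo commands,
    and flag an accepted login preceded by >= fail_threshold failures from the
    same source address (the shape of a guess-then-succeed login)."""
    failures, accepted, sudo_cmds, suspicious = Counter(), [], [], []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            if m["result"] == "Failed":
                failures[m["ip"]] += 1
            else:
                login = (m["user"], m["ip"], m["method"])
                accepted.append(login)
                if failures[m["ip"]] >= fail_threshold:   # Counter returns 0 for unseen IPs
                    suspicious.append(login)
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_cmds.append((m["user"], m["target"], m["cmd"].strip()))
    return {"failures": dict(failures), "accepted": accepted,
            "suspicious": suspicious, "sudo": sudo_cmds}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```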
Crontabs
/var/spool/cron/crontabs (per-user crontabs; same as crontab -e just without the syntax help)
/etc/cron.d
ls -la /etc/cron*
cat /etc/crontab /etc/cron.d/* = system crontab and its drop-in files
sudo crontab -u USER -l
Finding files and locations to check
find / -name 'password*' 2>/dev/null (pay attention to file extensions)
find / -type f -name '*.txt' 2>/dev/null = (possible user generated documents)
find / -type f 2>/dev/null | grep filenamehere
find / -type f -name ".*" 2>/dev/null = find all hidden files
find / -type d -name ".*" 2>/dev/null = find all hidden directories
/tmp = check tmp folders (world writable)
/home = check home folders for users
/etc = config files are here (can give you a hint if any extra programs have been installed on the box)
Tcpdump and BPF Filtering
Unicast or Multicast
Check the first byte of each MAC address field (ether[0] and ether[6]) to determine whether it's a unicast (0x00) or multicast (0x01) MAC address. The filters below match unicast and multicast at offset 0, then unicast and multicast at offset 6.
tcpdump -i eth0 'ether[0] & 0x01 = 0x00'
tcpdump -i eth0 'ether[0] & 0x01 = 0x01'
tcpdump -i eth0 'ether[6] & 0x01 = 0x00'
tcpdump -i eth0 'ether[6] & 0x01 = 0x01'
Searching for EtherType
Using BPFs to print packets on the interface whose EtherType field (ether[12:2]) matches IPv4, ARP, 802.1Q VLAN tag, and IPv6 respectively.
tcpdump -i eth0 'ether[12:2] = 0x0800'
tcpdump -i eth0 'ether[12:2] = 0x0806'
tcpdump -i eth0 'ether[12:2] = 0x8100'
tcpdump -i eth0 'ether[12:2] = 0x86dd'
Printing VLAN Packets
Print packets that belong to VLAN 100. Here we mask out the 4-bit PCP/DEI field: it is uncertain whether those bits will carry a value, so it's best to ignore them unless you are looking for a specific value there.
tcpdump -i eth0 'ether[12:2] = 0x8100 and ether[14:2] & 0x0fff = 0x0064'
tcpdump -i eth0 'ether[12:4] & 0xffff0fff = 0x81000064'
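To show exactly which bytes the three sets of filters above read, here is an added Python example (not from the original page) that builds constructed Ethernet frames and evaluates the same byte-offset tests: the I/G bit at ether[0] and ether[6], the EtherType at ether[12:2], and the masked VLAN compare ether[12:4] & 0xffff0fff. The MAC addresses are made up; note that the broadcast address also has the I/G bit set, so the multicast filters match broadcast frames too.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q VLAN tag", 0x86DD: "IPv6"}

def build_frame(dst, src, ethertype, vlan=None, pcp=0, dei=0, payload=b"\x00" * 4):
    """Assemble an Ethernet header, optionally 802.1Q tagged, for testing."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = (pcp << 13) | (dei << 12) | (vlan & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", 0x8100, tci)
    return hdr + struct.pack("!H", ethertype) + payload

def decode(frame):
    """Read the same header fields the tcpdump BPF expressions test."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst_multicast": bool(frame[0] & 0x01),               # ether[0] & 0x01
        "src_multicast": bool(frame[6] & 0x01),               # ether[6] & 0x01
        "ethertype": struct.unpack_from("!H", frame, 12)[0],  # ether[12:2]
    }
    info["ethertype_name"] = ETHERTYPES.get(info["ethertype"], "other")
    if info["ethertype"] == 0x8100 and len(frame) >= 18:
        tci = struct.unpack_from("!H", frame, 14)[0]          # ether[14:2]
        info.update(pcp=tci >> 13, dei=(tci >> 12) & 1, vlan_id=tci & 0x0FFF,
                    inner_ethertype=struct.unpack_from("!H", frame, 16)[0])
    return info

def matches_vlan(frame, vid):
    """Equivalent of ether[12:4] & 0xffff0fff = 0x8100<vid>: PCP/DEI bits masked off."""
    if len(frame) < 16:
        return False
    word = struct.unpack_from("!I", frame, 12)[0]
    return (word & 0xFFFF0FFF) == (0x81000000 | (vid & 0x0FFF))

# Constructed sample frames; the MACs are made up (02: prefix = locally administered).
ARP_BCAST  = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806)
IPV4_MCAST = build_frame("01:00:5e:00:00:fb", "02:00:00:00:00:01", 0x0800)
VLAN100    = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800, vlan=100, pcp=5)
IPV6_MCAST = build_frame("33:33:00:00:00:01", "02:00:00:00:00:01", 0x86DD)

if __name__ == "__main__":
    for name, frame in [("ARP", ARP_BCAST), ("IPv4", IPV4_MCAST),
                        ("VLAN 100", VLAN100), ("IPv6", IPV6_MCAST)]:
        print(f"{name}: {decode(frame)} vlan100={matches_vlan(frame, 100)}")
```

The VLAN100 frame carries PCP 5, so its TCI bytes are 0xa064 rather than 0x0064: the unmasked compare ether[14:2] = 0x0064 misses it while the masked form matches.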