Summary of Ultimate Linux Penetration Testing Commands

This article mainly shares with you a summary of the ultimate Linux penetration testing commands. The following is a penetration testing memo for Linux machines. They are some typical commands during later development or when performing command injection and other operations. They are designed for testers to perform local enumeration. For inspection purposes.

##netstat -tulpn Display the network port corresponding to the process ID (PID) in Linux. watch ss -stpluWatch TCP, UDP ports in real time through sockets. lsof -iDisplay confirmed connections. macchanger -m MACADDR INTRChange the MAC address on KALI Linux. ifconfig eth0 192.168.2.1/24Set the ID address in Linux. ifconfig eth0:1 192.168.2.3/24Add an IP address to an existing network interface in Linux. ifconfig eth0 hw ether MACADDRUse ifconfig to modify the MAC address in Linux. ifconfig eth0 mtu 1500Use ifconfig in Linux to modify the MTU size and change 1500 to the MTU you want. dig -x 192.168.1.1 Perform a reverse lookup of the IP address. host 192.168.1.1 Perform reverse lookup on an IP address, suitable for situations where dig is not installed. dig @192.168.2.2 domain.com -t AXFRUse dig to perform a DNS zone transfer. host -l domain.com nameserverUse host to perform a DNS zone transfer. nbtstat -A x.x.x.xGet the domain name corresponding to the IP address. ip addr add 192.168.2.22/24 dev eth0Add a hidden IP address to Linux that will not be displayed when executing the ifconfig command. tcpkill -9 host google.comBlock access to google.com from the host. echo "1" > /proc/sys/net/ipv4/ip_forwardEnable IP forwarding and turn the Linux box into a router - this is convenient Routing traffic is controlled through this box. echo "8.8.8.8" > /etc/resolv.confUse Google's DNS.

Command	Description

System information command

is useful for local enumeration checks.

CommandDescription##whoamiidlastmountdf -hecho "user:passwd" | chpasswdgetent passwdstrings /usr/local/bin/blahuname -arPATH=$PATH:/my/new-pathhistoryRedhat/CentOS/RPM based distribution

showLinux Currently logged in user.
Displays the currently logged in users and groups to the user.
Displays the last logged in user.
Display the mounted driver.
Display disk usage with human-readable output.
Reset password with one line of command.
List users on Linux.
Display the contents of non-text files, for example: what is in a binary file.
Displays the running kernel version.
Add a new path to facilitate local file system (FS) operations.
Displays the history of bash scripts executed by the user before, as well as the commands typed.

Commandcat /etc/redhat-releaserpm -qarpm -q --changelog openvpn

YUM Command

RPM-based systems use a package manager. You can use these commands to get useful information about installed packages or other tools.

Description
Displays the Redhat/CentOS version number.
List all installed RPM packages on RPM-based Linux.
Check whether the installed RPM is patched for CVE. You can use the grep command to filter out output related to CVE.

##yum updateUse YUM updates all RPM packages and also shows which ones are out of date. yum update httpdUpdate individual packages, in this case HTTPD (Apache). yum install packageUse YUM to install a package. yum --exclude=package kernel* updateExclude a package from updating when using YUM. yum remove packageUse YUM to remove the package. yum erase packageUse YUM to delete the package. yum list packageList information about yum packages. yum provides httpdDisplays the purpose of a package, for example: Apache HTTPD Server. yum info httpdDisplay package information, architecture, version and other information. yum localinstall blah.rpmUse YUM to install the local RPM, install from the repository. yum deplist packageDisplay the provider information of the package. yum list installed | moreList all installed packages. yum grouplist | moreDisplay all YUM groups. yum groupinstall 'Development Tools'Install YUM group.

Command	Description

Debian/Ubuntu/.deb based distribution

CommandDescriptioncat /etc/debian_versionDisplays the Debian version number. cat /etc/*-releaseDisplay Ubuntu version number. dpkg -lList all installed packages on Debian/.deb based Linux distributions. Linux User Management

CommandDescriptionuseradd new-userCreate a new Linux user. passwd usernameReset the Linux user password. If you are the root user, just enter the password. deluser usernameDelete a Linux user. Linux decompression command

How to parse different compressed packages (tar, zip, gzip, bzip2, etc.) on Linux, and others Tips for searching and other operations in compressed files.

CommandDescription##unzip archive.zipzipgrep *.txt archive.ziptar xf archive.tartar xvzf archive.tar.gztar xjf archive.tar.bz2tar ztvf file.tar.gz | grep blahgzip -d archive.gzzcat archive.gzzless archive.gzzgrep 'blah' /var/log/maillog*.gzvim file.txt.gzupx -9 -o output.exe input.exeLinux Compression Command

Extract the files in the zip package on Linux.
Search in a zip archive.
Extract the files in the tarball on Linux.
Extract the files in the tar.gz package on Linux.
Extract the files in the tar.bz2 package on Linux.
Search in a tar.gz file.
Extract files in gzip on Linux.
Read a gz file without decompression on Linux.
Use fewer commands to achieve the same function of .gz compressed package.
Search the contents of the .gz compressed package on Linux, for example, if the search is compressed log file.
Use vim to read .txt.gz files (my personal favorite).
Use UPX to compress .exe files on Linux.

Commandzip -r file.zip /dir/*Create a .zip file on Linux. tar cf archive.tar filestar czf archive.tar.gz filestar cjf archive.tar.bz2 filesgzip file

Linux 文件命令

Description
Create a tar file on Linux.
Create a tar.gz file on Linux.
Create a tar.bz2 file on Linux.
Create a .gz file on Linux.

命令	描述
df -h blah	在 Linux 上显示文件/目录的大小。
diff file1 file2	在 Linux 上比对/显示两个文件之间的差别。
md5sum file	在 Linux 上生成 MD5 摘要。
md5sum -c blah.iso.md5	在 Linux 上检查文件的 MD5 摘要，这里假设文件和 .md5 处在相同的路径下。
file blah	在 Linux 上查找出文件的类型，也会将文件是 32 还是 64 位显示出来。
dos2unix	将 Windows 的行结束符转成 Unix/Linux 的。
base64 < input-file > output-file	对输入文件进行 Base64 编码，然后输出一个叫做 output-file 的 Base64 编码文件。
base64 -d < input-file > output-file	对输入文件进行 Base64 解码，然后输出一个叫做 output-file 的 Base64 解码文件。
touch -r ref-file new-file	使用来自于引用文件的时间戳数据创建一个新文件，放上 -r 以简单地创建一个文件。
rm -rf	不显示确认提示就删除文件和目录。

Samba 命令

从 Linux 连接到 Samba 共享。

$ smbmount //server/share /mnt/win -o user=username,password=password1
$ smbclient -U user \\\\server\\share
$ mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

 

打破 shell 的限制

要谢谢 G0tmi1k(（或者他参考过的内容）。

Python 小技巧：

python -c 'import pty;pty.spawn("/bin/bash")'

 

echo os.system('/bin/bash')

 

/bin/sh -i

 

Misc 命令

命令	描述
init 6	从命令行重启 Linux 。
gcc -o output.c input.c	编译 C 代码。
gcc -m32 -o output.c input.c	交叉编译 C 代码，在 64 位 Linux 上将编译出 32 位的二进制文件。
unset HISTORYFILE	关闭 bash 历史日志记录功能。
rdesktop X.X.X.X	从 Linux 连接到 RDP 服务器。
kill -9 $$	关掉当前的会话。
chown user:group blah	修改文件或者目录的所有者。
chown -R user:group blah	修改文件或者目录，以及目录下面文件/目录的拥有者 —— 递归执行 chown。
chmod 600 file	修改文件/目录的权限设定, 详情见 [Linux 文件系统权限](#linux-file-system-permissions) 。

清除 bash 历史：

      $ ssh user@X.X.X.X | cat /dev/null > ~/.bash_history

 

Linux 文件系统权限

取值	意义
777	rwxrwxrwx 没有限制，完全可读可写可执行（RWX），用户可以做任何事情。
755	rwxr-xr-x 拥有者可完全访问，其他人只能读取和执行文件。
700	rwx------ 拥有者可完全访问，其他人都不能访问。
666	rw-rw-rw- 所有人可以读取和写入，但不可执行。
644	rw-r--r-- 拥有者可以读取和写入，其他人只可以读取。
600	rw------- 拥有者可以读取和写入，其他人都不能访问。

Linux File System Penetration Testing Memo

Directory	Description
/	/ is also known as the "slash" or root.
/bin	A common program shared by the system, system administrators, and users.
/boot	Boot file, boot loader (grub), kernel, vmlinuz
/dev	Contains references to system devices and files with special attributes.
/etc	Important system configuration files.
/home	The home directory of the system user.
/lib	Library files, including files for all types of programs required by the system and users.
/lost+found	Failed file operations will be saved here.
/mnt	The standard mount point for external file systems.
/media	Mount point for external file systems (or some distributions).
/net	The standard mount point of the entire remote file system - nfs.
/opt	Generally contains some additional or third-party software.
/proc	A virtual file system that contains information about system resources.
/root	The home directory of the root user.
/sbin	A program used by systems and system administrators.
/tmp	The temporary space used by the system will be cleared when restarting.
/usr	Programs, libraries, documentation, etc. for use by all user-related programs.
/var	Stores all variable files and temporary files created by users, such as log files, mail queues, print spoolers, web servers, databases, etc. .

Interesting Files/Directories in Linux

If you want to try privilege escalation/perform post-development, these are some commands worth checking out.

##/etc/passwdIncludes local Linux users. /etc/shadow Contains the hashed local account password. /etc/group Contains local account groups. /etc/init.d/ Contains the service network initialization script - it should be worth taking a look at what is installed. /etc/hostnameThe hostname of the system. /etc/network/interfacesNetwork interfaces. /etc/resolv.confSystem DNS service. /etc/profileSystem environment variables. ~/.ssh/SSH key. ~/.bash_history User’s bash history log. /var/log/Linux system log files are generally stored here. /var/adm/UNIX system log files are generally stored here. The usual path where Apache access log files exist. /etc/fstabMounted file system. ## Related recommendations:

Path	Description
/var/log/httpd/access.log

mysql creation, deletion of users and authorization (linux test)_MySQL

How to use the sed command and awk command in linux

Linux command line summary

The above is the detailed content of Summary of Ultimate Linux Penetration Testing Commands. For more information, please follow other related articles on the PHP Chinese website!