80+ Linux Command Line Tools
Linux command line tools have built-in help, but wading through it can be daunting. Cheat sheets, on the other hand, can be a real life saver.
I have compiled some of the most popular and frequently used penetration testing commands. This list is not comprehensive by any means, but it is a good reference for the most commonly used commands and should put you on the fast track to penetration testing in a Linux environment.
Most of these commands become second nature once you have worked with them for a few months. Once in a while, though, it is nice to have a reference to rely on, and that is what is compiled below.
Linux BASH Shell Commands
BASH Shell Shortcuts and Shorthand:
Though it may seem trivial at first, there are a lot of handy hotkeys that simplify working from the shell. Some are just for convenience, some are practical, and some are functional.
The bottom line is that you need to know how to save yourself the hassle of re-entering an extremely long command that is nearly identical to the last one you ran. The following shortcuts help:
- ctrl + e – go to the end of the line
- ![command] (i.e. !ping) – reissues the most recent command that started with the supplied string, which is the last ping command in this example; because history expansion runs the matched command immediately, add :p (i.e. !ping:p) to print it without executing it when you are not sure which command will match
- Up arrow – step backwards through the history of previously run commands
- Tab – auto-completes command, file and directory names, which saves you the trouble of typing them out; press it twice to list the candidates when the completion is ambiguous
- ctrl + z – suspends the foreground program (resume it in the foreground with fg or in the background with bg); it does not terminate it
- !! – reissues the last command that was run (sudo !! is the classic use after forgetting sudo)
- Down arrow – step forwards through the command history
- ctrl + c – terminates the currently running command
- ctrl + r – reverse-searches the command history; type part of a command and press ctrl + r again to cycle through older matches
- ctrl + a – go to the start of the line (useful if you need to correct a typo at the beginning of a very long command)
Port and Service Commands:
Use the following commands to inspect open ports and connections on your Linux machine. netstat comes from the net-tools package, which is unmaintained and missing from many current distributions; ss from iproute2 accepts the same -t, -u, -l and -a options and gives the same information.
- netstat -u – shows all UDP connections and ports that are open
- netstat -t – shows all TCP connections and ports that are open
- netstat -l – shows ports that are in a listening state
- netstat -a – shows all ports (sockets) that are in use, listening and connected
- netstat -tulpn – the usual combination: TCP and UDP listening sockets, numeric addresses (-n skips slow DNS lookups) and the owning process (-p, which needs root to see other users' processes)
- netstat -a | grep [protocol] (i.e. netstat -a | grep http) – searches all open connections and ports for any that contain the characters "http"; note that without -n the port shows as a service name from /etc/services, and with -n you have to grep for the number instead
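The check a practitioner usually wants from this output is "which services are reachable from the network", i.e. which listening sockets are bound to a wildcard address rather than to loopback. The script below is an added example, not code from the original page: it filters netstat-style lines with awk and prints the protocol, port and program for every wildcard-bound socket. The input is constructed to look like netstat -tulpn output (ss -tulpn uses different columns, so feed it netstat output or adapt the field numbers).

```shell
#!/bin/sh
# Added example (not from the original page): list listening TCP/UDP sockets
# bound to all interfaces (0.0.0.0 or ::), i.e. reachable from the network.
# SAMPLE_NETSTAT is constructed to look like `netstat -tulpn` output.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1045/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1200/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           590/chronyd'

# exposed_sockets: read netstat-style lines on stdin and print
# "proto port program" for every socket whose local address is a wildcard.
exposed_sockets() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, parts, ":")          # last field after ":" is the port
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::") {
                prog = $NF                        # "PID/program" is always the last column
                sub(/^[0-9]+\//, "", prog)        # drop the PID, keep the program name
                printf "%s %s %s\n", $1, port, prog
            }
        }'
}

# Real use: sudo netstat -tulpn | exposed_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_sockets
```

On the constructed sample this reports sshd on 22, apache2 on 80 and dhclient on 68/udp, and stays silent about mysqld and chronyd, which are bound to 127.0.0.1 only. Anything it lists that you did not expect is a firewall or configuration finding.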
The Network Interface and IP Commands:
Like netstat, ifconfig and route belong to the unmaintained net-tools package; the iproute2 equivalents are given in parentheses and are what you should type on a modern system.
- ifconfig – the Linux counterpart of ipconfig on Windows; displays interface information such as MAC address, IPv4/IPv6 addresses, interface status and transmitted/received byte counts (ip addr)
- ifconfig [interface] up (i.e. ifconfig eth0 up) – enables an interface that has been shut down; taking an interface down and then up again (sometimes called bouncing an interface) is a useful troubleshooting or reset procedure (ip link set eth0 up)
- ifconfig [interface] down (i.e. ifconfig eth0 down) – shuts down an interface, such as a wireless, Ethernet, or tunnel interface (ip link set eth0 down)
- route – displays the current routing table, including the default route; route -n skips DNS lookups on the addresses (ip route)
Basic Shell Commands:
- whoami – displays the current active user in the shell (id also shows the user's groups, which matters when you are checking what a compromised account can reach)
- clear – if there is too much information printed to the current terminal screen, you can wipe it all clean with the clear command
- su root (or su -) – prompts for the root password and gives you a shell with root privileges; on systems where root has no password, use sudo -i instead
- pwd – prints your current working directory, which is your current location in the file system
- ls – the list command, which prints the files and directories within your current working directory
- ls -l – this option is known as a "long listing" and shows detailed information (permissions, owner, size, modification time) about the files and directories in your current working directory
- ls -la – a long listing where the -a option shows all files; by default, hidden files that start with the "." character are omitted
- mount – displays mounted media and file systems
- uptime – displays how long the system has been active, plus the load averages
- date – displays the time and date configured within the operating system
- cd .. – moves you one level higher in the directory tree
- cd [directory] – the cd command is how you navigate the Linux file system; run ls first to see the directories accessible from your current working directory
- [command] | grep [pattern] (i.e. ls | grep myfile.txt) – piping command output to grep filters it down to the lines matching your pattern
- ps aux – displays a list of running processes; the output is long, so it is best to pipe it to less or more, or search through it with grep
- kill [process_id] – sends SIGTERM to a process based on the process ID shown by ps aux; kill -9 [process_id] sends SIGKILL if the process refuses to exit
NMAP Commands
Here we go over the most common NMAP commands. I will briefly explain each command, and later go into the details and explain the most important options.
NMAP is an incredibly versatile network and port scanner, and it is packaged on practically every Linux distribution.
Inside Metasploit, the db_nmap command takes exactly the same arguments as nmap, so the syntax is the same in both places. You can use the following extract of the NMAP help output as a reference for the most important options and their correct syntax:
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Example: scanme.nmap.org, facebook.com/24, 192.168.0.1; 10.0.0-255.1-254
- --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
- -iL <inputfilename>: Input from list of hosts/networks
- -iR <num hosts>: Choose random targets
- --excludefile <exclude_file>: Exclude list from file
SCAN TECHNIQUES COMMANDS:
- -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
- -sU: UDP Scan
- -sN/sF/sX: TCP Null, FIN, and Xmas scans
- --scanflags <flags>: Customize TCP scan flags
- -sI <zombie host[:probeport]>: Idle scan
- -sY/sZ: SCTP INIT/COOKIE-ECHO scans
- -sO: IP protocol scan
- -b <FTP relay host>: FTP bounce scan
SERVICE/VERSION DETECTION COMMANDS:
- -sV: Probe open ports to determine service/version info
- --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
- --version-light: Limit to most likely probes (intensity 2)
- --version-all: Try every single probe (intensity 9)
- --version-trace: Show detailed version scan activity (for debugging)
HOST DISCOVERY COMMANDS:
- -sL: List Scan – simply list targets to scan
- -sn: Ping Scan – disable port scan
- -Pn: Treat all hosts as online – skip host discovery
- -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
- -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
- -PO[protocol list]: IP Protocol Ping
- -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
- --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
- --system-dns: Use OS's DNS resolver
- --traceroute: Trace hop path to each host
OS DETECTION COMMANDS:
- -O: Enable OS detection
- --osscan-limit: Limit OS detection to promising targets
- --osscan-guess: Guess OS more aggressively
PORT SPECIFICATION AND SCAN ORDER COMMANDS:
- -p <port ranges>: Only scan specified ports
- Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
- -F: Fast mode – Scan fewer ports than the default scan
- -r: Scan ports consecutively – don't randomize
- --top-ports <number>: Scan <number> most common ports
- --port-ratio <ratio>: Scan ports more common than <ratio>
These are the most common option references, and they are enough to scan networks and hosts in most engagements.
Port Scanning Target Syntax:
- nmap -p 80 10.10.10.1 – scans a host to see if it is accepting connections on a specific port (port 80 in this case)
- nmap -p 80-100 10.10.10.1 – scans a host to see if it is accepting connections on a range of ports (ports 80 through 100 in this case)
- nmap -F 10.10.10.1 – the -F option stands for "fast" and scans the 100 most commonly used ports instead of the default 1000
- nmap -p- 10.10.10.1 – scans all 65535 TCP ports on a host, which is thorough but rather slow; services on unusual ports only show up in this kind of scan
Port Scanning Options Syntax:
- nmap -sS 10.10.10.1 – initiates a TCP SYN (half-open) scan; this is the default when running as root, because it needs raw sockets
- nmap -sT 10.10.10.1 – initiates a scan using full TCP connect() connections; this is the default for unprivileged users, and because it completes the handshake it is more likely to show up in the target's application logs
- nmap -sU 10.10.10.1 – initiates a UDP scan; it is slow, because open UDP ports usually do not answer and closed ones are inferred from ICMP port-unreachable messages, which hosts rate-limit
- nmap -Pn 10.10.10.1 – skips host discovery (the ping probes) and port-scans the target regardless; use it when ICMP is filtered, because otherwise NMAP may report a live host as down and never scan its ports
Host and Subnet Target Syntax:
- nmap [host] (i.e. nmap 10.10.10.1) – tells NMAP to target a single IP address
- nmap [domain] (i.e. nmap www.myserver.com) – tells NMAP to target a specific host by name, which therefore needs to be resolvable with DNS
- nmap [range] (i.e. nmap 10.10.10.1-5) – specifies a range of IP addresses for NMAP to target
- nmap [subnet] (i.e. nmap 10.10.10.0/24) – tells NMAP to scan an entire subnet given in CIDR notation
- nmap -iL [host_list.txt] (i.e. nmap -iL myhostlist.txt) – reads the targets from a file, one host or network per line, so you can import lists built with other tools
Verbosity
The verbose option can be added to any of the previous commands. The problem with some NMAP scans is that they can take a long time and, by default, show nothing about what is happening behind the scenes, which makes waiting for the scan to finish nearly unbearable.
The verbose option in NMAP syntax is simply -v (-vv for even more). You can add the -v flag to almost any NMAP scan. For instance, if I wanted to track the progress of an NMAP scan on my local network, I would issue the following command:
- nmap -v -Pn 10.10.10.0/24
This command runs a port scan against every address in 10.10.10.0/24; that is 256 addresses, since NMAP includes the network and broadcast addresses, and -Pn means none of them is skipped by host discovery. With -v it prints which address it is currently probing and periodic completion estimates, giving you an accurate idea of how much of the scan is left. Pressing a key while a scan is running prints a progress line as well.
To Identify the Hosts' Operating System and Active Services
Note: if you are using NMAP from a Metasploit perspective, it is highly useful to know what operating system, version, service pack and services a host is running before probing for vulnerabilities. Fortunately, NMAP comes equipped with OS fingerprinting and service version detection.
You can use these commands:
- nmap -sV 10.10.10.1 – basic service and version detection on the open ports
- nmap -O 10.10.10.1 – OS detection (needs root); add --osscan-guess when the fingerprint does not match cleanly
- nmap -A 10.10.10.1 – "aggressive" mode, which enables OS detection, version detection, default script scanning and traceroute in one run; do not confuse it with -sA, which is a TCP ACK scan used to map firewall rules and identifies neither services nor operating systems
- nmap -sV --version-intensity [0-9] 10.10.10.1 – sometimes the default probes cannot identify a service, so you can turn up the probing intensity with a value between 0 and 9; 9 is the most intense and tries every available NMAP probe, but also takes longer. Intensity affects service detection, not OS detection
NMAP Output
NMAP can write its results in several output formats for import into other applications. Instead of simply printing output to a terminal or copying/pasting it into a text file, you can use the following options to control how the output is stored.
- nmap -oN MyOutputFile.txt 10.10.10.1 – saves the normal, human-readable output, the same text you see on the terminal
- nmap -oX MyOutputFile.xml 10.10.10.1 – saves the output in XML, the format Metasploit's db_import and most other tools consume
- nmap -oG MyOutputFile.gnmap 10.10.10.1 – saves the "grepable" format, one host per line, so it can be searched and filtered with grep, awk and cut
- nmap -oA MyOutputFile 10.10.10.1 – saves all three formats at once as MyOutputFile.nmap, MyOutputFile.xml and MyOutputFile.gnmap
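The grepable format is what makes the standard two-stage workflow scriptable: a fast scan of all ports with -p- and -oG, then a targeted -sV run against only the ports that were open. The script below is an added example, not code from the original page. It parses constructed -oG lines (tab-separated fields, with each port entry in the form port/state/protocol/owner/service/rpcinfo/version/) into per-host lists of open TCP ports and prints the follow-up command lines; the host addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): turn Nmap grepable (-oG)
# output into per-host open-TCP-port lists and into the follow-up -sV
# command lines. SAMPLE_GNMAP is constructed in the -oG format.

SAMPLE_GNMAP="$(
printf '# Nmap 7.94 scan initiated as: nmap -oG - 10.10.10.1-2\n'
printf 'Host: 10.10.10.1 ()\tStatus: Up\n'
printf 'Host: 10.10.10.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
printf 'Host: 10.10.10.2 ()\tStatus: Up\n'
printf 'Host: 10.10.10.2 ()\tPorts: 445/open/tcp//microsoft-ds///, 53/open/udp//domain///\n'
printf '# Nmap done -- 2 IP addresses (2 hosts up) scanned\n'
)"

# open_tcp_ports: read -oG lines on stdin and print "host port1,port2,..."
# for each host that has at least one open TCP port.
open_tcp_ports() {
    awk '
        BEGIN { FS = "\t" }                       # -oG fields are tab-separated
        /^Host: / {
            host = $1
            sub(/^Host: /, "", host); sub(/ .*/, "", host)
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                list = $i; sub(/^Ports: /, "", list)
                n = split(list, entries, ", ")    # port entries are comma-separated
                ports = ""
                for (j = 1; j <= n; j++) {
                    split(entries[j], f, "/")     # f[1]=port f[2]=state f[3]=protocol
                    if (f[2] == "open" && f[3] == "tcp")
                        ports = (ports == "") ? f[1] : ports "," f[1]
                }
                if (ports != "") print host, ports
            }
        }'
}

# followup_commands: one "nmap -sV -p <ports> <host>" line per host, i.e.
# the second stage of "find open ports fast, then fingerprint only those".
followup_commands() {
    open_tcp_ports | while read -r host ports; do
        printf 'nmap -sV -p %s %s\n' "$ports" "$host"
    done
}

# Real use: nmap -p- -oG all_ports.gnmap 10.10.10.0/24
#           followup_commands < all_ports.gnmap | sh
printf '%s\n' "$SAMPLE_GNMAP" | followup_commands
```

Only open TCP entries are kept, so the closed 443 and the open UDP 53 in the sample are ignored; add a second function keyed on udp if you want a parallel -sU -sV stage. Hosts that came back only as "Status: Up" with no Ports field produce no command at all.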
Metasploit Commands
Database Commands:
NMAP scans can be run from inside Metasploit and their results stored in its database. Metasploit comes with a lot of handy tools to build lists of hosts and run modules against those targets. Check db_status first; if it is not connected, run msfdb init from the regular shell before starting msfconsole.
You use NMAP commands as follows:
- db_nmap [nmap_command_syntax] – the basic syntax of NMAP commands within Metasploit; every nmap option works unchanged
- db_nmap -v -Pn 10.10.10.0/24 – scans the 10.10.10.0/24 subnet with a basic port scan in verbose mode, and adds the hosts and their open ports to the database
- db_export -f [xml|pwdump] [file] – exports your current database to a file and location of your choosing
- db_import [file] – imports scan results from another source, for example an NMAP -oX file
- db_status – displays the status of the database; if everything is in working order, this command should return a status of "connected"
- hosts – prints a list of all the discovered hosts in the database, whether they came from db_nmap, db_import or manual entry
- hosts -a [ip_address] – adds an IP address, range, or subnet to the hosts database list
- hosts -d [ip_address] – deletes an IP address, range, or subnet from the hosts database list
- hosts -u – prints only the hosts that are known to be up
- services – prints the discovered ports and service names; services -p [port] filters by port, and adding -R sets RHOSTS to the matching hosts for the next module you run
Core Metasploit Commands:
Metasploit is never static; it keeps changing. As such, you need to know how to search through all of the exploits, vulnerabilities, and modules. The following is a cheat sheet of the core Metasploit commands:
- msfconsole – this command is how you enter the Metasploit environment and get the msf> prompt in the terminal
- help – shows the main help page for Metasploit
- show exploits – lists every exploit in the terminal; the output is very long, so filter it with msfconsole's built-in grep (i.e. grep smb show exploits) or use search instead
- show payloads – prints all currently known payloads to the terminal (again, filter it with grep)
- show auxiliary – displays all auxiliary modules (scanners, fuzzers, servers) contained in the Metasploit framework
- search [name] – searches the modules for names, descriptions or references matching the supplied string; keywords narrow it down, i.e. search type:exploit platform:windows smb
- use [name] – loads a module or exploit
- info – displays information about the currently loaded module, or info [name] for any module
- show options – displays all of the loaded module's parameters that can be set, essentially a help menu for that individual module
- show targets – displays which target systems a given exploit module supports
- set RHOSTS [IP_address] – sets the address(es), range or subnet of the target(s) for the exploit (older modules call the option RHOST); there is no rhost command, module options are always changed with set
- set LHOST [IP_address] – for reverse-connection payloads, the address the target should connect back to; this should be your interface's IP on a network the target can reach, especially if you are on the same subnet as the target
- check – checks whether the currently set target is vulnerable without actually running the exploit; not every module implements it
- msfupdate – runs the automatic update function and pulls in new exploits and modules; note that this is run from the standard command line, and on distribution packages such as Kali it has been replaced by the package manager (apt update && apt install metasploit-framework)
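Both lists above are usually typed interactively, but the same sequence can be put into a resource script and run with msfconsole -r, which is how you make a scan repeatable. The script below is an added example, not code from the original page or the Metasploit project: it generates such a resource script from a target, a port, a module and an export path. The default target and port are placeholders, and auxiliary/scanner/smb/smb_version is a real Metasploit module used only as a stand-in for whatever module you want to run against the hosts the database found.

```shell
#!/bin/sh
# Added example (not from the original page): generate an msfconsole
# resource script that drives the database workflow (db_nmap, hosts,
# services -R, use, run, db_export) and run it with `msfconsole -q -r`.
# Target, port, module and export path are parameters; the values used at
# the bottom are placeholders for illustration.

# make_msf_rc TARGET PORT MODULE EXPORT_FILE -> prints the resource script
make_msf_rc() {
    target="$1"; port="$2"; module="$3"; export_file="$4"
    cat <<EOF
# Resource scripts are one msfconsole command per line; '#' starts a comment.
db_status
workspace -a lab
# db_nmap takes normal nmap arguments and stores the results in the database.
db_nmap -sV -Pn -p $port $target
hosts -u
services -u -p $port
# -R sets RHOSTS from the matching services, instead of typing: set RHOSTS $target
services -u -p $port -R
use $module
show options
run
db_export -f xml $export_file
exit
EOF
}

# run_msf_rc RC_FILE: run the script non-interactively if msfconsole is present.
run_msf_rc() {
    if command -v msfconsole >/dev/null 2>&1; then
        msfconsole -q -r "$1"
    else
        echo "msfconsole not found; resource script left at $1" >&2
        return 1
    fi
}

RC_FILE="${TMPDIR:-/tmp}/lab_scan.rc"
make_msf_rc 10.10.10.0/24 445 auxiliary/scanner/smb/smb_version "${TMPDIR:-/tmp}/lab.xml" > "$RC_FILE"
echo "Resource script written to $RC_FILE; run it with: msfconsole -q -r $RC_FILE"
```

The script is not executed automatically, since running it starts a real scan of whatever target you passed; call run_msf_rc "$RC_FILE" yourself once the target is one you are authorised to test. The exported XML is what you would hand to db_import in a fresh workspace later.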
Note that this whole tutorial is meant for learning purposes only.