
Pentesting with Linux commands (GPEN based) Cheat Sheet (DRAFT) by

Basic but useful commands for pentesting tasks: gathering information from processes, the network, accounts, sensitive locations and files, and making changes, building tools, etc.

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Gather info

Processes

ps faux
lists processes in a tree-like format
ps -ef
lists all running processes in full format
systemctl status <service>
get the status of a service
systemctl list-units --type=service --state=active
list all running services in systemd

Network

ifconfig -a
Get IP address for all net interfaces
netstat -a
Get connections info
netstat -nap
show all connections and listening ports, with the owning process
netstat -nap | less
Look for "LISTEN" and "ESTABLISHED" states
lsof -i | less
List and read open connections by process
netstat -plnt
ports/processes in LISTEN state
netstat -rn
OR
route -v
Get GW and routing table
arp -a
Get ARP table
ip addr
Get IP address for all net interfaces
ss -a
Get connections info
ss -plnt
ports/processes in LISTEN state
ping6 -I eth0 ff02::1
use this multicast address to reach all link-local IPv6 nodes
ping6 -I eth0 ff02::2
use this multicast address to reach all link-local IPv6 routers
ip neigh
Get ARP/neighbour table (hosts in the same broadcast domain)
ip route
Get GW and routing table
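The ss/netstat listings above are normally read by eye. As an added example (not part of the original cheat sheet), the bash functions below parse `ss -plnt` output, report every listener bound to a non-loopback address with its process name, and then compare that list with an allow list of expected ports so that an unexpected listener stands out. The ss output is a constructed sample, and the allow list "22 80 443" is an assumption for the demo.

```bash
#!/usr/bin/env bash
# Constructed sample of `ss -plnt` output (not captured from a real host).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=650,fd=7))
LISTEN  0       511     *:80                *:*                users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:4444        0.0.0.0:*          users:(("nc",pid=2311,fd=3))'

# exposed_listeners: read `ss -plnt` output on stdin and print "port process"
# for every listener bound to something other than loopback.
exposed_listeners() {
  awk '
    NR > 1 && $1 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^(127\.|\[::1\]|localhost)/) next
      proc = "?"   # ss only shows the process column when run with enough privilege
      if (match($6, /\("[^"]+"/)) proc = substr($6, RSTART + 2, RLENGTH - 3)
      print port, proc
    }' | sort -u
}

# unexpected_listeners ALLOWED_PORTS: exposed listeners whose port is not on
# the space-separated allow list (e.g. "22 80 443").
unexpected_listeners() {
  allowed=" $1 "
  exposed_listeners | while read -r port proc; do
    case "$allowed" in
      *" $port "*) ;;
      *) echo "$port $proc" ;;
    esac
  done
}

# Stand-alone run against the constructed sample; on a real host pipe
# `ss -plnt` into the functions instead.
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 443"
```

Run as-is it prints `4444 nc`, the one non-loopback listener that is not on the allow list; the IPv4 and IPv6 sshd entries collapse to a single line because `sort -u` deduplicates on port and process name.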

Users and Groups

cat /etc/passwd
Get local user info
cat /etc/shadow
Get user hashes
cat /etc/group
Get all local groups
finger
OR
who
See who is currently logged in
w
See what they are doing
cat /etc/nsswitch.conf
get config about auth mechanisms
getent passwd
Get user accounts, regardless of back-end auth mechanism
getent group
Get groups, regardless of back-end auth mechanism
getent shadow
If SSSD or PAM is configured, get hashes for all users, regardless of back-end auth mechanism

Remote information Gathering

finger @[targetIP]
See who is currently logged in on the remote host
ypcat passwd
If NIS is in use, get users
ypcat group
If NIS is in use, get groups and memberships
ssh vagrant@192.168.1.25 "id; hostname"
runs id and hostname on the destination host
scp root@x.x.x.x:/root/.ssh/id_rsa .
copy a remote file to the current directory (note the trailing dot)
wget
-nd
No directories, puts all files in one directory
-r
Recursive download / web spider function
-P [directory]
Prefix output file locations with [directory]
-R / -A
Reject or accept file types or patterns
Example 1: wget -nd -r -R htm,html,php,asp,aspx,cgi -P /home/560/CourseFiles/560metadata_ex [tgt_domain]
Exclude htm, html, php, asp, aspx and cgi extensions
Example 2: wget -nd -r -A pdf,doc,docx,xls,xlsx -P /home/560/CourseFiles/560metadata_ex [tgt_domain]
Include only PDF, Word and Excel extensions
smbclient --list=IP --no-pass
List shared folders hosted on IP anonymously
smbclient //IP/sharedFolder -U "DOMAIN\user"
Connect to sharedFolder with credentials
smbclient //IP/sharedFolder -U 'NULL' -N
Connect to sharedFolder with anonymous (null) credentials
sudo mount //IP/sharedFolder /mount/point -o rw,guest
Mount sharedFolder on a local mount point

Sensitive Locations

/etc/passwd
user account info
/etc/shadow
user password hashes
~/.bash_history
user's shell history file
~/.ssh directory
SSH keys
~/.mozilla
Firefox profile
/etc/rc.d/rc<x>.d
SystemV runlevel services to run at startup
/etc/systemd/system/<x>.target.wants
Systemd target directory
/etc/nsswitch.conf
determines which authentication back-end a Linux system is configured to use
/etc/sudoers.d/
sudoers drop-in directory
grep -iHR passw *
find files containing "passw" (case-insensitive, recursive, with the file name shown)

Read & execute

cat [filename]
get the content of a file
head -n 20 [filename]
get the first 20 lines of [filename]
tail -n 2 [filename]
get the last 2 lines of [filename]
less OR more
view large content one page at a time
ls /dev | less
pipe command output into less
which ls
see where your commands are run from
./program_name
run a program located in the current directory
PATH=$PATH:/[another_dir]
temporarily (for the session's life) add a directory to your path

Miscellaneous

grep root *
find files in the current directory that contain the word root
man / info
show detailed usage information for other commands
whatis [command]
get a hint about what a program does
apropos network
search man pages for a topic
man -k network
look up something by keyword (same as apropos)
unset HISTFILE
disable command history/logging for this shell
watch 'ls -al file.zip'
monitor when a file appears
env
list environment variables
echo $PATH
view your PATH environment variable
wc -l /path/file.txt
word count; -l counts the number of lines

Working with programs/jobs

[command] &
run command in the background as a job
CTRL+Z
pauses the running program/command, leaving the job stopped in the background
jobs
list background/paused jobs
bg %[job_number]
resume program in the background
fg %[job_number]
resume program in the foreground, back to the current screen

Attack

Port Forwarding

ssh -L 8888:victimIP:victimPORT usr@PIVOT-PC
LOCAL - forward traffic from local port 8888 through PIVOT-PC to victimIP:victimPORT
ssh usr@PIVOT-PC ssh root@192.168.1.119 -R 9999:192.168.1.25:80
REMOTE - forwarding traffic through the SSH connection, but this time your SSH connection is "outbound": port 9999 on the remote side is forwarded back to 192.168.1.25:80
ssh usr@PIVOT-PC -D 9050
Dynamic port forwarding OR SOCKS proxy on local port 9050

Building tools

tar xvf [archive.tar]
untar a tape archive file
tar xvfz [archive.tar.gz or archive.tgz]
uncompress and untar a .tar.gz or .tgz file
./configure && make && make install
compile and install

Setup Services

python -m SimpleHTTPServer
serves the current dir as web content (Python 2)
python3 -m http.server
serves the current dir as web content (Python 3)
impacket-smbserver -comment "Temp Dir" TMP /tmp -username tempuser -password temppass -smb2support
simple SMB service sharing /tmp as TMP

Change configuration

gedit /etc/network/interfaces
set up static or dynamic network interfaces
service networking restart
apply the interface changes
export PATH=/usr/sbin:$PATH
add /usr/sbin to your PATH variable

Filesystems

locate [program name]
get the location of a file (from the locate database)
find [directory to search] [search criteria]
find / -name [filename]
exhaustively searches the filesystem for a file by name, e.g. find / -name whoami
updatedb
create/update the locate database
shred --remove /tmp/sam.txt
Shred overwrites the file with alternating zeros and ones three times so that it cannot be recovered, then removes it.

Accounts

useradd -d [home dir] [username]
create a user login
passwd
change the current user's password
passwd [username]
change another user's password
sudo su
become root
whoami
show which account you are using
id
get more details about your user and privileges (uid, gid, groups)
userdel [username]
delete user

Firewall / IPTables

iptables -D INPUT 2
delete INPUT rule number 2
iptables -I INPUT 2 -s x.x.x.x -j DROP
insert INPUT rule at position 2, action DROP traffic from x.x.x.x
iptables -I INPUT 1 -s x.x.x.x -p tcp --dport 4444 -j ACCEPT
allow inbound TCP port 4444 from x.x.x.x
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m tcp -p tcp --dport 8443 -j ACCEPT
add a firewalld direct rule allowing incoming TCP 8443
firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -m tcp -p tcp --dport 8443 -j ACCEPT
remove that rule

Authentication

ssh-keygen -t rsa -b 2048
generate a new identity file

Priv elevation

%admins ALL=(root) NOPASSWD: /bin/bar
Let the admins group run /bin/bar as root without a password
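The sudoers line above and the /etc/passwd entries listed under Users and Groups are the two places where root privilege is handed out, so both are worth auditing. As an added example (not from the cheat sheet), the bash functions below check constructed samples of each: they list UID-0 accounts other than root, accounts that still have a login shell, and every active NOPASSWD sudoers rule, flagging the rules that grant ALL commands. The passwd and sudoers content is constructed for the demo, and the svc-deploy account is a hypothetical name.

```bash
#!/usr/bin/env bash
# Constructed /etc/passwd and sudoers content for the demo (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-deploy:x:0:0::/var/lib/deploy:/bin/sh
bob:x:1001:1001:Bob:/home/bob:/bin/zsh'

SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL:ALL) ALL
%admins ALL=(root) NOPASSWD: /bin/bar
alice ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
# deploy ALL=(root) NOPASSWD: /usr/bin/systemctl'

# extra_uid0: passwd lines on stdin -> names of UID-0 accounts other than root.
extra_uid0() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# login_shell_users: passwd lines on stdin -> accounts whose shell allows login.
login_shell_users() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# nopasswd_rules: sudoers lines on stdin -> "principal commands" for every
# active NOPASSWD rule; commented-out lines are skipped.
nopasswd_rules() {
  awk '
    /^[[:space:]]*#/ || !/NOPASSWD:/ { next }
    { who = $1; cmds = $0; sub(/.*NOPASSWD:[[:space:]]*/, "", cmds); print who, cmds }'
}

# unrestricted_nopasswd: principals allowed to run ALL commands without a password.
unrestricted_nopasswd() {
  nopasswd_rules | awk '$2 == "ALL" { print $1 }'
}

# Stand-alone run against the constructed samples; on a real host feed
# `getent passwd` and the contents of /etc/sudoers and /etc/sudoers.d/ instead.
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
printf '%s\n' "$SAMPLE_SUDOERS" | unrestricted_nopasswd
```

Against the samples this prints `svc-deploy` (a second UID-0 account hiding behind a service-looking name) and `%wheel` (password-less sudo to any command); the narrower `%admins` rule for /bin/bar is reported by `nopasswd_rules` but not flagged as unrestricted.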