Linux information gathering
Host discovery
nmap -sn 192.168.110.0/24    # ping scan only, no port scan
OS identification
nmap -O 192.168.110.202
Port scan
Full scan
nmap -T4 -A -v -p- 192.168.110.149
-A enables aggressive scanning (OS detection, version detection, script scanning and traceroute);
-T4 sets the timing template. There are 6 levels (0-5): the higher the level, the faster the scan, but the easier it is to detect and block with a firewall or IDS. T4 is recommended when the network link is in good condition;
-v enables verbose output, so scan details are printed while the scan runs and you can follow its progress;
-p- scans all 65535 TCP ports.
Find HTTP authentication pages
nmap -p 80 --script http-auth-finder <target ip>
SSH brute force
nmap -p22 --script ssh-brute <target ip>
DNS zone transfer
nmap -p 53 --script dns-zone-transfer.nse -v <target ip>
masscan quick scan
masscan 127.0.0.0/24 -p443                                        # single port
masscan 127.0.0.0/24 --top-ports 100 --rate 100000                # fast scan of the 100 most common ports
masscan 127.0.0.0/24 --top-ports 100 --excludefile exclude.txt    # exclude the targets listed in exclude.txt
masscan 127.0.0.0/24 -p20,21,22,23,80,161,443,873,2181,3389,6379,7001,8000,8009,8080,9000,9009,9090,9200,9300,10000,50070 > results.txt
Kernel version
uname -a
uname -mrs                  # machine, kernel release and OS name only
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-
Once the kernel version is known, search for matching privilege escalation vulnerabilities, such as Dirty COW.
SUID
The find syntax accepted differs between distributions; try the variants one by one
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
-perm matches on permission bits
4000, 2000 and 1000 represent the suid, sgid and sticky bits respectively
-user root restricts the search to files owned by root, i.e. SUID files that run with root privileges
2>/dev/null sends error messages (permission denied on unreadable directories) to the "black hole"
-u=s matches files whose setuid bit is set (the symbolic form of -4000)
-type restricts the type of file we are looking for
f stands for regular files, not directories or special files
Once such binaries are found, look them up at https://gtfobins.github.io/ for privilege escalation techniques
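Added example (not from the original cheatsheet): a POSIX shell script that turns the SUID listing above into a detection check by diffing it against a known-good baseline, so a setuid file that appeared after the build stands out instead of being buried in the full find output. The temporary directory tree, the file names and the baseline list are constructed for the demonstration; on a real host you would run list_suid_sgid against / and keep a baseline taken from a clean install.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: audit setuid/setgid
# files under a directory tree against a known-good baseline. All paths
# below are constructed inside a temporary directory for the demo.

# List regular files under $1 with the setuid OR setgid bit set, sorted.
# `-perm /6000` matches if ANY of the 4000 (suid) / 2000 (sgid) bits is set;
# `-perm -4000` (as on the cheatsheet) requires the suid bit specifically.
list_suid_sgid() {
    find "$1" -type f -perm /6000 -print 2>/dev/null | sort
}

# Print the setuid/setgid files under $1 that are missing from the baseline
# list $2 (one absolute path per line). Returns 1 when something unexpected
# was found, 0 when the tree matches the baseline.
unexpected_suid() {
    found="$(mktemp)"
    list_suid_sgid "$1" > "$found"
    # comm -23: lines only in the first input (found but not baselined)
    diff_out="$(sort -u "$2" | comm -23 "$found" -)"
    rm -f "$found"
    [ -n "$diff_out" ] || return 0
    printf '%s\n' "$diff_out"
    return 1
}

# Constructed demo: one baselined setuid file, one ordinary file, and one
# setuid file under tmp/ that nobody put in the baseline.
demo_suid_audit() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/usr/bin" "$tmp/tmp"
    for f in usr/bin/passwd usr/bin/plain tmp/helper; do
        printf '#!/bin/sh\nexit 0\n' > "$tmp/$f"
    done
    chmod 4755 "$tmp/usr/bin/passwd"      # expected setuid binary
    chmod 0755 "$tmp/usr/bin/plain"       # ordinary binary, ignored
    chmod 4755 "$tmp/tmp/helper"          # setuid file nobody baselined
    printf '%s\n' "$tmp/usr/bin/passwd" > "$tmp/baseline.txt"
    unexpected_suid "$tmp" "$tmp/baseline.txt"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if demo_suid_audit; then
    echo "setuid/setgid files match the baseline"
else
    echo "unexpected setuid/setgid file(s) listed above"
fi
```

The demo prints the one path under tmp/ and exits non-zero; an empty diff exits zero, which makes the function usable from a cron job or a configuration-management check.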
sudoers configuration
sudo's configuration file is the sudoers file, which lets system administrators centrally manage which users may run which commands on which hosts. It is stored in /etc/sudoers by default and its mode must be 0440.
See which sudo commands the current user can run, and which of them need no password
cat /etc/sudoers
sudo -l
Likewise, once these binaries are identified, look them up at https://gtfobins.github.io/ for privilege escalation techniques
View the commands available to the current user
compgen -c
/etc/passwd
cat /etc/passwd
/etc/shadow (requires root)
Run the password hashes from /etc/shadow through unshadow or hashcat
Startup items and scheduled tasks
chkconfig                          # list services enabled at boot (SysV / Red Hat)
ls /etc/init.d                     # boot-time service scripts
cat /etc/rc.local                  # rc startup file
crontab -l                         # current user's crontab
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
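Added example (not from the original cheatsheet): a POSIX shell script that reads a crontab in the system format (/etc/crontab and /etc/cron.d/*: minute hour dom month dow user command) and flags the jobs an auditor cares about, namely programs that are world-writable, programs that no longer exist, and programs resolved through PATH. The crontab and the scripts it references are constructed in a temporary directory for the demonstration; on a real host you would point audit_crontab at /etc/crontab and each file under /etc/cron.d.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: audit a system-format
# crontab for jobs that an unprivileged user could tamper with. The crontab
# and the referenced scripts are constructed in a temp dir for the demo.

# Print one finding per line for crontab file $1:
#   WRITABLE <path>   program is world-writable (anyone can change what root runs)
#   MISSING <path>    program does not exist (dangling job, or removed evidence)
#   RELATIVE <name>   program is looked up via PATH; check the PATH= line
#   MALFORMED <line>  fewer fields than the format requires
audit_crontab() {
    crontab_file="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                      # no globbing: cron fields contain '*'
        set -- $line                # split the line on whitespace
        set +f
        [ $# -gt 0 ] || continue                  # blank line
        case "$1" in
            '#'*) continue ;;                     # comment
            [A-Za-z_]*=*) continue ;;             # SHELL=, PATH=, MAILTO= lines
        esac
        case "$1" in
            @*) [ $# -ge 3 ] || { echo "MALFORMED $line"; continue; }; shift 2 ;;  # @reboot user cmd
            *)  [ $# -ge 7 ] || { echo "MALFORMED $line"; continue; }; shift 6 ;;  # m h dom mon dow user cmd
        esac
        prog="$1"
        case "$prog" in
            /*) ;;
            *)  echo "RELATIVE $prog"; continue ;;
        esac
        if [ ! -e "$prog" ]; then
            echo "MISSING $prog"
        elif [ -n "$(find "$prog" -prune -perm -o=w)" ]; then
            echo "WRITABLE $prog"
        fi
    done < "$crontab_file"
}

# Constructed demo: a sane backup job, a world-writable cleanup script,
# a job whose script has vanished, and a job that relies on PATH.
demo_cron_audit() {
    tmp="$(mktemp -d)"
    printf '#!/bin/sh\n' > "$tmp/backup.sh";  chmod 0755 "$tmp/backup.sh"
    printf '#!/bin/sh\n' > "$tmp/cleanup.sh"; chmod 0777 "$tmp/cleanup.sh"   # world-writable
    cat > "$tmp/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
0 3 * * * root $tmp/backup.sh --quiet
*/5 * * * * root $tmp/cleanup.sh
@reboot root $tmp/missing.sh
30 1 * * * root run-parts /etc/cron.daily
EOF
    audit_crontab "$tmp/crontab"
    rm -rf "$tmp"
}

demo_cron_audit
```

The demo reports WRITABLE for cleanup.sh, MISSING for missing.sh and RELATIVE for run-parts, and says nothing about the correctly permissioned backup job. User crontabs under /var/spool/cron have no user field; drop the shift count from 6 to 5 for those.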
Process list
ps aux        # list all processes with their owner, CPU/memory use and command line
ps -ef
top           # live overview of system state; press Ctrl+C (or q) to exit
Installed software and commands
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l                             # Debian/Ubuntu package list
rpm -qa                             # Red Hat/CentOS package list
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Service configuration files
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'    # everything under /etc whose permission string contains an r
Logs
~/.bash_history                   command history of the current user
last                              all users who have logged in to the system, with source IPs
lastlog                           last login of each user
/var/log/messages                 general system messages and errors after boot; one of the most used logs on Red Hat Linux
/var/log/secure                   security and authentication log
/var/log/maillog                  mail log
/var/log/cron                     scheduled task (cron) log
/var/log/spooler                  UUCP and news device log
/var/log/boot.log                 daemon start and stop messages
/var/log/wtmp                     permanent record of every user's login, logout, system boot and shutdown
/var/log/nginx/access.log         nginx access log
/var/log/apache2/access_log       Apache access log
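Added example (not from the original cheatsheet): the defender's counterpart to the ssh-brute scan earlier on the page, a POSIX shell function that runs over sshd lines in the /var/log/secure or auth.log format, counts "Failed password" events per source address, and marks sources that later also logged in successfully. The log lines are constructed for the demonstration and use RFC 5737 documentation addresses; on a real host you would pass /var/log/secure or /var/log/auth.log as the first argument.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: detect SSH password
# brute-forcing from sshd log lines. The sample log below is constructed.

# Print "<ip> <n> failed" for each source with at least $2 failed passwords
# in log file $1, appending " then-accepted" when the same source also
# logged in successfully (the trace a successful brute force leaves behind).
brute_force_sources() {
    awk -v thr="$2" '
        # The source address is the token after "from" in both the
        # "Failed password" and the "Accepted ..." messages.
        function src_ip(i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "" }
        /sshd\[[0-9]+\]: Failed password for/               { ip = src_ip(); if (ip != "") fails[ip]++ }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ { ip = src_ip(); if (ip != "") ok[ip]++ }
        END {
            for (ip in fails)
                if (fails[ip] + 0 >= thr + 0)
                    printf "%s %d failed%s\n", ip, fails[ip], (ip in ok) ? " then-accepted" : ""
        }' "$1" | sort
}

# Constructed demo log: one source sprays six passwords and then gets in,
# one source fails five times and gives up, one legitimate user mistypes
# once before a key login. Threshold defaults to 5 failed attempts.
demo_ssh_bruteforce() {
    thr="${1:-5}"
    log="$(mktemp)"
    cat > "$log" <<'EOF'
Mar  3 10:01:02 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:04 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:06 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:08 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:10 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:12 web1 sshd[1211]: Failed password for deploy from 203.0.113.7 port 51027 ssh2
Mar  3 10:01:14 web1 sshd[1213]: Accepted password for deploy from 203.0.113.7 port 51028 ssh2
Mar  3 10:02:00 web1 sshd[1220]: Failed password for root from 192.0.2.9 port 40001 ssh2
Mar  3 10:02:01 web1 sshd[1222]: Failed password for root from 192.0.2.9 port 40002 ssh2
Mar  3 10:02:02 web1 sshd[1224]: Failed password for root from 192.0.2.9 port 40003 ssh2
Mar  3 10:02:03 web1 sshd[1226]: Failed password for root from 192.0.2.9 port 40004 ssh2
Mar  3 10:02:04 web1 sshd[1228]: Failed password for root from 192.0.2.9 port 40005 ssh2
Mar  3 10:02:05 web1 sshd[1228]: Connection closed by authenticating user root 192.0.2.9 port 40005 [preauth]
Mar  3 10:05:00 web1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40100 ssh2
Mar  3 10:05:03 web1 sshd[1300]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2: ED25519 SHA256:constructed-fingerprint
EOF
    brute_force_sources "$log" "$thr"
    rm -f "$log"
}

demo_ssh_bruteforce
```

With the default threshold the demo prints 192.0.2.9 (5 failed) and 203.0.113.7 (6 failed then-accepted); the single mistyped password from 198.51.100.4 stays below the threshold. The "then-accepted" marker is the line worth paging on, since a failed burst alone is background noise on any internet-facing host.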
Sensitive files
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
Network infrastructure
Routing, gateway, DNS
route
ip route                   # show the main routing table
ip neigh                   # show the neighbour (ARP) table
cat /etc/resolv.conf       # configured DNS servers
arp -e
ls -alh /var/mail/         # local mail spool