Summary of Ultimate Linux Penetration Testing Commands

This article mainly shares with you a summary of the ultimate Linux penetration testing commands. The following is a penetration testing memo for Linux machines. They are some typical commands during later development or when performing command injection and other operations. They are designed for testers to perform local enumeration. For inspection purposes.

##netstat -tulpn Display the network port corresponding to the process ID (PID) in Linux. watch ss -stplu Watch TCP, UDP ports in real time through sockets. lsof -i Display confirmed connections. macchanger -m MACADDR INTR Change the MAC address on KALI Linux. ifconfig eth0 192.168.2.1/24 Set the ID address in Linux. ifconfig eth0:1 192.168.2.3/24 Add an IP address to an existing network interface in Linux. ifconfig eth0 hw ether MACADDR Use ifconfig to modify the MAC address in Linux. ifconfig eth0 mtu 1500 Use ifconfig in Linux to modify the MTU size and change 1500 to the MTU you want. dig -x 192.168.1.1 Perform a reverse lookup of the IP address. host 192.168.1.1 Perform reverse lookup on an IP address, suitable for situations where dig is not installed. dig @192.168.2.2 domain.com -t AXFR Use dig to perform a DNS zone transfer. host -l domain.com nameserver Use host to perform a DNS zone transfer. nbtstat -A x.x.x.x Get the domain name corresponding to the IP address. ip addr add 192.168.2.22/24 dev eth0 Add a hidden IP address to Linux that will not be displayed when executing the ifconfig command. tcpkill -9 host google.com Block access to google.com from the host. echo "1" > /proc/sys/net/ipv4/ip_forward Enable IP forwarding and turn the Linux box into a router - this is convenient Routing traffic is controlled through this box. echo "8.8.8.8" > /etc/resolv.conf Use Google's DNS.

Command	Description

System information command

is useful for local enumeration checks.

Command Description ##whoami id last mount df -h echo "user:passwd" | chpasswd getent passwd strings /usr/local/bin/blah uname -ar PATH=$PATH:/my/new-path history Redhat/CentOS/RPM based distribution

showLinux Currently logged in user.
Displays the currently logged in users and groups to the user.
Displays the last logged in user.
Display the mounted driver.
Display disk usage with human-readable output.
Reset password with one line of command.
List users on Linux.
Display the contents of non-text files, for example: what is in a binary file.
Displays the running kernel version.
Add a new path to facilitate local file system (FS) operations.
Displays the history of bash scripts executed by the user before, as well as the commands typed.

YUM Command

RPM-based systems use a package manager. You can use these commands to get useful information about installed packages or other tools.

Command cat /etc/redhat-release rpm -qa rpm -q --changelog openvpn

Description
Displays the Redhat/CentOS version number.
List all installed RPM packages on RPM-based Linux.
Check whether the installed RPM is patched for CVE. You can use the grep command to filter out output related to CVE.

##yum update Use YUM updates all RPM packages and also shows which ones are out of date. yum update httpd Update individual packages, in this case HTTPD (Apache). yum install package Use YUM to install a package. yum --exclude=package kernel* update Exclude a package from updating when using YUM. yum remove package Use YUM to remove the package. yum erase package Use YUM to delete the package. yum list package List information about yum packages. yum provides httpd Displays the purpose of a package, for example: Apache HTTPD Server. yum info httpd Display package information, architecture, version and other information. yum localinstall blah.rpm Use YUM to install the local RPM, install from the repository. yum deplist package Display the provider information of the package. yum list installed | more List all installed packages. yum grouplist | more Display all YUM groups. yum groupinstall 'Development Tools' Install YUM group.

Command	Description

Debian/Ubuntu/.deb based distribution

Command Description cat /etc/debian_version Displays the Debian version number. cat /etc/*-release Display Ubuntu version number. dpkg -l List all installed packages on Debian/.deb based Linux distributions. Linux User Management

Command Description useradd new-user Create a new Linux user. passwd username Reset the Linux user password. If you are the root user, just enter the password. deluser username Delete a Linux user. Linux decompression command

How to parse different compressed packages (tar, zip, gzip, bzip2, etc.) on Linux, and others Tips for searching and other operations in compressed files.

Command Description ##unzip archive.zip zipgrep *.txt archive.zip tar xf archive.tar tar xvzf archive.tar.gz tar xjf archive.tar.bz2 tar ztvf file.tar.gz | grep blah gzip -d archive.gz zcat archive.gz zless archive.gz zgrep 'blah' /var/log/maillog*.gz vim file.txt.gz upx -9 -o output.exe input.exe Linux Compression Command

Extract the files in the zip package on Linux.
Search in a zip archive.
Extract the files in the tarball on Linux.
Extract the files in the tar.gz package on Linux.
Extract the files in the tar.bz2 package on Linux.
Search in a tar.gz file.
Extract files in gzip on Linux.
Read a gz file without decompression on Linux.
Use fewer commands to achieve the same function of .gz compressed package.
Search the contents of the .gz compressed package on Linux, for example, if the search is compressed log file.
Use vim to read .txt.gz files (my personal favorite).
Use UPX to compress .exe files on Linux.

Linux 文件命令

Command zip -r file.zip /dir/* Create a .zip file on Linux. tar cf archive.tar files tar czf archive.tar.gz files tar cjf archive.tar.bz2 files gzip file

Description
Create a tar file on Linux.
Create a tar.gz file on Linux.
Create a tar.bz2 file on Linux.
Create a .gz file on Linux.

命令	描述
df -h blah	在 Linux 上显示文件/目录的大小。
diff file1 file2	在 Linux 上比对/显示两个文件之间的差别。
md5sum file	在 Linux 上生成 MD5 摘要。
md5sum -c blah.iso.md5	在 Linux 上检查文件的 MD5 摘要，这里假设文件和 .md5 处在相同的路径下。
file blah	在 Linux 上查找出文件的类型，也会将文件是 32 还是 64 位显示出来。
dos2unix	将 Windows 的行结束符转成 Unix/Linux 的。
base64 < input-file > output-file	对输入文件进行 Base64 编码，然后输出一个叫做 output-file 的 Base64 编码文件。
base64 -d < input-file > output-file	对输入文件进行 Base64 解码，然后输出一个叫做 output-file 的 Base64 解码文件。
touch -r ref-file new-file	使用来自于引用文件的时间戳数据创建一个新文件，放上 -r 以简单地创建一个文件。
rm -rf	不显示确认提示就删除文件和目录。

Samba 命令

从 Linux 连接到 Samba 共享。

$ smbmount //server/share /mnt/win -o user=username,password=password1 $ smbclient -U user \\\\server\\share $ mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

打破 shell 的限制

要谢谢 G0tmi1k(（或者他参考过的内容）。

Python 小技巧：

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

Misc 命令

命令	描述
init 6	从命令行重启 Linux 。
gcc -o output.c input.c	编译 C 代码。
gcc -m32 -o output.c input.c	交叉编译 C 代码，在 64 位 Linux 上将编译出 32 位的二进制文件。
unset HISTORYFILE	关闭 bash 历史日志记录功能。
rdesktop X.X.X.X	从 Linux 连接到 RDP 服务器。
kill -9 $$	关掉当前的会话。
chown user:group blah	修改文件或者目录的所有者。
chown -R user:group blah	修改文件或者目录，以及目录下面文件/目录的拥有者 —— 递归执行 chown。
chmod 600 file	修改文件/目录的权限设定, 详情见 [Linux 文件系统权限](#linux-file-system-permissions) 。

清除 bash 历史：

$ ssh user@X.X.X.X | cat /dev/null > ~/.bash_history

Linux 文件系统权限

取值	意义
777	rwxrwxrwx 没有限制，完全可读可写可执行（RWX），用户可以做任何事情。
755	rwxr-xr-x 拥有者可完全访问，其他人只能读取和执行文件。
700	rwx------ 拥有者可完全访问，其他人都不能访问。
666	rw-rw-rw- 所有人可以读取和写入，但不可执行。
644	rw-r--r-- 拥有者可以读取和写入，其他人只可以读取。
600	rw------- 拥有者可以读取和写入，其他人都不能访问。

Linux File System Penetration Testing Memo

Directory	Description
/	/ is also known as the "slash" or root.
/bin	A common program shared by the system, system administrators, and users.
/boot	Boot file, boot loader (grub), kernel, vmlinuz
/dev	Contains references to system devices and files with special attributes.
/etc	Important system configuration files.
/home	The home directory of the system user.
/lib	Library files, including files for all types of programs required by the system and users.
/lost+found	Failed file operations will be saved here.
/mnt	The standard mount point for external file systems.
/media	Mount point for external file systems (or some distributions).
/net	The standard mount point of the entire remote file system - nfs.
/opt	Generally contains some additional or third-party software.
/proc	A virtual file system that contains information about system resources.
/root	The home directory of the root user.
/sbin	A program used by systems and system administrators.
/tmp	The temporary space used by the system will be cleared when restarting.
/usr	Programs, libraries, documentation, etc. for use by all user-related programs.
/var	Stores all variable files and temporary files created by users, such as log files, mail queues, print spoolers, web servers, databases, etc. .

Interesting Files/Directories in Linux

If you want to try privilege escalation/perform post-development, these are some commands worth checking out.

##/etc/passwd Includes local Linux users. /etc/shadow Contains the hashed local account password. /etc/group Contains local account groups. /etc/init.d/ Contains the service network initialization script - it should be worth taking a look at what is installed. /etc/hostname The hostname of the system. /etc/network/interfaces Network interfaces. /etc/resolv.conf System DNS service. /etc/profile System environment variables. ~/.ssh/ SSH key. ~/.bash_history User’s bash history log. /var/log/ Linux system log files are generally stored here. /var/adm/ UNIX system log files are generally stored here. The usual path where Apache access log files exist. /etc/fstab Mounted file system. ## Related recommendations:

Path	Description
/var/log/httpd/access.log

mysql creation, deletion of users and authorization (linux test)_MySQL

How to use the sed command and awk command in linux

Linux command line summary

The above is the detailed content of Summary of Ultimate Linux Penetration Testing Commands. For more information, please follow other related articles on the PHP Chinese website!