Kinky linux command line

Graphical user interfaces (GUIs) are helpful for many tasks, but they box you in to the tasks the designer built the GUI for. This is true to some extent for the command line too, since it relies on the commands available. Still, many commands are so basic (close to the kernel), come with so many flags and options, or can be built on and combined with other commands in shell scripts so easily, that knowing the command line and shell scripting is well worth the effort.

If you are new to linux, I recommend doing the tutorials marked with a “!” first.

Command Line Culture


Getting started

Bash shells come with a very useful utility called man, short for manual. It gives a standardised format for documenting the purpose and usage of most utilities, libraries and system calls. For documentation beyond the man pages, see the Linux Documentation Project site.


Working with files

Everything in linux can be viewed as a file:

  • regular files are documents, images, archives, recordings, directories (just a file containing names of other files) …
  • (character and block) device files give you access to hardware components
  • named pipes and sockets give access points for processes to communicate with each other
  • (hard and soft) links make a file accessible from different locations

From the command line, there are many ways to create, find and list different types of files. You can determine the type of a file with the file command:

$ file privatelyinvestigating.wordpress.2015-05-02.xml 
privatelyinvestigating.wordpress.2015-05-02.xml: XML document text

Input/Output redirection

I/O redirection is one of the easiest things to master, and it allows different utilities to be combined effectively. For example, you may want to search through the output of nmap, tcpdump or a key-logger by feeding that output into a file or into another program for further analysis.
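As an added illustration (not code from the original post), the script below walks through the redirection operators this paragraph is about. It uses a constructed stand-in command called noisy in place of nmap or tcpdump, and every function name in it is this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): separating and combining the
# output streams of a noisy tool. "noisy" is a constructed stand-in for a
# program such as nmap or tcpdump that writes findings to stdout and
# diagnostics to stderr.

noisy() {
    echo "host 10.0.0.1 up"
    echo "error: permission denied on interface" >&2
    echo "host 10.0.0.2 up"
}

# 1> (or just >) sends stdout to a file, 2> sends stderr to another file.
# Prints the number of finding lines that landed in the first file.
split_streams() {
    noisy > "$1/findings.txt" 2> "$1/diagnostics.txt"
    wc -l < "$1/findings.txt" | tr -d ' '
}

# A pipe only carries stdout. 2>/dev/null silences the diagnostics so that
# grep sees clean input; the count of "up" hosts is printed.
count_up_hosts() {
    noisy 2>/dev/null | grep -c ' up$'
}

# 2>&1 before the pipe merges stderr into stdout, so the pipeline sees both.
merged_line_count() {
    noisy 2>&1 | wc -l | tr -d ' '
}

# tee keeps a raw copy on disk while the same data continues down the pipe,
# which is how you archive a capture and analyse it in one pass.
archive_and_filter() {
    noisy 2>/dev/null | tee "$1/raw.txt" | grep -c '10.0.0.2'
}

# Redirections are applied left to right. "2>&1 > file" first points stderr
# at wherever stdout points *now* (the caller), and only then sends stdout to
# the file, so the error line still escapes to the caller. Compare with
# "> file 2>&1", which is the usual way to capture both streams in one file.
order_matters() {
    noisy 2>&1 > "$1/wrong.txt"
}

# Stand-alone demonstration; uses a temporary directory and removes it again.
demo_dir=$(mktemp -d)
echo "findings kept: $(split_streams "$demo_dir")"
echo "hosts up:      $(count_up_hosts)"
echo "merged lines:  $(merged_line_count)"
echo "raw copy hit:  $(archive_and_filter "$demo_dir")"
rm -rf "$demo_dir"
```

The order_matters function is the one worth remembering: the only difference between a capture file that contains the errors and one that silently lacks them is the order of the two redirections.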


Regular expressions

Regular expressions are strings that describe a set of strings, written in a small language created for that purpose. That probably reads like garble, but a few examples will help. Regular expressions are useful for expansion, static source code analysis, reverse engineering, malware fingerprinting, vulnerability assessment and exploit development.


Grep can be used with tcpdump to search for specific network traffic:

$ sudo tcpdump -n -A | grep -e 'POST'
[sudo] password for user: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E...=.@.@......e@.H..'.P(.o%~...P.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E...c_@.@..=...e@.H..*.PfC<....wP.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E.....@.@......e@.H...."g;.(.-,WP.9.Nj..POST /login/?login_only=1 HTTP/1.1

Sniffing passwords using egrep:

$ tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
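To make the regular expressions in those commands concrete without capturing anything, here is an added example (not from the original post) that runs grep -E over a constructed, printable imitation of tcpdump -A output. The hosts, paths and credentials in it are invented and the functions are this example's own. It is written from the defender's side: inventory which endpoints still take logins over plain HTTP so they can be moved behind TLS.

```shell
#!/bin/sh
# Added example (not from the original post): extended regular expressions
# with grep over a constructed sample that imitates "tcpdump -A" output.
# Every host, path and credential below is invented.

sample() {
    printf '%s\n' \
        'E..=.@.@..e@.H.P..POST /blog/wp-admin/admin-ajax.php HTTP/1.1' \
        'E..c_@.@..e@.H.P..GET /blog/ HTTP/1.1' \
        'E....@.@..e@.H.P..POST /login/?login_only=1 HTTP/1.1' \
        'log=admin&pwd=hunter2&wp-submit=Log+In' \
        'Host: example.test' \
        'E..a@.@..e@.H.P..POST /api/v1/session HTTP/1.1' \
        '{"username":"alice","password":"s3cret"}'
}

# -o prints only the matching part, -E enables extended syntax (alternation
# with |, grouping with ( ), ? for "optional"). The dot in "1\.[01]" is
# escaped because an unescaped dot matches any character.
request_lines() {
    sample | grep -oE '(GET|POST|PUT|DELETE) [^ ]+ HTTP/1\.[01]'
}

# Same idea, but only the path of POST requests: [^ ]+ is "one or more
# non-space characters", i.e. the path up to the next space.
post_paths() {
    sample | grep -oE 'POST [^ ]+' | cut -d' ' -f2
}

# Count lines carrying a credential field in cleartext. The leading group
# requires the field name to start a line or follow a separator, so "log"
# does not fire on "/blog/" and "login_only" is not mistaken for "log=".
# -i makes the match case-insensitive, -c counts matching lines.
cleartext_credential_lines() {
    sample | grep -ciE '(^|[&?{ ,"])(pass(w(or)?d)?|pwd|user(name)?|log)"?[=:]'
}

# Hosts named in the capture, anchored with ^ so "Host:" inside a body or a
# URL does not count.
hosts_seen() {
    sample | grep -oE '^Host: .*' | cut -d' ' -f2
}

echo "requests seen:"
request_lines
echo "POST paths:"
post_paths
echo "lines with cleartext credentials: $(cleartext_credential_lines)"
echo "hosts: $(hosts_seen)"
```

Compared with the long alternation in the egrep command above, the anchored leading group is what keeps the pattern from matching inside unrelated words; without it, a noisy capture produces more false positives than findings.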

Process management (job control)

When an executable program starts up, it runs as a process tracked in the kernel's process table. The ps and top commands show running processes; nice and renice raise and lower the priority of a process; a process can be moved to the background with bg or to the foreground with fg; kill and killall send signals to a process, for example to stop it, (re)start it or make it reread its configuration files; and cron runs commands at scheduled times.


The command pgrep looks through the currently running processes and prints to stdout the process IDs that match the selection criteria. All criteria have to match. Listing all processes named ssh AND owned by root:

$ pgrep -u root ssh

Listing processes owned by root OR daemon:

$ pgrep -u root,daemon
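The following added example (not from the original post) shows the job-control pieces from a script rather than an interactive shell: starting a lowered-priority background job, reading its PID from $!, testing it with kill -0, stopping it with SIGTERM and reaping it with wait. The worker is a constructed stand-in (a sleep) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): managing a background job from a
# script. The "worker" is a constructed stand-in (a lowered-priority sleep)
# for any long-running tool you would start from the shell.

WORKER_PID=""
WORKER_STATUS=""

# Start the worker in the background at reduced priority (nice -n 10 lowers
# it) and remember its process ID from $!.
start_worker() {
    nice -n 10 sleep 300 &
    WORKER_PID=$!
}

# kill -0 sends no signal at all; it only asks the kernel whether the process
# exists and we are allowed to signal it, which makes it a clean liveness test.
is_running() {
    if kill -0 "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Send SIGTERM (the polite request to shut down; SIGKILL cannot be caught and
# is the last resort), then wait so the child is reaped and no zombie stays in
# the process table. wait returns 128 + signal number, so 143 means "died
# from SIGTERM (15)".
stop_worker() {
    kill -TERM "$1" 2>/dev/null || true
    if wait "$1"; then WORKER_STATUS=0; else WORKER_STATUS=$?; fi
}

# Always clean up a helper process when the script ends, however it ends.
cleanup() {
    [ -n "${WORKER_PID}" ] && kill "$WORKER_PID" 2>/dev/null || true
}
trap cleanup EXIT

# Stand-alone demonstration.
start_worker
echo "started worker pid $WORKER_PID, running: $(is_running "$WORKER_PID")"
stop_worker "$WORKER_PID"
echo "worker exit status: $WORKER_STATUS, running now: $(is_running "$WORKER_PID")"
```

Two details matter in practice: wait only works on children of the current shell (so the PID is kept in a variable rather than captured through a subshell), and checking liveness only after wait has reaped the child avoids mistaking a zombie for a running process.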

Shell scripting

Shell scripts are good for automating repetitive shell tasks. Bash and other shells include the “usual” constructs found in programming languages, such as for loops, tests, and if and case statements, but there is only one type of variable: strings.
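An added example (not from the original post) of what "only strings" means in practice, including the quoting pitfall it causes. The helper functions are this example's own; is_prefix validates the kind of argument the arpsweep script further down expects.

```shell
#!/bin/sh
# Added example (not from the original post): every shell variable is a
# string. It is reinterpreted as a number only inside an arithmetic context
# such as $(( )) or the -eq/-le tests, and an unquoted expansion is split into
# words and glob-expanded. All helper names here are this example's own.

# "3" + "4" is 7 only inside $(( )); outside it the two strings are just
# placed next to each other.
add() {
    echo $(( $1 + $2 ))
}
join() {
    echo "$1$2"
}

# Input validation with case: reject anything that is not all digits, then
# compare numerically. Printing yes/no keeps the result easy to capture.
is_octet() {
    case $1 in
        ''|*[!0-9]*) echo no; return ;;
    esac
    if [ "$1" -le 255 ]; then echo yes; else echo no; fi
}

# Validate a two-octet prefix such as "192.168". Parameter expansion
# (${var%%.*}, ${var#*.}) splits the string without starting a subshell.
is_prefix() {
    case $1 in
        *.*.*|*.|.*|'') echo no; return ;;
        *.*) ;;
        *) echo no; return ;;
    esac
    first=${1%%.*}
    second=${1#*.}
    if [ "$(is_octet "$first")" = yes ] && [ "$(is_octet "$second")" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Word splitting: the same string counts as one argument when quoted and as
# several when not (and an unquoted "*" would even expand to file names).
# This is why untrusted input must be quoted before it reaches a command.
count_words_quoted() {
    set -- "$1"
    echo $#
}
count_words_unquoted() {
    set -- $1
    echo $#
}

echo "add 3 4          -> $(add 3 4)"
echo "join 3 4         -> $(join 3 4)"
echo "is_octet 256     -> $(is_octet 256)"
echo "is_prefix 10.0   -> $(is_prefix 10.0)"
echo "quoted 'a b c'   -> $(count_words_quoted 'a b c')"
echo "unquoted 'a b c' -> $(count_words_unquoted 'a b c')"
```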


Network connections

Connecting to a network from a linux box is usually easy, and on occasion not. If a network interface does not come up or needs manual setup, there are many commands for configuring interfaces, checking network connections and setting up special routing. Once the connection is up, there are more commands for getting information about the networks your machine is connected to.


Reconnaissance

The whois system is used by system administrators to obtain contact information for IP address assignments or domain name administrators. Dig is a networking tool that can query DNS servers for information. It can be very helpful for diagnosing problems with domain pointing and is a good way to verify that your configuration is working. An alternative to dig is a command called host. This command functions in a very similar way to dig, with many of the same options. And if dig and whois do not provide you with enough information, tools like dnsmap and dnsenum can be handy.


Enumerating targets on your local network can be done with nmap, arping, hping and fping. The last three let you construct packets for almost any networking protocol and analyse the replies.


If you regularly do arp sweeps of your network, you can use arp-scan or develop your own from this basic script:

#!/bin/bash
# Usage: arpsweep PREFIX INTERFACE   (for example: arpsweep 192.168 eth0)
PREFIX=$1
INTERFACE=$2
if [ -z "$PREFIX" ] || [ -z "$INTERFACE" ]; then
   echo "usage: $0 PREFIX INTERFACE" >&2
   exit 1
fi
for SUBNET in {1..255}
do
   for HOST in {1..255}
   do
      echo "[*] IP : $PREFIX.$SUBNET.$HOST"
      # -c 3: send three requests; -i: interface to send on (plain ASCII
      # hyphens, not the typographic dashes the post originally had; iputils'
      # arping spells the interface flag -I). Error output is discarded.
      arping -c 3 -i "$INTERFACE" "$PREFIX.$SUBNET.$HOST" 2> /dev/null
   done
done
If saved as arpsweep (or arpsweep.sh), call it with, for example:
$ arpsweep 192.168 eth0

Reverse engineering

Learn about reverse engineering and backdooring hosts, discover memory corruption, code injection, and general data- or file-handling flaws that may be used to instantiate arbitrary code execution vulnerabilities.

First, some preparation that makes life a little easier: Metasploit can be driven from within the bash shell.


Disassembly is the process of reversing the effect of compilation as far as possible. It makes no sense at all if you know nothing about the parts of your processor that machine instructions make visible. Minimally you need to know about its registers (which can hold bit vectors/integers, floating-point values or machine addresses), how arithmetic logic units work, how clocking circuits work and why some instructions take more than one clock cycle, how first- and second-level caches work, how memory management units and direct memory access work, and so on.


Network exploitation and monitoring

Warning: Do not execute these on a network or system that you do not own. Execute only on your own network or system for learning purposes. Do not execute these on any production network or system.

Topics:

  • Spoofing
  • Questioning servers
  • Brute-forcing authentication
  • Traffic filtering
  • Testing SSL implementation

I’m enjoying myself tremendously. More to follow … 😀
