
José L. Quiñones Borrero, BS
MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN

LINUX INTRO FOR SECURITY PROFESSIONALS
Copyrights 2012

Got Linux?
Linux is a free Unix-type operating system (kernel) originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code for Linux is freely available to everyone. All freely available tools under Linux were developed under the Free Software Foundation, founded and still run by Richard Stallman. GNU/Linux consists of the kernel, drivers, programs, shell and a GUI (X + Gnome, KDE, Unity).

Boot Stuff
/boot
  vmlinuz.*
  initramfs*
GRUB (boot manager)
  /boot/grub/grub.conf: pass arguments to the kernel
Single user mode
Rescue/Recovery mode (boot DVD/CD)
10/8/12

Init process (pid 1)
init
  init is the father of all processes. Its primary role is to create processes. It uses scripts stored in /etc/init.d.
  /etc/inittab: this is where the initialization level is set.
    id:x:initdefault:
System V (uses runlevels)
  /etc/rc.d: init scripts directory
  rc.sysinit: runs at startup
Upstart (does not keep track of runlevels; they are implemented by the user-space tools)
  /etc/init/: configuration files
  /etc/init.d/: init scripts directory
Common
  /etc/{rc1.d,rc2.d,rc3.d,rc4.d,rc5.d,rc6.d}
  rc.local: runs after startup

Directory Structure
  /: root directory
  /etc: configuration files
  /boot: kernel & bootloader
  /root: root's home dir
  /bin: common shared commands
  /sbin: superuser commands (root only)
  /dev: devices
  /home: users' home dir
  /lib: support & lib files
  /proc: runtime system info (not a dir)
  /tmp: temporary files
  /usr: home dir for apps
  /var: variable data (logs, print spools, ...)
  /mnt: old dir for mount points
  /media: automatic mount points (usb, cdrom, ...)
  /opt: optional structure


Interesting Directories
  /tmp: gets cleaned every time the system is rebooted
  /var/log: all log files are stored here
  /dev/null: null (black hole)
  /dev/zero: zero data
  /dev/urandom: random data
  /dev/shm: ramdisk; files written here never touch the filesystem
  /dev/mem: RAM
  /proc: it's a pseudo directory with sysinfo/sysstate
  .ssh: holds the ssh keys and known hosts for ssh
  .gnupg: holds the gpg keys for the system


Installing from binaries
rpm [options] <filename.rpm>
  -i: install
  -v: verbose
  -U: upgrade
  -e: erase
  -h: hash
  -q: query

dpkg [options] <filename.deb>
  -i: install
  -r: remove
  -l: list

Installing using package managers
PMs will download needed packages and install them with all dependencies.
RPM-based systems use yum
  yum [options] <commands> package
    -y
    install, update, check-update
  yum -y install package1 package2 package3
  yum groupinstall group_name

DEB-based systems use apt-get/aptitude
  apt-get
    apt-get install <package>
  aptitude

Installing from source files
Tarballs
  tar -xvzf <tarball.tar>: this will extract files from the tarball to a directory with the same name. Remember to use z (.gz) or j (.bz2) depending on the compression used.
  ./configure: this script will search for libraries, paths, and other information needed for compiling the software. It will create a Makefile to be used by make.
  make: this is the actual compilation command.
  make install: this will copy the files to the appropriate directories (/bin, sbin, etc.).
Source file
  gcc <source.c> -o <compiled_file>

Using the command line
bash (Bourne-again shell)
  .bash_history
  .bashrc
  /etc/bashrc (global options)
  root@host# (logged in as superuser/root, UID=0)
  user@host$ (logged in as non-privileged user)
Commands
  exit, clear, reset, history

Help System
Once you have Linux installed and running, the most important piece of information you need is how to get help.
What are my options?
  (-h or --help)
  whatis <command>
  man / info <command>
  man -k <keywords>
  man <section> <command>
Local docs
  /usr/share/doc
The Linux Documentation Project
  http://tldp.org/

Text File Editing
A text editor is just like a word processor without a lot of features. The main use of a text editor is for writing something in plain text with no formatting so that another program can read it.
vi: this is the universal text editor in Linux.
Common commands:
  insert/replace: insert key toggle
  :w write
  :q quit
  :! do nothing
  :/ search
  :n search next

Other more powerful text editors are: nano, vim, gedit, kedit

Working the CLI
stdin, stdout (1), stderr (2) and redirection
  | || & && > <

Job control
  CTRL+C, CTRL+Z, jobs, fg


Searching
Search for text (strings)
  grep {regex}
    ^string: strictly starts with string
    *string*: anything with string
    string$: strictly ends with string
    [abc]string: has a, b or c before string
    [^abc]string: anything but a, b, or c before string
    \.string: take it literally (escape the .)

Search for commands
  locate <file> (indexed search, updatedb)
  find / -name string (iterative search)
  whereis <command>
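The grep anchors and bracket expressions above, run against a few constructed sshd log lines through a helper named count_matches. This is an added shell example, not material from the original deck; the log lines and the function names are made up.

```shell
#!/bin/sh
# Constructed sample auth-log lines (not real data).
AUTH_LOG='Oct  8 10:01:02 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Oct  8 10:01:09 host sshd[1207]: Failed password for root from 203.0.113.7 port 41022 ssh2
Oct  8 10:01:11 host sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Oct  8 10:02:40 host sshd[1215]: Failed password for bob from 192.168.1.20 port 51000 ssh2
Oct  8 10:03:00 host su: pam_unix(su:session): session opened for user root by bob(uid=1001)'

# count_matches REGEX -> number of sample lines matching a basic regex.
count_matches() {
    printf '%s\n' "$AUTH_LOG" | grep -c -- "$1"
}

# One helper per rule from the slide:
#   plain string       anywhere in the line
#   ^string            anchored at the start of the line
#   string$            anchored at the end of the line
#   [^abc]string       anything but the listed characters before string
#   \.                 a literal dot instead of "any character"
failed_logins()  { count_matches 'Failed password'; }   # 3 lines
root_attempts()  { count_matches 'for root from'; }     # 1 line
starts_oct8()    { count_matches '^Oct  8'; }           # 5 lines
ends_ssh2()      { count_matches 'ssh2$'; }             # 4 lines
from_sshd()      { count_matches 'sshd\[[0-9]*\]'; }    # 4 lines
not_port_5x()    { count_matches 'port [^5]'; }         # 2 lines (the 41022 ones)
dotted_ip()      { count_matches '203\.0\.113\.7'; }    # 2 lines
```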


Recon
Memory
  free -m
Disk space usage
  df -h <directory>
  du -sh <directory>
Environment
  set
  set | grep OSTYPE
  echo $PATH
Date & time
  date
  ntpdate


Recon (cont.)
What processes are running?
  ps aux, top, lsof, pstree

Which kernel am I running & what modules are loaded?
  uname -a
  lsmod

Hardware
  dmidecode, lspci, lsusb

Recon (cont.)
System uptime
  uptime
SELinux policy
  sestatus
  getenforce
Mount points
  mount [options] <device> <mount dir>
  cat /etc/fstab
  fdisk -l
Installed packages
  rpm -qa
  yum list installed
  dpkg -l


Working with Identity
Identity
  who
  w
  last [tty_|<username>]
  id <username>

Impersonate
  su [-|-l|-c <command>]
  sudo <command>

Manage Users & Groups
Users
  useradd -m -o -u <uid> -g <groupX> -G <groupY> <username>
  userdel -r <username>
  usermod [options] <username>

Groups
  groupadd -g <gid> <groupname>
  groupdel <groupname>
  groupmod [options] <groupname>

File Permissions
Standard permissions
          owner   group   others
  letter  rwx     rwx     rwx
  bin     111     111     111
  weight  421     421     421
  dec     7       7       7
Commands
  chmod <permissions> <filename/directory>
  chown <user>:<group> <filename/directory>
  chgrp <group> <filename/directory>
Access Control Lists
  getfacl
Umask
  umask -S
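The 4/2/1 weights from the table and the umask worked through in plain sh, as an added example that is not from the original deck: symbolic_to_octal turns an ls -l mode string into the octal digits, and umask_result shows what a new file or directory ends up with under a given umask. Both function names are assumptions; the inputs are constructed.

```shell
#!/bin/sh
# symbolic_to_octal MODE -> three octal digits, using weights r=4, w=2, x=1.
# MODE is the nine-character string from ls -l, e.g. rwxr-x---.
# s and t in the execute slot are counted as x; the special bits themselves
# (setuid/setgid/sticky) are not reported by this helper.
symbolic_to_octal() {
    mode=$1
    result=""
    for triplet in "$(printf '%s' "$mode" | cut -c1-3)" \
                   "$(printf '%s' "$mode" | cut -c4-6)" \
                   "$(printf '%s' "$mode" | cut -c7-9)"; do
        value=0
        case $triplet in r??) value=$((value + 4)) ;; esac
        case $triplet in ?w?) value=$((value + 2)) ;; esac
        case $triplet in ??x|??s|??t) value=$((value + 1)) ;; esac
        result="$result$value"
    done
    printf '%s\n' "$result"
}

# umask_result UMASK KIND -> mode a new file (KIND=file) or directory
# (KIND=dir) receives: files start from 666, directories from 777, and the
# umask bits are cleared. A leading 0 makes the shell read both as octal.
umask_result() {
    base=666
    if [ "$2" = dir ]; then
        base=777
    fi
    printf '%03o\n' $(( 0$base & (0777 ^ 0$1) ))
}
```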

Working with files/directories
Identify file types
  file <filename>

View contents of a file
  strings, cat, tail, head, less, more, wc

Touching files
  touch <filename>
  touch [-m|-a|-d] -t <STAMP> <filename>


Working with files/directories (cont.)
List files or directories
  ls -al
Manage files
  cp <source> <target>
  mv <source> <target>
  rm -rf <target>
Manage directories
  mkdir <dir_name>
  rmdir <dir_name>
Other
  pwd, ~, ., ..

Strings (Text)
Cutting text from files
  cut -d <delim> [-f <field#>|--fields=x,y,z]

Replacing strings
  sed s/string_to_find/replace_with/g

Sorting
  sort <list>

Echo a string to stdin
  echo string


Cyphers
Hashing
  *sum family utils
    sha[1,256,512]sum
    md5sum
    cksum
  openssl
    openssl dgst -[md5|sha1|sha256|sha512] <file>

Encrypting
  openssl enc -aes256 -in <source> -out <target>
  openssl enc -d -aes256 -in <source> -out <target>
  openssl passwd <password>


Working with processes
Signals
  KILL (9), HUP (1), TERM (15)
Sending signals to processes
  kill -<signal> <PID>
  killall -<signal> <process name>
Priority
  nice -n # pid
  renice -n # pid
Other
  lsof -p <pid>



Password File
/etc/passwd
  user:salt:userid:groupid:name:homedir:defaultshell
  salt key + password = password hash
Prevent login
  Default shell = /sbin/nologin or /sbin/false
  usermod -L <username>
/etc/shadow
  user:$hash_algorithm$hash_value: :
Hash algorithms
  No $#$: DES or crypt()
  $1$: MD5
  $2$: Blowfish
  $5$: SHA256
  $6$: SHA512
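The $id$ prefixes and the passwd/shadow layout above applied to an audit of a few constructed entries, as an added shell example that is not part of the original deck. hash_algo names the algorithm from the prefix (the $2$ family also covers the $2a$/$2y$ variants); audit flags extra UID-0 accounts and empty password hashes, the two things a reviewer checks first. Both function names and all entries are made up.

```shell
#!/bin/sh
# Constructed /etc/passwd and /etc/shadow lines (not from any real system).
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
svc:x:1001:1001:service:/srv/svc:/sbin/false'
SHADOW='root:$6$saltsalt$hashhashhash:15600:0:99999:7:::
daemon:*:15600:0:99999:7:::
alice:$1$salt$hashhash:15600:0:99999:7:::
backup::15600:0:99999:7:::
svc:!$6$saltsalt$hashhashhash:15600:0:99999:7:::'

# hash_algo HASHFIELD -> algorithm name taken from the $id$ prefix.
hash_algo() {
    case $1 in
        '$1$'*)       echo MD5 ;;
        '$2'*)        echo Blowfish ;;      # $2$, $2a$, $2y$
        '$5$'*)       echo SHA256 ;;
        '$6$'*)       echo SHA512 ;;
        ''|'*'|'!'*)  echo none ;;          # empty, or locked with * or !
        *)            echo DES-crypt ;;     # no $id$ prefix: classic crypt()
    esac
}

# audit -> one finding per line:
#   uid0:<user>        a UID-0 account that is not root
#   empty-hash:<user>  a shadow entry with no password hash at all
#   hash:<user>:<algo> the hash type of every account
audit() {
    printf '%s\n' "$PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }'
    printf '%s\n' "$SHADOW" | awk -F: '$2 == "" { print "empty-hash:" $1 }'
    printf '%s\n' "$SHADOW" | awk -F: '{ print $1 ":" $2 }' |
        while IFS=: read -r user hash; do
            echo "hash:$user:$(hash_algo "$hash")"
        done
}
```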

Networking
Connectivity
  ifconfig
    ifconfig -a (show all interfaces)
    ifconfig <int> <ipaddress> (assign ip address)
    ifconfig <int> add <ipaddress> (assign secondary address)
  ifup / ifdown scripts
  netstat -nap (show all connections with the process associated to each)
  ping -c X <ipaddress>

Routing
  route add default gw <gw_ipaddress>
  traceroute [-T|-U|-I|-p] <target>
ARP
  arp -a
  arping <ip address>

Networking (cont.)
Network connections
  netstat [options]
    -a: all
    -n: do not resolve
    -p: show process
    -t: show only tcp
    -u: show only udp

Firewall
  iptables [-L|-F]

CLI internet
  wget http://site.com/file
  ftp user:password@ftp.site.com
  ssh -i rsa_key user@host.domain.com -p <port>
  telnet host.domain.com

Name Resolution
/etc/resolv.conf
  nameserver <dns_ip>

dig
  dig @<dns_ip> <domain_name> -t AXFR
  dig @<dns_ip> <domain_name> -t <type_of_record>

nslookup
  nslookup -query=<record_type> <host|domain> <dns_server>

host
  host -t <record_type> <host/domain> <dns_ip>


Next Time!
Pivoting Techniques
  ssh, netcat, bash, metasploit, routing (linux), windows routing, proxychains

Thanks!
josequinones@codedelio.org

