Quiñones Borrero, BS
MCP, MCSA, MCT, CEH, CEI, GCIH, GPEN
LINUX INTRO FOR SECURITY PROFESSIONALS
Copyrights 2012
Got Linux?
Linux is a free Unix-type operating system (kernel) originally created by Linus Torvalds with the assistance of developers around the world. Developed under the GNU General Public License, the source code for Linux is freely available to everyone. All freely available tools under Linux were developed under the Free Software Foundation, founded and still run by Richard Stallman. GNU/Linux consists of the kernel, drivers, programs, shell and a GUI (X + Gnome, KDE, Unity).
Boot Stuff
/boot
  vmlinuz.*  initramfs*
GRUB (boot manager)
  /boot/grub/grub.conf  pass arguments to the kernel
Single user mode
Rescue/Recovery mode (boot DVD/CD)
10/8/12
Init process (pid 1)
init
init is the father of all processes. Its primary role is to create processes. It uses scripts stored in /etc/init.d. /etc/inittab is where the initialization level (default runlevel) is set:
  id:x:initdefault:
System V (uses runlevels)
  /etc/rc.d  init scripts directory
  rc.sysinit  runs at startup
Upstart (does not keep track of runlevels; they are implemented by the userspace tools)
  /etc/init/  configuration files
  /etc/init.d/  init scripts directory
Common Directory Structure
  /: root directory
  /etc: configuration files
  /boot: kernel & boot loader
  /root: root's home dir
  /bin: common shared commands
  /sbin: superuser commands (root only)
  /dev: devices
  /home: users' home dir
  /lib: support & lib files
  /proc: runtime system info (not a dir)
  /tmp: temporary files
  /usr: home dir for apps
  /var: variable data (logs, print spools, ...)
  /mnt: old dir for mount points
  /media: automatic mount points (usb, cdrom, ...)
  /opt: optional structure
Interesting Directories
  /tmp: gets cleaned every time the system is rebooted
  /var/log: all log files are stored here
  /dev/null: null (black hole)
  /dev/zero: zero data
  /dev/urandom: random data
  /dev/shm: ramdisk; files written here never touch the filesystem
  /dev/mem: RAM
  /proc: it's a pseudo directory with sys info / sys state
  .ssh: holds the ssh keys and known hosts for ssh
  .gnupg: holds the gpg keys for the system
Installing from binaries
rpm [options] <filename.rpm>
  -i  install
  -v  verbose
  -U  upgrade
  -e  erase
  -h  hash
  -q  query
dpkg [options] <filename.deb>
  -i : install
  -r : remove
  -l : list
Installing using package managers
PMs will download needed packages and install them with all dependencies.
RPM based systems use yum
yum [options] <commands> package
  options:  -y
  commands: install  update  check-update
  yum -y install package1 package2 package3
  yum groupinstall group_name
DEB based systems use apt-get / aptitude
apt-get
  apt-get install <package>
aptitude
Installing from source files
Tarballs
  tar xvzf <tarball.tar.gz>  this will extract files from the tarball to a directory with the same name. Remember to use z (.gz) or j (.bz2) depending on the compression used.
  ./configure  this script will search for libraries, paths, and other information needed for compiling the software. It will create the Makefile to be used by make.
  make  this is the actual compilation command.
  make install  this will copy the files to the appropriate directories (/bin, /sbin, etc.)
Source file
  gcc <source.c> -o <compiled_file>
Using the command line
bash: Bourne-again shell
  .bash_history  .bashrc  /etc/bashrc (global options)
  root@host#  (logged in as superuser/root, UID=0)
  user@host$  (logged in as non-privileged user)
  exit  clear  reset  history
Commands
Help System
Once you have Linux installed and running, the most important piece of information you need is how to get help. What are my options?
  (-h or --help)
  whatis <command>
  man
  info <command>
  man -k <keywords>
  man <section> <command>
Local docs
  The Linux Documentation Project
  http://tldp.org/
  /usr/share/doc
Text File Editing
A text editor is just like a word processor without a lot of features. The main use of a text editor is for writing something in plain text with no formatting so that another program can read it.
vi: this is the universal text editor in Linux.
Common commands:
  insert/replace  insert key toggle
  :w  write
  :q  quit
  :!  do nothing
  :/  search
  :n  search next
Other more powerful text editors are:
  nano, vim, gedit, kedit
Working the CLI
stdin, stdout (1), stderr (2) and redirection
  |  ||  &  &&  >  <
Job control
  CTRL+C  CTRL+Z  jobs  fg
Searching
Search for text (strings)
grep {regex}
  ^string: strictly starts with string
  *string*: anything with string
  string$: strictly ends with string
  [abc]string: has a, b or c before string
  [^abc]string: anything but a, b, or c before string
  \.string: take it literal (escape .)
Search for commands
  locate <file>  indexed search (updatedb)
  find / -name string  iterative search
  whereis <command>
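The six grep constructs from the slide, run over a constructed set of auth-log style lines, as an added example (this script is not part of the original slides; the hostnames, users and addresses in SAMPLE_LINES are made up). It also shows the stdout/stderr split from the CLI slide: grep writes "no such file" to stderr (2), so redirecting 2>/dev/null keeps the count clean. Note that a plain pattern such as `password` already matches anywhere in the line, and that `[^ab]ssh` requires some character in front of "ssh", so a line that begins with "ssh" does not match it.

```shell
#!/bin/sh
# Added example: grep anchors and bracket expressions on constructed log lines.
SAMPLE_LINES='sshd: Accepted password for alice from 10.0.0.5
sshd: Failed password for root from 10.0.0.9
cron: session opened for user bob
sshd: Failed password for invalid user admin from 10.0.0.9
kernel: eth0 link is up
app.log rotated
bsshd: not really sshd
catalog updated'

# count_matches PATTERN -> number of sample lines matching the basic regex
# (grep -c exits 1 when the count is 0; "|| true" keeps that from aborting
# a script running under set -e)
count_matches() {
    printf '%s\n' "$SAMPLE_LINES" | grep -c -- "$1" || true
}

# Each helper returns a line count; the pattern is the slide's construct.
starts_with_sshd()   { count_matches '^sshd'; }     # ^string
contains_password()  { count_matches 'password'; }  # anything with string
ends_with_9()        { count_matches '9$'; }        # string$
a_or_b_before_sshd() { count_matches '[ab]sshd'; }  # [abc]string
not_a_b_before_ssh() { count_matches '[^ab]ssh'; }  # [^abc]string
literal_dot_log()    { count_matches '\.log'; }     # \.string (escaped .)
unescaped_dot_log()  { count_matches '.log'; }      # . matches any character

# failed_logins_from_file FILE -> count of "Failed password" lines, or 0 when
# the file cannot be read; the error message goes to stderr (2) and is dropped
failed_logins_from_file() {
    n=$(grep -c 'Failed password' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}
```

The unescaped `.log` matches "catalog" as well as "app.log", which is the point of the slide's escape rule.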
Recon
Memory
  free -m
Disk space usage
  df -h <directory>
  du -sh <directory>
Environment
  set
  set | grep OSTYPE
  echo $PATH
Date & time
  date
  ntpdate
Recon (cont.)
What processes are running?
  ps aux  top  lsof  pstree
Which kernel am I running & what modules are loaded?
  uname -a  lsmod
Hardware
  dmidecode  lspci  lsusb
Recon (cont.)
System uptime
  uptime
SELinux policy
  sestatus  getenforce
Mount points
  mount [options] <device> <mount dir>
  cat /etc/fstab
  fdisk -l
Installed packages
  rpm -qa
  yum list installed
  dpkg -l
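A triage snapshot that runs the commands from the three Recon slides and stores each output in its own file, as an added example (not part of the original slides). The point a practitioner wants beyond the command list is repeatability: one capture taken when a box is known-good can be diffed against a later capture during an incident. Commands that are not installed (sestatus on a box without SELinux, rpm on a Debian system) are recorded as skipped in an INDEX file instead of aborting the run. The directory layout and file names are this example's own choice.

```shell
#!/bin/sh
# Added example: capture recon command output into a directory for later diffing.

# run_recon [DIR]: capture each command into DIR/<name>.txt and list what ran
# in DIR/INDEX; prints the directory path (a temp dir when none is given)
run_recon() {
    out=${1:-$(mktemp -d)}
    mkdir -p "$out"
    : > "$out/INDEX"
    capture() {                          # capture NAME COMMAND [ARGS...]
        name=$1; shift
        if command -v "$1" >/dev/null 2>&1; then
            "$@" > "$out/$name.txt" 2>&1 || true   # keep going on non-zero exit
            echo "$name: $*" >> "$out/INDEX"
        else
            echo "$name: SKIPPED ($1 not found)" >> "$out/INDEX"
        fi
    }
    capture uname     uname -a
    capture uptime    uptime
    capture memory    free -m
    capture disk      df -h
    capture processes ps aux
    capture modules   lsmod
    capture selinux   sestatus
    capture mounts    mount
    capture fstab     cat /etc/fstab
    capture rpm_pkgs  rpm -qa
    capture deb_pkgs  dpkg -l
    echo "$out"
}

# captured_count DIR -> number of commands that actually ran
captured_count() {
    grep -vc SKIPPED "$1/INDEX" || true
}

# diff_snapshots OLD NEW -> number of capture files whose content changed
# between two snapshots (new listeners, new modules, new packages, ...)
diff_snapshots() {
    n=0
    for f in "$1"/*.txt; do
        b=$(basename "$f")
        cmp -s "$f" "$2/$b" || n=$((n + 1))
    done
    echo "$n"
}
```

Run `run_recon /root/baseline` once on a freshly built system, and `run_recon /root/now` when something looks off; `diff_snapshots` tells you which captures to read first, and `diff` on those files shows the change.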
Working with Identity
Identity
  who  w  last [tty | <username>]  id <username>
Impersonate
  su [- | -l | -c <command>] [<username>]
  sudo <command>
Manage Users & Groups
Users
  useradd -m -o -u <uid> -g <groupX> -G <groupY> <username>
  userdel -r <username>
  usermod [options] <username>
Groups
  groupadd -g <gid> <groupname>
  groupdel <groupname>
  groupmod [options] <groupname>
File Permissions
Standard Permissions
            owner   group   others
  letter    rwx     rwx     rwx
  bin       111     111     111
  weight    421     421     421
  dec       7       7       7
Commands
  chmod <permissions> <filename/directory>
  chown <user>:<group> <filename/directory>
  chgrp <group> <filename/directory>
Access Control Lists
  getfacl
Umask
  umask -S
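The weight table above turned into code, as an added example (not from the original slides): perm_to_octal converts the nine-letter mode string that ls -l prints into the three octal digits chmod takes, effective_mode applies a umask to the kernel's default creation modes (666 for files, 777 for directories), and is_world_writable is the one-line audit check most often wanted when reviewing a listing. The function names are this example's own.

```shell
#!/bin/sh
# Added example: rwx letters <-> octal weights, and what a umask leaves behind.

# triplet_value rwx -> 7, r-x -> 5, --- -> 0   (r=4, w=2, x=1)
# s and t in the execute slot (setuid/setgid/sticky with x set) count as x
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# perm_to_octal "rwxr-x---" -> 750   (owner, group, others columns)
perm_to_octal() {
    m=$1
    o=$(triplet_value "$(printf '%s' "$m" | cut -c1-3)")
    g=$(triplet_value "$(printf '%s' "$m" | cut -c4-6)")
    w=$(triplet_value "$(printf '%s' "$m" | cut -c7-9)")
    echo "$o$g$w"
}

# effective_mode UMASK BASE -> BASE with the umask bits cleared:
# effective_mode 022 666 -> 644 ; effective_mode 027 777 -> 750
effective_mode() {
    umask_bits=$((0$1))      # leading 0 makes the shell parse the digits as octal
    base_bits=$((0$2))
    printf '%03o\n' $((base_bits & ~umask_bits))
}

# is_world_writable "rw-rw-rw-" -> yes ; looks only at the w in the others column
is_world_writable() {
    case "$1" in ???????w?) echo yes ;; *) echo no ;; esac
}

# default_file_mode UMASK -> mode a newly created file gets under that umask
default_file_mode() { effective_mode "$1" 666; }
# default_dir_mode UMASK -> mode a newly created directory gets
default_dir_mode()  { effective_mode "$1" 777; }
```

A umask of 077 gives new files 600 and new directories 700, which is the usual hardening choice for service accounts and root shells; 022 (files 644, directories 755) is the common interactive default.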
Working with files/directories
Identify file types
  file <filename>
View contents of a file
  strings  cat  tail  head  less  more  wc
Touching files
  touch <filename>
  touch [-m|-a|-d] -t <STAMP> <filename>
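What touch -t can and cannot change, as an added example (not from the original slides) written from the forensic side: touch -t sets the access and modification times to any stamp, but the inode change time (ctime) always moves to "now" and has no touch option, so a file whose mtime is far older than its ctime deserves a second look. The check uses stat -c from GNU coreutils (assumed present); the file content and the 2012-01-01 stamp are constructed for the example.

```shell
#!/bin/sh
# Added example: compare mtime against ctime to spot rewritten timestamps.

# make_backdated_file -> path of a temp file whose mtime was stamped with
# the touch -t syntax from the slide (CCYYMMDDhhmm = 2012-01-01 00:00)
make_backdated_file() {
    f=$(mktemp)
    echo "constructed sample content" > "$f"
    touch -m -t 201201010000 "$f"
    echo "$f"
}

# make_fresh_file -> path of a temp file left with its natural timestamps
make_fresh_file() {
    f=$(mktemp)
    echo "constructed sample content" > "$f"
    echo "$f"
}

# timestamp_check FILE -> MTIME_BEFORE_CTIME when the modification time is
# more than TOLERANCE seconds older than the inode change time, else CONSISTENT
TOLERANCE=60
timestamp_check() {
    mtime=$(stat -c %Y "$1")    # epoch seconds of last content change
    ctime=$(stat -c %Z "$1")    # epoch seconds of last inode change
    if [ $((ctime - mtime)) -gt "$TOLERANCE" ]; then
        echo MTIME_BEFORE_CTIME
    else
        echo CONSISTENT
    fi
}

# show_times FILE -> "mtime=<epoch> ctime=<epoch>" for the report
show_times() {
    echo "mtime=$(stat -c %Y "$1") ctime=$(stat -c %Z "$1")"
}
```

Treat the result as a lead, not a verdict: files unpacked from an archive or copied with cp -p legitimately keep an old mtime with a new ctime. What the check gives you is a short list to explain, and ctime is the one stamp a plain touch cannot rewrite.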
Working with files/directories (cont.)
List files or directories
  ls -al
Manage files
  cp <source> <target>
  mv <source> <target>
  rm -rf <target>
Manage directories
  mkdir <dir_name>
  rmdir <dir_name>
Other
  pwd  ~  .  ..
Strings (Text)
Cutting text from files
  cut -d <delim> [-f <field#> | --fields=x,y,z]
Replacing strings
  sed s/string_to_find/replace_with/g
Sorting
  sort <list>
Echo a string to stdin
  echo string
Ciphers
Hashing
*sum family utils
  sha[1,256,512]sum  md5sum  cksum
  openssl dgst -[md5|sha1|sha256|sha512] <file>
openssl
Encrypting
  openssl enc -aes256 -in <source> -out <target>
  openssl enc -d -aes256 -in <source> -out <target>
  openssl passwd <password>
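What the *sum utilities are for in practice, as an added example (not from the original slides): a SHA256SUMS manifest is written for two constructed files, checked with sha256sum -c, and then one file is altered so the check reports FAILED, which is exactly the signal you want from a tampered or corrupted download. Where openssl is installed, the same digest is computed with openssl dgst to show the two tools agree. File names and contents are made up for the example.

```shell
#!/bin/sh
# Added example: build a sha256 manifest, verify it, and detect a changed file.

# setup_release_dir -> path of a temp dir holding two constructed files and a
# SHA256SUMS manifest in the "<hex>  <name>" format sha256sum -c expects
setup_release_dir() {
    d=$(mktemp -d)
    printf 'binary one\n' > "$d/tool"
    printf 'config two\n' > "$d/tool.conf"
    ( cd "$d" && sha256sum tool tool.conf > SHA256SUMS )
    echo "$d"
}

# verify_manifest DIR -> OK when every listed file matches, else FAILED
verify_manifest() {
    if ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 ); then
        echo OK
    else
        echo FAILED
    fi
}

# tamper DIR: append a single byte to one file, as a corrupted or
# substituted download would look to the verifier
tamper() {
    printf 'x' >> "$1/tool"
}

# digest_agrees FILE -> yes when openssl dgst and sha256sum give the same hex
# digest, no when they differ, skipped when openssl is not installed
digest_agrees() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return; }
    a=$(sha256sum "$1" | cut -d ' ' -f 1)
    b=$(openssl dgst -sha256 "$1" | sed 's/^.*= //')   # strip "SHA256(name)= "
    [ "$a" = "$b" ] && echo yes || echo no
}
```

The manifest only proves integrity against the copy of SHA256SUMS you trust; fetch it over a separate, authenticated path (or a signed copy) rather than from the same place as the files, otherwise whoever changed the file can change the manifest too.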
Working with processes
Signals
  KILL (9)  HUP (1)  TERM (15)
  kill -<signal> <PID>
  killall -<signal> <process name>
  nice -n # <command>
  renice -n # <pid>
  lsof -p <pid>
Password File
/etc/passwd
  salt key + password = password hash
  Prevent login
/etc/shadow
  user:salt:userid:groupid:name:homedir:defaultshell
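The cut, sed and sort tools from the Strings slide applied to the /etc/passwd layout from the Password File slide, as an added example covering both (not from the original slides). Every function answers a question an auditor asks of a password file: which accounts have uid 0 besides root, which have an empty password field (no password needed at all), which shadow entries are locked (the "prevent login" case), and which shells are in use. The passwd and shadow lines are constructed for the example; the hashes are placeholders.

```shell
#!/bin/sh
# Added example: auditing a passwd/shadow layout with cut, grep, sed and sort.
PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
backup:x:0:0:backup svc:/var/backups:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/bash'

SHADOW='root:$6$salt$hash:15600:0:99999:7:::
alice:$6$salt$hash:15600:0:99999:7:::
bob:!:15600:0:99999:7:::
backup:$6$salt$hash:15600:0:99999:7:::'

# uid0_accounts -> space-separated, sorted names of accounts whose uid is 0;
# anything other than "root" here is a finding
uid0_accounts() {
    printf '%s\n' "$PASSWD" | cut -d: -f1,3 | grep ':0$' | cut -d: -f1 \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# empty_password_accounts -> accounts whose password field is empty (no "x"
# pointing at /etc/shadow, so login needs no password)
empty_password_accounts() {
    printf '%s\n' "$PASSWD" | grep '^[^:]*::' | cut -d: -f1
}

# locked_accounts -> shadow entries whose hash field starts with ! or *
locked_accounts() {
    printf '%s\n' "$SHADOW" | cut -d: -f1,2 | grep ':[!*]' | cut -d: -f1
}

# shells_in_use -> distinct default shells, sorted; sed keeps only the last field
shells_in_use() {
    printf '%s\n' "$PASSWD" | sed 's/.*://' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# nologin_line NAME -> the account's passwd line with its shell replaced by
# /sbin/nologin, the sed s/find/replace/ form from the slide
nologin_line() {
    printf '%s\n' "$PASSWD" | grep "^$1:" | sed 's#/bin/[a-z]*$#/sbin/nologin#'
}
```

On a live system replace the two here-strings with `cat /etc/passwd` and `cat /etc/shadow` (the latter as root); the field positions are the same as on the slide, so the cut -f numbers do not change.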
Networking
Connectivity
ifconfig
  ifconfig -a  (show all interfaces)
  ifconfig <int> <ipaddress>  (assign ip address)
  ifconfig <int> add <ipaddress>  (assign secondary address)
  ifup / ifdown scripts
  netstat -nap  (show all connections with the process associated to it)
  ping -c X <ipaddress>
Routing
  route add default gw <gw_ipaddress>
  traceroute [-T|-U|-I|-p] <target>
ARP
  arp -a
  arping <ip address>
Networking (cont.)
Network connections
netstat [options]
  -a: all
  -n: do not resolve
  -p: show process
  -t: show only tcp
  -u: show only udp
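Reading netstat -natp output the way a reviewer does, as an added example (not from the original slides): list the LISTEN sockets with their owning process, pick out the ones bound to every interface (0.0.0.0 or ::), and compare them against a short allow list so an unexpected listener stands out. The capture in NETSTAT_OUT is constructed so the script runs offline; its addresses, ports, PIDs and program names are made up, and the allow list is this example's own.

```shell
#!/bin/sh
# Added example: inventory listening sockets from netstat -natp output.
NETSTAT_OUT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2301/nc
tcp        0      0 10.0.0.5:22             10.0.0.9:51822          ESTABLISHED 1901/sshd
tcp        0      0 10.0.0.5:51000          203.0.113.7:443         ESTABLISHED 2310/wget'

# listening_sockets -> "proto local_address pid/program" for every LISTEN row
# (columns: 1 proto, 4 local address, 6 state, 7 pid/program)
listening_sockets() {
    printf '%s\n' "$NETSTAT_OUT" | awk '$6 == "LISTEN" {print $1, $4, $7}'
}

# exposed_listeners -> listeners bound to all interfaces, i.e. reachable from
# the network rather than only from localhost
exposed_listeners() {
    printf '%s\n' "$NETSTAT_OUT" \
        | awk '$6 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {print $4, $7}'
}

# unexpected_listeners -> exposed listeners whose program name is not in
# ALLOWED_PROGRAMS (space-separated; constructed for this example)
ALLOWED_PROGRAMS='sshd'
unexpected_listeners() {
    exposed_listeners | while read -r addr prog; do
        name=${prog#*/}                       # "2301/nc" -> "nc"
        case " $ALLOWED_PROGRAMS " in
            *" $name "*) ;;
            *) echo "$addr $prog" ;;
        esac
    done
}

# count_established -> number of ESTABLISHED connections in the capture
count_established() {
    printf '%s\n' "$NETSTAT_OUT" | awk '$6 == "ESTABLISHED"' | wc -l | tr -d ' '
}
```

On a real host feed `netstat -natp` (as root, so the PID/Program column is filled in for every socket) into the same awk expressions; the mysqld entry bound to 127.0.0.1 is the pattern you want to see for services that do not need to be reachable from outside.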
Firewall
  iptables [-L|-F]
CLI internet
  wget http://site.com/file
  ftp user:password@ftp.site.com
  ssh -i rsa_key user@host.domain.com -p <port>
  telnet host.domain.com
Name Resolution
/etc/resolv.conf
  nameserver <dns_ip>
dig
  dig @<dns_ip> <domain_name> -t AXFR
  dig @<dns_ip> <domain_name> -t <type_of_record>
nslookup
  nslookup -query=<record_type> <host|domain> <dns_server>
host
  host -t <record_type> <host/domain> <dns_ip>
Next Time!
Pivoting Techniques
  ssh  netcat  bash  metasploit  routing (linux)  windows routing  proxychains
Gracias!
josequinones@codedelio.org