
Useful Linux commands

Tue May 9, 2017

Below are some useful Linux commands for penetration testing, target reconnaissance and capability assessment. Use them for good, not for evil.

traceroute:

user@host:~$ traceroute <target>

user@host:~$ traceroute google.com
traceroute to google.com (213.157.177.157), 24 hops max, 52 byte packets
 1  192-168-1-110.x.com (192.168.1.110)  9.403 ms  7.301 ms  3.264 ms
 2  10.10.10.10 (10.10.10.10)  47.823 ms  3.649 ms  2.436 ms
 	... etc ...

whois:

user@host:~$ whois [-h whois_server] <name>

user@host:~$ whois google.com
Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Aborting search 50 records found .....
GOOGLE.COM.ACKNOWLEDGES.NON-FREE.COM
GOOGLE.COM.AFRICANBATS.ORG
GOOGLE.COM.ANGRYPIRATES.COM
GOOGLE.COM.AR
	... etc ...

nslookup:

user@host:~$ nslookup <target>

user@host:~$ nslookup google.com
Server:		192.168.1.110
Address:	192.168.1.110#53

Non-authoritative answer:
Name:	google.com
Address: 213.157.177.157
Name:	google.com
Address: 213.157.177.158
Name:	google.com
Address: 213.157.177.162
	... etc ...

dig:

user@host:~$ dig [@server] <name> [record_type]
user@host:~$ dig [@server] <domain> -t IXFR=<N>

user@host:~$ dig google.com MX
; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61593
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	MX

;; ANSWER SECTION:
google.com.		60	IN	MX	20 alt1.aspmx.l.google.com.
google.com.		60	IN	MX	30 alt2.aspmx.l.google.com.
google.com.		60	IN	MX	40 alt3.aspmx.l.google.com.
google.com.		60	IN	MX	50 alt4.aspmx.l.google.com.
google.com.		60	IN	MX	10 aspmx.l.google.com.
	... etc ...

Dump the ARP table of a SNMP server:

user@host:~$ snmpwalk -v 2c -c <community> <server> ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaPhysAddress > arptable.dump

Show all TCP port 80 packets going to or from the specified IP:

user@host:~$ tcpdump [-i tap0] -n tcp and port 80 and host 10.10.10.10

Enumerate local users:

user@host:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
	... etc ...

user@host:~$ finger
Login     Name       Tty      Idle  Login Time   Office     Office Phone
root      root      *pts/0          March  19 11:13 (10.10.10.10)

user@host:~$ who
root     pts/0        2017-05-09 11:13 (10.10.10.10)

user@host:~$ w
 11:18:56 up 169 days,  11:18,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    10.10.10.10      11:13    0.00s  0.02s  0.00s w

Enumerate remote users:

user@host:~$ finger @<remote>

Scan the target’s specified port range:

user@host:~$ echo "" | nc -v -n -w1 <target> <port-range>

Find SetUID or SetGID binaries:

user@host:~$ find / -type f \( -perm -4000 -o -perm -2000 \) -print

Mounting a Samba drive:

user@host:~$ smbmount //<target>/<share> <mountpoint> -o username=<username>

user@host:~$ smbmount //10.10.10.10/c$ /mnt/target -o username=administrator

Find any open Samba shares:

user@host:~$ nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=password -p445 192.168.1.0/24 

Add a normal user:

user@host:~$ useradd <name>

Add a root user:

user@host:~$ useradd -o -u 0 <name>
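Because `useradd -o -u 0 <name>` creates a second account sharing UID 0, the defender's counterpart is to list every UID-0 login. The following is an added example (not from the original post); it reads a passwd-format file or stdin and runs here against a constructed sample rather than a real /etc/passwd:

```shell
#!/bin/sh
# Added example (not from the original post): enumerate every login whose UID is 0.
# `useradd -o -u 0 <name>` deliberately creates a second UID-0 account, so any
# entry besides root in this list deserves a closer look.

# Print the login name of each UID-0 entry. Reads a passwd-format file given as
# an argument, or stdin when no argument is given.
uid0_accounts() {
    awk -F: '$3 == "0" { print $1 }' "$@"
}

# Count UID-0 entries the same way; a healthy system reports exactly 1 (root).
uid0_count() {
    uid0_accounts "$@" | wc -l | tr -d ' '
}

# Constructed sample in /etc/passwd format (not a real system), including a
# duplicate UID-0 account named "svcadm" of the kind useradd -o -u 0 produces.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
svcadm:x:0:0::/home/svcadm:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
)

printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
# On a live host, run against the real file instead: uid0_accounts /etc/passwd
```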

Manual fingerprinting and banner grabbing:

user@host:~$ nc -v 192.168.1.1 25
user@host:~$ telnet 192.168.1.1 25

And while you're at it, grab the SSH server version too (if running):

user@host:~$ nc -v 192.168.1.1 22
Connection to 192.168.1.1 port 22 [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

Fingerprint the Samba version too:

user@host:~$ smbclient -L //192.168.1.1

Quickly determine if a port is open or closed using just bash:

user@host:~$ (: </dev/tcp/127.0.0.1/443) &>/dev/null && echo "OPEN" || echo "CLOSED"

Start a simple web server, depending on what is installed (python, python3, php or ruby):

user@host:~$ python -m SimpleHTTPServer 80
user@host:~$ python3 -m http.server
user@host:~$ php -S 0.0.0.0:80
user@host:~$ ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"

Spawn a TTY shell from a limited shell in Linux using Python:

user@host:~$ python -c 'import pty;pty.spawn("/bin/bash")'

Spawn a TTY shell from a limited shell in Linux using Perl:

user@host:~$ perl -e 'exec "/bin/sh";'

Download all documents and images from a web page address:

user@host:~$ wget -A pdf,jpg,png,gif,bmp,doc,docx -m -r -np --convert-links --execute="robots = off" <address>

Encrypt a file using gpg:

user@host:~$ gpg --encrypt --sign -r you@email <filename>

Decrypt a file using gpg:

user@host:~$ gpg -d <filename>

Perform a request to a remote address every 5 seconds (download a file, whatever), until you press CTRL + C:

user@host:~$ while true; do wget <address>; sleep 5; done

Dump all MySQL databases:

user@host:~$ mysqldump --all-databases --all-routines -u root -p > ~/fulldump.sql

Use nikto to scan a host using a proxy server and output fingerprinted info to a file:

user@host:~$ perl nikto.pl -host <ip_or_hostname> -useproxy <proxy_address> -output <filename>

Use wpscan to scan a WordPress install and output fingerprinted info to a file:

user@host:~$ ruby wpscan.rb --url <address> --enumerate 2> <filename>

Use sqlmap to grab the database banner, if possible:

user@host:~$ ./sqlmap.py --url="<address>" --data="<post-data>" --banner

Grab the HTTP headers:

user@host:~$ curl -LIN <address>

user@host:~$ curl -LIN google.com
HTTP/1.1 200 OK
Date: Tue, 19 March 2017 13:12:48 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Server: gws
X-XSS-Protection: 1; mode=block
	... etc ...

Generate an MD5 hash of the specified string:

user@host:~$ echo -n "This is the text" | openssl md5
(stdin)= 4da8333008320dd94d593f3211df63ab

Generate a SHA hash of the specified string:

user@host:~$ echo -n "This is the text" | openssl sha
(stdin)= 0dc9696177e9786de95a1caee349a7a6da70a614
