February 23, 2016

GHR 105 – Linux

Objectives:

  • Topic 105.01 – Gathering Linux System Information
  • Topic 105.02 – Gathering Linux Network Information
  • Topic 105.03 – Configuring the NIC in Linux
  • Topic 105.04 – Linux Wireless
  • Topic 105.05 – Linux Routing
  • Topic 105.06 – Linux DHCP
  • Topic 105.07 – Linux DNS
  • Topic 105.08 – Blocking IP addresses and ports
  • Topic 105.09 – Manipulating Files in Linux
  • Topic 105.10 – Linux Usernames and Passwords
  • Topic 105.11 – Covering Tracks in Linux

Topic 105.01 – Gathering Linux System Information

  • RULE : Use cat /etc/issue to see the OS information.
  • RULE : Use cat /proc/version to see the kernel info.
  • RULE : Use df -H to check on the disk space that has been used, in human readable format (500 MB, 8.1 GB, 2.0 TB, etc).
  • RULE : Use getent passwd to get a list of users on the Linux host.
  • RULE : Type id to get the current username.
  • RULE : To see what Linux packages are installed on the Linux host, you will need to know which distribution of Linux it is, because distributions differ in the way they manage packages.
    • If RedHat, use rpm --query-all.
    • If Solaris, use pkginfo.
    • If Ubuntu, use dpkg --get-selections.
  • RULE : Use kill 1197 to stop the process with the PID of 1197.
  • RULE : Use last -a to see the last users logged in.
  • RULE : Use mount to see the mounted filesystems.
  • RULE : Use netstat -A 10.0.0.177 to get the hostname for the host at 10.0.0.177.
  • RULE : Use PATH=$PATH:/somebasedir/otherdir to add a directory to the path variable.
  • RULE : Use ps -ef to see the processes that are running on the Linux host.
  • RULE : Use uname -a for the kernel version and info on the CPU.
  • RULE : Type w to see who else is logged into this Linux host.
  • RULE : Use who -a for user information.

Topic 105.02 – Gathering Linux Network Information

  • RULE : To show network connections:
    • watch ss -t (show sockets, t=tcp)
    • netstat -pat (show p=programs, a=all, t=tcp)
  • RULE : To show your IP address, use ifconfig.
  • RULE : To see a cool traffic graph, use iftop.

Topic 105.03 – Configuring the NIC in Linux

  • RULE : To change the IP address, use ifconfig eth0 10.0.0.1/24
  • RULE : To change the sub-interface address, use ifconfig eth0:1 10.0.0.2/24
  • RULE : To set the Maximum Transmission Unit (MTU) size, use ifconfig eth0 mtu 1500
  • RULE : To change the MAC address, use ifconfig eth0 hw ether 01:23:45:67:89:ab
  • RULE : To keep the MAC address in a shell variable for later commands, use export MAC=01:23:45:67:89:ab
  • RULE : To change the MAC address in Kali Linux, use macchanger -m 01:23:45:67:89:ab eth0

Topic 105.04 – Linux Wireless

  • RULE : To see what wifi networks you can connect to, use iwlist wlan0 scan
  • RULE : Use iwconfig to see connection details:
    • ESSID of the access point, e.g. ESSID:"DarkBlueTeamGuest".
    • The access point’s MAC address.
    • The bit rate.
    • The signal quality.
    • The signal level.
  • RULE : To see the authentication capabilities of the wifi adapter, use iwlist wlan0 authentication
  • RULE : Connect to an unsecured wifi network:
    • iwconfig ath0 essid blueForceGuest
    • ifconfig ath0 up
    • dhclient ath0
  • RULE : Connect to an easily hackable network weakly secured by WEP:
    • iwconfig ath0 essid blueforceTeam key 42446c51495a275971294e6d48
    • ifconfig ath0 up
    • dhclient ath0
  • RULE : Connect to a network secured with WPA and a Pre-Shared Key (PSK).
    • iwconfig ath0 essid blueForceHQ
    • ifconfig ath0 up
    • wpa_supplicant -B -i ath0 -c wpa-psk.conf
    • dhclient ath0
  • RULE : Connect to a network secured with WPA Enterprise.
    • iwconfig ath0 essid blueForceSOC
    • ifconfig ath0 up
    • wpa_supplicant -B -i ath0 -c wpa-ent.conf
    • dhclient ath0

Topic 105.05 – Linux Routing

  • RULE : What does x do? echo "1" > /proc/sys/net/ipv4/ip_forward (enables IP forwarding)
  • RULE : What does x do? route add default gw 10.0.0.254 (adds a default gateway)
  • RULE : What does x do? netstat -r (shows the routing table)

Topic 105.06 – Linux DHCP

  • RULE : To do a DHCP release, then renew, on eth0:
    • sudo dhclient -r eth0
    • sudo dhclient eth0
  • RULE : To see DHCP messages in the log, use grep DHCP /var/log/messages

Topic 105.07 – Linux DNS

  • RULE : What does x do? dig -x 23.23.198.17
  • RULE : Zone transfer: dig @23.23.198.17 -t AXFR
  • RULE : What does this do? host 23.23.198.41
  • RULE : What does l do? host -l darkblueteam.com <nameserver>
  • RULE : What does this do? ip xfrm state list
  • RULE : What does this do? ip addr add 10.0.0.3/24 dev eth0
  • RULE : What does this do? echo "nameserver 8.8.8.8" > /etc/resolv.conf

Topic 105.08 – Blocking IP addresses and ports

  • RULE : To stop a host's connection, use tcpkill host 10.20.30.40 and port 43513

Topic 105.09 – Manipulating Files in Linux

  • RULE : Most Linux hosts have these common directories:
    • /bin, is where the Linux commands are.
    • /dev, is where the files are that represent devices.
    • /etc, is where the passwd and shadow files are.
    • /home, is where the user home directories are.
    • /mnt, is the location for mounting devices.
    • /sbin, is where administrative commands are.
    • /usr, contains more user and administrative files.
  • RULE : To show a list of open files, use lsof.
  • RULE : To access Microsoft Windows shares:
    • smb://10.0.0.1/<share>
    • share user 10.0.0.1 c$
    • smbclient -U user \\\\10.0.0.1\\<share>

Topic 105.10 – Linux Usernames and Passwords

  • RULE : Linux hosts typically use two files, /etc/passwd and /etc/shadow, to maintain the usernames and passwords.
  • RULE : The /etc/passwd file contains one colon-delimited line per user that looks similar to this: johndoe:x:1000:1000:John Doe:/home/johndoe:/bin/bash
    • johndoe, is the username.
    • x, indicates that the password is stored in the /etc/shadow file.
    • The first 1000, indicates the unique user identifier.
    • The second 1000, indicates the primary unique group identifier for the user.
    • John Doe, typically indicates the friendly name of the user. It can also contain a comma-delimited list of contact information.
    • /home/johndoe, is the path to the user's home directory.
    • /bin/bash, is the shell that is launched for the user after logon.
  • RULE : The most important line in /etc/passwd is the one that looks like root:x:0:0:root:/root:/bin/bash. It contains the all-powerful root user.
  • RULE : The /etc/shadow file contains the passwords for the users in the /etc/passwd file. Its lines look similar to these:
    • root:!:16160:0:99999:7:::
      • root, is the username.
      • !, means that the account is password locked.
      • 16160, is the days since epoch of the last password change.
      • 0, is the number of days until a password change is allowed.
      • 99999, is the number of days until a password change is required.
      • 7, is the number of days the user is warned about changing their password due to expiration.
      • <empty>, is the days before the account goes inactive. This one is empty or null since there is nothing between the first two of the three trailing colons.
      • <empty>, is the days since epoch when the account expires. This one is also empty.
    • johndoe:$6$QZWI5x5$Th6TtoYdEuUo6nUUe:16160:0:99999:7:::
      • johndoe, is the username.
      • $6$QZWI5x5$Th6TtoYdEuUo6nUUe, is decoded as $id$salt$hashed, the printable form of a password hash as produced by crypt (C), where $id is the algorithm used. On GNU/Linux:
        • $1$, is for MD5. Not used in this example.
        • $2a$, is for Blowfish. Not used in this example.
        • $2y$, is for Blowfish (correctly dealing with 8-bit chars). Not used in this example.
        • $5$, is for SHA-256. Not used in this example.
        • $6$, is for SHA-512. This is the one johndoe is using.
        • QZWI5x5, is the salt, and Th6TtoYdEuUo6nUUe is the hashed password.
      • 16160, is the days since epoch of the last password change.
      • 0, is the number of days until a password change is allowed.
      • 99999, is the number of days until a password change is required.
      • 7, is the number of days the user is warned about changing their password due to expiration.
      • <empty>, is the days before the account goes inactive. This one is empty or null since there is nothing between the first two of the three trailing colons.
      • <empty>, is the days since epoch when the account expires. This one is also empty.
  • RULE : rpcclient is a command line tool for enumerating usernames and open shares.
  • RULE : showmount is a command line tool for enumerating clients who have remotely mounted a file system on the target host server.
  • RULE : finger is a command line tool for enumerating the username and host. It displays the user's home directory, login time, idle times, office location, and when the user received and read Linux host mail (not emails).
  • RULE : rpcinfo is a command line tool for enumerating RPC servers.
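The /etc/passwd and /etc/shadow field layouts described in the rules above are easy to check by hand for two users but tedious for a whole host. The following Python script is an added example, not part of the original notes: it parses both files field by field, splits the $id$salt$hashed form into its parts, and flags the things a defender looks for first (extra UID 0 accounts, locked or empty passwords, weak or unknown hash ids, passwords that never expire because the maximum age is 99999). The sample lines are constructed from the two example users in the notes, and the HASH_IDS table is the list of prefixes given there; the finding names are this example's own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input, copied from the two example users in the notes (not read from a real host).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
johndoe:x:1000:1000:John Doe:/home/johndoe:/bin/bash
"""
SHADOW_SAMPLE = """root:!:16160:0:99999:7:::
johndoe:$6$QZWI5x5$Th6TtoYdEuUo6nUUe:16160:0:99999:7:::
"""

# crypt(3) prefixes listed in the notes, mapped to the algorithm they identify.
HASH_IDS = {"1": "MD5", "2a": "Blowfish", "2y": "Blowfish", "5": "SHA-256", "6": "SHA-512"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


@dataclass
class ShadowEntry:
    name: str
    hash_field: str
    last_change: Optional[int]   # days since epoch of last password change
    min_days: Optional[int]      # days before a change is allowed
    max_days: Optional[int]      # days before a change is required
    warn_days: Optional[int]     # warning period before expiry
    inactive_days: Optional[int] # days after expiry before the account goes inactive (empty in the notes)
    expire_day: Optional[int]    # days since epoch when the account expires (empty in the notes)


def _int_or_none(field: str) -> Optional[int]:
    """Empty shadow fields mean 'not set'; everything else is a day count."""
    return int(field) if field != "" else None


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split each /etc/passwd line into its seven colon-delimited fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Split each /etc/shadow line into its nine fields (the ninth is reserved and always empty here)."""
    entries = []
    for line in text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        name, pw, last, mn, mx, warn, inact, exp, _reserved = fields
        entries.append(ShadowEntry(name, pw, *(_int_or_none(f) for f in (last, mn, mx, warn, inact, exp))))
    return entries


def hash_algorithm(hash_field: str) -> str:
    """Name the algorithm from the $id$ prefix; '!' or '*' means locked, '' means no password at all."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", hash_field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown")
    return "legacy-DES"  # no $id$ prefix: the old 13-character DES crypt form


def split_hash(hash_field: str) -> Optional[Tuple[str, str, str]]:
    """Return (id, salt, hashed) for the plain $id$salt$hashed form shown in the notes, else None."""
    parts = hash_field.split("$")
    if len(parts) != 4 or parts[0] != "":
        return None
    return parts[1], parts[2], parts[3]


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Cross-check passwd against shadow and return (username, finding) pairs worth a second look."""
    shadow = {e.name: e for e in parse_shadow(shadow_text)}
    findings = []
    for p in parse_passwd(passwd_text):
        if p.uid == 0:
            findings.append((p.name, "uid-0"))  # any UID 0 account has root's power, whatever its name
        s = shadow.get(p.name)
        if s is None:
            findings.append((p.name, "no-shadow-entry"))
            continue
        algo = hash_algorithm(s.hash_field)
        if algo == "locked":
            findings.append((p.name, "password-locked"))
        elif algo == "empty":
            findings.append((p.name, "empty-password"))
        elif algo in ("MD5", "legacy-DES", "unknown"):
            findings.append((p.name, f"weak-or-unknown-hash:{algo}"))
        if s.max_days is None or s.max_days >= 99999:
            findings.append((p.name, "password-never-expires"))
    return findings


if __name__ == "__main__":
    for user, note in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user}: {note}")
```

On a real host the script would be pointed at the contents of /etc/passwd and /etc/shadow (reading the latter needs root), and the 99999 check is the one that usually produces the most findings, since that is the default maximum age on many distributions.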