Saturday, July 05, 2008

100 UNIX commands to issue on other people's systems

In response to Halvar Flake's request...

I'm not sure about 100, but there are a few that I use on any new system, mostly just basics that are useful on any multi-user environment: ifconfig -a, netstat -pan --inet, uname -a, w, id, mount, ps auxww.

These tell you a lot about the system and where you might go from there for further exploitation. ifconfig, like ipconfig on Windows, can tell you if the system has a NIC on another network and netstat can tell you if it's talking to one. It's important to note that options to netstat vary from one OS to another -- the above options will list all AF_INET sockets along with associated process IDs on Linux without doing DNS lookups. On Solaris and AIX it is not possible to see PIDs and the command to list all AF_INET sockets without doing DNS lookups is netstat -an -finet. uname tells you the OS name and kernel version. w (or its cousin who) will let you know if someone might be watching. id is whoami on steroids; it gives uid, gid, and a list of groups you belong to. mount tells you how the system's storage is layed out and whether there are any removable drives attached at the moment. ps lists processes and the argument tells it to list all of them, including arguments, with the owner's username. If you're lucky, sometimes you see things like this:

root 21810 0.0 0.4 6984 2452 pts/10 S+ 21:13 0:00 mysql -uroot -ppassword

Then we come to interesting files. Obviously /etc/passwd and /etc/shadow are of interest. But so are slightly more obscure things like /home/*/.ssh/id_rsa (private keys) and /tmp/ssh-*/* (ssh-agent auth sockets). I mentioned some abuses of these files about a year and a half ago. I suggest a viewing of HD Moore and Valsmith's Blackhat 2007 talk, Tactical Exploitation for some more fun things to do with ssh and kerberos.

Finding interesting files can sometimes be a problem, so we have find to help us out. For instance, if you want to list all of the binaries you have permission to read with the setuid bit set: find / -perm +0400 2>/dev/null. All files with password or passwd in their name: find / -iname '*passwd*' -or -iname '*password*'.

If you worry about leaving commands in a history file, you'll probably want to unset HISTFILE. On the other hand, sometimes the history helps an attacker, too. In bash the command history lists all of the commands in the history file. So history | grep -A1 '^ssh' and history | grep -A1 '^su' can often yield passwords when the user whose account you've compromised doesn't pay attention to make sure the password prompt actually came up before typing.

A few more commands that are really cool but are less likely to be installed include: lsof and screen.