
Table Of Contents

  • Linux Tools
    • SSH
    • Setup SSH Keys
    • SSH Forwarding/Tunneling
    • TCPDump & TCPReplay
    • Screen
    • IPTables
    • IPTables Examples
    • Service Manipulation

LINUX TOOLS

SSH

System-wide known hosts file

/etc/ssh/ssh_known_hosts

Per-user file of hosts this user has previously connected to

~/.ssh/known_hosts

Generate SSH DSA keys

ssh-keygen -t dsa -f <OUTPUT_PATH>

Generate SSH RSA keys

ssh-keygen -t rsa -f <OUTPUT_PATH>

Upload a file using SSH

scp <SOURCE_PATH> <USERNAME>@<IP_ADDRESS>:/<OUTPUT_PATH>

Download a file using SSH

scp <USERNAME>@<IP_ADDRESS>:/<INPUT_PATH> <OUTPUT_PATH>

Connect to target via SSH over a non-standard port

ssh <USERNAME>@<IP_ADDRESS> -p <PORT>

SETUP SSH KEYS

(Run on local machine) -- Create SSH keys. After creation, the command displays the directory and filename where the keys were saved

ssh-keygen

(Run on remote machine) -- authorized_keys may already exist; if it doesn't, create it with

mkdir ~/.ssh
touch ~/.ssh/authorized_keys
  • Copy the contents of id_rsa.pub (the public key) from the local machine into the target remote machine's file ~/.ssh/authorized_keys, one key per line

(Run on remote machine) -- Set permissions on newly created folders and files

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

(Run on local machine) -- Run SSH to connect to target. <FILE_PATH> is the path to the private key created above (NOT the .pub file); -i selects the identity file

ssh -i <FILE_PATH> <USERNAME>@<IP_ADDRESS>
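The remote-side steps above, collected into one idempotent shell function as an added example (not code from the original page); the function name, its arguments and the checks are this example's own:

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys the way the
# steps above do by hand, but idempotently and with the modes sshd expects.
# Hypothetical interface: install_authorized_key <pubkey_file> <home_dir>
install_authorized_key() {
    pubkey_file="$1"
    home_dir="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Only accept a public-key line; a private key pasted here by mistake is refused.
    if ! grep -Eq '^(ssh-|ecdsa-|sk-)[^ ]+ [A-Za-z0-9+/=]+' "$pubkey_file"; then
        echo "refusing $pubkey_file: not an OpenSSH public key" >&2
        return 1
    fi

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    # Compare on the base64 key blob (field 2) so re-running never appends a duplicate.
    key_blob=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    if ! grep -qF -- "$key_blob" "$auth_file"; then
        awk 'NR == 1' "$pubkey_file" >> "$auth_file"   # always ends with a newline
    fi

    # With StrictModes (the default) sshd rejects the file if it or the directory is
    # group/world writable; 700/600 is the conventional safe setting, so verify it.
    [ -n "$(find "$ssh_dir" -maxdepth 0 -perm 700)" ] || return 2
    [ -n "$(find "$auth_file" -maxdepth 0 -perm 600)" ] || return 3

    # Print the number of authorized keys now in the file.
    grep -c '^[a-z]' "$auth_file"
}
```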

SSH FORWARDING/TUNNELING

Enable Port Forwarding

# Edit /etc/ssh/sshd_config and set (then reload sshd for the change to take effect):
AllowTcpForwarding yes
# GatewayPorts makes -R listeners bind to all interfaces instead of only loopback
GatewayPorts yes

Setup a tunnel from an already established SSH session

# Type the client escape sequence ~C at the start of a new line
# (press Enter first so the tilde is the first character; Shift+` gives ~ on a US keyboard, then C)

# Should drop into a prompt "ssh>"
# Then type the tunnel command such as:
ssh> -R 0.0.0.0:443:127.0.0.1:443

Connect to the remote host and listen there on ALL its IP addresses on port 8080 (remote forward; needs GatewayPorts on the remote sshd); traffic arriving there traverses the SSH tunnel and is forwarded to the local loopback IP on port 443

ssh -R 0.0.0.0:8080:127.0.0.1:443 root@<REMOTE_IP>

Listen on all IP interfaces on port 8080 and forward that traffic THROUGH the SSH tunnel connected to <REMOTE_IP>, and finally forward the traffic to 192.168.1.1 on port 3300

ssh -L 0.0.0.0:8080:192.168.1.1:3300 root@<REMOTE_IP>

NMAP through SSH tunnel using Proxychains

# (Run on local computer; connects to the remote host)
# Open a SOCKS proxy on local port 1080 whose traffic is tunneled through the remote host:
ssh -D 1080 <USERNAME>@<REMOTE_IP>

# (Run on local computer)
# Add the following line to the file /etc/proxychains.conf, pointing at the local SOCKS port opened above
# (the directive is one word, socks4, not "socks 4"):
socks4 127.0.0.1 1080
 
# (Run on local computer)
# Execute Nmap against 192.168.1.1/24 tunneling traffic through socks proxy:
proxychains nmap -sT -Pn -n -p80,443 192.168.1.1/24

TCPDUMP & TCPREPLAY

Capture full packets (headers and data) on eth0 and write them to a pcap file

# -w writes raw packets, so hex/ASCII options have no effect here;
# print the capture later in hex and ASCII with: tcpdump -XX -r <OUTPUT_PATH>.pcap
tcpdump -i eth0 -w <OUTPUT_PATH>.pcap

Capture all port 80 (HTTP) traffic with destination set to 2.2.2.2

tcpdump tcp port 80 and dst 2.2.2.2

Show traffic from interface eth0 destined for 192.168.1.22 that isn’t port 22 (SSH) traffic. Print traffic with date/time stamps.

tcpdump -i eth0 -tttt dst 192.168.1.22 and not dst port 22

Show traffic from interface eth0 that is an ICMP (Ping) reply

# icmp[0] is the ICMP type: 0 = echo reply, 8 = echo request
tcpdump -i eth0 "icmp[0] == 0"

Show the first 50 packets from interface eth0 that are UDP and port 53 (DNS). Print with date/time stamps.

tcpdump -i eth0 -c 50 -tttt udp port 53

Show traffic from all interfaces that have port 443.

# Don't convert host IPs or port numbers to names (-n), use absolute TCP sequence numbers (-S), and print packet data (-X)
tcpdump -nSX port 443

Show traffic from all interfaces

tcpdump -i any

Show traffic from all interfaces that has host 1.1.1.1 set as a source or destination

tcpdump host 1.1.1.1

Show traffic from all interfaces that has host 1.1.1.1 set as a source

tcpdump src 1.1.1.1

Show traffic from all interfaces that has host 1.0.0.1 set as a destination

tcpdump dst 1.0.0.1

Show traffic from all interfaces that falls into the class C 1.2.3.0/24

tcpdump net 1.2.3.0/24

Show traffic from all interfaces that has a source port of 1025

tcpdump src port 1025

Show traffic from all interfaces that has port 80 set as a source or destination. Save traffic to a file

tcpdump port 80 -w <OUTPUT_PATH>

Filter on the listed ports looking for any data matching the egrep terms listed

tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd= |password=|pass:|user:|username:|password:|login:|pass |user '

Replay a pcap with defaults

tcpreplay -i eth0 <INPUT_PATH>.pcap

Replay pcap as fast as possible

tcpreplay --topspeed -i eth0 <INPUT_PATH>.pcap

Replay pcap one at a time

tcpreplay --oneatatime --verbose -i eth0 <INPUT_PATH>.pcap

Replay pcap file 10 times

tcpreplay --loop=10 -i eth0 <INPUT_PATH>.pcap

Replay pcap file forever until killed

tcpreplay --loop=0 -i eth0 <INPUT_PATH>.pcap

SCREEN

  • Note: In the table below, any reference to “Ctrl+a” == Control-a keyboard combination

Start new screen with name

screen -S <NAME>

List running screens

screen -ls

Attach to screen name

screen -r <NAME>

Send a command to a specific screen name

screen -S <NAME> -X <COMMAND>
  • Note: Keybindings are CTRL+a, let go, and press the hotkey symbol/char.
KEYBINDING               ACTION
Ctrl+a ?                 List keybindings (help)
Ctrl+a d                 Detach
Ctrl+a D D               Detach and logout
Ctrl+a c                 Create new window
Ctrl+a C-a               Switch to last active window
Ctrl+a <NAME or NUMBER>  Switch to window ID or name
Ctrl+a "                 See windows list and change
Ctrl+a k                 Kill current window
Ctrl+a S                 Split display horizontally
Ctrl+a |                 Split display vertically
Ctrl+a tab               Jump to next display
Ctrl+a X                 Remove current region
Ctrl+a Q                 Remove all regions but current
Ctrl+a A                 Rename the current focused window
Ctrl+a n                 Switch to next window
Ctrl+a p                 Switch to previous window

IPTABLES

  • Note: Iptables is a robust firewall and packet filter program typically installed by default on Linux systems. Iptables can be configured to perform several actions on network packets as they arrive and leave a Linux system.
  • Note: Use ip6tables for IPv6 rules.

Dump iptables rules (with packet counters) to a file

iptables-save -c > <OUTPUT_PATH>

Restore iptables rules

iptables-restore < <INPUT_PATH>

List all iptables rules (not including NAT rules) with packet/byte counters and line numbers

iptables -L -v --line-numbers

List all NAT iptables rules with line numbers

iptables -L -t nat --line-numbers

Flush all iptables rules

iptables -F

Change the default policy applied to packets that match no rule in a built-in chain

# REJECT is not a valid chain policy; to reject unmatched packets, append a final "-j REJECT" rule instead
iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/DROP>

Allow established connections on INPUT

iptables -A INPUT -i <INTERFACE_NAME> -m state --state RELATED,ESTABLISHED -j ACCEPT

Delete 7th inbound rule (print line numbers to see rule #’s)

iptables -D INPUT 7

Increase throughput by turning off connection tracking (statefulness) in the raw table

# NOTRACK skips conntrack for matching packets; rules using -m state/conntrack will no longer match them
iptables -t raw -A PREROUTING -j NOTRACK
iptables -t raw -A OUTPUT -j NOTRACK

Drop all INCOMING packets

iptables -P INPUT DROP

IPTABLES EXAMPLES

Allow SSH on port 22 outbound

iptables -A OUTPUT -o <INTERFACE_NAME> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <INTERFACE_NAME> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow ICMP outbound

iptables -A OUTPUT -o <INTERFACE_NAME> -p icmp --icmp-type echo-request -j ACCEPT

Port forward -- (Listen for traffic destined to port 3389 and redirect that traffic to host 192.168.1.2 on port 3389)

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i <INTERFACE_NAME> -p tcp --dport 3389 -j DNAT --to 192.168.1.2:3389

Allow only 1.1.1.0/24, ports 80,443 and log drops to /var/log/messages

iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED"
iptables -A LOGGING -j DROP
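As an added example (not from the original page), a small triage of the kernel LOG lines the LOGGING chain above writes to /var/log/messages: the sample lines, addresses and function names are constructed for this example. Note that --log-prefix is printed directly before "IN=", so a prefix without a trailing space produces "DROPPEDIN=eth0"; the last sample line shows that case and still parses.

```shell
#!/bin/sh
# Added example: triage iptables LOG lines. SAMPLE_LOG is constructed, abbreviated
# syslog output; real lines carry more fields (MAC=, LEN=, TTL=, ...) in the same k=v form.
SAMPLE_LOG='Jan  1 12:00:01 gw kernel: DROPPED IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN
Jan  1 12:00:02 gw kernel: DROPPED IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=23 SYN
Jan  1 12:00:03 gw kernel: DROPPED IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=3389 SYN
Jan  1 12:00:04 gw kernel: DROPPED IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
Jan  1 12:00:05 gw kernel: DROPPED IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  1 12:00:06 gw sshd[123]: Accepted publickey for admin from 192.0.2.50 port 5000
Jan  1 12:00:07 gw kernel: DROPPEDIN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0'

# Pull SRC= and DPT= out of every line carrying the LOG prefix; "-" when there is no port (ICMP).
extract_drops() {
    grep -F 'DROPPED' | awk '{
        src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") print src, dpt
    }'
}

# Count drops per source/port pair, most frequent first: "count src dpt".
summarize_drops() {
    extract_drops | sort | uniq -c | awk '{ print $1, $2, $3 }' | sort -k1,1nr -k2,2 -k3,3
}

# List sources dropped on at least $1 distinct ports (scan-like behaviour worth a look).
scan_sources() {
    extract_drops | awk -v min="$1" '$2 != "-" && !seen[$1, $2]++ { ports[$1]++ }
        END { for (s in ports) if (ports[s] >= min) print s }' | sort
}

# Stand-alone run over the constructed sample; on a live box pipe the real file in instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | scan_sources 3
```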

SERVICE MANIPULATION

List existing services and run status

systemctl list-unit-files --type=service

Check single service status

systemctl list-unit-files --type=service | grep httpd

List all services

# [+] Service is running
# [-] Service is not running
service --status-all

Start a service

service <SERVICE_NAME> start

Stop a service

service <SERVICE_NAME> stop

Check status of a service

service <SERVICE_NAME> status

Disable service so it will not auto start

systemctl disable <SERVICE_NAME>

Enable service so it will auto start on reboot

systemctl enable <SERVICE_NAME>