Table Of Contents
- Linux Tools
- SSH
- Setup SSH Keys
- SSH Forwarding/Tunneling
- TCPDump & TCPReplay
- Screen
- IPTables
- IPTables Examples
- Service Manipulation
LINUX TOOLS
SSH
File contains system-wide known hosts
/etc/ssh/ssh_known_hosts
File contains previous hosts user has logged into
~/.ssh/known_hosts
Generate SSH DSA keys
ssh-keygen -t dsa -f <OUTPUT_PATH>
Generate SSH RSA keys
ssh-keygen -t rsa -f <OUTPUT_PATH>
Upload a file using SSH
scp <SOURCE_PATH> <USERNAME>@<IP_ADDRESS>:/<OUTPUT_PATH>
Download a file using SSH
scp <USERNAME>@<IP_ADDRESS>:/<INPUT_PATH> <OUTPUT_PATH>
Connect to target via SSH over a non-standard port
ssh <USERNAME>@<IP_ADDRESS> -p <PORT>
SETUP SSH KEYS
(Run on local machine) -- Create SSH keys. After creation, the command displays where the keys were saved and their file names
ssh-keygen
(Run on remote machine) -- authorized_keys may already exist; if it doesn't, run these commands
mkdir ~/.ssh
touch ~/.ssh/authorized_keys
- Copy the contents of id_rsa.pub to target remote machine's file: ~/.ssh/authorized_keys
(Run on remote machine) -- Set permissions on newly created folders and files
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
(Run on local machine) -- Run SSH to connect to the target. <FILE_PATH> is the path to the private key created above (NOT the .pub file); -i selects the identity file (-l sets the login name, not the key)
ssh -i <FILE_PATH> <USERNAME>@<IP_ADDRESS>
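The key-setup steps above as one script, added here as an example (not part of the original cheat sheet): the function installs a public key into a given home directory idempotently with the 700/600 modes the steps set by hand, and a second function reports the same check sshd's StrictModes performs before it reads authorized_keys. The HOME_DIR parameter, the function names and the restriction to plain (option-less) keys are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: the "create ~/.ssh,
# append the public key, fix permissions" steps as one idempotent function,
# plus the permission check sshd's StrictModes performs. HOME_DIR is a
# parameter so the same code runs on the remote host, locally, or against a
# scratch directory.

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the key only if it is not already present; ~/.ssh ends up 0700 and
# authorized_keys 0600, the modes the cheat sheet sets by hand.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only a one-line OpenSSH public key; anything else is a mistake
    # (e.g. the private key file, which must never leave the local machine).
    key_line=$(head -n 1 "$pubkey")
    case "$key_line" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
        *) echo "not an OpenSSH public key: $pubkey" >&2; return 1 ;;
    esac

    # Create with a private umask in a subshell so the caller's umask is untouched.
    ( umask 077 && mkdir -p "$sshdir" && touch "$authfile" ) || return 1
    chmod 700 "$sshdir"
    chmod 600 "$authfile"

    # Match on key type + base64 blob only, so a re-run with a different
    # comment does not add a duplicate line. Assumption: plain keys only;
    # lines with leading options such as from="..." are not recognised.
    key_blob=$(printf '%s\n' "$key_line" | awk '{ print $1 " " $2 }')
    if awk -v blob="$key_blob" '($1 " " $2) == blob { found = 1 } END { exit !found }' "$authfile"; then
        echo "key already present in $authfile" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$authfile"
}

# check_ssh_perms HOME_DIR
# Reports any path whose mode differs from what the cheat sheet sets.
# (StrictModes itself only insists the files are not group/world-writable,
# but 700/600 is the conventional safe state.)
check_ssh_perms() {
    home="$1"
    rc=0
    for spec in "$home/.ssh:700" "$home/.ssh/authorized_keys:600"; do
        path=${spec%:*}
        want=${spec##*:}
        # GNU stat first, BSD/macOS stat as fallback
        have=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            echo "$path has mode ${have:-missing}, expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh install_key.sh <HOME_DIR> <PUBKEY_FILE>
if [ $# -eq 2 ]; then
    install_authorized_key "$1" "$2" && check_ssh_perms "$1"
fi
```

To apply it on the remote machine, copy the script there (scp, as above) together with the .pub file and run it with the account's home directory; running it twice is safe because the second run finds the key already present.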
SSH FORWARDING/TUNNELING
Enable Port Forwarding
# Edit /etc/ssh/sshd_config and set:
AllowTcpForwarding yes
GatewayPorts yes
Setup a tunnel from an already established SSH session
# At the start of a fresh line in the session, type the escape sequence ~C (tilde, then capital C)
# Should drop into a prompt "ssh>"
# Then type the tunnel command such as:
ssh> -R 0.0.0.0:443:127.0.0.1:443
Connect to the remote IP address, listen on ALL of the remote host's IP addresses on port 8080, traverse the SSH tunnel, and forward the traffic to the local loopback IP on port 443 (binding 0.0.0.0 on the remote side requires GatewayPorts yes in its sshd_config)
ssh -R 0.0.0.0:8080:127.0.0.1:443 root@<REMOTE_IP>
Listen on all local IP interfaces on port 8080, forward that traffic THROUGH the SSH tunnel to <REMOTE_IP>, and finally deliver it to 192.168.1.1 on port 3300 as reached from the remote host
ssh -L 0.0.0.0:8080:192.168.1.1:3300 root@<REMOTE_IP>
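A defender-side companion to the sshd_config settings and the -R forward above, added here as an example (not from the original cheat sheet): the first function reads the effective value of an sshd_config keyword the way sshd resolves it (first occurrence wins, keywords are case-insensitive, comments are ignored, and nothing after the first Match block counts for the global scope); the second flags the two forwarding settings the page turns on, since GatewayPorts yes is what lets a remote forward bind every address on the host rather than loopback only. The function names and the assumption of "Keyword value" syntax (not "Keyword=value") are this example's own.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: resolve sshd_config
# keywords the way sshd does and report the forwarding settings that widen
# exposure. Assumption: "Keyword value" syntax only, not "Keyword=value".

# sshd_option FILE KEYWORD DEFAULT -> prints the effective value or DEFAULT
sshd_option() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { inmatch = 1 }        # conditional block: not global scope
        !inmatch && tolower($1) == kw { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_forwarding FILE -> one line per finding; returns 1 if there is any finding
audit_forwarding() {
    cfg="$1"
    rc=0
    # Defaults are OpenSSH's: AllowTcpForwarding yes, GatewayPorts no
    tcp=$(sshd_option "$cfg" AllowTcpForwarding yes | tr 'A-Z' 'a-z')
    gw=$(sshd_option "$cfg" GatewayPorts no | tr 'A-Z' 'a-z')
    case "$gw" in
        yes|clientspecified)
            echo "GatewayPorts $gw: remote forwards (ssh -R) may listen on non-loopback addresses"
            rc=1 ;;
    esac
    case "$tcp" in
        yes|all|remote)
            echo "AllowTcpForwarding $tcp: authenticated users can open remote (-R) forwards through this host"
            rc=1 ;;
    esac
    return $rc
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_forwarding "$1"
fi
```

Because sshd keeps the first value it sees, a hardening line appended to the end of sshd_config does nothing if an earlier line already sets the keyword; the function reproduces that behaviour so the audit reports what sshd will actually use.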
NMAP through SSH tunnel using Proxychains
# (Run on local computer, against the remote host)
# Start a SOCKS proxy on local port 1080 whose traffic exits from the remote host:
ssh -D 1080 <USERNAME>@<REMOTE_IP>
# (Run on local computer)
# Add the following line to the file /etc/proxychains.conf (for the -D listener above that is 127.0.0.1 and 1080):
socks4 <IP_ADDRESS> <PORT>
# (Run on local computer)
# Execute Nmap against 192.168.1.1/24 tunneling traffic through socks proxy:
proxychains nmap -sT -Pn -n -p80,443 192.168.1.1/24
TCPDUMP & TCPREPLAY
- More info at: https://danielmiessler.com/study/tcpdump/
Capture packets (headers and data) on eth0 in ASCII and hex and write to file
tcpdump -i eth0 -XX -w <OUTPUT_PATH>.pcap
Capture all port 80 (HTTP) traffic with destination set to 2.2.2.2
tcpdump tcp port 80 and dst 2.2.2.2
Show traffic from interface eth0 destined for 192.168.1.22 that isn’t port 22 (SSH) traffic. Print traffic with date/time stamps.
tcpdump -i eth0 -tttt dst 192.168.1.22 and not dst port 22
Show traffic from interface eth0 that is an ICMP (Ping) reply
tcpdump -i eth0 "icmp[icmptype] == icmp-echoreply"
Show the first 50 packets from interface eth0 that are UDP and port 53 (DNS). Print with date/time stamps.
tcpdump -i eth0 -c 50 -tttt udp port 53
Show traffic from all interfaces that have port 443.
# Don't resolve host names or port names (-nn), use absolute TCP sequence numbers (-S), and print packet data (-X)
tcpdump -nnSX port 443
Show traffic from all interfaces
tcpdump -i any
Show traffic from all interfaces that has host 1.1.1.1 set as a source or destination
tcpdump host 1.1.1.1
Show traffic from all interfaces that has host 1.1.1.1 set as a source
tcpdump src 1.1.1.1
Show traffic from all interfaces that has host 1.0.0.1 set as a destination
tcpdump dst 1.0.0.1
Show traffic from all interfaces that falls into the class C 1.2.3.0/24
tcpdump net 1.2.3.0/24
Show traffic from all interfaces that has a source port of 1025
tcpdump src port 1025
Show traffic from all interfaces that has port 80 set as a source or destination. Save traffic to a file
tcpdump port 80 -w <OUTPUT_PATH>
Filter on the listed cleartext-protocol ports and print any payload matching the egrep credential patterns (with 5 lines of context before each match)
tcpdump port http or port ftp or port smtp or port imap or port pop3 or port telnet -lA | egrep -i -B5 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user '
Replay a pcap with defaults
tcpreplay -i eth0 <INPUT_PATH>.pcap
Replay pcap as fast as possible
tcpreplay --topspeed -i eth0 <INPUT_PATH>.pcap
Replay pcap one packet at a time (waits for a keypress between packets)
tcpreplay --oneatatime --verbose -i eth0 <INPUT_PATH>.pcap
Replay pcap file 10 times
tcpreplay --loop=10 -i eth0 <INPUT_PATH>.pcap
Replay pcap file forever until killed
tcpreplay --loop=0 -i eth0 <INPUT_PATH>.pcap
SCREEN
- Note: In the table below, any reference to “Ctrl+a” == Control-a keyboard combination
Start new screen with name
screen -S <NAME>
List running screens
screen -ls
Attach to screen name
screen -r <NAME>
Send a command to a specific screen name
screen -S <NAME> -X <COMMAND>
- Note: Keybindings are CTRL+a, let go, and press the hotkey symbol/char.
KEYBINDING | ACTION |
---|---|
Ctrl+a ? | List keybindings (help) |
Ctrl+a d | Detach |
Ctrl+a D D | Detach and logout |
Ctrl+a c | Create new window |
Ctrl+a C-a | Switch to last active window |
Ctrl+a <NAMEorNUMBER> | Switch to window ID or name |
Ctrl+a " | See windows list and change |
Ctrl+a k | Kill current window |
Ctrl+a S | Split display horizontally |
Ctrl+a \| | Split display vertically |
Ctrl+a tab | Jump to next display |
Ctrl+a X | Remove current region |
Ctrl+a Q | Remove all regions but current |
Ctrl+a A | Rename the current focused window |
Ctrl+a n | Switch to next window |
Ctrl+a p | Switch to previous window |
IPTABLES
- Note: Iptables is a robust firewall and packet filter program typically installed by default on Linux systems. Iptables can be configured to perform several actions on network packets as they arrive and leave a Linux system.
- Note: Use ip6tables for IPv6 rules.
Dump iptables rules (with packet/byte counters) to a file
iptables-save -c > <OUTPUT_PATH>
Restore iptables rules
iptables-restore < <INPUT_PATH>
List all iptables rules (filter table only, not NAT) with packet/byte counters and line numbers
iptables -L -v --line-numbers
List all NAT iptables rules with line numbers
iptables -L -t nat --line-numbers
Flush all iptables rules
iptables -F
Change the default policy applied to packets that match no rule in the chain
iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/REJECT/DROP>
Allow established connections on INPUT
iptables -A INPUT -i <INTERFACE_NAME> -m state --state RELATED,ESTABLISHED -j ACCEPT
Delete the 7th INPUT rule (list with --line-numbers to see rule numbers)
iptables -D INPUT 7
Increase throughput by turning off connection tracking (statefulness); rules that rely on --state/--ctstate will no longer match
iptables -t raw -A PREROUTING -j CT --notrack
iptables -t raw -A OUTPUT -j CT --notrack
Drop all INCOMING packets
iptables -P INPUT DROP
IPTABLES EXAMPLES
Allow SSH on port 22 outbound
iptables -A OUTPUT -o <INTERFACE_NAME> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i <INTERFACE_NAME> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow ICMP outbound
iptables -A OUTPUT -o <INTERFACE_NAME> -p icmp --icmp-type echo-request -j ACCEPT
Port forward -- (Listen for traffic destined to port 3389 and redirect that traffic to host 192.168.1.2 on port 3389)
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i <INTERFACE_NAME> -p tcp --dport 3389 -j DNAT --to 192.168.1.2:3389
Allow only 1.1.1.0/24 to reach ports 80,443; drop everything else inbound and log the drops (rate-limited) to /var/log/messages
iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED"
iptables -A LOGGING -j DROP
SERVICE MANIPULATION
List existing services and their run status (list-unit-files shows only enabled/disabled state)
systemctl list-units --type=service --all
Check single service status
systemctl list-unit-files --type=service | grep httpd
List all services
# [+] Service is running
# [-] Service is not running
service --status-all
Start a service
service <SERVICE_NAME> start
Stop a service
service <SERVICE_NAME> stop
Check status of a service
service <SERVICE_NAME> status
Disable service so it will not auto start
systemctl disable <SERVICE_NAME>
Enable service so it will auto start on reboot
systemctl enable <SERVICE_NAME>