
    Basic commands used in BackTrack

      Admin

      Gender: Male

      From: TPHCM

      Joined: 03/04/2011

      Total posts: 2292

      #1

       Sun Oct 02, 2011 10:57 pm


      Networking


      dhcpcd


      Renew dynamic IP address:

      dhcpcd -k

      ifconfig eth0 up

      dhcpcd


      Static IP address:

      ifconfig eth0 192.168.0.100/24

      route add default gw 192.168.0.1

      echo nameserver 192.168.0.1 > /etc/resolv.conf


      Services


      Apache server:

      apachectl start

      apachectl stop


      SSH server:

      sshd-generate

      /usr/sbin/sshd

      pkill sshd

      ssh user@targetIP


      TFTP server:

      atftpd --daemon --port 69 /tmp/

      pkill tftpd


      VNC server:

      vncserver

      pkill Xvnc


      Basics


      Mount a local hard drive:

      mount /dev/hda1 /mnt/hda1

      ls -l /mnt/hda1


      Mount a Windows network share:

      share

      share admin 10.1.1.2 c$

      Enter a password for the remote share.

      ls -l /mnt/share/
      umount /mnt/share


      Edit a file:

      nano test.sh

      Ctrl+X, then y (confirm the file name with Enter) to save and exit



      chmod 755 test.sh

      ./test.sh


      Compile a program:

      gcc -o newname exploit.c

      gcc -o dcom 66.c

      ./dcom


      Install a new program:

      tar zxvf program.tar.gz

      cd to the new program folder

      ./configure

      make

      su root

      make install


      Footprinting


      Whois:

      whois target.com

      ping [link removed by the forum]

      whois targetIP


      DNS:

      dig target.com any


      Record types: A, PTR, NS, SOA, SRV, MX


      host -l target.com

      Online tools: CentralOps, DNSstuff, ServerSniff, Netcraft


      Exploits


      cd /pentest/exploits/milw0rm

      cat sploitlist.txt | grep -i [exploit]


      Some exploits may be written for compilation under Windows, while others for Linux.

      You can identify the environment by inspecting the headers.

      cat exploit | grep "#include"


      Windows: process.h, string.h, winbase.h, windows.h, winsock2.h

      Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h


      Keep only the exploits whose source references sys/ (Linux) headers, dropping the Windows-only ones:

      cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
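The header check described above, done per file rather than with one grep over the whole list, as an added example that is not part of the original post. The header names are the ones listed on the page (string.h is left out of the Windows set because it is standard C and appears in both kinds of source); the three .c files are constructed stand-ins for the archive contents.

```shell
#!/bin/sh
# Added example, not from the original post: classify C source files as
# windows / linux / unknown from their #include lines. Sample files are
# constructed; the header lists come from the page (minus string.h).
WIN_HDRS='winbase.h|windows.h|winsock2.h|process.h'
NIX_HDRS='arpa/inet.h|netinet/in.h|netdb.h|sys/socket.h|sys/types.h|unistd.h|fcntl.h'

make_sample_sources() {
  # Write three constructed sources into directory $1.
  mkdir -p "$1"
  printf '#include <stdio.h>\n#include <winsock2.h>\n#include <windows.h>\nint main(void){return 0;}\n' > "$1/a.c"
  printf '#include <stdio.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\nint main(void){return 0;}\n' > "$1/b.c"
  printf '#include <stdio.h>\n#include <string.h>\nint main(void){return 0;}\n' > "$1/c.c"
}

classify_source() {
  # Print windows, linux or unknown for file $1, judged on its #include lines only.
  includes=$(grep -E '^[[:space:]]*#[[:space:]]*include' "$1" || true)
  if printf '%s\n' "$includes" | grep -Eq "<($WIN_HDRS)>"; then
    echo windows
  elif printf '%s\n' "$includes" | grep -Eq "<($NIX_HDRS)>"; then
    echo linux
  else
    echo unknown
  fi
}

list_by_platform() {
  # $1 = directory of .c files, $2 = platform; prints the matching file names, sorted.
  for f in "$1"/*.c; do
    [ "$(classify_source "$f")" = "$2" ] && basename "$f"
  done | sort
}

# Demo run on the constructed files (uses a temporary directory).
demo_dir=$(mktemp -d)
make_sample_sources "$demo_dir"
echo "linux sources:";   list_by_platform "$demo_dir" linux
echo "windows sources:"; list_by_platform "$demo_dir" windows
rm -r "$demo_dir"
```

A file that includes headers from neither list is reported as unknown rather than guessed, which is the case the one-line grep pipeline silently drops.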


      Scanning


      scanrand -b10M targetIP:quick


      nmap:

      -sS   TCP SYN scan
      -sT   TCP connect scan
      -sU   UDP scan
      -PS   TCP SYN ping (host discovery)
      -PA   TCP ACK ping (host discovery)

      -PN   skip host discovery, treat every host as up
      -n    no DNS resolution

      -A    aggressive: OS detection, version detection, script scan, traceroute
      -O    OS detection
      -sV   service version detection
      -p    port selection
      -T    timing template (0-5)

      -iL   read targets from a file
      -oG   grepable output


      nmap -sS -PN -n targetIP

      nmap -sU -PN -n targetIP

      nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt

      nmap -sS -p 135,139,445 targetIP

      nmap -sS -p T:1433,U:1434 targetIP


      amap:

      Take the results from nmap and check for services on uncommon ports.

      amap -i scan.txt
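The scan.txt written by -oG above is also the file a defender reads back to check what a host actually exposes. The script below, an added example that is not part of the original post, parses grepable output into a "host port/proto service" list and reports any open service that is not on an allowlist. The scan lines, addresses and allowlist are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: turn nmap grepable output
# (what -oG scan.txt writes) into a "host port/proto service" inventory and
# diff it against an allowlist of expected exposure. All addresses, ports
# and scan lines below are constructed for the example.

make_sample_scan() {
  # Write a constructed -oG file to $1: one "Host:" line per scanned host,
  # tab-separated fields, and a "Ports:" field of port/state/proto//service///.
  {
    printf '# Nmap 5.51 scan (constructed sample)\n'
    printf 'Host: 10.1.1.2 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///\tIgnored State: closed (997)\n'
    printf 'Host: 10.1.1.3 ()\tPorts: 445/open/tcp//microsoft-ds///, 1434/open|filtered/udp//ms-sql-m///\tIgnored State: closed (998)\n'
    printf '# Nmap done (constructed sample)\n'
  } > "$1"
}

open_ports_from_grepable() {
  # Print "host port/proto service" for every port whose state is exactly "open";
  # "filtered" and "open|filtered" entries are left out on purpose.
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          ports = $i; sub(/^Ports: /, "", ports)
          n = split(ports, entry, /, /)
          for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")        # port / state / proto / owner / service / ...
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
          }
        }
      }
    }' "$1"
}

unexpected_exposure() {
  # $1 = -oG scan file, $2 = allowlist of "host port/proto" lines.
  # Prints the open services that are not on the allowlist (an empty
  # allowlist therefore reports every open service).
  open_ports_from_grepable "$1" |
    awk 'FILENAME == ARGV[1] { ok[$1 " " $2] = 1; next } !(($1 " " $2) in ok)' "$2" -
}

# Demo run on the constructed data (uses a temporary directory).
demo_dir=$(mktemp -d)
make_sample_scan "$demo_dir/scan.txt"
printf '10.1.1.2 22/tcp\n10.1.1.2 80/tcp\n' > "$demo_dir/allow.txt"
echo "open services:";        open_ports_from_grepable "$demo_dir/scan.txt"
echo "not on the allowlist:"; unexpected_exposure "$demo_dir/scan.txt" "$demo_dir/allow.txt"
rm -r "$demo_dir"
```

Only ports whose state is exactly "open" make the inventory; UDP "open|filtered" results need a follow-up probe (which is what the amap step above is for) before they are treated as exposure.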


      OS Fingerprinting


      p0f -i eth0 -U -p

      point a browser to the targetIP


      xprobe2 targetIP


      Banner Grabbing


      nc targetIP port

      nc 10.1.1.2 80


      telnet targetIP port

      HEAD / HTTP/1.0

      (press Enter twice to send the request)

      wget targetIP

      cat index.html | more

      q



      Windows Enumeration


      nmap -sS -p 139,445 targetIP


      cd /pentest/enumeration/smb-enum

      nbtscan -f targetIP
      smbgetserverinfo -i targetIP

      smbdumpusers -i targetIP
      smbclient -L //targetIP


      Using Windows:


      net use \\targetIP\ipc$ "" /u:""

      net view \\targetIP


      smbclient:

      smbclient -L hostName -I targetIP

      smbclient -L hostName/share -U ""

      smbclient -L hostName -I targetIP -U admin


      rpcclient:

      rpcclient targetIP -U ""

      netshareenum

      enumdomusers

      lsaenumsid

      queryuser RID

      createdomuser


      ARP Spoofing


      ettercap:

      nano /usr/local/etc/etter.conf

      Under the Linux section, uncomment both lines under iptables.


      Sniff > Unified sniffing > Network interface: eth0 > OK

      Hosts > Scan for hosts (do this two times)

      Hosts > Hosts list

      Select the default gateway > Add to Target 1

      Select the target > Add to Target 2

      Mitm > Arp poisoning > Sniff remote connections > OK

      Start > Start sniffing


      dsniff -i eth0

      urlsnarf -i eth0

      msgsnarf -i eth0

      driftnet -i eth0


      dns spoofing:

      nano /usr/local/share/ettercap/etter.dns

      Edit the Microsoft lines (target URL) to redirect to the attacker.


      Plugins > Manage the plugins > dns_spoof

      Mitm > Arp poisoning > Sniff remote connections > OK

      Start > Start sniffing
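What the ARP poisoning and dns_spoof steps above leave on the wire is a gateway IP being answered for by a second MAC, and one MAC answering for several IPs. The script below is an added example, not part of the original post, that flags both symptoms in a log of ARP replies; the "time ip mac" records and the addresses are constructed for the example (the record layout is an assumption, not the output format of any particular tool).

```shell
#!/bin/sh
# Added example, not from the original post: detect ARP poisoning symptoms
# from "time ip mac" records of ARP replies seen on eth0. Records and
# addresses are constructed; the record layout is an assumption.

make_sample_arp_log() {
  # Write constructed ARP reply records to $1. 192.168.0.1 is the gateway;
  # at 10:57:05 a second MAC starts answering for it.
  printf '%s\n' \
    '10:57:01 192.168.0.1 00:11:22:33:44:01' \
    '10:57:02 192.168.0.100 00:11:22:33:44:64' \
    '10:57:05 192.168.0.1 00:11:22:33:44:64' \
    '10:57:06 192.168.0.100 00:11:22:33:44:64' \
    '10:57:09 192.168.0.1 00:11:22:33:44:01' > "$1"
}

arp_conflicts() {
  # Print "ip mac1 mac2 ..." for every IP announced with more than one MAC,
  # MACs in order of first appearance.
  awk '{
    key = $2 SUBSEP $3
    if (!(key in seen)) { seen[key] = 1; macs[$2] = macs[$2] " " $3; n[$2]++ }
  }
  END { for (ip in n) if (n[ip] > 1) print ip macs[ip] }' "$1" | sort
}

macs_claiming_many() {
  # Print "mac ip1 ip2 ..." for every MAC that answered for more than one IP,
  # the pattern of a host answering for both ends of a poisoned conversation.
  awk '{
    key = $3 SUBSEP $2
    if (!(key in seen)) { seen[key] = 1; ips[$3] = ips[$3] " " $2; n[$3]++ }
  }
  END { for (m in n) if (n[m] > 1) print m ips[m] }' "$1" | sort
}

# Demo run on the constructed log (uses a temporary file).
demo_log=$(mktemp)
make_sample_arp_log "$demo_log"
echo "IPs announced by more than one MAC:"; arp_conflicts "$demo_log"
echo "MACs answering for more than one IP:"; macs_claiming_many "$demo_log"
rm "$demo_log"
```

A legitimate gateway that is replaced or has a hot-standby interface will also trip the first check, so the time of the change and the vendor prefix of the new MAC are what turn this output into an alert rather than a note.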



      Metasploit


      svn update


      Web Interface:

      ./msfweb


      Console:

      ./msfconsole

      help

      show