  1. #####################################
  2. # Strategicsec Intro to Linux #
  3. # By Joe McCray #
  4. #####################################
  5.  
  6.  
  7.  
  8. ########################
  9. # Basic Linux Commands #
  10. ########################
  11. cd ~
  12.  
  13. pwd
  14.  
  15. whereis pwd
  16.  
  17. which pwd
  18.  
  19. sudo find / -name pwd
  20.  
  21. /bin/pwd
  22.  
  23. mkdir LinuxBasics
  24.  
  25. cd LinuxBasics
  26.  
  27. touch one two three
  28.  
  29. ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
  30.  
  31. h (and again without pressing the Enter key, press the Tab key twice. What happens?)
  32.  
  33. Press the 'Up arrow key' (What happens?)
  34.  
  35. Press 'Ctrl-A' (What happens?)
  36.  
  37. ls
  38.  
  39. clear (What happens?)
  40.  
  41. echo one > one
  42.  
  43. cat one (What happens?)
  44.  
  45. man cat (What happens?)
  46. q
  47.  
  48. cat two
  49.  
  50. cat one > two
  51.  
  52. cat two
  53.  
  54. cat one two > three
  55.  
  56. cat three
  57.  
  58. echo four >> three
  59.  
  60. cat three (What happens?)
  61.  
  62. wc -l three
  63.  
  64. man wc
  65. q
  66.  
  67. cat three | grep four
  68.  
  69. cat three | grep one
  70.  
  71. man grep
  72. q
  73.  
  74.  
  75. man ps
  76. q
  77.  
  78. ps
  79.  
  80. ps aux
  81.  
  82. ps aux | less
  83.  
  84. Press the 'Up arrow key' (What happens?)
  85.  
  86. Press the 'Down arrow key' (What happens?)
  87. q
  88.  
  89. top
  90.  
  91.  
  92.  
  93. #########
  94. # Files #
  95. #########
  96. cd ~
  97.  
  98. pwd
  99.  
  100. ls
  101.  
  102. cd LinuxBasics
  103.  
  104. pwd
  105.  
  106. cd ~
  107.  
  108. pwd
  109.  
  110. cd LinuxBasics
  111.  
  112. ls
  113.  
  114. mkdir files
  115.  
  116. cp one files/
  117.  
  118. ls files/
  119.  
  120. cd files/
  121.  
  122. cp ../two .
  123.  
  124. ls
  125.  
  126. cp ../three .
  127.  
  128. ls
  129.  
  130. tar cvf files.tar *
  131.  
  132. ls
  133.  
  134. gzip files.tar
  135.  
  136. ls
  137.  
  138. rm -rf one two three
  139.  
  140. ls
  141.  
  142. tar -zxvf files.tar.gz
  143.  
  144. rm -rf files.tar.gz
  145.  
  146. sudo apt-get install -y zip unzip
  147.  
  148. zip data *
  149.  
  150. unzip -l data.zip
  151.  
  152. unzip data.zip -d /tmp
  153.  
  154. unzip -l data.zip
  155.  
  156.  
  157.  
  158. ############
  159. # VIM Demo #
  160. ############
  161. cd ~
  162. sudo apt-get install -y vim
  163. strategicsec
  164.  
  165. cd LinuxBasics
  166.  
  167. mkdir vimlesson
  168.  
  169. cd vimlesson
  170.  
  171. vi lesson1.sh
  172.  
  173. i (press "i" to get into INSERT mode and then paste in the lines below)
  174.  
  175. #!/bin/bash
  176.  
  177. echo "This is my first time using vi to create a shell script"
  178. echo " "
  179. echo " "
  180. echo " "
  181. sleep 5
  182. echo "Ok, now let's clear the screen"
  183. sleep 3
  184.  
  185.  
  186. ---------------don't put this line in your script----------------------------
  187.  
  188. ESC (press the ESC key to get you out of INSERT mode)
  189.  
  190. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  191.  
  192.  
  193. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  194.  
  195.  
  196.  
  197. vi lesson1.sh
  198.  
  199. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  200.  
  201. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  202.  
  203. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  204.  
  205.  
  206.  
  207.  
  208. vi lesson1.sh
  209.  
  210. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  211.  
  212. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  213.  
  214.  
  215. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  216.  
  217. /echo (typing "/echo" immediately after SHIFT: will search the file for the word echo).
  218.  
  219. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  220.  
  221. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  222.  
  223.  
  224.  
  225.  
  226. vi lesson1.sh
  227.  
  228. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  229.  
  230. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  231.  
  232.  
  233. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  234.  
  235. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  236.  
  237. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  238.  
  239. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  240.  
  241.  
  242.  
  243.  
  244. vi lesson1.sh
  245.  
  246. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  247.  
  248. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  249.  
  250.  
  251. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  252.  
  253. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  254.  
  255. dd (typing "dd" will delete the line that you are on)
  256.  
  257. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  258.  
  259. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  260.  
  261.  
  262.  
  263.  
  264. vi lesson1.sh
  265.  
  266. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  267.  
  268. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  269.  
  270.  
  271. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  272.  
  273. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  274.  
  275. dd (typing "dd" will delete the line that you are on)
  276.  
  277. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  278.  
  279. syntax on (typing "syntax on" immediately after SHIFT: will turn on syntax highlighting)
  280.  
  281. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  282.  
  283. set tabstop=5 (typing "set tabstop=5" immediately after SHIFT: will set the tab width to 5 columns)
  284.  
  285. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  286.  
  287. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  288.  
  289.  
  290.  
  291.  
  292. vi ~/.vimrc
  293. i (press "i" to get into INSERT mode and then paste in the lines below)
  294.  
  295.  
  296. set number
  297. syntax on
  298. set tabstop=5
  299.  
  300. ESC (press the ESC key to get you out of INSERT mode)
  301.  
  302. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  303.  
  304. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  305.  
  306.  
  307.  
  308.  
  309.  
  310.  
  311. vi lesson1.sh
  312.  
  313. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  314.  
  315. echo $MYVIMRC (typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file)
  316.  
  317. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  318.  
  319. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  320.  
  321.  
  322. ###############
  323. # Permissions #
  324. ###############
  325. cd ~
  326.  
  327. pwd
  328.  
  329. ls
  330.  
  331. cd LinuxBasics
  332.  
  333. ls -l one
  334.  
  335. We can determine a lot from examining the results of this command. The file "one" is owned by user "me".
  336. Now "me" has the right to read and write this file.
  337. The file is owned by the group "me". Members of the group "me" can also read and write this file.
  338. Everybody else can read this file
  339.  
  340.  
  341.  
  342. ls -l /bin/bash
  343.  
  344.  
  345. Here we can see:
  346.  
  347. The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file.
  348. The file is owned by the group "root". Members of the group "root" can also read and execute this file. Everybody else can read and execute this file
  349.  
  350.  
  351. The next command you need to know is "chmod"
  352. rwx rwx rwx = 111 111 111
  353. rw- rw- rw- = 110 110 110
  354. rwx --- --- = 111 000 000
  355.  
  356. and so on...
  357.  
  358. rwx = 111 in binary = 7
  359. rw- = 110 in binary = 6
  360. r-x = 101 in binary = 5
  361. r-- = 100 in binary = 4
  362.  
  363. ls -l one
  364.  
  365. chmod 600 one
  366.  
  367. ls -l one
  368.  
  369. sudo useradd testuser
  370. strategicsec
  371.  
  372. sudo passwd testuser
  373.  
  374. testuser
  375. testuser
  376.  
  377. sudo chown testuser one
  378. strategicsec
  379.  
  380. ls -l one
  381.  
  382. sudo chgrp testuser one
  383. strategicsec
  384.  
  385. ls -l one
  386.  
  387. id
  388.  
  389. su testuser
  390. testuser
  391.  
  392.  
  393. Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.
  394.  
  395. Value Meaning
  396. 777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
  397.  
  398. 755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
  399.  
  400. 700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
  401.  
  402. 666 (rw-rw-rw-) All users may read and write the file.
  403.  
  404. 644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.
  405.  
  406. 600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.
  407.  
  408.  
  409.  
  410. Directory permissions
  411. ---------------------
  412. The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:
  413.  
  414. Value Meaning
  415. 777 (rwxrwxrwx) No restrictions on permissions.
  416. Anybody may list files, create new files in the directory and delete files in the directory.
  417. Generally not a good setting.
  418.  
  419.  
  420.  
  421. 755 (rwxr-xr-x) The directory owner has full access.
  422. All others may list the directory, but cannot create files nor delete them.
  423. This setting is common for directories that you wish to share with other users.
  424.  
  425.  
  426.  
  427. 700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.
  428.  
  429. ###############################
  430. # Sticky bit and SUID exploit #
  431. ###############################
  432. Create a name myfile.txt in the file system that points to a new inode (which contains the metadata for the file and points to the blocks of data that contain its contents, i.e. the text "Hello, World!"):
  433.  
  434. $ echo 'Hello, World!' > myfile.txt
  435.  
  436. Create a hard link my-hard-link to the file myfile.txt, which means "create a file that should point to the same inode that myfile.txt points to":
  437. $ ln myfile.txt my-hard-link
  438.  
  439. Create a soft link my-soft-link to the file myfile.txt, which means "create a file that should point to the file myfile.txt":
  440. $ ln -s myfile.txt my-soft-link
  441.  
  442. Look what will now happen if myfile.txt is deleted (or moved): my-hard-link still points to the same contents, and is thus unaffected, whereas my-soft-link now points to nothing. Each kind of link has its own pros and cons.
  443.  
  444.  
  445. ####################################################
  446. # Privilege Escalation by Exploiting SUID Binaries #
  447. ####################################################
  448.  
  449.  
  450. vi test_suid.c
  451. ------------------------------------------------------------------
  /*
   * Demo from the lesson: a root-owned binary with the SUID bit set that
   * execs a shell.  It illustrates why SUID root binaries are dangerous:
   * the kernel runs the program with the file owner's effective uid, so any
   * local user who can run it inherits root.  The find -perm command later
   * in the lesson is the defender's inventory for binaries like this.
   */
  #include<stdio.h>
  #include<stdlib.h>
  #include<unistd.h>

  /* Entry point: prints a banner, then replaces this process with a shell. */
  int main()
  {
  /* bash -p (privileged mode) keeps the effective uid instead of dropping it
   * to the real uid, which is what makes the SUID bit matter here.
   * NOTE(review): execve() requires the argv array to end with a NULL
   * sentinel; this array has none, so passing it is undefined behaviour. */
  char *eargs[] = {"/bin/bash", "-p"};

  printf("Executing Shell\n");

  /* NOTE(review): the path "/bash/bash" does not match eargs[0] ("/bin/bash");
   * as written execve() fails, its return value is unchecked, and main falls
   * through to return 0 with only the banner printed. */
  execve("/bash/bash", eargs, NULL);

  return 0;
  }
  466. ------------------------------------------------------------------
  467. test_suid.c is a demo exploit file that can be compiled using GCC:
  468. # gcc test_suid.c -o test_suid
  469.  
  470. Compile as the root user to make sure the file is owned by root (the SUID bit only confers the file owner's privileges, so a binary owned by an unprivileged user would not escalate).
  471.  
  472. When the test_suid binary is executed without the SUID bit set, we still have the permissions of the unprivileged user (prdarsha in this example).
  473.  
  474. Now let's execute the test_suid binary after setting the SUID bit, which will escalate the privilege from a normal user to the root user.
  475. File permissions can be set using the command below (also refer to the File Permissions figure):
  476. # chmod u+s test_suid
  477.  
  478. Check the permissions of important files such as passwd.
  479.  
  480.  
  481. Finding all executables which have the SUID or SGID bit set (-04000 is SUID, -02000 is SGID) — worth recording as a baseline so that unexpected additions stand out:
  482. find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls -lg {} \;
  483.  
  484. ######################
  485. # Process Management #
  486. ######################
  487. top
  488.  
  489. sudo apt-get install -y htop
  490. strategicsec
  491.  
  492. htop
  493.  
  494. ps
  495.  
  496. ps aux
  497.  
  498. ps -A
  499.  
  500. ps -A | less
  501.  
  502. ps axjf
  503.  
  504. pstree
  505.  
  506. pgrep bash
  507.  
  508. pgrep init
  509.  
  510. ps aux | grep apache
  511.  
  512. You can list all of the signals that are possible to send with kill by typing:
  513.  
  514. kill -l
  515.  
  516. sudo kill -HUP pid_of_apache
  517.  
  518. The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:
  519.  
  520. pkill -9 ping
  521. The above command is the equivalent of:
  522.  
  523. kill -9 `pgrep ping`
  524.  
  525.  
  526.  
  527. ##############
  528. # Cisco Logs #
  529. ##############
  530.  
  531. wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
  532.  
  533.  
  534. AWK Basics
  535. ----------
  536. - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  537.  
  538. cat cisco.log | awk '{print $5}' | tail -n 4
  539.  
  540.  
  541.  
  542.  
  543. - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  544.  
  545. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  546.  
  547.  
  548.  
  549.  
  550. - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  551.  
  552. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  553.  
  554.  
  555.  
  556.  
  557.  
  558. - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  559.  
  560. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  561.  
  562. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  563.  
  564. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  565.  
  566. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  567.  
  568.  
  569.  
  570.  
  571. ####################
  572. # MD5 Hashing Demo #
  573. ####################
  574. cd ~/LinuxBasics
  575. mkdir hashdemo
  576. cd hashdemo
  577. echo test > test.txt
  578. cat test.txt
  579. md5sum test.txt
  580. echo hello >> test.txt
  581. cat test.txt
  582. md5sum test.txt
  583. cd ..
  584.  
  585.  
  586.  
  587.  
  588. #################################
  589. # Symmetric Key Encryption Demo #
  590. #################################
  591. cd ~/LinuxBasics
  592. mkdir gpgdemo
  593. cd gpgdemo
  594. echo test > test.txt
  595. cat test.txt
  596. gpg -c test.txt
  597. password
  598. password
  599. ls | grep test
  600. cat test.txt
  601. cat test.txt.gpg
  602. rm -rf test.txt
  603. ls | grep test
  604. gpg -o output.txt test.txt.gpg
  605. cat output.txt
  606.  
  607.  
  608. #########################################################################################################################
  609. # Asymmetric Key Encryption Demo #
  610. # #
  611. # Configure random number generator #
  612. # https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
  613. #########################################################################################################################
  Note: feeding /dev/urandom back into rngd (below) is a lab shortcut to stop gpg --gen-key from blocking; it adds no real entropy to the pool, so do not do this on a machine that generates keys you intend to rely on.
  614.  
  615. sudo apt-get install -y rng-tools
  616. strategicsec
  617.  
  618. /etc/init.d/rng-tools start
  619.  
  620. sudo rngd -r /dev/urandom
  621. strategicsec
  622.  
  623.  
  624. echo hello > file1.txt
  625. echo goodbye > file2.txt
  626. echo green > file3.txt
  627. echo blue > file4.txt
  628.  
  629. tar czf files.tar.gz *.txt
  630.  
  631. gpg --gen-key
  632. 1
  633. 1024
  634. 0
  635. y
  636. John Doe
  637. john@doe.com
  638. --blank comment--
  639. O
  640. password
  641. password
  642.  
  643.  
  644.  
  645. gpg --armor --output file-enc-pubkey.txt --export 'John Doe'
  646.  
  647. cat file-enc-pubkey.txt
  648.  
  649. gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'
  650.  
  651. cat file-enc-privkey.asc
  652.  
  653. gpg --encrypt --recipient 'John Doe' files.tar.gz
  654.  
  655. rm -rf files.tar.gz *.txt
  656.  
  657. ls
  658.  
  659. tar -zxvf files.tar.gz.gpg
  660.  
  661. gpg --output output.tar.gz --decrypt files.tar.gz.gpg
  662. password
  663.  
  664. tar -zxvf output.tar.gz
  665.  
  666. ls
  667.  
  668.  
  669.  
  670.  
  671.  
  672. ############################
  673. # Encryption using OpenSSL #
  674. ############################
  Note: 1024-bit RSA and the rsautl subcommand are used here for brevity; for anything beyond this demo use at least 2048-bit keys and the pkeyutl subcommand.
  675. openssl genrsa -out private_key.pem 1024
  676. openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
  677.  
  678.  
  679. echo hello > encrypt.txt
  680. openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
  681.  
  682. cat encrypt.dat
  683.  
  684. rm -rf encrypt.txt
  685.  
  686. ls
  687.  
  688. openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
  689.  
  690. cat decrypt.txt
  691.  
  692.  
  693.  
  694. ###############################
  695. # Secure File/Folder Deletion #
  696. ###############################
  697. sudo apt-get install -y secure-delete wipe
  698.  
  699. wget https://www.sans.org/security-resources/tcpip.pdf
  700.  
  701. file tcpip.pdf
  702.  
  703. sudo srm tcpip.pdf
  704.  
  705. wget https://www.sans.org/security-resources/tcpip.pdf
  706.  
  707. shred tcpip.pdf
  708.  
  709. wget https://www.sans.org/security-resources/tcpip.pdf
  710.  
  711. wipe tcpip.pdf
  712.  
  713.  
  714.  
  715.  
  716.  
  717. #################
  718. # IPTables Demo #
  719. #################
  720. cd ~
  721.  
  722. - Delete Existing Rules
  723. ---------------------
  724. sudo /sbin/iptables -F
  725. strategicsec
  726.  
  727. (or)
  728.  
  729. sudo /sbin/iptables --flush
  730. strategicsec
  731.  
  732.  
  733.  
  734. - Set Default Chain Policies
  735. --------------------------
  Note: with no ACCEPT rules loaded yet, these DROP policies cut every connection, including the one you may be typing on — run them from a console, and remember that the flush (-F) below clears rules but does not reset chain policies.
  736. iptables -P INPUT DROP
  737. iptables -P FORWARD DROP
  738. iptables -P OUTPUT DROP
  739.  
  740.  
  741.  
  742. - Delete Existing Rules
  743. ---------------------
  744. sudo /sbin/iptables -F
  745. strategicsec
  746.  
  747. (or)
  748.  
  749. sudo /sbin/iptables --flush
  750. strategicsec
  751.  
  752.  
  753.  
  754.  
  755. sudo /bin/bash
  756.  
  757.  
  758.  
  759. - Block a Specific ip-address
  760. -----------------------------
  761. BLOCK_THIS_IP="1.2.3.4"
  762. iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
  763.  
  764.  
  765. iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
  766. iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
  767.  
  768.  
  769. - Allow ALL Incoming SSH
  770. ------------------------
  771. iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  772. iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  773.  
  774.  
  775. - Allow Incoming SSH only from a Specific Network
  776. -------------------------------------------------
  777. iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  778. iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  779.  
  780.  
  781. - Allow Incoming HTTP and HTTPS
  782. -------------------------------
  783. iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
  784. iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
  785.  
  786.  
  787. iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  788. iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
  789.  
  790.  
  791.  
  792. - Combine Multiple Rules Together using MultiPorts
  793. --------------------------------------------------
  794. iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
  795. iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
  796.  
  797.  
  798. - Allow Outgoing SSH
  799. --------------------
  800. iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  801. iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  802.  
  803.  
  804. - Allow Outgoing SSH only to a Specific Network
  805. -----------------------------------------------
  806. The following rules allow outgoing ssh connection only to a specific network. i.e. You can ssh only to 192.168.100.0/24 network from the inside.
  807.  
  808. iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  809. iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
  810.  
  811.  
  812.  
  813. - Allow Outgoing HTTPS
  814. ----------------------
  815. The following rules allow outgoing secure web traffic. This is helpful when you want to allow internet traffic for your users. On servers, these rules are also helpful when you want to use wget to download some files from outside.
  816.  
  817. iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  818. iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
  819.  
  820.  
  821.  
  822.  
  823. Load Balance Incoming Web Traffic
  824. ---------------------------------
  825. You can also load balance your incoming web traffic using iptables firewall rules.
  826.  
  827. This uses the iptables nth extension. The following example load balances the HTTPS traffic to three different ip-addresses. Every 3rd packet is load balanced to the appropriate server (using the counter 0). Note that DNAT is only valid in the nat table, so these rules need -t nat, and the nth match is not part of stock iptables; the equivalent in current releases is -m statistic --mode nth.
  828.  
  829. iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
  830. iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
  831. iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
  832.  
  833.  
  834.  
  835. Allow Ping from Outside to Inside
  836. ---------------------------------
  837. The following rules allow outside users to be able to ping your servers.
  838.  
  839. iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  840. iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  841.  
  842.  
  843.  
  844. Allow Ping from Inside to Outside
  845. ---------------------------------
  846. The following rules allow you to ping from inside to any of the outside servers.
  847.  
  848. iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
  849. iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  850.  
  851.  
  852.  
  853. Allow Loopback Access
  854. ---------------------
  855. You should allow full loopback access on your servers. i.e access using 127.0.0.1
  856.  
  857. iptables -A INPUT -i lo -j ACCEPT
  858. iptables -A OUTPUT -o lo -j ACCEPT
  859.  
  860.  
  861.  
  862. Allow Internal Network to External network
  863. ------------------------------------------
  864. On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network.
  865.  
  866. In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x).
  867.  
  868. iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
  869.  
  870.  
  871.  
  872. Allow outbound DNS
  873. ------------------
  874. The following rules allow outgoing DNS connections.
  875.  
  876. iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
  877. iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
  878.  
  879.  
  880.  
  881. Allow Rsync From a Specific Network
  882. -----------------------------------
  883. The following rules allows rsync only from a specific network.
  884.  
  885. iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
  886. iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
  887.  
  888.  
  889.  
  890. Allow MySQL connection only from a specific network
  891. ---------------------------------------------------
  892. If you are running MySQL, typically you don’t want to allow direct connection from outside. In most cases, you might have web server running on the same server where the MySQL database runs.
  893.  
  894. However DBA and developers might need to login directly to the MySQL from their laptop and desktop using MySQL client. In those case, you might want to allow your internal network to talk to the MySQL directly as shown below.
  895.  
  896. iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
  897. iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
  898.  
  899.  
  900.  
  901. Allow Sendmail or Postfix Traffic
  902. ---------------------------------
  903. The following rules allow mail traffic. It may be sendmail or postfix.
  904.  
  905. iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
  906. iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
  907.  
  908.  
  909. Allow IMAP and IMAPS
  910. --------------------
  911. The following rules allow IMAP/IMAP2 traffic.
  912.  
  913. iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
  914. iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
  915.  
  916.  
  917. The following rules allow IMAPS traffic.
  918.  
  919. iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
  920. iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
  921.  
  922.  
  923.  
  924.  
  925. Allow POP3 and POP3S
  926. --------------------
  927. The following rules allow POP3 access.
  928.  
  929. iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
  930. iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
  931. The following rules allow POP3S access.
  932.  
  933. iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
  934. iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
  935.  
  936.  
  937.  
  938. Port Forwarding
  939. ---------------
  940. The following example routes all traffic that comes to the port 422 to 22. This means that the incoming ssh connection can come from both port 22 and 422.
  941.  
  942. iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
  943.  
  944. If you do the above, you also need to explicitly allow incoming connection on the port 422.
  945.  
  946. iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
  947. iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
  948.  
  949.  
  950. Log Dropped Packets
  951. -------------------
  952. You might also want to log all the dropped packets. These rules should be at the bottom.
  953.  
  954. First, create a new chain called LOGGING.
  955.  
  956. iptables -N LOGGING
  957. Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.
  958.  
  959. iptables -A INPUT -j LOGGING
  960. Next, log these packets with a custom "log-prefix". The --limit 2/min keeps a flood of dropped packets from filling the log; --log-level 7 is debug priority, which many syslog configurations do not write to disk, so if the entries do not appear check the kernel ring buffer (dmesg) or use a higher level such as 4 (warning).
  961.  
  962. iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
  963. Finally, drop these packets. (This rule is missing from the original text; without it the LOGGING chain falls through and the packet is handled by the INPUT chain's default policy instead of being dropped here.)
  964.  
  965. iptables -A LOGGING -j DROP
  966.  
  967.  
  968. ##############################################
  969. # Log Analysis with Linux command-line tools #
  970. ##############################################
  971. - The following command line executables are found on macOS as well as most Linux distributions.
  972.  
  973. cat – prints the content of a file in the terminal window
  974. grep – searches and filters based on patterns
  975. awk – can sort each row into fields and display only what is needed
  976. sed – performs find and replace functions
  977. sort – arranges output in an order
  978. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  979.  
  980.  
  981.  
  982. ###############
  983. # Apache Logs #
  984. ###############
  985.  
  986. Reference:
  987. http://www.the-art-of-web.com/system/logs/
  988.  
  989. wget https://s3.amazonaws.com/SecureNinja/Python/access_log
  990.  
  991.  
  992. - You want to list all user agents ordered by the number of times they appear (descending order):
  993.  
  994. awk -F\" '{print $6}' access_log | sort | uniq -c | sort -fr
  995.  
  996.  
  997.  
  998. - Using the default separator which is any white-space (spaces or tabs) we get the following:
  999.  
  1000. awk '{print $1}' access_log # ip address (%h)
  1001. awk '{print $2}' access_log # RFC 1413 identity (%l)
  1002. awk '{print $3}' access_log # userid (%u)
  1003. awk '{print $4,$5}' access_log # date/time (%t) -- note $5, not a bare 5, which would print the literal number
  1004. awk '{print $9}' access_log # status code (%>s)
  1005. awk '{print $10}' access_log # size (%b)
  1006.  
  1007. - You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
  1008.  
  1009. awk -F\" '{print $2}' access_log # request line (%r)
  1010. awk -F\" '{print $4}' access_log # referer
  1011. awk -F\" '{print $6}' access_log # user agent
  1012.  
  1013.  
  1014. awk -F\" '{print $6}' access_log \
  1015. | sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \
  1016. | sort | uniq -c | sort -fr
  1017.  
  1018.  
  1019. - The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?
  1020.  
  1021. awk -F\" '($6 ~ /Googlebot/){print $2}' access_log | awk '{print $2}'
  1022. Or who's been looking at your guestbook?
  1023.  
  1024. awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log
  1025.  
  1026.  
  1027. Reference:
  1028. https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
  1029.  
  1030. # top 20 URLs from the last 5000 hits
  1031. tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  1032. tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1033.  
  1034. # top 20 URLS excluding POST data from the last 5000 hits
  1035. tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  1036. tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1037.  
  1038. # top 20 IPs from the last 5000 hits
  1039. tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
  1040. tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  1041.  
  1042. # top 20 URLs requested from a certain ip from the last 5000 hits
  1043. IP=1.2.3.4; tail -5000 ./access_log | grep -F -- "$IP" | awk '{print $7}' | sort | uniq -c | sort -rn | head -20 # -F: treat the dots in the IP literally, not as regex wildcards
  1044. IP=1.2.3.4; tail -5000 ./access_log | awk -v ip="$IP" '$1 == ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 # == rather than ~, so 1.2.3.4 does not also match 11.2.3.45
  1045.  
  1046. # top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
  1047. IP=1.2.3.4; tail -5000 ./access_log | grep -F -- "$IP" | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  1048. IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip="$IP" '$1 == ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 # exact match on the client field; a regex match would also hit longer IPs containing this one
  1049.  
  1050. # top 20 referrers from the last 5000 hits
  1051. tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
  1052. tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
  1053.  
  1054. # top 20 user agents from the last 5000 hits
  1055. tail -5000 ./access_log | cut -d ' ' -f12- | sort | uniq -c | sort -rn | head -20 # the delimiter is a single space; the original "-d\ -f12-" lost the escaped space when pasted and does not run
  1056.  
  1057. # sum of data (in MB) transferred in the last 5000 hits
  1058. tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
  1059.  
  1060.  
  1061. ##############
  1062. # Cisco Logs #
  1063. ##############
  1064.  
  1065. wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log
  1066.  
  1067.  
  1068. AWK Basics
  1069. ----------
  1070. - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  1071.  
  1072. cat cisco.log | awk '{print $5}' | tail -n 4
  1073.  
  1074.  
  1075.  
  1076.  
  1077. - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  1078.  
  1079. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  1080.  
  1081.  
  1082.  
  1083.  
  1084. - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  1085.  
  1086. cat cisco.log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | sort | uniq -c | sort -rn # quote the pattern: unquoted, * and [..] are filename globs and the shell may replace them with matching files from the current directory
  1087.  
  1088.  
  1089.  
  1090.  
  1091.  
  1092. - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  1093.  
  1094. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  1095.  
  1096. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  1097.  
  1098. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  1099.  
  1100. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  1101.  
  1102.  
  1103.  
  1104.  
  1105. ##############################################################
  1106. # Intro to Bash Scripting #
  1107. # #
  1108. # Reference: #
  1109. # https://www.panix.com/~elflord/unix/bash-tute.html #
  1110. ##############################################################
  1111. A quick guide to writing scripts using the bash shell
  1112.  
  1113. A simple shell script
  1114.  
  1115. A shell script is little more than a list of commands that are run in sequence. Conventionally, a shellscript should start with a line such as the following:
  1116. #!/bin/bash
  1117.  
  1118. This indicates that the script should be run in the bash shell regardless of which interactive shell the user has chosen. This is very important, since the syntax of different shells can vary greatly.
  1119. A simple example
  1120.  
  1121. Here's a very simple example of a shell script. It just runs a few simple commands
  1122. #!/bin/bash
  1123. echo "hello, $USER. I wish to list some files of yours"
  1124. echo "listing files in the current directory, $PWD"
  1125. ls # list files
  1126.  
  1127. Firstly, notice the comment on line 4. In a bash script, anything following a pound sign # (besides the shell name on the first line) is treated as a comment, i.e. the shell ignores it. It is there for the benefit of people reading the script.
  1128.  
  1129. $USER and $PWD are variables. These are standard variables defined by the bash shell itself, they needn't be defined in the script. Note that the variables are expanded when the variable name is inside double quotes. Expanded is a very appropriate word: the shell basically sees the string $USER and replaces it with the variable's value then executes the command.
  1130.  
  1131. We continue the discussion on variables below ...
  1132.  
  1133. Variables
  1134.  
  1135. Any programming language needs variables. You define a variable as follows:
  1136. X="hello"
  1137. and refer to it as follows:
  1138. $X
  1139.  
  1140. More specifically, $X is used to denote the value of the variable X. Some things to take note of regarding semantics:
  1141. bash gets unhappy if you leave a space on either side of the = sign. For example, the following gives an error message:
  1142. X = hello
  1143.  
  1144. While I have quotes in my example, they are not always necessary. Where you need quotes is when a variable's value includes spaces. For example,
  1145. X=hello world # error
  1146. X="hello world" # OK
  1147.  
  1148. This is because the shell essentially sees the command line as a pile of commands and command arguments separated by spaces. foo=bar is considered a command. The problem with foo = bar is that the shell sees the word foo separated by spaces and interprets it as a command. Likewise, the problem with the command X=hello world is that the shell interprets X=hello as a command, and the word "world" does not make any sense (since the assignment command doesn't take arguments).
  1149.  
  1150.  
  1151. Single Quotes versus double quotes
  1152.  
  1153. Basically, variable names are expanded within double quotes, but not single quotes. If you do not need to refer to variables, single quotes are good to use as the results are more predictable.
  1154.  
  1155. An example
  1156.  
  1157. #!/bin/bash
  1158. echo -n '$USER=' # -n option stops echo from breaking the line
  1159. echo "$USER"
  1160. echo "\$USER=$USER" # this does the same thing as the first two lines
  1161. The output looks like this (assuming your username is elflord)
  1162. $USER=elflord
  1163.  
  1164. $USER=elflord
  1165. so the double quotes still have a work around. Double quotes are more flexible, but less predictable. Given the choice between single quotes and double quotes, use single quotes.
  1166.  
  1167.  
  1168.  
  1169. Using Quotes to enclose your variables
  1170.  
  1171. Sometimes, it is a good idea to protect variable names in double quotes. This is usually the most important if your variables value either (a) contains spaces or (b) is the empty string. An example is as follows:
  1172.  
  1173. #!/bin/bash
  1174. X=""
  1175. if [ -n $X ]; then # -n tests to see if the argument is non empty
  1176. echo "the variable X is not the empty string"
  1177. fi
  1178.  
  1179. This script will give the following output:
  1180. the variable X is not the empty string
  1181.  
  1182. Why ? because the shell expands $X to the empty string. The expression [ -n ] returns true (since it is not provided with an argument). A better script would have been:
  1183.  
  1184. #!/bin/bash
  1185. X=""
  1186. if [ -n "$X" ]; then # -n tests to see if the argument is non empty
  1187. echo "the variable X is not the empty string"
  1188. fi
  1189.  
  1190. In this example, the expression expands to [ -n "" ] which returns false, since the string enclosed in inverted commas is clearly empty.
  1191.  
  1192.  
  1193.  
  1194. Variable Expansion in action
  1195.  
  1196. Just to convince you that the shell really does "expand" variables in the sense I mentioned before, here is an example:
  1197. #!/bin/bash
  1198. LS="ls"
  1199. LS_FLAGS="-al"
  1200.  
  1201. $LS $LS_FLAGS $HOME
  1202.  
  1203. This looks a little enigmatic. What happens with the last line is that it actually executes the command
  1204. ls -al /home/elflord
  1205. (assuming that /home/elflord is your home directory). That is, the shell simply replaces the variables with their values, and then executes the command.
  1206.  
  1207.  
  1208.  
  1209. Using Braces to Protect Your Variables
  1210.  
  1211. OK. Here's a potential problem situation. Suppose you want to echo the value of the variable X, followed immediately by the letters "abc". Question: how do you do this ? Let's have a try :
  1212. #!/bin/bash
  1213. X=ABC
  1214. echo "$Xabc"
  1215.  
  1216.  
  1217. This gives no output. What went wrong? The answer is that the shell thought that we were asking for the variable Xabc, which is uninitialised. The way to deal with this is to put braces around X to separate it from the other characters. The following gives the desired result:
  1218. #!/bin/bash
  1219. X=ABC
  1220. echo "${X}abc"
  1221. Conditionals, if/then/elif
  1222.  
  1223. Sometimes, it's necessary to check for certain conditions. Does a string have 0 length ? does the file "foo" exist, and is it a symbolic link , or a real file ? Firstly, we use the if command to run a test. The syntax is as follows:
  1224. if condition
  1225. then
  1226. statement1
  1227. statement2
  1228. ..........
  1229. fi
  1230. Sometimes, you may wish to specify an alternate action when the condition fails. Here's how it's done.
  1231. if condition
  1232. then
  1233. statement1
  1234. statement2
  1235. ..........
  1236. else
  1237. statement3
  1238. fi
  1239. alternatively, it is possible to test for another condition if the first "if" fails. Note that any number of elifs can be added.
  1240. if condition1
  1241. then
  1242. statement1
  1243. statement2
  1244. ..........
  1245. elif condition2
  1246. then
  1247. statement3
  1248. statement4
  1249. ........
  1250. elif condition3
  1251. then
  1252. statement5
  1253. statement6
  1254. ........
  1255.  
  1256.  
  1257. fi
  1258.  
  1259.  
  1260. The statements inside the block between if/elif and the next elif or fi are executed if the corresponding condition is true. Actually, any command can go in place of the conditions, and the block will be executed if and only if the command returns an exit status of 0 (in other words, if the command exits "successfully"). However, in the course of this document, we will be only interested in using "test" or "[ ]" to evaluate conditions.
  1261.  
  1262. The Test Command and Operators
  1263.  
  1264. The command used in conditionals nearly all the time is the test command. Test returns true or false (more accurately, exits with 0 or non zero status) depending respectively on whether the test is passed or failed. It works like this:
  1265. test operand1 operator operand2
  1266.  
  1267. for some tests, there need be only one operand (operand2) The test command is typically abbreviated in this form:
  1268. [ operand1 operator operand2 ]
  1269.  
  1270. To bring this discussion back down to earth, we give a few examples:
  1271. #!/bin/bash
  1272. X=3
  1273. Y=4
  1274. empty_string=""
  1275. if [ $X -lt $Y ] # is $X less than $Y ?
  1276. then
  1277. echo "\$X=${X}, which is smaller than \$Y=${Y}"
  1278. fi
  1279.  
  1280. if [ -n "$empty_string" ]; then
  1281. echo "empty string is non_empty"
  1282. fi
  1283.  
  1284. if [ -e "${HOME}/.fvwmrc" ]; then # test to see if ~/.fvwmrc exists
  1285. echo "you have a .fvwmrc file"
  1286. if [ -L "${HOME}/.fvwmrc" ]; then # is it a symlink ?
  1287. echo "it's a symbolic link"
  1288. elif [ -f "${HOME}/.fvwmrc" ]; then # is it a regular file ?
  1289. echo "it's a regular file"
  1290. fi
  1291. else
  1292. echo "you have no .fvwmrc file"
  1293. fi
  1294.  
  1295. Some pitfalls to be wary of
  1296.  
  1297. The test command needs to be in the form "operand1<space>operator<space>operand2" or operator<space>operand2 , in other words you really need these spaces, since the shell considers the first block containing no spaces to be either an operator (if it begins with a '-') or an operand (if it doesn't). So for example; this
  1298.  
  1299. if [ 1=2 ]; then
  1300. echo "hello"
  1301. fi
  1302.  
  1303. gives exactly the "wrong" output (ie it echos "hello", since it sees an operand but no operator.)
  1304. Another potential trap comes from not protecting variables in quotes. We have already given an example as to why you must wrap anything you wish to use for a -n test with quotes. However, there are a lot of good reasons for using quotes all the time, or almost all of the time. Failing to do this when you have variables expanded inside tests can result in very weird bugs. Here's an example:
  1305.  
  1306. #!/bin/bash
  1307. X="-n"
  1308. Y=""
  1309. if [ $X = $Y ] ; then
  1310. echo "X=Y"
  1311. fi
  1312.  
  1313. This will give misleading output since the shell expands our expression to
  1314. [ -n = ]
  1315. and the string "=" has non zero length.
  1316.  
  1317.  
  1318.  
  1319. A brief summary of test operators
  1320.  
  1321. Here's a quick list of test operators. It's by no means comprehensive, but its likely to be all you'll need to remember (if you need anything else, you can always check the bash manpage ... )
  1322. operator produces true if... number of operands
  1323. -n operand non zero length 1
  1324. -z operand has zero length 1
  1325. -d there exists a directory whose name is operand 1
  1326. -f there exists a file whose name is operand 1
  1327. -eq the operands are integers and they are equal 2
  1328. -ne the opposite of -eq (the original listed "-neq", which is not a valid test operator) 2
  1329. = the operands are equal (as strings) 2
  1330. != opposite of = 2
  1331. -lt operand1 is strictly less than operand2 (both operands should be integers) 2
  1332. -gt operand1 is strictly greater than operand2 (both operands should be integers) 2
  1333. -ge operand1 is greater than or equal to operand2 (both operands should be integers) 2
  1334. -le operand1 is less than or equal to operand2 (both operands should be integers) 2
  1335.  
  1336.  
  1337.  
  1338.  
  1339. Loops
  1340.  
  1341. Loops are constructions that enable one to reiterate a procedure or perform the same procedure on several different items. There are the following kinds of loops available in bash
  1342. - for loops
  1343. - while loops
  1344.  
  1345.  
  1346.  
  1347. For loops
  1348.  
  1349. The syntax for the for loops is best demonstrated by example.
  1350. #!/bin/bash
  1351. for X in red green blue
  1352. do
  1353. echo $X
  1354. done
  1355.  
  1356.  
  1357. The for loop iterates over the space-separated items. Note that if some of the items have embedded spaces, you need to protect them with quotes. Here's an example:
  1358.  
  1359. #!/bin/bash
  1360. colour1="red"
  1361. colour2="light blue"
  1362. colour3="dark green"
  1363. for X in "$colour1" "$colour2" "$colour3"
  1364. do
  1365. echo $X
  1366. done
  1367.  
  1368. Can you guess what would happen if we left out the quotes in the for statement ? This indicates that variable names should be protected with quotes unless you are pretty sure that they do not contain any spaces.
  1369. Globbing in for loops
  1370.  
  1371. The shell expands a string containing a * to all filenames that "match". A filename matches if and only if it is identical to the match string after replacing the stars * with arbitrary strings. For example, the character "*" by itself expands to a space-separated list of all files in the working directory (excluding those that start with a dot "."). So
  1372.  
  1373. echo *
  1374. lists all the files and directories in the current directory.
  1375. echo *.jpg
  1376. lists all the jpeg files.
  1377. echo ${HOME}/public_html/*.jpg
  1378. lists all jpeg files in your public_html directory.
  1379.  
  1380. As it happens, this turns out to be very useful for performing operations on the files in a directory, especially used in conjunction with a for loop. For example:
  1381.  
  1382. #!/bin/bash
  1383. for X in *.html
  1384. do
  1385. grep -L '<UL>' "$X"
  1386. done
  1387.  
  1388.  
  1389.  
  1390.  
  1391.  
  1392. While Loops
  1393.  
  1394. While loops iterate "while" a given condition is true. An example of this:
  1395.  
  1396. #!/bin/bash
  1397. X=0
  1398. while [ $X -le 20 ]
  1399. do
  1400. echo $X
  1401. X=$((X+1))
  1402. done
  1403.  
  1404. A natural question: does bash allow C-like for loops? It does -- the arithmetic form below is valid bash (the original text claimed otherwise, and its example used the wrong syntax):
  1405.  
  1406. for ((X=1; X<10; X++)); do echo $X; done
  1407. Even so, bash is an interpreted language, and a rather slow one at that, so heavy iteration is better pushed into a single awk or sed invocation or another language.
  1408.  
  1409.  
  1410.  
  1411.  
  1412. Command Substitution
  1413.  
  1414. Command Substitution is a very handy feature of the bash shell. It enables you to take the output of a command and treat it as though it was written on the command line. For example, if you want to set the variable X to the output of a command, the way you do this is via command substitution.
  1415.  
  1416. There are two forms of command substitution: the $( ) form and backtick expansion. (Do not confuse $( ) with brace expansion, which is the unrelated {a,b} syntax.)
  1417.  
  1418. The $( ) form works as follows: $(commands) expands to the output of commands. This permits nesting, so commands can themselves include $( ) substitutions.
  1419.  
  1420. Backtick expansion expands `commands` to the output of commands.
  1421.  
  1422. An example is given:
  1423.  
  1424. #!/bin/bash
  1425. files="$(ls)"
  1426. web_files=`ls public_html`
  1427. echo "$files" # we need the quotes to preserve embedded newlines in $files
  1428. echo "$web_files" # we need the quotes to preserve newlines
  1429. X=`expr 3 \* 2 + 4` # expr evaluates arithmetic expressions. man expr for details.
  1430. echo "$X"
  1431.  
  1432. The advantage of the $() substitution method is almost self evident: it is very easy to nest. It is supported by most Bourne shell variants (any POSIX shell is fine). The backtick form is supported by even the most basic shells (any #!/bin/sh version is just fine), though it is harder to nest and easy to misread.
  1433.  
  1434. Note that if strings are not quote-protected in the above echo statement, new lines are replaced by spaces in the output.
  1435.  
  1436.  
  1437.  
  1438. ##############################
  1439. # Linux For InfoSec Homework #
  1440. ##############################
  1441. In order to receive your certificate of attendance you must complete all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.
  1442.  
  1443.  
  1444. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)
  1445.  
  1446.  
  1447.  
  1448.  
  1449. ##############################
  1450. # Linux For InfoSec Challenge #
  1451. ##############################
  1452.  
  1453. In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/b5SxBRf6).
  1454.  
  1455. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)
  1456.  
  1457.  
  1458.  
  1459.  
  1460. IMPORTANT NOTE:
  1461. Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 16th at midnight EST.
  1462.  
  1463.  
  1464. #########################################################################
  1465. # What kind of Linux am I on and how can I find out? #
  1466. # Great reference: #
  1467. # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
  1468. #########################################################################
  1469. - What’s the distribution type? What version?
  1470. -------------------------------------------
  1471. cat /etc/issue
  1472. cat /etc/*-release
  1473. cat /etc/lsb-release # Debian based
  1474. cat /etc/redhat-release # Redhat based
  1475.  
  1476.  
  1477.  
  1478. - What’s the kernel version? Is it 64-bit?
  1479. -------------------------------------------
  1480. cat /proc/version
  1481. uname -a
  1482. uname -mrs
  1483. rpm -q kernel
  1484. dmesg | grep Linux
  1485. ls /boot | grep vmlinuz-
  1486.  
  1487.  
  1488.  
  1489. - What can be learnt from the environmental variables?
  1490. ----------------------------------------------------
  1491. cat /etc/profile
  1492. cat /etc/bashrc
  1493. cat ~/.bash_profile
  1494. cat ~/.bashrc
  1495. cat ~/.bash_logout
  1496. env
  1497. set
  1498.  
  1499.  
  1500. - What services are running? Which service has which user privilege?
  1501. ------------------------------------------------------------------
  1502. ps aux
  1503. ps -ef
  1504. top
  1505. cat /etc/services
  1506.  
  1507.  
  1508. - Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
  1509. ---------------------------------------------------------------------------------------------------------------
  1510. ps aux | grep root
  1511. ps -ef | grep root
  1512.  
  1513.  
  1514.  
  1515. - What applications are installed? What version are they? Are they currently running?
  1516. ------------------------------------------------------------------------------------
  1517. ls -alh /usr/bin/
  1518. ls -alh /sbin/
  1519. dpkg -l
  1520. rpm -qa
  1521. ls -alh /var/cache/apt/archives
  1522. ls -alh /var/cache/yum/
  1523.  
  1524.  
  1525. - Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
  1526. ------------------------------------------------------------------------------------
  1527. cat /etc/syslog.conf
  1528. cat /etc/chttp.conf
  1529. cat /etc/lighttpd.conf
  1530. cat /etc/cups/cupsd.conf
  1531. cat /etc/inetd.conf
  1532. cat /etc/apache2/apache2.conf
  1533. cat /etc/my.conf
  1534. cat /etc/httpd/conf/httpd.conf
  1535. cat /opt/lampp/etc/httpd.conf
  1536. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # original was missing the closing quote; this matches any entry with an r anywhere in its mode string. For world-readable entries only, use: awk '$1 ~ /^.......r/'
  1537.  
  1538.  
  1539.  
  1540. - What jobs are scheduled?
  1541. ------------------------
  1542. crontab -l
  1543. ls -alh /var/spool/cron
  1544. ls -al /etc/ | grep cron
  1545. ls -al /etc/cron*
  1546. cat /etc/cron*
  1547. cat /etc/at.allow
  1548. cat /etc/at.deny
  1549. cat /etc/cron.allow
  1550. cat /etc/cron.deny
  1551. cat /etc/crontab
  1552. cat /etc/anacrontab
  1553. cat /var/spool/cron/crontabs/root
  1554.  
  1555.  
  1556. - Any plain text usernames and/or passwords?
  1557. ------------------------------------------
  1558. grep -i user [filename]
  1559. grep -i pass [filename]
  1560. grep -C 5 "password" [filename]
  1561. find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Search for Joomla passwords (single quotes: inside double quotes the shell would expand $password, almost certainly to an empty string)
  1562.  
  1563.  
  1564. - What NIC(s) does the system have? Is it connected to another network?
  1565. ---------------------------------------------------------------------
  1566. /sbin/ifconfig -a
  1567. cat /etc/network/interfaces
  1568. cat /etc/sysconfig/network
  1569.  
  1570.  
  1571. - What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
  1572. ------------------------------------------------------------------------------------------------------------------------
  1573. cat /etc/resolv.conf
  1574. cat /etc/sysconfig/network
  1575. cat /etc/networks
  1576. iptables -L
  1577. hostname
  1578. dnsdomainname
  1579.  
  1580. - What other users & hosts are communicating with the system?
  1581. -----------------------------------------------------------
  1582. lsof -i
  1583. lsof -i :80
  1584. grep 80 /etc/services
  1585. netstat -antup
  1586. netstat -antpx
  1587. netstat -tulpn
  1588. chkconfig --list
  1589. chkconfig --list | grep 3:on
  1590. last
  1591. w
  1592.  
  1593.  
  1594.  
  1595. - Whats cached? IP and/or MAC addresses
  1596. -------------------------------------
  1597. arp -e
  1598. route
  1599. /sbin/route -nee
  1600.  
  1601.  
  1602. - Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
  1603. ------------------------------------------------------------------------------------------
  1604. id
  1605. who
  1606. w
  1607. last
  1608. cut -d: -f1 /etc/passwd # List of users (cut needs a field selector; the original omitted -f1 and errors out)
  1609. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
  1610. awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
  1611. cat /etc/sudoers
  1612. sudo -l
  1613.  
  1614.  
  1615.  
  1616. - What sensitive files can be found?
  1617. ----------------------------------
  1618. cat /etc/passwd
  1619. cat /etc/group
  1620. cat /etc/shadow
  1621. ls -alh /var/mail/
  1622.  
  1623.  
  1624.  
  1625. - Anything “interesting” in the home directorie(s)? If it’s possible to access
  1626. ----------------------------------------------------------------------------
  1627. ls -ahlR /root/
  1628. ls -ahlR /home/
  1629.  
  1630.  
  1631. - Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
  1632. ---------------------------------------------------------------------------------------------------------------------------
  1633. cat /var/apache2/config.inc
  1634. cat /var/lib/mysql/mysql/user.MYD
  1635. cat /root/anaconda-ks.cfg
  1636.  
  1637.  
  1638. - What has the user been doing? Is there any password in plain text? What have they been editing?
  1639. -----------------------------------------------------------------------------------------------
  1640. cat ~/.bash_history
  1641. cat ~/.nano_history
  1642. cat ~/.atftp_history
  1643. cat ~/.mysql_history
  1644. cat ~/.php_history
  1645.  
  1646.  
  1647.  
  1648. - What user information can be found?
  1649. -----------------------------------
  1650. cat ~/.bashrc
  1651. cat ~/.profile
  1652. cat /var/mail/root
  1653. cat /var/spool/mail/root
  1654.  
  1655.  
  1656. - Can private-key information be found?
  1657. -------------------------------------
  1658. cat ~/.ssh/authorized_keys
  1659. cat ~/.ssh/identity.pub
  1660. cat ~/.ssh/identity
  1661. cat ~/.ssh/id_rsa.pub
  1662. cat ~/.ssh/id_rsa
  1663. cat ~/.ssh/id_dsa.pub
  1664. cat ~/.ssh/id_dsa
  1665. cat /etc/ssh/ssh_config
  1666. cat /etc/ssh/sshd_config
  1667. cat /etc/ssh/ssh_host_dsa_key.pub
  1668. cat /etc/ssh/ssh_host_dsa_key
  1669. cat /etc/ssh/ssh_host_rsa_key.pub
  1670. cat /etc/ssh/ssh_host_rsa_key
  1671. cat /etc/ssh/ssh_host_key.pub
  1672. cat /etc/ssh/ssh_host_key
  1673.  
  1674.  
  1675. - Any settings/files (hidden) on website? Any settings file with database information?
  1676. ------------------------------------------------------------------------------------
  1677. ls -alhR /var/www/
  1678. ls -alhR /srv/www/htdocs/
  1679. ls -alhR /usr/local/www/apache22/data/
  1680. ls -alhR /opt/lampp/htdocs/
  1681. ls -alhR /var/www/html/
  1682.  
  1683.  
  1684. - Is there anything in the log file(s) (Could help with “Local File Includes”!)
  1685. -----------------------------------------------------------------------------
  1686. cat /etc/httpd/logs/access_log
  1687. cat /etc/httpd/logs/access.log
  1688. cat /etc/httpd/logs/error_log
  1689. cat /etc/httpd/logs/error.log
  1690. cat /var/log/apache2/access_log
  1691. cat /var/log/apache2/access.log
  1692. cat /var/log/apache2/error_log
  1693. cat /var/log/apache2/error.log
  1694. cat /var/log/apache/access_log
  1695. cat /var/log/apache/access.log
  1696. cat /var/log/auth.log
  1697. cat /var/log/chttp.log
  1698. cat /var/log/cups/error_log
  1699. cat /var/log/dpkg.log
  1700. cat /var/log/faillog
  1701. cat /var/log/httpd/access_log
  1702. cat /var/log/httpd/access.log
  1703. cat /var/log/httpd/error_log
  1704. cat /var/log/httpd/error.log
  1705. cat /var/log/lastlog
  1706. cat /var/log/lighttpd/access.log
  1707. cat /var/log/lighttpd/error.log
  1708. cat /var/log/lighttpd/lighttpd.access.log
  1709. cat /var/log/lighttpd/lighttpd.error.log
  1710. cat /var/log/messages
  1711. cat /var/log/secure
  1712. cat /var/log/syslog
  1713. cat /var/log/wtmp
  1714. cat /var/log/xferlog
  1715. cat /var/log/yum.log
  1716. cat /var/run/utmp
  1717. cat /var/webmin/miniserv.log
  1718. cat /var/www/logs/access_log
  1719. cat /var/www/logs/access.log
  1720. ls -alh /var/lib/dhcp3/
  1721. ls -alh /var/log/postgresql/
  1722. ls -alh /var/log/proftpd/
  1723. ls -alh /var/log/samba/
  1724.  
  1725. - Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp