In today's cybersecurity landscape, proficiency in penetration testing is essential for safeguarding digital assets against potential threats. Linux, renowned for its robust security features and powerful command-line interface, serves as the platform of choice for many penetration testers. In this comprehensive guide, we'll explore step-by-step how to utilize various Linux commands effectively for penetration testing purposes, ensuring you have the skills needed to fortify your organization's defenses.
1. Network Reconnaissance and Enumeration:
a. Command: nmap
Description: Nmap (Network Mapper) is a powerful open-source tool used for network exploration and security auditing.
Usage:
```
nmap -sS -A 192.168.1.0/24
```
Explanation: This command scans the specified IP range (192.168.1.0/24) using a SYN scan (-sS) and performs OS detection and version detection (-A), providing detailed information about open ports, services, and potential vulnerabilities.
Example:
```
$ nmap -sS -A 192.168.1.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2024-02-14 10:00 EST
Nmap scan report for 192.168.1.1
Host is up (0.001s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 dd:cc:bb:aa:11:22:33:44:55:66:77:88:99:aa:bb:cc (RSA)
|_  256 dd:cc:bb:aa:11:22:33:44:55:66:77:88:99:aa:bb:cc (ECDSA)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
```
b. Command: netdiscover
Description: Netdiscover is a simple yet effective network discovery tool that sends ARP requests and displays the IP and MAC addresses of devices on the local network.
Usage:
```
netdiscover -r 192.168.1.0/24
```
Explanation: By specifying an IP range, netdiscover actively probes the network, revealing connected devices and their corresponding IP and MAC addresses.
Example:
```
$ netdiscover -r 192.168.1.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts
2 Captured ARP Req/Rep packets, from 2 hosts.   Total size: 140
_____________________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.1     aa:bb:cc:dd:ee:ff      1      60  Unknown vendor
192.168.1.10    ff:ee:dd:cc:bb:aa      1      60  Unknown vendor
```
2. Vulnerability Assessment:
a. Command: nikto
Description: Nikto is a web server scanner that performs comprehensive tests against web servers for multiple items, including outdated software, misconfigurations, and known vulnerabilities.
Usage:
```
nikto -h http://192.168.1.10
```
Explanation: When executed with the target URL, Nikto scans the web server for vulnerabilities, providing detailed information on potential security risks.
Example:
```
$ nikto -h http://192.168.1.10
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.10
+ Target Hostname:    192.168.1.10
+ Target Port:        80
+ Start Time:         2024-02-14 10:10:10 (GMT)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved x-powered-by header: PHP/7.4.26
+ Uncommon header 'x-powered-by' found, with contents: PHP/7.4.26
+ Server leaks inodes via ETags, header found with file /index.html, fields: 0x5cc 0x5d56e3a8f7a40
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7983 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-02-14 10:20:20 (GMT) (601 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
b. Command: OpenVAS
Description: OpenVAS (Open Vulnerability Assessment System) is a full-featured vulnerability scanner that detects security issues in networks and applications.
Usage:
```
openvasmd --rebuild --progress
```
Explanation: This command rebuilds the OpenVAS NVT (vulnerability test) cache and reports its progress; it is part of the initial setup that configures the scanner and updates its vulnerability database.
Example:
```
$ openvasmd --rebuild --progress
Rebuilding NVT cache... done.
```
3. Exploitation and Privilege Escalation:
a. Command: Metasploit
Description: Metasploit is a widely used penetration testing framework that allows security researchers to develop, test, and execute exploit code against remote targets.
Usage:
```
msfconsole
```
Explanation: Initiates the Metasploit console, providing access to a vast repository of exploit modules and payloads for launching targeted attacks.
Example:
```
$ msfconsole
msf6 > use exploit/multi/http/joomla_comfields_sqli_rce
msf6 exploit(multi/http/joomla_comfields_sqli_rce) > set RHOSTS 192.168.1.10
msf6 exploit(multi/http/joomla_comfields_sqli_rce) > exploit
```
b. Command: Hydra
Description: Hydra is a powerful online password-cracking tool that supports numerous protocols and services, enabling penetration testers to perform brute-force attacks to gain unauthorized access.
Usage:
```
hydra -l admin -P /path/to/passwords.txt ssh://192.168.1.1
```
Explanation: By specifying the target, service, and a list of potential passwords, Hydra attempts to authenticate and gain access to the target system or service.
Example:
```
$ hydra -l admin -P /path/to/passwords.txt ssh://192.168.1.1
Hydra v9.2 (c) 2022 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-14 11:00:00
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1 login try (l:1/p:1), ~0 tries per task
[DATA] attacking ssh://192.168.1.1:22/
[STATUS] 1.00 tries/min, 1 tries in 00:01h, 16 to do in 00:16h, 1 active
[STATUS] 0.00 tries/min, 0 tries in 00:00h, 16 to do in 14:04h, 1 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-14 11:02:00
```
4. Post-Exploitation and Maintaining Access:
a. Command: ps
Description: The ps command displays information about active processes running on the system, including process IDs (PIDs) and resource usage.
Usage:
```
ps aux | grep ssh
```
Explanation: This command provides a detailed list of all running processes related to SSH, aiding in identifying potential backdoors or unauthorized SSH sessions.
Example:
```
$ ps aux | grep ssh
root      1024  0.0  0.0   4628   992 ?        Ss   11:00   0:00 /usr/sbin/sshd -D
sshd      2000  0.0  0.0   5500  2284 ?        Ss   11:02   0:00 sshd: admin [priv]
admin     2001  0.0  0.0   5500  2284 ?        S    11:02   0:00 sshd: admin@pts/0
```
b. Command: cat and grep
Description: The cat command concatenates and displays the contents of files, while grep searches for specific patterns within text.
Usage:
```
cat /var/log/auth.log | grep Accepted
```
Explanation: By piping the output of cat to grep, users can search for successful SSH logins in the system log file, indicating potential unauthorized access.
Example:
```
$ cat /var/log/auth.log | grep Accepted
Feb 14 11:02:00 ubuntu sshd[2000]: Accepted password for admin from 192.168.1.2 port 12345 ssh2
```
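Grepping for "Accepted" shows who got in, but not whether the login was preceded by a flood of failures, which is the footprint an online password-guessing run such as the Hydra example in section 3 leaves in the same log. The script below is an added example (not code from the original post) that serves both that section and this one: it summarises sshd entries from auth.log into accepted logins, sources that exceeded a failure threshold, and successful logins from those sources. The log lines are constructed for the example and follow the format shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reads the sshd lines of an
# auth.log and reports: every accepted login (user, source, method),
# sources with more failed attempts than a threshold, and accepted logins
# that came from one of those sources. Log lines below are constructed.

# Constructed auth.log excerpt in the same format as the post's example.
SAMPLE_AUTH_LOG='Feb 14 10:58:01 ubuntu sshd[1990]: Failed password for admin from 192.168.1.2 port 40001 ssh2
Feb 14 10:58:03 ubuntu sshd[1991]: Failed password for admin from 192.168.1.2 port 40002 ssh2
Feb 14 10:58:05 ubuntu sshd[1992]: Failed password for invalid user test from 192.168.1.2 port 40003 ssh2
Feb 14 10:58:07 ubuntu sshd[1993]: Failed password for admin from 192.168.1.2 port 40004 ssh2
Feb 14 10:58:09 ubuntu sshd[1994]: Failed password for root from 192.168.1.2 port 40005 ssh2
Feb 14 11:02:00 ubuntu sshd[2000]: Accepted password for admin from 192.168.1.2 port 12345 ssh2
Feb 14 11:30:00 ubuntu sshd[2100]: Accepted publickey for deploy from 192.168.1.50 port 50123 ssh2
Feb 14 11:31:00 ubuntu sshd[2101]: Failed password for deploy from 192.168.1.50 port 50124 ssh2'

# accepted_logins prints "user source method" for each successful login.
accepted_logins() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | awk '
        /sshd\[[0-9]+\]: Accepted / {
            # layout: Accepted <method> for <user> from <ip> port <n> ssh2
            for (i = 1; i <= NF; i++) if ($i == "Accepted") break
            print $(i+3), $(i+5), $(i+1)
        }'
}

# brute_force_sources prints "ip count" for sources whose failed password
# attempts exceed the threshold in $1 (default 3). The IP is taken from the
# field after "from" so "invalid user" lines, which shift fields, still count.
brute_force_sources() {
    threshold=${1:-3}
    printf '%s\n' "$SAMPLE_AUTH_LOG" | awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] > t) print ip, fails[ip] }'
}

# suspicious_logins: accepted logins whose source also exceeded the threshold,
# i.e. a guessing run that eventually succeeded.
suspicious_logins() {
    brute_force_sources "$1" | while read -r ip _; do
        accepted_logins | awk -v ip="$ip" '$2 == ip'
    done
}

suspicious_logins 3
```

On a live host replace the SAMPLE_AUTH_LOG variable with `cat /var/log/auth.log` (or `journalctl -u ssh`), and treat any line suspicious_logins prints as an incident to triage rather than a curiosity.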
Conclusion:
Mastering Linux commands for penetration testing is a journey that requires continuous learning and practice. By understanding the intricacies of these commands and their applications in various penetration testing scenarios, security professionals can effectively identify vulnerabilities, exploit weaknesses, and fortify defenses against potential threats. Armed with this knowledge, you'll be better equipped to navigate the ever-evolving landscape of cybersecurity and protect critical assets from malicious actors.