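```bash
# Linux Cheat Sheet
# by Javantea
# April 13, 2016
#
# This file is a reference to copy single lines from, not a program: the first
# sections are interactive and the last one is destructive, so refuse to execute
# it as a whole (the guard works whether the file is run or sourced).
printf 'This is a cheat sheet, not a script -- run lines individually.\n' >&2
return 1 2>/dev/null || exit 1

# Who am I, where am I, what am I doing here?
id
pwd
ls -la
ls -ld .
less ~/.bash_history

# Who else is on this box? What are they doing?
w
who
ps aux
last |less

# What is this box? What is it doing?
df -h
free -m
ls -la /
ls -la /var/log
mount
uname -a
uptime
date
cat /proc/cpuinfo
lsmod
ifconfig -a
ip addr
netstat -penault # -p owning program, -e extended, -n numeric, -a all, -u/-t udp/tcp, -l listening
ss -penault      # same flags; use where net-tools (netstat) is no longer installed
dmesg |less
less /etc/passwd
less /etc/hosts
locate filename # answers from the updatedb index, so it can be stale or miss paths you cannot read

# What files do I have access to?
# stderr is merged on purpose: the "Permission denied" lines show what you cannot see.
find / -ls 2>&1 |less

# Edit a file
nano filename
vim filename
vi filename
emacs filename

# Remove a file
rm filename
shred filename # overwrites in place; gives no guarantee on journaled/CoW filesystems or SSDs (see shred(1))

# Figure out more about a binary
ldd filename # may run code from the binary's loader -- not for a binary you do not trust; objdump -p lists NEEDED libs safely
objdump -x filename
strings -a filename
objdump -d filename
file filename
exiftool filename

# What is currently using this file
lsof filename

# Use netcat to transfer a file (plaintext, unauthenticated: whoever reaches the port gets or writes the file)
nc -l -p 5555 <filename # OpenBSD nc wants "nc -l 5555" -- confirm with your variant
nc ip 5555 >filename

# Use python to serve a directory over HTTP (binds every interface; python3 accepts --bind 127.0.0.1)
python3 -m http.server
python2 -m SimpleHTTPServer

# Retrieve a file over HTTP
curl -O https://example.com/filename
wget https://example.com/filename

# Increase entropy a tiny bit. Replace cache with a bunch of junk.
sha512sum /bin/* /usr/bin/* /sbin/* /usr/lib/*

# Escalate privilege in a noisy way. Assuming you have privilege.
sudo -s
sudo /bin/bash
su

# Invalidate sudo
sudo -k

# If I'm root, what can I do to benefit this system?
# Note: if you don't know what these things do, find out before you run them.
less /var/log/messages
dd if=/dev/mem bs=1M count=1 >a.bin # This is an example of basic memory forensics. It is not meant to be perfect in any way. Kernels with STRICT_DEVMEM refuse most of /dev/mem.
ls -l /var/log/apache2/
# Encrypted backups. keyid must be set, otherwise gpg would read --output=... as the
# recipient; tar writes to stdout explicitly (f -) and the suffix matches the
# compressor (j = bzip2). The /var/ archive gets its own name: it used to be written
# to the same file as the /var/log archive, clobbering it.
: "${keyid:?set keyid to the gpg recipient key id first}"
tar cjf - /etc | gpg -e -r "$keyid" --output=etc_backup.tar.bz2.gpg
tar cjf - /var/log | gpg -e -r "$keyid" --output=var_log_backup.tar.bz2.gpg
tar cjf - /var/ | gpg -e -r "$keyid" --output=var_backup.tar.bz2.gpg
ls -la /etc/cron.*
netstat -penault
lsof
chkrootkit
less /etc/sudoers
ls -la /etc/sudoers.d/ # drop-in rules live here as well and are easy to overlook
bastille --report
sudo apt-get update # If you're on a debian derivative and you should.
sudo apt-get upgrade # update only refreshes the index; this is what applies the patches
ls -la /root/.ssh/ # Look for authorized_keys* which might allow attackers to gain access.
ls -la /home/*/.ssh/
passwd -aS # You're looking for lines with P, each of those needs to be a human being you trust.
passwd root # Assuming you are responsible for this box
tripwire --check
/usr/sbin/john --wordlist=/usr/share/dict/cracklib-small /etc/shadow
mail
du -m /home >du_home1.txt
echo '127.0.0.1 www.facebook.com' >>/etc/hosts

# If you're setting up a server, see this:
# https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04

# Encrypted Partition/File
cryptsetup luksOpen partitionName cryptoData
mount /dev/mapper/cryptoData /mnt/cryptoData

# Encrypted File setup
dd if=/dev/urandom bs=1M count=1024 of=filename
cryptsetup luksFormat filename
cryptsetup luksOpen filename cryptoData
mkfs.ext4 -L cryptoData /dev/mapper/cryptoData
sudo cryptsetup luksClose cryptoData
# Back up the whole LUKS header, not just the first 4 KiB: the key slots sit past
# that offset, and a copy without them cannot unlock the volume when restored.
cryptsetup luksHeaderBackup filename --header-backup-file filename_header_backup

# If I'm root, what are the worst things I can possibly do?
# Kept as written so you recognise them (shell history, audit logs) and see why
# the header backup and the /etc and /var archives above matter.
perl -e "fork while fork" &
:(){ :|:& };:
echo 'reisub' >/proc/sysrq-trigger
reboot
halt
kill -9 1
rm -rf /
rm -rf /var/log
rm -f /etc/hosts
rm -f /etc/shadow
dd if=/dev/urandom of=/dev/mem # Who would do such a dastardly thing?
dd if=/dev/urandom of=/dev/sda # Again, why???
dd if=/dev/zero of=/dev/sda3 bs=1024 count=4 # This is why we backup the encrypted header.
echo 'rm -r -f /usr' >/bin/earthquake && chmod 700 /bin/earthquake && at 0200 sunday /bin/earthquake
echo '<blink>viagra</blink>' > /var/www/index.html
```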