If you can see this check that

Main Page


Initial Pen Testing

User:
Password:

Authors: Rich Macfarlane, Gordon Russell

An introduction to some Linux commands which could be useful for pentesting.

To reset all the check buttons from a previous attempt click here

Question 1: Using Locate

"locate" searches through the filesystem looking for things which match the command line. It does this very quickly using a file database. The command "updatedb" refreshes the database.

Use the locate command to find the full path name of the nmap file with "stun-version" in its title.
file location:

Tests - not attempted
Location search UNTESTED

Locate finds all filesystem locations which contains information related to the search parameter nmap. Try

locate nmap

Pipe the output into grep to filter the output from the locate cmd, and find the location of an nmap scipt relating to "smb-flood".
file location:

Tests - not attempted
smb-flood location UNTESTED

Use locate and grep to find the full pathname where the nmap executable lives. This will be a directory with "bin/" somewhere in its name.
file location:

Tests - not attempted
nmap binary location UNTESTED

Use locate and grep to find the full pathname where the locate database lives. Hint: database files usually end with ".db".
file location:

Tests - not attempted
locate db location UNTESTED

Question 2: Network commands

Make sure you are logged into your virtual machine using at least 1 ssh session.

The ss command can be used to check network connections currently running. Use the ss command and identify the remote endpoint ip number used when you ssh to a virtual machine. Grep for ssh, or use a specific flag for the ss cmd to filter for tcp connections.
Proxy IP:

Tests - not attempted
Proxy ssh IP UNTESTED

The ss command with "-a" shows all current network connections. Services which are using ports will be in the LISTEN state.

How many ports are being used by services?
Service ports used:

Tests - not attempted
Ports used UNTESTED

Use the service command to start the apache2 service.

Tests - not attempted
Start apache2 UNTESTED

Use the ss command, find out which port number apache2 is running on.

Hint. Use the man page/help of ss to check options to see the port numbers numerically, as well as to see what processes are using which entry in ss.
Service port:

Tests - not attempted
Port of apache2 UNTESTED
apache2 still running UNTESTED

Use the web browser IN YOUR VIRTUAL MACHINE, browse to 127.0.0.1, and fill in the blank below based on what you can see on the webpage displayed.

The browser can be found in the application menu. Just search for browser.

Fill in the blank:
This is the default page used to

Tests - not attempted
apache2 is running UNTESTED
apache2 seems to respond UNTESTED
blank correct UNTESTED

Use nano and edit the default webpage.

Use locate to find "index.html", and then pipe and greps to locate an instance below "/var/www".

In the appropriate index.html, change "If you can read this page" to "If you can see this page". Remember to save!

Tests - not attempted
apache2 seems to respond UNTESTED
file edited UNTESTED
apache2 is running UNTESTED

Use the service command to stop the apache2 service.

Tests - not attempted
Stop apache2 UNTESTED

Question 3: Networking

Use the "ip address" command. What is the interface which is connected to the local network? This will be the interface with relates to the 10.x.x.x network.
Device:

Tests - not attempted
Main network device UNTESTED

Again using "ip address", what is the IP number of this machine in terms of the device identified above.
IP:

Tests - not attempted
IP number UNTESTED

Question 4: Netcat

Netcat is a command for basic client/server command line configuration.

Use netcat to make a simple ASCII client request to your own SSH server port. Basic netcat configuration puts the server/host IP in parameter 1 and the service port number in parameter 2. Once connected you should see a line of text then the communication seems to hang. At that point hit CTRL-C to terminate the request.

Looking at the ASCII line you got back from your SSH server, what is the first 7 characters received?
First line:

Tests - not attempted
Network working UNTESTED
First UNTESTED

There are different versions of netcat, some with more features than others. In the next few questions I recommend using nmap netcat. This is called ncat. It has some very nice flags which make things easier.

Use ncat for a chat client. Make sure you either have two terminal sessions or two command windows in your virtual machine.

In command window 1, do

ncat -l 127.0.0.1 666
In command window 2, connect to this localhost service with netcat on port 666, and type some messages.

Now have a third command window. Use the ss command and find the established entry for this chat session. What is the local endpoint port number used at the client end of this network connection?
Client port number:

Once passed press CTRL-C in the chat session to quit.

Tests - not attempted
Client port number UNTESTED

Use

-c 'cat /etc/passwd'
at the end of the ncat command and run a listening server on port 777. Try connecting to this, but note that each time you do the end of the connection (when ended with CTRL-C) closes the server too.

Introduce the flag "-k" and restart the ncat listener. Now when you end the client with CTRL-C, you can connect again without problems.

When finished, terminate the listener with a CTRL-C in that window.

Tests - not attempted
Listener gives /etc/passwd UNTESTED
Listiner gives /etc/passwd (repeated for continuous) UNTESTED

Use your new knowledge to create a backdoor on port 789. This should be a listening port in continuous mode which runs /bin/bash when someone connects. Run this and connect to it, and try "ls"...

When finished, terminate the listener with a CTRL-C in that window.

Tests - not attempted
Listener gives a shell UNTESTED
Listener gives a shell and continuous UNTESTED

Use your new knowledge to create a server on port 790. This should be a listening port in continuous mode which runs something which tell you how many files and directories (not including hidden files) can be found in /root. When you are counting you should ignore hidden files.

When finished, terminate the listener with a CTRL-C in that window.

Tests - not attempted
Listener gives a count UNTESTED
Listener gives a count and continuous UNTESTED
Count seems right test1 UNTESTED
Count seems right test2 UNTESTED


Centos 7 intro: Paths | BasicShell | Search
Linux tutorials: intro1 intro2 wildcard permission pipe vi essential admin net SELinux1 SELinux2 fwall DNS diag Apache1 Apache2 log Mail
Caine 10.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
Caine 13.0: Essentials | Basic | Search | Acquisition | SysIntro | grep | MBR | GPT | FAT | NTFS | FRMeta | FRTools | Browser | Mock Exam |
CPD: Cygwin | Paths | Files and head/tail | Find and regex | Sort | Log Analysis
Kali: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7a | 8a | 8b | 9 | 10 |
Kali 2020-4: 1a | 1b | 1c | 2 | 3 | 4a | 4b | 5 | 6 | 7 | 8a | 8b | 9 | 10 |
Useful: Quiz | Forums | Privacy Policy | Terms and Conditions

Linuxzoo created by Gordon Russell.
@ Copyright 2004-2024 Edinburgh Napier University