Linux Command Lore

Obtain General Information with *nix

Get information on mounted volumes

lsblk

The lsblk command lists block devices. It reads the udev database and the sysfs file system to print a report on all available (or the specified) block devices. A block device abstracts the hardware characteristics of the underlying physical device and lets you interact with it through a buffered interface.

lsblk

fdisk

fdisk is mostly used to manipulate the partition table, but it can also list information on all partitions:

fdisk -l

SuSe Linux | Find SuSe Version

How do I find out the OpenSUSE/SuSE Linux version from the command line interface?

cat /etc/SuSE-release # or cat /etc/issue

Result:

# /etc/issue
Welcome to SUSE Linux Enterprise Server for SAP Applications 13 SP1  (x86_64) - Kernel.

# or /etc/SuSE-release
SUSE Linux Enterprise Server 12 (x86_64)
VERSION = 12
PATCHLEVEL = 1
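As an added example (not part of the original notes), a small POSIX sh function that turns a SuSE-release style file into a single "version SPpatchlevel" string, so scripts that need to branch on the service pack do not have to grep the file by hand. The function name suse_version is mine; it assumes the VERSION / PATCHLEVEL layout shown above and fails cleanly when the file is missing or has a different layout.

```shell
#!/bin/sh
# Turn a SuSE-release style file into "<version> SP<patchlevel>".
# Usage: suse_version [path]   (path defaults to /etc/SuSE-release)
suse_version() {
  file=${1:-/etc/SuSE-release}
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  # Fields are "KEY = VALUE"; the banner line has no "=" and is ignored.
  awk -F' *= *' '
    $1 == "VERSION"    { v = $2 }
    $1 == "PATCHLEVEL" { p = $2 }
    END {
      if (v == "") exit 1              # not a SuSE-release style file
      printf "%s SP%s\n", v, (p == "" ? "0" : p)
    }' "$file"
}

# Constructed sample file matching the layout above (not read from a real host).
sample=$(mktemp)
printf '%s\n' 'SUSE Linux Enterprise Server 12 (x86_64)' 'VERSION = 12' 'PATCHLEVEL = 1' > "$sample"
suse_version "$sample"    # 12 SP1
rm -f "$sample"
```

Newer SUSE releases ship /etc/os-release instead; the function returns 1 for that layout rather than guessing, so callers can fall back explicitly.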

General OS Checks for Linux Systems

Packages

List installed packages

RPM Platforms (Redhat, CentOS, SuSe, Fedora, ArchLinux, Scientific Linux, etc.)

If you are on a RPM-based Linux platform, here are two ways to determine the list of packages installed.

# Using yum
yum list installed
# Using rpm
rpm -qa

List the files a particular package installed and the local paths they were put under (dpkg-based systems such as Debian/Ubuntu)

dpkg -L <package-name>

Standard Commandline Operations

Compression (zip) / Decompression (unzip)

Unzip a file

# Extract the contents of a file to current directory:
unzip compressed.zip

# To change the extraction target directory:
unzip compressed.zip -d /some/target/dir

# To preview contents of zip file:
unzip -l compressed.zip

# Only unzip specific files, add them at the end:
unzip compressed.zip file1 subdirectory/file2

# The inverse of the above command. Unzip every file EXCEPT the ones specified after the -x modifier:
unzip compressed.zip -x file1 subdirectory/file2

# Unzipping a password-protected file (-P passes the password; lowercase -p means "extract to stdout"):
unzip -P mypass compressed.zip
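A check worth running before extracting an archive you did not create: an added example (not from the original notes) that reads the text of "unzip -l" on stdin and flags members whose names would land outside the target directory, i.e. absolute names or names with a ".." component. The function name unsafe_zip_entries and the sample listing are mine; the parser assumes the Info-ZIP "Length Date Time Name" column layout that unzip -l prints.

```shell
#!/bin/sh
# Flag archive members that would escape the extraction directory: absolute
# names or names containing a ".." path component. Reads "unzip -l" output on
# stdin, prints each unsafe member name, and exits 1 if any were found.
# Usage: unzip -l compressed.zip | unsafe_zip_entries || echo "refusing to extract"
unsafe_zip_entries() {
  awk '
    # Member lines look like "<length>  <date> <time>   <name>"; the header,
    # the dashed rules and the totals line do not match this shape.
    match($0, /^ *[0-9]+ +[0-9-]+ +[0-9:]+ +/) {
      name = substr($0, RLENGTH + 1)
      if (name ~ /^\// || name ~ /(^|\/)\.\.(\/|$)/) { print name; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed listing in "unzip -l" layout (not produced from a real archive).
listing='Archive:  compressed.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       12  2024-01-01 00:00   file1
        0  2024-01-01 00:00   subdirectory/
        7  2024-01-01 00:00   subdirectory/file2
        5  2024-01-01 00:00   ../outside.txt
        5  2024-01-01 00:00   /tmp/absolute.txt
---------                     -------
       29                     5 files'
printf '%s\n' "$listing" | unsafe_zip_entries || echo "refusing to extract"
```

A name like "a..b" is not flagged, because only a full ".." path component can climb out of the target directory; "subdirectory/" and other relative names pass through silently.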

RSA Crypto Operations

Generate a local key and copy public key to target host

# First generate a key (press Enter at every prompt for a quick key with no passphrase)
ssh-keygen -t rsa
# Copy the public key to a target host. The -o flag skips the host fingerprint trust check,
# i.e. the host key is accepted without verification on this first connection.
ssh-copy-id -o StrictHostKeyChecking=no -i /path/to/.ssh/id_rsa user@host_name

VIM

Set VIM in nocompatible mode

To avoid stray characters like "^M" when copy-pasting, run vim without any configuration:

vim -u NONE

Alternatively, use paste mode: issue :set paste before pasting and :set nopaste when you are finished.

Network Discovery

TCPDump

Breaking down the Tcpdump Command Line

Some common command-line parameters, taking this command as the example:

sudo tcpdump -i eth0 -nn -s0 -v port 80

Explanation:

-i: Select the interface the capture takes place on. This is often an Ethernet card or wireless adapter, but it could also be a VLAN or something more unusual. Not always required if there is only one network adapter.
-nn: A single n will not resolve hostnames. A double nn will not resolve hostnames or ports. This is handy not only for viewing the raw IP addresses / port numbers but also when capturing a large amount of data, as name resolution slows down the capture.
-s0: Snap length (snaplen) is the number of bytes captured from each packet. -s0 sets it to unlimited; use this if you want whole packets. Needed if you want to pull binaries / files out of network traffic.
-v: Verbose. Using -v or -vv increases the amount of detail shown in the output, often showing more protocol-specific information.

You can capture traffic coming from or going to different ports and hosts but TCPDUMP’s real power comes in the combination of different conditions. There are three logical operators to help you assemble the right combination of filters:

AND: use and or &&
OR: use or or ||
NEGATION: use not or !

Display ASCII text

Adding -A to the command line makes the output include the ASCII strings from the capture. This allows easy reading and the ability to parse the output using grep or other commands.

sudo tcpdump -A -s0 port 80

Get Packet Contents with Hex Output

Hex output is useful when you want to see the content of the packets displayed in both hex and ASCII.

tcpdump -c 1 -X icmp

Output:

0x0670:  ecee 007c 88db 7ac7 5003 4454 2617 9f00  ...|..z.P.DT&...
0x0680:  6bb6 4393 f320 eba9 4f15 ada7 7ef0 1f48  k.C.....O...~..H
0x0690:  9715 8193 4c08 c125 f266 a8d8 9283 de1c  ....L..%.f......
0x06a0:  f004 3594 3728 a7ca 0000 0170 f8b4 31aa  ..5.7(.....p..1.
0x06b0:  e70c 8507 b1aa fad3 eb27 fd8b 30e0 a3ba  .........'..0...
0x06c0:  7f8e e45c 4515 f33c 1c2a 25cb 6ed5 ef50  ...\E..<.*%.n..P
0x0750:  eaf3 8699 abc5 fcbc 1b4e ce6b 45c6 6d24  .........N.kE.m$
0x0760:  be68 76ac 6805 7c14 5cbf 8360 9118 c7b6  .hv.h.|.\..`....
0x0770:  b70e 0c30 5f31 e66f 839f 24ef 3bc4 93ff  ...0_1.o..$.;...
0x0780:  a89f 5290 fb5b b54f 9b3e f8c0 1053 0599  ..R..[.O.>...S..
0x0790:  9fb5 064a 1e46 ee6a 0ed2 7970 7c4e 1399  ...J.F.j..yp|N..
0x07a0:  9f2f c29b 0043 40a5 45d0 8b0b d116 7355  ./...C@.E.....sU
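An added example (not part of the original notes): a POSIX sh function that recomputes the ASCII column of a tcpdump -X line from its hex groups, using the same rule tcpdump applies (bytes 0x20 to 0x7e are shown as-is, everything else as "."). It is handy for checking that a dump pasted into a report or ticket was not altered by copy-paste, a web extractor or an e-mail address obfuscator, since the hex column is the authoritative copy of the bytes. The function names ascii_column and check_dump_line and the deliberately mangled sample line are mine; the first sample line is the 0x0670 line from the dump above.

```shell
#!/bin/sh
# Recompute the ASCII column of a "tcpdump -X" line from its hex column.
# Usage: ascii_column '0x0670:  ecee 007c 88db 7ac7 5003 4454 2617 9f00  ...|..z.P.DT&...'
ascii_column() {
  printf '%s\n' "$1" | awk '
    BEGIN { digits = "0123456789abcdef" }
    {
      # Columns are separated by two spaces: offset, hex groups, ASCII rendering.
      split($0, part, "  ")
      hex = tolower(part[2]); gsub(/ /, "", hex)
      out = ""
      for (i = 1; i < length(hex); i += 2) {
        hi = index(digits, substr(hex, i, 1)) - 1
        lo = index(digits, substr(hex, i + 1, 1)) - 1
        v = hi * 16 + lo
        # tcpdump prints printable ASCII (0x20-0x7e) as-is and everything else as "."
        out = out ((v >= 32 && v <= 126) ? sprintf("%c", v) : ".")
      }
      print out
    }'
}

# Compare the ASCII column as printed with the one recomputed from the hex.
# Prints "ok" when they agree; otherwise prints both and returns 1.
# (Assumes the ASCII column itself never contains two consecutive spaces.)
check_dump_line() {
  given=${1##*  }                      # text after the last double space
  expected=$(ascii_column "$1")
  if [ "$given" = "$expected" ]; then
    echo "ok"
  else
    echo "mismatch: printed '$given', hex decodes to '$expected'"
    return 1
  fi
}

# The 0x0670 line from the dump in these notes: hex and ASCII agree.
check_dump_line '0x0670:  ecee 007c 88db 7ac7 5003 4454 2617 9f00  ...|..z.P.DT&...'
# Constructed line whose ASCII column was altered after capture: the hex exposes it.
check_dump_line '0x0000:  4142 4344 2e45 4647  ABCD.EFX' || true
```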

Capture on specific Protocol

Filter on UDP traffic. Another way to specify this is by IP protocol number: 17 is UDP. These two commands produce the same result. The equivalent of the tcp filter is protocol 6.

sudo tcpdump -i eth0 udp
sudo tcpdump -i eth0 proto 17

Capture Hosts based on IP address

Using the host filter will capture traffic going to (destination) or from (source) a specific IP address.

sudo tcpdump -i eth0 host 10.30.1.10

Alternatively, capture only packets going one way using src or dst.

sudo tcpdump -i eth0 dst 10.30.1.10
sudo tcpdump src 192.168.1.10

Capture traffic from a specific port

tcpdump src port 445

You can also capture traffic coming from a range of ports:

tcpdump portrange 21-23

Write to a capture file

Writing a standard pcap file is a common command option. Writing a capture file to disk allows the file to be opened in Wireshark or other packet analysis tools.

sudo tcpdump -i eth0 -s0 -w test.pcap