This is a work-in-progress compilation of useful commands, resources, etc. I’ve curated during my time doing various easy CTFs and online research. It is far from being either complete or correct, and serves mostly as a quick place to jot down things I’ve used during online exercises.
Using this document
This document is written using org-mode and exported to Hugo with ox-hugo.
To insert code, type: C-c C-, s
To export, type: C-c C-e H H
Useful External References
RFCs
Kali Linux Tools
Steflan Security
CTF 101
Awesome Security
https://github.com/sbilly/awesome-security
Linux Commands
netstat
Shows network connections, listening sockets, routing tables and interface statistics.
To list only the listening TCP and UDP sockets, with numeric addresses and the owning process (the process column is only complete when run as root), try:
netstat -tulpn
ss
Similar to netstat, and its modern replacement (netstat is deprecated on most distributions); it accepts the same -tulpn flags.
iptables
Used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel (ip6tables covers IPv6; on newer distributions both are a compatibility layer over nftables).
Each rule jumps to a target. The common built-in targets are ACCEPT, DROP (silently discard the packet) and RETURN (stop traversing this chain and resume at the next rule in the chain that called it).
ufw is a front end that generates iptables rules, so rules added through ufw show up when you list the iptables chains.
ufw
A friendlier front end to the Linux packet filter: it turns a simple allow/deny syntax into iptables (or nftables) rules.
ip address
Shows the addresses and state of each network interface. It is a subcommand of the larger ip command, which also handles links, routes and the neighbour (ARP) table.
To show the address info for one interface:
ip address show wlan0
grep
Print lines that match patterns.
resolvectl status
Shows the DNS servers and search domains configured per interface on systems that use systemd-resolved.
tcpdump
A command-line packet capture tool available on most Linux systems. It captures packets matching a BPF filter expression, writes them to a pcap file, and reads them back. It’s fairly complicated, so there’s a guide here if you want it.
Also, here’s a quick cheat sheet.
tcpdump -i INTERFACE -c COUNT -w FILE.pcap   # capture COUNT packets from INTERFACE into a pcap file (needs root)
tcpdump -ttnnvvS                             # -tt raw epoch timestamps, -nn no host/port name resolution, -vv very verbose, -S absolute TCP sequence numbers
Linux File Locations
DNS information
/etc/resolv.conf (on systemd-resolved systems this is usually a symlink to a stub file pointing at 127.0.0.53; resolvectl status shows the real upstream servers)
Logs
/var/log
Log filename | Contents |
---|---|
auth.log , /var/log/secure | Authentication and authorization events: logins, sudo, sshd (auth.log on Debian/Ubuntu, secure on RHEL-family systems) |
messages , syslog | General messages |
kern.log | Kernel logs |
cron.log | cron jobs |
maillog | Mail server log |
httpd/ | Apache access and error logs directory |
lighttpd/ | Lighttpd access and error logs directory |
nginx/ | Nginx access and error logs directory |
apt/ | apt-get command history |
boot.log | System boot log |
mysqld.log | MySQL database server log file |
wtmp , btmp | Login records and failed logins (binary files; read them with last and lastb). The current-session file utmp lives in /var/run rather than /var/log |
yum.log , dnf.log | yum/dnf command log file |
Installing Tools
On this system, I have installed katoolin, which allows a user to install the Kali Linux tools using their repositories.
To run katoolin, navigate to /usr/bin and run the command: sudo python2.7 katoolin. Then, add Kali repositories and update; finally, you can actually install the tools.
Reconnaissance
Wireshark
Wireshark is a packet analysis tool which can be used to capture packets, filter them, and analyze them. (tcpdump, covered in the Linux Commands section above, does the capture side from the command line; a file written with tcpdump -w opens directly in Wireshark.)
Filtering with Wireshark
More information can be found at the Wireshark filtering page, but here are the basics.
Operator | Symbol |
---|---|
and | && |
or | \|\| |
equals | eq, == |
not equal | neq, != |
greater than | gt, > |
less than | lt, < |
Filter | Syntax |
---|---|
IP Address | ip.addr |
IP Source | ip.src |
IP Destination | ip.dst |
TCP port / protocol | tcp.port == N, or just the protocol name (tcp, http, ssh) |
UDP port / protocol | udp.port == N, or just the protocol name (udp, dns) |
Address Resolution Protocol
An overview of ARP can be found at: https://www.rfc-editor.org/rfc/rfc826
ICMP
An overview of ICMP can be found at: https://www.rfc-editor.org/rfc/rfc792
ICMP type 8 is an echo request and type 0 is an echo reply (the RFC lists the rest of the type/code space). Echo traffic that uses other types or codes, carries unexpected payloads, or consists of many requests with no replies is a good sign of suspicious activity on the network, such as a ping sweep or data tunnelled over ICMP.
TCP
An overview of TCP can be found at: https://www.rfc-editor.org/rfc/rfc793
TCP can be quite challenging to analyze. There are other tools, like RSA NetWitness and NetworkMiner, which make it slightly easier to analyze.
A TCP connection starts with the three-way handshake: a [SYN], a [SYN, ACK] and then an [ACK]. When the handshake doesn’t follow that order, for example the server answers the SYN with a [RST, ACK] instead of a [SYN, ACK], something is wrong: the port is closed or the connection was refused, which is exactly what a SYN scan against a closed port produces.
A SYN sent to a closed port is answered with a [RST, ACK] whose raw sequence number is 0 and whose acknowledgement number is the probe’s sequence number plus one (RFC 793). Wireshark displays relative sequence numbers by default, so compare the raw values when checking this.
Nmap
Nmap is a network scanning tool which can be used to identify open ports, services operating on those ports, and live hosts on a given network.
Its documentation is available here.
Stealthily mapping out a network
Useful reference available here.
Determining which ports are open
When conducting a port scan, Nmap considers the following six states:
- Open: a service is listening on the specified port.
- Closed: no service is listening on the specified port, but the port is accessible.
- Filtered: Nmap isn’t sure if the port is open or closed because the port isn’t accessible (packets can’t get to the port, or they can’t get back; usually firewall filtering)
- Unfiltered: the port is accessible, but Nmap can’t tell whether it is open or closed. Only the ACK scan (-sA) reports this state; it is used to map firewall rules rather than services.
- Open | Filtered: Nmap can’t figure out if the port is open or filtered. Typical for UDP, FIN, NULL and Xmas scans, where no response can mean either.
- Closed | Filtered: Nmap can’t figure out if the port is closed or filtered. Only the idle scan reports this.
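The TCP section above and the state list here both come down to the same question: what did the target send back to one SYN? The following added example (mine, not part of the original notes) turns constructed in-memory packet records into nmap’s port states and walks a captured handshake to spot the out-of-order/RST cases. Flag values are the standard TCP bits; no real capture is read.

```python
# Added example: classify the reply to a SYN probe the way nmap -sS does, and
# check a three-way handshake for the RST / out-of-order cases discussed above.
# All packets are constructed records, not parsed from a real capture.
from dataclasses import dataclass
from typing import List, Optional, Union

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Tcp:
    src_port: int
    dst_port: int
    flags: int
    seq: int
    ack: int


@dataclass
class Icmp:
    type: int
    code: int


# ICMP destination-unreachable codes that nmap maps to "filtered" for a SYN probe
# (net/host/proto/port unreachable and the admin-prohibited variants).
_FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}


def classify_syn_probe(probe: Tcp, reply: Optional[Union[Tcp, Icmp]]) -> str:
    """Return nmap's port state for one SYN probe and its (possibly missing) reply."""
    if reply is None:
        return "filtered"                        # probe or reply dropped, usually by a firewall
    if isinstance(reply, Icmp):
        if reply.type == 3 and reply.code in _FILTERED_UNREACH_CODES:
            return "filtered"
        return "unknown"
    if reply.src_port != probe.dst_port or reply.dst_port != probe.src_port:
        raise ValueError("reply does not match the probe's port pair")
    expected_ack = (probe.seq + 1) & 0xFFFFFFFF
    if reply.flags & SYN and reply.flags & ACK:
        # A genuine SYN/ACK acknowledges our ISN + 1; anything else is stale or spoofed.
        return "open" if reply.ack == expected_ack else "suspicious"
    if reply.flags & RST:
        # RFC 793: the RST answering a SYN carries SEQ=0 and ACK=our ISN + 1.
        return "closed"
    return "unknown"


def check_handshake(segments: List[Tcp], client_port: int) -> str:
    """Walk SYN, SYN/ACK, ACK and report whether the handshake completed cleanly."""
    if not segments:
        return "incomplete"
    first = segments[0]
    if first.src_port != client_port or (first.flags & (SYN | ACK)) != SYN:
        return "no-syn"
    if len(segments) < 2:
        return "incomplete"
    second = segments[1]
    if second.flags & RST:
        return "refused"                         # closed port: RST where a SYN/ACK belongs
    if (second.flags & (SYN | ACK)) != (SYN | ACK) or second.ack != (first.seq + 1) & 0xFFFFFFFF:
        return "bad-syn-ack"
    if len(segments) < 3:
        return "incomplete"
    third = segments[2]
    if (third.flags & ACK) and not (third.flags & SYN) and third.ack == (second.seq + 1) & 0xFFFFFFFF:
        return "complete"
    return "bad-ack"


if __name__ == "__main__":
    probe = Tcp(40000, 22, SYN, 1000, 0)
    print("open   :", classify_syn_probe(probe, Tcp(22, 40000, SYN | ACK, 5000, 1001)))
    print("closed :", classify_syn_probe(probe, Tcp(22, 40000, RST | ACK, 0, 1001)))
    print("silent :", classify_syn_probe(probe, None))
    print("icmp   :", classify_syn_probe(probe, Icmp(3, 13)))
```

The "suspicious" branch is the one worth keeping in mind during analysis: a SYN/ACK that does not acknowledge the probe’s own sequence number plus one was not produced by the stack you probed.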
sudo nmap -v TARGET_IP -Pn   # -Pn skips host discovery: scan even if the host does not answer pings
TCP Connect Scan
nmap -sT MACHINE_IP -v   # verbose; full connect() handshake, works without root but is logged by the target service
TCP SYN Scan
sudo nmap -sS MACHINE_IP -v   # half-open scan: never completes the handshake; needs root for raw sockets
UDP Scan
sudo nmap -sU MACHINE_IP -v   # slow: closed UDP ports answer with ICMP unreachable, open ones usually stay silent
Determining services with XML output
sudo nmap -v -sV -p DESIRED_PORTS -oX OUTPUT_NAME.xml TARGET_IP   # -sV probes each open port for service/version; -oX writes XML for other tools to read
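The XML written by -oX is what other tools (searchsploit --nmap, for one) consume. This added example, which is mine and not from the original notes, pulls the open ports and their service strings out of it with the standard library. The XML below is constructed for the example and trimmed to the elements the parser needs; a real file carries many more attributes, and the version strings are sample data rather than results from any host.

```python
# Added example: extract open ports and -sV service strings from nmap -oX output.
# SAMPLE_NMAP_XML is constructed for this example (real files are much larger).
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.0.0.7">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8" method="probed"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18" method="probed"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https" method="table"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_services(xml_text: str) -> List[Dict[str, str]]:
    """One record per port whose state is exactly 'open' (so open|filtered is left out)."""
    root = ET.fromstring(xml_text)
    results: List[Dict[str, str]] = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue                          # e.g. a host entry without an IPv4 address
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")        # present even without -sV (method="table")
            results.append({
                "host": addr_el.get("addr", ""),
                "proto": port.get("protocol", ""),
                "port": port.get("portid", ""),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return results


def searchsploit_terms(records: List[Dict[str, str]]) -> List[str]:
    """Build "product version" strings worth searching; ports with no -sV match are skipped.

    Only the first token of the version is kept (e.g. "7.2p2" from "7.2p2 Ubuntu 4ubuntu2.8"),
    since distribution suffixes rarely appear in exploit titles.
    """
    terms: List[str] = []
    for r in records:
        if not r["product"]:
            continue
        term = r["product"] + (" " + r["version"].split()[0] if r["version"] else "")
        if term not in terms:
            terms.append(term)
    return terms


if __name__ == "__main__":
    recs = open_services(SAMPLE_NMAP_XML)
    for r in recs:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} {r['product']} {r['version']}".rstrip())
    print("search terms:", searchsploit_terms(recs))
```

For a real scan, read the file with open("OUTPUT_NAME.xml").read() in place of the sample string; the parser ignores everything it does not know about.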
ARP Scan
arp-scan is a Kali Linux tool which can
Its documentation is available here.
Network Mapping
You can map a single host, a subnet, or a range of hosts, as specified in the documentation.
sudo arp-scan XX.XX.XX.XX/SN   # sends raw ARP frames, so it needs root; only works on the local layer-2 segment
You can randomize the order in which hosts are scanned with the flag -R or --random.
System Fingerprinting
Gobuster
Gobuster is a tool written in Go that brute-forces URIs (directories and files), DNS subdomains, virtual host names and open Amazon S3 buckets. It takes a wordlist (on this computer under /usr/share/wordlists/) and requests each entry against the target, reporting the ones that exist.
Its documentation is available here.
Directory busting on a website
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt   # -u takes a full URL, including the scheme
Exploitation
Remote shell with netcat
Creating a listener
nc -vnlp 9991 # 9991 is the port in the PHP reverse shell code
Stabilizing the shell
If the host has Python installed, it is possible to “stabilize the shell” (get a proper pseudo-terminal, so that su, ssh, editors and other interactive programs work) with one of these one-liners (substitute python3 where plain python is not on the path):
python -c 'import pty; pty.spawn("/bin/bash")'   # spawns bash on a new pty: the usual fix
python -c 'import os; os.system("/bin/bash")'    # fallback: runs bash, but without allocating a pty
John the Ripper
John the Ripper is a password-cracking tool.
Going from an RSA private key to John the Ripper
/usr/share/john/ssh2john.py rsa_private_key > john_formatted_hash   # usual Kali location; it converts the key's passphrase protection into a hash john can attack
Cracking a hash with John the Ripper
john --wordlist=wordlist hash_to_crack   # the hash file is the positional argument; the wordlist goes in --wordlist
Example wordlist: /usr/share/wordlists/rockyou.txt
THC Hydra
Hydra is an online password-guessing tool: rather than cracking hashes offline like John, it tries username/password combinations directly against a network service on a remote system, so it is noisy and shows up in the target’s logs.
Cracking Example
hydra -l username -P wordlist.txt server service
server is the hostname or IP address of the target server; service is the service running on that server which you want to attack (for example ssh or ftp).
A detailed walk-through is available here: https://tryhackme.com/room/hydra
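The defender’s view of a Hydra run against sshd is a burst of “Failed password” lines in auth.log (the authentication log from the Linux File Locations table above; /var/log/secure on RHEL-family systems). This added example, mine rather than the notes’ own, parses those lines, groups failures by source address and flags any source that fails more than a threshold number of times inside one time window. The log lines are constructed for the example; the line format is the stock sshd/syslog one.

```python
# Added example: detect SSH password guessing in auth.log-style lines.
# SAMPLE_AUTH_LOG is constructed for this example; the format matches sshd via syslog.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 ctfbox sshd[1201]: Accepted publickey for alice from 10.0.0.2 port 50012 ssh2
Mar 10 12:00:03 ctfbox sshd[1210]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Mar 10 12:00:04 ctfbox sshd[1211]: Failed password for invalid user admin from 10.0.0.9 port 40002 ssh2
Mar 10 12:00:04 ctfbox sshd[1212]: Failed password for root from 10.0.0.9 port 40003 ssh2
Mar 10 12:00:05 ctfbox sshd[1213]: Failed password for root from 10.0.0.9 port 40004 ssh2
Mar 10 12:00:06 ctfbox sshd[1214]: Failed password for root from 10.0.0.9 port 40005 ssh2
Mar 10 12:00:07 ctfbox sshd[1215]: Failed password for root from 10.0.0.9 port 40006 ssh2
Mar 10 12:07:41 ctfbox sshd[1302]: Failed password for bob from 10.0.0.3 port 51122 ssh2
Mar 10 12:07:49 ctfbox sshd[1303]: Accepted password for bob from 10.0.0.3 port 51122 ssh2
"""


def parse_failures(log_text: str, year: int = 2024) -> Dict[str, List[Tuple[datetime, str]]]:
    """Map source IP -> [(timestamp, username)] for every failed password attempt."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                                   # accepted logins, other daemons, noise
        # syslog timestamps carry no year; supply one so deltas between lines work.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["ip"]].append((ts, m["user"]))
    return dict(failures)


def bruteforce_sources(log_text: str, threshold: int = 5,
                       window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, int, List[str]]]:
    """Return (ip, total_failures, usernames_tried) for sources with >= threshold failures in one window."""
    flagged: List[Tuple[str, int, List[str]]] = []
    for ip, attempts in parse_failures(log_text).items():
        times = sorted(t for t, _ in attempts)
        # slide a window of `threshold` consecutive attempts; any span within `window` is a burst
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            flagged.append((ip, len(attempts), sorted({u for _, u in attempts})))
    return flagged


if __name__ == "__main__":
    for ip, count, users in bruteforce_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {count} failures, users tried: {', '.join(users)}")
```

A single mistyped password from bob does not trip the threshold; six failures in four seconds from one address, cycling through admin and root, does. Feed it a real file with open("/var/log/auth.log").read() and pass the right year for the log.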
Privilege Escalation
GTFOBins
A curated list of Unix binaries that can be used to bypass local security restrictions on misconfigured systems.
Typically, the steps to privilege escalation are:
- Determine which programs the current user can run as root, and which files carry the SUID/SGID bit.
- Look each of those binaries up on GTFOBins, which lists the exact invocation that turns that permission into a shell, a file read, or a file write.
Determining which programs the current user can run as root
sudo -l
Searching for files with SUID permission
SUID
Allows anyone who can execute the file to run it with the effective user ID of the file’s owner, so a setuid-root binary runs as root.
find / -type f -user root -perm -4000 2>/dev/null   # search from /, not the current directory; 2>/dev/null hides permission-denied noise
SGID
Allows anyone who can execute the file to run it with the effective group ID of the file’s group (on a directory, new files inherit that group instead).
find / -type f -perm -2000 2>/dev/null   # filter with -group rather than -user if a specific group is what matters
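The two find commands print everything with the bit set, including the dozen binaries that are setuid on any Linux box. This added example (mine, not part of the original notes) does the same walk in Python and subtracts a baseline of binaries that are normally setuid, so what remains is the list to take to GTFOBins. The baseline is an illustrative starting set for Debian/Ubuntu-style systems, not a complete one.

```python
# Added example: find setuid/setgid files and report the ones outside a baseline.
# BASELINE_SETUID is an illustrative set of normally-setuid binaries, not a complete list.
import os
import stat
from typing import Iterator, List, Optional, Set, Tuple

BASELINE_SETUID: Set[str] = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/pkexec",
}


def iter_special_files(root: str, owner_uid: Optional[int] = None) -> Iterator[Tuple[str, int, int, int]]:
    """Yield (path, mode, uid, gid) for regular files under root with the setuid or setgid bit set.

    Mirrors `find ROOT -type f -perm -4000 -o -perm -2000`; directories that cannot be read
    are skipped rather than aborting the walk, like 2>/dev/null on the find command.
    """
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks, sockets etc.: the bits only matter on real files
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            yield path, st.st_mode, st.st_uid, st.st_gid


def unusual_setuid(root: str, baseline: Set[str] = BASELINE_SETUID,
                   owner_uid: Optional[int] = 0) -> List[str]:
    """Setuid/setgid files under root (owned by owner_uid, root by default) that are not in the baseline."""
    return sorted(
        path for path, _mode, _uid, _gid in iter_special_files(root, owner_uid)
        if os.path.realpath(path) not in baseline
    )


def describe(path: str, mode: int, uid: int, gid: int) -> str:
    """Render one finding like `ls -l` would, flagging which bit is set."""
    bits = ("s" if mode & stat.S_ISUID else "-") + ("g" if mode & stat.S_ISGID else "-")
    return f"{bits} {oct(stat.S_IMODE(mode))} uid={uid} gid={gid} {path}"


if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for p, m, u, g in iter_special_files(start, owner_uid=0):
        note = "" if os.path.realpath(p) in BASELINE_SETUID else "   <-- look this up on GTFOBins"
        print(describe(p, m, u, g) + note)
```

Run it as the low-privileged user you landed as; anything it cannot read is skipped, which is the same blind spot the find command has.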
Exploit Databases
Searchsploit
searchsploit is a command-line tool for searching Exploit-DB. It works from a local copy of the exploit archive on the user’s machine, so searches (and copying out an exploit) work without network access.
Running from nmap output
searchsploit --nmap OUTPUT_NAME.xml   # reads the XML written by nmap -oX and searches on each detected service/version
Getting more specific info about an exploit
Metasploit
Reverse Engineering
Useful Links
CTF 101 provides a helpful overview, as well as more specific guides about how to reverse engineer. Godbolt explains how different compilers will compile the same code.