Basic commands used in BackTrack

Networking

Renew dynamic IP address:
  dhcpcd -k
  ifconfig eth0 up
  dhcpcd

Static IP address:
  ifconfig eth0 192.168.0.100/24
  route add default gw 192.168.0.1
  echo nameserver 192.168.0.1 > /etc/resolv.conf

Services

Apache server:
  apachectl start
  apachectl stop

SSH server:
  sshd-generate
  /usr/sbin/sshd
  pkill sshd
  ssh user@targetIP

TFTP server:
  atftpd --daemon --port 69 /tmp/
  pkill tftpd

VNC server:
  vncserver
  pkill Xvnc

Basics

Mount a local hard drive:
  mount /dev/hda1 /mnt/hda1
  ls -l /mnt/hda1

Mount a Windows network share:
  share <user> <targetIP> <remote share>
  share admin 10.1.1.2 c$
  (enter the password for the remote share when prompted)
  ls -l /mnt/share/
  umount /mnt/share

Edit a file:
  nano test.sh
  <ctrl> x, y, <enter> to save and exit
  chmod 755 test.sh
  ./test.sh

Compile a program:
  gcc -o newname exploit.c
  gcc -o dcom 66.c
  ./dcom

Install a new program:
  tar zxvf program.tar.gz
  cd into the new program folder
  ./configure
  make
  su root
  make install

Footprinting

Whois:
  whois target.com
  ping www.target.com
  whois targetIP

DNS:
  dig target.com any
  (record types: A, PTR, NS, SOA, SRV, MX)
  host -l target.com <name server>

Online tools:
  1. CentralOps
  2. DNSstuff
  3. ServerSniff
  4. Netcraft

Exploits
  cd /pentest/exploits/milw0rm
  cat sploitlist.txt | grep -i [exploit]

Some exploits are written for compilation under Windows, others for Linux. Identify the intended environment by inspecting the headers:
  cat exploit | grep "#include"
  Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
  Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h

Grep out the Windows headers, leaving only Linux-based exploits:
  cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u

Scanning
  scanrand -b10M targetIP:quick

nmap (common options: -sS -sT -sU -PS -PA -PN -n -A -O -sV -p -T -iL -oG):
  nmap -sS -PN -n targetIP
  nmap -sU -PN -n targetIP
  nmap -sT -PN -n targetIP -A -p <open ports> -T5 -oG scan.txt
  nmap -sS -p 135,139,445 targetIP
  nmap -sS -p T:1433,U:1434 targetIP

amap (take the results from nmap and check for services on uncommon ports):
  amap -i scan.txt

OS Fingerprinting:
  p0f -i eth0 -U -p
  (then point a browser at the targetIP)
  xprobe2 targetIP

Banner Grabbing:
  nc targetIP port
  nc 10.1.1.2 80
  telnet targetIP port
  HEAD / HTTP/1.0   (press enter twice)
  wget targetIP
  cat index.html | more

Windows Enumeration
  nmap -sS -p 139,445 targetIP
  cd /pentest/enumeration/smb-enum
  nbtscan -f targetIP
  smbgetserverinfo -i targetIP
  smbdumpusers -i targetIP
  smbclient -L //targetIP

Using Windows:
  net use \\targetIP\ipc$ "" /u:""
  net view \\targetIP

smbclient:
  smbclient -L hostName -I targetIP
  smbclient -L hostName/share -U ""
  smbclient -L hostName -I targetIP -U admin

rpcclient:
  rpcclient targetIP -U ""
  netshareenum
  enumdomusers
  lsaenumsid
  queryuser RID
  createdomuser

ARP Spoofing

ettercap:
  nano /usr/local/etc/etter.conf
  Under the Linux section, uncomment both lines under iptables.
  Sniff > Unified sniffing > Network interface: eth0 > OK
  Hosts > Scan for hosts (do this twice)
  Hosts > Hosts list
  Select the default gateway > Add to Target 1
  Select the target > Add to Target 2
  Mitm > Arp poisoning > Sniff remote connections > OK
  Start > Start sniffing

  dsniff -i eth0
  urlsnarf -i eth0
  msgsnarf -i eth0
  driftnet -i eth0

DNS spoofing:
  nano /usr/local/share/ettercap/etter.dns
  Edit the Microsoft lines (target URL) to redirect to the attacker.
  Plugins > Manage the plugins > dns_spoof
  Mitm > Arp poisoning > Sniff remote connections > OK
  Start > Start sniffing

Metasploit
  svn update

Web interface:
  ./msfweb

Console:
  ./msfconsole
  help
  show <option>
  search <name>
  use <exploit name>
  show options
  set <OPTION NAME> <option>
  show payloads
  set PAYLOAD <payload name>
  show options
  set <OPTION NAME> <option>
  show targets
  set TARGET <target number>

[...] hash.txt
Delete unneeded accounts.
  cp hash.txt /pentest/password/john-1.7.2/run/
  cd /pentest/password/john-1.7.2/run/
  ./john hash.txt

Physical Access

Mount an NTFS share in read/write mode:
  Boot your box with BackTrack.
  mount
  umount /mnt/hda1
  modprobe fuse
  ntfsmount /dev/hda1 /mnt/hda1
  mount
  ls -l /mnt/hda1

Dump the SAM file:
  bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
  samdump2 /mnt/sda1/WINDOWS/system32/config/sam
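A defender-side check added here (not part of the original cheat sheet) for the scenario in the ARP Spoofing section: after an ARP poisoning run, one MAC address typically answers for both the default gateway and the victim, so the script parses `ip neigh show` output for a MAC bound to more than one IP. The sample neighbour table, its addresses and the gateway IP are constructed assumptions.

```shell
#!/bin/sh
# Added defender-side check, not part of the original cheat sheet: report any
# MAC address that the neighbour (ARP) table binds to more than one IP. After
# an ARP poisoning run like the ettercap steps above, the attacker's MAC is
# usually cached for both the default gateway and the victim.
# Expected input format: the output of "ip neigh show",
#   "<ip> dev <iface> lladdr <mac> <state>"

# Constructed sample table (addresses are made up): 192.168.0.1 is the gateway
# and its MAC has also been cached for 192.168.0.50.
SAMPLE_NEIGH='192.168.0.1 dev eth0 lladdr 00:0c:29:aa:bb:cc REACHABLE
192.168.0.50 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.0.77 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.0.20 dev eth0 FAILED'

# Print "<mac>: <ip> <ip> ..." for every MAC bound to more than one IP.
# Usage: duplicate_macs "$(ip neigh show)"
duplicate_macs() {
    printf '%s\n' "$1" | awk '
        /lladdr/ {
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            ips[mac] = ips[mac] " " $1
            count[mac]++
        }
        END { for (m in count) if (count[m] > 1) print m ":" ips[m] }' | sort
}

# Succeed (exit 0) when the gateway's MAC also answers for another IP,
# the classic sign that the gateway entry has been poisoned.
# Usage: gateway_shared "$(ip neigh show)" 192.168.0.1
gateway_shared() {
    gwmac=$(printf '%s\n' "$1" | awk -v gw="$2" '
        $1 == gw && /lladdr/ {
            for (i = 1; i <= NF; i++) if ($i == "lladdr") print tolower($(i + 1))
        }')
    [ -n "$gwmac" ] || return 1
    duplicate_macs "$1" | grep -q "^$gwmac:"
}

if gateway_shared "$SAMPLE_NEIGH" 192.168.0.1; then
    echo "ALERT: gateway MAC is shared with another host:"
    duplicate_macs "$SAMPLE_NEIGH"
fi
```

On a live host replace `$SAMPLE_NEIGH` with `"$(ip neigh show)"` and the real gateway address; a hit warrants comparing the cached MAC against the gateway's known hardware address.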