Notice the pipe operator | is placed between the commands in the order the data should travel.
Notice how useful grep and pipes are? You can get the same data from:
$ lsof -i
Heads and Tails
$ head [file]
$ tail [file]
These two commands allow us to view the first (head) and last (tail) ten lines of the specified file(s).
Here, we took the sqlmap.conf file and printed out its first and last ten lines. Often, when you've rooted a box, you already know the layout of certain log files and configs, so it is much faster to read just the part you need with these commands than to open the whole file in vim. Both commands default to ten lines; pass -n to change the count (for example head -n 20 or tail -n 50), and tail -f keeps printing a log file as it grows.
This is useful if you need to view the contents of a small file quickly on the screen.
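As an added example (not code from the original article), the helpers below build a constructed 25-line config-style file and use head, tail and a tail|head pipe to read only the region of it you care about, which is the situation described above where you already know where in a config the interesting stanza sits. The file contents, the function names and the line numbers are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: a constructed 25-line
# config-style file and helpers that use head, tail and a tail|head pipe to
# read just the part of it you care about.

# make_sample FILE: write a constructed config with 25 numbered "key = value" lines.
make_sample() {
  awk 'BEGIN { for (i = 1; i <= 25; i++) printf "option%02d = value%02d\n", i, i }' > "$1"
}

# first_lines FILE [N]: the first N lines (head's default is 10, as the text says).
first_lines() {
  head -n "${2:-10}" "$1"
}

# last_lines FILE [N]: the last N lines (tail's default is also 10).
last_lines() {
  tail -n "${2:-10}" "$1"
}

# line_range FILE START END: lines START..END inclusive, for when you know exactly
# where in a config the interesting stanza sits. tail -n +START starts output at
# line START; head then stops after END-START+1 lines, so the rest is never read.
line_range() {
  tail -n "+$2" "$1" | head -n "$(( $3 - $2 + 1 ))"
}

# peek FILE: the head-then-tail view used in the text, with a marker between them.
peek() {
  first_lines "$1"
  echo '[...]'
  last_lines "$1"
}

sample=$(mktemp)
make_sample "$sample"
peek "$sample"
echo '--- lines 11 to 13 ---'
line_range "$sample" 11 13
rm -f "$sample"
```

The tail -n +N form is the one to remember: combined with head it gives you an arbitrary line window without loading the file into an editor, which matters when the box is slow or you want to leave as little trace as possible.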
Top
$ top
top displays the running processes along with uptime, load average and memory use, refreshing the view every few seconds. It's useful for seeing what's running when you're performing recon on a server.
While top is running, you can press the h key to bring up a help screen listing its commands. Some of the more useful ones are:
u [username]  Display only the processes belonging to that user. Enter + or leave the prompt blank to show all users again.
k [pid]  Kill the process with that pid; top prompts for the pid and then for the signal to send (SIGTERM by default).
For a non-interactive snapshot you can pipe through grep, run top -b -n 1, which prints one iteration and exits.

Let's take an example from the 2009 Astalavista hack by AntiSec. After exploiting the site's LiteSpeed HTTP daemon to get a shell as the Apache account, they used a local privilege escalation exploit to gain root. That is pretty much the end of the machine. Once someone has escalated their privileges to root, they own the box: they can install rootkits, keyloggers and bots, deface the website, and so on.
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;

Basically, they did the following:
1. Deleted the local website, scripts and pages.
2. Deleted the temp, test and log directories.
3. Deleted the user home folders.
4. Connected to the FTP backup site and deleted the backups.
5. Connected to the database server and dropped every website database.

Note the error on /var/log: rm -rf could not fully clear the proftpd log directory, so the log wipe was incomplete. Partial wipes like this are exactly what an investigator looks for afterwards.
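The five-step summary above can be read straight off a transcript by tagging each command according to what it destroys. The script below is an added example, not part of the original article or of the AntiSec log: it takes a transcript constructed from the quoted session (prompts and commands kept, the [snip] and most server chatter dropped), recognises the shell, ftp and mysql prompts, and classifies recursive deletes, FTP deletes and DROP DATABASE statements. The tag names and the helper functions are my own.

```shell
#!/bin/sh
# Added example, not part of the original article or the AntiSec log: tag every
# command in a captured attacker session by what it destroys. The transcript
# below is constructed from the quoted Astalavista log; prompts and commands
# are kept, the "[snip]" and most server chatter are dropped.

# session: emit the constructed transcript.
session() {
  cat <<'EOF'
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database ideapool;
EOF
}

# triage_session: read a transcript on stdin and print "<context>\t<tag>\t<command>"
# for each prompt line. Command output (rm errors, ftp replies) has no prompt and is skipped.
triage_session() {
  awk '
    /^sh-[0-9.]+# / { ctx = "shell"; cmd = substr($0, index($0, "# ") + 2) }
    /^ftp> /        { ctx = "ftp";   cmd = substr($0, 6) }
    /^mysql> /      { ctx = "mysql"; cmd = substr($0, 8) }
    !/^(sh-[0-9.]+# |ftp> |mysql> )/ { next }
    {
      tag = "info"
      if (ctx == "shell" && cmd ~ /^rm[ \t]+-[A-Za-z]*r/) {
        # Recursive rm: classify by target. Log directories are anti-forensics,
        # /home is the user data, everything else is the site and its files.
        if (cmd ~ /\/var\/log/)      tag = "wipe-logs"
        else if (cmd ~ /\/home\//)   tag = "delete-users"
        else                         tag = "delete-files"
      } else if (ctx == "ftp" && cmd ~ /^(mdelete|delete|rmdir)/) {
        tag = "delete-backups"
      } else if (ctx == "mysql" && tolower(cmd) ~ /^drop[ \t]+(database|table)/) {
        tag = "drop-db"
      }
      print ctx "\t" tag "\t" cmd
    }'
}

# count_tag TAG: number of commands in the constructed session carrying TAG.
count_tag() {
  session | triage_session | awk -F'\t' -v t="$1" '$2 == t { n++ } END { print n + 0 }'
}

# stages: the contexts in the order the attacker entered them (shell, then ftp,
# then mysql), which is the timeline the closing section asks you to read.
stages() {
  session | triage_session | awk -F'\t' '!seen[$1]++ { s = s (s ? "," : "") $1 } END { print s }'
}

session | triage_session
```

Run against a real shell history or a recorded session, the same awk program turns a wall of commands into a short timeline of stages and impact, and the wipe-logs tag on rm -rf /var/log/ is the line an incident responder cares about most, because that is the command that tried to destroy the evidence.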
In Closing
Looking over the commands and the order in which they were run will help make sense of what hacking really is. Hollywood and the media do a great job of making it seem like it's a mere few clicks of a mouse, a bunch of scrolling text, and some nefarious-looking teenager saying "we're in". If you read over the hack logs, you might have noticed that a lot of the work involved was actually on the databases