Nix Commands

Find

-iname matches case-insensitively; plain -name is the case-sensitive form

find / -name "term.txt" 2>/dev/null    # or -name "*.conf"; quote the pattern so the shell does not expand it, use -iname to ignore case


Ping sweep without nmap

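# Ping sweep without nmap: one echo request per host with a 1 s reply timeout
# (-W is the Linux iputils flag; BSD/macOS ping spells the timeout differently).
# Only reply lines ("64 bytes from ...") are printed; kernel "From ... Unreachable"
# lines start with a capital F and are filtered out. Put the /24 prefix in net.
net="[First three octets of IP]"
for i in {1..254}; do ping -c 1 -W 1 "$net.$i" | grep 'from'; done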

Find

-iname matches case-insensitively; plain -name is the case-sensitive form

find / -name "term.txt" 2>/dev/null    # or -name "*.conf"; quote the pattern so the shell does not expand it, use -iname to ignore case


Ping sweep without nmap

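# Ping sweep without nmap: one echo request per host with a 1 s reply timeout
# (-W is the Linux iputils flag; BSD/macOS ping spells the timeout differently).
# Only reply lines ("64 bytes from ...") are printed; kernel "From ... Unreachable"
# lines start with a capital F and are filtered out. Put the /24 prefix in net.
net="[First three octets of IP]"
for i in {1..254}; do ping -c 1 -W 1 "$net.$i" | grep 'from'; done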


Init Levels

0 Halt Shuts Down the System

1 Single-User Mode Does not configure network interface, start daemons, or allow non-root logins

2 Multi-User Mode Does not configure network interfaces or start daemons (Red Hat/SysV convention; on Debian and Ubuntu runlevels 2-5 are identical full multi-user modes)

3 Multi-User Mode with Networking Start the system normally

4 Undefined Not used/ User-definable

5 X11 As run level 3 + display manager (X)

6 Reboot Reboots the system



/etc/shadow

Example:

john:$6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/:17707:0:90:14:::

Username john

$6$iTEFbMTM$ The hash field is laid out as $id$salt$hash: the id (6) selects the algorithm, iTEFbMTM is the per-user salt, and everything after the third $ is the hash itself

Password hash (a salted one-way hash, not reversible encryption) $6$iTEFbMTM$CXmxPwErbEef9RUBvf1zv8EgXQdaZg2eOd5uXyvt4sFzi6G4lIqavLilTQgniAHm3Czw/LoaGzoFzaMm.YwOl/

Hash Types (the $id$ prefix of the field):

$1$ is MD5-crypt (obsolete; flag any account still using it)

$2a$ is bcrypt (Blowfish-based)

$2y$ is bcrypt (the bug-fixed variant of $2a$)

$5$ is SHA-256-crypt

$6$ is SHA-512-crypt

$y$ is yescrypt (default on current Debian, Ubuntu and Fedora)

A field of * or !, or a hash prefixed with !, means password login is locked; an empty field means no password is set (whether that permits login depends on PAM's nullok)

Last Password Changed 17707 (days since Jan 1, 1970; 17707 is 2018-06-25 — convert with date -d @$((17707*86400)))

Minimum number of days required between password changes 0

Maximum number of days the password is valid before it must be changed 90 (there is no built-in grace period; what happens after expiry is governed by the inactive field below, and an empty field means the password never expires)

Number of days before the password is to expire and user is warned to change 14

Number of days after the password expires before the account is disabled (inactive period) [blank field] *John's account will not be disabled after his password expires; he is just prompted to change it at next login

Account expiration date in days since Jan 1, 1970 — an absolute date after which login is refused regardless of password state [blank field] *John's account has no expiry date


Logs

System Logs /var/log/syslog (Debian/Ubuntu)

Messages /var/log/messages

Administrator /var/log/adm

Kernel ring buffer from boot (hardware/driver messages; iptables LOG target output also lands here) /var/log/dmesg, or run dmesg

Kernel messages /var/log/kern.log (Debian/Ubuntu)

Login Records /var/log/auth.log

Secure Logins /var/log/secure (RHEL/CentOS equivalent of auth.log)

Scheduled Tasks /var/log/cron

LastLog (binary, not ascii; read it with the lastlog command) /var/log/lastlog

btmp (records bad login attempts; binary, read it with lastb) /var/log/btmp

sulog (logs use of the su command on Solaris/AIX; on Linux su is logged to auth.log or secure instead) /var/log/sulog

utmp (binary; who and w read it to show who is currently logged in) /var/run/utmp (some systems: /var/log/utmp)

wtmp (binary record of every login, logout and reboot; read it with last) /var/log/wtmp

xferlog (logs ftp access) /var/log/xferlog

Syslog and messages (global system activity data startup messages) debian /var/log/syslog redhat /var/log/messages

Process accounting See below

Epoch (Unix) timestamp: seconds since 1970-01-01 00:00:00 UTC; convert with date -d @<seconds> (GNU) or date -r <seconds> (BSD/macOS)

last (users' connection times) reads /var/log/wtmp; there is no /var/log/last file

sa (accounting information) /var/log/sa

lastcomm (prints info about previously executed commands) reads the process accounting file (pacct/acct, paths below), not a /var/log/lastcomm file

Audit Daemon auditd: controls the generation and location of audit trail files (default /var/log/audit/audit.log) and related syslog messages; rules live in /etc/audit/rules.d/

Syslog Config cat /etc/rsyslog.d/*.conf


Process Accounting

Method of recording and summarizing commands executed on Linux

/var/account/acct FreeBSD / OpenBSD Default accounting file

/var/account/pacct Red Hat / RHEL / CentOS / Fedora Linux

/var/log/account/pacct Debian / Ubuntu Linux

/var/adm/psacct Sun Solaris UNIX Default accounting file


Rsyslog

The syslog daemon on most Linux distributions: collects local log messages and can forward them to remote collectors.

Location

cat /etc/rsyslog.conf

A double @@ target (e.g. *.* @@host:514) forwards over TCP, a single @ over UDP. Both are plaintext and unauthenticated unless TLS is configured, so any forwarding target you do not recognise means logs may be leaving the box.

If you find an unfamiliar forwarding host such as *.* @@badguy:514, resolve the name via /etc/hosts and DNS, and check whether it is a local web root (/var/www/html): curl it and read the resulting log entry to see what it serves.

Check netstat for connections on port 514

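# Anything bound to or talking on the syslog port (rsyslog default 514/udp and 514/tcp).
# Anchor on ":514" followed by whitespace so ports like 1514 or 5140 do not match.
# ss -auntp is the modern equivalent on systems without netstat.
netstat -auntp | grep ':514[[:space:]]'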

Long Helpful List

=========================

= Start/End =

=========================

date; date -u


=====================================

= System Characterization =

=====================================

#kernel version

uname -a


#uptime

uptime


#OS information

cat /etc/*release*


#hostname

hostname

cat /etc/hostname


#numeric identifier for the current host

hostid


#kernel modules (linux)

lsmod


#kernel modules (solaris)

modinfo -c


#cpu (linux)

cat /proc/cpuinfo


#cpu (solaris)

psrinfo -v


=====================

= SysV =

=====================

#Startup scripts

cat /etc/inittab

cat /etc/rc.d/rc.sysinit

cat /etc/rc.d/rc.local


#Services

service --status-all

service <name> status


#What starts on boot

chkconfig --list


#runlevel

who -r

runlevel


=====================

= Upstart =

=====================

#Startup scripts

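# Upstart job definitions. The unescaped "." in grep .conf would match any character
# (e.g. "xconf"), so let the shell glob for the real suffix instead.
ls /etc/init/*.conf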

cat /etc/inittab


#Services

initctl list

initctl status <service>

update-rc.d <name> <enable_disable>


#What starts on boot

initctl show-config


#runlevel

who -r

runlevel

cat /etc/init/rc-sysinit.conf


=====================

= Systemd =

=====================

#Startup scripts

ls -la /etc/systemd/system/    # local unit files and overrides (there is no /etc/systemd/systemd file)

ls -la /usr/lib/systemd/system/    # vendor unit files


#Services

systemctl list-units

systemctl status <name>

systemctl list-unit-files -t service


#What services have been modified!

systemd-delta


#What starts on boot

systemctl list-unit-files -t service


#runlevel

who -r

runlevel


#default runlevel

systemctl get-default

cat /etc/systemd/system/default.target


=================

= SMF =

=================

#Startup scripts

cat /etc/inittab


#Services

svcs -a

svcs -l <service>

inetadm


#What starts on boot

svcs

svcs -a | egrep 'online|legacy_run.*rc[0123S]_d'


#runlevel

svcprop svc:/system/svc/restarter:default/:properties/options/milestone

#if 'doesn't match entities' default milestone is still multi-user-server


=========================

= Networking =

=========================

#current IP configuration

ifconfig -a


#interface configuration files or places to manually add routes to

cat /etc/sysconfig/network-scripts/ifcfg-*

cat /etc/sysconfig/network

cat /etc/rc.local


#Routing Tables

netstat -rn

route

ip route show


#How it resolves

cat /etc/nsswitch.conf


#local caches

cat /etc/hosts

cat /etc/resolv.conf

arp -an


#check databases

getent <database> <key>    # e.g. getent hosts <name>, getent passwd <user>; -s <service> forces a single nsswitch source


#current connections (linux)

netstat -natup    (or ss -natup on systems without netstat)


#current connections (solaris)

netstat -anP tcp

netstat -anP udp


#iptables

cat /etc/sysconfig/iptables

iptables -nL


#firewalld

firewall-cmd --direct --get-all-rules

firewall-cmd --list-all-zones


#firewalld default and user configurations

ls /usr/lib/firewalld/

ls /etc/firewalld/*.conf


#ports with services

cat /etc/services

cat /etc/inet/services


#ports to services (Solaris)

# Solaris: map each listening port (netstat lines with *.PORT) to the PIDs holding it by grepping
# every process's pfiles output, then list RPC services with rpcinfo -p. Slow: pfiles is run once
# per port per process. NOTE(review): inspecting other users' processes presumably needs root — confirm on target.
for pid in $(netstat -an | egrep "\*\.[0-9]" | awk '{print $1}' | cut -d. -f2 | sort | uniq) ; do echo "Port: $pid" ; for f in $(ps -ef | sed 1d | awk '{print $2}') ; do pfiles $f 2>/dev/null | /usr/xpg4/bin/grep -q "port: $pid"; if [ $? -eq 0 ]; then ps -ef -o pid -o args | egrep -v "grep|pfiles" | grep $f ; fi ; done ; done ; rpcinfo -p

# Solaris: for every /proc entry whose pfiles output mentions a port, print a separator, the PID,
# the port lines and the ps -flp details. pfiles is invoked twice per process (once to count, once to print).
for pid in $(ls /proc); do check=$(pfiles /proc/$pid | grep -ic "port:"); if [ $check -gt 0 ]; then echo "===============================================================================================" && echo PID: $pid && echo PFILES RESULTS: && pfiles /proc/$pid | grep -i port; echo PS LIST: && ps -flp $pid; fi; done

pfiles /proc/*


=========================

= Processes =

=========================

#list all

ps -ef

ps -elf

ps -elf --sort start_time

ps -C <process>


#max PIDs (linux) (after boot) then (current)

cat /etc/sysctl.conf

cat /proc/sys/kernel/pid_max


#max PIDs (solaris) (after boot)

cat /etc/system


#files open by processes (linux)

lsof -p <pid>

lsof -u <user>

lsof <absolute_path>

lsof -RPni :<port>

lsof +L1    # open files with link count < 1: deleted-but-still-open binaries, libraries and logs


#specific file open by a process (linux)

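# Which PIDs have <file_name> open (Linux). Skip the ps header row, quote the PID, and let
# grep -q supply the status instead of counting; 2>/dev/null now silences lsof (the noisy
# one), not grep. (lsof <absolute_path> answers the same question in a single call.)
for pid in $(ps -ef | awk 'NR>1 {print $2}'); do
  if lsof -p "$pid" 2>/dev/null | grep -q -F -- "<file_name>"; then
    echo "$pid"
  fi
done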


#files open by processes (solaris)

# All open files of every process (Solaris); the glob alone supplies the /proc entries.
pfiles /proc/*


#specific file open by a process (solaris)

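# Which PIDs have <name> open (Solaris). Skip the ps header row, quote the PID, and let
# grep -q supply the status instead of counting; 2>/dev/null now silences pfiles, not grep.
for pid in $(ps -ef | awk 'NR>1 {print $2}'); do
  if pfiles "$pid" 2>/dev/null | grep -q -F -- "<name>"; then
    echo "$pid"
  fi
done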


#processes on startup

cat /etc/inittab

cat /etc/inetd.conf

cat /etc/xinetd.conf

ls -lisahR /etc/xinetd.d/


=====================================

= Filesystem Information =

=====================================

#disk usage

df -h

df -i


#mounted devices

mount


#dump ext2/3/4 filesystem information

dumpe2fs <device>


=====================

= Users =

=====================

#basic information

cat /etc/passwd

cat /etc/shadow

cat /etc/group

id

w

chage -l <user>

groups <user>


#file mode creation mask

umask

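# Effective umask for every account: log in as each user (su -l) and print umask.
# Needs root. Read /etc/passwd directly instead of word-splitting $(awk ...), quote
# the user name, and emit a newline when su fails silently (locked accounts) so the
# output stays one line per user.
while IFS=: read -r user _; do
  printf '%-10s' "$user"
  su -l "$user" -c umask 2>/dev/null || echo
done < /etc/passwd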


#default encryption algorithm

cat /etc/security/policy.conf (solaris)

cat /etc/login.defs (linux)

cat /etc/login.conf (bsd)

cat /etc/pam.d/password-auth-ac (RHEL) / cat /etc/pam.d/common-password (Debian/Ubuntu)


#cronjobs/at

cat /etc/crontab

ls -lisahR /var/spool/at

ls -la /var/spool/cron/ /var/spool/cron/crontabs/    # per-user crontabs (RHEL / Debian); /var/spool/crontab is not a standard path

ls -la /etc/cron.*

crontab -l

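# Dump each account's crontab straight from the spool (useful when you would rather not
# trust the crontab binary): RHEL keeps them in /var/spool/cron/<user>, Debian in
# /var/spool/cron/crontabs/<user>. The original used curly "smart" quotes, which the
# shell treats as literal characters.
while IFS=: read -r user _; do
  echo "##### $user crontab is:"
  cat "/var/spool/cron/crontabs/$user" "/var/spool/cron/$user" 2>/dev/null
done < /etc/passwd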

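# Same via crontab(1), with each line prefixed by its owner so the output can be grepped.
# "no crontab for X" goes to stderr and is dropped; the user name is passed to awk with -v
# rather than interpolated into a sed expression.
while IFS=: read -r user _; do
  crontab -u "$user" -l 2>/dev/null | awk -v u="$user" '{print u ": " $0}'
done < /etc/passwd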


#Check home dirs

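# Check each account's home directory using the passwd entry's own home field (field 6)
# instead of assuming /home/<user>, so system accounts and non-standard homes are covered;
# a missing directory is reported rather than silently skipped.
echo
while IFS=: read -r user _ _ _ _ home _; do
  if [ -d "$home" ]; then
    echo "$user has a home directory ($home)"
  else
    echo "$user has NO home directory ($home)"
  fi
done < /etc/passwd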


#SUID SGID files

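# SUID / SGID files. -perm -4000 ("all of these bits set") is the POSIX spelling and is
# equivalent to the GNU-only -perm /4000 for a single bit; restrict to regular files and
# drop permission-denied noise.
find / -type f -perm -4000 2> /dev/null

find / -type f -perm -2000 2> /dev/null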


#all user system-wide settings

cat /etc/profile

cat /etc/bashrc    (Debian/Ubuntu: /etc/bash.bashrc)

cat /etc/login.defs


#User specific settings could override system-wide settings

cat /home/<user>/.bashrc

cat /home/<user>/.profile


#check profile.d files

ls /etc/profile.d/


=====================

= Logging =

=====================

#rsyslog

cat /etc/rsyslog.conf

cat /etc/rsyslog.d/*


#logrotate

cat /etc/logrotate.conf


#last

last

lastb

last -f <log_file>


#SELinux

sestatus

getenforce

cat /etc/selinux/config


#syslog

cat /etc/syslog.conf


#systemd logging

cat /etc/systemd/journald.conf


#systemd journalctl commands

journalctl -p <emerg|alert|crit|err|warning|notice|info|debug>    # shows that priority and everything more severe

journalctl --since <YYYY-MM-DD HH:MM:SS>

journalctl --until <YYYY-MM-DD HH:MM:SS>

journalctl -u <service>


#logrotate (linux)

cat /etc/logrotate.conf

ls -lisah /etc/logrotate.d/


#logrotate (Solaris)

cat /etc/logadm.conf


#Auditd

cat /etc/audit/auditd.conf    # daemon config: log file location, rotation, and what to do when the disk fills

#auditd user configurations

cat /etc/audit/audit.rules

ls -lisah /etc/audit/rules.d


#ausearch (linux)

ausearch -x <executable> -i

auditctl -l

aureport


=====================

= Other =

=====================

#find files between a date

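# Files modified within a window. GNU find's option is -newerXY with X,Y from a,B,c,m,t;
# -newermt compares mtime against a timestamp string (the "-newermnt" spelling is not valid).
find / -type f -newermt "YYYY-MM-DD HH:MM:SS" ! -newermt "YYYY-MM-DD HH:MM:SS" 2> /dev/null

# Files modified less than N minutes ago (-N) or more than N minutes ago (+N).
find / -type f -mmin -N 2> /dev/null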


find / -type f -name <name> -print -o -path "/proc" -prune


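# Long-list every regular file, then filter on whatever ls -l shows (date, owner, size...).
# 2>/dev/null belongs on find (permission errors), not on grep; -exec ... + batches the ls calls.
find / -type f -exec ls -l {} + 2> /dev/null | grep "<something_date_owner_etc>"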


#if -newermt isn't available (Solaris, busybox)

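# Bracket the time window with two reference files. touch -t creates them in the current
# directory, so find must reference them by that same path (the original pointed at /ts_start
# and /<path>/ts_start, which are not where touch put them).
touch -t YYYYMMDDHHMM ts_start

touch -t YYYYMMDDHHMM ts_end

# explicit -a form (the original notes used it for Solaris find)
find / -newer ./ts_start -a ! -newer ./ts_end

# GNU find (-a is implied between tests)
find / -newer ./ts_start ! -newer ./ts_end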


#SUID (Solaris)

#-perm -4000 ("all of these bits set") is POSIX and works on GNU find too; prefer it over the GNU-only -perm /4000
find / -type f -perm -4000 2> /dev/null

find / -type f -perm -2000 2> /dev/null


=================================

= Creature Comforts =

=================================

#vi

:set number

:set autoindent

:set shiftwidth=<some_number>

:set showmatch


#aliases

alias ls='ls -lisah'


#ls colors

testvar=$LS_COLORS; LS_COLORS="di=0;97"; export LS_COLORS


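# Solaris: for every process with a socket open, print the pfiles line containing its PID
# (the header) and the lines mentioning a port. The original had two typos ("pfles" and
# "|> /dev/null"), and the latter made the if-test always succeed because the status came
# from the empty redirection command, not from grep; grep -q restores the intended test.
for pid in $(ps -ef | awk 'NR>1 {print $2}'); do
  if pfiles "$pid" 2>/dev/null | grep -q port; then
    pfiles "$pid" | grep "$pid"
    pfiles "$pid" | grep port
  fi
done 2> /dev/null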


#process has a space at the end

# Distinct executable paths behind every running process, taken from the /proc/<pid>/exe
# symlinks. ls -Q quotes the link target so awk can split on the quote character; awk then
# strips the quotes, so a trailing space in a path (a masquerading trick) is NOT visible in
# this output — re-quote the lines to see it.
ls -alQ /proc/*/exe 2>/dev/null | awk -F '"' '{print $4}' | grep -v -e '^$' | sort | uniq | more


#checks for spaces at the end of the process

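# Re-quote each distinct process executable path so a trailing space (e.g. "/usr/bin/sshd ")
# becomes visible. Read the list line by line: a for-in over $(...) word-splits on exactly
# the whitespace we are trying to detect, so the original could never show it.
ls -alQ /proc/*/exe 2>/dev/null | awk -F '"' '{print $4}' | grep -v -e '^$' | sort -u |
  while IFS= read -r file; do printf '"%s"\n' "$file"; done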

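# Same check for the process name: read /proc/<pid>/comm directly and re-quote it, keeping
# any trailing whitespace (IFS= read -r). The original's awk '{print $8}' on ps -ef splits
# on whitespace and so could never show a trailing space. Processes that exit mid-loop
# just produce a read error, which is discarded.
for c in /proc/[0-9]*/comm; do
  IFS= read -r psname < "$c" && printf '"%s"\n' "$psname"
done 2>/dev/null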



#process executables

ls -latriQ /proc/*/exe

# Uses a multiplexed ssh session whose control socket is the fixed path /tmp/t1 (add -M to
# create the master; without it, an existing socket there is reused if present), opens a SOCKS
# proxy on 127.0.0.1:9050 (-D) with no remote command (-N), no tty (-T), in the background (-f).
# 127.1 is shorthand for 127.0.0.1.
# NOTE(review): a predictable socket name in world-writable /tmp invites pre-creation/symlink
# games by other local users — prefer a path under ~/.ssh (e.g. ~/.ssh/ctl-%r@%h:%p) or a
# mktemp -d directory. 9050 is also Tor's default SOCKS port, which detection rules may key on.
ssh -S /tmp/t1 dummy@127.1 -D 9050 -NT -f