book

Black Hat Bash

by Nick Aleks, Dolev Farhi

October 2024

Intermediate to advanced

344 pages

8h 7m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
About the Authors and Technical Reviewer
Acknowledgments
Introduction
What Is in This BookThe Scripting ExercisesHow to Use This Book
1. Bash Basics
Environmental SetupAccessing the Bash ShellInstalling a Text EditorExploring the ShellChecking Environment VariablesRunning Linux CommandsElements of a Bash ScriptThe Shebang LineCommentsCommandsExecutionDebuggingBasic SyntaxVariablesArithmetic OperatorsArraysStreamsControl OperatorsRedirection OperatorsPositional ArgumentsInput PromptingExit CodesExercise 1: Recording Your Name and the DateSummary
2. Flow Control and Text Processing
Test Operatorsif ConditionsLinking ConditionsTesting Command SuccessChecking Subsequent ConditionsFunctionsReturning ValuesAccepting ArgumentsLoops and Loop Controlswhileuntilforbreak and continuecase StatementsText Processing and ParsingFiltering with grepFiltering with awkEditing Streams with sedJob ControlManaging the Background and ForegroundKeeping Jobs Running After LogoutBash Customizations for Penetration TestersPlacing Scripts in Searchable PathsShortening Commands with AliasesCustomizing the ~/.bashrc ProfileImporting Custom ScriptsCapturing Terminal Session ActivityExercise 2: Pinging a DomainSummary
3. Setting Up a Hacking Lab
Security Lab PrecautionsInstalling KaliThe Target EnvironmentInstalling Docker and Docker ComposeCloning the Book’s RepositoryDeploying Docker ContainersTesting and Verifying the ContainersThe Network ArchitectureThe Public NetworkThe Corporate NetworkKali Network InterfacesThe MachinesManaging the LabShutting DownRemovingRebuildingAccessing Individual Lab MachinesInstalling Additional Hacking ToolsWhatWebRustScanNucleidirsearchLinux Exploit Suggester 2GitjackerpwncatLinEnumunix-privesc-checkAssigning Aliases to Hacking ToolsSummary
4. Reconnaissance
Creating Reusable Target ListsConsecutive IP AddressesPossible SubdomainsHost DiscoverypingNmaparp-scanExercise 3: Receiving Alerts About New HostsPort ScanningNmapRustScanNetcatExercise 4: Organizing Scan ResultsDetecting New Open PortsBanner GrabbingUsing Active Banner GrabbingDetecting HTTP ResponsesUsing Nmap ScriptsDetecting Operating SystemsAnalyzing Websites and JSONSummary
5. Vulnerability Scanning and Fuzzing
Scanning Websites with NiktoBuilding a Directory Indexing ScannerIdentifying Suspicious robots.txt EntriesExercise 5: Exploring Non-indexed EndpointsBrute-Forcing Directories with dirsearchExploring Git RepositoriesCloning the RepositoryViewing Commits with git logFiltering git log InformationInspecting Repository FilesVulnerability Scanning with NucleiUnderstanding TemplatesWriting a Custom TemplateApplying the TemplateRunning a Full ScanExercise 6: Parsing Nuclei’s FindingsFuzzing for Hidden FilesCreating a Wordlist of Possible FilenamesFuzzing with ffufFuzzing with WfuzzAssessing SSH Servers with Nmap’s Scripting EngineExercise 7: Combining Tools to Find FTP IssuesSummary

6. Gaining a Web Shell
Arbitrary File Upload VulnerabilitiesFuzzing for Arbitrary File UploadsBypassing File Upload ControlsUploading Files with Burp SuiteStaging Web ShellsFinding Directory Traversal VulnerabilitiesUploading Malicious PayloadsExecuting Web Shell CommandsExercise 8: Building a Web Shell InterfaceLimitations of Web ShellsLack of PersistenceLack of Real-Time ResponsesLimited FunctionalityOS Command InjectionExercise 9: Building a Command Injection InterfaceBypassing Command Injection RestrictionsObfuscation and EncodingGlobbingSummary
7. Reverse Shells
How Reverse Shells WorkIngress vs. Egress ControlsShell Payloads and ListenersThe Communication SequenceExecuting a ConnectionSetting Up a Netcat ListenerCrafting a PayloadDelivering and Initializing the PayloadExecuting CommandsListening with pwncatBypassing Security ControlsEncrypting and Encapsulating TrafficAlternating Between Destination PortsSpawning TTY Shells with Pseudo-terminal DevicesPython’s pty ModulesocatPost-exploitation Binary StagingServing NetcatUploading Files with pwncatDownloading Binaries from Trusted SitesExercise 10: Maintaining a Continuous Reverse Shell ConnectionInitial Access with Brute ForceExercise 11: Brute-Forcing an SSH ServerSummary
8. Local Information Gathering
The Filesystem Hierarchy StandardThe Shell EnvironmentEnvironment VariablesSensitive Information in Bash ProfilesUsers and GroupsLocal AccountsLocal GroupsHome Folder AccessValid ShellsProcessesViewing Process FilesRunning psExamining Root ProcessesThe Operating SystemExercise 12: Writing a Linux Operating System Detection ScriptLogin Sessions and User ActivityCollecting User SessionsInvestigating Executed CommandsNetworkingNetwork Interfaces and RoutesConnections and NeighborsFirewall RulesNetwork Interface Configuration FilesDomain ResolversSoftware InstallationsStorageBlock DevicesThe Filesystem Tab FileLogsSystem LogsApplication LogsExercise 13: Recursively Searching for Readable LogfilesKernels and BootloadersConfiguration FilesScheduled TasksCronAtExercise 14: Writing a Cron Job Script to Find CredentialsHardwareVirtualizationUsing Dedicated ToolsLiving Off the LandAutomating Information Gathering with LinEnumExercise 15: Adding Custom Functionality to LinEnumSummary
9. Privilege Escalation
What Is Privilege Escalation?Linux File and Directory PermissionsViewing PermissionsSetting PermissionsCreating File Access Control ListsViewing SetUID and SetGIDSetting the Sticky BitFinding Files Based on PermissionsExploiting a SetUID MisconfigurationScavenging for CredentialsPasswords and SecretsPrivate KeysExercise 16: Brute-Forcing GnuPG Key PassphrasesExamining the sudo ConfigurationAbusing Text Editor TricksDownloading Malicious sudoers FilesHijacking Executables via PATH MisconfigurationsExercise 17: Maliciously Modifying a Cron JobFinding Kernel ExploitsSearchSploitLinux Exploit Suggester 2Attacking Adjacent AccountsPrivilege Escalation with GTFOBinsExercise 18: Mapping GTFOBins Exploits to Local BinariesAutomating Privilege EscalationLinEnumunix-privesc-checkMimiPenguinLinuxprivcheckerBasharkSummary
10. Persistence
The Enemies of Persistent AccessModifying Service ConfigurationsSystem VsystemdHooking into Pluggable Authentication ModulesExercise 19: Coding a Malicious pam_exec Bash ScriptGenerating Rogue SSH KeysRepurposing Default System AccountsPoisoning Bash Environment FilesExercise 20: Intercepting Data via Profile TamperingCredential TheftHooking a Text EditorStreaming Executed CommandsForging a Not-So-Innocent sudoExercise 21: Hijacking Password UtilitiesDistributing Malicious PackagesUnderstanding DEB PackagesPackaging Innocent SoftwareConverting Package Formats with alienExercise 22: Writing a Malicious Package InstallerSummary
11. Network Probing and Lateral Movement
Probing the Corporate NetworkService MappingPort FrequenciesExercise 23: Scanning Ports Based on FrequenciesExploiting Cron Scripts on Shared VolumesVerifying ExploitabilityChecking the User ContextExercise 24: Gaining a Reverse Shell on the Backup ServerExploiting a Database ServerPort ForwardingBrute-Forcing with MedusaBackdooring WordPressRunning SQL Commands with BashExercise 25: Executing Shell Commands via WordPressCompromising a Redis ServerRaw CLI CommandsMetasploitExposed Database FilesDumping Sensitive InformationUploading a Web Shell with SQLSummary
12. Defense Evasion and Exfiltration
Defensive ControlsEndpoint SecurityApplication and API SecurityNetwork SecurityHoneypotsLog Collection and AggregationExercise 26: Auditing Hosts for LandminesConcealing Malicious ProcessesLibrary PreloadingProcess HidingProcess MasqueradingExercise 27: Rotating Process NamesDropping Files in Shared MemoryDisabling Runtime Security ControlsManipulating HistoryTampering with Session MetadataConcealing DataEncodingEncryptionExercise 28: Writing Substitution Cipher FunctionsExfiltrationRaw TCPDNSText Storage SitesSlack WebhooksSharding FilesNumber of LinesSizeChunksExercise 29: Sharding and Scheduling ExfiltrationSummary
Index

Content preview from Black Hat Bash

8 LOCAL INFORMATION GATHERING

In the previous two chapters, we gained an initial foothold on several hosts. In this chapter, we’ll perform local reconnaissance to identify assets of interest, leaving no stone unturned on the path to taking over other hosts on the network.

Knowing where to find sensitive information once you successfully compromise a host is a critical skill. We’ll focus on key categories of information you can gather: identities (like users and groups), files (including logs and configurations), network information, automation workflows, installed software and firmware, running processes, and security mechanisms. We’ll cover ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098182434Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Black Hat Bash

by Nick Aleks, Dolev Farhi

8 LOCAL INFORMATION GATHERING

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.