UNDERCODE COMMUNITY
@UndercodeCommunity

🦑 Updated: Empire is a PowerShell and Python post-exploitation agent.

INSTALLATION & RUN:

1) git clone https://github.com/EmpireProject/Empire.git

2) Initial setup

> Run the ./setup/install.sh script. This installs the few dependencies and runs the ./setup/setup_database.py script. The setup_database.py file contains various settings that you can modify manually

3) and then initializes the ./data/empire.db backend database. No additional configuration should be needed; hopefully everything works out of the box.

4) Running ./empire starts Empire, and ./empire --debug generates a verbose debug log at ./empire.debug. The included ./setup/reset.sh resets/reinitializes the database and launches Empire in debug mode.

> [for more](http://www.powershellempire.com/?page_id=110)


🦑 Quickly check whether the computer has been hacked (Linux version)


1) Abnormal accounts and permissions
If a hacker has ever had an opportunity to run a command, they will usually want to keep that opportunity, which the industry calls persistence.

2) Creating a backdoor account is a common way to persist.

3) Check for abnormal accounts

Search users:
cat /etc/passwd shows all users in the current system together with their group information. If there are many accounts, you cannot take them in at a glance.

I usually use the following method to filter:

> cat /etc/passwd | awk -F: '{print $7}' | sort | uniq -c

This command prints each type of shell and the number of accounts that use it. Users that have a real shell need to be checked carefully.


🦑 Check users:

If you found an abnormal user name in the previous step (assume it is hacker), you can examine that user in detail with the following commands:

1) View user id and group information: id hacker

2) View user's recent login information: lastlog -u hacker

3) View user history login information: last hacker

4) View user login failure information: lastb hacker

5) View comprehensive information: finger hacker

6) Note: the finger command is not built in on some operating systems; you can install it yourself with the package manager, for example:

> Ubuntu/Debian: apt-get install finger

> CentOS/RedHat: yum install finger

> ArchLinux: pacman -S finger

7) The other non-built-in commands mentioned below can be installed the same way.

🦑 Check abnormal permissions

Linux users generally use sudo to let ordinary users perform root operations, so even an account that already existed cannot be taken lightly. sudo permissions are managed in /etc/sudoers and /etc/sudoers.d, where you can view them; it is best to check these files for changes frequently, to make sure no ordinary user has obtained unexpected permissions. For each ordinary user, you can run groups username to query the groups it belongs to; if it is in the root or sudo group, or the group appears in the /etc/sudoers file, be especially alert.
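The account and sudo checks above, packaged as functions that take the passwd/group/sudoers files as arguments so they run on a live host or on a constructed sample. This is added example code, not from the original post; the sample accounts and file names it writes are invented.

```shell
#!/bin/sh
# Added example (not from the original post): the account and sudo checks
# above as functions that take the passwd/group/sudoers files as arguments,
# so they run on a live host (/etc/passwd, /etc/group, ...) or on the
# constructed sample below.

# Constructed sample passwd and group files for a demonstration run; the
# accounts in them are invented.
write_sample_files() {
  cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:0:0::/tmp:/bin/sh
EOF
  cat > "$2" <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:27:alice,backup2
users:x:100:
EOF
}

# The pipeline from the text: number of accounts per shell.
shell_histogram() { awk -F: '{print $7}' "$1" | sort | uniq -c; }

# Accounts whose shell is not nologin/false can actually log in: review these.
login_shell_users() { awk -F: '$7 !~ /(nologin|false)$/ {print $1}' "$1"; }

# Any account besides root with UID 0 is a classic backdoor account.
extra_uid0_users() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"; }

# Members of the root/sudo/wheel groups, one "group:member" per line.
privileged_members() {
  awk -F: '($1=="root"||$1=="sudo"||$1=="wheel") && $4!="" {
    n=split($4,m,","); for(i=1;i<=n;i++) print $1":"m[i] }' "$1"
}

# Effective (non-comment, non-empty) rules from sudoers files, for review.
sudoers_rules() {
  for f in "$@"; do
    if [ -f "$f" ]; then grep -Ev '^[[:space:]]*(#|$)' "$f"; fi
  done
}

# On a live system (as root, so sudoers is readable):
#   extra_uid0_users /etc/passwd; privileged_members /etc/group
#   sudoers_rules /etc/sudoers /etc/sudoers.d/*
```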

1) Abnormal startup items
Self-starting processes under Linux differ according to the service manager; the following three are commonly used:

2) Upstart
Upstart is an event-based init that replaced the ancient /sbin/init process to handle tasks and service self-starting.

🦑 To view this type of self-starting file, you can use the following commands:

> View all self-starting jobs: initctl list
> View one self-starting job (here named evil): initctl show-config evil

SystemV
> SystemV is the service management system behind the commonly used service start/stop/status xxx.service commands.

🦑 To view this type of self-starting file, you can use the following commands:

1) View the self-starting scripts: ls /etc/init.d/

2) View the symbolic links for each runlevel: ls /etc/rc*.d/

SystemD

3) SystemD is a modern service management system, and newer Linux versions have all migrated to SystemD.

🦑 There are two ways to view all self-starting services:

1) systemctl list-unit-files --type=service

2) ls /lib/systemd/system/*.service /etc/systemd/system/*.service

Older Linux versions are generally a mixture of Upstart and SystemV, and most newer versions have migrated to SystemD.

🦑 Other

1) Abnormal scheduled tasks
In addition to the self-starting services above, Linux can also run persistent tasks through scheduled tasks. Checking for abnormal scheduled tasks is relatively simple:

2) You only need to look at /etc/crontab and the scheduled task files in the /etc/cron.* subdirectories.

3) bash initialization
Anyone who has used Linux knows that $HOME/.bashrc can hold initialization that applies to every shell,

4) in other words, the script inside may be executed every time a new terminal is opened.

5) Such profiles include .bashrc, .bash_profile, .bash_login, .profile and so on.

6) Whether each of them runs, and in what order, is determined by whether the shell is a login shell and whether it runs interactively.

🦑 For bash, the execution flow is as follows:

The execution sequence is A->B->C; B[123] means that of the three, only the first one that exists is executed. The flow chart is as follows:

🦑 For login/non-login and interactive/non-interactive shells, please refer to other introductions on the Internet; they will not be expanded on here.

> As long as you know the order in which your shell's initialization files are executed, and check those files for suspicious commands, you can find abnormal entries.

> Application-level self-start
It is difficult to find all suspicious self-starting items. Experienced attackers can modify existing self-starting scripts to pull in additional commands,

> which reduces the risk of being discovered. Some Linux desktop environments also run similar self-starting commands; for example my favourite, xfce,

lets you add applications at startup under Settings -> Session and Startup -> Application Autostart.

🦑 Abnormal records

1) Abnormal command history
In general, hackers will execute some commands in the shell after they obtain it. We can use the history command to view the commands that have been run,

2) or view the ~/.bash_history file directly. A smart hacker may clean up the traces after doing bad things, but if the history is found to have been maliciously cleared,

3) or tampered with abnormally, that alone is enough to give us a warning signal.

4) Abnormal logging
Logs, especially system logs, are our great helpers. The following commands read the log files and output related information:

> View the latest login time and IP of each user: lastlog

> View each user's login records: last

> View each user's login attempts (including failures): lastb

> View the currently logged-in users, their IPs and the commands being executed: w

> Of course, deliberate attackers will also hide their traces from these commands, for example with the small tool hidemyass.

5) System logs are generally generated by the rsyslogd process and are configured in the /etc/rsyslog.conf file and the /etc/rsyslog.d/ directory.

6) Some common logs and what they contain:

> /var/log/messages: general system log

> /var/log/kern.log: kernel log

> /var/log/boot.log: system boot log

> /var/log/auth.log: logs related to login, such as ssh/sudo; success and failure records are here

> /var/log/secure: same as above

> /var/log/cron.d: execution log of cron scheduled tasks

7) By checking the above logs, you can often find unexpected traces (if any).
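A way to work through the auth log described above: failed SSH attempts per source, accepted logins, logins from an address that was also guessing passwords, and every sudo command. Added example, not from the original post; the host name, users, addresses and timestamps in the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise an auth.log of the
# kind described above, with constructed sample lines (invented host, users
# and addresses). On a live system point the functions at /var/log/auth.log
# (or /var/log/secure).

write_sample_authlog() {
  cat > "$1" <<'EOF'
Mar  3 10:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:19 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:40 host sshd[1210]: Accepted password for alice from 198.51.100.4 port 40122 ssh2
Mar  3 10:03:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:07:55 host sshd[1250]: Accepted publickey for backup2 from 203.0.113.7 port 51100 ssh2
Mar  3 10:08:10 host sudo:    backup2 : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
EOF
}

# "count ip" for failed password attempts, busiest source address first.
ssh_failures() {
  grep 'Failed password' "$1" | sed -n 's/.* from \([0-9.]*\) port.*/\1/p' |
    sort | uniq -c | sort -rn
}

# "user ip" for every accepted login, whether by password or by key.
ssh_accepted() {
  sed -n 's/.*Accepted [a-z]* for \([^ ]*\) from \([0-9.]*\) port.*/\1 \2/p' "$1"
}

# Accepted logins from an address that also produced failed attempts: a
# success right after a password-guessing run is the first thing to chase.
logins_after_failures() {
  fails=$(ssh_failures "$1" | awk '{print $2}')
  ssh_accepted "$1" | while read -r user ip; do
    for f in $fails; do
      if [ "$f" = "$ip" ]; then echo "$user $ip"; fi
    done
  done
}

# "user COMMAND" for every sudo invocation; an interactive root shell from an
# unexpected account stands out immediately.
sudo_commands() {
  sed -n 's/.*sudo: *\([^ ]*\) : .*COMMAND=\(.*\)/\1 \2/p' "$1"
}
```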

🦑 Crime scene

1) Although this self-check mainly looks for clues and traces the intruder left behind, sometimes the malware left by the attackers is still running;

2) in that case it is also a good idea to look for clues at the crime scene itself.


🦑 Abnormal processes:

1) To find abnormal processes, you can use the top command to view the resources used by running programs, or ps -ef to list the processes on the current system.

2) If you find a process you do not recognize, you can check it in detail with the following commands:

3) View the full command line the process was started with: ps eho command -p $PID

4) View the directory the process was started from: readlink /proc/$PID/cwd

5) View the complete environment variables the process was started with: strings -f /proc/$PID/environ | cut -f2 -d ' '

> List all files opened by the process: lsof -p $PID

> List the network connections opened by the process: netstat -pan | grep $PID

> Of course, if the attacker hides the process by some means, it will still leave some clues, such as a suspicious LKM module; this will not be discussed in depth here.

🦑 Abnormal network traffic

1) If a malicious process is active, it is probably communicating with the external network, which needs to be analysed with packet capture tools.

2) For Linux desktop users, wireshark is an excellent choice; on a server, tcpdump is a good tool and is also worth mastering.

3) Take wireshark as an example: capture packets for a few minutes and, using the built-in filtering rules plus the network connections opened by the application analysed above,

4) you can see what evil communication this malicious application is doing with the outside world, so as to assess the damage in time and protect the data.

5) Besides the network access initiated by malware, some is initiated by the system itself. For example, if the attacker modified iptables, DNS, the http proxy,

> or /etc/hosts, our normal network requests may be intercepted and tampered with by attackers. These small modifications may not be obvious,

6) but once you find that your network environment is "not quite right", you must be vigilant and investigate carefully.


written by Undercode