Nope, the title isn’t a typo.
Too many people are afraid of admitting ignorance in a topic, especially when it’s an area we’re interested in making a career out of, but that’s your ego talking. Once you give your ego complete control you’re bound to a life of intellectual, emotional, physical, and spiritual stagnation.
I’m proudly a newb when it comes to the command line and Linux, but come back in 6 – 9 years and I guarantee I’ll be above average. 😉
This week I’ve decided to share five interesting Linuxy things with you from a book I just completed called “Linux Basics for Hackers, Getting Started with Networking, Scripting, and Security in Kali”.
Before we dive into the five Linuxy things, I want to give you some context as to why I decided on this topic and book.
If you’re following my journey you’ll know I’ve recently received my Sec+ certification and that journey was complete immersion specific to the exam content, which focused on theory and basic terminology. When learning anything I’m a fan of swinging between theory and practice because they both play into true understanding. After spending two weeks strictly on the theoretical concepts I thought it was time to tinker, which is what attracted me to this week’s book.
One other important reason for choosing a Linux command line-heavy book is that Linux operating systems are everywhere and will continue to be at the center of most machines. The real drivers for this continued adoption are cloud, mobile phones, and IoT. I won’t dive into the details, but if you’re interested go here and here.
With the realization that Linux will continue to dominate and that most Linux machines are only accessible through the command line (e.g. headless), I thought this book would be the perfect one to start with.
Plus the penguin on the cover looks pretty awesome…
Now let’s dive into my magical five discoveries.
The Linux Tree of Life
The file system of any computer tells you where everything is and most of us are used to the Windows file system. You can think of a file system as a closet for clothes or a cabinet for dishes and the goal is to organize everything. File systems do the same thing, but for your “files” instead.
But Linux is unique in its own way. When exploring the Linux file system you quickly realize everything hangs off a single root directory, and even hardware and devices are presented as files, which can surprise any lifelong Windows user. Traditionally in Windows, every file or folder leads back to a “drive” (see below).
So for Windows, we have multiple parents inside of the family tree, but for Linux, there’s a single “god-like” parent that holds everything (see below).
At first, this file structure seems strange, but after playing around with it for a little while you start to fall in love with its simplicity.
Let me warn you… By combining simplicity and ignorance, there’s a good chance you’ll delete or change some important files, so be careful! This is coming from firsthand experience. Haha!
Here are a few good resources to learn more – 1, 2, 3, and 4.
My beloved “grep”
The command-line interface (CLI) is a world of its own, and most computer geeks prefer the CLI over a traditional GUI for its speed, power, and efficiency. While reading through this book, as well as viewing a few tutorials, I kept coming across a command called “grep”.
You can think of grep as a way to search for things within a file or overall system.
A simple example would be…
Command
ps aux | grep apache2
Output
root 4851 0.2 0.7 37548 7668 ? Ss 10:14 0:00 /usr/sbin/apache2 -k start
root 4906 0.0 0.4 37572 4228 ? S 10:14 0:00 /usr/sbin/apache2 -k start
root 4910 0.0 0.4 37572 4228 ? Ss 10:14 0:00 /usr/sbin/apache2 -k start
Breaking the command down:
- ps – show a snapshot of the processes currently running
- aux – “a” lifts the restriction to your own processes so every user’s processes are shown, “u” selects the user-oriented output format that shows the owner of each process, and “x” also includes processes that aren’t attached to a terminal.
- | (pipe) – the pipe symbol “pipes” the output of one command into the input of another; you’ll see this used a lot in the Linux command realm
- grep – we know what this is… basically word search for systems and files.
- apache2 – this is the object we’re looking for; it’s a web server, and apache2 refers to version 2 of the Apache HTTP Server.
Here we’re using the “ps aux” command to show all the different processes running on a system, then we’re “piping” (e.g. shoving) this through a specific “grep” filter that’s searching for the keyword “apache2”.
In simplistic terms, we’re basically Googling through our process list to see which running processes have “apache2” in their name.
Grep isn’t mind-blowing at first, but this little command can save hours of searching for files on a system and keywords in a file. Once you’ve become a ninja at using grep you’ll find yourself using this tiny time-saving tool all the time.
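Here is an added example (my own, not code from the post or the book) that runs the post’s “ps aux | grep” idea over a constructed snippet of ps output, so it works offline. It shows the two things that trip people up the first time: the grep process itself contains the keyword and inflates the count, and matching on the whole line can hit the wrong column. The last function matches only the COMMAND column and reports who owns the matching processes, which is the question a defender usually has.

```shell
#!/bin/sh
# Added example, not from the post. The ps output below is constructed for the demo.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 4851 0.2 0.7 37548 7668 ? Ss 10:14 0:00 /usr/sbin/apache2 -k start
www-data 4906 0.0 0.4 37572 4228 ? S 10:14 0:00 /usr/sbin/apache2 -k start
kali 5120 0.0 0.1 6432 2300 pts/0 S+ 10:15 0:00 grep apache2
root 1 0.0 0.2 167000 11000 ? Ss 10:00 0:01 /sbin/init'

# The post's pipeline: every line containing the keyword. The `grep apache2`
# process is itself in the listing, so this count is one too high.
count_naive() {
  printf '%s\n' "$SAMPLE_PS" | grep -c -- "$1"
}

# Same filter, but drop the grep process before counting.
count_processes() {
  printf '%s\n' "$SAMPLE_PS" | grep -- "$1" | grep -vc 'grep '
}

# Match only the COMMAND column (field 11) and print the distinct owners of the
# matching processes; a web server worker running as root is worth a look.
users_running() {
  printf '%s\n' "$SAMPLE_PS" \
    | awk -v pat="$1" 'NR > 1 && $11 ~ pat && $11 !~ /grep/ { print $1 }' \
    | sort -u | paste -sd ' ' -
}

echo "naive matches:  $(count_naive apache2)"
echo "real processes: $(count_processes apache2)"
echo "owners:         $(users_running apache2)"
```

On a real box the equivalent of the last function is closer to `pgrep -a apache2`, which matches process names without the self-match problem; the awk version is here to show what the filter is actually deciding.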
Erasing history
Whenever an attacker finishes their dirty work, the next best move is to erase their tracks. The evidence these attackers want to erase mainly sits within logs, which are short statements showing when, where, who, and what happened in a system or network.
A rookie attacker (e.g. me) would think that by simply “removing” a file they’re covering their tracks, but any average investigator could still uncover traces of the attacker. This rookie command would be something like this…
rm file_1.txt
“rm” is the command to remove, and what we’re removing is a simple text file named “file_1.txt”. In reality, we’re not really removing the file’s contents, but telling the filesystem that the space this file occupied is free and can be overwritten by future files.
Imagine you walk into a library and go through the card index, find a book’s catalog card, and rip it up. The book is still on the shelf. It’s just harder to find.
“rm” isn’t enough for a truly sneaky hacker; what we’ll need to use is a command called “shred”. “shred” not only “removes” the file, but overwrites the section of the hard drive it occupied with a bunch of gibberish.
Examples help, so let’s use an example. Say we have a text file called “SuperSecretStuff.txt” and inside of this text file we have the text “This is super-secret, don’t read it”. If we run the “shred” command on this file we’re able to turn that text into gibberish, see below.
Command
shred -f -n 10 SuperSecretStuff.txt
Output
?9?-?w?K?=???l;b8SƉ?b???????@,?18!??DM??P?
Here’s some detail on what happened
- -f – the “f” forces the overwrite, changing the file’s permissions if necessary so it can be written to
- -n – the “n” takes a “number”, which is the number of times we want to overwrite the file
- 10 – this is the number of overwrites we decided on
The investigator’s job just got way more difficult, thanks to this “shred” command, but depending on how skilled the investigator is they could still find traces.
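As an added example (my own, not the post’s code and not the shred binary itself): the post’s “shred -f -n 10” call has no “-u”, so it overwrites the file but leaves it on disk, which is why the output above is gibberish rather than “file not found”. The block below reproduces that behaviour with head and dd, then shows the unlink step that shred’s “-u” flag adds. It assumes a POSIX shell with head, dd, mktemp and /dev/urandom; the secret-bearing file is constructed in a temp location for the demo.

```shell
#!/bin/sh
# Added example: emulate shred's in-place random overwrite, then the unlink that -u adds.
# Uses only head, dd and rm; the test file is created by the demo itself.

# Overwrite FILE in place PASSES times with random bytes, keeping its size.
overwrite_in_place() {
  file=$1; passes=${2:-3}
  size=$(wc -c < "$file" | tr -d ' ')
  i=0
  while [ "$i" -lt "$passes" ]; do
    # conv=notrunc keeps the same blocks (and size) instead of creating a new file
    head -c "$size" /dev/urandom | dd of="$file" conv=notrunc 2>/dev/null
    i=$((i + 1))
  done
}

# Overwrite, then unlink: the equivalent of adding -u to shred.
overwrite_and_unlink() {
  overwrite_in_place "$1" "${2:-3}"
  rm -f "$1"
}

# Demo mirroring the post: a file holding the secret line, overwritten 10 times
# without unlinking, then unlinked. Returns a one-line summary of what happened.
wipe_demo() {
  tmp=$(mktemp)
  printf '%s' "This is super-secret, don't read it" > "$tmp"
  before=$(grep -c 'super-secret' "$tmp" || true)
  size_before=$(wc -c < "$tmp" | tr -d ' ')
  overwrite_in_place "$tmp" 10                 # the post's -n 10, no -u
  after=$(grep -c 'super-secret' "$tmp" || true)
  size_after=$(wc -c < "$tmp" | tr -d ' ')
  if [ "$size_before" -eq "$size_after" ]; then size_kept=yes; else size_kept=no; fi
  if [ -e "$tmp" ]; then still_exists=yes; else still_exists=no; fi
  overwrite_and_unlink "$tmp" 1                # what -u would add
  if [ -e "$tmp" ]; then gone=no; else gone=yes; fi
  echo "before=$before after=$after size_kept=$size_kept still_exists=$still_exists gone=$gone"
}

wipe_demo
```

Two caveats from shred’s own documentation apply equally here: on journaling or copy-on-write filesystems, on SSDs that remap blocks internally, and anywhere snapshots or backups exist, an in-place overwrite does not guarantee the old bytes are gone. From the defender’s side this is the argument for shipping logs to a separate host as they are written: a file wiped on the compromised machine is still intact on the collector, and a wipe is itself an event worth alerting on.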
Hidden in plain sight
I’m sure you’ve heard of “proxies”… Remember in the school computer labs they wouldn’t let you access any cool sites and you forwarded the URLs onto some sketchy public proxy to gain access…. Yeah! I know what you were doing.
A proxy acts as a middle-man between two points, so if you’re sitting inside of a network that restricts access to certain sites or you just want to be anonymous, proxies are one way of doing that. Today I’m going to talk about proxies from the lens of privacy, meaning we don’t want our IP address publicly available for the digital realm to see.
We’re going to send our request to a proxy that will replace our IP address with a different IP address before visiting whatever site we’re hoping to access. The cool thing about Linux and the built-in commands is that you can chain these proxies together while adding randomness. Let me explain.
Proxy chaining is the process of chaining multiple proxies together between my machine and the place I’m trying to reach, which makes my IP address disappear behind multiple layers of proxy IP addresses. The command within Linux is simply named “proxychains”.
Command
proxychains firefox www.Startpage.com
Above we’re telling the machine to use “proxychains” via the “firefox” web browser to access the website “www.Startpage.com” and by doing this we’re masking our original IP address with multiple proxy servers.
But it gets better!
By using the above proxychain command we’re most likely coming from the same proxy server every time, so the target website will eventually catch on, but we can sprinkle some randomness in.
The proxychains command, like all other commands, has a configuration file where you’re able to adjust how it behaves. Specifically, proxychains has a setting that we’re able to turn on called “random_chain” that picks the proxies in our chain at random from the list for each connection, lowering the chances our target will know where we’re coming from.
With all that said, publicly available proxy servers have been known for some sketchy behaviors, so be careful when choosing the proxy servers you use.
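An added example (mine, not from the post or the proxychains project) of the configuration change the section describes: switching from the default “strict_chain” to “random_chain” and then checking that exactly one chain mode is enabled, since proxychains expects only one of strict_chain, dynamic_chain and random_chain to be uncommented. The configuration text is constructed to mirror the layout of the stock file, which on Kali normally lives at /etc/proxychains.conf (path assumed, not taken from the post).

```shell
#!/bin/sh
# Added example: toggle random_chain in a proxychains config and sanity-check the result.
# SAMPLE_CONF is constructed to look like the stock file; nothing here touches /etc.
SAMPLE_CONF='# proxychains.conf  VER 3.1
#
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at a time
strict_chain
#dynamic_chain
#random_chain
#chain_len = 2
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050'

# Rewrite a config on stdin: comment out strict/dynamic, uncomment random_chain
# and chain_len (random_chain picks chain_len proxies per connection).
enable_random_chain() {
  sed -e 's/^strict_chain/#strict_chain/' \
      -e 's/^dynamic_chain/#dynamic_chain/' \
      -e 's/^#random_chain/random_chain/' \
      -e 's/^#chain_len/chain_len/'
}

# Print the uncommented chain modes found on stdin, space-separated.
active_chain_modes() {
  awk '/^(strict|dynamic|random)_chain/ { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Return 0 only if the config on stdin has exactly one chain mode enabled.
chain_mode_is_sane() {
  n=$(active_chain_modes | wc -w | tr -d ' ')
  [ "$n" -eq 1 ]
}

# Wrappers over the sample so the result can be inspected in one call.
sample_modes_before()    { printf '%s\n' "$SAMPLE_CONF" | active_chain_modes; }
sample_modes_after()     { printf '%s\n' "$SAMPLE_CONF" | enable_random_chain | active_chain_modes; }
sample_chain_len_after() { printf '%s\n' "$SAMPLE_CONF" | enable_random_chain | grep -c '^chain_len'; }

echo "before: $(sample_modes_before)"
echo "after:  $(sample_modes_after)"
```

Two things worth knowing before relying on this for privacy: proxychains works by hooking the C library’s socket calls through LD_PRELOAD, so statically linked programs and tools that use raw sockets are not proxied at all, and name lookups only go through the chain when “proxy_dns” is left enabled. The stock list points at a local Tor SOCKS port (127.0.0.1:9050), so with no Tor running the “proxychains firefox” command from the post fails rather than silently connecting directly.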
Automating life away
It doesn’t matter if you’re defending or attacking in the cyber realm, being able to automate as much as possible is a huge goal for everyone.
Within the Linux world, this can be done in multiple ways, but two of the more well-known commands are “cron” and “crontab”. The cron command is this thing called a “daemon”, which is a background process that runs autonomously… Think of it as a little demon working in the background on your behalf.
These tasks that are being completed by the “daemon” are pre-written scripts, which are like miniature programs. Most scripts are scheduled to run at a specific minute, hour, day of the month, month, and day of the week, and this is where the “crontab” (e.g. cron table) comes into play. Our little cron daemon will reference this crontab for tasks that need to be done; once it’s time to do some chores, cron executes the script whose path is sitting in our crontab. See the below image for the basic format.
Example crontab
30 2 * * 1-5 root /root/myscanningscript
This crontab entry runs a script as the root user that scans for vulnerable open ports (e.g. “myscanningscript”) every night at 2:30 AM, Monday through Friday.
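To make the five-field format concrete, here is an added example (mine, not from the post or the book): a small crontab schedule matcher in POSIX shell that answers “does this entry fire at this minute?” for the post’s entry and others, plus a helper that pulls the user and command out of an /etc/crontab-style line. That is the check you want when auditing a box’s crontabs for jobs running as root. It handles *, single values, ranges (a-b), lists (a,b) and steps (*/n, a-b/n); it does not handle month or weekday names or the @daily shortcuts, and it ANDs the two day fields where Vixie cron ORs them when both are restricted.

```shell
#!/bin/sh
# Added example: crontab schedule matcher and /etc/crontab line summary.

# cron_field_matches FIELD VALUE LO HI: does FIELD cover VALUE? LO-HI is the
# field's legal range and is what "*" expands to (matters for "*/n" on 1-based fields).
cron_field_matches() {
  field=$1 value=$2 lo_default=$3 hi_default=$4
  rest=$field
  while [ -n "$rest" ]; do
    part=${rest%%,*}                                   # next comma-separated item
    case $rest in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
    step=1
    case $part in */*) step=${part#*/}; part=${part%/*} ;; esac
    case $part in
      '*') lo=$lo_default; hi=$hi_default ;;
      *-*) lo=${part%-*}; hi=${part#*-} ;;
      *)   lo=$part; hi=$part ;;
    esac
    if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
       && [ $(( (value - lo) % step )) -eq 0 ]; then
      return 0
    fi
  done
  return 1
}

# cron_matches "MIN HOUR DOM MON DOW" minute hour day month weekday
# Weekday 7 is treated as Sunday (0), as cron does.
cron_matches() {
  sched=$1; minute=$2; hour=$3; dom=$4; month=$5; dow=$6
  if [ "$dow" -eq 7 ]; then dow=0; fi
  set -f; set -- $sched; set +f      # split the fields without glob-expanding '*'
  cron_field_matches "$1" "$minute" 0 59 \
    && cron_field_matches "$2" "$hour" 0 23 \
    && cron_field_matches "$3" "$dom" 1 31 \
    && cron_field_matches "$4" "$month" 1 12 \
    && cron_field_matches "$5" "$dow" 0 6
}

# crontab_entry_summary "LINE": user and command from a system crontab line.
# /etc/crontab has a user column (field 6); per-user crontabs do not.
crontab_entry_summary() {
  printf '%s\n' "$1" | awk '{
    printf "user=%s command=", $6
    for (i = 7; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "")
    print ""
  }'
}

# Demo with the post's entry: fires at 02:30 on a Wednesday, not on a Saturday.
cron_matches "30 2 * * 1-5" 30 2 15 6 3 && echo "02:30 Wed: runs"
cron_matches "30 2 * * 1-5" 30 2 15 6 6 || echo "02:30 Sat: does not run"
crontab_entry_summary "30 2 * * 1-5 root /root/myscanningscript"
```

A practical use: loop over the lines of /etc/crontab and /etc/cron.d/* with this summary and you get a quick list of which commands run as root, and at what times, which is exactly the list an attacker would look at for a writable script to hijack, so it is the list you want reviewed first.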
And that’s it!
Yeah… Sure… I’m new to this and all of this might seem obvious to some of you but for me, it’s new, interesting, and exciting. As I mentioned before if you’re not impressed now come back in 6 – 9 years and see if I have anything impressive then. 😉
Until next time my fellow wanderers.