Day 2 OSCP | More Commands

Reading Time: ( Word Count: )

December 7, 2020
Nextdoorsec-course

Hello friend, I hope you practised the commands shown yesterday. Today we’ll follow up with more commands to get comfortable on the terminal, such as man, apropos, which, whatis, locate and find.

 

Man pages

Manual pages provide documentation for the command line’s commands. “man” is the program’s name to view these pages. Let’s look at the man page for the “whoami” command. Also shortly covered on Day 1.

  ┌──(kali㉿kali)-[~]      └─$ man whoami
WHOAMI(1) User Commands WHOAMI(1) NAME whoami - print effective userid SYNOPSIS whoami [OPTION]... DESCRIPTION Print the user name associated with the current effective user ID. Same as id -un. --help display this help and exit --version output version information and exit AUTHOR Written by Richard Mlynarik. ...

 

The content of the manual pages is organized into sections that are numbered as follows:

Section  Contents
1  User Commands
2  Programming interfaces for kernel system calls
3  Programming interfaces to the C library
4  Special files such as device nodes and drivers
5  File formats and conventions
6  Games and screensavers
7  Miscellanea
8  System administration commands and daemons

 

 

 

 

 

 

 

 

 

By a default search with the “man” command, we’ll get results from the first section. However, we can add the “-k” option to search for a keyword within all sections’ documentation. Let’s try with the “passwd” command.

  ┌──(kali㉿kali)-[~]      └─$ man -k passwd
chgpasswd (8) - update group passwords in batch mode chpasswd (8) - update passwords in batch mode expect_mkpasswd (1) - generate new password, optionally apply it to a user gpasswd (1) - administer /etc/group and /etc/gshadow ...

 

We get plenty of commands, but the one we needed is hiding somewhere in between. We need to narrow our search with the help of regular expressionsYou can check out the following page to better understand regex and practice on this website or your command line. 

In our example below, we’ve used a caret (^) and a dollar sign ($) to match the entire line and avoid sub-string matches.

  ┌──(kali㉿kali)-[~]      └─$ man -k '^passwd$'
passwd (1) - change user password passwd (1ssl) - compute password hashes passwd (5) - the password file

 

Now you can use the section number (5) above to do a specific search.

  ┌──(kali㉿kali)-[~]      └─$ man 5 passwd

 

 

Apropos as alternative for man -k

As we’ve seen above, “man -k” searches for a keyword in the description of the commands (without the use of regular expressions). “apropos” does the same, but without adding the “-k” option.

You can try for yourself by typing “man -k passwd” & “apropos passwd“, the results should be the same.

  ┌──(kali㉿kali)-[~]      └─$ apropos passwd
chgpasswd (8) - update group passwords in batch mode chpasswd (8) - update passwords in batch mode expect_mkpasswd (1) - generate new password, optionally apply it to a user gpasswd (1) - administer /etc/group and /etc/gshadow grub-mkpasswd-pbkdf2 (1) - generate hashed password for GRUB ...

 

 

Finding files with “which”

Let’s say you have two versions of the same program on your computer. Therefore you can use the “which” command to find out which version your shell will use.

The “which” command searches through the directories that are defined in the $PATH environment variable. The $PATH is just a collection of paths, each of which points to a directory. We can use the “echo” command to find out the directories in our path.

  ┌──(kali㉿kali)-[~]      └─$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games

 

The output list separates each path with colons (:). The “which” command will start searching from left to right. So the first path will be “/usr/local/sbin” and afterwards “/usr/local/bin” and so on. Let’s test this out by typing “which apropos“.

  ┌──(kali㉿kali)-[~]      └─$ which apropos
/usr/bin/apropos

 

The default command stops when it finds a result. However, if we use the -a (all) option, “which” will continue searching.

  ┌──(kali㉿kali)-[~]      └─$ which -a apropos
/usr/bin/apropos /bin/apropos

 

Above, it lists all of the matches found in our $PATH environment’s directories, starting its search from left to right. Now let’s view them and see the difference. Check Day 1 for the ls command.

  ┌──(kali㉿kali)-[~]      └─$ ls -l /usr/bin/apropos lrwxrwxrwx 1 root root 6 Jul 5 05:06 /usr/bin/apropos -> whatis
  ┌──(kali㉿kali)-[~]      └─$ ls -l /bin/apropos lrwxrwxrwx 1 root root 6 Jul 5 05:06 /bin/apropos -> whatis

 

ls” (list), “-l” (long listing). The “5” showing before the time (05:06) is the size of the executable in bytes (can be compared against the sizes of the files we find). After checking them both out, we see that they refer to the same symbolic link or shortcut, called “whatis“.

Let’s test this newfound command:

  ┌──(kali㉿kali)-[~]      └─$ whatis passwd passwd (5) - the password file passwd (1) - change user password passwd (1ssl) - compute password hashes
  ┌──(kali㉿kali)-[~]      └─$ man -k '^passwd$' passwd (1) - change user password passwd (1ssl) - compute password hashes passwd (5) - the password file

 

Summary: the “whatis” command can be used as an alternative to the “man” command used with the “-k” option and the regular expression of “^” and “$“, which is much easier to remember.

There wasn’t any difference between those two files, except their directory. To be entirely sure, let’s check both their versions with the “–version” option.

  ┌──(kali㉿kali)-[~]      └─$ /usr/bin/apropos --version apropos 2.9.3
  ┌──(kali㉿kali)-[~]      └─$ /bin/apropos --version apropos 2.9.3

 

 

Another way to “locate” files

The “locate” command is the quickest way to find the locations of files and directories in Kali. Unlike the “which” command, “locate” searches through a built-in database named “locate.db” rather than the entire hard disk itself. This database is automatically updated regularly by the cron scheduler. But we can also manually update the “locate.db” database with the “updatedb” command to be up-to-date to the minute. We need to run the command with admin privileges (sudo).

  ┌──(kali㉿kali)-[~]      └─$ sudo updatedb
  ┌──(kali㉿kali)-[~]      └─$ locate whoami /whoami.txt /home/kali/Desktop/whoami.txt /usr/bin/ldapwhoami /usr/bin/whoami /usr/share/bash-completion/completions/ldapwhoami /usr/share/man/man1/ldapwhoami.1.gz /usr/share/man/man1/whoami.1.gz /usr/share/windows-resources/binaries/whoami.exe

 

The basic form of the “locate” command locates all the files on the file system, starting at the root as we see above. The results contain all or any part of the search criteria. Check Day 0 for a better understanding of the Filesystem Hierarchy Standard (FHS).

Let’s say we want to find the files or directories that only contain our search criteria:

  ┌──(kali㉿kali)-[~]      └─$ locate -b '\whoami.txt' /whoami.txt /home/kali/Desktop/whoami.txt

 

 

The find command

is the one we can be most flexible with but takes some time to master. It allows us to search for files for which we know the approximate filenames. It gives us the ability to search for files by their age, size, name, owner, timestamp, group, type, permissions, date and other criteria. It can get pretty tricky.

To do those searches, we’ll be using wildcards. Wildcards are symbols used to replace or represent one or more characters. The most common wildcard symbols are the question mark ( ? ), which stands for a single character, and the asterisk ( * ) stands for any string of characters.

The first character ( / ) after the find command is for specifying the starting directory of our recursive search.
To have “find” search from the root folder, we’d use “find /“.
From the home folder, “find ~” and from the current folder “find .

  ┌──(kali㉿kali)-[~]      └─$ sudo find / -name whoam* /home/kali/Desktop/whoami.txt /usr/share/windows-resources/binaries/whoami.exe /usr/share/man/man1/whoami.1.gz /usr/bin/whoami /whoami.txt

 

There’s a lot to explore with the “find” command. You can check out the man page for more info.

Note: The find command defaults to being case sensitive. If you want the search for a word or phrase to be case insensitive, use the “-iname” option with the “find” command. It is the case insensitive version of the “-name” command.

There’s one more command for searching, which is the “whereis” command. It’s for you to explore it.

Aydan Arabadzha

Aydan Arabadzha

Author

Aydan, a cybersecurity ace and AI visionary, thrives on the frontlines of offensive security. His passion birthed NextdoorSec, a groundbreaking cybersecurity firm. A relentless pioneer, Aydan is persistently pushing boundaries, shaping the future of the digital world one byte at a time.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *