Day 5 OSCP | The Bash Environment

Reading Time: ( Word Count: )

December 10, 2020

What is “Bash”?

Here’s a short story for you.

When a computer boots up, a kernel (whether it’s Linux, BSD, Mach, or Windows NT) recognizes all the physical hardware and enables each component to talk with one another and be arranged by some basic software. A computer’s most basic set of instructions simply keeps it powered on and in a safe state: activating fans periodically to prevent overheating, using subsystems to monitor disk space or “listen” for newly attached devices, and so on. If this was all computers did, they’d be about as interesting as a convection oven.

Computer scientists recognized this early on, so they developed shell for Unix computers that operate outside of the kernel (or around the kernel, like a shell in nature) and allows humans to interact with the computer whenever they want to. It was an exciting development at a time when people were feeding punch cards into computers to tell them what to do. Of all the shells available, Bash is one of the most popular, the most powerful, and the most friendly.
From https://opensource.com/resources/what-bash

Bash allows us to run complex commands and perform different tasks from a terminal window. It incorporates useful features from both the KornShell (ksh) and C shell (csh).
I’m running Z shell (zsh); it’s just an extended version of Bash, that comes by default with the 2020.4 release of Kali Linux.

Environment Variables

I’ve already shortly covered what an environment variable is on Day 2, just quickly check it out. So when we open a terminal window a new Bash process, which has its own environment variables, is initialized.

Environment variables help programs know what directory to install files in, where to store temporary files, and where to find user profile settings.

Some other useful environment variables include USER, PWD, and HOME, which hold the values of the current terminal user’s username, present working directory, and home directory, respectively:

  ┌──(kali㉿kali)-[~]      └─$ echo $USER kali
  ┌──(kali㉿kali)-[~]      └─$ echo $PWD /home/kali
  ┌──(kali㉿kali)-[~]      └─$ echo $HOME /home/kali

An environment variable can be defined with the exportcommand. For example, if we are scanning a target and don’t want to type in the system’s IP address repeatedly, we can quickly assign it an environment variable and use that instead.

Let’s take our local IPv4 address for this example from the “ifconfig” command.

  ┌──(kali㉿kali)-[~]      └─$ export target=192.168.117.128
  ┌──(kali㉿kali)-[~]      └─$ ping -c 4 $target PING 192.168.117.128 (192.168.117.128) 56(84) bytes of data. 64 bytes from 192.168.117.128: icmp_seq=1 ttl=64 time=0.022 ms 64 bytes from 192.168.117.128: icmp_seq=2 ttl=64 time=0.047 ms 64 bytes from 192.168.117.128: icmp_seq=3 ttl=64 time=0.038 ms 64 bytes from 192.168.117.128: icmp_seq=4 ttl=64 time=0.027 ms --- 192.168.117.128 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3076ms rtt min/avg/max/mdev = 0.022/0.033/0.047/0.009 ms

Ping (latency) is the time it takes for a small data set to be transmitted from your device to a different device and back to your device again, and it is measured in milliseconds (ms).

If we didn’t include “-c 4“, which is for the “count” of pings, it would continue pinging endlessly in a Linux environment by default.

Subprocesses

The exportcommand makes the variable accessible to any subprocesses we might spawn from our current Bash instance. Which means that the variable will be included in the subprocess when defined by “export”.

However, if we set an environment variable without the “export” command, it will only be available in the current shell process and will NOT be duplicated.

We will use the $$ variable to display the process ID of the current shell instance to make sure that we are indeed issuing commands in two different shells.

The “bash” command is for initializing a new Bash process and when we “exit“, we go back to the previous bash process.

  ┌──(kali㉿kali)-[~]      └─$ echo $$ 77589
  ┌──(kali㉿kali)-[~]      └─$ localvar="Local Var"
  ┌──(kali㉿kali)-[~]      └─$ echo $localvar Local Var
  ┌──(kali㉿kali)-[~]      └─$ bash
  ┌──(kali㉿kali)-[~]      └─$ echo $$ 77821
  ┌──(kali㉿kali)-[~]      └─$ echo $var

 

Above we created a local environment variable named “localvar”, we echoed it to see if it works. Then initialized a new bash process, echoed “$$” to make sure it’s a new process indeed. Afterwards echoed the previously created local environment variable “localvar” again, to see if it’s included in the new bash process and no output is generated. You can “exit” and rerun the command to see what happens.

 

Let’s test the same with the “export” command added.

  ┌──(kali㉿kali)-[~]      └─$ echo $$ 75574
  ┌──(kali㉿kali)-[~]      └─$ export globalvar="Global Var"
  ┌──(kali㉿kali)-[~]      └─$ echo $globalvar Global Var
  ┌──(kali㉿kali)-[~]      └─$ bash
  ┌──(kali㉿kali)-[~]      └─$ echo $$ 77981
  ┌──(kali㉿kali)-[~]      └─$ echo $globalvar Global Var

 

To view the other environment variables defined by default in Kali Linux, run “env“.

  ┌──(kali㉿kali)-[~]      └─$ env SHELL=/usr/bin/zsh SUDO_GID=0 LANGUAGE= LESS_TERMCAP_se= LESS_TERMCAP_so= SUDO_COMMAND=/usr/bin/su SUDO_USER=root PWD=/home/kali ...

 

Bonus

Here’s an interesting post I recently found about detecting the Operating System with only the ping command. Although it’s not as accurate in my opinion.

We first run the “traceroute” command (doesn’t come by default, just run “apt install traceroute“), followed by the target destination to determine the hops between these two.

We’ll use the additional option of “-I” (capital of i) to send ICMP ECHO for probes, as in Windows.
Linux uses UDP packets by default, and for some reason, they get blocked by the firewall. However, we only need the number of hops.

  ┌──(kali㉿kali)-[~]      └─$ sudo traceroute -I nextdoorsec.com traceroute to nextdoorsec.com (104.28.29.172), 30 hops max, 60 byte packets 1 192.168.117.2 (192.168.117.2) 0.192 ms 0.092 ms 0.173 ms 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * 104.28.29.172 (104.28.29.172) 30.179 ms 30.228 ms

 

The total number of hops on Linux is 7 and 8 on Windows.

Now ping the domain nextdoorsec.com

  ┌──(kali㉿kali)-[~]      └─$ ping -c 2 nextdoorsec.com PING nextdoorsec.com (104.28.29.172) 56(84) bytes of data. 64 bytes from 104.28.29.172 (104.28.29.172): icmp_seq=1 ttl=128 time=28.6 ms 64 bytes from 104.28.29.172 (104.28.29.172): icmp_seq=2 ttl=128 time=41.0 ms

Windows:
>ping -n 2 nextdoorsec.com Pinging nextdoorsec.com [172.67.181.144] with 32 bytes of data: Reply from 172.67.181.144: bytes=32 time=17ms TTL=57 Reply from 172.67.181.144: bytes=32 time=19ms TTL=57

 

The TTL value, when pinged on Linux, is 128 and 57 on Windows. I’m not sure why I get two different values here, but it’s probably because of the protocols used while pinging or maybe the firewall plays tricks on me. You can let me know below if you managed to find out why.

After making the Sum of TTL value and number of hops, we can define the operating system:

Linux: (7 + 128 = 135), this result doesn’t conclude much, but if we only look at the TTL value, our result says Linux.
Windows: 
(8 + 57 = 65), this one doesn’t conclude much either, however, it’s nearby Windows’s TTL of 64.

Here’s a short version of default TTL values:

 Device / OS  TTL
 *nix (Linux/Unix)  64
 Windows  128
 Solaris/AIX  254

 

As a result, don’t rely on this technique. I’ll cover better ways of finding out the operating system of our target. I just wanted to have something practical for this blogpost.

Other interesting articles

Leetcode vs Hackerrank vs Topcoder: Difference Explained

Leetcode vs Hackerrank vs Topcoder: Difference Explained

Are you the one who wants to avail a software development job? Or you are a recruiter looking forward to test a ...
Are Older Android Versions Safe? 5 Security Tips

Are Older Android Versions Safe? 5 Security Tips

Are you an Android phone user? Do you find it hard to keep your phone safe from malware attacks? If yes, this ...
Cybersecurity Vs Network Engineer – Top 3 Differences You Should Know

Cybersecurity Vs Network Engineer – Top 3 Differences You Should Know

In this digital age, without the existence of cybersecurity, businesses on the web cannot survive. Now and then, we
What Programming Language Do Hackers Use in 2021?

What Programming Language Do Hackers Use in 2021?

Before diving deep into the programming languages hackers tend to use, it depends on the type of hacking ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

error: Alert: Content is protected !!