Day 5 OSCP | The Bash Environment

Reading Time: ( Word Count: )

December 10, 2020
Nextdoorsec-course

What is “Bash”?

Here’s a short story for you.

When a computer boots up, a kernel (whether it’s Linux, BSD, Mach, or Windows NT) recognizes all the physical hardware and enables each component to talk with one another and be arranged by some basic software. A computer’s most basic set of instructions simply keeps it powered on and in a safe state: activating fans periodically to prevent overheating, using subsystems to monitor disk space or “listen” for newly attached devices, and so on. If this was all computers did, they’d be about as interesting as a convection oven.

Computer scientists recognized this early on, so they developed shell for Unix computers that operate outside of the kernel (or around the kernel, like a shell in nature) and allows humans to interact with the computer whenever they want to. It was an exciting development at a time when people were feeding punch cards into computers to tell them what to do. Of all the shells available, Bash is one of the most popular, the most powerful, and the most friendly.
From https://opensource.com/resources/what-bash

Bash allows us to run complex commands and perform different tasks from a terminal window. It incorporates useful features from both the KornShell (ksh) and C shell (csh).
I’m running Z shell (zsh); it’s just an extended version of Bash, that comes by default with the 2020.4 release of Kali Linux.

Environment Variables

I’ve already shortly covered what an environment variable is on Day 2, just quickly check it out. So when we open a terminal window a new Bash process, which has its own environment variables, is initialized.

Environment variables help programs know what directory to install files in, where to store temporary files, and where to find user profile settings.

Some other useful environment variables include USER, PWD, and HOME, which hold the values of the current terminal user’s username, present working directory, and home directory, respectively:

  ┌──(kali㉿kali)-[~]      └─$ echo $USER kali
  ┌──(kali㉿kali)-[~]      └─$ echo $PWD /home/kali
  ┌──(kali㉿kali)-[~]      └─$ echo $HOME /home/kali

An environment variable can be defined with the exportcommand. For example, if we are scanning a target and don’t want to type in the system’s IP address repeatedly, we can quickly assign it an environment variable and use that instead.

Let’s take our local IPv4 address for this example from the “ifconfig” command.

  ┌──(kali㉿kali)-[~]      └─$ export target=192.168.117.128
  ┌──(kali㉿kali)-[~]      └─$ ping -c 4 $target PING 192.168.117.128 (192.168.117.128) 56(84) bytes of data. 64 bytes from 192.168.117.128: icmp_seq=1 ttl=64 time=0.022 ms 64 bytes from 192.168.117.128: icmp_seq=2 ttl=64 time=0.047 ms 64 bytes from 192.168.117.128: icmp_seq=3 ttl=64 time=0.038 ms 64 bytes from 192.168.117.128: icmp_seq=4 ttl=64 time=0.027 ms --- 192.168.117.128 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3076ms rtt min/avg/max/mdev = 0.022/0.033/0.047/0.009 ms

Ping (latency) is the time it takes for a small data set to be transmitted from your device to a different device and back to your device again, and it is measured in milliseconds (ms).

If we didn’t include “-c 4“, which is for the “count” of pings, it would continue pinging endlessly in a Linux environment by default.

Subprocesses

The exportcommand makes the variable accessible to any subprocesses we might spawn from our current Bash instance. Which means that the variable will be included in the subprocess when defined by “export”.

However, if we set an environment variable without the “export” command, it will only be available in the current shell process and will NOT be duplicated.

We will use the $$ variable to display the process ID of the current shell instance to make sure that we are indeed issuing commands in two different shells.

The “bash” command is for initializing a new Bash process and when we “exit“, we go back to the previous bash process.

  ┌──(kali㉿kali)-[~]      └─$ echo $$ 77589
  ┌──(kali㉿kali)-[~]      └─$ localvar="Local Var"
  ┌──(kali㉿kali)-[~]      └─$ echo $localvar Local Var
  ┌──(kali㉿kali)-[~]      └─$ bash
  ┌──(kali㉿kali)-[~]      └─$ echo $$ 77821
  ┌──(kali㉿kali)-[~]      └─$ echo $var

 

Above we created a local environment variable named “localvar”, we echoed it to see if it works. Then initialized a new bash process, echoed “$$” to make sure it’s a new process indeed. Afterwards echoed the previously created local environment variable “localvar” again, to see if it’s included in the new bash process and no output is generated. You can “exit” and rerun the command to see what happens.

 

Let’s test the same with the “export” command added.

  ┌──(kali㉿kali)-[~]      └─$ echo $$ 75574
  ┌──(kali㉿kali)-[~]      └─$ export globalvar="Global Var"
  ┌──(kali㉿kali)-[~]      └─$ echo $globalvar Global Var
  ┌──(kali㉿kali)-[~]      └─$ bash
  ┌──(kali㉿kali)-[~]      └─$ echo $$ 77981
  ┌──(kali㉿kali)-[~]      └─$ echo $globalvar Global Var

 

To view the other environment variables defined by default in Kali Linux, run “env“.

  ┌──(kali㉿kali)-[~]      └─$ env SHELL=/usr/bin/zsh SUDO_GID=0 LANGUAGE= LESS_TERMCAP_se= LESS_TERMCAP_so= SUDO_COMMAND=/usr/bin/su SUDO_USER=root PWD=/home/kali ...

 

Bonus

Here’s an interesting post I recently found about detecting the Operating System with only the ping command. Although it’s not as accurate in my opinion.

We first run the “traceroute” command (doesn’t come by default, just run “apt install traceroute“), followed by the target destination to determine the hops between these two.

We’ll use the additional option of “-I” (capital of i) to send ICMP ECHO for probes, as in Windows.
Linux uses UDP packets by default, and for some reason, they get blocked by the firewall. However, we only need the number of hops.

  ┌──(kali㉿kali)-[~]      └─$ sudo traceroute -I nextdoorsec.com traceroute to nextdoorsec.com (104.28.29.172), 30 hops max, 60 byte packets 1 192.168.117.2 (192.168.117.2) 0.192 ms 0.092 ms 0.173 ms 2 * * * 3 * * * 4 * * * 5 * * * 6 * * * 7 * 104.28.29.172 (104.28.29.172) 30.179 ms 30.228 ms

 

The total number of hops on Linux is 7 and 8 on Windows.

Now ping the domain nextdoorsec.com

  ┌──(kali㉿kali)-[~]      └─$ ping -c 2 nextdoorsec.com PING nextdoorsec.com (104.28.29.172) 56(84) bytes of data. 64 bytes from 104.28.29.172 (104.28.29.172): icmp_seq=1 ttl=128 time=28.6 ms 64 bytes from 104.28.29.172 (104.28.29.172): icmp_seq=2 ttl=128 time=41.0 ms

Windows:
>ping -n 2 nextdoorsec.com Pinging nextdoorsec.com [172.67.181.144] with 32 bytes of data: Reply from 172.67.181.144: bytes=32 time=17ms TTL=57 Reply from 172.67.181.144: bytes=32 time=19ms TTL=57

 

The TTL value, when pinged on Linux, is 128 and 57 on Windows. I’m not sure why I get two different values here, but it’s probably because of the protocols used while pinging or maybe the firewall plays tricks on me. You can let me know below if you managed to find out why.

After making the Sum of TTL value and number of hops, we can define the operating system:

Linux: (7 + 128 = 135), this result doesn’t conclude much, but if we only look at the TTL value, our result says Linux.
Windows: 
(8 + 57 = 65), this one doesn’t conclude much either, however, it’s nearby Windows’s TTL of 64.

Here’s a short version of default TTL values:

 Device / OS  TTL
 *nix (Linux/Unix)  64
 Windows  128
 Solaris/AIX  254

 

As a result, don’t rely on this technique. I’ll cover better ways of finding out the operating system of our target. I just wanted to have something practical for this blogpost.

Aydan Arabadzha

Aydan Arabadzha

Author

Aydan, a cybersecurity ace and AI visionary, thrives on the frontlines of offensive security. His passion birthed NextdoorSec, a groundbreaking cybersecurity firm. A relentless pioneer, Aydan is persistently pushing boundaries, shaping the future of the digital world one byte at a time.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *