
Linux Log Files under var/log Directory

The following are 20 different log files located under the /var/log/ directory. Some of these log files are distribution specific. For example, you'll see dpkg.log on Debian-based systems (for example, on Ubuntu).
  1. /var/log/messages – Contains global system messages, including the messages that are logged during system startup. Several facilities are logged in /var/log/messages, including mail, cron, daemon, kern, auth, etc.
  2. /var/log/dmesg – Contains the kernel ring buffer information. When the system boots up, it prints a number of messages on the screen describing the hardware devices that the kernel detects during the boot process. These messages are kept in the kernel ring buffer, and as new messages arrive the oldest ones are overwritten. You can also view this information using the dmesg command.
  3. /var/log/auth.log – Contains system authorization information, including user logins and the authentication mechanism that was used.
  4. /var/log/boot.log – Contains information that is logged when the system boots.
  5. /var/log/daemon.log – Contains information logged by the various background daemons that run on the system.
  6. /var/log/dpkg.log – Contains information that is logged when a package is installed or removed using the dpkg command.
  7. /var/log/kern.log – Contains information logged by the kernel. Helpful when troubleshooting a custom-built kernel.
  8. /var/log/lastlog – Records the most recent login of every user. This is not an ASCII file; use the lastlog command to view its content.
  9. /var/log/maillog or /var/log/mail.log – Contains the log information from the mail server running on the system. For example, sendmail logs information about all sent items to this file.
  10. /var/log/user.log – Contains all user-level logs.
  11. /var/log/Xorg.x.log – Log messages from the X server.
  12. /var/log/alternatives.log – Messages from update-alternatives are logged into this file. On Ubuntu, update-alternatives maintains the symbolic links that determine default commands.
  13. /var/log/btmp – This file contains information about failed login attempts. Use the last command to view the btmp file, for example: last -f /var/log/btmp | more
  14. /var/log/cups – All printer and printing-related log messages.
  15. /var/log/anaconda.log – When you install Linux, all installation-related messages are stored in this log file.
  16. /var/log/yum.log – Contains information that is logged when a package is installed using yum.
  17. /var/log/cron – Whenever the cron daemon (or anacron) starts a cron job, it logs information about the job in this file.
  18. /var/log/secure – Contains information related to authentication and authorization privileges. For example, sshd logs all its messages here, including unsuccessful logins.
  19. /var/log/wtmp or /var/log/utmp – Contains login records. Using wtmp you can find out who has logged into the system; the who command uses these files to display that information.
  20. /var/log/faillog – Contains user failed login attempts. Use the faillog command to display its content.
Apart from the above log files, the /var/log directory may also contain the following sub-directories, depending on the applications running on your system.
  • /var/log/httpd/ (or) /var/log/apache2 – Contains the Apache web server access_log and error_log
  • /var/log/lighttpd/ – Contains the lighttpd access_log and error_log
  • /var/log/conman/ – Log files for the ConMan client. conman connects to remote consoles that are managed by the conmand daemon.
  • /var/log/mail/ – This subdirectory contains additional logs from your mail server. For example, sendmail stores the collected mail statistics in the /var/log/mail/statistics file.
  • /var/log/prelink/ – The prelink program modifies shared libraries and linked binaries to speed up the startup process. /var/log/prelink/prelink.log contains information about the .so files that were modified by prelink.
  • /var/log/audit/ – Contains log information stored by the Linux audit daemon (auditd).
  • /var/log/setroubleshoot/ – SELinux uses setroubleshootd (SE Trouble Shoot Daemon) to notify about issues in the security context of files, and logs that information in this directory.
  • /var/log/samba/ – Contains log information stored by Samba, which is used to connect Windows to Linux.
  • /var/log/sa/ – Contains the daily sar files collected by the sysstat package.
  • /var/log/sssd/ – Used by the System Security Services Daemon (sssd), which manages access to remote directories and authentication mechanisms.
Instead of manually archiving log files, cleaning them up after a certain number of days, or deleting them once they reach a certain size, you can have logrotate do this automatically.

Credit to: www.thegeekstuff.com
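Reading these files is only useful if you actually look at what is in them. The script below is an added example (not from the original post or from thegeekstuff.com) that parses the sshd "Failed password" / "Accepted" lines found in /var/log/auth.log (or /var/log/secure on Red Hat-style systems), counts failures per source address, and flags a source that failed repeatedly and then succeeded. The log lines, hostnames, user names and IP addresses are constructed for the example; the regular expression covers the standard OpenSSH message format only.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines. Host, users and addresses are made up;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are reserved documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 web1 sshd[1236]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:15:09 web1 sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: RSA SHA256:constructedfingerprint
Mar  3 10:16:00 web1 sshd[1250]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:17:00 web1 sshd[1260]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar  3 10:17:30 web1 sshd[1262]: Accepted password for bob from 192.0.2.9 port 33001 ssh2
Mar  3 10:18:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart sshd
Mar  3 10:18:05 web1 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches the OpenSSH "Accepted <method> for <user> from <ip> port <port>" and
# "Failed <method> for [invalid user] <user> from <ip> port <port>" messages.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_sshd_events(lines):
    """Return one dict per sshd Accepted/Failed line; sudo, cron and other lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_logins_by_ip(lines):
    """Count failed sshd logins per source IP address."""
    return Counter(e["ip"] for e in parse_sshd_events(lines) if e["outcome"] == "Failed")


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failures, most active first."""
    counts = failed_logins_by_ip(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def failures_then_success(lines):
    """Source IPs that failed at least once and later got an Accepted login.
    A failure streak followed by success is the pattern a guessed password leaves behind."""
    seen_failure = set()
    suspicious = []
    for e in parse_sshd_events(lines):
        if e["outcome"] == "Failed":
            seen_failure.add(e["ip"])
        elif e["ip"] in seen_failure and e["ip"] not in suspicious:
            suspicious.append(e["ip"])
    return suspicious


if __name__ == "__main__":
    # Replace the sample with open("/var/log/auth.log") on a real system (needs root or adm group).
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, n in brute_force_sources(lines):
        print(f"{ip}: {n} failed logins")
    print("failure followed by success:", failures_then_success(lines))
```

On the sample this reports 203.0.113.5 with three failures and flags 192.0.2.9, whose failed password attempt was followed by a successful one. The sudo and cron lines in the sample are there to show that auth.log carries more than sshd messages; they are ignored by the parser.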

Armitage and Metasploit Training Videos

Raphael Mudge has made a six-part training series on Armitage and Metasploit that introduces the penetration testing process and walks through each step. You'll learn how to break into hosts, carry out post-exploitation activities, develop more access from your initial foothold, and you'll do this in a team environment.

Introduction
This is part 1 of a six-part series showing you the method to the madness behind Armitage for Metasploit. You'll learn how to use Armitage by following each step of the network penetration testing process.

http://vimeo.com/26638955

Metasploit Overview
This is part 2 of a six-part series showing you the method to the madness behind Armitage for Metasploit. You'll learn how to use Armitage by following each step of the network penetration testing process.

Gaining Access
This is part 3 of a six-part series showing you the method to the madness behind Armitage for Metasploit. You'll learn how to use Armitage by following each step of the network penetration testing process.

Post Exploitation
This is part 4 of a six-part series showing you the method to the madness behind Armitage for Metasploit. You'll learn how to use Armitage by following each step of the network penetration testing process.

Maneuver
This is part 5 of a six-part series showing you the method to the madness behind Armitage for Metasploit. You'll learn how to use Armitage by following each step of the network penetration testing process.

Team Tactics
This is part 6 of a six-part series showing you the method to the madness behind Armitage for Metasploit. You'll learn how to use Armitage by following each step of the network penetration testing process.

Important Nmap Commands

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing.

Basic scan
nmap 192.168.1.0/24

Host discovery
nmap -sP 192.168.1.0/24

Exclude Host
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

Find out if a host is behind a firewall
nmap -sA 192.168.1.254

Scan host behind a firewall
nmap -PN 192.168.1.1
nmap -PS 192.168.1.1
nmap -PA 192.168.1.1

Scan IPv6
nmap -6 IPv6-Address

Fast scan
nmap -F -T5 192.168.1.1

Display the reason for a port in particular state
nmap --reason 192.168.1.1

Show only open ports
nmap --open 192.168.1.1

Show host interface and route
nmap --iflist

OS detection
nmap -O 192.168.1.1

Scan using IP protocol ping
nmap -PO 192.168.1.1

IP protocol scan
nmap -sO 192.168.1.1

Scan firewall for security weaknesses
nmap -sN 192.168.1.254
nmap -sF 192.168.1.254
nmap -sX 192.168.1.254

Firewall scan with fragmented packets
nmap -f --mtu 32 192.168.1.1

Decoy scan
nmap -n -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip

MAC address spoofing
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1

SMB scan using NSE
nmap -v -O -sV -T4 --osscan-guess -oA ms-smbscan --script=smb-enum-domains,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-os-discovery,smb-security-mode,smb-system-info <target ip>

Scan for SMTP Open Relay
nmap --script smtp-open-relay.nse --script-args smtp-open-relay.domain=<domain> -p 25,465,587 <mail-server>

Scanning the Internet
nmap -T4 --top-ports 50 -sV -O --osscan-limit --osscan-guess --min-hostgroup 128 --host-timeout 10m -oA ms-vscan-%D <target-range>

Parse the result (the -oA option above writes ms-vscan-<date>.nmap, .gnmap and .xml; %D expands to the date)
grep " open " ms-vscan-*.nmap | sed -r 's/ +/ /g' | sort | uniq -c | sort -rn | less
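The grep/sort/uniq pipeline works on the human-readable .nmap file, but the .gnmap ("greppable") file that -oA also writes is far easier to parse reliably, because every host's ports sit on one line in fixed port/state/protocol/owner/service/rpc-info/version fields. The script below is an added example (not from the original post) that parses that format and answers the questions a defender asks of a scan of their own network: which services are exposed, how many hosts run each, and which hosts expose a given service. The scan output, hosts and version strings are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of nmap greppable output (-oG / the .gnmap file from -oA).
# Hosts, names and service versions are made up for the example.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.1.10 (web.example.test)\tStatus: Up
Host: 192.168.1.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 445/open/tcp//microsoft-ds//Samba smbd 3.X/, 23/filtered/tcp//telnet///\tIgnored State: closed (997)
# Nmap done at (constructed sample)
"""

HOST_RE = re.compile(r"Host: (\S+) \(([^)]*)\)")


def parse_gnmap(text):
    """Return one dict per port entry found on 'Host: ... Ports: ...' lines."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue  # comments and Status-only lines carry no port data
        head, _, rest = line.partition("\tPorts: ")
        ip, hostname = HOST_RE.match(head).groups()
        ports_field = rest.split("\t")[0]  # drop the trailing "Ignored State: ..." field
        for entry in ports_field.split(", "):
            # Greppable port entry: port/state/protocol/owner/service/rpc-info/version/
            f = entry.split("/")
            results.append({
                "ip": ip, "hostname": hostname, "port": int(f[0]), "state": f[1],
                "proto": f[2], "service": f[4], "version": f[6],
            })
    return results


def open_ports(text):
    """Only the entries nmap reported as open."""
    return [r for r in parse_gnmap(text) if r["state"] == "open"]


def service_summary(text):
    """Count exposed services by name and version, like the grep | sort | uniq -c pipeline."""
    return Counter(f'{r["service"]} {r["version"]}'.strip() for r in open_ports(text))


def hosts_exposing(text, service):
    """Sorted list of host addresses with the named service open."""
    return sorted({r["ip"] for r in open_ports(text) if r["service"] == service})


if __name__ == "__main__":
    # On a real scan: text = open("ms-vscan-<date>.gnmap").read()
    for svc, n in service_summary(SAMPLE_GNMAP).most_common():
        print(f"{n:4d}  {svc}")
    print("SMB exposed on:", hosts_exposing(SAMPLE_GNMAP, "microsoft-ds"))
```

Filtering on the state field is what keeps closed and filtered ports out of the inventory; the telnet entry in the sample is filtered, so it never appears in the summary even though nmap listed it.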

Web Scanning
nmap --script http-headers,http-title <target>
nmap -sV --script "(http-*) and not(http-slowloris or http-brute)" <target>

Scanning Website for Malware
nmap -sV --script http-google-malware.nse,http-malware-host.nse -p80,443 <target>

Vulnerable Web Apps for PenTesting

This is the list of intentionally vulnerable applications that need to be installed locally:

  • Badstore: Badstore.net is dedicated to helping you understand how hackers prey on Web application vulnerabilities, and to showing you how to reduce your exposure. The demo software is distributed as an ISO image.
  • BodgeIT: The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
  • Butterfly: The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities. The environment also includes examples demonstrating how such vulnerabilities are mitigated.
  • DVWA: The Damn Vulnerable Web App is a PHP/MySQL deliberately vulnerable application. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • Exploit.co.il: A vulnerable web app designed as a learning platform to test various SQL injection techniques. This is a fully functional web site with a content management system.
  • Exploit-Db: Exploit-DB is not really a deliberately vulnerable application, but keeps an archive of vulnerable public domain web applications.
  • ExploitMe Mobile Android Labs: This is an open source project by SecurityCompass demonstrating Android mobile hacking. The labs will teach you about:
    • Parameter manipulation of mobile traffic
    • Encryption of traffic
    • Password lock screens
    • File system access permissions
    • Insecure storage of files
    • Insecure logging
  • ExploitMe Mobile iPhone Labs: This is an open source project by SecurityCompass demonstrating iPhone mobile hacking. The labs will teach you about:
    • Parameter manipulation of mobile traffic
    • Encryption of traffic
    • Password lock screens
    • File system access permissions
    • Insecure storage of files
    • Insecure logging
  • Hackme Bank: Hacme Bank™ is designed to teach application developers, programmers, architects and security professionals how to create secure software.
  • Hackme Books: Foundstone Hacme Books is a learning platform for secure software development.
  • Hackme Casino: Foundstone Hacme Casino™ is a learning platform for secure software development.
  • Hackme Shipping: Hacme Shipping is a web-based shipping application developed to demonstrate common web application hacking techniques.
  • Hackme Travel: Hacme Travel is designed to teach how to create secure software.
  • Hackxor: Hackxor is a webapp hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, …
  • LampSecurity: LAMPSecurity is a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySql security.
  • Mutillidae: Mutillidae is a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10.
  • OWASP iGoat: The iGoat tool is a learning tool, primarily meant for iOS developers. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting  them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.
  • OWASP GoatDroid: This is the Android equivalent to the iGoat Project. This project will help educate Android developers on security issues they’ll encounter when writing applications. 
  • OWASP InsecureWebApp: InsecureWebApp is a web application that includes common web application vulnerabilities. It is a target for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling. InsecureWebApp is primarily a teaching aid to challenge and improve secure design and coding skills.
  • OWASP Vicnum: Vicnum is a flexible web app showing vulnerabilities such as cross-site scripting, SQL injection, and session management issues. Helpful to IT auditors honing web security skills and setting up a 'capture the flag'.
  • OWASP WebGoat: Webgoat is a deliberately insecure J2EE web application designed to teach web application security lessons. In each lesson, students must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application.
  • Pandemobium: Pandemobium is a collection of open source intentionally-flawed mobile applications that are intended to be used by developers and security analysts to explore mobile application security topics.
  • Peruggia: Peruggia is designed as a safe, legal environment to learn about and try common attacks on web applications. Peruggia looks similar to an image gallery, but contains several controlled vulnerabilities to practice on.
  • PuzzleMall: Puzzlemall is a vulnerable web application designed for training purposes. It is prone to a variety of session puzzle exposures. 
  • SQLoL: SQLol is a deliberately vulnerable PHP application. It allows you to exploit SQL injection flaws, but furthermore allows a large amount of control over the manifestation of the flaw.
  • WackoPicko: WackoPicko is a vulnerable web application written in PHP used to test web application vulnerability scanners
  • Webmaven: WebMaven (better known as Buggy Bank) was an interactive learning environment for web application security. It emulated various security flaws for the user to find. This enabled users to safely & legally practice web application vulnerability assessment techniques. In addition, users could benchmark their security audit tools to ensure they perform as advertised.

Collections

This is a list of collections of vulnerable applications:
  • Dojo: The Web Security Dojo project comes preloaded with several web app targets and tools for an easy no-install environment to get you started with learning web app security testing.
  • Moth: Moth is a VMware image with a set of vulnerable web applications and scripts, that you may use for testing web application security scanners, testing static code analysis tools (SCA), giving an introductory course to web application security
  • OWASP BWA: The OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a virtual machine.
  • Stanford Securibench: Stanford Securibench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. All the benchmarks are Java J2EE applications that can be run on a web server.
  • http://captf.com/practice-ctf
  • http://vulnhub.com

Online

This is a list of online applications that can be used for testing and learning. I did not include tool vendor websites, since it is not clear if these can be used by anyone (usually there is a statement that they can only be used for demonstrating the capabilities of the tool sold by that vendor):
  • Enigma Group: Enigma Group provides a series of challenges for people to test their pen-testing skills.
  • Google Gruyere: Google Gruyere shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:
    • How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
    • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
  • HACKME Game: This is a software security (web applications) learning game, intended to help raise awareness of and interest in the subject of software security as well as train developers.
  • OWASP HackAcademic: The OWASP Hackademic Challenges Project is an open source project that helps you test your knowledge on web application security. You can use it to actually attack web applications in a realistic but also controllable and safe environment. This is both an online and downloadable project. A customized version for Appsec Europe is online at http://www.hackademic.eu/.
  • p0wnlabs: Online versions of vulnerable applications and distributions.
  • Watcher Test Pages: Test pages for the Watcher tool, a Fiddler add-on which aims to assist penetration testers in passively finding Web-application vulnerabilities.
  • X5S Test Page: A small working example of how to use the x5s tool to detect encoding and transformation issues that can lead to XSS vulnerabilities.

Online malware scanner (updated)

Anubis is a service for analyzing malware.
http://anubis.iseclab.org

Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical bigram analysis and coarse-grained execution tracing.
http://eureka.cyber-ta.org

Comodo’s online file analysis tool.
http://camas.comodo.com

McAfee SiteAdvisor tests websites for spyware, spam and scams so you can search, surf and shop more safely.
http://www.siteadvisor.com

Ether provides Malware Analysis via Hardware Virtualization Extensions.
http://ether.gtisc.gatech.edu/web_unpack/

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.
http://www.threatexpert.com/submit.aspx

IPVoid allows users to scan an IP Address with multiple scanning services to facilitate the detection of IP Addresses that have committed malicious activity and to check if a website is hosted in a compromised server, used for spam, phishing or to host malicious content.
http://www.ipvoid.com

Netscty’s malware analysis sandbox tool performs cutting edge analysis of the potentially malicious file in our controlled environment. Provides a fast comprehensive evaluation of a variety of malware such as botnet software, viruses, spyware, trojans, and keyloggers.
http://netscty.com/malware-tool

JSUnpack Online – Online version of the stand-alone tool jsunpack.
http://jsunpack.jeek.org/dec/go

CWSandbox is an online service that runs files you submit through automated sandbox analysis.
http://www.rarst.net/web/cwsandbox/

Upload files that you suspect are malicious or infected by malicious components for instant analysis by Norman SandBox.
http://www.norman.com/security_center/security_tools/submit_file

PDF Analyzer allows you to view PDF objects as hex/text, also provides PDF dissector and inspector engines and scanning for known exploits.
http://www.malwaretracker.com/pdf.php

Sunbelt Sandbox is an approach to automatically analyze malware which is based on behavior analysis. Malware samples are executed for a finite time in a simulated environment, where all system calls are closely monitored.
http://mwanalysis.org

GFI's Sunbelt online sandbox engine.
http://www.sunbeltsecurity.com/sandbox/

URLVoid allows users to scan a website address with multiple scanning engines such as Google Diagnostic, McAfee SiteAdvisor, Norton SafeWeb, MyWOT to facilitate the detection of possible dangerous websites.
http://www.urlvoid.com

Symantec’s reputation service Norton Safe Web.
http://safeweb.norton.com

The AVG LinkScanner Drop Zone lets you check the safety of individual web pages you are about to visit, also will examine the web page in real time to see whether it’s hiding any suspicious downloads.
http://www.avg.com.au/resources/web-page-scanner/

Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.
http://wepawet.iseclab.org

Joebox Sandbox.
http://www.joebox.org/samples.php

With VirusTotal, send a file and see the detection results according to the AV vendors.
http://www.virustotal.com

Novirusthanks is a free service that allows users to upload and scan a file with multiple Antivirus engines. Users can also analyze a website url or a remote file with the option Scan Web Address.
http://www.novirusthanks.org/service/multi-engine-antivirus-scanner/

Jotti’s malware scan is a free online service that enables you to scan suspicious files with several anti-virus programs.
http://virusscan.jotti.org/en
 
Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!
