What is it?
This repository is a collection of various materials and tools that I use every day in my work. It contains a lot of useful information gathered in one piece. It is an invaluable source of knowledge for me that I often look back on.
"Knowledge is powerful, be careful how you use it!"
For everyone, really: there is something here for every taste. To be perfectly honest, though, it is aimed at system and network administrators, DevOps engineers, pentesters, and security researchers.
If you find something which doesn't make sense, or something doesn't seem right, please make a pull request and please add valid and well-reasoned explanations about your changes or comments.
A few simple rules for this project:
The rules below may serve as a better guide:
URLs marked \* are temporarily unavailable. Please don't delete them without confirming that they have permanently expired.
Before adding a pull request, please see the contributing guidelines. You should also remember about this:
GitHub exposes an RSS/Atom feed of the commits, which may also be useful if you want to be kept informed about all changes.
New items are also added on a regular basis.
| IP | URL |
| :--- | :--- |
| 84.200.69.80 | dns.watch |
| 94.247.43.254 | opennic.org |
| 64.6.64.6 | verisign.com |
| 89.233.43.71 | censurfridns.dk |
| 1.1.1.1 | cloudflare.com |
| 94.130.110.185 | dnsprivacy.at |
| Extension name | Description |
| :--- | :--- |
| IPvFoo | Display the server IP address and HTTPS information across all page elements. |
| FoxyProxy | Simplifies configuring browsers to access proxy servers. |
| HTTPS Everywhere | Automatically use HTTPS security on many sites. |
| uMatrix | Point & click to forbid/allow any class of requests made by your browser. |
| uBlock Origin | An efficient blocker: easy on memory and CPU footprint. |
| Session Buddy | Manage browser tabs and bookmarks with ease. |
| SuperSorter | Sort bookmarks recursively, delete duplicates, merge folders, and more. |
| Clear Cache | Clear your cache and browsing data. |
| d3coder | Encoding/decoding plugin for various types of encoding. |
| Web Developer | Adds a toolbar button with various web developer tools. |
| ThreatPinch Lookup | Add threat intelligence hover tool tips. |
| Extension name | Description |
| :--- | :--- |
| Active Scan++ | Extends Burp's active and passive scanning capabilities. |
| Autorize | Automatically detects authorization enforcement. |
| AuthMatrix | A simple matrix grid to define the desired levels of access privilege. |
| Logger++ | Logs requests and responses for all Burp tools in a sortable table. |
| Bypass WAF | Adds headers useful for bypassing some WAF devices. |
| JSON Beautifier | Beautifies JSON content in the HTTP message viewer. |
| JSON Web Tokens | Enables Burp to decode and manipulate JSON web tokens. |
| CSP Auditor | Displays CSP headers for responses, and passively reports CSP weaknesses. |
| CSP-Bypass | Passively scans for CSP headers that contain known bypasses. |
| Hackvertor | Converts data using a tag-based configuration to apply various encodings. |
| HTML5 Auditor | Scans for usage of risky HTML5 features. |
| Software Vulnerability Scanner | Vulnerability scanner based on the vulners.com audit API. |
| Turbo Intruder | A powerful bruteforcing tool. |
| Upload Scanner | Uploads a number of different file types, laced with different forms of payload. |
In Firefox's address bar, you can limit results by typing special characters before or after your term:

- `^` - for matches in your browsing history
- `*` - for matches in your bookmarks
- `%` - for matches in your currently open tabs
- `#` - for matches in page titles
- `@` - for matches in web addresses

Useful Chrome internal URLs:

- `chrome://chrome-urls` - list of all commands
- `chrome://flags` - enable experiments and development features
- `chrome://interstitials` - errors and warnings
- `chrome://net-internals` - network internals (events, dns, cache)
- `chrome://network-errors` - network errors
- `chrome://net-export` - start logging future network activity to a file
- `chrome://safe-browsing` - safe browsing options
- `chrome://user-actions` - record all user actions
- `chrome://restart` - restart chrome
- `chrome://dino` - ERR_INTERNET_DISCONNECTED...

Google search operator:

- `cache:<website-address>` - view the cached version of the web page

IP addresses can be shortened by dropping the zeroes, or written as a single decimal or hex number:

```
http://1.0.0.1     → http://1.1
http://127.0.0.1   → http://127.1
http://192.168.0.1 → http://192.168.1
http://0xC0A80001 or http://3232235521 → 192.168.0.1
http://192.168.257 → 192.168.1.1
http://192.168.516 → 192.168.2.4
```

> Clients parse these with inet_aton(3) rules (the last component fills all remaining bytes; hex, octal and plain decimal are accepted), so they bypass WAF and application filters for SSRF, open redirect, etc. that blacklist the literal dotted-quad string. Normalise the address before comparing it against a blocklist.
For more information please see How to Obscure Any URL and Magic IP Address Shortcuts.
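The filter-bypass above is only a problem for code that compares the raw string. The following is an added example (not part of the original cheat sheet) that reproduces inet_aton(3) parsing in plain shell, so the canonical dotted quad can be checked instead, and contrasts it with the naive substring blacklist the note describes. All inputs are constructed for the demo; the function and range list are this example's own, not from any library.

```bash
#!/usr/bin/env bash
# Added example: normalise "shortened" IPv4 forms the way inet_aton(3) does,
# then decide on the numeric address rather than on the raw string.

# inet_aton_normalize INPUT -> prints the canonical dotted quad, or fails.
inet_aton_normalize() {
  _in=$1
  # reject empty input and leading / trailing / doubled dots
  case $_in in ''|.*|*.|*..*) return 1 ;; esac
  _oldifs=$IFS; IFS=.; set -- $_in; IFS=$_oldifs
  [ $# -le 4 ] || return 1
  _n=$# _i=0 _total=0
  for _part; do
    # each part may be decimal, 0x-hex or 0-prefixed octal (shell arithmetic
    # shares inet_aton's rules); anything else, or an oversized token, is rejected
    [ ${#_part} -le 12 ] || return 1
    case $_part in
      0[xX]*) case ${_part#0[xX]} in ''|*[!0-9a-fA-F]*) return 1 ;; esac ;;
      0*[89]*) return 1 ;;        # octal form with an invalid digit, e.g. "08"
      *[!0-9]*) return 1 ;;
    esac
    _val=$(( $_part ))
    if [ $_i -lt $(( _n - 1 )) ]; then
      [ $_val -le 255 ] || return 1            # leading parts are single bytes
      _total=$(( _total | (_val << (24 - 8 * _i)) ))
    else
      # the last part fills every remaining byte: 192.168.257 -> 192.168.1.1
      [ $_val -lt $(( 1 << (8 * (4 - _i)) )) ] || return 1
      _total=$(( _total | _val ))
    fi
    _i=$(( _i + 1 ))
  done
  printf '%d.%d.%d.%d\n' $(( _total >> 24 & 255 )) $(( _total >> 16 & 255 )) \
                          $(( _total >> 8 & 255 )) $(( _total & 255 ))
}

# The naive check the note is about: substring match on the raw user input.
naive_blacklist_allows() {
  case $1 in *127.0.0.1*|*192.168.0.*|*169.254.169.254*) return 1 ;; esac
  return 0
}

# ssrf_target_allowed INPUT -> 0 if the *normalised* address is public.
# Blocks loopback, RFC 1918, link-local (cloud metadata lives there) and 0/8.
ssrf_target_allowed() {
  _ip=$(inet_aton_normalize "$1") || return 1
  _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs
  _a=$1 _b=$2
  if [ "$_a" -eq 127 ] || [ "$_a" -eq 10 ] || [ "$_a" -eq 0 ] \
     || { [ "$_a" -eq 172 ] && [ "$_b" -ge 16 ] && [ "$_b" -le 31 ]; } \
     || { [ "$_a" -eq 192 ] && [ "$_b" -eq 168 ]; } \
     || { [ "$_a" -eq 169 ] && [ "$_b" -eq 254 ]; }; then
    return 1
  fi
  return 0
}

# Demo over constructed inputs: every obfuscated form slips past the naive
# check and is caught once normalised.
for _t in 127.1 0x7f000001 2130706433 192.168.257 0xC0A80001 0251.0376.0251.0376 1.1 8.8.8.8; do
  printf '%-22s -> %-16s naive:%-5s normalised:%s\n' "$_t" "$(inet_aton_normalize "$_t")" \
    "$(naive_blacklist_allows "$_t" && echo allow || echo deny)" \
    "$(ssrf_target_allowed "$_t" && echo allow || echo deny)"
done
```

The same normalisation is what a server-side fetcher should do before consulting a blocklist; resolving hostnames first (and re-checking the resolved address) is the other half of that check, which this example leaves out.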
_Hashing_
plaintext :arrow_right: hash<br> hash :no_entry: plaintext
_Symmetric encryption_
plaintext :arrow_right: :key: :arrow_right: ciphertext<br> plaintext :arrow_left: :key: :arrow_left: ciphertext<br> (:key: shared key)
_Asymmetric encryption_
plaintext :arrow_right: :key: :arrow_right: ciphertext<br> plaintext :arrow_left: :part_alternation_mark: :arrow_left: ciphertext<br> (:key: public key, :part_alternation_mark: private key)<br>
_Encoding_
text :arrow_right: encoded<br> text :arrow_left: encoded
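The four arrows above are easy to confuse in practice (base64 output in particular is often mistaken for encryption). The following added example, not part of the original page, runs each transformation through openssl so the differences are observable: the digest has no inverse, the symmetric roundtrip needs the same passphrase, the asymmetric roundtrip encrypts with the public key and decrypts with the private one, and the encoding reverses with no key at all. The message, passphrase and file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: hashing vs. symmetric vs. asymmetric encryption vs. encoding,
# with openssl. Key material is written to a temporary directory.
_work=$(mktemp -d) && trap 'rm -rf "$_work"' EXIT

# Hashing: plaintext -> fixed-size digest; deterministic, and there is no way back.
digest() { printf '%s' "$1" | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Symmetric encryption: one shared key both ways (AES-256-CBC, key derived from
# the passphrase with PBKDF2 and a random salt, so each run gives a new ciphertext).
sym_encrypt() { printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "pass:$2" -base64 -A; }
sym_decrypt() { printf '%s' "$1" | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$2" -base64 -A 2>/dev/null; }

# Asymmetric encryption: anyone holding the public key can encrypt, only the
# private key holder can decrypt (RSA-2048, OAEP padding).
asym_keygen() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$_work/priv.pem" 2>/dev/null
  openssl pkey -in "$_work/priv.pem" -pubout -out "$_work/pub.pem"
}
asym_encrypt() {
  printf '%s' "$1" | openssl pkeyutl -encrypt -pubin -inkey "$_work/pub.pem" \
    -pkeyopt rsa_padding_mode:oaep | openssl base64 -A
}
asym_decrypt() {
  printf '%s' "$1" | openssl base64 -d -A | openssl pkeyutl -decrypt -inkey "$_work/priv.pem" \
    -pkeyopt rsa_padding_mode:oaep
}

# Encoding: reversible by anyone, no key involved. Not a security control.
encode() { printf '%s' "$1" | openssl base64 -A; }
decode() { printf '%s' "$1" | openssl base64 -d -A; }

# Demo with a constructed message and passphrase.
msg='attack at dawn'
asym_keygen
printf 'sha256(msg)                = %s\n' "$(digest "$msg")"
c=$(sym_encrypt "$msg" s3cret)
printf 'aes(msg, s3cret)           = %s\n' "$c"
printf 'aes^-1 with the right key  = %s\n' "$(sym_decrypt "$c" s3cret)"
printf 'aes^-1 with a wrong key    = %s\n' "$(sym_decrypt "$c" wrong)"
a=$(asym_encrypt "$msg")
printf 'rsa^-1(priv, rsa(pub,msg)) = %s\n' "$(asym_decrypt "$a")"
printf 'base64(msg)                = %s  (anyone can decode this)\n' "$(encode "$msg")"
```

Note that `openssl enc` offers no authenticated mode; for anything beyond a demo, prefer an AEAD construction (AES-GCM or ChaCha20-Poly1305) from a library, so tampering with the ciphertext is detected rather than silently decrypting to garbage.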
```bash
# Replace the current shell with a fresh login shell (re-reads profile files)
exec $SHELL -l

# Detach all background jobs from the shell and exit; the jobs keep running
disown -a && exit

# Kill the current shell outright (history is not written)
kill -9 $$

# Exit without saving the history file
unset HISTFILE && exit

# Run a command only if the previous one succeeded / failed
true && echo success
false || echo failed

# Send stdout and stderr to two different commands
some_command > >(/bin/cmd_for_stdout) 2> >(/bin/cmd_for_stderr)

# Log stdout and stderr to separate files while still showing both on the terminal
(some_command 2>&1 1>&3 | tee errorlog ) 3>&1 1>&2 | tee stdoutlog

# Top 20 most used commands in the history, with their share
history | \
awk '{CMD[$2]++;count++;}END { for (a in CMD)print CMD[a] " " CMD[a]/count*100 "% " a;}' | \
grep -v "./" | \
column -c3 -s " " -t | \
sort -nr | nl | head -n 20

# Strip commands that carry credentials (curl/wget passwords, auth headers,
# user:pass@ URLs) out of the in-memory history before each prompt
function sterile() {
  history | awk '$2 != "history" { $1=""; print $0 }' | grep -Evi "\
curl\b+.*(-E|--cert)\b+.*\b*|\
curl\b+.*--pass\b+.*\b*|\
curl\b+.*(-U|--proxy-user).*:.*\b*|\
curl\b+.*(-u|--user).*:.*\b*|\
.*(-H|--header).*(token|auth.*)\b+.*|\
wget\b+.*--.*password\b+.*\b*|\
http.?://.+:.+@.*\
" > "$HOME/histbuff"; history -c; history -r "$HOME/histbuff";
}
export PROMPT_COMMAND="sterile"
```

> Look also: A naive utility to censor credentials in command history.
```bash
# Back up a file in place: filename -> filename.orig
cp filename{,.orig}

# Truncate a file to zero length
>filename

# Remove everything except files matching the patterns (requires: shopt -s extglob)
rm !(*.foo|*.bar|*.baz)

# cat >filename  ... - overwrite the file
# cat >>filename ... - append to a file
cat > filename << __EOF__
data data data
__EOF__

# Edit a remote file over scp
vim scp://user@host//etc/fstab

# Create a directory and cd into it
mkd() { mkdir -p "$1" && cd "$1"; }

# Lowercase all file names in the current directory (perl rename)
rename 'y/A-Z/a-z/' *

# Draw a separator line across the whole terminal
printf "%`tput cols`s" | tr ' ' '#'

# Print the history without line numbers
history | cut -c 8-
fc -l -n 1 | sed 's/^\s*//'

# Kill the user's sshd sessions when the login shell exits.
# Append (>>) so /etc/profile is not overwritten, and quote the heredoc
# delimiter so $(whoami) is evaluated at logout time, not when this is written.
cat >> /etc/profile << '__EOF__'
_after_logout() {
  username=$(whoami)
  for _pid in $(ps afx | grep sshd | grep "$username" | awk '{print $1}') ; do
    kill -9 "$_pid"
  done
}
trap _after_logout EXIT
__EOF__

# Loops
for ((i=1; i<=10; i+=2)) ; do echo $i ; done
# alternative: seq 1 2 10
for ((i=5; i<=10; ++i)) ; do printf '%02d\n' $i ; done
# alternative: seq -w 5 10
for i in {1..10} ; do echo $i ; done

# Get notified when a file changes (re-uses the shell's mail check)
unset MAIL; export MAILCHECK=1; export MAILPATH='$FILE_TO_WATCH?$MESSAGE'

# Quick static web server from $HOME with busybox
busybox httpd -p $PORT -h $HOME [-c httpd.conf]

# Mount a 64 MB RAM disk
mount -t tmpfs tmpfs /mnt -o size=64M
#   -t - filesystem type
#   -o - mount options

# Remount the root filesystem read-write
mount -o remount,rw /

# Which processes have a file open
fuser /var/log/daemon.log
```
```bash
fuser -v /home/supervisor

# Kill processes using a file
fuser -ki filename
#   -i - interactive option
fuser -k -HUP filename
#   --list-signals - list available signal names

# Processes using a port / a mount point
fuser -v 53/udp
fuser -mv /var/www

# lsof: network connections, listening sockets, by command, by user
lsof -P -i -n
lsof -i tcp:443
lsof -Pan -i tcp -i udp
lsof -i -P | grep -i "listen"
lsof -Pnl -i
lsof -Pni4 | grep LISTEN | column -t
lsof -c "process"
lsof -u username -a +D /etc

# Largest open files (> 1 MB)
lsof / | \
awk '{ if($7 > 1048576) print $7/1048576 "MB" " " $9 " " $1 }' | \
sort -n -u | tail | column -t

# Current working directory of a process
lsof -p <PID> | grep cwd

# Process tree, process count per user, processes by command name
ps awwfux | less -S
ps hax -o user | sort | uniq -c | sort -r
ps -lfC nginx

# Files modified in the last hour / larger than 20 MB
find / -mmin 60 -type f
find / -type f -size +20M

# Duplicate files by content
find -type f -exec md5sum '{}' ';' | sort | uniq --all-repeated=separate -w 33

# Normalise permissions under a web root. Note: 766 makes every file
# world-writable, which is dangerous on a web root; 664 for files and
# g+rwx for directories is the usual group-writable layout.
cd /var/www/site && find . -type f -exec chmod 766 {} \;
cd /var/www/site && find . -type f -exec chmod 664 {} +
cd /var/www/site && find . -type d -exec chmod g+x {} \;
cd /var/www/site && find . -type d -exec chmod g+rwx {} +

# Find by owner / group
# User:
find . -user <username> -print
find /etc -type f -user <username> -name "*.conf"
# Group:
find /opt -group <group>
find /etc -type f -group <group> -iname "*.conf"

# Find files NOT owned by a user / group
# User:
find . \! -user <username> -print
# Group:
find . \! -group <group>

# Find by owner and permissions
# User:
find . -user <username> -perm -u+rw          # owner has at least rw
find /home -user $(whoami) -perm 777         # exactly -rwxrwxrwx
# Group:
find /home -type d -group <group> -perm 755  # exactly -rwxr-xr-x

# Delete files older than 60 days; remove empty directories
find . -type f -mtime +60 -delete
find . -depth -type d -empty -exec rmdir {} \;

# Hard links to the same file (stay on one filesystem)
find </path/to/dir> -xdev -samefile filename

# Most recently modified files
find . -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | head

# Replace a string in every file, skipping .git
find . -not -path '*/\.git*' -type f -print0 | xargs -0 sed -i 's/foo/bar/g'

# Rename files, replacing foo with bar in the name
find . -depth -name '*test*' -execdir bash -c 'mv -v "$1" "${1//foo/bar}"' _ {} \;

# List setuid / setgid binaries (privilege-escalation audit)
find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -la {} \;

# top restricted to processes whose name contains <str> (eg. nginx, worker)
top -p $(pgrep -d , <str>)

# vmstat: 2 - delay in seconds, 20 - count, -t - timestamp, -w - wide output,
#         -S M - fields in megabytes instead of kilobytes
vmstat 2 20 -t -w
vmstat 5 -w
vmstat -D
vmstat -s
vmstat -m

# iostat: 2 - delay in seconds, 10 - count, -t - timestamp,
#         -m - fields in megabytes (-k - kilobytes, default)
iostat 2 10 -t -m
iostat 2 10 -t -m -c
iostat 2 10 -t -m -d
iostat -N
```
```bash
# 1) Attach to a running process and follow its children
strace -f -p $(pidof glusterfsd)
# 2) Attach to every php-fpm worker at once
strace -f $(pidof php-fpm | sed 's/\([0-9]*\)/\-p \1/g')

# Trace a process by its pid file for 30 seconds
timeout 30 strace -p $(< /var/run/zabbix/zabbix_agentd.pid)

# Trace all apache processes to a file
ps auxw | grep '[a]pache' | awk '{print " -p " $2}' | \
xargs strace -o /tmp/strace-apache-proc.out

# Only network syscalls, with timings and long string dumps
ps auxw | grep '[i]init_policy' | awk '{print " -p " $2}' | \
xargs strace -f -e trace=network -T -s 10000

# Trace bind()/network calls of a new process
strace -f -e trace=bind nc -l 80
strace -f -e trace=network nc -lu 80

# Kill the process listening on a port
kill -9 $(lsof -i :<port> | awk '{l=$2} END {print l}')

# Compare two directory trees; compare command outputs
diff <(cd directory1 && find | sort) <(cd directory2 && find | sort)
diff <(cat /etc/passwd) <(cut -f2 /etc/passwd)

# vimdiff on files, on normalised JSON, on binaries via hexdump
vimdiff file1 file2
vimdiff <(jq -S . A.json) <(jq -S . B.json)
d(){ vimdiff <(f $1) <(f $2);};f(){ hexdump -C $1 | cut -d' ' -f3- | tr -s ' ';}; d ~/bin1 ~/bin2
```

Save diffchar @ ~/.vim/plugins and press F7 to switch between diff modes.

Useful vimdiff commands:

- `qa` - exit all windows
- `:vertical resize 70` - resize the window
- `Ctrl+W [N columns]+(Shift+)<\>`

```bash
# Timestamp each line of a growing log
tail -f file | while read ; do echo "$(date +%T.%N) $REPLY" ; done

# Top client IPs in the last 10000 access log lines
tail -10000 access_log | awk '{print $1}' | sort | uniq -c | sort -n | tail

# Follow a log and show only HTTP 5xx responses
tail -n 100 -f /path/to/logfile | grep "HTTP/[1-2].[0-1]\" [5]"
```
```bash
# Full system backup with tar + gzip, skipping pseudo filesystems and mounts
cd /
tar -czvpf /mnt/system$(date +%d%m%Y%s).tgz --directory=/ \
--exclude=proc/* --exclude=sys/* --exclude=dev/* --exclude=mnt/* .

# Same, compressed in parallel with pigz
cd /
tar cvpf /backup/snapshot-$(date +%d%m%Y%s).tgz --directory=/ \
--exclude=proc/* --exclude=sys/* --exclude=dev/* \
--exclude=mnt/* --exclude=tmp/* --use-compress-program=pigz .

# dump / restore (ext2/3/4 filesystems)
dump -y -u -f /backup/system$(date +%d%m%Y%s).lzo /
cd /
restore -rf /backup/system$(date +%d%m%Y%s).lzo

# Limit a process to 50% of a CPU
cpulimit -p pid -l 50

# Working directory of a process
pwdx <pid>

# Pin a command to CPU 0
taskset -c 0 <command>

# Show $PATH one entry per line
tr : '\n' <<<$PATH

# Remove the execute bit from files but keep it on directories
chmod -R -x+X *
```
```bash
# Recover when /bin/chmod has lost its execute bit
# 1: cp keeps the destination's mode, so copy chmod over an executable copy of ls
c# 1:
cp /bin/ls chmod.01
cp /bin/chmod chmod.01
./chmod.01 700 file
# 2: use busybox's chmod
/bin/busybox chmod 0700 /bin/chmod
# 3: set the mode through the ACL interface
setfacl --set u::rwx,g::---,o::--- /bin/chmod

# Last system boot time
who -b

# Warn when the shell runs under su as a different user
[[ $(who -m | awk '{ print $1 }') == $(whoami) ]] || echo "You are su-ed to $(whoami)"

# Was the last reboot preceded by a clean shutdown, or was it a panic/power loss?
(last -x -f $(ls -1t /var/log/wtmp* | head -2 | tail -1); last -x -f /var/log/wtmp) | \
grep -A1 reboot | head -2 | grep -q shutdown && echo "Expected reboot" || echo "Panic reboot"

# Run a command in a detached screen; reattach a session
screen -d -m <command>
screen -r -d <pid>

### Record session
# 1)
script -t 2>~/session.time -a ~/session.log
# 2)
script --timing=session.time session.log
### Replay session
```
```bash
scriptreplay --timing=session.time session.log

# 20 largest directories, human readable
du | \
sort -r -n | \
awk '{split("K M G",v); s=1; while($1>1024){$1/=1024; s++} print int($1)" "v[s]"\t"$2}' | \
head -n 20

# Re-list a directory whenever something inside it changes
while true ; do inotifywait -r -e MODIFY dir/ && ls dir/ ; done;

# TLS: certificate chain, OCSP stapling status, SNI, forced protocol / cipher
echo | openssl s_client -connect google.com:443 -showcerts
echo | openssl s_client -connect google.com:443 -showcerts -tlsextdebug -status
echo | openssl s_client -showcerts -servername google.com -connect google.com:443
openssl s_client -tls1_2 -connect google.com:443
openssl s_client -cipher 'AES128-SHA' -connect google.com:443

# TLS 1.3 0-RTT: store a session, then resume it and send the request as early data
_host="example.com"
cat > req.in << __EOF__
HEAD / HTTP/1.1
Host: $_host
Connection: close
__EOF__
openssl s_client -connect ${_host}:443 -tls1_3 -sess_out session.pem -ign_eof < req.in
openssl s_client -connect ${_host}:443 -tls1_3 -sess_in session.pem -early_data req.in
```
```bash
# Generate an RSA private key (_len: 2048, 4096)
( _fd="private.key" ; _len="2048" ; \
openssl genrsa -out ${_fd} ${_len} )

# Generate a passphrase-protected RSA private key (_ciph: aes128, aes256; _len: 2048, 4096)
( _ciph="aes128" ; _fd="private.key" ; _len="2048" ; \
openssl genrsa -${_ciph} -out ${_fd} ${_len} )

# Remove the passphrase from a private key
( _fd="private.key" ; _fd_unp="private_unp.key" ; \
openssl rsa -in ${_fd} -out ${_fd_unp} )

# Add a passphrase to a private key (_ciph: aes128, aes256)
( _ciph="aes128" ; _fd="private.key" ; _fd_pass="private_pass.key" ; \
openssl rsa -${_ciph} -in ${_fd} -out ${_fd_pass} )

# Check the consistency of a private key
( _fd="private.key" ; \
openssl rsa -check -in ${_fd} )

# Extract the public key from a private key
( _fd="private.key" ; _fd_pub="public.key" ; \
openssl rsa -pubout -in ${_fd} -out ${_fd_pub} )

# Generate a new private key and a CSR in one step
( _fd="private.key" ; _fd_csr="request.csr" ; _len="2048" ; \
openssl req -out ${_fd_csr} -new -newkey rsa:${_len} -nodes -keyout ${_fd} )

# Generate a CSR from an existing private key
( _fd="private.key" ; _fd_csr="request.csr" ; \
openssl req -out ${_fd_csr} -new -key ${_fd} )
```

> Where private.key is the existing private key. As you can see, you do not generate this CSR from your certificate (public key). Also, you do not generate the "same" CSR, just a new one to request a new certificate.
```bash
# Generate a CSR from an existing certificate and its private key
( _fd="private.key" ; _fd_csr="request.csr" ; _fd_crt="cert.crt" ; \
openssl x509 -x509toreq -in ${_fd_crt} -out ${_fd_csr} -signkey ${_fd} )

# Generate a CSR with subjectAltName entries, non-interactively
( _fd="private.key" ; _fd_csr="request.csr" ; \
openssl req -new -sha256 -key ${_fd} -out ${_fd_csr} \
-config <(
cat << __EOF__
[req]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
C = "<two-letter ISO abbreviation for your country>"
ST = "<state or province where your organisation is legally located>"
L = "<city where your organisation is legally located>"
O = "<legal name of your organisation>"
OU = "<section of the organisation>"
CN = "<fully qualified domain name>"
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = <fully qualified domain name>
DNS.2 = <next domain>
DNS.3 = <next domain>
__EOF__
))
```

Other values in `[ dn ]`:

```
countryName = "DE" # C=
stateOrProvinceName = "Hessen" # ST=
localityName = "Keller" # L=
postalCode = "424242" # L/postalcode=
postalAddress = "Keller" # L/postaladdress=
streetAddress = "Crater 1621" # L/street=
organizationName = "apfelboymschule" # O=
organizationalUnitName = "IT Department" # OU=
commonName = "example.com" # CN=
emailAddress = "[email protected]" # CN/emailAddress=
```

Example of oids (you'll probably also have to make OpenSSL aware of the new fields required for EV by adding the following under `[new_oids]`):

```
[req]
...
oid_section = new_oids
[ new_oids ]
postalCode = 2.5.4.17
streetAddress = 2.5.4.9
```

Full example:
```bash
( _fd="private.key" ; _fd_csr="request.csr" ; \
openssl req -new -sha256 -key ${_fd} -out ${_fd_csr} \
-config <(
cat << __EOF__
[req]
default_bits = 2048
default_md = sha256
prompt = no
distinguished_name = dn
req_extensions = req_ext
oid_section = new_oids
[ new_oids ]
serialNumber = 2.5.4.5
streetAddress = 2.5.4.9
postalCode = 2.5.4.17
businessCategory = 2.5.4.15
[ dn ]
serialNumber=00001111
businessCategory=Private Organization
jurisdictionC=DE
C=DE
ST=Hessen
L=Keller
postalCode=424242
streetAddress=Crater 1621
O=AV Company
OU=IT
CN=example.com
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.com
__EOF__
))
```

For more information please look at these great explanations:
```bash
# List the EC curves this OpenSSL build supports
openssl ecparam -list_curves

# Inspect an EC private key
( _fd="private.key" ; \
openssl ec -in ${_fd} -noout -text )
# For X25519 keys, openssl ec does not apply; only extracting the public key is possible:
( _fd="private.key" ; _fd_pub="public.key" ; \
openssl pkey -in ${_fd} -pubout -out ${_fd_pub} )

# Generate an EC private key (_curve: prime256v1, secp521r1, secp384r1)
( _fd="private.key" ; _curve="prime256v1" ; \
openssl ecparam -out ${_fd} -name ${_curve} -genkey )
# _curve: X25519
( _fd="private.key" ; _curve="x25519" ; \
openssl genpkey -algorithm ${_curve} -out ${_fd} )

# Generate an EC key and a CSR (_curve: prime256v1, secp521r1, secp384r1)
( _fd="domain.com.key" ; _fd_csr="domain.com.csr" ; _curve="prime256v1" ; \
openssl ecparam -out ${_fd} -name ${_curve} -genkey ; \
openssl req -new -key ${_fd} -out ${_fd_csr} -sha256 )

# Self-signed certificate with a new RSA key (_len: 2048, 4096)
( _fd="domain.key" ; _fd_out="domain.crt" ; _len="2048" ; _days="365" ; \
openssl req -newkey rsa:${_len} -nodes \
-keyout ${_fd} -x509 -days ${_days} -out ${_fd_out} )

# Self-signed certificate from an existing key
( _fd="domain.key" ; _fd_out="domain.crt" ; _days="365" ; \
openssl req -key ${_fd} \
-x509 -days ${_days} -out ${_fd_out} )

# Self-signed certificate from an existing CSR and key (openssl x509 has no -nodes option)
( _fd="domain.key" ; _fd_csr="domain.csr" ; _fd_out="domain.crt" ; _days="365" ; \
openssl x509 -signkey ${_fd} \
-in ${_fd_csr} -req -days ${_days} -out ${_fd_out} )

# Generate Diffie-Hellman parameters and inspect them
( _dh_size="2048" ; \
openssl dhparam -out /etc/nginx/ssl/dhparam_${_dh_size}.pem "$_dh_size" )
openssl pkeyparam -in dhparam.pem -text

# PKCS#12 (.pfx): extract the private key only; extract key and certificates
( _fd_pfx="cert.pfx" ; _fd_key="key.pem" ; \
openssl pkcs12 -in ${_fd_pfx} -nocerts -nodes -out ${_fd_key} )
( _fd_pfx="cert.pfx" ; _fd_pem="key_certs.pem" ; \
openssl pkcs12 -in ${_fd_pfx} -nodes -out ${_fd_pem} )

# PKCS#7 (.p7b) to PEM. A PKCS#7 file does not include private keys.
( _fd_p7b="cert.p7b" ; _fd_pem="cert.pem" ; \
openssl pkcs7 -inform DER -outform PEM -in ${_fd_p7b} -print_certs > ${_fd_pem} )
# or:
( _fd_p7b="cert.p7b" ; _fd_pem="cert.pem" ; \
openssl pkcs7 -print_certs -in ${_fd_p7b} -out ${_fd_pem} )

# DER -> PEM and PEM -> DER
( _fd_der="cert.crt" ; _fd_pem="cert.pem" ; \
openssl x509 -in ${_fd_der} -inform der -outform pem -out ${_fd_pem} )
( _fd_der="cert.crt" ; _fd_pem="cert.pem" ; \
openssl x509 -in ${_fd_pem} -outform der -out ${_fd_der} )

# Inspect a private key
( _fd="private.key" ; \
openssl rsa -noout -text -in ${_fd} )
# 1) inspect a public key
( _fd="public.key" ; \
openssl pkey -noout -text -pubin -in ${_fd} )
# 2) only check that the private key parses
( _fd="private.key" ; \
openssl rsa -inform PEM -noout -in ${_fd} &> /dev/null && echo "OK" )

# Inspect a certificate (format: pem, cer, crt) and a CSR
( _fd="certificate.crt" ; \
openssl x509 -noout -text -in ${_fd} )
( _fd_csr="request.csr" ; \
openssl req -text -noout -in ${_fd_csr} )

# Does the private key match the certificate / the CSR? A single line of
# output means the modulus hashes are identical.
(openssl rsa -noout -modulus -in private.key | openssl md5 ; \
openssl x509 -noout -modulus -in certificate.crt | openssl md5) | uniq
(openssl rsa -noout -modulus -in private.key | openssl md5 ; \
openssl req -noout -modulus -in request.csr | openssl md5) | uniq
```
```bash
# Securely wipe a file / a whole disk
shred -vfuz -n 10 file
shred --verbose --random-source=/dev/urandom -n 1 /dev/sda
scrub -p dod /dev/sda
scrub -p dod -r file
badblocks -s -w -t random -v /dev/sda
badblocks -c 10240 -s -w -t random -v /dev/sda

# secure-delete suite: a file, free space, RAM, swap
srm -vz /tmp/file
sfill -vz /local
sdmem -v
swapoff /dev/sda5 && sswap -vz /dev/sda5

# dd progress: built-in, or poke a running dd with SIGUSR1 every 5 seconds
dd <dd_params> status=progress
watch --interval 5 killall -USR1 dd

# Write a string to a file with dd
echo "string" | dd of=filename

# gpg
gpg --export --armor "<username>" > username.pkey
#   --export - export all keys from all keyrings, or a specific key
#   -a|--armor - create ASCII armored output
gpg -e -r "<username>" dump.sql
#   -e|--encrypt - encrypt data
#   -r|--recipient - encrypt for a specific <username>
gpg -o dump.sql -d dump.sql.gpg
#   -o|--output - use as output file
#   -d|--decrypt - decrypt data (default)
gpg --keyserver hkp://keyserver.ubuntu.com --search-keys "<username>"
#   --keyserver - set a specific key server
#   --search-keys - search for keys on a key server
gpg --batch --list-packets archive.gpg
gpg2 --batch --list-packets archive.gpg

# Reboot via SysV init (runlevel 6); re-exec init
exec /sbin/init 6
exec /sbin/init

# Working directory and executable of a running process
readlink -f /proc/<PID>/cwd
readlink -f /proc/<PID>/exe

# curl
curl -Iks https://www.google.com
#   -I - show response headers only
#   -k - insecure connection when using ssl
#   -s - silent mode (do not display the body)
curl -Iks --location -X GET -A "x-agent" https://www.google.com
#   --location - follow redirects
#   -X - set method
#   -A - set user-agent
curl -Iks --location -X GET -A "x-agent" --proxy http://127.0.0.1:16379 https://www.google.com
#   --proxy [socks5://|http://] - set proxy server
curl -o file.pdf -C - https://example.com/Aiju2goo0Ja2.pdf
#   -o - write output to file
#   -C - resume the transfer

# Public IP address
curl ipinfo.io
curl ipinfo.io/ip
curl icanhazip.com
curl ifconfig.me/ip ; echo
```
```bash
# URL sequence substitution with a dummy query string (quote the URL so the
# shell does not treat the brackets as a glob):
curl -ks 'https://example.com/?[1-20]'
# With a shell 'for' loop:
for i in {1..20} ; do curl -ks https://example.com/ ; done
```
```bash
### Set domains and external dns servers.
_domain_list=(google.com) ; _dns_list=("8.8.8.8" "1.1.1.1")
for _domain in "${_domain_list[@]}" ; do
  printf '=%.0s' {1..48}
  echo
  printf "[\\e[1;32m+\\e[m] resolve: %s\\n" "$_domain"
  for _dns in "${_dns_list[@]}" ; do
    # Resolve domain.
    host "${_domain}" "${_dns}"
    echo
  done
  for _proto in http https ; do
    printf "[\\e[1;32m+\\e[m] trace + headers: %s://%s\\n" "$_proto" "$_domain"
    # Get trace and http headers.
    curl -Iks -A "x-agent" --location "${_proto}://${_domain}"
    echo
  done
done
unset _domain_list _dns_list
```

```bash
# httpie
http -p Hh https://www.google.com
#   -p - print request and response headers:
#     H - request headers
#     B - request body
#     h - response headers
#     b - response body
http -p Hh https://www.google.com --follow --verify no
#   -F, --follow - follow redirects
#   --verify no - skip SSL verification
http -p Hh https://www.google.com --follow --verify no \
--proxy http:http://127.0.0.1:16379
#   --proxy [http:] - set proxy server
```
```
# Supported ssh escape sequences:
~.  - terminate connection (and any multiplexed sessions)
~B  - send a BREAK to the remote system
~C  - open a command line
~R  - request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~#  - list forwarded connections
~&  - background ssh (when waiting for connections to terminate)
~?  - this message
~~  - send the escape character by typing it twice
```

```bash
# Diff a remote file against a local one
ssh user@host cat /path/to/remotefile | diff /path/to/localfile -

# Reach a host through a jump host
ssh -t reachable_host ssh unreachable_host

# Run the commands stored in a local file on the remote host
cat > cmd.txt << __EOF__
cat /etc/hosts
__EOF__
ssh host -l user $(<cmd.txt)

# Public key of a private key; fingerprints of known hosts
ssh-keygen -y -f ~/.ssh/id_rsa
ssh-keygen -l -f .ssh/known_hosts

# Force password / public key authentication
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@remote_host
ssh -o PreferredAuthentications=publickey -o PubkeyAuthentication=yes -i id_rsa user@remote_host

# Log every ssh session to a per-day file
function _ssh_sesslog() {
  _sesdir="<path/to/session/logs>"
  mkdir -p "${_sesdir}" && \
  ssh "$@" 2>&1 | tee -a "${_sesdir}/$(date +%Y%m%d).log"
}
# Alias:
alias ssh='_ssh_sesslog'
```
```bash
### Delete all of ssh-agent's keys.
function _scl() {
  /usr/bin/keychain --clear
}
### Add key to keychain.
function _scg() {
  /usr/bin/keychain /path/to/private-key
  source "$HOME/.keychain/$HOSTNAME-sh"
}

# Force a tty and run bash on the remote host
ssh -tt user@host bash
```

Example 1:

```bash
# Forwarding our local 2250 port to nmap.org:443 from localhost through localhost
host1> ssh -L 2250:nmap.org:443 localhost
# Connect to the service:
host1> curl -Iks --location -X GET https://localhost:2250
```

Example 2:

```bash
# Forwarding our local 9051 port to db.d.x:5432 from localhost through node.d.y
host1> ssh -nNT -L 9051:db.d.x:5432 node.d.y
# Connect to the service:
host1> psql -U db_user -d db_dev -p 9051 -h localhost
```

- `-n` - redirects stdin from /dev/null
- `-N` - do not execute a remote command
- `-T` - disable pseudo-terminal allocation

Remote (reverse) forwarding:

```bash
# Expose db.d.x:5432, reachable from host1, as port 9051 on node.d.y (host2)
host1> ssh -nNT -R 9051:db.d.x:5432 node.d.y
# Connect to the service on node.d.y through the remote listen port:
host2> psql -U postgres -d postgres -p 9051 -h localhost
```

```bash
# Check whether a remote port is open using bash's /dev/tcp and /dev/udp
timeout 1 bash -c "</dev/<proto>/<host>/<port>" >/dev/null 2>&1 ; echo $?
#   <proto> - tcp or udp
#   <host> - remote host
#   <port> - destination port

# Interactive raw TCP client on file descriptor 5
exec 5<>/dev/tcp/<host>/<port>; cat <&5 & cat >&5; exec 5>&-
```

```bash
# tcpdump
tcpdump -ne -i eth0 -Q in host 192.168.252.1 and port 443
#   -n - don't convert addresses (-nn also skips hostname and port resolution)
#   -e - print the link-level headers
#   -i [iface|any] - set interface
#   -Q|-D [in|out|inout] - choose send/receive direction (-D on old tcpdump versions)
#   host [ip|hostname] - set host, also [host not]
#   [and|or] - set logic
#   port [1-65535] - set port number, also [port not]

# Capture 5 packets to a file
tcpdump -ne -i eth0 -Q in host 192.168.252.1 and port 443 -c 5 -w tcpdump.pcap
#   -c [num] - capture only num packets
#   -w [filename] - write packets to file; -r [filename] - read from file

tcpdump -nei eth0 icmp
tcpdump -nei eth0 tcp port 22 -vv -X | egrep "TCP|UDP"
tcpdump -i eth0 -A -s0 port 443
tcpdump -i eth0 port 80 -X | sed -n -e '/username/,/=ldap/ p'

# Sniff cleartext credentials in HTTP traffic
tcpdump -i eth0 port http -l -A | egrep -i \
'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' \
--color=auto --line-buffered -B20

# User agents
tcpdump -ei eth0 -nn -A -s1500 -l | grep "User-Agent:"

# Only HTTP GET and POST requests ("GET " / "POST" at the start of the TCP payload)
tcpdump -ei eth0 -s 0 -A -vv \
'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' or 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354'
# or simply:
tcpdump -ei eth0 -s 0 -v -n -l | egrep -i "POST /|GET /|Host:"

# Rotate capture files every hour or every 200 MB
tcpdump -ei eth0 -w /tmp/capture-%H.pcap -G 3600 -C 200
#   -G <num> - a new pcap is created every <num> seconds
#   -C <size> - close the current pcap and open a new one when it grows larger than <size> MB

# Top 20 source addresses in a 200-packet sample
tcpdump -ei enp0s25 -nnn -t -c 200 | cut -f 1,2,3,4 -d '.' | sort | uniq -c | sort -nr | head -n 20

# Everything that is not purely internal traffic
tcpdump -nei eth0 'not (src net (10 or 172.16/12 or 192.168/16) and dst net (10 or 172.16/12 or 192.168/16))'

# Re-read a pcap with tcpick every 2 seconds
while true ; do tcpick -a -C -r dump.pcap ; sleep 2 ; clear ; done
```

```bash
# ngrep
ngrep -d eth0 "www.domain.com" port 443
#   -d [iface|any] - set interface
#   [domain] - set hostname
#   port [1-65535] - set port number
ngrep -d eth0 "www.domain.com" src host 10.240.20.2 and port 443
#   (host [ip|hostname]) - filter by ip or hostname
#   (port [1-65535]) - filter by port number
ngrep -d eth0 -qt -O ngrep.pcap "www.domain.com" port 443
#   -q - quiet mode (only payloads)
#   -t - add timestamps
#   -O [filename] - save output to file; -I [filename] - read from file
ngrep -d eth0 -qt 'HTTP' 'tcp'
#   HTTP - show http headers
#   tcp|udp - set protocol
#   [src|dst] host [ip|hostname] - set direction for a specific node
ngrep -l -q -d eth0 -i "User-Agent: curl*"
#   -l - stdout line buffered
#   -i - case-insensitive search
```

```bash
# hping3
hping3 -V -p 80 -s 5050 <scan_type> www.google.com
#   -V|--verbose - verbose mode
#   -p|--destport - set destination port
#   -s|--baseport - set source port
#   <scan_type> - set scan type:
#     -F|--fin - set FIN flag, port open if no reply
#     -S|--syn - set SYN flag
#     -P|--push - set PUSH flag
#     -A|--ack - set ACK flag (use when ping is blocked; an RST comes back if the port is open)
#     -U|--urg - set URG flag
#     -Y|--ymas - set Y unused flag (0x80 - nullscan), port open if no reply
#     -M 0 -UPF - set TCP sequence number and scan type (URG+PUSH+FIN), port open if no reply
hping3 -V -c 1 -1 -C 8 www.google.com
#   -c [num] - packet count
#   -1 - set ICMP mode
#   -C|--icmptype [icmp-num] - set icmp type (default icmp-echo = 8)
hping3 -V -c 1000000 -d 120 -S -w 64 -p 80 --flood --rand-source <remote_host>
#   --flood - send packets as fast as possible (don't show replies)
#   --rand-source - random source address mode
#   -d --data - data size
#   -w|--win - winsize (default 64)
```

```bash
# nmap: ping sweep, fast scan of open ports, full service scan, feed results to nikto
nmap -sP 192.168.0.0/24
nmap -F --open 192.168.0.0/24
nmap -p 1-65535 -sV -sS -T4 192.168.0.0/24
nmap -p80,443 192.168.0.0/24 -oG - | nikto.pl -h -
```
```bash
# Set variables:
_hosts="192.168.250.10"
_ports="80,443"
# Set Nmap NSE scripts stack:
_nmap_nse_scripts="+dns-brute,\
+http-auth-finder,\
+http-chrono,\
+http-cookie-flags,\
+http-cors,\
+http-cross-domain-policy,\
+http-csrf,\
+http-dombased-xss,\
+http-enum,\
+http-errors,\
+http-git,\
+http-grep,\
+http-internal-ip-disclosure,\
+http-jsonp-detection,\
+http-malware-host,\
+http-methods,\
+http-passwd,\
+http-phpself-xss,\
+http-php-version,\
+http-robots.txt,\
+http-sitemap-generator,\
+http-shellshock,\
+http-stored-xss,\
+http-title,\
+http-unsafe-output-escaping,\
+http-useragent-tester,\
+http-vhosts,\
+http-waf-detect,\
+http-waf-fingerprint,\
+http-xssed,\
+traceroute-geolocation,\
+ssl-enum-ciphers,\
+whois-domain,\
+whois-ip"
# Set Nmap NSE script params:
_nmap_nse_scripts_args="dns-brute.domain=${_hosts},http-cross-domain-policy.domain-lookup=true,"
_nmap_nse_scripts_args+="http-waf-detect.aggro,http-waf-detect.detectBodyChanges,"
_nmap_nse_scripts_args+="http-waf-fingerprint.intensive=1"
# Perform scan:
nmap --script="$_nmap_nse_scripts" --script-args="$_nmap_nse_scripts_args" -p "$_ports" "$_hosts"
```

```bash
# Listen, and keep listening after the client disconnects
nc -kl 5000
#   -l - listen for an incoming connection
#   -k - keep listening after the client has disconnected
#   >filename.out - save received data to a file (optional)

# Send a file to a remote host
nc 192.168.0.1 5051 < filename.in
#   < filename.in - send data to the remote host

# Port check / port scan
nc -vz 10.240.30.3 5000
#   -v - verbose output
#   -z - scan for listening daemons
nc -vzu 10.240.30.3 1-65535
#   -u - scan only udp ports

# Transfer a directory
server> nc -l 5000 | tar xzvfp -
client> tar czvfp - /path/to/dir | nc 10.240.30.3 5000

# Bind shell (no authentication: anyone who can reach the port gets the shell)
# 1) netcat with -e
server> nc -l 5000 -e /bin/bash
client> nc 10.240.30.3 5000
# 2) netcat without -e; listen on all interfaces so the remote client can connect
server> rm -f /tmp/f; mkfifo /tmp/f
server> cat /tmp/f | /bin/bash -i 2>&1 | nc -l 5000 > /tmp/f
client> nc 10.240.30.3 5000

# Receive tarballs in a loop
while true ; do nc -l 5000 | tar -xvf - ; done

# Minimal HTTP responder
while true ; do nc -l -p 1500 -c 'echo -e "HTTP/1.1 200 OK\n\n $(date)"' ; done
```

> Restarts the web server after each request; remove the while loop to serve a single connection only.
```bash
cat > index.html << __EOF__
<!doctype html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title></title>
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<p>
Hello! It's a site.
</p>
</body>
</html>
__EOF__
```

```bash
server> while : ; do \
(echo -ne "HTTP/1.1 200 OK\r\nContent-Length: $(wc -c <index.html)\r\n\r\n" ; cat index.html;) | \
nc -l -p 5000 \
; done
#   -p - port number
```
```bash
#!/usr/bin/env bash
# nc-proxy: forward a local port to a backend and print both directions
# (=> client to backend, <= backend to client) on the terminal.
if [[ $# != 2 ]] ; then
  printf "%s\\n" \
  "usage: ./nc-proxy listen-port bk_host:bk_port"
  exit 1
fi
_listen_port="$1"
_bk_host=$(echo "$2" | cut -d ":" -f1)
_bk_port=$(echo "$2" | cut -d ":" -f2)
printf " lport: %s\\nbk_host: %s\\nbk_port: %s\\n\\n" \
"$_listen_port" "$_bk_host" "$_bk_port"
_tmp=$(mktemp -d)
_back="$_tmp/pipe.back"
_sent="$_tmp/pipe.sent"
_recv="$_tmp/pipe.recv"
trap 'rm -rf "$_tmp"' EXIT
mkfifo -m 0600 "$_back" "$_sent" "$_recv"
sed "s/^/=> /" <"$_sent" &
sed "s/^/<= /" <"$_recv" &
nc -l -p "$_listen_port" <"$_back" | \
tee "$_sent" | \
nc "$_bk_host" "$_bk_port" | \
tee "$_recv" >"$_back"
```
```
server> chmod +x nc-proxy && ./nc-proxy 8080 192.168.252.10:8000
 lport: 8080
bk_host: 192.168.252.10
bk_port: 8000

client> http -p h 10.240.30.3:8080
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Length: 2748
Content-Type: text/html; charset=utf-8
Date: Sun, 01 Jul 2018 20:12:08 GMT
Last-Modified: Sun, 01 Apr 2018 21:53:37 GMT
```

```bash
### TCP -> TCP
nc -l -p 2000 -c "nc [ip|hostname] 3000"
### TCP -> UDP
nc -l -p 2000 -c "nc -u [ip|hostname] 3000"
### UDP -> UDP
nc -l -u -p 2000 -c "nc -u [ip|hostname] 3000"
### UDP -> TCP
nc -l -u -p 2000 -c "nc [ip|hostname] 3000"
```

```bash
# gnutls-cli, with and without SNI
gnutls-cli -p 443 google.com
gnutls-cli --disable-sni -p 443 google.com

# socat: stdio to a TCP port
socat - TCP4:10.240.30.3:22
#   - - standard input (STDIO)
#   TCP4:<params> - tcp4 connection with specific params: [hostname|ip]:[1-65535]

# socat: expose a unix socket on a local TCP port, unprivileged, loopback only
socat TCP-LISTEN:1234,bind=127.0.0.1,reuseaddr,fork,su=nobody,range=127.0.0.0/8 UNIX-CLIENT:/tmp/foo
#   TCP-LISTEN:<params> - tcp listen with specific params: [1-65535] - port number
#   bind=[hostname|ip] - bind address
#   reuseaddr - allow other sockets to bind to the address
#   fork - keep the parent process accepting further connections
#   su=nobody - set user
#   range=[ip-range] - accept connections only from this range
#   UNIX-CLIENT:<params> - communicate with the specified peer socket (filename)

# p0f passive OS fingerprinting
p0f -i enp0s25 -p -d -o /dump/enp0s25.log
#   -i - listen on the specified interface
#   -p - set interface in promiscuous mode
#   -d - fork into background
#   -o - output file

# Established connections per remote IP, as a bar chart
netstat -an | awk '/ESTABLISHED/ { split($5,ip,":"); if (ip[1] !~ /^$/) print ip[1] }' | \
sort | uniq -c | awk '{ printf("%s\t%s\t",$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }'

# Watch connections to port 443 per client IP
watch "netstat -plan | grep :443 | awk {'print \$5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1"

# Banner-grab every local listening TCP port
netstat -nlt | grep 'tcp ' | grep -Eo "[1-9][0-9]*" | xargs -I {} sh -c "echo "" | nc -v -n -w1 127.0.0.1 {}"

# rsync running as root on the remote side
rsync --rsync-path 'sudo rsync' username@hostname:/path/to/dir/ /local/

# DNS lookups against a specific resolver
host google.com 9.9.9.9
host -t soa google.com 9.9.9.9
dig google.com +short
dig @9.9.9.9 google.com NS
dig google.com +nocomments +noquestion +noauthority +noadditional +nostats
dig google.com ANY +noall +answer
dig -x 172.217.16.14 +short

# certbot: standard, wildcard via DNS challenge, 4096-bit RSA key
certbot certonly -d example.com -d www.example.com
certbot certonly --manual --preferred-challenges=dns -d example.com -d *.example.com
certbot certonly -d example.com -d www.example.com --rsa-key-size 4096
```
whois -h whois.radb.net -- "-i origin ${AS}" | \
grep "^route:" | \
cut -d ":" -f2 | \
sed -e 's/^[ \t]//' | \
sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4 | \
cut -d ":" -f2 | \
sed -e 's/^[ \t]/allow /' | \
sed 's/$/;/' | \
sed 's/allow */subnet -> /g'_dname="google.com" ; curl -s "https://dns.google.com/resolve?name=${_dname}&type=A" | jq .# 1)
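Two of the pipelines above, the ESTABLISHED-connections counter and the RADB route extraction, rewritten as shell functions that read their input from stdin, so the real `netstat -an` / `whois -h whois.radb.net ...` output can be piped in. This is an added example, not code from the repository; the `netstat` and `whois` samples are constructed (RFC 5737 documentation addresses, documentation ASN AS64496) and the function names are my own. The connection counter strips the port with a "last colon" substitution so IPv6 peers are not cut at their first colon, which the original one-liner does.

```bash
#!/usr/bin/env bash
# Added example: the two pipelines as functions driven by constructed samples.

# Constructed `netstat -an` excerpt (documentation addresses, not a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:443            203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:443            203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.2:40001      ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.7:50000       ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8::99:40010      ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.9:40002      TIME_WAIT'

# Constructed RADB answer for a documentation ASN: one prefix is mirrored in a
# second registry (must be printed once) and one route6 object must be ignored.
SAMPLE_RADB='route:      192.0.2.0/24
origin:     AS64496
source:     RADB

route:      198.51.100.0/24
origin:     AS64496
source:     RADB

route:      192.0.2.0/24
descr:      same prefix, mirrored in another registry
origin:     AS64496
source:     ALTDB

route6:     2001:db8::/32
origin:     AS64496
source:     RADB'

# Established connections per remote address as "<ip>\t<count>\t<stars>",
# most connections first. Column 6 is the socket state in `netstat -an` output.
count_established() {
  awk '$6 == "ESTABLISHED" {
         peer = $5
         sub(/:[^:]*$/, "", peer)        # drop the port after the last colon
         if (peer != "") seen[peer]++
       }
       END {
         for (p in seen) {
           bar = ""
           for (i = 0; i < seen[p]; i++) bar = bar "*"
           printf "%s\t%d\t%s\n", p, seen[p], bar
         }
       }' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# IPv4 prefixes from RADB "route:" objects: de-duplicated, sorted numerically
# per octet and wrapped as "subnet -> <prefix>;" (or any prefix text given as $1).
routes_to_acl() {
  local pfx="${1:-subnet -> }"
  awk '$1 == "route:" && !seen[$2]++ { print $2 }' |
    sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n |
    awk -v pfx="$pfx" '{ printf "%s%s;\n", pfx, $1 }'
}

# Demo on the constructed samples; for real data use
#   netstat -an | count_established
#   whois -h whois.radb.net -- "-i origin AS32934" | routes_to_acl
printf '%s\n' "$SAMPLE_NETSTAT" | count_established
printf '%s\n' "$SAMPLE_RADB" | routes_to_acl
```

The route objects in a routing registry are registered by the announcing organisation itself, so a list produced this way is a starting point for an allow-list, to be reviewed rather than applied blindly.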
```bash
# 1) compact one-line graph of all refs
git log --oneline --decorate --graph --all
# 2) graph with colours, relative commit dates and author
git log --graph \
--pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' \
--abbrev-commit
```
```bash
# Python 3.x
python3 -m http.server 8000 --bind 127.0.0.1
# Python 2.x
python -m SimpleHTTPServer 8000
```
```python
# Python 3.x
from http.server import HTTPServer, SimpleHTTPRequestHandler
import ssl

# SimpleHTTPRequestHandler serves the current directory; the bare
# BaseHTTPRequestHandler answers every request with 501.
httpd = HTTPServer(('localhost', 4443), SimpleHTTPRequestHandler)
# ssl.wrap_socket() was removed in Python 3.12; use an SSLContext instead.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(certfile='path/to/cert.pem', keyfile='path/to/key.pem')
httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()
```

```python
# Python 2.x
import BaseHTTPServer, SimpleHTTPServer
import ssl

httpd = BaseHTTPServer.HTTPServer(('localhost', 4443),
                                  SimpleHTTPServer.SimpleHTTPRequestHandler)
httpd.socket = ssl.wrap_socket(httpd.socket,
                               keyfile='path/to/key.pem',
                               certfile='path/to/cert.pem', server_side=True)
httpd.serve_forever()
```

```bash
python -m base64 -e <<< "sample string"
python -m base64 -d <<< "dGhpcyBpcyBlbmNvZGVkCg=="
```
```bash
# egrep foo
awk '/foo/' filename
# egrep -v foo
awk '!/foo/' filename
# egrep -n foo
awk '/foo/{print FNR,$0}' filename
# print the last field of every line
awk '{print $NF}' filename
# lines longer than 80 characters, with line number
awk 'length($0)>80{print FNR,$0}' filename
# lines shorter than 80 characters
awk 'length < 80' filename
# double-space a file
awk '1; { print "" }' filename
# number every line
awk '{ print FNR "\t" $0 }' filename
awk '{ printf("%5d : %s\n", NR, $0) }' filename # in a fancy manner
# number only non-blank lines
awk 'NF { $0=++a " :" $0 }; { print }' filename
# print each matching line and the 5 lines after it (like grep -A5)
awk '/foo/{i=5+1;}{if(i){i--; print;}}' filename
# print the block from "server {" to the next "}"
awk '/server {/,/}/' filename
awk -F' ' '{print "ip:\t" $2 "\n port:\t" $3}' filename
# remove blank lines
awk 'NF > 0' filename
# alternative:
awk NF filename
# strip trailing whitespace
awk '{sub(/[ \t]*$/, "");print}' filename
# strip leading whitespace
awk '{sub(/^[ \t]+/, ""); print}' filename
# uniq (drop consecutive duplicates; compare as strings, not as a regex)
awk '$0 != a {print}; {a=$0}' filename
# drop duplicate lines without sorting
awk '!x[$0]++' filename
# delete fields 1 and 3
awk '{$1=$3=""}1' filename
# replace foo with bar only on lines matching regexp
awk '/regexp/{gsub(/foo/, "bar")};{print}' filename
# prefix matching lines with ++++
awk '/regexp/{sub(/^/, "++++"); print;next;}{print}' filename
# access log entries from the last hour (GNU date; the range only opens if a
# line with exactly the start minute exists in the log)
awk '/'$(date -d "1 hours ago" "+%d\\/%b\\/%Y:%H:%M")'/,/'$(date "+%d\\/%b\\/%Y:%H:%M")'/ { print $0 }' \
/var/log/httpd/access_log
```

```bash
# print line 10
sed -n 10p /path/to/file
# delete line 10 in place
sed -i 10d /path/to/file
# alternative (BSD): sed -i'' 10d /path/to/file
# delete a range of lines in place
sed -i -re '<start>,<end>d' <file>
```

```bash
# join all lines into one, separated by spaces
sed ':a;N;$!ba;s/\n/ /g' /path/to/file
# cross-platform compatible syntax:
sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/ /g' /path/to/file
```

- `:a` - create a label a
- `N` - append the next line to the pattern space
- `$!` - if not the last line, `ba` - branch (go to) label a
- `s` - substitute, `/\n/` - regex for new line, `/ /` - by a space, `/g` - global match (as many times as it can)

Alternatives:

```bash
# perl version (sed-like speed):
perl -p -e 's/\n/ /' /path/to/file
# bash version (slow):
while read line ; do printf "%s" "$line " ; done < file
```

```bash
# delete the line matching "start" and the 4 lines after it (GNU sed)
sed '/start/,+4d' /path/to/file
```

```bash
grep -rn "pattern"
grep -RnisI "pattern" *
fgrep "pattern" * -R
```

```bash
# match INFO or WARN
grep 'INFO\|WARN' filename
grep -e INFO -e WARN filename
grep -E '(INFO|WARN)' filename
egrep "INFO|WARN" filename
# exclude lines matching any of the patterns
grep -vE '(error|critical|warning)' filename
# remove comments (lines starting with #, possibly indented)
grep -v '^[[:space:]]*#' filename
# remove comments and blank lines (drops every line containing a # anywhere)
egrep -v '#|^$' filename
# search for the literal string "--"
grep -e -- filename
grep -- -- filename
```
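The two comment-stripping greps above are not equivalent: `egrep -v '#|^$'` discards every line that contains a `#` anywhere, including a value such as a URL with a fragment, while `grep -v '^[[:space:]]*#'` drops only whole-line comments and keeps blank lines. The function below is an added example, not code from the repository; it removes whole-line comments, trailing comments that are separated from the value by whitespace (a heuristic, stated here as an assumption), and blank lines, and is run against a constructed sshd_config-style fragment.

```bash
#!/usr/bin/env bash
# Added example: strip comments and blank lines from a config file without
# discarding lines whose value merely contains a "#".
#
# Rules (assumption: a "#" preceded by whitespace starts a trailing comment):
#   1. a line whose first non-blank character is "#" is dropped
#   2. "<whitespace># ..." after a value is removed, the value is kept
#   3. trailing whitespace and empty lines are dropped
strip_comments() {
  sed -e 's/^[[:space:]]*#.*$//' \
      -e 's/[[:space:]][[:space:]]*#.*$//' \
      -e 's/[[:space:]]*$//' \
      -e '/^$/d'
}

# Constructed config fragment used for the demonstration.
SAMPLE_CONFIG='# Managed by configuration management; do not edit by hand
Port 22                 # inline comment
   # indented whole-line comment

PermitRootLogin no
Banner /etc/issue.net#fragment
    Match User backup
'

# Demo on the constructed sample; for a real file: strip_comments < /etc/ssh/sshd_config
printf '%s\n' "$SAMPLE_CONFIG" | strip_comments
```

On the sample this keeps `Port 22`, `PermitRootLogin no`, the `Banner` line (which `egrep -v '#|^$'` would have thrown away) and the indented `Match` line with its indentation intact.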
```bash
# the same, with an escaped pattern
grep "\-\-" filename
# remove blank lines
grep . filename > newfilename
```

```bash
# replace SEARCH with REPLACE in place
perl -i -pe 's/SEARCH/REPLACE/' filename
# change every whole-word foo to bar in *.conf files (and backup originals as *.orig)
perl -p -i.orig -e 's/\bfoo\b/bar/g' *.conf
# print the first 20 lines (counted across all *.conf files)
perl -pe 'exit if $. > 20' *.conf
# print lines 10 to 20
perl -ne 'print if 10 .. 20' filename
# delete lines 1 to 10 in place (backup as .orig)
perl -i.orig -ne 'print unless 1 .. 10' filename
# delete from the line matching ^foo$ to the line matching ^bar$ in place
perl -i.orig -ne 'print unless /^foo$/ .. /^bar$/' filename
# collapse runs of blank lines into one (paragraph mode)
perl -p -i -00pe0 filename
# replace tabs with spaces in place
perl -p -i -e 's/\t/ /g' filename
# count lines and characters
perl -lne '$i++; $in += length($_); END { print "$i lines, $in characters"; }' filename
```

When you get a shell, it is generally not very clean, but after following these steps, you will have a fairly clean and comfortable shell to work with.
```bash
script /dev/null -c bash
stty raw -echo; fg                    # returns the shell to foreground
reset                                 # to reset terminal
xterm                                 # when asked for terminal type
export TERM=xterm; export SHELL=bash
```

```bash
# Dependencies:
# - curl
# - jq
function DomainResolve() {
  local _host="$1"
  local _curl_base="curl --request GET"
  local _timeout="15"
  local _host_ip
  # A record via Google's DNS-over-HTTPS JSON API; jq -r prints the value without quotes.
  _host_ip=$($_curl_base -ks -m "$_timeout" "https://dns.google.com/resolve?name=${_host}&type=A" 2>/dev/null | \
  jq -r '.Answer[0].data' 2>/dev/null)
  if [[ -z "$_host_ip" ]] || [[ "$_host_ip" == "null" ]] ; then
    echo "Unsuccessful domain name resolution."
  else
    echo "$_host > $_host_ip"
  fi
}
```

Example:

```
shell> DomainResolve nmap.org
nmap.org > 45.33.49.119
shell> DomainResolve nmap.org
Unsuccessful domain name resolution.
```
```bash
# Dependencies:
# - curl
function GetASN() {
  local _ip="$1"
  local _curl_base="curl --request GET"
  local _timeout="15"
  local _asn _state
  _asn=$($_curl_base -ks -m "$_timeout" "http://ip-api.com/line/${_ip}?fields=as")
  _state=$?   # exit status of curl
  if [[ -z "$_ip" ]] || [[ -z "$_asn" ]] || [[ "$_state" -ne 0 ]]; then
    echo "Unsuccessful ASN gathering."
  else
    echo "$_ip > $_asn"
  fi
}
```

Example:

```
shell> GetASN 1.1.1.1
1.1.1.1 > AS13335 Cloudflare, Inc.
shell> GetASN 0.0.0.0
Unsuccessful ASN gathering.
```
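Both helpers above interpolate their first argument straight into a URL, so an argument such as `example.com&type=TXT` silently changes the query that is sent. The guards below are an added example, not code from the repository: they accept a hostname or a dotted-quad IPv4 address only when it is syntactically plausible, and the `safe_resolve` / `safe_asn` wrappers (my names) call the repository's `DomainResolve` / `GetASN` only after the check passes. The hostname rule assumed is the RFC 1123 label syntax; the checks themselves run fully offline.

```bash
#!/usr/bin/env bash
# Added example: syntactic guards for the arguments of DomainResolve / GetASN.

# 0 if $1 is a plausible hostname: labels of 1-63 alphanumerics or hyphens
# that do not start or end with a hyphen, at most 253 characters, with an
# optional trailing dot (RFC 1123 syntax; this is the assumption the check rests on).
valid_hostname() {
  local h="${1%.}"                      # tolerate the FQDN form "host.example."
  [ -n "$h" ] || return 1
  [ "${#h}" -le 253 ] || return 1
  printf '%s\n' "$h" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  local ip="$1" octet
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  local IFS=.                           # split on dots for the range check
  for octet in $ip; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Guarded wrappers: refuse the lookup instead of sending junk to the API.
# They expect the DomainResolve / GetASN functions from above to be defined.
safe_resolve() {
  valid_hostname "$1" || { echo "refusing to resolve: '$1' is not a hostname" >&2; return 1; }
  DomainResolve "$1"
}
safe_asn() {
  valid_ipv4 "$1" || { echo "refusing ASN lookup: '$1' is not an IPv4 address" >&2; return 1; }
  GetASN "$1"
}

# Offline demo of the guards on constructed inputs:
for h in nmap.org example.com. 'example.com&type=TXT' -bad.example 'a b.c'; do
  if valid_hostname "$h"; then echo "hostname ok:  $h"; else echo "hostname bad: $h"; fi
done
for ip in 1.1.1.1 0.0.0.0 256.1.1.1 1.1.1; do
  if valid_ipv4 "$ip"; then echo "ipv4 ok:  $ip"; else echo "ipv4 bad: $ip"; fi
done
```

A syntactically valid name can still be one you do not want to send to a third-party resolver or geolocation API, so the guards complement, rather than replace, a decision about which external services the helpers may contact.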