Useful Bash one-liners

Run a command against a range of IP addresses. You could just use nmap by itself, but for the sake of bash...

Execute an nmap scan forever, for example while waiting for a port to come up. The loop keeps going until you stop it with Ctrl-C:

while true; do nmap x.x.x.x -Pn -sS -p 80 | grep -A 1 'PORT'; sleep 5; done

Execute nmap against x.x.x.24 through x.x.x.31
for i in {24..31}; do nmap -Pn x.x.x.$i -T4; done

Execute nc and iterate through IPs with proxychains
for i in 10.1.1.{1..254}; do proxychains nc -zvn -w 1 ${i} 21 22 80 137 139 443 445 3389 8080; done

Search for anonymous access to Windows SMB shares that grant read access
for i in {99..101}; do smbmap -u "" -p "" -H 10.10.10.$i -q; done | grep 'READ' -B 3

Specific IP addresses

for i in 10.1.1.{224,235,246,248}; do proxychains nc -zvn -w 1 ${i} 21 22 80 137 139 443 445 3389 8080; done >> it-department-portscan.txt

Iterate through each file in a directory. A glob is safer than parsing 'ls' output, and quoting "$i" keeps filenames with spaces intact:
for i in /opt/wordlists/SecLists/Passwords/Common-Credentials/*; do /opt/jtr/john-1.8.0/run/john /root/oscp/unshadowed- -w="$i"; done

for i in *.txt; do base64 -d "$i" > "$i.b64"; done

If we want to see which file is being processed, we can add 'echo' to the command like so.

for i in *.txt; do echo "$i"; base64 -d "$i" > "$i.b64"; done
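A fuller version of the file-iteration loop above, added here as an example rather than taken from the original post. It uses a glob instead of parsing 'ls', quotes the filename so spaces survive, and skips files that are not valid base64 instead of leaving a half-written output behind. The directory layout, the .txt input suffix and the .decoded output suffix are assumptions for the demo, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: decode every *.txt file in a directory as base64.
# Not from the original post; the directory layout and the .decoded
# output suffix are assumptions for the demo.

# Decode each *.txt under $1 into "<file>.decoded".
# Prints "ok <file>" or "skip <file>" per input and always exits 0.
decode_b64_dir() {
    dir=$1
    for f in "$dir"/*.txt; do
        # If nothing matches, the glob stays literal: skip it.
        [ -e "$f" ] || continue
        if base64 -d "$f" > "$f.decoded" 2>/dev/null; then
            echo "ok $f"
        else
            # Invalid input: remove the partial output rather than keep junk.
            rm -f "$f.decoded"
            echo "skip $f"
        fi
    done
}

# Number of files that decoded cleanly (count of "ok" lines).
count_decoded() {
    decode_b64_dir "$1" | grep -c '^ok ' || true
}

# Demo on constructed input: one file that is not base64 at all, one valid
# file, and one valid file whose name contains a space.
demo_dir=$(mktemp -d)
echo 'this is not base64!' > "$demo_dir/bad.txt"
printf 'hello world' | base64 > "$demo_dir/good.txt"
printf 'x' | base64 > "$demo_dir/with space.txt"
decode_b64_dir "$demo_dir"   # skip bad.txt, ok good.txt, ok "with space.txt"
rm -rf "$demo_dir"
```

Run it with sh; the functions can be sourced into another script and pointed at any directory.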

Fingering hosts
Say we want to find out which usernames exist when the finger service is enabled. We can iterate through a wordlist and look for the desired results, and we can also take advantage of parallel processing. In the following example the user 'steve' has been found.

parallel -j 8 finger {}@ < wordlist.txt
finger: alice: no such user.
finger: dave: no such user.
Login: steve                             Name:
Directory: /home/steve            Shell: /bin/bash
Never logged in.
No mail.
No Plan.

Create a file called orig.txt, change its name to orig.php, execute a shell command and write the output into orig.php

<?php $myFile = 'orig.txt'; $shell = shell_exec('find / -type d -perm -o=rwx -ls 2>/dev/null'); $myFile = str_replace('.txt', '.php', $myFile); file_put_contents($myFile, $shell); ?>

Useful grep commands
Search recursively from the root of the filesystem for every occurrence of 'pass'. Note that '*pass*' is shell-glob syntax, not a regular expression (in grep a leading '*' is a literal asterisk), so the pattern is just 'pass':

grep -rni / -e 'pass' 2>/dev/null
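The same recursive grep turned into a credential-hygiene check, added here as an example and not part of the original post. Instead of searching the whole filesystem for 'pass', it audits one source or config tree for lines that look like a hard-coded password, secret, API key or token, skipping binaries and version-control directories, so a developer can catch a leaked secret before it is deployed. It assumes GNU grep; the key names in the pattern are a starting point rather than a complete list, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit one tree for likely
# hard-coded credentials.  Assumes GNU grep; the pattern's key names are a
# starting point, not a complete list.

# Print "path:line:text" for each line that looks like "<secret-ish key> = value"
# or "<key>: value".  -I skips binaries, -i ignores case, and version-control
# and dependency directories are excluded.  Exits 0 even when nothing is found.
find_credential_hits() {
    dir=$1
    pat='(password|passwd|secret|api[_-]?key|token)[[:space:]]*[=:]'
    grep -rnIiE --exclude-dir=.git --exclude-dir=node_modules -e "$pat" "$dir" \
        2>/dev/null || true
}

# Number of hits, usable as a pass/fail gate in a pre-commit hook or CI job.
count_credential_hits() {
    find_credential_hits "$1" | grep -c . || true
}

# Demo on a constructed tree: two real hits, one prose line that the
# "= or :" requirement filters out, and one hit inside .git that is
# excluded on purpose.
demo=$(mktemp -d)
mkdir -p "$demo/src" "$demo/.git"
echo 'db_password = hunter2'              > "$demo/src/config.ini"
echo 'api_key: abc123'                    > "$demo/src/app.yaml"
echo 'Enter your password when prompted.' > "$demo/README"
echo 'password = leaked'                  > "$demo/.git/config"
find_credential_hits "$demo"
echo "hits: $(count_credential_hits "$demo")"   # hits: 2
rm -rf "$demo"
```

Expect false positives (documentation that mentions a "password:" prompt, test fixtures); the point of the check is a short list to review by hand, not a zero-noise oracle.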

Print only the lines that are exactly two characters long
grep '^..$' cewl-2.txt

Convert all uppercase to lowercase
tr '[:upper:]' '[:lower:]' < cewl-2.txt > output.txt

Find all files belonging to the group 'sambashare'
find / -type f -group sambashare
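Two find-based audit checks in the same spirit as the group search above, added here as an example and not part of the original post. The first generalises the 'sambashare' search to any group; the second lists world-writable directories that lack the sticky bit, the same condition the PHP snippet further up looks for with 'find / -type d -perm -o=rwx', which a hardening review should catch first. It assumes GNU find (octal -perm masks), and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find-based permission audits.
# Assumes GNU find (-perm with octal masks); the demo tree is constructed.

# All regular files under $1 owned by group $2, sorted, one per line.
files_owned_by_group() {
    find "$1" -type f -group "$2" 2>/dev/null | sort || true
}

# World-writable directories under $1 that lack the sticky bit.  Without the
# sticky bit any local user can delete or rename other users' files there;
# shared scratch directories should be 1777, never 0777.
world_writable_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort || true
}

# Demo on a constructed tree: one 0777 directory (reported), one 1777
# directory (fine), one 0755 directory holding a file owned by our group.
demo=$(mktemp -d)
mkdir -p "$demo/open" "$demo/sticky" "$demo/closed"
chmod 0777 "$demo/open"
chmod 1777 "$demo/sticky"
chmod 0755 "$demo/closed"
: > "$demo/closed/a.txt"
echo "world-writable without sticky bit:"
world_writable_no_sticky "$demo"             # only .../open
echo "files owned by group $(id -gn):"
files_owned_by_group "$demo" "$(id -gn)"     # .../closed/a.txt
rm -rf "$demo"
```

Point both functions at / (as root) for a real host check; piping the output through a diff against last week's run makes permission drift obvious.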

Find all files owned by root
