Useful Bash one liners
Scan a range of IP addresses. You could just use nmap by itself, but for the sake of bash...
Execute an nmap scan indefinitely, e.g. while waiting for a port to come up.
while true; do nmap x.x.x.x -Pn -sS -p 80 | grep -A 1 'PORT'; done
Execute nmap and iterate from x.x.x.24-31
for i in {24..31}; do nmap -Pn x.x.x.$i -T4; done
Execute nc and iterate through IPs with Proxychains
for i in 10.1.1.{1..254}; do proxychains nc -zvn -w 1 ${i} 21 22 80 137 139 443 445 3389 8080; done
Search for anonymous access to Windows SMB shares with READ access
for i in {99..101}; do smbmap -u "" -p "" -H 10.10.10.$i -q; done | grep 'READ' -B 3
Echo each item of a command's output, e.g. with 'ls'
for i in $(ls); do echo $i; done
Scan a specific list of IP addresses and append the results to a file
for i in 10.1.1.{224,235,246,246,248}; do proxychains nc -zvn -w 1 ${i} 21 22 80 137 139 443 445 3389 8080; done >> it-department-portscan.txt
Iterate through each file in a directory
for i in /opt/wordlists/SecLists/Passwords/Common-Credentials/*; do /opt/jtr/john-1.8.0/run/john /root/oscp/unshadowed-10.11.1.141 -w="$i"; done
or
for i in *.txt; do base64 -d "$i" > "$i.b64"; done
If we want to see which file is being processed, we can add 'echo' to the command like so.
for i in *.txt; do echo "$i"; base64 -d "$i" > "$i.b64"; done
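The loops above iterate over a directory listing. As an added example that is not part of the original page, here is the base64-decode loop wrapped in a function using a quoted glob, which also copes with file names containing spaces and with files that are not valid base64; the directory and sample files are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original page): a quoted, glob-based
# version of the page's base64-decode loop.

# decode_all DIR: base64-decode every *.txt in DIR into NAME.txt.b64,
# skipping files that are not valid base64. Prints how many were decoded.
decode_all() {
    dir=$1
    count=0
    for f in "$dir"/*.txt; do          # glob, not $(ls): safe with spaces
        [ -e "$f" ] || continue        # no match: the glob stays literal
        if base64 -d "$f" > "$f.b64" 2>/dev/null; then
            count=$((count + 1))
        else
            rm -f "$f.b64"             # discard partial output of a bad file
            echo "skip: $f (not valid base64)" >&2
        fi
    done
    echo "$count"
}

# Constructed sample data: two valid files (one with a space in its name)
# and one that is not base64. The directory is left in place for inspection.
demo_dir=$(mktemp -d)
printf 'aGVsbG8=\n' > "$demo_dir/a.txt"
printf 'd29ybGQ=\n' > "$demo_dir/with space.txt"
printf 'not base64!!\n' > "$demo_dir/bad.txt"

decode_all "$demo_dir"
```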
Fingering Hosts
Say we want to find out which usernames exist when the finger service is enabled. We can iterate through a wordlist and look for the desired results, and we can also take advantage of parallel processing. In the following example the user 'steve' has been found.
cat wordlist.txt | parallel -j 8 finger {}@1.1.1.1
Output:
finger: alice: no such user.
finger: dave: no such user.
Login: steve Name:
Directory: /home/steve Shell: /bin/bash
Never logged in.
No mail.
No Plan.
PHP
Create a file called orig.txt, rename it to orig.php, execute a shell command and write its output into orig.php.
<?php $myFile = 'orig.txt'; $shell = shell_exec('find / -type d -perm -o=rwx -ls 2>/dev/null'); $myFile = str_replace('.txt', '.php', $myFile); file_put_contents($myFile, $shell); ?>
Useful Grep Commands
Search the root file system recursively for the substring 'pass' (case-insensitive), e.g. password or passwd.
grep -rni 'pass' / 2>/dev/null
Print only the lines that are exactly two characters long
grep '^..$' cewl-2.txt
Convert all UPPERCASE to lowercase
tr '[:upper:]' '[:lower:]' < cewl-2.txt > output.txt
Find all files belonging to the group 'sambashare'
find / -type f -group sambashare
Display all Owners for root
for i in $(cat ~/ipList.txt); do sudo proxychains4 -q python RunFinger.py -i "$i"; done 2>/dev/null  # run RunFinger.py against each IP in ~/ipList.txt through proxychains